Secure Software Fundamentals Week 03 Quiz

Questions and Answers

What is a crucial aspect of building secure software according to the discussed principles?

• Only functional requirements are necessary to define security.
• Security should not be considered in the design phase.
• Security must be integrated from the beginning of the design process. (correct)
• Implementing security features alone is sufficient.

What does the concept of 'tradeoffs' in software requirements imply?

• All security measures should be implemented without considering performance.
• There is no need to balance different security measures.
• Developers should focus solely on performance over security.
• There are compromises between performance and security features that need to be addressed. (correct)

Which of the following is NOT a component of software security as risk management?

• Detection
• Reaction
• User Interface Design (correct)
• Prevention

Why are basic security features like authentication alone considered inadequate?

Attackers can circumvent them if deeper security measures are lacking. (D)

What is emphasized as a fundamental approach to software security?

Thinking like an attacker throughout the development process. (A)

What does software security aim to achieve during the software development life cycle?

Avoiding security vulnerabilities (D)

Which statement best reflects why there is an exponential increase in vulnerabilities in software systems?

Convenience often outweighs security measures (D)

What does the CIA triad stand for in the context of software security principles?

Confidentiality, Integrity, Availability (A)

What is a common misconception regarding the role of programmers in security?

They contribute to security vulnerabilities unknowingly (D)

What is a frequent result of poor software quality concerning security?

Increased vulnerability to attacks (B)

Why is circumventing security often easier than defeating it?

Developers often overlook simple exploits (B)

What does the cost of inadequate software security typically involve?

Potential financial losses and reputational damage (A)

Which term refers to data that is actively being processed in a computer's memory?

Data in Use (D)

Which of the following is NOT a source of software vulnerabilities?

Version Control (A)

What is a proactive control mechanism that detects flaws in software?

Auditing (B)

Which type of software failure occurs due to a flaw deeply instantiated in the code?

Flaw (A)

Which attack is commonly associated with inserting malicious code into a program during its execution?

Command Injection (D)

What is one main reason cited for the high cost of poor software quality in the U.S.?

Rising Complexity of Software Projects (A)

Which of the following is an example of a buffer overflow vulnerability?

Exceeding allocated memory space (D)

What does the TIOBE Programming Community Index primarily measure?

Popularity of Programming Languages (A)

Which of the following practices focuses on preventing vulnerabilities in software development?

Better Software Development (C)

What is a common misinterpretation of the term 'Bug' in software development?

It signifies a deep level flaw (D)

Flashcards

Software Security

Ensuring software functions correctly even under malicious attacks

Software Vulnerabilities

Flaws or bugs in software that can be exploited by attackers

Secure Programming

Designing and developing software with security in mind from the start

Security Risk Management

Assessing and addressing potential security threats and vulnerabilities in software development

CIA Triad

A security framework focusing on Confidentiality, Integrity, and Availability

Security Tradeoffs

Balancing security needs with other needs like performance and functionality

Software Security Practices

Methods and strategies for developing secure software throughout the software development process

Security as a Feature

Viewing security as a simple addition to software, like implementing SSL or encryption, without considering the underlying design and development.

Security as a Design Principle

Incorporating security considerations into every stage of the software development process, from initial design to implementation and testing.

Thinking Like an Attacker

Employing the mindset of a potential attacker to identify vulnerabilities and design defenses accordingly.

Multi-Layer Control

Using multiple security controls and mechanisms to defend against various attack methods.

Data at Rest

Data stored in a medium like a hard drive or a cloud storage system.

Data in Transit

Data moving between different locations, like from your computer to a website.

Data in Use

Data actively being processed by a computer, such as a program using data to perform calculations.

Input Validation

Checking if user input is valid and safe, preventing malicious data from entering the system.

Buffer Overflow

A vulnerability where a program writes more data into a memory buffer than it can hold, potentially overwriting critical data or executing malicious code.

Secure Coding Practices

A set of guidelines and techniques for writing software that is secure by design.

Patching

Fixing security vulnerabilities in software by installing updates or patches.

Software Defects

Flaws or errors in software, often caused by mistakes or limitations.

Software Bugs

Specific errors in software code that can be identified and corrected.

Study Notes

Course Information

• Course name: Secure Software Fundamentals
• Course code: CSC 1029

Objectives

• Identify common software vulnerabilities
• Identify what secure programming is and why it is needed
• Overview of security problems and introduce security terms and concepts
• Provide insight into why so many vulnerabilities are found in different programming languages
• Describe security principles, including the CIA triad

Agenda: Week 03

• Why Software Security
• Software Security & Risk Management
• What are we protecting
• Security Policy: CIA
• Security Trade-Offs
• Common Software Attacks
• Secure Software Mitigation Practices
• What is the cost
• Software Security Practices
• Terminology
• Programming language vulnerabilities
• TODO & Resources for Help

Why Secure Software

• Most software systems have flaws and bugs that attackers exploit
• New threats emerge frequently
• Convenience often trumps security measures
• Vulnerabilities in software systems are increasing exponentially
• Software security is everyone's job
• Programmers often repeat security-related mistakes

Software Security

• Engineering software to continue functioning correctly under malicious attack
• Avoiding security vulnerabilities by addressing security from the early stages of software development
• Security is a risk management

Software Requirements & Misconceptions

• Software developers often describe requirements in terms of system functionality when everything goes right
• The focus has been mainly on functionality
• Often assume the system won't be intentionally abused
• Some developers see security only as a set of features (e.g., implemented SSL, 128-bit encryption)
• Security features alone are insufficient; security must be built into the design from the beginning

Building Secure Software

• Developers need to explicitly define trade-offs between performance and functional security features in system requirements
• Obvious features (e.g., authentication, authorization) might not be sufficient to stop attackers
• Security approaches need to be deeply integrated into all layers of a software system
• Need to incorporate attacker thinking throughout the development process

Software Security = Risk Management

• Prevention (proactive measures to stop security breaches)
• Detection (proactive measures to detect breaches)
• Reaction (measures to recover assets, repair damage, and persecute/deter offenders)
• Multi-layer (in-depth) control (software systems with access control mechanisms should also include detection mechanisms)

What Are We Protecting?

• Data at rest (stored in media)
• Data in transit (transmitted between locations)
• Data in use (loaded into computer memory for processing)

Common Software Attacks

• Input Validation
• Buffer overflow
• Stack overflow
• Command injection
• SQL injection
• Dangling pointers
• Cross-site scripting
• Homogeneity (sourcing from open source or common vendors)
• Complexity (needlessly complicated code)
• Poor design (poor access control)
• Connectivity (increases attack paths)

Secure Software Mitigation Practices

• Review the Top 10 Secure Coding Practices (link provided)

What Is the Cost of Poor Software Quality in the U.S.?

• Cost of fixing defects at each stage of software development (requirements, design, coding, testing, maintenance) - costs increase dramatically as you move later in the software development stage; costs provided in graph format. (link provided)

Software Security Practices

• Better Software Development (preventive control mechanism)
• Patching (reactive control mechanism)
• Testing (proactive control mechanism - detection)
• Auditing (proactive control mechanism - detection)
• Improvement in automation and quality of audits is needed.
• Testing is inherently limited on coverage and depth (often manual)

Terminology

• Defects: implementation and design vulnerabilities
• Bugs: implementation-level errors that can be detected and removed
• Buffer Overflow
• Flaws: problems at a deep level in the code
• Error handling problems
• Failures: inability of software to perform required functions

TIOBE Index

• Indicator of programming language popularity
• Not the best programming language but an indicator of commonly used languages
• Used to check programming skills and make strategic decisions when building a new software system

Interpreted Compared to Compiled

• Interpreted languages are easier and quicker to use for application development but have more overhead and leave more weaknesses for attackers
• Compiled languages are more challenging but create more secure and efficient binary files

Comparing C and C++

• C: low-level, powerful language originally used to develop the Unix operating system, lacks many modern constructs
• C++: newer language based on C, adds modern programming language features and makes programming easier

Programming Language Vulnerabilities

• Read article and share the programming language and topic that most caught attention (link provided)

Why Software Security?

• Software systems have numerous flaws and bugs that attackers exploit
• New security threats emerge frequently
• Convenience often outweighs security measures
• Vulnerabilities in software systems increase exponentially
• Software security is everyone's responsibility
• Programmers frequently repeat security-related errors

How Many Millions Lines of Code

• Discusses the paradigm shift for software
• Highlights software-enabled products & their security considerations

Review Security Requirements

• Summarizes security requirements and possible matching descriptions (e.g., authentication, integrity, confidentiality, service availability, non-repudiation, security auditing, malicious activities detection, backup and recovery)

Pre-work Grade

• Post weekly discussion question and research solution
• Complete week 3 content module in D2L

Questions, Clarifications, and Help

• Student office hours (appointment and drop-in)
• Email
• RRCC on-campus tutoring
• 24/7 online tutoring located in the D2L course content.

Description

This quiz covers important concepts from the Secure Software Fundamentals course, specifically focusing on Week 03's topics. You'll explore software security principles, common vulnerabilities, risk management, and secure software practices. Test your knowledge on why these security measures are critical in today's programming landscape.