Third-Party Code and Code Repositories

Questions and Answers

What primary security practice should be applied to outsourced code development to maintain organizational security standards?

  • Subject the outsourced code to the same level of testing as internally developed code. (correct)
  • Subject the outsourced code to limited testing to expedite integration.
  • Exempt outsourced code from internal testing procedures due to vendor assurances.
  • Rely solely on the security certifications of the third-party development organization.

Software diversity focuses on eliminating all dependencies on single components to completely avoid any availability risks.

False (B)

What is the primary function of a code repository in software development?

Centralized storage and management of application source code.

Code repositories promote code ______ by making code accessible to all developers in an organization.

reuse

Match the following code management practices with their descriptions:

  • Code Signing = Verifies the authenticity of code.
  • Data Minimization = Reduces risk by limiting the collection of sensitive data.
  • Tokenization = Replaces sensitive identifiers with unique values.
  • Parameterized Queries = Prevents SQL injection attacks by using variables for user input.

Why is it important for security professionals to be aware of how an organization uses third-party code and makes its services available?

To identify potential security flaws in shared code and manage dependencies. (D)

Utilizing code signing guarantees that the code is free from malicious content.

False (B)

What is the purpose of software diversity in the context of security?

To avoid single points of failure and reduce availability risks.

Code repositories perform ______ control, allowing the tracking of changes and the rollback of code to earlier versions.

version

Match the database security measures with their corresponding descriptions:

  • Data Minimization = Collecting only necessary sensitive information.
  • Tokenization = Replacing sensitive data with non-sensitive substitutes.
  • Parameterized Queries = Using predefined SQL statements with input as variables.
  • Obfuscation = Camouflaging code to prevent reverse engineering.

In the context of code repositories, what is 'dead code' and why is it a problem?

Code that is no longer in use or maintained, leading to potential security vulnerabilities and wasted resources. (C)

Code repositories are exclusively used for managing source code and do not play a role in application security.

False (B)

What is the role of developers and operations (DevOps) teams working with cybersecurity teams in application provisioning and deprovisioning?

To ensure applications are provisioned and deprovisioned securely.

Using a cryptographic hash function to replace sensitive identifiers with an irreversible alternative identifier is known as ______.

hashing

Match the following terms related to code security with their definitions:

  • Code Signing = Digitally confirming the authenticity of code.
  • Hashing = Replacing identifiers with irreversible values.
  • SDKs = Collections of software libraries with documentation.
  • Third-Party Libraries = Reusable code objects shared among developers.

What is the primary purpose of salting hashed values?

To make the hashed values resistant to rainbow table attacks. (D)

Code signing guarantees that the signed code does not contain any malicious content.

False (B)

What are Software Development Kits (SDKs) and how do they assist developers?

Collections of software libraries, documentation, and examples that help developers get up and running quickly.

Libraries consist of shared ______ objects that perform related functions.

code

Match the defense mechanisms with the attacks they mitigate:

  • Parameterized Queries = SQL injection attacks.
  • Input Validation = Prevents malicious traffic from reaching web servers.
  • Hashing with Salting = Rainbow table attacks.
  • Web Application Firewalls (WAFs) = Web application attacks.

What principle guides database administrators in minimizing the risk of sensitive personal information exposure?

Data minimization. (C)

Parameterized queries allow user input to be directly inserted into SQL code to enhance query flexibility.

False (B)

What is tokenization, and how does it enhance data security?

Replacing sensitive identifiers with unique, non-sensitive substitutes to protect the original data.

Web application firewalls function at the ______ layer of the OSI model.

application

Match each technique with its purpose in application security.

  • Code Signing = Authenticates source of code.
  • Input Validation = Prevents injection attacks.
  • WAF = Filters malicious web traffic.
  • Hashing = Secures sensitive data.

What is a critical step security teams should take when organizations introduce third-party code into their environments?

Implementing stringent testing protocols equivalent to internally developed code. (A)

Code signing guarantees that the code is free of vulnerabilities.

False (B)

How do code repositories aid in code reusability and consistency within an organization?

By providing a centralized location for sharing and discovering existing code.

When user input is treated as variables rather than executable SQL code, it prevents ______ attacks.

SQL injection

Match the following vulnerabilities/attacks with their corresponding mitigation techniques:

  • SQL Injection = Prepared Statements / Parameterized Queries.
  • Cross Site Scripting (XSS) = Input validation.
  • Parameter Pollution = Careful handling of parameters.
  • Rainbow Table Attack = Salting and strong hashing algorithms.

Why is it important to track dependencies on single pieces of source code, binary executable files, or compilers?

To maintain a secure codebase. (A)

Code repositories eliminate the possibility of dead code.

False (B)

What does code signing guarantee?

Code came from an authentic source and was not modified.

Applications dependent on secure databases have a core of ______ databases.

relational

Match the definition with the term:

  • Integrity Measurement = Essential part of application security.
  • Tokenization = Replaces personal identifiers.
  • Code Obfuscation = Camouflaging code.
  • Software Diversity = Avoid single points of failure.

Maintaining sensitive personal information in databases exposes an organization to:

Potential risk if data is stolen by an attacker (B)

Data Minimization is the least effective defense for protecting against data exposure.

False (B)

What is the best way to protect against the risk of stolen information?

Data minimization

______ replaces personal identifiers that might directly reveal an individual's identity with a unique identifier using a lookup table.

tokenization

Match the descriptions:

  • SDK = Collections of software libraries.
  • Private Key = The developer signing the code does so using this.
  • Hashing = Uses a cryptographic hash function.
  • Code Signing = Digitally sign their code with their own private key.

Flashcards

Outsourced Code Testing

Ensure outsourced code undergoes the same rigorous testing as internally developed code.

Software Diversity

Aim to eliminate single points of failure in software development to reduce availability risks.

Code Repositories

Centralized locations for storing and managing application source code, enabling secure storage and coordinated changes among developers.

Version Control

Tracking changes and enabling the rollback of code to earlier versions.

Code Reuse

Promotes code reuse by making code accessible to developers, reducing the need to start from scratch.

Software Libraries

Shared code objects that perform related functions, simplifying development by providing pre-built functionalities.

Software Development Kits (SDKs)

Collections of software libraries combined with documentation, examples, and resources to help programmers quickly start developing.

Code Signing

Verifying the authenticity of code to end-users using cryptographic signatures, ensuring that the code is legitimate and unmodified.

Tokenization

A technique that replaces sensitive identifiers with a unique identifier using a lookup table.

Database Security

Securing databases by implementing practices like data minimization and tokenization.

Parameterized Queries

Passing user inputs as variables to a pre-compiled SQL statement instead of directly inserting code.

Stored Procedures

A technique to protect applications against injection attacks by passing user inputs to a pre-compiled query template stored on the database server.

Input Validation

A security measure that prevents malicious traffic from reaching the web server.

Web Application Firewalls (WAFs)

A security measure that focuses on protecting application code by using input validation.

Study Notes

  • Organizations may introduce third-party code by outsourcing code development, making security testing of outsourced code as important as internally developed code.
  • Security professionals should know how third-party code is used and how their organization makes services available, because security flaws often arise in shared code.
  • Vigilance about security updates is crucial due to the dependencies created by shared code.

Software Diversity

  • Security professionals aim to avoid single points of failure to prevent availability risks from single component issues.
  • Monitoring dependencies on single source code, binary executables, or compilers is vital, even if eliminating all dependencies is impossible.
  • Tracking dependencies is a key element in maintaining a secure codebase.

Code Repositories

  • These are centralized locations for application source code storage and management.
  • Their main purpose is storing source files used in software development in a centralized, secure location that allows for change coordination among developers.
  • Code repositories offer version control, tracking changes, and allowing code rollback to earlier versions when needed.
  • Code repositories facilitate software development by enabling organized collaboration and meet the needs of security/auditing professionals through automated auditing/logging of changes.
  • Exposing code promotes code reuse; developers can search for and reuse code for specific functions instead of starting from scratch.
  • May be public, offering open-source code, or private, for internal organizational use.
  • They help avoid the problem of dead code, where no one is responsible for the code or knows the location of the original source files.
  • They are an important part of application security, but only one aspect of code management, which means cybersecurity teams should work with developers to properly provision and deprovision applications following approved release management processes.

Code Security

  • Software developers take steps to secure the creation, storage, and delivery of their code using various methods.

Code Signing

  • Code signing allows developers to confirm code authenticity to end-users.
  • Developers use a cryptographic function to digitally sign code with a private key, with browsers using the developer's public key to verify the signature.
  • This ensures the code is legitimate and unchanged by unauthorized individuals; lacking this can lead to users running inauthentic code.
  • Code signing relies on the digital signature process; the developer signs with a private key, and the public key is in a digital certificate distributed with the application.
  • Users get the certificate with the application, and their system uses the certificate's public key for signature verification.
  • Code signing guarantees code origin and integrity, but it does not guarantee the code is free of malicious content; malicious code still passes signature verification if the developer signs it.

Code Reuse

  • Many organizations reuse internal and third-party software libraries and software development kits (SDKs).
  • Libraries are shared code objects for related functions, such as biology research, financial analysis, or social media.
  • Instead of writing all code, developers can locate and use libraries with relevant functions.
  • Organizations often publish SDKs to make libraries more accessible.
  • SDKs are software library collections with documentation, examples, and resources that help programmers quickly start developing.
  • SDKs also include utilities to help developers design and test code.
  • Parameter pollution attacks exploit web platforms that improperly handle multiple copies of the same parameter.
  • Modern platforms often defend against parameter pollution, but successful attacks still occur due to unpatched systems or insecure custom code.

Web Application Firewalls

  • Web application firewalls (WAFs) play an important role in securing web applications against attacks.
  • Developers should build strong application-level defenses, such as input validation and parameterized queries, into their applications.
  • Applications may contain injection flaws due to insufficient developer testing or delayed vendor patches.
  • WAFs operate like network firewalls but at the Application layer of the OSI model.
  • A WAF sits in front of a web server, and processes all network traffic.
  • The WAF scrutinizes input, performs validation using whitelisting/blacklisting, and stops malicious traffic before it reaches the web server, providing a layered defense against web application vulnerabilities.

Database Security

  • Secure applications depend on secure databases to provide necessary content and transaction processing.
  • Relational databases are at the core of modern applications; securing them goes beyond protection against SQL injection attacks.
  • Cybersecurity professionals need deep knowledge of secure database administration practices.

Parameterized Queries and Stored Procedures

  • Parameterized queries protect applications against injection attacks.
  • With parameterized queries, developers prepare the SQL statement first and then bind user input as typed variables, so the input is never parsed as code; Java uses PreparedStatement(), while PHP uses bindParam().
  • Stored procedures work similarly, but SQL code is on the database server, not in the application.
  • The client sends arguments to the server, which inserts those into a precompiled query template, thereby preventing injection attacks and improving database performance.
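A worked version of the two bullets above, added here and not part of the lesson: Python's sqlite3 module stands in for the Java PreparedStatement and PHP bindParam the notes mention, and the students table is constructed sample data. The string-built query lets the database read input as SQL; the parameterized one binds it as a value.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not from the lesson)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, gpa REAL)")
    conn.executemany(
        "INSERT INTO students (name, gpa) VALUES (?, ?)",
        [("alice", 3.9), ("bob", 3.1), ("o'brien", 3.5)],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so the database
    cannot tell data from code. An apostrophe in a legitimate name breaks the
    statement, and a crafted value rewrites the WHERE clause."""
    sql = f"SELECT name FROM students WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized: the statement is prepared with a placeholder and the
    input is bound as a value. Whatever it contains, it is only ever compared
    against the name column, never parsed as SQL."""
    sql = "SELECT name FROM students WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic textbook input that should match nothing
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # [] (no student has that name)
    print("safe:  ", lookup_safe(db, "o'brien"))  # ["o'brien"], quote handled
```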

Obfuscation and Camouflage

  • Organizations risk data theft by maintaining sensitive personal information in databases.
  • Minimize data; do not collect unnecessary sensitive information and dispose of sensitive information when no longer needed.
  • Data minimization reduces risk by preventing the loss of control of information that is not stored.
  • Tokenization replaces direct personal identifiers with unique identifiers using lookup tables.
  • A widely known value, such as a student ID, is replaced with a randomly generated 10-digit number.
  • Maintain a lookup table to convert the values if needed, while keeping the lookup table secure.
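An added example, not from the lesson, covering the tokenization bullets above and the hashing and salting items from the quiz: a lookup-table token vault issuing the 10-digit tokens the notes describe, beside an irreversible salted hash. The student IDs and the 16-byte salt length are constructed assumptions.

```python
import hashlib
import os
import secrets


class TokenVault:
    """Tokenization: a direct identifier (e.g. a student ID) is swapped for a
    random 10-digit token. The only way back is this lookup table, so the
    table must be protected as carefully as the original data."""

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value):
        # Reuse the existing token so the same identifier always maps the same way.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = f"{secrets.randbelow(10 ** 10):010d}"  # 10 decimal digits
            if token not in self._token_to_value:  # guard against a collision
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token):
        # Reversible, but only for whoever holds the lookup table.
        return self._token_to_value.get(token)


def hash_identifier(value, salt=None):
    """Hashing: an irreversible replacement. With a fresh random salt per
    record, equal identifiers yield different digests and a precomputed
    (rainbow) table built for plain SHA-256 is useless; the salt must be
    stored alongside the digest if the value ever needs to be re-matched."""
    if salt is None:
        salt = os.urandom(16)  # constructed choice of salt length
    digest = hashlib.sha256(salt + value.encode("utf-8")).hexdigest()
    return salt, digest


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("S12345678")            # constructed sample ID
    print(tok, vault.detokenize(tok))             # token, then the original ID
    print(hash_identifier("S12345678")[1])        # 64-hex salted digest
```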
