Secure Programming Intro

Question 1

Secure Programming =

Answer 1

making sure software does what is expected to do and nothing else.
It cannot be misused in any ways.

Question 2

Mindset of Secure Programming:

Answer 2

Following best practices and thinking defensively

Question 3

Task of Software Engineer:

Answer 3

mainly implementation of business requirements but:
- respect security requirements
- Implement designs and policies in Software
- apply security concepts in every step of development cycle

Question 4

Security flaws may be introduced in which step of the SDLC?

Answer 4

any step of the SDLC

Question 5

Apple goto fail

Answer 5

geschweifte Klammern fehlen, weshalb zweites goto
if statement fragt ab ob es Fehler gab, wenn Fehler war != 0, da in return err zurückgegeben wird, sieht es aus wie successful verified.

Question 6

Heartbleed (2014) led to

Answer 6

Memory leakage

Question 7

Heartbleed (2014) Vulnerability

Answer 7

Idea of heartbeat –> check if server is still alive
Client: “Hi server, please say MESSAGE (length of MESSAGE)
Server: “MESSAGE”

Question 8

Cloudbleed let to…

Answer 8

Memory Leakage

Question 9

Cloudbleed Vulnerabilty

Answer 9

Checking end of HTML buffer before copy to output stream –> broken HTML tags caused vulnerable websites to leaking information of other unrelated sites:
- HTTP headers
- Body of HTTP POST (incl. Passwords)
- JSON requests and responses of API calls
- URI parameters
- Cookies and authentication data (such as API keys and OAuth tokens)
- …

Question 10

Was Cloudbleed vulnerability fixed soon?

Answer 10

Yes, but the problem was Search engines cached some of the leaked content

Question 11

Linux Kernel Backdoor (2003)

Answer 11

current uid wird gesetzt durch = und nicht verglichen –> root

Question 12

British Airways Case

Answer 12

22 lines of JavaScript were injected into British Airways website –> Information was sent to server controlled by attackers without disrupting the flow trhough TLS to host baways.com

Question 13

How to react to a reported security vulnerability:

Answer 13

1. Schwachstellen verifizieren
2. Gezielte Kommunikation (Adressaten, Inhalt, Timing)
3. Entwicklung von Patch
4. Bereitstellung von Patch (Einsatz von älteren Versionen berücksichtigen)
5. Lessons learned

Question 14

Risk =

Answer 14

Impact x Probability

Question 15

Risk in Software Development =

Answer 15

Impact x Threat Level x Vulnerability Level

Question 16

Threat Level =

Answer 16

Exposure, capabilities of an attacker like skills, resources incentive

Question 17

Vulnerability Level =

Answer 17

presence and general security of flaw

Question 18

Goal of Secure Programming:

Answer 18

Reducing Vulnerability Level by:
- reducing number of vulnerabilities in the system
- making it hard to exploit them

Question 19

Attack surface =

Answer 19

sum of different attack vectors where unauthorized users can try to enter data to or extract data from an environment

Question 20

Through an attack surface an adversary can:

Answer 20

• modify data or behavior of a system
• observe it (e.g. server versions displayed, memory dumps etc.)

Question 21

Microsoft Vulnerability Mitigation Strategy

Answer 21

Question 22

Security in Software Development Process is needed in…

Answer 22

every step

Question 23

Answer 23

Question 24

Automatisierung ist im ganzen Prozess wichtig, da es…

Answer 24

die Geschwindigkeit erhöht.

Question 25

Design:

Answer 25

- Overview of functionality - Ommiting implementation details - Conceptual, high-level components

Question 26

Implementation:

Answer 26

- Code is written - Details are specified

Question 27

Potential risks from Design to Implementation:

Answer 27

- increased attack surface - higher vulnerability level - changes in threats

Question 28

Example of risk from Design to Implementation

Answer 28

XOR --> funktioniert grundsätzlich, jedoch in Implementation, wenn jemand exakt Spannung messen kann, kann abgeleitet key und cleartext abgeleitet werden

Question 29

SAST =

Answer 29

Static Application Security Testing = Source Code Analysis = Scanning the code commit and/or during development within IDE

Question 30

SAST = Black- or Whitebox?

Answer 30

Whitebox

Question 31

DAST =

Answer 31

Dynamic Application Security Testing = Vulnerability Scan = testing running application without source code or binaries

Question 32

DAST = Black- or Whitebox?

Answer 32

Blackbox

Question 33

SAST Advantages:

Answer 33

- Early vulnerability finding - Scales well - Usable for any type of code / application - Works well for detection of buffer overflows, SQL injection flaws etc. - Developer-friendly output --> exact locations of flaws

Question 34

SAST disadvantage =

Answer 34

Cannot find runtime or environment-related issues

Question 35

DAST advantages:

Answer 35

- Generally for web applications and web services - works well for some configuration issues, outdated libraries etc. - can find runtime or environment-related issues

Question 36

DAST disadvantages:

Answer 36

- Finds vulnerabilities rather alte in SDLC - Scales with limitiations

Question 37

Dependency Analysis -->

Answer 37

update software components regularly (watch for the patch version)

Question 38

Dependency Analysis uses

Answer 38

SBOM (Software Bill of Materials)

Question 39

SBOM (Software Bill of Materials) contains

Answer 39

dependency / package management + scanning NVD / CVE datasets against components in BOM

Question 40

Integrated scanning in pipeline is good but scans should be triggered...

Answer 40

upon updates to vulnerability datasets