Contents
hide
INTRODUCTION – APPLICATION SECURITY AND TESTING
Welcome to the differentiated learning that will provide you with an opportunity to understand the complicated connection of an application architecture, security, as well as the DevSecOps practice as a whole. It provides a tutorial on the fundamental principles and methods essential for designing, developing, and securing present-day software applications.
The course in-depth examines the gateways of application architectures, security measures, and *the new bard* of DevSecOps while empowering you with all the knowledge necessary to build robust, secure, and high-performing software ecosystems. Concurrences between application design and security strategies, as well as the principles of DevSecOps, are unlocked for you so you can have the tools and knowledge to thrive in the fast-changing world of software development.
Learning Objectives
- At the end of this module, you will be able to:
- Defend Against Cross-Site Scripting (XSS): Define XSS, understand its dangers, and describe strategies to prevent it.
- Write Secure Code: Apply best practices in secure application code development.
- Understand DevSecOps: Explain the principles of DevSecOps and how they touch the security of applications.
- Navigate the Security Standards: Identify major security standards, regulations, and application in software development.
- Summarize the OWASP Top 10: Describe and mitigate the most important application security risks.
- Analyze Application Threats: Common threats and attack methodologies involved in the application.
- Use Security Tools: Techniques and tools to improve security in applications.
- Evaluate Software Development Lifecycles: For instance differentiate between the different SDLC models and implications those have on security.
- Leverage Security Patterns: Use tried and true security patterns to aid in speedily implementing secure infrastructures and interfaces between applications and services.
SECURITY ARCHITECTURE CONSIDERATIONS KNOWLEDGE CHECK
1. True or False. A security architect’s job is to make sure that security considerations dominate other design aspects such as usability, resilience and cost.
- True
- False (CORRECT)
2. Which of these is an aspect of an Enterprise Architecture?
- Considers the needs of the entire organization (CORRECT)
- Gives the technology perspectives in detail
- Describes how specific products or technologies are used
- Shows the internal data and use of reusable or off-the-shelf components
3. Which of these is an aspect of a Solution Architecture?
- Does not describe the internals of the main components or how they will be implemented
- Describes how specific products or technologies are used (CORRECT)
- Maps the main components of a problem space and solution at a very high level
- Considers the needs of the entire organization
4. Which three (3) of these are general features of Building Blocks? (Select 3)
- Defined boundary, but can work with other building blocks (CORRECT)
- Package of function defined to meet a business need (CORRECT)
- May be product or vendor aware
- Could be an actor, business service, application or data (CORRECT)
5. Which three (3) of these are Architecture Building Blocks (ABBs)? (Select 3)
- Certificate Authority
- Data Security (CORRECT)
- Identity and Access Management (CORRECT)
- Application Security (CORRECT)
Partially correct
6. Which three (3) of these are Solution Building Blocks (SBBs)? (Select 3)
- Key Security Manager (CORRECT)
- HSM (CORRECT)
- Certificate Authority (CORRECT)
- Data Security
Partially correct!
7. The diagram below shows which type of architecture?
- Context-Aware Enterprise Security Architecture
- Solution Architecture
- Enterprise Security Architecture (CORRECT)
- Solution Building Blocks
8. Solution architectures often contain diagrams like the one below. What does this diagram show?
- Functional components and data flow
- Enterprise architecture
- External context and boundary diagram
- Architecture overview (CORRECT)
9. In security architecture, a reusable solution to a commonly recurring problem is known as what?
- A module
- A component
- A blueprint
- A pattern (CORRECT)
APPLICATION SECURITY TECHNIQUES AND RISKS KNOWLEDGE CHECK
1. Which of these is an application security threat?
- Earthquake
- Malware (CORRECT)
- Hackers
- A security flaw in source code
2. Failure to use input validation in your application introduces what?
- A vulnerability (CORRECT)
- A threat
- A vector
- A risk
3. Which software development lifecycle is characterized as a top-down approach where one stage of the project is completed before the next stage begins?
- Iterative
- Agile and Scrum
- Waterfall (CORRECT)
- Spiral
4. Which form of penetration testing allows the testers complete knowledge of the systems they are trying to penetrate in advance of their attack to simulate an internal attack from a knowledgeable insider?
- Red Box Testing
- White Box testing (CORRECT)
- Black Box Testing
- Gray Box Testing
5. Which application testing method requires access to the original application source code?
- SAST: Static Application Security Testing (CORRECT)
- IAST: Interactive Application Security Testing
- DAST: Dynamic Security Application Testing
- PAST: Passive Application Security Testing
6. Which three (3) steps are part of a Supplier Risk Assessment? (Select 3)
- Identify how the risk would impact the business (CORRECT)
- Identify how any risks would impact your organization’s business (CORRECT)
- Determine the likelihood the risk would interrupt the business (CORRECT)
- Identify mitigations that would minimize or eliminate the risk
Partially correct!
7. What type of firewall should you install to protect applications used by your organization from hacking?
- A statefull firewall
- A web application firewall (WAF) (CORRECT)
- A Juniper firewall
- A stateless firewall
8. Which type of application attack would include elevation of privilege, data tampering and luring attacks?
- Configuration management
- Authorization (CORRECT)
- Auditing and logging
- Exception management
9. Which type of application attack would include information disclosure and denial of service?
- Exception management
- Authorization
- Authentication (CORRECT)
- Configuration management
10. Which one of the OWASP Top 10 Application Security Risks would be occur when untrusted data is sent to an interpreter as part of a command or query?
- Injection (CORRECT)
- XML external entities (XXE)
- Broken authentication
- Sensitive data exposure
11. Which one of the OWASP Top 10 Application Security Risks would be occur when a poorly configured XML processor evaluates an external entity reference within an XML document allowing the external entity to expose internal files?
- XML external entities (XXE) (CORRECT)
- Security misconfiguration
- Broken access control
- Cross-site scripting
12. Which of these threat modeling methodologies was introduced in 1999 at Microsoft to provide their developer’s a mnemonic that would help them find security vulnerabilities in their products?
- STRIDE (CORRECT)
- TRIKE
- VAST
- P.A.S.T.A.
13. Security standards do not have the force of law but security regulations do. Which one of these is a security regulation?
- ISO 27034/24772
- Gramm-Leach-Bliley Act (CORRECT)
- DISA-STIG
- PCI-DSS
DEVSECOPS & SECURITY AUTOMATION KNOWLEDGE CHECK
1. Which phase of DevSecOps would contain the activities Threat modeling & risk analysis, Security backlog and Architecture & design?
- Code & build
- Operate & monitor
- Plan
- Release, deploy & decommission (CORRECT)
- Test
2. Which phase of DevSecOps would contain the activities Continuous component control, Application and infrastructure orchestration, and Data cleansing & retention?
- Reports
- Charts (Correct)
- Graphs (Correct)
- Maps (Correct)
Correct: Data visualization utilizes tools like graphs, maps, and charts.
3. The Release step in the DevSecOps Release, Deploy & Decommission phase contains which of these activities?
- Creation of Immutable images
- IAM controls to regulate authorization
- Centralized Key-Value & Secret stores
- Versioning of infrastructure (CORRECT)
4. The Detect & Visualize step in the DevSecOps Operate & Monitor phase contains which of these activities?
- Inventory (CORRECT)
- Chaos engineering
- Virtual Patching
- Root Cause Analysis
Data analysts hold several roles within their works. In this part of the course, you learn about some of these roles and the fundamental skills used by analysts. You will also learn analytical thinking as well as its relevance to data-driven decision making.
Learning Objectives
- Define the terms data and decision-driven. Clarify the examples What are the most important attributes of analytical thinking?
- Self-assessment of analytical thinking should be accompanied by examples of the situations in which analytical thinking has been applied to carry out Individual tasks.
- Understand the five fundamental analytical abilities of a data analyst.
- How analytical thinking leads to better decision-making.
- How to question better going forward.
DEEP DIVE INTO CROSS-SCRIPTING KNOWLEDGE CHECK
1. True or False. Finding a bug in a software product from a major vendor can be very profitable for a security researcher.
- True (CORRECT)
- False
2. Which is the top vulnerability found in common security products?
- Cross-site scripting (CORRECT)
- Use of broken or risky cryptographic algorithms
- Password in clear text
- SQL Injection
3. True or False. Building software defenses into your software includes: input validation, output sensitization, strong encryption, strong authentication and authorization.
- True (CORRECT)
- False
4. Complete the following statement. Cross-site scripting ____
- allows a hacker to write a script that links applications across sites.
- is a rare hack but a potentially dangerous one.
- is limited to http parameters and can be defeated by using https.
- allows attackers to inject client-side scripts into a web page. (CORRECT)
5. True or False. A Stored XSS attack is potentially far more dangerous than a Reflected XSS attack.
- True (CORRECT)
- False
6. Cross-site scripting attacks can be minimized by using HTML and URL Encoding. How would a browser display this string?: <b>Test</b>
- <b>Test</b>
- <<Test>>
- <b>Test</b> (CORRECT)
- Test
7. Which is the most effective means of validating user input?
- Client-side input validation
- Server-side input validation
- Blacklisting
- Whitelisting (CORRECT)
APPLICATION TESTING GRADED ASSESSMENT
1. True or False. A security architect’s job is to make sure that security considerations are balanced against other design aspects such as usability, resilience and cost.
- True (CORRECT)
- FALSE
2. Which of these is an aspect of an Enterprise Architecture?
- Maps the main components of a problem space and solution at a very high level. (CORRECT)
- Describes how specific products or technologies are used
- Gives the technology perspectives in detail
- Shows the internal data and use of reusable or off-the-shelf components
3. Which of these is an aspect of a Solution Architecture?
- Maps the main components of a problem space and solution at a very high level
- Considers the needs of the entire organization
- Does not describe the internals of the main components or how they will be implemented
- Shows the internal data and use of reusable or off-the-shelf components (CORRECT)
4. Which three (3) of these are features of Architecture Building Blocks (ABBs)? (Select 3)
- Guides the development of a Solution Architecture (CORRECT)
- Specifies the technical components to implement a function
- Product and vendor neutral (CORRECT)
- Captures and defines requirements such as function, data, and application (CORRECT)
Partially correct!
5. Which three (3) of these are Architecture Building Blocks (ABBs)? (Select 3
- Infrastructure and Endpoint Security (CORRECT)
- Detect and Respond (CORRECT)
- Identity and Access Management (CORRECT)
- Key Security Manager
Partially correct!
6. Which three (3) of these are Solution Building Blocks (SBBs)? (Select 3)
- Application Security
- Hardware Token (CORRECT)
- Privilege Access Manager (CORRECT)
- Web Application Firewall (WAF) (CORRECT)
Partially correct!
7. The diagram below shows which level of architecture?
- Enterprise architecture
- External context and boundry diagram
- Functional components and data flow
- Solution architecture overview (CORRECT)
8. Solution architectures often contain diagrams like the one below. What does this diagram show?
- Enterprise architecture
- External context and boundry diagram
- Functional components and data flow
- Solution architecture overview (CORRECT)
9. Solution architectures often contain diagrams like the one below. What does this diagram show?
- Enterprise architecture
- Functional components and data flow
- External context and boundary diagram (CORRECT)
- Architecture overview
10. What is lacking in a security architecture pattern that prevents it from being used as a finished design?
- Proper level of abstraction
- Proper formatting
- The context of the project at hand (CORRECT)
- Vendor selections
11. What are the possible consequences if a bug in your application becomes known?
- It is embarrassing to your company
- Financial losses via lawsuits and fines can be very significant
- Government agencies can impose fines and other sanctions against your company
- All of the above (CORRECT)
12. What was the ultimate consequence to Target Stores in the United States from their 2013 data breach in which over 100M records were stolen?
- Costs and fines estimated at $1B. (CORRECT)
- Criminal negligence charges were filed 3 Target executives, 1 of whom received a prison sentence
- Costs and fines that forced the company into bankruptcy
- Costs of $10M and reputational damage only.
13. Select the two (2) top vulnerabilities found in common security products. (Select 2)
- Cross-site request forgery (CORRECT)
- Cross-site scripting (CORRECT)
- SQL Injection
- Use of hard-coded credentials
Partially correct!
14. True or False. If you can isolate your product from the Internet, it is safe from being hacked.
- True
- False (CORRECT)
15. Which three (3) things can Cross-site scripting be used for? (Select 3)
- Steal cookies (CORRECT)
- Harvest credentials (CORRECT)
- Take over sessions (CORRECT)
- Break encryption
Partially correct!
16. True or False. Commonly a Reflect XSS attack is sent as part of an Email or a malicious link and affects only the the user who receives the Email or link.
- True (CORRECT)
- False
17. Cross-site scripting attacks can be minimized by using HTML and URL Encoding. How would a browser display this string?:
<b>Password</b>
- <<Password>>
- Password
- <b>Password</b> (CORRECT)
- <b>Password</b>
18. Which three (3) statements about whitelisting user input are true? (Select 3)
- Whitelisting reduces the attack surface to a known quantity (CORRECT)
- Special characters should only be allowed on an exception basis (CORRECT)
- Single quotes should never be allowed as user input
- Whenever possible, input should be whitelisted to alphanumeric values to prevent XSS (CORRECT)
Partially correct!
19. Which two (2) statements are considered good practice for avoiding XSS attacks (Select 2)
- Encode all data output as part of HTML and JavaScript (CORRECT)
- Develop you own validation or encoding functionality that is customized for your application
- Use strict whitelists on accepting input (CORRECT)
- Use blacklists and client-side validation
Partially correct!
20. How would you classify a hactivist group who thinks that your company’s stance on climate change threatens the survival of the planet?
- A vector
- A threat (CORRECT)
- A vulnerability
- A risk
21. Which software development lifecycle is characterized by short bursts of analysis, design, coding and testing during a series of 1 to 4 week sprints?
- Agile and Scrum (CORRECT)
- Spiral
- Waterfall
- Iterative
22. Which software development lifecycle is characterized by a series of cycles and an emphasis on security?
- Spiral (CORRECT)
- Waterfall
- Agile and Scrum
- Iterative
23. Which form of penetration testing allows the testers no knowledge of the systems they are trying to penetrate in advance of their attack to simulate an external attack by hackers with no knowledge of an organizations systems?
- Black Box Testing (CORRECT)
- Red Box Testing
- Gray Box Testing
- White Box testing
24. Which application testing method requires a URL to the application, is quick and cheap but also produces the most false-positive results?
- PAST: Passive Application Security Testing
- SAST: Static Application Security Testing
- DAST: Dynamic Security Application Testing (CORRECT)
- IAST Interactive Application Security Testing
25. Which type of application attack would include buffer overflow, cross-site scripting, and SQL injection?
- Authentication
- Configuration management
- Authorization
- Input validation (CORRECT)
26. Which type of application attack would include unauthorized access to configuration stores, unauthorized access to administration interfaces and over-privileged process and service accounts?
- Auditing and logging
- Authentication
- Configuration management (CORRECT)
- Exception management
27. Which one of the OWASP Top 10 Application Security Risks would occur when authentication and session management functions are implemented incorrectly allowing attackers to compromise passwords, keys or session tokens.
- Sensitive data exposure
- Broken authentication (CORRECT)
- XML external entities (XXE)
- Broken access control
28. Which one of the OWASP Top 10 Application Security Risks would occur when restrictions on what a user is allowed to do is not properly enforced?.
- Insecure deserialization
- Security misconfiguration
- Cross-site scripting
- Broken access control (CORRECT)
29. Which of these threat modeling methodologies is integrated seamlessly into an Agile development methodology?
- VAST (CORRECT)
- P.A.S.T.A.
- TRIKE
- STRIDE
30. Security standards do not have the force of law but security regulations do. Which one of these is a security regulation?
- Operate & monitor
- Plan
- Release, deploy & decommission
- Code & build (CORRECT)
- Test
31. Which phase of DevSecOps would contain the activities Secure application code, Secure infrastructure configuration, and OSS/COTS validation?
- Online advertising (Correct)
- Word-of-mouth advertising
- Direct mail advertising
- Billboard advertising
Correct: Whether a brick-and-mortar store or online retailer, online advertising is now a popular method for most businesses’ advertising purposes.
32. Which phase of DevSecOps would contain the activities Detect & Visualize, Respond, and Recover?
- Release, deploy & decommission
- Test
- Operate & monitor (CORRECT)
- Plan
- Code & build
33. The Deploy step in the DevSecOps Release, Deploy & Decommission phase contains which of these activities?
- Data backup cleansing
- Versioning of infrastructure
- IAM controles to regulate authorization
- Creation of Immutable images (CORRECT)
34. The Respond step in the DevSecOps Operate & Monitor phase contains which of these activities?
- Root Cause Analysis
- Inventory
- Chaos engineering
- Virtual Patching (CORRECT)
CONCLUSION – Application Security and Testing
Ultimately, this module now opens up both eyes to the various aspects of application architecture, security and DevSecOps that have been rather knowledgeable to participants. It further covers all the principles and practices in view of those audiences and equips them with a full understanding of how the software will be designed, secured, and managed.
By successful implementation of DevSecOps methodologies, the participants will now learn how to integrate security into all software development life cycles, so as to build the culture of continuous security improvement in a process. These skills will make all participants well prepared to have a very robust contribution in developing strong, resilient, and secure software systems that are able to solve the problems of continuously shifting threats.