CHAPTER 14

Secure Software Development

This chapter includes questions on the following topics:

•   The software development lifecycle (SDLC)

•   General principles for secure software development

•   How to ensure the security of software

•   Best practices for secure coding

As often as we hear about software vulnerabilities and security incidents related to software, we should wonder why common security flaws continue to appear in new applications. The answer is that discussing security requirements during software development is still not a common priority. Too often security needs are considered far along in the software development lifecycle, if at all, prior to the application's launch. As a CySA+ analyst, you will need to take an active approach to ensuring security needs are met during software development.

To be engaged with meeting security requirements during software development, you do not need to be a software developer yourself. You only need to appreciate the importance of information security (which undoubtedly you do) and understand several best practices in secure software development. Your ability to communicate these with developer peers will make both your lives much easier in the end.

Q     QUESTIONS

1.  A developer has just finished modifying an application—specifically, how input is processed. As part of the development cycle, their application must go through testing to determine what, if any, security vulnerabilities might exist as a result. What technique should a tester use to find any flaws in the developer’s changes?

A.  Web application vulnerability scanning

B.  SQL injection

C.  User acceptance

D.  Fuzzing

2.  The finance application seems to operate fine, so long as only a few people are connected to it. However, at the end of the month, when nearly everyone in the company connects to this application, it actually freezes. Even after people stop trying, the application is locked up until an administrator resets it. What type of software testing should have caught this problem?

A.  Input validation testing

B.  Fuzzing

C.  Regression testing

D.  Stress testing

3.  What organization, best known for its Top Ten list, specializes in web security issues?

A.  SANS Institute

B.  CMMI

C.  OWASP

D.  CIS

4.  To reduce the number of modifications soon after an application’s release, what practice is done to verify the application will be used as developers expected?

A.  Stress testing

B.  Static code analysis

C.  User acceptance testing

D.  Manual peer review

Use the following scenario to answer Questions 5–7:

Tywin is the CEO of a factory where most employees are paid hourly. Employees must submit on paper all their expected hours for the week by Tuesday to get paid on Friday. Jon, the factory floor manager, shares with Tywin that every week he hears the same complaints from employees: “How do I know by Tuesday that my schedule won’t change by Friday?” Understanding the need for a quicker way to submit hours, Tywin remembers that his neighbor’s son, Sam, has been taking web development courses at a university for a few semesters. Therefore, Tywin offers Sam an opportunity to help.

After a few weeks of development, Sam launches a web application. Employees are told to authenticate and enter their hours using this application. The application then submits the hours to the Finance department and tells employees how much they can expect to get paid on Friday. Hours can be submitted as late as Thursday night. Jon reports to Tywin that employees are happy with the web application and it seems to be the subject of a constant buzz around the break room.

5.  A very honest user tells Jon that if a user enters a single quote, followed by “OR 1=1” in the password field, they can make the application reply with the hours of any employee. What part of software development did Sam likely overlook?

A.  Parameter validation

B.  Input validation

C.  Stress testing

D.  Session tokens not randomized

6.  Another honest user, Arya, reports that if she changes the user ID in the URL to someone else’s ID number, she can get the paycheck total for that other person’s week. The same user claims by changing other parameters in the URL, she can make the server reveal much information about itself and the application. If you could hire this Arya to perform security analysis work, what type of work does her experience seem to match?

A.  Regression testing

B.  Interception proxy

C.  User acceptance testing

D.  Vulnerability scanning

7.  Considering the issues discovered to date, what phase of software development was likely missing during the application lifecycle?

A.  Security requirements definition

B.  Stress testing

C.  Security regression testing

D.  Operations and Maintenance

E.  User acceptance testing

8.  What detailed guides published by the CIS are equivalent to the Security Technical Implementation Guides published by the Defense Information Systems Agency and other government entities?

A.  Regression reports

B.  Benchmarks

C.  Security requirements definitions

D.  Secure coding best practice guides

9.  The Center for Internet Security has organized focus groups and built consensus to formulate a group of 20 “CIS Controls.” These controls are separated in groups of Basic, Foundational, and Organizational. What is the intended aim of these controls?

A.  Employee-controlled access

B.  Software development best practices

C.  Wireless access control

D.  System design recommendations

QUICK ANSWER KEY

1.  D

2.  D

3.  C

4.  C

5.  B

6.  D

7.  A

8.  B

9.  D

A     IN-DEPTH ANSWERS

1.  A developer has just finished modifying an application—specifically, how input is processed. As part of the development cycle, their application must go through testing to determine what, if any, security vulnerabilities might exist as a result. What technique should a tester use to find any flaws in the developer’s changes?

A.  Web application vulnerability scanning

B.  SQL injection

C.  User acceptance

D.  Fuzzing

D is correct. Fuzzing, or fuzz testing, is specifically intended to create invalid input or unexpected amounts of input, hoping to trigger an unexpected response. Given a way to monitor that response, security testers can explore how that response could be leveraged into an exploit.

A, B, and C are incorrect. The question does not say the application is a web application, so web application vulnerability scanning is not the general-purpose answer. SQL injection is a single attack against one class of flaw, not a testing technique, and nothing in the question indicates a SQL database is involved. User acceptance testing can reveal how real users enter input, but it is not designed to find input-handling vulnerabilities.
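Fuzzing as described above, shown as an added example that is not from the book: a small mutation fuzzer in Python run against a constructed record parser of the kind a timesheet application might use after a change to input handling. The parser, its seed record, and the mutation strategies are all assumptions for illustration. The harness treats ValueError as the parser's intended rejection of bad input and records any other exception as a crash worth investigating, then re-runs against a hardened parser to confirm the fix.

```python
import random

# Constructed target for this example: parses one "name,hours,rate" record.
# It silently assumes the record has three comma-separated fields.
def parse_timesheet_line(line: str) -> dict:
    fields = line.split(",")
    name = fields[0].strip()
    hours = float(fields[1])   # IndexError on a record with fewer than 2 fields
    rate = float(fields[2])    # IndexError on a record with fewer than 3 fields
    if not name or hours < 0 or rate < 0:
        raise ValueError("invalid record")
    return {"name": name, "pay": round(hours * rate, 2)}


# Hardened version: the field count is validated before anything is indexed,
# so every malformed record is rejected with the same ValueError.
def parse_timesheet_line_fixed(line: str) -> dict:
    fields = line.split(",")
    if len(fields) != 3:
        raise ValueError("expected exactly 3 fields")
    name = fields[0].strip()
    hours = float(fields[1])
    rate = float(fields[2])
    if not name or hours < 0 or rate < 0:
        raise ValueError("invalid record")
    return {"name": name, "pay": round(hours * rate, 2)}


# Characters the mutator may inject: digits, delimiters, signs, NUL, quotes.
ALPHABET = "0123456789,.-e+\x00 ab'\""


def mutate(seed: str, rng: random.Random) -> str:
    """Apply one to four random mutations (flip, insert, delete, repeat)."""
    data = list(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "repeat"))
        if op == "insert":
            data.insert(rng.randint(0, len(data)), rng.choice(ALPHABET))
        elif not data:
            continue
        elif op == "flip":
            data[rng.randrange(len(data))] = rng.choice(ALPHABET)
        elif op == "delete":
            del data[rng.randrange(len(data))]
        else:  # repeat: duplicate one character many times (oversized input)
            i = rng.randrange(len(data))
            data[i:i] = [data[i]] * rng.randint(2, 64)
    return "".join(data)


def fuzz(target, seeds, iterations=1000, rng_seed=1) -> dict:
    """Run target over every truncation of each seed plus random mutations.

    Returns {exception type name: first input that triggered it}. ValueError
    is treated as the target's expected rejection of bad input, not a crash.
    """
    rng = random.Random(rng_seed)
    cases = [s[:i] for s in seeds for i in range(len(s) + 1)]
    cases += [mutate(rng.choice(seeds), rng) for _ in range(iterations)]
    crashes = {}
    for case in cases:
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:   # anything else is unexpected behaviour
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    seeds = ["jon,40,20.00"]   # constructed seed record
    for fn in (parse_timesheet_line, parse_timesheet_line_fixed):
        found = fuzz(fn, seeds)
        print(f"{fn.__name__}: {found or 'no crashes'}")
```

The deterministic truncation pass guarantees the harness exercises the short-record case; the random mutations then cover oversized fields, injected delimiters, and NUL bytes. Distinguishing the exception the code means to raise from the ones it does not is what turns a pile of failures into a list of actual input-handling defects.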

2.  The finance application seems to operate fine, so long as only a few people are connected to it. However, at the end of the month, when nearly everyone in the company connects to this application, it actually freezes. Even after people stop trying, the application is locked up until an administrator resets it. What type of software testing should have caught this problem?

A.  Input validation testing

B.  Fuzzing

C.  Regression testing

D.  Stress testing

D is correct. The symptom (the application works with a few users, hangs under end-of-month load, and stays hung after the load drops) is exactly what stress testing is designed to surface: it pushes the application past its expected capacity to see how it degrades and whether it recovers. Had it been done, this problem would have been caught before release.

A, B, and C are incorrect. The application handles any individual request correctly; it fails only under load. Input validation testing and fuzzing both exercise how the application handles a single input, not how it behaves when many users connect at once. Regression testing checks that a code change has not reintroduced old problems or created new ones, so it is not aimed at capacity either.

3.  What organization, best known for its Top Ten list, specializes in web security issues?

A.  SANS Institute

B.  CMMI

C.  OWASP

D.  CIS

C is correct. OWASP (originally the Open Web Application Security Project, renamed the Open Worldwide Application Security Project in 2023) is the organization that specifically addresses web and application security. It is best known for its Top Ten list of the most critical web application security risks, which is revised every few years rather than annually.

A, B, and D are incorrect. SANS Institute is an authority on security, be it web, application, system, or network, but does not specialize in web security. CMMI is the Capability Maturity Model Integration, the well-known five-level maturity model originally developed by the Software Engineering Institute, a federally funded research and development center at Carnegie Mellon University, and now administered by ISACA's CMMI Institute. The Center for Internet Security (CIS) is a nonprofit organization best known for its consensus-developed Benchmarks and Controls, not for web application security specifically.

4.  To reduce the number of modifications soon after an application’s release, what practice is done to verify the application will be used as developers expected?

A.  Stress testing

B.  Static code analysis

C.  User acceptance testing

D.  Manual peer review

C is correct. Before an application gets released, it's common to have it tested by a handful of users. These early users will report on what should be changed before the application goes to a wider audience. This is called user acceptance testing.

A, B, and D are incorrect. Stress testing involves pushing the application to its limits to see what breaks or fails first. Static code analysis is an automated form of reviewing code without having to run the program. This is typically performed by a specialized application. Manual peer review is a slower but methodical code review done by the developers' peers. This code review allows others to catch the simple errors or typos that developers might too easily skip over from being so familiar with the code.

Use the following scenario to answer Questions 5–7:

Tywin is the CEO of a factory where most employees are paid hourly. Employees must submit on paper all their expected hours for the week by Tuesday to get paid on Friday. Jon, the factory floor manager, shares with Tywin that every week he hears the same complaints from employees: “How do I know by Tuesday that my schedule won’t change by Friday?” Understanding the need for a quicker way to submit hours, Tywin remembers that his neighbor’s son, Sam, has been taking web development courses at a university for a few semesters. Therefore, Tywin offers Sam an opportunity to help.

After a few weeks of development, Sam launches a web application. Employees are told to authenticate and enter their hours using this application. The application then submits the hours to the Finance department and tells employees how much they can expect to get paid on Friday. Hours can be submitted as late as Thursday night. Jon reports to Tywin that employees are happy with the web application and it seems to be the subject of a constant buzz around the break room.

5.  A very honest user tells Jon that if a user enters a single quote, followed by “OR 1=1” in the password field, they can make the application reply with the hours of any employee. What part of software development did Sam likely overlook?

A.  Parameter validation

B.  Input validation

C.  Stress testing

D.  Session tokens not randomized

B is correct. The payload is a classic SQL injection: the single quote closes the string literal the application built around the password, and the OR 1=1 clause makes the WHERE condition true for every row, so the query matches every employee. Input validation, the coding practice of verifying that a user's input falls within the expected range in size, character types, and format, is what Sam overlooked. In practice it should be paired with parameterized queries, so that user input is never concatenated into SQL at all.

A, C, and D are incorrect. Parameter validation is the coding practice of verifying that the information passed is what the application expects. It's similar to input validation, but parameter validation might also check input from another portion of the application or another application entirely. Stress testing involves pushing the application to its limits to see what breaks or fails first. Lastly, session tokens not being randomized is incorrect, as session tokens aren't mentioned and aren't relevant to the attack.

6.  Another honest user, Arya, reports that if she changes the user ID in the URL to someone else’s ID number, she can get the paycheck total for that other person’s week. The same user claims by changing other parameters in the URL, she can make the server reveal much information about itself and the application. If you could hire this Arya to perform security analysis work, what type of work does her experience seem to match?

A.  Regression testing

B.  Interception proxy

C.  User acceptance testing

D.  Vulnerability scanning

D is correct. Arya is doing by hand what a vulnerability scanner does systematically. Changing the user ID in the URL to retrieve another employee's paycheck is an insecure direct object reference (a broken access control flaw: the application looks up whatever ID it is given without checking that it belongs to the logged-in user), and tampering with other parameters surfaced information leakage about the server and the application. Web application vulnerability scanning encompasses these and many other checks, including cross-site scripting (XSS), improper use of HTTPS, weak authentication, and more.

A, B, and C are incorrect. Regression testing applies after a modification; this is the application's first release, so there is nothing to regress against. An interception proxy is a software tool, not a person's role: it sits between the browser and the server so an analyst can inspect and modify requests and responses, which is how Arya's URL tampering would be reproduced methodically. User acceptance testing is done by a handful of users before release so they can report what should change before the application goes to a wider audience; Arya's probing goes well beyond confirming the application does what users expect, so her experience matches security analysis rather than acceptance testing.

7.  Considering the issues discovered to date, what phase of software development was likely missing during the application lifecycle?

A.  Security requirements definition

B.  Stress testing

C.  Security regression testing

D.  Operations and Maintenance

E.  User acceptance testing

A is correct. It seems the developer did very little security testing prior to the application's release. If security requirements had been submitted and followed closely over the course of development, many of these issues could have been avoided. Truly, these are dark times.

B, C, D, and E are incorrect. Stress testing involves trying to break an application by making it work far harder than intended. Regression testing is testing the application after a modification to ensure new vulnerabilities were not introduced. Operations and Maintenance is the continued care of the application after its release, so this option doesn't actually apply to the question. User acceptance testing describes how an application gets tested by a handful of users prior to release. Early users can report what should be changed before the application goes to a wider audience.
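The two flaws found in Sam's application, shown as an added example that is not from the book: a constructed in-memory SQLite payroll table, a login built by string formatting (Question 5) beside its parameterized fix, and a paycheck lookup that trusts the id in the URL (Question 6) beside one that validates the parameter and checks it against the authenticated session. The table, usernames, pay figures, and URL shape are assumptions for illustration. The injection payload uses the balanced form ' OR '1'='1 so the resulting query stays syntactically valid.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the factory's payroll table.
    Passwords are stored in plaintext only to keep the example short; a real
    application would store salted password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, hours REAL, rate REAL)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", [
        (1, "jon", "winter", 40.0, 20.0),
        (2, "arya", "needle", 35.0, 18.0),
    ])
    return db


# --- Question 5: the login that the ' OR '1'='1 payload defeats -------------

def login_vulnerable(db, username: str, password: str) -> list:
    """Builds the query by string formatting, so quotes in the input become SQL."""
    query = (f"SELECT id FROM employees WHERE username = '{username}' "
             f"AND password = '{password}'")
    return sorted(row[0] for row in db.execute(query))


def login_safe(db, username: str, password: str) -> list:
    """Parameterized query: the driver passes input as data, never as SQL."""
    rows = db.execute("SELECT id FROM employees WHERE username = ? AND password = ?",
                      (username, password))
    return sorted(row[0] for row in rows)


# --- Question 6: the paycheck lookup that trusts the id in the URL ----------

def employee_id_from_url(url: str) -> int:
    """Parameter validation: id must be present exactly once and be numeric."""
    values = parse_qs(urlsplit(url).query).get("id", [])
    if len(values) != 1 or not values[0].isdigit():
        raise ValueError("id must be a single positive integer")
    return int(values[0])


def paycheck_vulnerable(db, session_user_id: int, url: str):
    """Insecure direct object reference: the session user is never consulted,
    so any authenticated user can read any employee's pay."""
    requested = employee_id_from_url(url)
    row = db.execute("SELECT hours * rate FROM employees WHERE id = ?",
                     (requested,)).fetchone()
    return row[0] if row else None


def paycheck_safe(db, session_user_id: int, url: str):
    """Authorization check: the requested record must belong to the session user."""
    requested = employee_id_from_url(url)
    if requested != session_user_id:
        raise PermissionError("you may only view your own paycheck")
    row = db.execute("SELECT hours * rate FROM employees WHERE id = ?",
                     (requested,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, "jon", payload))        # [1, 2]
    print("safe login:      ", login_safe(db, "jon", payload))              # []
    print("arya reads jon:  ", paycheck_vulnerable(db, 2, "/paycheck?id=1"))  # 800.0
    try:
        paycheck_safe(db, 2, "/paycheck?id=1")
    except PermissionError as err:
        print("safe lookup:     ", err)
```

Note that the fixed lookup still uses a parameterized query for the id; validating the parameter and checking ownership are separate controls, and the IDOR in the vulnerable version exists even though that query was never injectable. That is why a security requirements definition (Question 7) has to spell out authorization rules, not just "validate input".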

8.  What detailed guides published by the CIS are equivalent to the Security Technical Implementation Guides published by the Defense Information Systems Agency and other government entities?

A.  Regression reports

B.  Benchmarks

C.  Security requirements definitions

D.  Secure coding best practice guides

B is correct. The Center for Internet Security Benchmarks are detailed, consensus-developed configuration guides comparable to the STIGs published by DISA and other government agencies. They are free to download and cover operating systems (desktop, mobile, and server), network devices, cloud platforms, and common applications, on both physical and virtual platforms. They are highly recommended for anyone to review and understand.

A, C, and D are incorrect. A regression report would detail what, if any, security vulnerabilities had appeared due to a modification to software. A security requirements definition is a key document that details the security expectations for software. Ideally, this should be drafted in parallel with the software's early requirements and design documents. Secure coding best practice guides are not a CIS publication; OWASP and the SEI CERT coding standards are the usual sources for those.

9.  The Center for Internet Security has organized focus groups and built consensus to formulate a group of 20 “CIS Controls.” These controls are separated in groups of Basic, Foundational, and Organizational. What is the intended aim of these controls?

A.  Employee-controlled access

B.  Software development best practices

C.  Wireless access control

D.  System design recommendations

D is correct. The CIS Controls are system design recommendations, grouped into three categories: Basic, Foundational, and Organizational. These consensus-based best practices provide a set of actionable recommendations, intended for anyone responsible for information security. Note that the 20-control, Basic/Foundational/Organizational structure describes CIS Controls version 7; version 8, released in 2021, consolidated them into 18 controls and replaced the three groups with Implementation Groups (IG1 through IG3) that prioritize safeguards by an organization's size and risk profile.

A, B, and C are incorrect. Although employee-controlled access, software development, and wireless access controls are all very important, they each represent just one area to be covered by the CIS Controls.
