Exam (elaborations)

CPO Test | Questions and Answers 2023

Pages: 36
Grade: A+
Uploaded on: 20-01-2025
Written in: 2024/2025

software development vulnerabilities - Buffer overflows; race conditions; input validation attacks; authentication attacks; authorization attacks; cryptographic attacks

Race conditions - A type of software development vulnerability that occurs when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions.

Input validation attacks - If we are not careful to validate the input to our applications, we may find ourselves on the bad side of a number of issues, depending on the particular environment and language being used. A good example of an input validation problem is the format string attack, which could be used to crash an application or cause the operating system to run a command and potentially compromise the system.

Authentication attacks - Target and attempt to exploit the authentication process a web site uses to verify the identity of a user, service, or application.

Authorization attack - A type of attack that can occur when we fail to use authorization best practices for our applications.

Cryptographic attacks - A method for circumventing the security of a cryptographic system by finding a weakness in a code, cipher, cryptographic protocol, or key management scheme.

Client-side attacks - Take advantage of weaknesses in the software loaded on our clients, or use social engineering to trick us into going along with the attack.

Cross-Site Scripting (XSS) - An attack carried out by placing code in the form of a scripting language into a webpage or other media that is interpreted by a client browser, including Adobe Flash and some types of video files. When another person views the webpage or media, they execute the code automatically and the attack is carried out.

Cross-site request forgery (XSRF) - An attack that uses the user's Web browser settings to impersonate the user.

Clickjacking - An attack that tricks users into clicking something other than what they think they're clicking.

Server-side attacks - Attacks that exploit vulnerabilities on the server.

Lack of input validation - Structured Query Language (SQL) injection gives us a strong example of what might happen if we do not properly validate the input of our Web applications. SQL is the language we use to communicate with many of the common databases on the market today.

Improper or inadequate permissions - Particularly with Web applications and pages, there are often sensitive files and directories that will cause security issues if they are exposed to general users. One area that might cause us trouble is the exposure of configuration files due to improper or inadequate permissions.

Extraneous files - Unnecessary files that aren't cleaned up when the application moves from development to production. Leaving extraneous files may hand attackers the materials they need to compromise the system.

Protocol issues - Vulnerabilities often involve common software development issues such as buffer overflows.

Unauthenticated access - When we give a user or process the opportunity to interact with our database without supplying a set of credentials.

Arbitrary code execution - Occurs when an attacker is able to execute or run commands on a victim computer.

Privilege escalation - An attack that exploits a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.

Information security - Keeping data, software, and hardware secure against unauthorized access, use, disclosure, disruption, modification, or destruction.

Compliance - The requirements that are set forth by laws and industry regulations. Examples: HIPAA/HITECH (healthcare), PCI DSS (payment card industry), FISMA (federal government agencies).

CIA - The core model of all information security: confidentiality, integrity, and availability.

Confidentiality - Allowing only those authorized to access the data requested.

Integrity - Keeping data unaltered by accidental or malicious intent.

Availability - The ability to access data when needed.

Parkerian hexad model - Confidentiality, integrity, availability, possession/control, authenticity, utility.

Possession/control - Refers to the physical disposition of the media on which the data is stored.

Authenticity - Allows us to talk about the proper attribution as to the owner or creator of the data in question.

Utility - How useful the data is to us.

Types of attacks - 1. Interception 2. Interruption 3. Modification 4. Fabrication

Packet filtering - A process in which firewalls are configured so that they filter out packets sent to specific logical ports.

Stateful firewall - Uses a state table to keep track of the connection state and will only allow traffic through that is part of a new or already established connection.

Deep packet inspection firewall - Capable of analyzing the actual content of the traffic that is flowing through it. Can reassemble the contents of the traffic to look at what will be delivered to the application it is destined for.

Proxy servers - Can serve as a choke point in order to allow us to filter traffic for attacks or undesirable content such as malware or traffic to Web sites hosting adult content.

DMZ - Demilitarized zone. A combination of a network design feature and a protective device such as a firewall.

