Hardcoded Data
*Data can be directly embedded into the source code of a program, as opposed to obtaining the data from external sources (e.g. databases, files) or generating it at runtime.
Advantages and disadvantages of hardcoded data
Security issues with Web applications
Security issues with hidden form fields
*Hidden fields are used in web pages to pass information about the current page to the server.
*Hidden fields allow us to send all kinds of information, along with form data entered by a user, without the user having to be involved in the process.
*Hidden fields can also be used to pass information back to scripts.
Security issues with reverse engineering
*Software reverse engineering involves converting a program's machine code back into the source-code form it was written in, expressed as programming language statements.
*Someone doing reverse engineering on software may use several tools to disassemble a program.
Embedded Environment variables
*To use forms in Flask we need to configure a secret key (already covered).
*A secret key is used for securely signing the session cookie and can be used for any other security related needs of an application.
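An added example (not from the original notes, and not Flask's own session-signing code): the secret key is read from an environment variable (the variable name APP_SECRET_KEY is assumed) rather than hardcoded, and is then used to HMAC-sign a hidden form field so that a value tampered with on the client is rejected on submission, which also addresses the hidden-field issue above.

```python
import hashlib
import hmac
import os


def load_secret_key(env=os.environ) -> bytes:
    """Read the signing key from the environment instead of the source code.

    A hardcoded key (e.g. SECRET_KEY = "dev") ships with every copy of the
    code, so anyone with the repository can forge signatures. Refusing to
    start without the variable is safer than falling back to a default.
    APP_SECRET_KEY is an assumed variable name for this example.
    """
    key = env.get("APP_SECRET_KEY")
    if not key or len(key) < 32:
        raise RuntimeError("APP_SECRET_KEY must be set to at least 32 characters")
    return key.encode()


def _tag(key: bytes, name: str, value: str) -> str:
    # Bind the signature to the field name so a value signed for one
    # field cannot be replayed in another.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_hidden_field(key: bytes, name: str, value: str) -> str:
    """Return the string to place in the hidden <input>: 'value.signature'."""
    return f"{value}.{_tag(key, name, value)}"


def verify_hidden_field(key: bytes, name: str, submitted: str):
    """Return the original value if the signature is valid, otherwise None."""
    value, sep, tag = submitted.rpartition(".")  # tag is hex, so it has no '.'
    if not sep:
        return None
    if not hmac.compare_digest(tag, _tag(key, name, value)):
        return None
    return value


if __name__ == "__main__":
    # Constructed sample run: the price is signed when the page is rendered,
    # then the client edits the hidden field before submitting it.
    key = load_secret_key({"APP_SECRET_KEY": "constructed-example-key-0123456789abcdef"})
    field = sign_hidden_field(key, "price", "19.99")
    tampered = "0.01." + field.rsplit(".", 1)[1]
    print("genuine :", verify_hidden_field(key, "price", field))     # 19.99
    print("tampered:", verify_hidden_field(key, "price", tampered))  # None
```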
Database security
*The storage and management of massive amounts of often sensitive data in databases makes databases a prime target for cyberattacks.
*Separate Database Servers and Web Servers
Use Web Application and Database Firewalls
*A database server should be protected from database security threats by a firewall, which denies access to traffic by default.
*The firewall should also protect the database from initiating outbound connections unless there is a specific need to do so.
*In addition to protecting the database with a firewall, a web application firewall can be deployed.
Secure Database User Access
*The least number of people possible should have access to a database.
*In larger organisations, automating access management using access management software should be considered.
Secure database user access security standards
*On top of this, it is wise to ensure standard account security procedures are followed:
* Strong passwords should be enforced.
* Passwords should be stored as salted hashes (which may additionally be encrypted), never in plaintext.
* Accounts should be locked after three or four login attempts.
* A procedure should be put in place to ensure that accounts are deactivated when staff leave or move to different roles.
Regularly Updating Operating Systems and patches
*It’s important to regularly update operating systems and database software with all security patches installed to protect against the most recently discovered vulnerabilities.
*It is also important to ensure that all database security controls provided by the database are enabled (most are enabled by default) unless there is a specific reason for any to be disabled.
*This is particularly important for databases connected to a large number of third-party applications that each require their own patches.
Audit and Continuously Monitor Database Activity
*This includes monitoring logins (and attempted logins) to the operating system and database and reviewing logs regularly to detect anomalous activity.
*Effective monitoring should allow compromised accounts to be spotted, when a user is carrying out suspicious activities or when a database is under attack.
*Database Activity Monitoring (DAM) software can help with this functionality by providing monitoring that is independent of native database logging and audit functions; it can also help monitor administrator activity.
Test database security
*After a database's security infrastructure has been constructed, it should be put up against a realistic attack.
*Hacking or auditing one's own database will put the penetration (pen) testers in the mindset of an attacker and help find vulnerabilities that may have been missed.
*To ensure the test is comprehensive enough, there are third-party services and white hat hackers that specialise in penetration testing that can be hired to do the job.
Encrypt Data and backups
*A database should be regularly backed up with any backups encrypted and stored separately from the decryption keys.
*For example, encrypted backups should not be stored alongside decryption keys in plaintext.
*Regularly backing up systems not only protects against hackers but against other failures as well, such as problems with physical hardware.
Avoid using default network ports
*Default ports are often used in brute force attacks due to their common occurrence.
*However, when assigning a new port, it is important to check the Internet Assigned Numbers Authority’s port registry to ensure the new port isn’t used for other services.
Reasons for reverse engineering
*the source code was lost
*to study how the program performs certain operations
*to improve the performance of a program
*to fix a bug
*to identify malicious content in a program such as a virus
*to adapt a program written for use with one microprocessor for use with another.