Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company's final software releases? (Choose two.)
A.
Unsecure protocols B.
Use of penetration-testing utilities C.
Weak passwords D.
Included third-party libraries E.
Vendors/supply chain F.
Outdated anti-malware software.
AC.
Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company's final software releases? (Choose two.)
A.
Unsecure protocols
B.
Use of penetration-testing utilities
C.
Weak passwords
D.
Included third-party libraries
E.
Vendors/supply chain
F.
Outdated anti-malware software.
AC.
The two most likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company's final software releases are:
A. Unsecure protocols: Unsecure protocols, such as FTP or Telnet, are often used to transfer code from one system to another. These protocols lack encryption and authentication, which makes them vulnerable to eavesdropping, interception, and manipulation by attackers. Attackers can intercept the code in transit and inject malicious code or modify the existing code to introduce vulnerabilities. Hence, the use of secure protocols such as SFTP or SSH is recommended.
D. Included third-party libraries: Software companies often use third-party libraries or modules to speed up development and reduce costs. However, these libraries may contain vulnerabilities that can be exploited by attackers. If the software company fails to perform due diligence and assess the security of these libraries, the vulnerabilities can propagate to the final software releases. Additionally, software companies may not promptly apply patches or updates to these libraries, which can also expose the software to attacks.
B. Use of penetration-testing utilities: Penetration testing utilities are tools that simulate attacks to test the security of a system or software. While they can be useful for identifying vulnerabilities, they can also introduce vulnerabilities if not used correctly. If the software company uses these tools without proper authorization or oversight, the tools may inadvertently introduce vulnerabilities or damage the system or software.
C. Weak passwords: Weak passwords can be easily guessed or cracked by attackers, allowing them to gain unauthorized access to the software company's systems or software. Once inside, they can inject malicious code, modify existing code, or exfiltrate sensitive information.
E. Vendors/supply chain: Software companies may rely on vendors or suppliers for various components, such as hardware, software, or services. If these vendors or suppliers are compromised, their components may contain vulnerabilities that can propagate to the final software releases. Additionally, attackers may target the vendors or suppliers to gain access to the software company's systems or software.
F. Outdated anti-malware software: Anti-malware software is designed to detect and prevent malware infections. However, if the anti-malware software is outdated or misconfigured, it may not detect or prevent new or sophisticated malware attacks. Malware can then infect the software company's systems or software and introduce vulnerabilities or steal sensitive information.