Scripting Best Practices

Why must deployment of scripts be subject to best practices?

Deploying any type of code comes with the risk of introducing vulnerabilities

How could enabling an interpreter expand risk?

If the interpreter is not a default feature, enabling it expands the attack surface

What environment is mentioned as used to craft fileless malware?

PowerShell

How could a threat actor turn a script into a Trojan?

Modify the source code to make it act as malware

How could a script’s network port or user input become a vulnerability?

If the script does not handle input correctly, a threat actor could exploit a vulnerability to return unauthorized data or run arbitrary code

What controls should be applied to script source code to prevent unauthorized changes?

Access and version controls

What should be done to code before deployment to mitigate vulnerabilities and errors?

Scanned and tested for vulnerabilities and errors

What privilege level should scripts run with?

The minimum privileges necessary for the task

What is an example of accidental DoS from inadvertent system changes?

Powers off a system rather than restarting it or locks out remote access by changing a firewall configuration

What kinds of changes can weaken security configuration in this context?

Enabling the script environment, creating port exceptions, disabling scanning software so that the script executes successfully

What is stated about scripts that only work by disabling security mechanisms?

Not safe enough to consider running

Where should code be tested, and what should be done about required host changes?

Test in a development environment; include required changes and update/monitor through new configuration baselines

How can mishandling of resources cause accidental DoS?

Coding mistakes can lead to situations where the script mishandles computer or storage resources

What resource-handling vulnerability is associated with C/C++?

Requires very careful use of coding techniques to avoid creating vulnerabilities in the way instructions manipulate system RAM

How are scripting languages described with respect to memory handling?

Considered safe with respect to memory handling

What are three examples of resource mishandling by scripts?

Creating files that deplete disk storage resources; faulty loop that does not terminate and causes the script to hang; faulty API call that causes another process (such as the host browser) to crash

What must be done before deployment and during execution to catch these mistakes?

Test every script before deployment; monitor execution to pick up bugs not found in the test phase