6 Application Security Flashcards
What is a standardized software development life cycle?
A process that moves software through development, test, staging, and production environments.
It ensures that secure software development concepts are followed.
What are the issues associated with code reuse?
Potential vulnerabilities and security risks that arise from using existing code in new applications.
Understanding these issues is crucial for secure software development.
What principles should web applications align with?
Industry-standard principles such as those developed by OWASP.
OWASP stands for Open Worldwide Application Security Project.
What are some common application vulnerabilities?
Memory injection, buffer overflow, race condition attacks, SQL injection (SQLi), and cross-site scripting (XSS).
Familiarity with these vulnerabilities helps in building defenses.
What is the purpose of input validation in application security?
To protect code from malicious input that could lead to vulnerabilities.
It is a fundamental practice in secure coding.
How should cookies for session management be secured?
Through the use of transport encryption.
This helps protect user sessions from interception.
What does code signing provide to end users?
Assurance that code came from a trusted source.
It enhances the integrity and authenticity of software.
What is sandboxing in application security?
Testing code in an isolated environment to prevent potential harm to the main system.
It allows for safe experimentation and vulnerability testing.
What are the main benefits of automation in secure operations?
Efficiency, time-saving, enforcing baselines, standardizing configurations, scaling securely, retaining employees, lowering reaction times, and serving as a workforce multiplier.
These benefits enhance overall operational security.
What are the main drawbacks of automation?
Complexity, cost, single point of failure, technical debt, and ongoing supportability issues.
Understanding these drawbacks is essential for effective implementation.
What are common use cases of automation and scripting in cybersecurity?
User and resource provisioning, creating guard rails, managing security groups, ticket management, enabling/disabling services, continuous integration/testing, and using APIs.
These use cases improve security efficiency and management.
What is the Software Development Life Cycle (SDLC)?
The SDLC describes the steps in a model for software development throughout its life, mapping from idea to requirements, design, coding, testing, and rollout.
The SDLC also includes user training, maintenance, and decommissioning.
What are the common phases in most SDLC models?
- Planning
- Requirements Definition
- Design
- Coding
- Testing
- Training and Transition
- Operations and Maintenance
- Decommissioning
These phases may vary in order or approach, such as linear or iterative.
What occurs during the planning phase of the SDLC?
Initial investigations into the feasibility of the effort, alternative solutions, and high-level costs are conducted, resulting in a recommendation.
This phase is crucial for deciding whether to move forward with a project.
What is the purpose of the requirements definition phase?
To gather customer input on desired functionality, current system capabilities, and desired improvements, often ranking requirements by importance.
Security requirements are a key part of this analysis.
What does the design phase include?
Design for functionality, architecture, integration points, dataflows, and business processes.
This phase is critical for ensuring the application meets specified requirements.
What happens during the coding phase?
The actual coding of the application occurs, which may include unit testing of small components.
Some testing may occur here, but formal testing is conducted later.
What is the focus of the testing phase?
Formal testing of integrated software components to ensure proper functionality, including user acceptance testing (UAT).
This phase is essential for validating that the software meets user needs.
What is the purpose of the training and transition phase?
To ensure end users are trained on the software and that it has entered general use.
This phase may also be referred to as acceptance, installation, and deployment.
What occurs during the operations and maintenance phase?
Patching, updating, and minor modifications for ongoing support of the application.
This is usually the longest phase in the SDLC.
What is the decommissioning phase in the SDLC?
Occurs when a product or system reaches the end of its life, involving shutting down old products and preserving or disposing of data.
This phase is often overlooked but is important for cost savings and proper data management.
What are the common environments used in software development?
- Development Environment
- Test Environment
- Staging Environment
- Production Environment
Each environment serves a specific purpose in the software development lifecycle.
What is the role of the production environment?
It is the live system where software changes that have been tested and approved are deployed.
Proper change management processes are typically followed to ensure accountability.