Application Security Flashcards
Describe these Secure Design Actions:
1) Security Requirement Specifications
2) Threat Modeling
3) Secure Design Principles
4) Secure Application Architecture
1) Design the application according to the security specifications.
2) Perform threat modeling to know your threats.
3) Define the secure coding standards to be implemented.
4) Design Secure Application Architecture.
What is Threat Modeling?
It is the process of identifying, analyzing and mitigating the threats to the application.
What are the six steps of the Threat Modeling Process?
1) Identify Security Objectives
2) Application Overview
3) Decompose the Application
4) Identify Threats
5) Identify Vulnerabilities
6) Risk and Impact Analysis
Describe these Secure Coding Practices:
1) Input Validation
2) Parameterized Queries and Stored Procedures
3) Unicode Normalization
4) Output Encoding
5) Error/Exception handling
6) Secure Session Cookies
7) Secure Response Headers
8) Obfuscation/Camouflage
9) Code Signing
1) The process of verifying and testing user inputs.
2) Parameterized queries do not allow an attacker to change the intent of the query. Stored procedures allow the developer to write the SQL code first, then accept parameters.
3) The process of normalizing strings and determining whether two given strings are equivalent.
4) Converts special characters to a different format so they are no longer dangerous at the interpreter.
5) Prevents the application from entering an unknown state.
6) Employ cookie randomization, cookie timeout.
7) Hardens the application against security threats and prevents browsers from delivering vulnerable resources.
8) A technique used by developers to protect their code from reverse engineering.
9) Digitally signs software to ensure integrity and authenticity.
What is Static Application Security Testing (SAST)?
The systematic inspection of source code to detect vulnerabilities and design flaws.
What is Dynamic Application Security Testing (DAST)?
Simulates attacks against the running application and analyzes how the application behaves.
What is Fuzz Testing?
Sending huge amounts of random or malformed data to the web application. Used to find buffer overflows, DoS, XSS and SQL injection flaws.
What is Application Whitelisting?
An access control mechanism that only allows a list of approved applications to run.
What is Application Blacklisting?
Uses a list of undesirable applications to block and prevent their execution.
What is a Web Application Firewall (WAF)?
Provides a security layer that protects the web server from malicious traffic.