Chapter 10- Secure Software Development Flashcards
What does SDLC stand for?
Software Development Life Cycle
An organized process of developing a secure application throughout the life of the project.
Software Development Life Cycle (SDLC)
What are the phases of SDLC?
- Planning and Analysis
- Software/Systems Design
- Implementation
- Testing
- Integration
- Deployment
- Maintenance
Software development is performed in time-boxed or small increments to allow more adaptivity to change.
Agile
Software development and information technology operations.
DevOps
Users and processes should be run using the least amount of access necessary to perform a given function.
Least Privilege
Layering of security controls is more effective and secure than relying on a single control.
Defense in Depth
Any input that is received from a user should undergo input validation prior to allowing it to be utilized by an application.
Never Trust User Input
Reduce the amount of code used by a program, eliminate unneeded functionality, and require authentication prior to running additional plugins.
Minimize Attack Surface
Default installations should include secure configurations instead of requiring an administrator or user to add in additional security.
Create Secure Defaults
Applications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user.
Authenticity and integrity
Applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing.
Fail Securely
If a vulnerability is identified, then it should be quickly and correctly patched to remove the vulnerability.
Fix Security Issues
SDKs must come from trusted sources to ensure no malicious code is being added.
Rely on Trusted SDKs
Occurs when a tester is not provided with any information about the system or program prior to conducting the test.
Black-box Testing
Occurs when a tester is provided full details of a system including the source code, diagrams, and user credentials in order to conduct the test.
White-box Testing
This is a mixture of black-box and white-box where the tester is given some amount of information about the system and conducts his testing as if he doesn’t have full access to it.
Gray-box Testing
Provides control over what the application should do when faced with a runtime or syntax error.
Structured Exception Handling (SEH)
Applications verify that information received from a user matches a specific format or range of values.
Input Validation