Chapter 11 Flashcards
Software security
Web app security flaws
- unvalidated input
- cross-site scripting
- Buffer overflow
- injection flaws
- improper error handling
reducing software vulnerabilities
- stop vulnerabilities before they occur
- find vulnerabilities before they are exploited
- reduce impact of vulnerabilities
SAFECode
Software Assurance Forum for Excellence in Code
canonicalization
transforming input data into single standard, minimal representation -> to compare to single representation of acceptable input
Input fuzzing
randomly generate data as input to program
writing safe program code
- Correct algorithm implementation - no debugging code
- Ensure machine code corresponds to algorithm - compiler might be hacked
- Correct data interpretation - restrict + validate interpretation of data vars
- Correct use of memory
- race conditions - 2 threads try to access at same time - deadlock / corrupted values
Environment vars
collection of string values inherited by each process from parent - can be modified by program process at any time
Use of least privilege
- privilege escalation - may give privileges to attacker
- least privilege - run with least privilege needed
Root/administrator privileges
programs with root privileges = target
- often privilege only needed at start
- partition into smaller modules
preventing race conditions - lockfile
process must create + own lockfile to gain access - all programs must cooperate
Safe temporary files
- temporary files in common shared system area
- must be unique
handling program output
- output stored, sent, displayed
- identify what is permissible output content + filter
- defined character set