Chapter 25: Secure Software Flashcards
machine language
consists of 1’s and 0’s; only format a computer’s processor can understand directly; considered a first-generation language
Assembly language
second-generation programming language, uses symbols (mnemonics) to represent complicated binary codes
third-generation programming languages
high-level languages (C/C++, Java, Python) have refined programming structures; the programming language deals with the low-level system architecture, and programmers focus on their programming objectives
fourth-generation languages
very high-level languages; use natural language processing to allow inexpert programmers to develop code in less time than it would take an experienced software engineer to do so with a third-generation language
fifth-generation languages
natural languages; define the constraints for achieving a specified result and allow the development environment to solve problems by itself instead of a programmer having to develop code to deal with individual and specific problems
assemblers
tools which convert assembly language source code into machine code
compilers
transform instructions from a source language (high-level) to a target language (machine), sometimes using an external assembler
garbage collector
identifies blocks of memory which were once allocated but are no longer in use and deallocates the blocks and marks them as free
RTE
runtime environment
runtime environment
acts as a mini operating system for the program and provides all the resources portable code needs
OOP
object-oriented programming
object-oriented programming
functions and data are encapsulated together in classes, which may then be instantiated as objects
objects in OOP communicate by …
using messages which conform to the receiving object’s application programming interface (API) definition
cohesion
how many different types of tasks a module can carry out; goal is to perform only one task (high cohesion), which makes modules easier to maintain
coupling
measure of how much a module depends on others; more dependencies are more complex and difficult to maintain, so low or loose coupling is ideal
API
the manner in which a software component interacts with other software components
parameter validation
confirming the parameter values being received by an application are within defined limits before they are processed by the system
software library
collection of components which do specific tasks useful to other components
secure coding
set of practices which reduce (to acceptable levels) the risk of vulnerabilities in software
source code vulnerability
defect in code which provides threat actors opportunities to compromise the security of a software system
secure coding standards
verifiable, mandatory practices to reduce the risk of particular types of vulnerabilities in source code
secure coding guidelines
recommended practices which tend to be less specific than standards
SDS or SDSec
software-defined security
software-defined security
security model in which security functions (firewalling, IDS/IPS, and network segmentation) are implemented in software within an SDN environment
software development tools
authorized, implemented, and maintained like any software product through the org’s change management process; developers should not be allowed to install and use arbitrary tools
static application security testing
SAST; helps identify software defects or security policy violations and is carried out by examining source code without executing the program
DAST
dynamic application security testing; evaluation of the program in real time, while it is running
Fuzzing
used to discover flaws and vulnerabilities in software by sending large amounts of malformed, unexpected, or random data to the target program to trigger failures
continuous integration
all new code is integrated into the rest of the system as soon as the developer writes it
continuous delivery
incrementally building a software product which can be released at any time; requires continuous integration
SCM
software configuration management; identifies attributes of software at various points in time and performs a methodical control of changes for the purpose of maintaining software integrity and traceability throughout the SDLC
purpose of software security assessment
to verify that the entire development process, from organizational policy to delivered product, is working as it should
security assessments of acquired software are …
essential to mitigate the risk it could pose to the org which acquired it
most practical way to assess the security of commercial software
to research vulnerabilities and exploits discovered by others to decide if the vendor uses effective secure coding practices
greatest risk in using open-source software
relying on outdated versions of it
best way to assess the security of third-party (custom or customized) software
perform external or third-party audits
assembly language into machine language
assembler
software escrow framework
third party keeps a copy of the source code, which will be released to the customer in specific circumstances (such as the developer going out of business); a good business continuity practice, but not part of security
perform only one task so modules are easier to maintain
high cohesion
low cohesion
module performs many different types of tasks
software-defined security depends on …
software-defined networking (SDN)
top three reasons for data breaches in cloud services
misconfigurations, lack of visibility into access settings and activities, and improper access control