Chapter 9 - Client And Application Security Flashcards
BIOS (Basic Input/Output System)
Firmware that wakens and tests the various components of the computer upon startup.
UEFI (Unified Extensible Firmware Interface)
A newer mechanism that replaces the BIOS for startup.
Secure boot
A standard designed to be used with UEFI to ensure that a computer boots using only software that is trusted by the computer manufacturer.
Hardware root of trust
The hardware starting point in a chain of trust.
Electromagnetic spying
Picking up on the electromagnetic fields that digital devices produce and reading the data that is producing them.
Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST)
A classified standard intended to prevent attackers from picking up electromagnetic fields from government buildings.
Supply chain
A network that moves a product from the supplier to the customer.
Least functionality
A principle in which a user is given the minimum set of permissions required to perform necessary tasks.
Application whitelisting/blacklisting
Creating a list of applications that are permitted (whitelisting) or denied (blacklisting) to run.
Patch
A publicly released software security update intended to repair a vulnerability.
Antivirus (AV)
Software that can examine a computer for any infections as well as monitor computer activity and scan new documents that might contain a virus.
Trusted OS
An operating system that has been designed through OS hardening.
Deadbolt lock
A door lock that extends a solid metal bar into the door frame for extra security.
Key management
Procedures to regulate the distribution of door keys.
Access logs
A paper or electronic record of individuals who have permission to enter a secure area, the time that they entered, and the time they left the area.
Mantrap
A device that monitors and controls two interlocking doors to a small room, designed to separate secure and nonsecure areas.
Protected distribution system (PDS)
A system of cable conduits that is used to protect classified information being transmitted between two secure areas.
Memory leak
A vulnerability that occurs when an application dynamically allocates memory but does not free that memory when finished using it.
Pointer dereference
A pointer with a value of NULL used as if it pointed to a valid memory area.
DLL injection
An attack that inserts code into a running process through a Dynamic Link Library.
Development stage
A stage of application development in which the requirements for the application are established and it is confirmed that the application meets the intended business needs before the actual coding begins.
Testing stage
A stage in which an application is tested for any errors that could result in a security vulnerability.
Staging stage
A stage in application development that performs a quality assurance test to verify that the code functions as intended.
Production stage
An application development stage in which the application is released to be used in its actual setting.
Application development lifecycle model
A conceptual model that describes the different stages involved in creating an application.
Waterfall model
An application development lifecycle model that uses a sequential design process.
Agile model
An application development lifecycle model that follows an incremental approach.
Secure DevOps
A specific type of software methodology that follows the agile model and heavily incorporates security concepts.
Security automation
Tools that test for vulnerabilities.
Continuous integration
Ensuring that security features are incorporated at each stage of application development.
Immutable systems
Ensuring that once a value or configuration is employed as part of an application, it is not modified.
Infrastructure as code
Managing a hardware and software infrastructure using the same principles as developing computer code.
Baselining
Creating a starting point for comparison purposes to apply targets and goals to measure success.
Provisioning
The enterprise-wide configuration, deployment, and management of multiple types of IT system resources.
Deprovisioning
Removing a resource that is no longer needed.
Change management
A methodology for making modifications to a system and keeping track of those changes.
Version control
Software that allows changes to be automatically recorded and if necessary “rolled back” to a previous version of the software.
Data exposure
Disclosing sensitive data to attackers.
Proper error handling
***(secure coding techniques—->)
Taking the correct steps when an error occurs so that the application does not abort unexpectedly.
Proper input validation
Accounting for errors such as incorrect user input.
Normalization
Organizing data within a database to minimize redundancy.
Stored procedure
A subroutine available to applications that access a relational database.
Code signing
Digitally signing applications.
Obfuscation/camouflaged code
Writing an application in such a way that its inner functionality is difficult for an outsider to understand.
Dead code
A section of an application that executes but performs no meaningful function.
Model verification
A test used to ensure that the projected application meets all specifications at that point.
Compiled code testing
Searching for errors that could prevent an application from properly compiling from source code to application code.
Runtime code testing
Looking for errors after the program has compiled correctly and is running, such as a pointer dereference or memory leak.
Sandbox
A testing environment that isolates untested code from the live production environment.
Static program analyzers
Tools that examine software without actually executing the program; instead, the source code is reviewed and analyzed.
Dynamic analysis (fuzzing)
Software testing technique that deliberately provides invalid, unexpected, or random data as inputs to a computer program.
Stress testing
Putting an application under a heavier-than-normal load to determine if the program is robust and can perform all error handling correctly.
Integrity measurement
An “attestation mechanism” designed to ensure that an application is running only known and approved executables.