SDL Flashcards

1
Q

Continuous Integration (CI)

A
  • A development practice in which code is checked into a shared repository on a consistent, ongoing basis.
    • In continuous integration environments, this can range from a few check-ins a day to a very frequent cycle of check-ins and automated builds.
2
Q

Continuous Deployment (CD)

A
  • Rolls out changes into production automatically as soon as they have passed testing.
3
Q

Improper Error Handling

A
  • Often results in error messages that shouldn’t be exposed outside of a secure environment becoming accessible to attackers or the general public.
    • Since errors often include detailed information about what is going on at the moment the error occurs, attackers can use them to learn about the application, databases, or even to get stack trace information providing significant detail they can leverage in further attacks. Errors that don’t appear to provide detailed information can still allow attackers to learn more about the application, as differing responses can give attackers clues about how successful their efforts are.
    • As a security practitioner, you should pay careful attention to application vulnerability reports that show accessible error messages, as well as the content of those messages.
4
Q

Dereferencing

A
  • Issues are often due to null pointer dereferences.
  • A common flaw that occurs when software attempts to access a value stored in memory that does not exist.
  • This means that a pointer with a value of NULL (in other words, one that isn’t set) is used as though it contains an expected value.
  • This type of error almost always leads to a crash unless caught by an error handler.
  • Race conditions, like those mentioned in a moment, are also a common place to find a dereferencing issue.
5
Q

Output Encoding

A
  • Translates special characters into an equivalent but safe version before a target application or interpreter reads them.
  • Helps to prevent XSS attacks by preventing special characters from being inserted that cause the target application to perform an action.
6
Q

Insecure Object References

A
  • Occur when applications expose information about internal objects, allowing attackers to see how the object is identified and stored in a backend storage system.
  • Once an attacker knows that, they may be able to leverage the information to gain further access, or to make assumptions about other data objects that they cannot view in this way.
7
Q

Race Conditions

A
  • Rely on timing. An application that needs to take action on an object may be sensitive to what is occurring, or has occurred, to that object.
  • Occur when a computing system that’s designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously.
  • This technique takes advantage of a time gap between the moment a service is initiated and the moment a security control takes effect.
  • Although race conditions are not always reliable, they can be very powerful, and repeated attacks against a race condition can result in attackers succeeding.
8
Q

Parameterized Queries

A
  • Also known as a prepared statement: a programming technique that treats user inputs as parameters to a function instead of substrings in a literal query.