SDLC Flashcards

1
Q

What is the order of the Waterfall Model SDLC phases?

A
Planning and Analysis
Software/Systems Design
Implementation
Testing
Integration
Deployment
Maintenance
2
Q

Which SDLC model uses time-boxing or small increments?

A

Agile

3
Q

What is a runtime error?

A

When the software encounters an error when running.

4
Q

What is a syntax error?

A

When the code has mistakes with its coding.

5
Q

What is structured exception handling (SEH)?

A

It allows you to have control over what the application should do when faced with a syntax or runtime error.

6
Q

Is fuzzing conducted during static or dynamic code analysis?

A

Dynamic

7
Q

In what other situations can you use fuzzing?

A

You can also use fuzzing to stress-test networks.

8
Q

When you see a question on the test involving ../ (dot dot slash), what is the answer to the question most likely to be?

https://www.jennyisaho/../../../etc

A

Directory traversal

9
Q

When an attacker is able to execute code or run commands on a victim computer, what is it called?

This is when your friend gets on your computer at work and runs something on your computer.

A

Arbitrary code execution

10
Q

What is arbitrary code execution called when it's done remotely?

A

Remote code execution

This is considered to be one of the worst types of exploits in the security world. Any type of vulnerability that allows an RCE exploit is considered to be critical in the CVSS.

11
Q

What is a way programmers help prevent buffer overflow attacks?

A

Address space layout randomization

12
Q

What is cross-site scripting?

A

When an attacker embeds a malicious scripting command on a trusted website.

The victim is the user, not the server.

13
Q

What are the three types of CSS attacks?

A

Stored/Persistent
Reflected
DOM-based

14
Q

What is the stored/persistent attack?

A

Attempts to get data provided by the attacker to be saved on the web server. Later this malicious code is served to other users.

15
Q

What is the reflected attack?

A

Attempts to have a non-persistent effect activated by a victim by clicking a link on the site.

16
Q

What is the DOM (Document Object Model) based attack?

A

Attempts to exploit the victim’s web browser.

The DOM is a part of the user's web browser.

17
Q

How do you stop CSS?

A

Output encoding and good input validation

Output encoding converts untrusted input into a safe form so that it is displayed to the user as data rather than executed as code in the browser.

The user can also disable scripting languages in their browser and increase the security settings for their cookie storage.

18
Q

What is Cross-Site Request Forgery (CSRF/XSRF)?

A

When the attacker forces a user to execute actions on a web server that they are authenticated on.

This exploits the trust the server has in the user. This is the attack where the user is authenticated to a bank and the attacker uses a forged request to make it look like it came from the user.

19
Q

How do you prevent CSRF?

A

Programmers can use:

Special tokens on web pages that contain forms, such as CAPTCHAs
Special encryption techniques
XML file scanning
Cookie verification.

20
Q

What does SQL do?

A

It's how a web app talks to a database.

21
Q

How do you stop SQL injections?

A

Input Validation and least privilege

For the exam, any question that has 1=1, 999=999, etc. will be an SQL injection.

22
Q

What are the most common injection vectors?

A

SQL, HTML, XML, LDAP

SQL is the most targeted by far.

23
Q

What is XML vulnerable to?

A

XML data submitted without encryption or input validation is vulnerable to:

Spoofing
Request forgery
Code injection