SDLC Principles (Software Development Life Cycle) Flashcards
What is the CIA Triad?
Confidentiality
Integrity
Availability
What is confidentiality?
Ensures that only authorized users can access the data.
This is provided by encryption.
What is integrity?
Ensures that the data is not modified or altered without permission.
This is provided by hash algorithms, or by journaling and logging to provide an audit trail.
What is availability?
Ensuring that data is available to authorized users when it is needed.
This is provided by redundancy, error-free software, or software error handling to prevent crashes.
Who performs code reviews? Why?
Programmers
They are the ones who write the code.
How do security analysts help during the development lifecycle?
Threat modeling and vulnerability identification.
Essentially, they find vulnerabilities and report them to the programmers.
Note: Studies have shown it is cheaper to secure the product before release than to fix a problem after release.
What is Least Privilege? Why use it?
Users and processes should run with the least amount of access necessary to perform their function.
Least privilege reduces the risk of attackers gaining access to critical systems or sensitive data.
Do applications use defense in depth? What is it?
Yes, it’s the layering of security controls.
Note: One layer of defense is generally weaker than two or more layers.
Why should we never trust user input?
Any input from a user needs to be validated before the application uses it. Validation can stop many different attacks, including:
SQL Injection (SQLi)
Buffer Overflows
Cross Site Scripting (XSS)
Command Injection
Code Injection
CCS Injection
SMTP/IMAP Command Injection
Host Header Injection
LDAP Injection
How do you minimize the attack surface in an application?
Reduce the amount of code, eliminate unneeded functionality, require authentication prior to running extra plugins.
Most users accept the default settings when installing an application. What is a good practice in this case for default installation settings?
The default installation settings should include secure configurations without the need for a user to add them.
How does an application maintain authenticity and integrity prior to delivery to the end user?
Applications should use code signing with a digital signature.
When an error occurs in an application, how does it “Fail Securely”?
Failing securely means the app should be coded to handle exceptions properly.
Note: Exceptions occur when something goes wrong in the application but the application can recover from it, if it is programmed with error handling.
Note: Errors occur when the app cannot recover and therefore will crash.
If a vulnerability is identified what should occur?
It should be patched quickly to fix the security issue and remove the vulnerability.
What is an SDK?
Software Development Kit. Only trusted SDKs from trusted sources should be used.