Section 10 Secure Software Development Flashcards
- Planning and analysis
- Software/Systems Design
- Implementation
- Testing
- Integration
- Deployment
- Maintenance
SDLC Phasing
Software development is performed in time-boxed or small increments to allow more adaptability to change.
Agile
Software development and information technology operations.
DevOps
Applications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user.
Authenticity and Integrity
Layering of security controls is more effective and secure than relying on a single control.
Defense in Depth
Any input that is received from a user should undergo input validation prior to allowing it to be utilized by an application.
Never Trust User Input
Users and processes should be run using the least amount of access necessary to perform a given function.
Least Privilege
Default installations should include secure configurations instead of requiring an administrator or user to add in additional security.
Secure Defaults
Applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing.
Fail Securely
If a vulnerability is identified, then it should be quickly and correctly patched to remove the vulnerability.
Fix Security Issues
SDKs must come from trusted sources to ensure no malicious code is being added.
Rely on Trusted SDKs
Occurs when a tester is not provided with any information about the system or program prior to conducting the test.
Blackbox Testing
Occurs when a tester is provided full details of a system including the source code, diagrams, and user credentials in order to conduct the test.
Whitebox Testing
A mix of blackbox and whitebox testing where the tester is given some amount of information about the system, but conducts the testing as if they don’t have full access to it.
Graybox Testing
Provides control over what the application should do when faced with a runtime or syntax error.
Structured Exception Handling (SEH)
Applications verify that information received from a user matches a specific format or range of values.
Input Validation
Source code of an application is reviewed manually or with automated tools without running the code.
Static Analysis
Analysis and testing of a program occurs while it is being executed or run.
Dynamic Analysis
Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation.
Fuzzing
Code placed in computer programs to bypass normal authentication and other security mechanisms.
Backdoors
Method of accessing unauthorized directories by moving through the directory structure on a remote server.
Directory Traversal
Occurs when an attacker is able to execute or run commands on a victim computer.
Arbitrary Code Execution
Attack against a vulnerability that is unknown to the original developer or manufacturer.
Zero Day
Occurs when a process stores data outside the memory range allocated by the developer.
Buffer overflow
A temporary storage area that a program uses to store data.
Buffer
Reserved area of memory where the program saves the return address when a function call instruction is received.
Stack
Occurs when an attacker fills up the buffer with NOPs so that the return address may hit a NOP and continue on until it finds the attacker’s code to run.
“Smash the Stack”
Method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits.
Address Space Layout Randomization
Occurs when an attacker embeds malicious scripting commands on a trusted website.
Cross-site Scripting (XSS)
- Stored/Persistent
- Reflected
- DOM-Based
3 Types of XSS
Attempt to exploit the victim’s web browser.
Document Object Model (DOM) - based
Occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated.
Cross-site Request Forgery (XSRF/CSRF)
Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application.
SQL Injection
Insertion of additional information or code through data input from a client to an application.
Injection Attack
- SQL
- HTML
- XML
- LDAP
Common Injections
XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it.
XML Bomb (Billion Laughs Attack)
An attack that embeds a request for a local resource.
XML External Entity (XXE)
A software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points to.
Dereferencing
A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and these events fail to execute in the order and timing intended by the developer.
Race condition
The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.
Time of Check to Time of Use (TOCTTOU)
Any program that does not properly record or log detailed enough information for an analyst to perform their job.
Insufficient Logging and Monitoring