Section 10: Secure Software Development Flashcards
SDLC
Organized process of developing a secure application throughout the life of the project
What are the seven phases of the SDLC?
Planning and Analysis
Software/Systems Design (no coding, yet)
Implementation (code is written, with basic debugging and testing)
Testing (check the code)
Integration
Deployment (application moved into the production environment)
Maintenance (bug fixing, patches, updates; version control, integration management)
Agile Development
Software development is performed in time-boxed or small increments to allow more adaptability to change
DevOps
Software development and information technology operations
How do you implement integrity?
Hash algorithms, journaling
Threat modeling
Helps prioritize vulnerability identification and patching
Defense in depth
Layering of security controls is more effective and secure than relying on a single control
Minimize attack surface
Reduce the amount of code used by a program, eliminate unneeded functionality, and require authentication prior to running additional plugins.
Create Secure Defaults
Ensure the default installation is secure and require an administrator to weaken the defaults
Authenticity and Integrity
Use digital signatures! That’s what this means
Fail Securely
If the application fails, can it be exploited?
Fix Security Issues
If a vulnerability is identified, then it should be quickly addressed
Rely on trusted SDKs
SDKs must come from trusted sources to ensure no malicious code is being added. If you’re reusing somebody’s code, make sure that you trust it.
Black box testing
Occurs when a tester is not provided with any information about the system or program prior to conducting the test
White-box testing
Occurs when a tester is provided full details of a system including the source code
Gray box
Mixture of both. The tester might be given user-level credentials, but not admin.
Structured Exception Handling (SEH)
Provides control over what the application should do when faced with a runtime or syntax error
Input Validation
Applications verify that information received from a user matches a specific format or range of values
Static Analysis
Source code of an application is reviewed manually or with automatic tools without running the code
Dynamic Analysis
Analysis and testing while the program is being utilized
Fuzzing
Injection of randomized data into a software program in an attempt to find system failures, memory leaks, etc.
Backdoors
Code placed in computer programs to bypass normal authentication and other security mechanisms (should not be utilized)
Directory Traversal
Method of accessing unauthorized directories by moving through the directory structure on a remote server. (messing with the URL path to get to something else with ../)
Arbitrary Code Execution
Occurs when an attacker is able to execute or run commands on a victim computer
Remote Code Execution
Occurs when an attacker executes the commands on the victim computer remotely
Zero Day
Attack against a vulnerability that is unknown to the original developer
Buffer Overflow
Occurs when a process stores data outside the memory range allocated by the developer (just remember it’s an attempt to put more data into memory than it is designed to hold)
Buffer
Temporary storage area for a program (glass that holds water)
Stack
Reserved area of memory where the program saves the return address when a function call instruction is received
Smash the stack
Occurs when an attacker fills up the buffer with NOPs so that the return address may hit a NOP and continue on until it finds the attacker’s code to run
Address Space Layout Randomization
Method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits
XSS
Cross Site Scripting - Occurs when an attacker embeds malicious scripting commands on a trusted website (stored/persistent; reflected; DOM based) (think about exploiting something from a web browser and website)
XSRF
cross site request forgery - Occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated (if you’ve already logged into the website, then you can get compromised by someone doing stuff through your already authenticated session)
How do you prevent XSRF?
Tokens, encryption, XML File Scanning, and cookie verification
SQL Injection
Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application (OR 1=1 is always going to refer to an SQL Injection on the exam!)
Injection Attack
Insertion of additional information or code through data input from a client to an application
XML uses
Used for authentication, data submission, etc.
XML Bomb
An XML document encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it
XML External Entity (XXE)
An attack that embeds a request for a local resource
Best way to prevent XML attacks?
Input validation! Same with a SQL Injection. Anything with XML in the question, it is talking about an XML vulnerability
Race Condition
The computer is trying to race itself: two operations are both trying to do something at the same time, and one gets there before the other. Multiple threads writing at the same time. (get there before the antivirus takes hold) (can also be used against databases and file systems)
Dereferencing
A software vulnerability where the pointer and what it points to are broken apart
Time of Check to Time of Use
Not re-checking when checking out of the cart. Do a final check when you try to pay (is it still in stock?)
Prevent time of check
Develop apps to not process things sequentially if possible
Implement a locking mechanism to provide the app with exclusive access
Where do vulnerabilities arise?
Most of the time, from bad coding
Insecure Components
Any code that is used or invoked outside the main program development process
Insufficient Logging and Monitoring
Any program that does not properly record or log detailed enough information
Weak or default configuration
Any program that uses ineffective credentials or configurations, or one in which the defaults have not been changed for security