Section 10: Secure Software Development Flashcards
SDLC
Organized process of developing a secure application throughout the life of the project
What are the seven phases of the SDLC?
Planning and Analysis
Software/Systems Design (no coding, yet)
Implementation (code is developed, with basic debugging and testing)
Testing (check the code)
Integration
Deployment (application moved into the production environment)
Maintenance (bug fixing, patches, updates; version control, integration management)
Agile Development
Software development is performed in time-boxed or small increments to allow more adaptivity to change
DevOps
Software development and information technology operations
How do you implement integrity?
Hash algorithms, journaling
Threat modeling
Helps prioritize vulnerability identification and patching
Defense in depth
Layering of security controls is more effective and secure than relying on a single control
Minimize attack surface
Reduce the amount of code used by a program, eliminate unneeded functionality, and require authentication prior to running additional plugins.
Create Secure Defaults
Ensure the default installation is secure, and require an admin to loosen the default settings
Authenticity and Integrity
Use digital signatures! That’s what this means
Fail Securely
If the application fails, can it be exploited?
Fix Security Issues
If a vulnerability is identified, then it should be quickly addressed
Rely on trusted SDKs
Must come from trusted sources to ensure no malicious code is being added. If you’re reusing somebody’s code, make sure that you trust it.
Black box testing
Occurs when a tester is not provided with any information about the system or program prior to conducting the test
White-box testing
Occurs when a tester is provided full details of a system including the source code
Gray box
Mixture of both. The tester might be given user-level credentials, but not admin.
Structured Exception Handling (SEH)
Provides control over what the application should do when faced with a runtime or syntax error
Input Validation
Applications verify that information received from a user matches a specific format or range of values
Static Analysis
Source code of an application is reviewed manually or with automatic tools without running the code