Section 2.3 Secure Application development, deployment, and automation concepts Flashcards
What do you call the ability to add, remove, or reconfigure hardware and software resources to handle an increase in usage? Requires manual intervention.
Scalability
What do you call automatically scaling resources up or down to meet user demands? Completely automatic.
Elasticity
What SDLC method goes through each step one by one until they are completed?
Waterfall method
Developers use ____________ to make sure an application does not contain security issues and is resistant to application errors and crashes.
Secure Coding Concepts
What do you call a nonprofit foundation that works to improve the security of software?
OWASP
What does OWASP stand for?
Open Web Application Security Project
Who produces a top 10 vulnerabilities list that has the most common vulnerabilities, how they are exploited, and how to prevent them?
OWASP
What brings together management, development, and operations groups to swiftly release software into production?
DevOps
What do you call infrastructure that cannot be changed once it is placed?
Immutable Infrastructure
What tools check the various courses of action within the code, validate inputs, and play a role in integration, delivery, deployment, and monitoring while providing reporting and analytics?
Automation/Scripting Tools
What do you call the surrounding infrastructure that supports software applications?
Data Center
What manages and provisions data centers through machine readable files to support software and user requirements?
Infrastructure as Code
What control keeps multiple developers from overwriting changes that were written by other developers?
Version Control
What ensures everyone associated with a software change understands what changes will be made, when they will be made, and any 2nd or 3rd order effects?
Change Management
What refers to the process of coding applications to accept only certain valid input for user-entered fields?
Input Validation
What concept recognizes specific types of command characters and parses them as simple data rather than executing the text as a command?
Escaping
What is the practice of using either predetermined processes or synthetic processes to create diversity within the software development process?
Software diversity
What analysis is conducted by executing software on a real or virtual processor, with inputs to allow the tester to determine how the software will behave in a potentially negative environment?
Dynamic code analysis
What dynamic technique enters random data into application fields to see how the software program reacts to test for input validation and exception handling?
Fuzzing
What analysis is performed without executing the code, but uses either an automated tool or manual reviewing?
Static code analysis
What checks the ability for a piece of software to undergo large amounts of stress or extremely heavy operating loads by pushing the software beyond its normal or best-scenario operating environments?
Stress testing
What testing provides key performance indicators of software integrity to help measure how effectively software is developed and how efficiently it is tested prior to deployment?
Integrity Measurement
What is largely determined by the OS and programming language environment in use because they can offer varying levels of tools?
Error and Exception Handling
What uses up memory resources needed to execute actions associated with applications?
Resource Exhaustion
What occurs when you have access permissions or systems of trust between different components of a software application that allow users to pass through unexpectedly and without proper authorization to access another software component?
Transitive Access
Which type of validation responds to users more quickly, but requires the client to have software compatible with the server?
Client-side validation
Which type of validation is more compatible but responds slower and is safer because the application code isn’t shared?
Server Side validation
What is prevented by verifying a request came from an authorized user by requiring a second identifying value saved in a cookie to authenticate an authorized session?
CSRF
What is CSRF?
Client Side Request Forgery
What do you call the use of existing source code for a new purpose?
Code Reuse
What is an SDK?
Software Development Kit
What entails using a certificate to digitally sign executables and scripts to confirm that the software was developed by the appropriate author?
Code Signing
What hard codes and shares data?
Data exposure
What do you call code that is never used or executed and its removal can cause exceptions or a change in output?
Dead Code
What is the design of a database to remove redundancies and improve integrity through simplifying the design?
Normalization
What are saved subroutines that can be used within applications accessing databases?
Stored Procedures
In what environment is software developed? Often done in a sandbox.
Development (DEV)
In what environment is software tested, either in a static or dynamic manner?
Testing (TEST)
What environment is built for iterative testing to assure new code does not have negative impacts on the functionality?
Quality Control/Assurance (QC/QA)
What environment allows the code to be subjected to final testing before being moved to production?
Staging (STAGING)
What is the final, live environment that users get to interact and work with?
Production (PROD)
In what environment is the application initially coded, often through multiple iterations?
Development
In what environment do the developers integrate all of their work into a single application?
Testing
In what environment do we ensure quality assurance before we roll it out to production?
Staging
In what environment does the application go live and end users have the support of the IT team?
Production
What do you call the process of making an application or service available? May also refer to the lifecycle of designing, preparing, creating, and managing the applications.
Provisioning
What process occurs when the application meets its end of life?
Deprovisioning
What is the measuring and identification of changes to a system, away from its expected or baseline value?
Integrity Measurement
What process ensures that the application performs as it should and conforms to data industry standards and regulations?
Integrity Measurement
Code updates should be _______________ to ensure functionality is intact and no security vulnerabilities exist.
regression tested
What is the result of integrity measurement?
A secure baseline configuration
The goal of ________ is to reduce and eliminate redundancy to make fewer indexes per table and make searching faster.
Normalization
A ___________ is reusable, prepared SQL code.
Stored procedure
When apps use ______________, it will provide the required information while ensuring an attack will not be able to modify the code it contains.
Stored procedures
What is the process of obscuring source code so that if it was stolen, it could not be interpreted or reverse engineered by the attacker?
Obfuscation/Camouflage
What are server-side programming languages?
C# and .NET
__________ execution and validation includes databases, application servers, and domain controllers.
Server-side/backend
What kind of execution and validation happens on the client in the browser?
Client-Side
What are the client-side languages?
JavaScript and HTML 5
Failure to manage memory in code may result in?
Memory Leaks
What is a set of software development tools that a vendor creates to make application development easier?
SDK
Sensitive data should be ________ to prevent it from being stolen by attackers, and sometimes masked even to the user.
encrypted
What do you call the creation of software that is different on each user endpoint/device?
Software diversity
What do you call the process of testing to make sure that an application is fit for its purpose and fulfills the user’s requirements, and ensures security requirements are met?
Continuous validation
What do you call the ability of a system to automatically grow and shrink based on app demand?
Elasticity
What do you call the ability of a system to handle growth of users or work?
Scalability