Secure Coding Concepts Flashcards
Compiled Code vs Runtime code
Compiled code is processed by a compiler before it runs: the compiler checks the code for errors (reporting them back to the developer), optimizes it, and converts it into an executable file.
Runtime code (interpreted code) is evaluated, interpreted, and executed when the program is run, so errors in it only surface at run time.
Input validation
The practice of checking data for validity before using it. Prevents an attacker from injecting malicious input by rejecting the input (or sanitizing it) before the application acts on it.
What are some common checks performed by input validation?
Verifying proper characters in certain fields
Implementing boundary/range checking
Blocking HTML markup characters such as < and >
Preventing the use of specific characters that are used in injection attacks (e.g. =, ' and -, which appear in SQL injection)
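The four checks above, implemented as an added example (not code from the flashcards). It uses a whitelist for allowed characters, a range check, and outright rejection of HTML and SQL metacharacters; the field names, limits and sample form data are illustrative assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example: whitelist-style validators for the checks the card lists.
# Field names and limits are illustrative assumptions, not from the original.

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")   # allowed characters only
AGE_RE = re.compile(r"^[0-9]{1,3}$")                 # ASCII digits only, then range-checked
HTML_CHARS = "<>"                                    # markup characters to block
SQL_CHARS = ("=", "'", "--", ";")                    # metacharacters common in SQL injection


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)


def validate_username(value: str) -> Optional[str]:
    """Whitelist check: only letters, digits and underscore, 3-32 characters."""
    if not USERNAME_RE.fullmatch(value):
        return "username: only A-Z, a-z, 0-9 and _ (3-32 chars) are allowed"
    return None


def validate_age(value: str) -> Optional[str]:
    """Boundary/range check: a whole number between 0 and 120."""
    if not AGE_RE.fullmatch(value):
        return "age: must be a whole number"
    n = int(value)
    if not 0 <= n <= 120:
        return f"age: {n} is outside the range 0-120"
    return None


def validate_comment(value: str) -> Optional[str]:
    """Reject HTML markup characters and SQL metacharacters outright.
    Rejecting is simpler and safer than trying to sanitize them."""
    if any(c in value for c in HTML_CHARS):
        return "comment: the characters < and > are not allowed"
    if any(s in value for s in SQL_CHARS):
        return "comment: the characters = ' -- ; are not allowed"
    if len(value) > 500:
        return "comment: too long (max 500 characters)"
    return None


def validate_form(form: dict) -> ValidationResult:
    """Run every validator; the request is accepted only if all fields pass."""
    checks = {"username": validate_username, "age": validate_age, "comment": validate_comment}
    errors = []
    for name, check in checks.items():
        value = form.get(name)
        if value is None:
            errors.append(f"{name}: missing")
            continue
        err = check(value)
        if err:
            errors.append(err)
    return ValidationResult(ok=not errors, errors=errors)


if __name__ == "__main__":
    # Constructed sample input: one clean form, one hostile form.
    good = {"username": "alice_01", "age": "34", "comment": "Looks fine to me."}
    bad = {"username": "alice<script>", "age": "999", "comment": "x' OR 1=1 --"}
    print(validate_form(good))
    print(validate_form(bad))
```

The hostile form fails all three fields at once: the username contains markup characters, the age is out of range, and the comment contains both a quote and an equals sign.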
Race Condition
Occurs when two or more modules of an application, or two applications, attempt to access the same resource at the same time and the result depends on which one gets there first. A typical security impact is a check (for example of a balance or a permission) that is no longer true by the time the action based on it is performed.
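An added example (not from the flashcards) of a check-then-act race on a bank balance, and the same operation with the check and the debit inside one critical section. A barrier forces both threads past the check before either debits, so the race reproduces deterministically; the Account class and the amounts are assumptions.

```python
import threading

# Added example: two threads race on a shared balance. Account, amounts and
# the barrier used to force the interleaving are illustrative assumptions.


class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, barrier):
    """Check and debit are separate steps with nothing protecting them."""
    if acct.balance >= amount:          # check
        barrier.wait(timeout=5)         # wait until the other thread has also passed the check
        acct.balance -= amount          # act: the check is now stale
        return True
    return False


def withdraw_locked(acct, amount, barrier):
    """Check and debit happen together inside one critical section."""
    barrier.wait(timeout=5)             # both threads arrive together, then contend for the lock
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run_two_withdrawals(withdraw, start_balance):
    """Two threads each try to withdraw the full balance.
    Returns (number of successful withdrawals, final balance)."""
    acct = Account(start_balance)
    barrier = threading.Barrier(2)
    results = []

    def worker():
        results.append(withdraw(acct, start_balance, barrier))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), acct.balance


if __name__ == "__main__":
    print("racy:  ", run_two_withdrawals(withdraw_racy, 100))    # two withdrawals of 100 succeed against a balance of 100
    print("locked:", run_two_withdrawals(withdraw_locked, 100))  # exactly one succeeds, balance ends at 0
```

In the racy version both threads see a balance of 100, so both withdrawals succeed and 200 is paid out from a 100 balance. With the lock, the second thread re-checks after the first has debited and is refused.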
What are 2 general guidelines to proper error-handling?
- Make sure error messages shown to users are generic (no stack traces, SQL statements, file paths or version numbers), so they give an attacker nothing to use against the system/application.
- Detailed error information should be logged, so that developers can identify the cause of the error.
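Both guidelines in one handler, as an added example (not from the flashcards): the user gets a generic message plus a reference ID, and the full exception with the failing path goes to the log under that same ID. The in-memory log sink and the request shape are assumptions so the example runs offline.

```python
import logging
import uuid

# Added example: generic message to the user, full detail to the log.
# The in-memory log handler stands in for a real log sink (assumption).

_records = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        # Formatter.format appends the traceback for log.exception() calls.
        _records.append(self.format(record))


log = logging.getLogger("app")
log.setLevel(logging.ERROR)
log.addHandler(_ListHandler())


def load_report(path):
    """Business logic that can fail with an informative internal error."""
    with open(path) as f:               # FileNotFoundError carries the full path
        return f.read()


def handle_request(path):
    """Return (status, message_for_user). Exception detail never reaches the user."""
    try:
        return 200, load_report(path)
    except Exception:
        error_id = uuid.uuid4().hex[:12]
        # Detailed record (exception type, message, traceback, path) goes to the log only.
        log.exception("request failed error_id=%s path=%r", error_id, path)
        # The user sees a generic message and a reference they can quote to support.
        return 500, f"An internal error occurred. Reference: {error_id}"


def log_contains(text):
    """Helper for checking what reached the log."""
    return any(text in r for r in _records)


if __name__ == "__main__":
    status, message = handle_request("/srv/reports/does-not-exist.txt")
    print(status, message)              # 500 An internal error occurred. Reference: ...
    print(_records[-1])                 # full traceback with the path, for developers only
```

The reference ID ties the two together: support staff can find the detailed log entry from the ID the user quotes, without the detail ever having been shown to the user.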
Code Signing
The practice of digitally signing an application or code with a code-signing certificate. The developer computes a hash of the code and signs that hash with the certificate's private key; the signature and the certificate are distributed along with the code.
- The certificate identifies the author (publisher).
- The signature over the hash verifies that the code has not been modified: the recipient recomputes the hash and checks it against the signed one.
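The sign-and-verify flow behind code signing, as an added example (not from the flashcards). It assumes the `cryptography` package is installed and uses Ed25519; the publisher's public key stands in for the certificate (a real certificate carries this key plus the publisher's identity, signed by a CA). The sample code bytes are constructed.

```python
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

# Added example: sign the hash of the code, then verify it. Assumes the
# `cryptography` package; the public key stands in for the certificate.


def hash_code(code: bytes) -> bytes:
    """The hash that actually gets signed."""
    return hashlib.sha256(code).digest()


def sign_code(private_key: Ed25519PrivateKey, code: bytes) -> bytes:
    """Publisher side: sign the hash with the certificate's private key."""
    return private_key.sign(hash_code(code))


def verify_code(public_key: Ed25519PublicKey, code: bytes, signature: bytes) -> bool:
    """Consumer side: recompute the hash and check the signature over it.
    Fails if the code was modified or if the signature came from another key."""
    try:
        public_key.verify(signature, hash_code(code))
        return True
    except InvalidSignature:
        return False


def demo():
    """Returns (genuine verifies, tampered code fails, other publisher's signature fails)."""
    publisher_key = Ed25519PrivateKey.generate()
    cert_pubkey = publisher_key.public_key()          # what the "certificate" carries
    code = b"print('hello from release 1.2.3')\n"    # constructed sample code
    sig = sign_code(publisher_key, code)

    tampered = code.replace(b"hello", b"pwned")       # one byte changed after signing
    impostor_sig = sign_code(Ed25519PrivateKey.generate(), code)  # signed by someone else

    return (
        verify_code(cert_pubkey, code, sig),
        verify_code(cert_pubkey, tampered, sig),
        verify_code(cert_pubkey, code, impostor_sig),
    )


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The two failure cases are the two properties from the card: the tampered build fails because the hash no longer matches, and the impostor's build fails because the signature was not made by the key in the publisher's certificate.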
Code Obfuscation
The practice of making code more difficult to read or understand, such as renaming variables to meaningless names, replacing readable strings with hexadecimal escapes, etc. It slows down reverse engineering but does not by itself make the code secure.
Static code analysis vs Dynamic analysis
Static analysis examines the source code without executing it (for example a scanner that flags dangerous function calls or known weakness patterns).
Dynamic analysis checks the code while it is running, for example via fuzzing (sending large amounts of random or malformed data to an application to see how it handles it, such as whether it crashes).
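Both techniques in miniature, as an added example (not from the flashcards): a static check that walks the parsed syntax tree looking for eval/exec without running anything, and a fuzzer that runs a small parser on random strings and records which exception types escape, plus a hardened parser that survives the same fuzzing. The target functions, the dangerous-call list, the alphabet and the seed are assumptions.

```python
import ast
import random
from typing import Optional

# Added example: a tiny static analyser and a tiny fuzzer. Targets, the
# dangerous-call list, the alphabet and the seed are illustrative assumptions.

DANGEROUS_CALLS = {"eval", "exec"}


def static_find_dangerous_calls(source: str):
    """Static analysis: parse the source and report eval/exec calls with line numbers.
    The code under inspection is never executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id in DANGEROUS_CALLS
        ):
            findings.append((node.func.id, node.lineno))
    return findings


# Constructed sample source for the static check (line 3 holds the eval).
SAMPLE_SOURCE = '''
def compute(expr):
    return eval(expr)
'''


def parse_port(text: str) -> int:
    """Target under test: turns "host:port" into a port number. Has latent bugs."""
    host, port = text.split(":")        # ValueError unless exactly one ':'
    return int(port)                    # ValueError on a non-numeric port


def parse_port_safe(text: str) -> Optional[int]:
    """Hardened target: validates instead of assuming well-formed input."""
    host, sep, port = text.partition(":")
    if not sep or not port.isdigit():
        return None
    n = int(port)
    return n if 0 <= n <= 65535 else None


def fuzz(target, iterations=2000, seed=1):
    """Dynamic analysis: feed random strings and record which exception types escape,
    keeping the first input that triggered each one."""
    rng = random.Random(seed)
    alphabet = "abc:0123456789 "
    crashes = {}
    for _ in range(iterations):
        data = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 8)))
        try:
            target(data)
        except Exception as e:
            crashes.setdefault(type(e).__name__, data)
    return crashes


if __name__ == "__main__":
    print("static findings:", static_find_dangerous_calls(SAMPLE_SOURCE))  # [('eval', 3)]
    print("fuzz original:  ", fuzz(parse_port))        # {'ValueError': '<first crashing input>'}
    print("fuzz hardened:  ", fuzz(parse_port_safe))   # {}
```

The static check finds the eval by reading the code; the fuzzer finds the parser's crash only by running it. Neither replaces the other: the static check would not notice the unchecked split, and the fuzzer would never see the eval unless its input happened to reach it.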
Stress Testing
Simulates the load of a live environment (many concurrent users or requests) to determine how well an application operates under heavy use.
Sandboxing
The practice of running or testing an application in an isolated environment, so that any changes it makes (including malicious behaviour) cannot affect anything outside of it.
The Waterfall SDLC model
Uses multiple stages going from top to bottom, with each stage feeding the next. When followed strictly, once a stage is completed you do not return to it. It can lack flexibility because it is difficult to revise work from earlier stages.
The Agile SDLC model
Uses a set of principles shared by cross-functional teams, stressing individuals and interactions, delivering a working application, collaborating with the customer, and responding to change. Uses iterative cycles rather than sequential stages, with each cycle producing a working product; the next cycle adds changes on top of the previous one.
Secure DevOps
An Agile-aligned methodology that stresses security throughout the life cycle of the project rather than bolting it on at the end. It allows developers to push out multiple updates daily in response to changing business needs.
Continuous Integration
The process of frequently merging code changes into a central repository, from which the software is then automatically built and tested.
Baselining (in context of DevOps)
Applying the day's changes to the baseline code every day and then building the code from that updated baseline, so the build always reflects a known, current state of the code.