Secure Development Flashcards
What is Threat Modeling?
Threat modeling helps to prioritize vulnerability and patching throughout the software development lifecycle
When should security considerations be programmed into software?
At the very beginning of development
What is the concept of least privilege?
Users and processes should be given the least amount of access necessary to perform a function
What is defense in depth?
Layering of security controls
Should you trust user input?
NO - all user input must be validated
How would you minimize the attack surface when developing software?
Reduce the amount of code necessary, eliminate unneeded functionality and require authentication prior to running additional plugins
What is a secure default?
Default configurations on a program that are inherently secure rather than requiring an administrator to add in the additional security
Why should developers use code signing?
For authenticity and integrity purposes
What is meant by “Fail Securely”?
Applications should be coded to properly conduct error handling to fail securely instead of crashing
What is black box testing?
When a tester is not provided with any information about the program prior to conducting the test
What is white box testing?
When a tester is given info about the program prior to testing
What is gray box testing?
A mixture of white and black box where some info is given
- Testing
- Integration
- Planning and Analysis
- Maintenance
- Deployment
- Software Design
- Implementation
Put these steps of the software development cycle in the correct order:
- Planning and Analysis
- Software/Systems Design
- Implementation
- Testing
- Deployment
- Maintenance
What is SEH in secure software development?
Structured Exception Handling - provides control over what the app should do when it handles an error
What is static analysis in SDLC?
Reviewing code manually without automatic tools and without running the program