Secure Development Flashcards
What is Threat Modeling?
Threat modeling helps to prioritize vulnerabilities and patching throughout the software development lifecycle
When should security considerations be programmed into software?
At the very beginning of development
What is the concept of least privilege?
Users and processes should be given the least amount of access necessary to perform a function
What is defense in depth?
Layering of security controls
Should you trust user input?
NO - all user input must be validated
How would you minimize the attack surface when developing software?
Reduce the amount of code necessary, eliminate unneeded functionality and require authentication prior to running additional plugins
What is a secure default?
Default configurations on a program that are inherently secure rather than requiring an administrator to add in the additional security
Why should developers use code signing?
For authenticity and integrity purposes
What is meant by “Fail Securely?”
Applications should be coded to properly conduct error handling to fail securely instead of crashing
What is black box testing?
When a tester is not provided with any information about the program prior to conducting the test
What is white box testing?
When a tester is given info about the program prior to testing
What is gray box testing?
A mixture of white and black box where some info is given
Put these steps of the software development cycle in the correct order:
- Testing
- Integration
- Planning and Analysis
- Maintenance
- Deployment
- Software Design
- Implementation
- Planning and Analysis
- Software/Systems Design
- Implementation
- Testing
- Deployment
- Maintenance
What is SEH in secure software development?
Structured Exception Handling - provides control over what the app should do when it handles an error
What is static analysis in SDLC?
Reviewing code manually without automatic tools and without running the program
What is dynamic analysis in SDLC?
Analysis and testing of a program while executing or running it
What is fuzzing in SDLC?
Injection of random data into a program in an attempt to find system failures and other weaknesses
What is a back door?
Code placed in programs that bypasses normal authentication and security mechanisms
What is arbitrary code execution?
When an attacker is able to execute or run commands on a victim’s computer
What is RCE?
Remote code execution - attacker is able to execute commands remotely
Explain stored/persistent XSS
An attempt to get data provided by the attacker stored on the web server by the victim
Explain reflected XSS
When a malicious script is reflected off of a web application to the victim’s browser. The script is activated through a link, which sends a request to a website that enables execution of malicious scripts.
Explain DOM-Based XSS
An attempt to exploit the victim’s web browser
What is XSRF?
Cross Site Request Forgery - when an attacker forces a user to execute actions on a server for which they are already authenticated
How would you prevent XSRF?
Using session tokens, encryption, XML file scanning and cookie verification
The process of removing redundant entries from a database is known as: sanitization or normalization?
Normalization
What are the countermeasures against SQL injection attacks?
Input Validation, Stored Procedures
A type of redundant source code producing an output not used anywhere in the application is commonly referred to as
Dead Code
What refers to the concept of virtualization on an application level?
Containerization
What type of computing would be best suited for situations where response time in data processing is of critical importance?
Edge Computing
The practice of finding vulnerabilities in an application by feeding it incorrect input is called:
Fuzzing
What is an automated or manual code review process aimed at discovering logic and syntax errors in the application’s source code?
Static Analysis