Secure Software Development Flashcards

1
Q

SDLC

A

Software Development Life Cycle:

A structured process for planning, building, testing and maintaining software over the life of a project. A secure SDLC adds security activities (threat modelling, code review, security testing) to each phase so that security is built in rather than bolted on at the end

2
Q

SDLC Phases

A

Planning, Requirements, Design, Build, Document, Test, Deploy, Maintain

3
Q

Agile

A

Software development performed in time-boxed, small increments (sprints) so that the team can adapt to change more easily

4
Q

DevOps

A

A combined practice that brings software Development and IT Operations together, automating build, test and deployment (CI/CD). DevSecOps adds security checks to that same pipeline

5
Q

SDLC Principles: Defense in Depth

A

Layering of security controls is more effective and secure than relying on a single control

6
Q

SDLC Principles: Never Trust User Input

A

Any input that is received from a user should undergo input validation prior to allowing it to be utilized by an application

7
Q

SDLC Principles: Minimize Attack Surface

A

Reduce the amount of code used by a program, eliminate unneeded functionality, and require authentication prior to running additional plugins

8
Q

SDLC Principles: Create Secure Defaults

A

The systems we design should default to a secure state if we do nothing else: deny by default, unnecessary services switched off, least privilege, no default passwords

9
Q

SDLC Principles: Authenticity & Integrity

A

Applications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user

10
Q

SDLC Principles: Fail Securely

A

Applications should handle exceptions properly so that, when something goes wrong, they end in a secure state (access denied, transaction rolled back, no stack trace shown to the user) instead of crashing or, worse, failing open

11
Q

SDLC Principles: Rely on Trusted SDKs

A

SDKs and other third-party code must come from a trusted source, be verified (signatures or checksums) and be kept up to date, to ensure no malicious or vulnerable code is being added to the application

12
Q

Black-box Testing

A

Occurs when a tester is not provided with any information about the system or program prior to conducting the test

13
Q

White-box Testing

A

Allows testers to inspect and verify the inner workings of a software system (code, infrastructure, etc.). The tester is given full details of the system, including the source code, diagrams and user credentials, in order to conduct the test

14
Q

Gray-box Testing

A

(Combination of Black & White-box)

The tester partially understands the application’s internal working structure

15
Q

Structured Exception Handling (SEH)

A

Provides control over what the application does when it hits a runtime error (an exception) instead of letting the process crash: the code catches the exception, cleans up, logs it and fails securely (card 10).

Syntax errors are caught by the compiler or interpreter before the program runs, so exception handling is about runtime conditions such as bad input, a missing file or a failed network call

16
Q

Input Validation

A

Applications verify that information received from a user or client matches an expected format or range of values before using it,

preventing malformed data from reaching the database and triggering malfunctions in downstream components. Prefer allowlists (accept only what is known to be good) over blocklists

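Worked example for cards 6, 10 and 16 (never trust user input, fail securely, input validation). This is an added example, not part of the original flashcards; SignupRequest, validate_username, validate_age and parse_signup are hypothetical names chosen for the demo, and the 3-32 character username rule and 13-120 age range are assumed policy values.

```python
import re
from dataclasses import dataclass

# Allowlist patterns. re.fullmatch() is used rather than match()/search() so the whole
# string must fit; a pattern ending in "$" would still accept a trailing newline.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
DIGITS_RE = re.compile(r"[0-9]{1,6}")


class ValidationError(ValueError):
    """Any input that does not meet the allowlist. Callers treat it as a deny."""


@dataclass(frozen=True)
class SignupRequest:          # hypothetical request type used for the demo
    username: str
    age: int


def validate_username(raw) -> str:
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username: 3-32 chars, a-z 0-9 _, starting with a letter")
    return raw


def validate_age(raw) -> int:
    # str.isdigit() and int() are too permissive for untrusted input:
    # "١٢" (Arabic-Indic digits) passes isdigit(), and int() accepts " 42 " and "1_000".
    # Insist on ASCII digits, then apply a range check to the converted value.
    if not isinstance(raw, str) or not DIGITS_RE.fullmatch(raw):
        raise ValidationError("age: 1-6 ASCII digits")
    age = int(raw)
    if not 13 <= age <= 120:
        raise ValidationError("age: out of range")
    return age


def parse_signup(form) -> SignupRequest:
    """Validate an untrusted form. Fails closed: a missing key, wrong type, bad format,
    out-of-range value, or a form that is not even a dict all end in ValidationError.
    Nothing is silently 'cleaned up', because repairing bad input is guessing."""
    try:
        return SignupRequest(
            username=validate_username(form.get("username")),
            age=validate_age(form.get("age")),
        )
    except ValidationError:
        raise
    except Exception as exc:          # e.g. AttributeError because form is a list
        raise ValidationError("malformed request") from exc
```

The point of the catch-all at the end is the fail-securely principle: whatever goes wrong while validating, the caller sees a single deny, never a half-validated object or a crash with a stack trace.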
17
Q

Static Analysis

A

Static analysis is the testing and evaluation of an application by examining the code without executing the application

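Worked example of static analysis: a small AST-based checker that reads Python source and flags SQL statements assembled at runtime, without ever executing the code. This is an added example, not part of the original flashcards; find_dynamic_sql and the sample being scanned are constructed for the demo and are not from any real tool or project.

```python
import ast

SQL_EXEC_METHODS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node) -> bool:
    """True when the expression builds a string at runtime instead of being a literal."""
    if isinstance(node, ast.JoinedStr):                                  # f"...{x}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                                      # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                                      # "...".format(x)
    return False


def find_dynamic_sql(source: str, filename: str = "<memory>") -> list:
    """Static check: walk the AST and report every cursor.execute(...) whose first
    argument is assembled at runtime. Returns a sorted list of (line, message)."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call) and node.args and isinstance(node.func, ast.Attribute):
            if node.func.attr in SQL_EXEC_METHODS and _is_dynamic_string(node.args[0]):
                findings.append((node.lineno,
                                 f"{filename}:{node.lineno}: SQL text built at runtime; "
                                 f"pass values as parameters instead"))
    return sorted(findings)


# Constructed sample under review (not from any real project).
SAMPLE_SOURCE = '''\
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # concatenation
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")        # f-string
    cur.execute("SELECT * FROM users WHERE name = %s" % name)        # %-format
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))        # parameterized: fine
'''
```

This checker looks only at the call site, so `q = f"..."; cur.execute(q)` slips past it. Production static-analysis tools add taint tracking across assignments and function boundaries to close that gap; the trade-off between such precision and false positives is the core engineering problem of static analysis.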
18
Q

Dynamic Analysis

A

Dynamic analysis is the testing and evaluation of an application during runtime

19
Q

Fuzzing

A

Vulnerability testing technique that sends large volumes of random, malformed or unexpected data to an application, e.g. typing a whole novel into a field that expects a name, and watches for system failures, memory leaks, error-handling issues and improper input validation.

A crash found by fuzzing is often the starting point an attacker builds on, e.g. a DoS attack or, if memory is corrupted, code execution.
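A minimal mutation fuzzer, added here as an example and not part of the original flashcards. The record format, both parsers and the seed input are constructed for the demo. It feeds mutated versions of a valid record to a naive parser and to a hardened one; the naive parser blows up with IndexError, struct.error and UnicodeDecodeError (the Python equivalents of a crash), while the hardened one only ever answers with its own MalformedRecord, which the harness treats as a clean rejection rather than a finding.

```python
import random
import struct


class MalformedRecord(ValueError):
    """Raised by the hardened parser for any input it rejects on purpose."""


# Constructed wire format: [1-byte name length][name bytes][2-byte big-endian value].
SEED = b"\x05alice\x01\xf4"          # name "alice", value 0x01F4 = 500


def parse_record_vulnerable(data: bytes):
    # No length or content checks: short or odd input raises IndexError, struct.error
    # or UnicodeDecodeError from deep inside the code, the Python analogue of a crash.
    name_len = data[0]
    name = data[1:1 + name_len].decode("ascii")
    value = struct.unpack_from(">H", data, 1 + name_len)[0]
    return name, value


def parse_record_hardened(data: bytes):
    # Every assumption is checked up front and violations produce one deliberate error.
    if len(data) < 3:
        raise MalformedRecord("record too short")
    name_len = data[0]
    if len(data) != 1 + name_len + 2:
        raise MalformedRecord("length field does not match record size")
    name = data[1:1 + name_len]
    if not (name.isascii() and name.isalnum()):
        raise MalformedRecord("name must be non-empty ASCII alphanumeric")
    value = struct.unpack_from(">H", data, 1 + name_len)[0]
    return name.decode("ascii"), value


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: truncate, flip a bit, or append junk bytes."""
    kind = rng.randrange(3)
    if kind == 0:
        return data[:rng.randrange(len(data))]
    if kind == 1:
        i = rng.randrange(len(data))
        return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]
    return data + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))


def fuzz(target, seed: bytes = SEED, iterations: int = 500, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to target and collect crashes keyed by exception type,
    keeping the first input that triggered each. A MalformedRecord is the parser
    saying 'no' cleanly, so it is not counted as a crash."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            target(case)
        except MalformedRecord:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes
```

Real fuzzers (AFL++, libFuzzer) add coverage feedback so that mutations which reach new code are kept as new seeds; the structure above is the same, only the mutation strategy is smarter. Note that the fuzzer found nothing in the hardened parser not because it is bug-free, but because the input space it explores is now answered deliberately.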

20
Q

Backdoors

A

Code placed in computer programs to bypass normal authentication and other security mechanisms

Backdoors are a poor coding practice and should not be utilized

21
Q

Directory Traversal

A

A web application vulnerability (also called path traversal) in which attacker-supplied input such as ../../etc/passwd is used to build a file path, letting the attacker read files and directories outside the directory the application intended to expose.

In some cases an attacker can also write to arbitrary files on the server, modifying application data or behaviour and ultimately taking full control of the server.
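Vulnerable and hardened file access side by side, added here as an example and not part of the original flashcards. safe_join, read_report and the sandbox built by run_demo are constructed for the demo; the sandbox is a temporary directory with one legitimate report, a secret file outside it and an attacker-planted symlink pointing outside.

```python
import os
import tempfile


class TraversalError(PermissionError):
    """User-supplied path resolved to somewhere outside the permitted directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir, refusing anything that escapes it.
    realpath() collapses '..' and follows symlinks, so a symlink planted inside
    base_dir that points outside is caught as well."""
    base = os.path.realpath(base_dir)
    # Pitfall: os.path.join(base, "/etc/passwd") throws base away for absolute paths,
    # so strip leading separators before joining.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{user_path!r} escapes {base!r}")
    return candidate


def read_report_vulnerable(base_dir: str, user_path: str) -> bytes:
    # The classic bug: ../../ in user_path walks straight out of base_dir.
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def read_report(base_dir: str, user_path: str) -> bytes:
    with open(safe_join(base_dir, user_path), "rb") as f:
        return f.read()


def run_demo() -> dict:
    """Build a throwaway sandbox and exercise both readers. Returns outcomes per case."""
    out = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as base:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("SECRET")
        os.makedirs(os.path.join(base, "reports"))
        with open(os.path.join(base, "reports", "q1.txt"), "w") as f:
            f.write("Q1 ok")
        os.symlink(outside, os.path.join(base, "link"))     # attacker-planted symlink

        rel = os.path.relpath(secret, base)                  # "../<outside>/secret.txt"
        out["legit"] = read_report(base, "reports/q1.txt")
        out["vulnerable_leaks"] = read_report_vulnerable(base, rel)
        for label, bad in (("dotdot", rel), ("symlink", "link/secret.txt")):
            try:
                read_report(base, bad)
                out[label] = "allowed"
            except TraversalError:
                out[label] = "blocked"
        # An absolute path is re-rooted under base rather than honoured.
        out["absolute_rebased"] = safe_join(base, secret).startswith(os.path.realpath(base))
    return out
```

The check compares fully resolved paths rather than looking for the substring "..": URL-encoded (%2e%2e), backslash and symlink variants all collapse to the same real path, which is what the attacker's file is actually reached through.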

22
Q

Arbitrary Code Execution

A

Occurs when an attacker is able to run code or commands of their choosing on a victim system. The term says nothing about where the attacker is; when the trigger arrives over a network it is called remote code execution (next card)

23
Q

Remote Code Execution - RCE

A

Arbitrary code execution triggered over a network: the attacker never needs local access to the victim computer. Buffer overflows and injection flaws in network-facing code are the usual routes to RCE

24
Q

Buffer Overflow

A

Occurs when a process writes data outside the memory range the developer allocated for it.

Example: a buffer is allocated for 500 characters. If 600 are written, the extra 100 overrun the memory next to the buffer. When the buffer lives on the stack, that adjacent memory holds the function's saved return address; the function later "returns" to whatever the overflow wrote there, which is how an attacker turns an overflow into code execution.

25
Q

Buffer

A

A fixed-size region of memory that a program uses to hold data temporarily, e.g. a 500-character array for a name.

(The often-repeated claim that over 85% of data breaches were caused by buffer overflows is unsourced; what is certain is that buffer overflows have been among the most exploited classes of memory-safety bugs for decades.)

26
Q

Stack

A

Reserved area of memory where the program saves the return address (along with local variables, saved registers and arguments) when a function call instruction is executed. Because a function's local buffers sit next to its saved return address, overflowing one can overwrite the other.

27
Q

"Smash the Stack"

A

Occurs when an attacker overflows a stack buffer to overwrite the saved return address so that it points into the attacker's payload. The payload is prefixed with a long run of NOP (no-operation) instructions, a NOP sled, so the overwritten address does not have to be exact: if execution lands anywhere in the sled it slides forward through the NOPs until it reaches the attacker's code.

28
Q

Address Space Layout Randomization

A

An operating-system protection (not something programmers do by hand) that randomly arranges the base addresses of a process's stack, heap and loaded libraries each time it starts. The attacker can no longer predict where a NOP sled, shellcode or library function will be, so a stack-smashing exploit that hard-codes an address fails. ASLR does not prevent the overflow itself; it is usually combined with a non-executable stack (DEP/NX) and stack canaries.

29
Q

Cross-Site Scripting (XSS), 3 Types

A

Occurs when an attacker gets malicious script to run in a victim's browser in the context of a trusted website. Three types:

Stored/Persistent: the attacker's input is saved on the web server (database, comment, profile field) and served to everyone who views that content, e.g. if YouTube allowed JavaScript in comments. It is not just reflected; the payload is stored and then sent to users from where it is stored.

Reflected: non-persistent; the attacker gets a victim to click a crafted link, and the input (the script) in that request is reflected straight back into the response.

DOM-based: exploits the victim's web browser; the user's input lands inside a dangerous part of client-side JavaScript (e.g. innerHTML or eval), so the vulnerable code runs entirely on the client and the server never sees the payload.

Prevent XSS with context-appropriate output encoding and proper input validation.

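Output encoding in two contexts, added here as an example and not part of the original flashcards. render_comment, safe_href and render_profile_link are constructed for the demo. The first pair shows the stored/reflected case: the same comment body rendered raw and rendered with HTML entity encoding. The second shows why encoding alone is not enough in a URL attribute.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}


def render_comment_vulnerable(author: str, body: str) -> str:
    # Untrusted strings dropped straight into the page: stored XSS if body came from the
    # database, reflected XSS if it came from the current request's parameters.
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment(author: str, body: str) -> str:
    # Output encoding for the HTML text context: < > & " ' become entities, so the browser
    # shows the attacker's <script> as text instead of executing it.
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def safe_href(url: str) -> str:
    """URL attribute context needs more than escaping: javascript:alert(1) contains no
    HTML-special characters at all. Allowlist the scheme, then escape for the attribute."""
    scheme = urlsplit(url.strip()).scheme          # urlsplit lower-cases the scheme
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_profile_link(display_name: str, url: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(display_name)}</a>'
```

Two caveats. Browsers are more forgiving than urlsplit about whitespace and control characters inside a scheme, so in production rely on a template engine's auto-escaping plus a vetted URL sanitizer rather than hand-rolled checks. And none of this helps against DOM-based XSS, which happens after the page arrives: there the fix is in the client-side script (assign to textContent, not innerHTML).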
30
Q

Cross-Site Request Forgery (XSRF/CSRF)

A

Occurs when an attacker forces a user to execute actions on a web server to which they are already logged in.

Example: you are logged in to your bank account. The attacker uses social engineering to send you an email containing a hyperlink with an action embedded in it. If you click it, the action, e.g. transferring 100 Euro, is executed, because your browser automatically attaches your bank session cookie and the server cannot tell the forged request from a legitimate one.

Prevented with anti-CSRF tokens that the attacker's page cannot read, with SameSite cookie attributes as defence in depth.

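A synchronizer-token check for the bank-transfer scenario, added here as an example and not part of the original flashcards. issue_csrf_token, verify_csrf_token and handle_transfer are constructed for the demo, SERVER_SECRET is generated at import time (a real deployment loads it from configuration), and the request is modelled as a plain dict.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in production load it from config or a KMS.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token bound to the session: nonce.HMAC(secret, session_id:nonce).
    The page embeds it in the form; an attacker's page on another origin cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)      # constant-time comparison


def handle_transfer(request: dict, session_id: str) -> str:
    """Constructed request handler. The session cookie only proves which *browser* sent the
    request; the token proves the request came from a page this site rendered for that
    session, which the attacker's email link or hidden form cannot supply."""
    if request.get("method") != "POST":
        return "405 state-changing actions must be POST"
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 CSRF check failed"
    return f"200 transferred {form['amount']} EUR"
```

Binding the MAC to the session id is what stops an attacker from logging in themselves, harvesting a valid token, and replaying it inside the victim's session: the same token verifies only against the session it was issued for.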
31
Q

SQL Injection

A

Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application.

Prevented primarily with parameterized queries (prepared statements), so that user data can never be interpreted as SQL, backed by input validation and least privilege for the database account.

If you see ' OR 1=1; on the exam, it's an SQL injection.

32
Q

Injection Attack

A

Insertion of additional information or code through data input from a client to an application. Varieties include SQL, HTML, XML and LDAP injection; the most common type is SQL injection.

33
Q

XML / XML Vulnerabilities

A

XML (Extensible Markup Language) is a markup language similar to HTML, but without predefined tags. XML data submitted without encryption or input validation is vulnerable to spoofing, request forgery and injection of arbitrary code.

34
Q

XML Bomb (Billion Laughs Attack)

A

A document whose DTD defines entities that reference other entities many times over (lol1 is ten copies of lol, lol2 is ten copies of lol1, and so on), so that a few kilobytes of XML expand to gigabytes when the parser resolves them, consuming the host's memory and potentially crashing it.

35
Q

XML External Entity (XXE)

A

An attack in which the document declares an external entity (e.g. <!ENTITY xxe SYSTEM "file:///etc/passwd">) so that the parser reads a local file or fetches a URL and embeds the result in the document, leaking data or making requests from inside the server.

To prevent XML vulnerabilities from being exploited, configure the parser to disable DTD and external-entity processing, and use proper input validation.

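One guard that covers both the XML bomb (card 34) and XXE (card 35), added here as an example and not part of the original flashcards. Both attacks need a DOCTYPE with ENTITY declarations, so the cheapest and most portable defence is to refuse any untrusted document that carries one before it reaches the parser, which is also what the defusedxml package does. parse_untrusted_xml and the three payloads are constructed for the demo; Python's xml.etree does not fetch SYSTEM entities, but entity expansion behaviour varies by library and version, which is why the check runs before parsing rather than relying on the parser.

```python
import re
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    pass


# Both the billion-laughs bomb and XXE need a DOCTYPE with ENTITY declarations.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def parse_untrusted_xml(data: bytes, max_bytes: int = 1_000_000) -> ET.Element:
    """Parse XML from an untrusted source: cap the size, refuse DTDs, then parse."""
    if len(data) > max_bytes:
        raise UnsafeXML("document too large")
    if _DOCTYPE_RE.search(data):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not accepted from untrusted sources")
    return ET.fromstring(data)


# Constructed payloads (three levels of the classic bomb, and a file-reading XXE).
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><note>&xxe;</note></order>"""

BENIGN = b"<order><item sku='A1' qty='2'/></order>"
```

The regex is a byte-level check, so documents in UTF-16 or another non-ASCII-compatible encoding must be decoded to the declared encoding first; otherwise a DOCTYPE could slip through as bytes the pattern never sees.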
36
Q

Race Conditions

A

Occurs when two processes or threads try to access the same resource at the same time and the outcome depends on which one gets there first, causing problems in the system. A race condition vulnerability exists where multiple threads write to a variable or object at the same memory location without synchronization.

37
Q

Race Conditions: Dereferencing

A

Dereferencing a pointer means following it to the memory it points to. The vulnerability arises when code follows a pointer whose target is no longer valid, e.g. one thread frees (or never initializes) the object while another still dereferences it, giving a null-pointer dereference or a use-after-free.

Race conditions are difficult to detect and mitigate, and can also be used against databases and file systems.

38
Q

Time of Check to Time of Use (TOCTTOU)

A

A resource is checked for a particular value, such as whether a file exists or whether the user may access it, and that value changes before the resource is used, so the later use relies on a stale check.

39
Q

Preventing Race Conditions/TOCTTOU

A

Avoid check-then-use sequences: perform the check and the use as a single atomic operation (e.g. open the file, then inspect the descriptor you actually got, rather than checking the path and opening it afterwards). Where operations must be separated, implement a locking mechanism that gives the application exclusive access to the resource in between.

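The file-based TOCTOU from cards 38 and 39 with a racy reader beside the fixed one, added here as an example and not part of the original flashcards. read_config_racy, read_config_safe and the sandbox built by run_demo are constructed for the demo; it assumes a POSIX system (O_NOFOLLOW, fstat, getuid) and that the attacker's move is to swap the expected file for a symlink.

```python
import os
import stat
import tempfile


class UnsafePath(PermissionError):
    pass


def read_config_racy(path: str) -> bytes:
    # Check-then-use. Between islink()/isfile() and open() the path can be swapped
    # (e.g. for a symlink to /etc/shadow) by anyone who can write to its directory.
    if os.path.islink(path) or not os.path.isfile(path):
        raise UnsafePath(path)
    with open(path, "rb") as f:
        return f.read()


def read_config_safe(path: str) -> bytes:
    # Use-then-check on the same object: open once, then inspect the descriptor we got.
    # There is no second path lookup, so there is no window. O_NOFOLLOW makes the kernel
    # refuse a symlink atomically instead of us testing for one beforehand.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        raise UnsafePath(f"{path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePath(f"{path}: not a regular file")
        if st.st_uid != os.getuid():
            raise UnsafePath(f"{path}: not owned by this user")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:
        return f.read()


def run_demo() -> dict:
    """Build a sandbox with a real config, a symlink standing in for the attacker's swap,
    and a directory; report how the safe reader treats each."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "app.conf")
        with open(real, "wb") as f:
            f.write(b"debug=false\n")
        link = os.path.join(d, "link.conf")
        os.symlink(real, link)
        out["regular"] = read_config_safe(real)
        for label, target in (("symlink", link), ("directory", d)):
            try:
                read_config_safe(target)
                out[label] = "opened"
            except UnsafePath:
                out[label] = "refused"
    return out
```

The racy version is the "before": its checks are correct and still useless, because they are made against the path name while the open is a second, independent lookup of that name. The same idea applies beyond files: validate the connection, lock or row you actually hold, not a description of it from a moment earlier.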
40
Q

Design Vulnerabilities: Insecure Components

A

Any code that is used or invoked outside the main program development process: reused code, third-party libraries and software development kits (SDKs). A vulnerability in any of them is a vulnerability in your application.

41
Q

Design Vulnerabilities: Insufficient Logging/Monitoring

A

Any program that does not properly record or log detailed enough information for an analyst to do their job. Logging and monitoring must support your use case and answer who, what, when, where and how.

42
Q

Design Vulnerabilities: Weak or Default Configurations

A

Any program that uses ineffective credentials or configurations, or one in which the defaults have not been changed for security. Many applications simply run as root or as a local admin, and permissions on files or directories may be too permissive due to weak configurations. Use scripted installations and baseline configuration templates to secure applications during installation.

43
Q

LDAP Injections

A

LDAP directories typically store authentication information (users and passwords). The attacker sends malformed queries, usually via URLs or input fields, to pull more information than intended or to bypass authentication.

Example:

Normal query: http://www.CVexample.com/people_search.aspx?name=Sam)(zone=public)

Manipulated query: http://www.CVexample.com/people_search.aspx?name=Sam)(zone=*)

The unescaped ) and ( let the attacker close the intended clause and add one of their own.

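The card's manipulated query run through a filter builder with and without escaping, added here as an example and not part of the original flashcards. The escape table is the one from RFC 4515 section 3; the (&(name=...)(zone=public)) filter template and the function names are constructed for the demo.

```python
def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
    the characters that have meaning to the filter grammar become \\XX hex escapes."""
    out = value.replace("\\", r"\5c")        # first, so the escapes below are not re-escaped
    for ch, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        out = out.replace(ch, esc)
    return out


def people_search_filter_vulnerable(name: str) -> str:
    # The URL parameter is pasted into the filter grammar, exactly as in the card above.
    return f"(&(name={name})(zone=public))"


def people_search_filter(name: str) -> str:
    # The same template, but the value can only ever be a value.
    return f"(&(name={escape_ldap_filter_value(name)})(zone=public))"
```

With name=Sam)(zone=*) the vulnerable builder emits (&(name=Sam)(zone=*))(zone=public)), where the attacker has closed the name clause and supplied a zone wildcard of their own; the escaped builder emits (&(name=Sam\29\28zone=\2a\29)(zone=public)), a search for a person literally called "Sam)(zone=*)", which matches nobody. A bare * is escaped to \2a for the same reason: otherwise name=* matches every entry.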
44
Q

SSL Stripping/HTTP Downgrade

A

Combines an on-path (man-in-the-middle) attack with a downgrade attack: the attacker sits between client and server, keeps the HTTPS connection to the server but serves the victim plain HTTP, rewriting https:// links to http:// so it can read and modify the data in transit. Done via a proxy server, ARP spoofing, or a rogue access point. HSTS (HTTP Strict Transport Security) tells browsers never to accept plain HTTP for the site, which defeats the downgrade.

45
Q

Dead Code

A

A section of a program's source code that is executed but whose result is never used in any other computation (or that can never be reached at all). It adds attack surface and maintenance burden without adding function, and can hide vulnerabilities that nobody reviews; remove it.

46
Q

OWASP

A

Open Web Application Security Project: an online community that produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security.