Secure Software Development Flashcards
Occurs when a tester is not provided with any information about
the system or program prior to conducting the test
Black Box Testing
Occurs when a tester is provided full details of a system including
the source code, diagrams, and user credentials in order to
conduct the test
White Box Testing
Provides control over what the application should do when faced with a
runtime or syntax error
Structured Exception Handling(SEH)
Applications verify that information received from a user matches
a specific format or range of values
Input Validation
Source code of an application is reviewed manually or with automatic
tools without running the code
Static Analysis
§ Analysis and testing of a program occurs while it is being executed or run
Dynamic Analysis
Injection of randomized data into a software program in an attempt to
find system failures, memory leaks, error handling issues, and improper
input validation
Fuzzing
Code placed in computer programs to bypass normal authentication and
other security mechanisms
Backdoors
Method of accessing unauthorized directories by moving through the
directory structure on a remote server
Directory Traversal
Occurs when an attacker is able to execute or run commands
on a victim computer
Arbitrary Code execution
Occurs when an attacker is able to execute or run commands
on a remote computer
Remote Code Execution
Attack against a vulnerability that is unknown to the original developer or
manufacturer
Zero Day
Occurs when a process stores data outside the memory range allocated
by the developer
Buffer Overflow
§ A temporary storage area that a program uses to store data
Buffer
Reserved area of memory where the program saves the return
address when a function call instruction is received
Stack
Occurs when an attacker fills up the buffer with NOP so that the
return address may hit a NOP and continue on until it finds the
attacker’s code to run
“Smash the Stack”
Method used by programmers to randomly arrange the different
address spaces used by a program or process to prevent buffer
overflow exploits
Address Space Layout Randomization
Occurs when an attacker embeds malicious scripting commands on a
trusted website
Cross-Site Scripting(XSS)
Occurs when an attacker forces a user to execute actions on a web server
for which they are already authenticated
Cross-Site Request Forgery(XSRF/CSRF)
Attack consisting of the insertion or injection of an SQL query via input
data from the client to a web application
SQL Injection
A software vulnerability when the resulting outcome from execution processes is
directly dependent on the order and timing of certain events, and those events
fail to execute in the order and timing intended by the developer
Race Conditions