Secure software development Flashcards
Black box testing
Occurs when a tester is not provided with any information about
the system or program prior to conducting the test
White box testing
Occurs when a tester is provided full details of a system including
the source code, diagrams, and user credentials in order to
conduct the test
SEH
Structured Exception handling: provides control over what the application should do when faced with a
runtime or syntax error
Static analysis
Source code of an application is reviewed manually or with automatic
tools without running the code
Dynamic analysis
Analysis and testing of a program occurs while it is being executed or run
Fuzzing
Injection of randomized data into a software program in an attempt to
find system failures, memory leaks, error handling issues, and improper
input validation
RCE
Remote Code execution: Occurs when an attacker is able to execute or run commands
on a remote computer
Arbitrary code execution
Occurs when an attacker is able to execute or run commands
on a victim computer
Directory traversal
Method of accessing unauthorized directories by moving through the
directory structure on a remote server
Stack
Reserved area of memory where the program saves the return address when a function call instruction is received
Smash the stack
Occurs when an attacker fills up the buffer with NOP so that the
return address may hit a NOP and continue on until it finds the
attacker’s code to run
XSRF
Cross site request forgery: Occurs when an attacker forces a user to execute actions on a web server
for which they are already authenticated
XML Bomb
XML encodes entities that expand to exponential sizes, consuming
memory on the host and potentially crashing it
XML external entity
An attack that embeds a request for a local resource
Race conditions
A software vulnerability when the resulting outcome from execution processes is
directly dependent on the order and timing of certain events, and those events
fail to execute in the order and timing intended by the developer
