Secure Software Processes Flashcards
Code analysis is the process of …
inspecting the code for quality and weaknesses that can be exploited. It is primarily accomplished by two means: static and dynamic.
The primary advantage that a binary code analyzer has over static code analyzers is that a binary code analyzer can …
detect vulnerabilities and code inefficiencies that have been introduced by the compiler, since it is inspecting the compiled object code, after the compilation process. It also has the ability to look into libraries that are linked during the compilation process.
The benefits of performing static code analysis are …
errors and vulnerabilities can be detected early and addressed before the deployment of the software; can be performed in the development and testing environment.
Dynamic code analysis is the inspection of …
the code when it is being executed (run as a program).
Dynamic code analysis can be performed to ascertain that …
the code is reliably functioning as expected and is not prone to errors or exploitation.
Code/Peer Review can be performed manually or using tools. It is a systematic evaluation of …
the source code with the goal of finding out syntax issues and weaknesses in the code that can impact the performance and security of the software.
What is not detected in the code review? Code review can be used to validate …
Semantic issues such as business logic and design flaws are usually not detected in a code review, but a code review can be used to validate the threat model generated in the design phase of the software development project.
Injection flaws check for …
code that makes injection attacks possible. E.g. lack of input validation.
Non-repudiation Mechanisms in code review should ensure that …
auditing is properly implemented and that the authenticity of the code and the user or system actions are not disputable.
Spoofing Attacks in code review check for code that makes spoofing attacks possible. This check should ensure that …
session identifiers are not predictable, passwords are not hard-coded, credentials are not cached and code that allows changes to the impersonation context is not implemented.
Errors and Exception Handling in code review must check to make sure that …
errors, when reported, don’t reveal more information than is necessary, and that the software fails securely when errors occur.
Cryptographic Strength: in a code review, code that uses non-standard or custom cryptographic algorithms is considered …
weak and must be avoided.
Unsafe and Unused Functions and Routines must be …
reviewed to ascertain that deprecated and banned APIs are not used.
Reversible Code in code review can be used to …
determine the internal architecture and design, and implementation details of software functionality.
For code review, privileged code is the code that violates the … As part of the code review, checks must be performed to ensure that …
principle of least privilege; code that requires administrative rights to execute is explicitly controlled and monitored.
In a code review, Maintenance Hooks are intentionally introduced, seemingly innocuous code that is implemented to … These maintenance hooks should not be deployed into the production environment because …
primarily provide for maintenance needs; an attacker could easily take advantage of the maintenance hook and gain back door entry into the system, often circumventing all security protection mechanisms.
In a code review, Logic Bombs are serious code security issues as they can be placed in the code and …
go undetected if a code review is not performed. A logic bomb can be triggered to go off to perform some malicious and unintended operation when that logic is met.
The integrity of the build environment can be assured by …
Physically securing access to the systems that build code; using access control lists (ACLs) that prevent access by unauthorized users; using version control software to assure that the code built is of the right version. Build automation is the process of scripting or automating the tasks that are involved in the build process.