Summarizing Secure Coding

Question 1

code that has been optimized by a special application is known as what? What is the name of the application and describe what it does at a high level?

Answer 1

Compiled code
The application is called a Compiler and it checks the code for errors and provides reports to developers of things they might need to check.

Question 2

Code that is evaluated, interpreted and executed when the code is run is known as what?

Answer 2

Runtime code.

Question 3

What does input validation protect against?

Describe at a high level how it does this

Answer 3

it protects against an attacker entering malicious code into an application. It does this by sanitizing the input that a user can send to it to make sure it only accepts what is necessary.

Question 4

what is one of the most common security issues on web-based applications?

Answer 4

lack of proper input validation

Question 5

What is more secure, server or client side validation? Why

Answer 5

Server side. Because if using client-side only, bad code can still get to the server.

Question 6

what can protect against buffer overflow, SQL injection, command injection and cross-site scripting?

Answer 6

Input Validation

Question 7

why does escaping HTML characters protect against attacks?

Answer 7

because the original character is substituted with the escaped character version, it no longer is valid code.

Question 8

When two modules or applications access a resource at the same what can it trigger?

Answer 8

A conflict known as a race condition

Question 9

Two important points/recommendations about error reporting/displaying application error messages are..

Answer 9

1) errors should be general and not give important information to an attacker
2) errors should be logged for developers to look at later

Question 10

what are the two benefits of code signing?

Answer 10

1) the certificate identifies the author

2) it provides a hash of the code that can be checked to ensure that the code hasn’t been altered.

Question 11

What method do developers employ to deter people from copying their code they’ve worked hard on?

Answer 11

by employing Code Obfuscation. It renames variables and replaces other things.

Question 12

In code testing, static code analysis does what?

Answer 12

it examines code without running it

Question 13

In code testing, dynamic analysis deos what?

Answer 13

it checks the code while it is running

Question 14

in code testing what does fuzzing do?

Answer 14

it sends random strings of data to applications looking for vulnerabilities.

Question 15

the process of ensuring an application meets all specifications and does what it’s supposed to do is known as what?

Answer 15

Model verification

Question 16

what Secure DevOps concept is the name of the process of merging code changes into a central repository where it is then built and tested from?

Answer 16

Continuous Integration.

Question 17

what secure devops concept often uses a mirror image of production environment to automate testing to check to code?

Answer 17

Security Automation

Question 18

What is the secure devops concept of base lining code and why is it useful?

Answer 18

baselining refers to applying any code updates to the baseline code and saving it as the new baseline on a daily basis.
because the baseline code is updated daily, any bugs can be identified and fixed more quickly, as opposed to updates once a week after lots of changes have occurred.

Question 19

Provisioning and Deprovisioning an application does what?

Answer 19

Provisioning configures the application for use on specific devices so it can use the application services on that device, for instance, the gyroscope on an iphone.
Deprovisioning an app refers to removing it from a device.