Summarizing Secure Coding Flashcards
Code that has been optimized by a special application is known as what? What is the name of the application, and what does it do at a high level?
Compiled code
The application is called a Compiler and it checks the code for errors and provides reports to developers of things they might need to check.
Code that is evaluated, interpreted and executed when the code is run is known as what?
Runtime code.
What does input validation protect against?
Describe at a high level how it does this.
It protects against an attacker entering malicious code into an application. It does this by sanitizing the input that a user can send to it, making sure it only accepts what is necessary.
What is one of the most common security issues in web-based applications?
Lack of proper input validation.
What is more secure, server-side or client-side validation? Why?
Server side, because if only client-side validation is used, bad code can still get to the server.
What can protect against buffer overflow, SQL injection, command injection and cross-site scripting?
Input Validation
Why does escaping HTML characters protect against attacks?
Because the original character is substituted with its escaped version, it is no longer valid code.
When two modules or applications access a resource at the same time, what can it trigger?
A conflict known as a race condition
Two important points/recommendations about error reporting and displaying application error messages are:
1) errors should be general and not give important information to an attacker
2) errors should be logged for developers to look at later
What are the two benefits of code signing?
1) the certificate identifies the author
2) it provides a hash of the code that can be checked to ensure that the code hasn’t been altered.
What method do developers employ to deter people from copying their code they’ve worked hard on?
By employing code obfuscation. It renames variables and replaces other things.
In code testing, static code analysis does what?
It examines code without running it.
In code testing, dynamic analysis does what?
It checks the code while it is running.
In code testing, what does fuzzing do?
It sends random strings of data to applications looking for vulnerabilities.
The process of ensuring an application meets all specifications and does what it's supposed to do is known as what?
Model verification
What Secure DevOps concept is the name of the process of merging code changes into a central repository, from which the code is then built and tested?
Continuous Integration.
What Secure DevOps concept often uses a mirror image of the production environment to automate testing of the code?
Security Automation
What is the Secure DevOps concept of baselining code, and why is it useful?
Baselining refers to applying any code updates to the baseline code and saving it as the new baseline on a daily basis.
Because the baseline code is updated daily, any bugs can be identified and fixed more quickly, as opposed to updates once a week after lots of changes have occurred.
Provisioning and Deprovisioning an application does what?
Provisioning configures the application for use on specific devices so it can use the application services on that device, for instance the gyroscope on an iPhone.
Deprovisioning an app refers to removing it from a device.