Secure Software Development Flashcards
SDLC
§ Software Development Life Cycle
§ SDLC is an organized process of developing a secure application throughout the life of the project
Least Privilege
Users and processes should be run using the least amount of access necessary to perform a given function
Defense in Depth
Layering of security controls is more effective and secure than relying on a single control
Structured Exception Handling
SEH Provides control over what the application should do when faced with a
runtime or syntax error
Fuzzing
Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation
Backdoors
Code placed in computer programs to bypass normal authentication and other security mechanisms
Directory Traversal
Method of accessing unauthorized directories by moving through the directory structure on a remote server
Arbitrary Code Execution
Occurs when an attacker is able to execute or run commands on a victim computer
Remote Code Execution (RCE)
Occurs when an attacker is able to execute or run commands on a remote computer
Zero Day
Attack against a vulnerability that is unknown to the original developer or manufacturer
Buffer Overflow
Occurs when a process stores data outside the memory range allocated by the developer
Smash the Stack
Occurs when an attacker fills up the buffer with NOP so that the return address may hit a NOP and continue on until it finds the attacker’s code to run
Cross-Site Scripting
Occurs when an attacker embeds malicious scripting commands on a trusted website
Cross-Site Request Forgery
§ Occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated
§ Prevent XSRF with tokens, encryption, XML file scanning, and cookie verification
XML Bomb (Billion Laughs Attack)
XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it
