Key Concepts 8.4 and 8.5 Flashcards
Domain 8 (24 cards)
Allows indefinite use for a one time fee
Perpetual Software License
Time-bound use based on the length of the subscription, often monthly, quarterly, or annual
Subscription
Offers free usage with some conditions or limitations. May include an
enterprise option that includes software support at a cost.
Open source License
Cloud service subscriptions require the user or organization to accept the terms at the time of registration.
Cloud service license
Included in most software license types; it defines the rights, restrictions, and terms the user must agree to in order to use the software.
End User License Agreement (EULA)
Requires active consent during installation, typically seen in
commercial-off-the-shelf software.
Click-through Agreement
software is commercially available software that is not custom developed for a specific
organization.
Commercial off-the-shelf (COTS)
is software whose source code is publicly available and can be freely modified and distributed.
Open-source software
software is software that is custom-developed by an external vendor or service provider.
Third-party software
IT services that are provided and managed by an external service
provider. This involves transferring responsibility for some important functions to an external vendor. Since accountability for compliance cannot be transferred, adequate due diligence ahead of adoption is absolutely critical.
Managed services
IT services that are provided through a public cloud computing platform, such as Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).
Cloud services
-Fake Websites and Malicious Code Injection
-Sandbox Isolation Breaches
-Execution of Untrusted Code
Security Concerns with JavaScript
A hidden method of bypassing normal authentication or security controls to access a system
or application. It’s typically inserted deliberately by developers, often for legitimate purposes
like troubleshooting or maintenance, but can pose significant security risks if discovered by
malicious actors.
Back Door
are slow, gradual attacks that can be difficult to detect immediately. They often involve making small, seemingly insignificant changes to data or systems. Examples: Data Diddling and Salami Attack
Incremental Attacks
attack is a type of cyberattack that exploits vulnerabilities in software programs by overwriting adjacent memory locations. It occurs when a program writes more data to a fixed-length buffer than it can hold. It targets programs written in languages like C and C++ because they do not have built-in bounds checking.
Buffer overflow
is a type of software bug that can occur in multi-threaded systems or environments where the
state of a resource can change between the time it’s checked and the time it’s used. This
vulnerability can lead to race conditions and potentially be exploited by attackers to gain
unauthorized access or to corrupt data.
Time-of-check to Time-of-use (TOCTOU)
is a web security vulnerability that allows attackers to inject
malicious client-side scripts into web pages viewed by other users. These attacks exploit the
trust a user has in a particular website, enabling the attacker to bypass access controls and
impersonate users.
Cross-Site Scripting (XSS)
the malicious script is embedded in a link and only affects users who click on it. The payload is not stored on the server but is instead
“reflected” off the web application.
Reflected XSS
involves malicious scripts being permanently stored on the target server, usually in a database. This type affects any user who views the compromised content.
Persistent (Stored) XSS
is a web security vulnerability that exploits the trust a
website has in a user’s browser. In this attack, a malicious actor tricks an authenticated user
into unknowingly executing unwanted actions on a web application. The attack is carried out from the user’s browser, often by enticing the victim to click a specially crafted link or visit
a malicious web page.
Cross-Site Request Forgery (CSRF)
is a vulnerability that allows an attacker to induce the
server-side application to make requests to an unintended location. The malicious actor abuses functionality on the server to read or update internal resources. The attacker typically supplies or modifies a URL, which the server-side code then uses to read data from or send data to.
Server-Side Request Forgery (SSRF)
is an attack where a
malicious actor gains unauthorized access to a user’s active session by capturing, intercepting or guessing the session identifier.
Session hijacking
are a set of guidelines and techniques designed to minimize vulnerabilities in software applications. By adhering to these, developers can significantly reduce the risk of security breaches, data leaks, and other cyber threats.
Goals:
Prevent vulnerabilities
Mitigate risks
Improve code quality
Comply with regulations
Secure coding practices
is an approach to cybersecurity where security controls
and policies are implemented, managed, and automated through code. This allows security
measures to be directly integrated into the continuous integration and continuous deployment
(CI/CD) pipeline, making security an integral part of the software development lifecycle rather
than an afterthought.
Software-defined security (SDS)