Secure Development Flashcards
(33 cards)
What is Threat Modeling?
Threat modeling helps to prioritize vulnerability and patching throughout the software development lifecycle
When should security considerations be programmed into software?
At the very beginning of development
What is the concept of least privilege?
Users and processes should be given the least amount of access necessary to perform a function
What is defense in depth?
Layering of security controls
Should you trust user input?
NO - all user input must be validated
How would you minimize the attack surface when developing software?
Reduce the amount of code necessary, eliminate unneeded functionality and require authentication prior to running additional plugins
What is a secure default?
Default configurations on a program that are inherently secure rather than requiring an administrator to add in the additional security
Why should developers use code signing?
For authenticity and integrity purposes
What is meant by “Fail Securely”?
Applications should be coded to properly conduct error handling to fail securely instead of crashing
What is black box testing?
When a tester is not provided with any information about the program prior to conducting the test
What is white box testing?
When a tester is given info about the program prior to testing
What is gray box testing?
A mixture of white and black box where some info is given
Put these steps of the software development cycle in the correct order:
- Testing
- Integration
- Planning and Analysis
- Maintenance
- Deployment
- Software Design
- Implementation
- Planning and Analysis
- Software/Systems Design
- Implementation
- Testing
- Deployment
- Maintenance
What is SEH in secure software development?
Structured Exception Handling - provides control over what the app should do when it handles an error
What is static analysis in SDLC?
Reviewing code manually without automatic tools and without running the program
What is dynamic analysis in SDLC?
Analysis and testing of a program while executing or running it
What is fuzzing in SDLC?
Injection of random data into a program in an attempt to find system failures and other weaknesses
What is a back door?
Code placed in programs that bypasses normal authentication and security mechanisms
What is arbitrary code execution?
When an attacker is able to execute or run commands on a victim’s computer
What is RCE?
Remote code execution - attacker is able to execute commands remotely
Explain stored/persistent XSS
An attempt to get data provided by the attacker stored on the web server by the victim
Explain reflected XSS
When a malicious script is reflected off of a web application to the victim’s browser. The script is activated through a link, which sends a request to a website that enables execution of malicious scripts.
Explain DOM-Based XSS
An attempt to exploit the victim’s web browser
What is XSRF?
Cross Site Request Forgery - when an attacker forces a user to execute actions on a server for which they are already authenticated