Understanding Application Security and Attack Mitigation Best Practices Flashcards
Secure Software Development Life Cycle (SSDLC)
A method of system development that incorporates security controls in every phase of the system’s lifecycle.
Password Spraying
A brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
Credential stuffing
A brute force attack in which stolen user account names and passwords are tested against multiple websites.
Broken Authentication
A software vulnerability where the authentication mechanism allows an attacker to gain entry, such as displaying cleartext credentials, using weak session tokens, or permitting brute force login requests.
Input Validation
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.
Output Encoding
Coding methods to sanitize output created from user input.
Parameterized Queries
A technique that defends against SQL injection by incorporating placeholders in a SQL query.
How is SSDLC different from SDLC?
SSDLC formally requires security considerations to be included in each phase of development.
Buffer overflow
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.
Heap overflow
A software vulnerability where input is allowed to overwrite memory locations within the area of a process’s memory allocation used to store dynamically sized variables.
Integer overflow
An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.
Address space layout randomization (ASLR)
A technique that randomizes where components in a running application are placed in memory to protect against buffer overflows.
SQL injection
An attack that injects database query syntax into the input data sent from the client side of the application to the server.
Directory Traversal
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
Cross-site scripting (XSS)
A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones.