Term
Development Life Cycle Models

Definition

Term
Agile method

Definition
- Iterative development
- Short feedback loop
- Changes made as the product develops and the business environment changes
- Priority is to satisfy the customer

Term
Security concerns with the Agile method

Definition
- Rapid development leaves inadequate time for security testing
- New requirements may not be properly vetted for security impact

Term
Waterfall method

Definition
- Sequential, linear model with phases:
- Requirements and analysis
- Design
- Coding
- System integration
- Testing and debugging
- Delivery
- Maintenance

Term
Security concerns with the Waterfall method

Definition
- Cannot easily go back to the design phase if security issues are discovered
- Developers may produce software that is no longer needed or not security compliant
- Security may be an afterthought due to time constraints

Term

Definition
- Coordination between development and operations teams to provide rapid deployment of software, features, and capabilities
- Quick feedback loops and iterative testing

Term

Definition
- Plan
- Create
- Verify
- Package

Term

Definition
- Release
- Configure
- Monitor

Term

Definition
- Automating the process of implementing rules, enforcing policies, and making changes
- Based on triggers or policy violations
- Can reduce time to remediate
- Mitigates the risk of human error

Term

Definition
- Merging developer updates continuously to avoid integration changes
- Multiple developers
- Integrate early and often
- Test automation
- Replica (model) of production

Term

Definition
- Continuous Integration
- Continuous Development
- Automated build process
- Monitor for revisions
- Reduce the number of variations and the time required to resolve conflicts
- Every commit to the baseline is built

Term

Definition
- Applications or systems that cannot change
- No modification or updates allowed
- The whole system or application is replaced instead

Term
Infrastructure as Code (IaC)

Definition
- Virtualized systems, switches, routers, and firewalls
- No physical hardware
- Roll out the application together with its virtualized hardware
- Virtualized web servers and database servers

Term

Definition
- Focus on the needs of the application, and simply deploy it where it makes the most sense
- No concern about backend infrastructure
- Deployed together with security tools

Term

Definition
- Hardware and software
- OS configurations
- Migrations
- Commission/decommission
- Security changes/patches

Term

Definition
- Tracks the changes made to a particular file over time
- Part of the application development process
- Changes ready to move the application into a production environment
- Identify a security problem, or integrate bug fixes

Term

Definition
- To make something available

Term

Definition
- Process of removing an application or system

Term

Definition
- Data is migrated
- Old data no longer needed
- Asset wiped/purged
- Asset disposal

Term

Definition
- Proper error handling
- Proper input validation
- Normalization
- Stored procedures
- Code signing
- Encryption

Term

Definition
- Error handling: make sure errors don't crash the system and leave it running with elevated privileges
- Input validation: sanitizes data to mitigate SQL injection, cross-site scripting and forgery
- Code signing: ensures the source of the software

Term

Definition
- Code properly handles exceptions

Term

Definition
- Guards against SQL injection
- Guards against cross-site scripting

Term

Definition
- Software that provides random input to try to crash a program

Term

Definition
- Handle exceptions
- Don't use default error messages
- Validate input
- Encryption
- Code obfuscation
- Memory management
- Third-party libraries
- Data exposure

Term

Definition
- Limits exposure of complex SQL queries
- Simplifies the query
- Complex queries can be kept on the server
- Simple CALL command

Term

Definition
- Validates the source of the application
- Provides tamper protection
- Applied to the deployed application

Term

Definition
- Code reuse
- Calculations are made and code is executed
- Results are not used

Term
Code reuse vulnerabilities

Definition
- Old code
- Security issue spreads to other apps
- Used to build new apps

Term

Definition
- Taking something that's perfectly understandable and turning it into a form that is very difficult to understand

Term

Definition
- Checks of the data occur on the server itself
- Protects against a modified front end

Term

Definition
- Application front-end input check
- May filter out illegitimate users

Term

Definition
- A vulnerability associated with memory

Term

Definition
- Data going into memory matches the amount of buffer available

Term
Use of third-party libraries and SDKs

Definition
- Used to speed up development
- Add on capability
- Potential for a security risk because someone else has written this code

Term

Definition
- Sensitive information
- Encrypt in transit
- Encrypt at rest
- In use / on screen

Term

Definition
- Validate using a Static Application Security Testing (SAST) tool
- Check for buffer overflow
- Fuzzing
- Operating System Utility Program Reliability study, University of Wisconsin, Prof. Barton Miller

Term
Basic Fuzzing Framework (BFF)

Definition
- Virtual machine download from Carnegie Mellon CERT
- Puts random input into the application

Term

Definition
- Simulate one or thousands of users
- Simultaneous access
- Overload the application
- App details
- Unintended error messages
- Kernel and memory dumps

Term

Definition
- Emulate production
- Allows QA, fuzzing and stress testing

Term

Definition
- Different term for fuzzing

Term

Definition
- Evaluate against a set of requirements
- Does the software work properly and perform as expected?
- Is it the correct product?

Term

Definition
- Source code is not visible
- Specific to an operating system and CPU
- Logical bugs
- Executable

Term

Definition
- Source code is viewable
- Source instructions execute when the application is run
