35 Cards in this Set
Key objective of application security |
Ensure the confidentiality, integrity and availability of data. |
|
Critical for an application security program to be effective |
Develop the security policy that can be enforced. |
|
Von Neumann |
Architecture that states "There is no inherent difference between data and programming representations in computer memory." |
|
Important characteristic of bytecode |
It is faster than interpreted languages |
|
Covert channel |
Also known as the confinement problem, it is an information flow issue: two cooperating processes that simultaneously compete for a shared resource in such a way that they can violate the system security policy. Can lead to denial of service. Object reuse, by contrast, has to do with disclosure protection when objects in memory are reused by different processes. |
|
Covert storage channel |
Direct or indirect reading of a storage location by one process and a direct or indirect reading of the same storage location by another process. Involves a finite resource, such as a memory location or a sector on a disk, that is shared by two subjects at different security levels. |
|
Covert timing channels |
Depends upon being able to influence the rate at which some other process is able to acquire resources, such as the CPU, memory, or I/O devices. |
|
Cross-site scripting |
Enables attackers to inject client-side script into web pages viewed by other users. |
|
Social engineering |
The art of influencing people to divulge sensitive information about themselves or their organization, either by coercion or by masquerading as a valid entity. |
|
Time of check time of use TOC/TOU |
A common type of attack that occurs when some control changes between the time that the system security functions check the contents of variables and the time the variables are actually used during operation. |
|
Bounds checking |
The most effective defense against a buffer overflow attack. |
|
Disallowing dynamic construction of queries |
A defense against injection attacks; encoding the output mitigates scripting attacks. |
|
Phases of a software acquisition |
Planning, contracting, monitoring and acceptance, follow-on. |
|
Software librarian |
Ensures and enforces the separation of duties by ensuring that programmers don't have access to production code. |
|
Certification |
Technical evaluation of assurance to ensure that security requirements have been met. The process of evaluating the security stance of the software or system against a predetermined set of security standards or policy. |
|
Cleanroom |
Defect prevention rather than defect removal. Write code correctly the first time, rather than trying to find the problems once they are there. |
|
CASE |
Technique for using computers and computer utilities to help with systematic analysis, design, development, implementation, and maintenance of software. |
|
The spiral software development model |
Uses Deming PDCA models at each phase of the waterfall method |
|
Untrusted code, which is not signed, is restricted from accessing system resources |
Sandboxing security protection mechanism |
|
Sandboxing |
Provides a protective area for program execution. Limits are placed on the amount of memory and processor resources that the program can consume. If a program exceeds these limits, the web browser terminates the process and logs an error code. Ensures the safety of browser performance. |
|
Non-repudiation |
Security control mechanism in which the user or process cannot deny its action. |
|
Obfuscation |
Process of rendering source code unreadable and unintelligible as a protection against reverse engineering and IP issues. |
|
Trojan |
Program that pretends to do one thing while performing another, unwanted action. Does not reproduce itself but pretends to be performing a legitimate action, while acting/performing malicious operations in the background. |
|
Salami scam |
A variant on the concept of logic bombs, it is a plot to take insignificant pennies from a user's bank account and move them to an attacker's bank account. |
|
Views |
A feature that allows for virtual tables in a database; these virtual tables are created from one or more real tables in the database. Can be set up for each user on the system so that the user can then only view those virtual tables. Can achieve role-based access control. |
|
Aggregation and inference |
The 2 most dangerous types of attacks against a database containing disparate non-sensitive information. |
|
Aggregation |
The ability to combine non-sensitive data from separate sources to create sensitive information. The combined data sensitivity can be greater than the classification of individual parts. |
|
Inference |
The ability to deduce sensitive or restricted information from observing available information. For example, by reviewing the medications that have been prescribed to patients, a user may be able to determine the illness. |
|
Consistency |
A property that ensures only valid or legal transactions, those that do not violate any user-defined integrity constraints, are executed in a database management system (DBMS). Occurs when a database is transformed from one valid state to another valid state. A transaction is allowed only if it follows the user-defined integrity constraints. Illegal transactions are not allowed, and if an integrity constraint cannot be satisfied, the transaction is rolled back to its previous valid state and the user is informed that the transaction has failed. |
|
ACID test |
Atomicity, consistency, isolation, and durability is an important DBMS concept |
|
Atomicity |
When all the parts of a transaction's execution are either all committed or all rolled back - do it all or not at all. Essentially, all changes take effect or none do. |
|
Isolation |
The process that guarantees the results of a transaction are invisible to other transactions until the transaction is complete. |
|
Durability |
Ensures the results of a completed transaction are permanent and can survive future system and media failures; that is, once they are done, they cannot be undone. This is similar to transaction persistence. |
|
Expert systems are comprised |
Of a knowledge base comprising modeled human experience and an inference engine. |
|
Best defense against session hijacking and man in the middle attacks |
Unique and random identifiers - they present a challenge for the attacker to guess what the next identifier may be. |