Chapter 6: Secure Coding

1

Software Development Life Cycle

The process that a program goes through. It consists of the development, maintenance, and demise of a software system. The phases include analysis, design, coding, testing/verification, maintenance, and obsolescence.

2

Feasibility Phase

The project phase that demonstrates that the client's requirement can be achieved. This phase identifies and evaluates the options to determine the one preferred solution.

3

analysis and requirements definition phase

customer input is sought to determine what the desired functionality is

4

Design Phase

Establishes descriptions of the desired features and operations of the system including screen layouts, business rules, process diagrams, pseudo code, and other documentation

5

Development Phase

Involves taking all of the detailed design documents from the design phase and transforming them into the actual system

6

testing and integration phase

Carried out when the development stage is complete, to make sure the system conforms to the requirements set in the earlier phases of the SDLC.

7

User Acceptance Testing (UAT)

determine if the system satisfies the user and business requirements

8

Training and Transition Phase

acceptance, installation and deployment phase

9

Ongoing Operations and Maintenance

patching, updating, minor modifications

10

disposition phase

occurs when a product or system reaches the end of its life

11

Development Environment

An environment used to create or modify IT services or applications.

12

test environment

An environment containing hardware, instrumentation, simulators, software tools, and other support elements needed to conduct a test.

13

Staging Environment

A "production-like" environment used to test installation, configuration, and migration scripts.

Also used for performance testing, load testing, and processes required by other teams, boundary partners, etc.

14

production environment

The environment for the actual system operation. It includes hardware and software configurations, system utilities, and communications resources. Also called the operational environment.

15

Waterfall Model

an SDLC approach that assumes the phases can be completed sequentially with no overlap

16

Spiral model

An abstract description of the system's life cycle where there are four defined quadrants - planning, risk analysis, use of design methods, client and management evaluation. Once one stage of development has gone full circle, the next phase takes place, and so on until completion.

17

DevOps

Software development and information technology operations

18

toolchains

A collection of tools that improve the coding, building and testing, packaging, release, configuration management, and monitoring elements of a software development life cycle.

19

Continuous Integration

A software development method where code updates are tested and committed to a development or build server/code repository rapidly

20

Continuous Deployment (CD)

a software development model where application and platform updates are committed to production rapidly

21

Continuous validation

the extension of testing to support the continuous process of software development that occurs in DevOps

22

continuous monitoring

Term used to describe a system that has monitoring built into it, so rather than monitoring being an external event that may or may not happen, monitoring is an intrinsic aspect of the action.

23

OWASP (Open Web Application Security Project)

An online community dedicated to web application security. This community works to create freely available articles, methodologies, documentation, tools, and technologies that describe web application flaws and ways to address and correct them.

24

Application programming interfaces

programming hooks, or guidelines, published by firms that tell other programs how to get a service to perform a task such as send or receive data

25

Pair Programming

agile software development technique in which two programmers work together at one workstation

26

Over the shoulder review

a form of peer review where two programmers sit down in front of the code and work through it together. One explains it to the other.

27

Pass-Around Code Review

A code review process that relies on email or other distribution methods to distribute code for review.

28

Tool assisted code review

A type of peer review in which authors and reviewers use tools designed for peer code review.

29

formal code review

This type of code review is often called Fagan inspection and is common for projects that use the waterfall software development methodology. It requires a lot of meetings.

A modern adaptation is to have a single meeting to review only the code changes. This way, the code can benefit from the live discussion amongst reviewers. This is sometimes known as a walkthrough.

30

Fagan inspection

A formal code review process that relies on specified entry and exit criteria for each phase

31

static code analysis

Analysis of source code carried out without executing that software. A type of white box testing.

32

Dynamic Code Analysis

Examining code after the source code is compiled and when all components are integrated and running.

33

Fuzzing (Fuzz Testing)

A type of black box testing that enters random malformed data as inputs into software programs to determine if they will crash

34

Injection Vulnerability

A reference to a flaw in software and a common application vulnerability that would allow externally influenced (malicious) input to be used as part of the construction and subsequent execution of a command. Variations include SQL injection, OS command injection, and LDAP injection.

35

Blind SQL Injection

Is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The results are usually not visible to the attacker.

36

Blind Content-Based SQL Injection

the perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack.

37

Lightweight Directory Access Protocol (LDAP)

A protocol used by various client applications when the application needs to query a database.

38

Extensible Markup Language (XML)

The markup language designed to transport and store data on the Web.

39

Cross-Site Scripting (XSS)

An attack that injects scripts into a Web application server to direct attacks at clients.

40

password authentication

Provides authentication of the user

41

Credential-stealing attacks

allow a hacker or penetration tester to authenticate directly to a service using a stolen account

42

Session Hijacking

An attack in which an attacker attempts to impersonate the user by using the user's session token.

43

man-in-the-middle attack

a hacker placing himself between a client and a host to intercept communications between them

44

Session Replay Attack

Attacker listens to the conversation between the user and the server and captures the authentication token of the user

45

Pass the hash

A password attack that captures and uses the hash of a password. It attempts to log on as the user with the hash and is commonly associated with the Microsoft NTLM protocol.

46

Unvalidated Redirects and Forwards

Redirects: an attacker can use them to install malware or trick victims into disclosing information. Attacks the user.

Forwards: may allow an access control bypass. Attacks the server.

47

Unvalidated redirect

application allows redirection to any URL and attacker may use this to redirect the user to a malicious site

48

Insecure Direct Object Reference

Takes advantage of lack of checks to ensure a user requesting a resource actually has permissions to do so.

49

Directory Traversal / Path Traversal

Reading files from a web server that are outside of the website's file directory. Users shouldn't be able to browse the Windows folder. Similar to privilege escalation for read access.

50

Directory Traversal / Command Injection

Allows the inclusion of operators when filesystem access controls don't properly restrict access to files stored elsewhere on the server.

51

file inclusion attacks

An attack that executes the code contained within a file, allowing the attacker to fool the web server into executing arbitrary code.

52

Privilege escalation

a network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications
