ISC2 CISSP - Software Development Security Flashcards

| Front | Back |
| --- | --- |
| Define fail-safe defaults. | Deny access by default, granting permissions only when explicitly allowed |
| Define input validation. | Ensuring data meets criteria before processing to prevent injection flaws |
| Describe dependency scanning. | Automated analysis of libraries/frameworks to find known vulnerabilities |
| Explain code signing. | Using digital signatures to verify code integrity and authenticity |
| How can you prevent buffer overflows? | Use bounds checking, safe functions, and modern languages with runtime checks |
| How do parameterized queries prevent SQL injection? | Separates code from data so user input can't alter SQL structure |
| Name one static code analysis tool. | Examples include SonarQube, Fortify, Checkmarx |
| What are security requirements? | Specifications that define confidentiality, integrity, and availability needs |
| What are the five phases of the SDLC? | Initiation (or Planning), Development/Acquisition, Implementation, Operation/Maintenance, Disposal |
| What is a buffer overflow attack? | Overwriting memory by exceeding buffer boundaries, leading to code execution or crashes |
| What is continuous integration/continuous deployment (CI/CD)? | Automated building, testing, and deployment to integrate changes securely and quickly |
| What is dynamic application security testing (DAST)? | Testing a running application for vulnerabilities from an attacker’s perspective |
| What is output encoding? | Transforming output to a safe format for client consumption to prevent XSS |
| What is secure coding? | Writing software to defend against vulnerabilities throughout development |
| What is a secure design pattern? | Reusable solution template to address common security problems in design |
| What is session management control? | Techniques like secure cookies, timeouts, and regeneration to protect user sessions |
| What is software composition analysis (SCA)? | Assessing open-source components for license and security risks |
| What is the principle of least privilege? | Granting users or processes only the access needed to perform their tasks |
| What is the purpose of a security baseline? | Establishes minimum configuration and controls for systems and applications |
| What is threat modeling used for in software development? | Identifying, quantifying, and addressing security risks during design |
| Why incorporate security training in SDLC? | Educates developers on threats, reduces coding errors, improves awareness |
| Why is error handling important for security? | Prevents information leakage and ensures graceful failure modes |

About the Flashcards
Flashcards for the ISC2 CISSP exam help you reinforce the software development lifecycle, from planning through disposal, with an emphasis on building security into each stage. Review how threat modeling, security requirements, and secure design patterns guide architects and developers toward resilient code that withstands real-world attacks.
Cards also cover hands-on defensive techniques (input validation, output encoding, parameterized queries, session management, and fail-safe defaults) plus assessment methods such as static code analysis, DAST, and dependency and composition scanning. Key concepts like CI/CD security, least privilege, buffer overflow prevention, error handling, and code signing round out the knowledge needed for the exam.
Topics covered in this flashcard deck:
- SDLC security phases
- Threat modeling
- Secure coding practices
- Static & dynamic testing
- Session and access controls