Secure Coding Practices (CSSLP) Flashcards
ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Flashcards

| Front | Back |
|---|---|
| Define cross-site scripting (XSS) | A vulnerability where attackers inject malicious scripts into content viewed by users |
| Define secure coding practices | A set of principles and techniques designed to prevent security flaws during the development process |
| Explain secure dependency management | Ensuring that third-party libraries or frameworks used in a project are up to date with no known vulnerabilities |
| Explain the difference between authentication and authorization | Authentication verifies user identity, while authorization grants permissions to access systems or data |
| How can authentication bypasses be mitigated | Use strong authentication mechanisms and validate session tokens |
| How can DoS attacks be mitigated | Use rate-limiting, input validation, and distributed denial-of-service (DDoS) protection mechanisms |
| How can file upload vulnerabilities be mitigated | Validate file type, limit file size, and scan uploads for malware |
| How can privilege escalation be mitigated | Use proper access control mechanisms and regularly review permissions |
| How can race conditions be prevented | Implement thread-safe programming and locking mechanisms |
| How can SQL injection be mitigated | Use parameterized queries and input validation |
| How does HTTPS enhance security | Encrypts data in transit to protect confidentiality and integrity |
| How is an attack surface minimized | By reducing the amount of code, endpoints, and services exposed to attackers |
| How to avoid hardcoded credentials | Use secure storage solutions like environment variables or configuration files |
| How to minimize risks from third-party libraries | Use trusted repositories, monitor for vulnerabilities, and apply updates promptly |
| How to mitigate supply chain attacks | Perform vendor risk assessments and monitor software dependencies regularly |
| How to prevent buffer overflows | Use language constructs with automatic bounds checking and validate input length |
| How to prevent clickjacking | Use Content Security Policy (CSP) headers or frame-busting techniques |
| How to prevent insecure deserialization | Validate all input and avoid overly flexible deserialization processes |
| How to protect against phishing attacks | Implement email filtering, training for users, and multifactor authentication |
| How to secure APIs from unauthorized access | Use authentication mechanisms like OAuth and validate request payloads |
| Name a measure to secure session identifiers | Use long, random session IDs and transmit them over HTTPS only |
| Name a method to prevent XSS | Use proper output encoding like HTML or JavaScript encoding |
| Name a secure practice for handling secrets | Store secrets in a secure environment, such as an encrypted secrets manager |
| What are hardcoded credentials | A bad practice of embedding usernames or passwords directly into code |
| What are third-party library risks | Vulnerabilities introduced through external code that developers include in their projects |
| What is a denial of service (DoS) attack | An attack that makes a system or application unavailable by overwhelming resources |
| What is a phishing attack | A social engineering attack designed to trick users into divulging sensitive information |
| What is a race condition | An attack exploiting timing issues in code execution to gain unauthorized control |
| What is a supply chain attack | An attack targeting vulnerabilities in a third-party vendor’s software or services |
| What is an authentication bypass | When an attacker gains unauthorized access by exploiting flaws in authentication |
| What is a buffer overflow | A vulnerability where data exceeds a buffer's bounds, leading to memory corruption |
| What is clickjacking | An attack where users are tricked into clicking something they did not intend by overlaying UI elements |
| What is CSP (Content Security Policy) | A security feature that helps prevent attacks like XSS by controlling resources websites are allowed to use |
| What is data encryption | The process of converting data into ciphertext to protect its confidentiality |
| What is input validation | The process of ensuring input is correct, complete, and secure before processing |
| What is insecure deserialization | A vulnerability where untrusted data is used to abuse logic, process unexpected data, or execute arbitrary code |
| What is the principle of defense in depth | Employ multiple layers of security controls to protect against vulnerabilities and attacks |
| What is privilege escalation | Gaining higher access than allowed by exploiting a vulnerability |
| What is role-based access control (RBAC) | A security model that allows or denies access to resources based on user roles |
| What is secure coding training | Providing developers with knowledge and skills to write more secure code |
| What is secure session management | Properly handling session identifiers, including generation, transmission, and storage |
| What is SQL injection | An attack where malicious SQL code is inserted into queries to manipulate the database |
| What is the importance of least privilege for APIs | It limits API access to only what is necessary for the task, reducing the risk of abuse or compromise |
| What is the OWASP Top Ten | A list of the most critical security risks to web applications, published by OWASP |
| What is the principle of least functionality | Systems should only enable the software, ports, and services essential for their purpose |
| What is the principle of least privilege | Grant users and systems the minimum access necessary to perform their tasks |
| What is the purpose of code review | To identify and address security vulnerabilities and coding errors |
| When should you use hashing | When storing passwords or verifying data integrity |
| Why is configuration management important | To ensure that system settings align with security baselines and reduce misconfiguration risks |
| Why is error handling important | To prevent attackers from gathering sensitive information through error messages |
| Why is logging security events important | To detect, investigate, and respond to security incidents effectively |
| Why is patch management necessary | To ensure software is updated to fix known vulnerabilities and bugs |
| Why is proper error logging crucial | To ensure actionable and non-sensitive information is recorded for debugging and incident detection |
| Why sanitize user input | To remove or neutralize harmful characters that could lead to vulnerabilities |
About the Flashcards
Flashcards for the ISC2 Certified Secure Software Lifecycle Professional (CSSLP) exam help students review essential terminology and core concepts in application and web security. The deck defines common vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows, insecure deserialization, clickjacking, phishing, and denial of service, with concise explanations of how attacks work.
It emphasizes defensive practices and exam-relevant mitigation strategies including input validation and output encoding, parameterized queries, secure session management and long random session IDs, Content Security Policy, least privilege and role-based access control, secure dependency and patch management, encryption and hashing, proper error handling and logging, and code review.
Topics covered in this flashcard deck:
- Web application vulnerabilities
- Input and output validation
- Authentication and sessions
- Access control and least privilege
- Dependency and supply chain
- Encryption and hashing