Secure Coding Practices (CSSLP) Flashcards
ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Flashcards
| Front | Back |
|---|---|
| Define cross-site scripting (XSS) | A vulnerability where attackers inject malicious scripts into content viewed by users |
| Define secure coding practices | A set of principles and techniques designed to prevent security flaws during the development process |
| Explain secure dependency management | Knowing exactly which third-party libraries and frameworks a project uses (for example via a software bill of materials), pinning and verifying the versions that are pulled in, and updating promptly when a vulnerability is disclosed in one of them |
| Explain the difference between authentication and authorization | Authentication verifies user identity, while authorization grants permissions to access systems or data |
| How can authentication bypasses be mitigated | Enforce authentication server-side on every request (never only in the client), use proven mechanisms such as multifactor authentication, and validate session tokens on each use |
| How can DoS attacks be mitigated | Use rate-limiting, input validation, and distributed denial-of-service (DDoS) protection mechanisms |
| How can file upload vulnerabilities be mitigated | Validate the file type by content rather than trusting the extension or Content-Type header, limit file size, store uploads outside the web root under server-generated names, and scan them for malware |
| How can privilege escalation be mitigated | Use proper access control mechanisms and regularly review permissions |
| How can race conditions be prevented | Make the check and the use of shared state a single atomic step, for example with locks, database transactions, or atomic file operations, so the state cannot change in between |
| How can SQL injection be mitigated | Use parameterized queries and input validation |
| How does HTTPS enhance security | Encrypts data in transit and authenticates the server, protecting confidentiality and integrity against on-path attackers |
| How is an attack surface minimized | By reducing the amount of code, endpoints, and services exposed to attackers |
| How to avoid hardcoded credentials | Load them at runtime from a secrets manager or from environment variables; if a configuration file must hold a secret, keep it out of source control with restricted file permissions |
| How to minimize risks from third-party libraries | Use trusted repositories, monitor for vulnerabilities, and apply updates promptly |
| How to mitigate supply chain attacks | Perform vendor risk assessments and monitor software dependencies regularly |
| How to prevent buffer overflows | Use memory-safe languages or bounds-checked library functions, validate input length before copying into a fixed-size buffer, and enable compiler and OS mitigations such as stack canaries, ASLR, and non-executable stacks |
| How to prevent clickjacking | Send a Content-Security-Policy frame-ancestors directive (or the older X-Frame-Options header) so the browser refuses to render the page inside a foreign frame; JavaScript frame-busting on its own can be bypassed |
| How to prevent insecure deserialization | Do not deserialize untrusted data with native object serializers (Java serialization, Python pickle, PHP unserialize); prefer data-only formats such as JSON, validate the result against a schema, and restrict deserialization to an allow-list of expected types |
| How to protect against phishing attacks | Implement email filtering, training for users, and multifactor authentication |
| How to secure APIs from unauthorized access | Require authentication and authorization on every endpoint (for example OAuth 2.0 access tokens checked for the right scope) and validate request payloads against a schema |
| Name a measure to secure session identifiers | Generate them from a cryptographically secure random source with at least 128 bits of entropy, send them in cookies flagged Secure and HttpOnly, and issue a new identifier after login |
| Name a method to prevent XSS | Apply context-aware output encoding (HTML body, attribute, JavaScript, URL) at the point where untrusted data is inserted into the page |
| Name a secure practice for handling secrets | Store secrets in a secure environment, such as an encrypted secrets manager |
| What are hardcoded credentials | A bad practice of embedding usernames or passwords directly into code |
| What are third-party library risks | Vulnerabilities introduced through external code that developers include in their projects |
| What is a denial of service (DoS) attack | An attack that makes a system or application unavailable by overwhelming resources |
| What is a phishing attack | A social engineering attack designed to trick users into divulging sensitive information |
| What is a race condition | A flaw where the outcome depends on the timing of concurrent operations, typically a gap between checking a condition and acting on it (time-of-check to time-of-use) that an attacker can exploit to bypass a check or a limit |
| What is a supply chain attack | An attack that compromises software before it reaches its users, through a third-party component, a vendor's build or update process, or a distribution channel |
| What is an authentication bypass | When an attacker gains unauthorized access by exploiting flaws in authentication |
| What is buffer overflow | A vulnerability where data exceeds a buffer's bounds, leading to memory corruption |
| What is clickjacking | An attack where users are tricked into clicking something they did not intend by overlaying UI elements |
| What is CSP (Content Security Policy) | A response header that tells the browser which sources it may load scripts, styles, and other resources from, limiting what an injected script can do and so reducing the impact of XSS |
| What is data encryption | The process of converting data into ciphertext to protect its confidentiality |
| What is input validation | The process of ensuring input is correct, complete, and secure before processing |
| What is insecure deserialization | A vulnerability where untrusted data is used to abuse logic, process unexpected data, or execute arbitrary code |
| What is the principle of defense in depth | Employ multiple layers of security controls so that the failure of any single control does not by itself lead to compromise |
| What is privilege escalation | Gaining higher access than allowed by exploiting a vulnerability |
| What is role-based access control (RBAC) | A security model that allows or denies access to resources based on user roles |
| What is secure coding training | Providing developers with knowledge and skills to write more secure code |
| What is secure session management | Properly handling session identifiers, including generation, transmission, and storage |
| What is SQL injection | An attack where malicious SQL code is inserted into queries to manipulate the database |
| What is the importance of least privilege for APIs | It limits API access to only what is necessary for the task, reducing the risk of abuse or compromise |
| What is the OWASP Top Ten | A list of the most critical security risks to web applications, published by OWASP |
| What is the principle of least functionality | Systems should only enable the software, ports, and services essential for their purpose |
| What is the principle of least privilege | Grant users and systems the minimum access necessary to perform their tasks |
| What is the purpose of code review | To identify and address security vulnerabilities and coding errors |
| When should you use hashing | To store passwords (with a salted, deliberately slow password hash such as bcrypt, scrypt, or Argon2) and to verify data integrity (with a cryptographic hash such as SHA-256) |
| Why is configuration management important | To ensure that system settings align with security baselines and reduce misconfiguration risks |
| Why is error handling important | To prevent attackers from gathering sensitive information through error messages |
| Why is logging security events important | To detect, investigate, and respond to security incidents effectively |
| Why is patch management necessary | To ensure software is updated to fix known vulnerabilities and bugs |
| Why is proper error logging crucial | To ensure actionable and non-sensitive information is recorded for debugging and incident detection |
| Why sanitize user input | To remove or neutralize harmful characters that could lead to vulnerabilities |
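The SQL injection cards above say "use parameterized queries"; the following added example (not part of the flashcard deck) shows the same lookup written both ways against an in-memory SQLite table constructed for the demo, so the difference is visible in the rows that come back. The table name, columns and sample users are assumptions.

```python
"""Added example: string-built query versus parameterized query in SQLite.
The users table and its rows are constructed sample data for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is spliced into the SQL text: a quote in the input
    closes the string literal and whatever follows is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The ? placeholder sends the value separately from the SQL text, so the
    engine treats it purely as data whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both forms with a normal name and with a tautology payload."""
    conn = make_db()
    payload = "x' OR '1'='1"   # closes the literal, then ORs in an always-true clause
    return {
        "normal_vulnerable": find_user_vulnerable(conn, "alice"),
        "normal_safe": find_user_safe(conn, "alice"),
        "injected_vulnerable": find_user_vulnerable(conn, payload),
        "injected_safe": find_user_safe(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both functions behave identically on a well-formed username; only the string-built one returns every row for the payload, because the payload became part of the WHERE clause. Input validation (the second half of the card) is still worth doing, but the placeholder is what removes the injection, not the validation.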
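The XSS cards above call for context-aware output encoding. This added example (not from the deck) takes the same untrusted values and places them into four different contexts of a page fragment constructed for the demo, using a different encoder for each; the encoders are built only from the Python standard library, and the template, field names and sample payloads are assumptions.

```python
"""Added example: context-aware output encoding for untrusted data.
The page fragment and the sample values are constructed for the demo."""
import html
import json
import urllib.parse


def encode_for_html(value: str) -> str:
    """HTML body and quoted-attribute context: escape & < > " ' so the data
    can neither start a tag nor break out of a quoted attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context: json.dumps yields a valid quoted JS
    string; the extra replacements keep it safe inside a <script> block (a
    '</script>' in the data can no longer close it) and cover the two line
    terminators JSON allows but JavaScript source does not."""
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return literal


def encode_for_url_param(value: str) -> str:
    """URL query-parameter context: percent-encode everything except unreserved characters."""
    return urllib.parse.quote(value, safe="")


def render_profile(display_name: str, bio: str) -> str:
    """Constructed page fragment: the same untrusted values land in an HTML
    element, an attribute, a JavaScript literal and a URL parameter."""
    return (
        f"<h1>{encode_for_html(display_name)}</h1>\n"
        f'<input name="bio" value="{encode_for_html(bio)}">\n'
        f"<script>var displayName = {encode_for_js_string(display_name)};</script>\n"
        f'<a href="/search?q={encode_for_url_param(bio)}">Find similar</a>'
    )


if __name__ == "__main__":
    print(render_profile("<script>alert(1)</script>", '" onmouseover="alert(2)'))
```

The point the card compresses is that one encoder does not fit all contexts: HTML entity encoding is useless inside a script block, and percent-encoding is wrong in an element body. Encode at the output point, with the encoder for that point, rather than "sanitizing" on input.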
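The insecure deserialization cards above recommend data-only formats and an allow-list of expected types. This added example (not from the deck) shows both: a Python pickle Unpickler whose find_class resolves only one allow-listed class, so a pickle that names any other callable is rejected before anything runs, next to a JSON path that never deserializes objects at all. The Order type, the allow-list and the constructed hostile payload are assumptions for the demo; the payload calls a harmless function as a stand-in for what a real one would name.

```python
"""Added example: allow-listed unpickling versus a data-only JSON path.
Order, ALLOWED_GLOBALS and HostilePayload are constructed for the demo."""
import io
import json
import os
import pickle


class Order:
    def __init__(self, sku: str, qty: int) -> None:
        self.sku = sku
        self.qty = qty


# The only (module, name) pair that may be resolved while unpickling.
ALLOWED_GLOBALS = {(Order.__module__, "Order")}


class RestrictedUnpickler(pickle.Unpickler):
    """Every global reference in the stream passes through find_class, so this
    is the single choke point for an allow-list."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class HostilePayload:
    """Constructed for the demo: unpickling an instance would call os.getcwd,
    a harmless stand-in for the arbitrary callable a real payload would name."""

    def __reduce__(self):
        return (os.getcwd, ())


def order_from_json(text: str) -> Order:
    """Data-only format plus an explicit shape check: parsing runs no code."""
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"sku", "qty"}:
        raise ValueError("unexpected fields")
    qty = data["qty"]
    if not isinstance(data["sku"], str) or isinstance(qty, bool) \
            or not isinstance(qty, int) or qty <= 0:
        raise ValueError("bad field types")
    return Order(data["sku"], qty)


def demo() -> dict:
    """A legitimate Order round-trips; the hostile pickle is refused."""
    order = restricted_loads(pickle.dumps(Order("ABC-1", 3)))
    try:
        restricted_loads(pickle.dumps(HostilePayload()))
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return {"sku": order.sku, "qty": order.qty, "hostile_rejected": rejected}


if __name__ == "__main__":
    print(demo())
    print(vars(order_from_json('{"sku": "ABC-1", "qty": 3}')))
```

The allow-list makes pickle survivable when a legacy interface forces it on you; the JSON function is the better default because there is no class resolution to get wrong.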
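The race condition cards above describe a check-then-act gap and locking as the fix. This added example (not from the deck) runs a withdrawal routine from twenty threads, once with the check and the update unprotected and once with both held under a single lock; the account, the amounts and the short sleep that widens the race window are constructed for the demo.

```python
"""Added example: time-of-check to time-of-use race in a withdrawal, and the
locked version that makes check and update one atomic step. Account,
amounts and the sleep that widens the window are constructed for the demo."""
import threading
import time


class Account:
    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount: int) -> bool:
        """Check, then act, with nothing stopping another thread from passing
        the same check before this one has updated the balance."""
        if self.balance >= amount:          # time of check
            time.sleep(0.001)               # stand-in for I/O; widens the window
            self.balance -= amount          # time of use
            return True
        return False

    def withdraw_safe(self, amount: int) -> bool:
        """Holding the lock across check and update closes the window."""
        with self.lock:
            if self.balance >= amount:
                time.sleep(0.001)
                self.balance -= amount
                return True
            return False


def run_concurrent(withdraw, start: int = 100, amount: int = 10, attempts: int = 20):
    """Fire `attempts` withdrawals at once; return (final balance, successes)."""
    acct = Account(start)
    results = []

    def worker() -> None:
        results.append(withdraw(acct, amount))

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)


if __name__ == "__main__":
    print("racy:", run_concurrent(Account.withdraw_racy))   # usually over-withdraws
    print("safe:", run_concurrent(Account.withdraw_safe))   # (0, 10)
```

With the lock, exactly ten of the twenty attempts succeed and the balance ends at zero. Without it, every thread that reads the balance during the sleep passes the check, and the balance goes negative by ten for each extra success. The same pattern appears in web applications as a coupon redeemed twice or a rate limit exceeded by parallel requests; there the "lock" is a database transaction or an atomic conditional update.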
This deck highlights coding standards, secure programming techniques, and mitigation strategies for common vulnerabilities like XSS, injection, and buffer overflows.