Secure Coding Practices (CSSLP) Flashcards
ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Flashcards
| Front | Back |
|---|---|
| Define cross-site scripting (XSS) | A vulnerability where attackers inject malicious scripts into content viewed by users |
| Define secure coding practices | A set of principles and techniques designed to prevent security flaws during the development process |
| Explain secure dependency management | Ensuring that third-party libraries or frameworks used in a project are up to date with no known vulnerabilities |
| Explain the difference between authentication and authorization | Authentication verifies user identity, while authorization grants permissions to access systems or data |
| How can authentication bypasses be mitigated | Use strong authentication mechanisms and validate session tokens |
| How can DoS attacks be mitigated | Use rate-limiting, input validation, and distributed denial-of-service (DDoS) protection mechanisms |
| How can file upload vulnerabilities be mitigated | Validate file type, limit file size, and scan uploads for malware |
| How can privilege escalation be mitigated | Use proper access control mechanisms and regularly review permissions |
| How can race conditions be prevented | Implement thread-safe programming and locking mechanisms |
| How can SQL injection be mitigated | Use parameterized queries and input validation |
| How does HTTPS enhance security | Encrypts data in transit to protect confidentiality and integrity |
| How is an attack surface minimized | By reducing the amount of code, endpoints, and services exposed to attackers |
| How to avoid hardcoded credentials | Use secure storage solutions like environment variables or configuration files |
| How to minimize risks from third-party libraries | Use trusted repositories, monitor for vulnerabilities, and apply updates promptly |
| How to mitigate supply chain attacks | Perform vendor risk assessments and monitor software dependencies regularly |
| How to prevent buffer overflows | Use language constructs with automatic bounds checking and validate input length |
| How to prevent clickjacking | Use Content Security Policy (CSP) headers or frame-busting techniques |
| How to prevent insecure deserialization | Validate all input and avoid using too flexible deserialization processes |
| How to protect against phishing attacks | Implement email filtering, training for users, and multifactor authentication |
| How to secure APIs from unauthorized access | Use authentication mechanisms like OAuth and validate request payloads |
| Name a measure to secure session identifiers | Use long, random session IDs and transmit them over HTTPS only |
| Name a method to prevent XSS | Use proper output encoding like HTML or JavaScript encoding |
| Name a secure practice for handling secrets | Store secrets in a secure environment, such as an encrypted secrets manager |
| What are hardcoded credentials | A bad practice of embedding usernames or passwords directly into code |
| What are third-party library risks | Vulnerabilities introduced through external code that developers include in their projects |
| What is a denial of service (DoS) attack | An attack that makes a system or application unavailable by overwhelming resources |
| What is a phishing attack | A social engineering attack designed to trick users into divulging sensitive information |
| What is a race condition | An attack exploiting timing issues in code execution to gain unauthorized control |
| What is a supply chain attack | An attack targeting vulnerabilities in a third-party vendor’s software or services |
| What is an authentication bypass | When an attacker gains unauthorized access by exploiting flaws in authentication |
| What is a buffer overflow | A vulnerability where data exceeds a buffer's bounds, leading to memory corruption |
| What is clickjacking | An attack where users are tricked into clicking something they did not intend by overlaying UI elements |
| What is CSP (Content Security Policy) | A security feature that helps prevent attacks like XSS by controlling resources websites are allowed to use |
| What is data encryption | The process of converting data into ciphertext to protect its confidentiality |
| What is input validation | The process of ensuring input is correct, complete, and secure before processing |
| What is insecure deserialization | A vulnerability where untrusted data is used to abuse logic, process unexpected data, or execute arbitrary code |
| What is the principle of defense in depth | Employ multiple layers of security controls to protect against vulnerabilities and attacks |
| What is privilege escalation | Gaining higher access than allowed by exploiting a vulnerability |
| What is role-based access control (RBAC) | A security model that allows or denies access to resources based on user roles |
| What is secure coding training | Providing developers with knowledge and skills to write more secure code |
| What is secure session management | Properly handling session identifiers, including generation, transmission, and storage |
| What is SQL injection | An attack where malicious SQL code is inserted into queries to manipulate the database |
| What is the importance of least privilege for APIs | It limits API access to only what is necessary for the task, reducing the risk of abuse or compromise |
| What is the OWASP Top Ten | A list of the most critical security risks to web applications, published by OWASP |
| What is the principle of least functionality | Systems should only enable the software, ports, and services essential for their purpose |
| What is the principle of least privilege | Grant users and systems the minimum access necessary to perform their tasks |
| What is the purpose of code review | To identify and address security vulnerabilities and coding errors |
| When should you use hashing | When storing passwords or verifying data integrity |
| Why is configuration management important | To ensure that system settings align with security baselines and reduce misconfiguration risks |
| Why is error handling important | To prevent attackers from gathering sensitive information through error messages |
| Why is logging security events important | To detect, investigate, and respond to security incidents effectively |
| Why is patch management necessary | To ensure software is updated to fix known vulnerabilities and bugs |
| Why is proper error logging crucial | To ensure actionable and non-sensitive information is recorded for debugging and incident detection |
| Why sanitize user input | To remove or neutralize harmful characters that could lead to vulnerabilities |
This deck highlights coding standards, secure programming techniques, and mitigation strategies for common vulnerabilities like XSS, injection, and buffer overflows.