Bash, the Crucial Exams Chat Bot
AI Bot
ISC2 CISSP - Software Development Security Flashcards
| Front | Back |
| Define fail-safe defaults. | Deny access by default, granting permissions only when explicitly allowed |
| Define input validation. | Ensuring data meets criteria before processing to prevent injection flaws |
| Describe dependency scanning. | Automated analysis of libraries/frameworks to find known vulnerabilities |
| Explain code signing. | Using digital signatures to verify code integrity and authenticity |
| How can you prevent buffer overflows? | Use bounds checking, safe functions, and modern languages with runtime checks |
| How does parameterized queries prevent SQL injection? | Separates code from data so user input can't alter SQL structure |
| Name one static code analysis tool. | Examples include SonarQube, Fortify, Checkmarx |
| What are security requirements? | Specifications that define confidentiality, integrity, and availability needs |
| What are the five phases of the SDLC? | Initiation (or Planning), Development/Acquisition, Implementation, Operation/Maintenance, Disposal |
| What is a buffer overflow attack? | Overwriting memory by exceeding buffer boundaries, leading to code execution or crashes |
| What is continuous integration/continuous deployment (CI/CD)? | Automated building, testing, and deployment to integrate changes securely and quickly |
| What is dynamic application security testing (DAST)? | Testing a running application for vulnerabilities from an attacker’s perspective |
| What is output encoding? | Transforming output to a safe format for client consumption to prevent XSS |
| What is secure coding? | Writing software to defend against vulnerabilities throughout development |
| What is secure design pattern? | Reusable solution template to address common security problems in design |
| What is session management control? | Techniques like secure cookies, timeouts, and regeneration to protect user sessions |
| What is software composition analysis (SCA)? | Assessing open-source components for license and security risks |
| What is the principle of least privilege? | Granting users or processes only the access needed to perform their tasks |
| What is the purpose of a security baseline? | Establishes minimum configuration and controls for systems and applications |
| What is threat modeling used for in software development? | Identifying, quantifying, and addressing security risks during design |
| Why incorporate security training in SDLC? | Educates developers on threats, reduces coding errors, improves awareness |
| Why is error handling important for security? | Prevents information leakage and ensures graceful failure modes |
Front
Name one static code analysis tool.
Click the card to flip
Back
Examples include SonarQube, Fortify, Checkmarx
Front
What is the purpose of a security baseline?
Back
Establishes minimum configuration and controls for systems and applications
Front
What is secure coding?
Back
Writing software to defend against vulnerabilities throughout development
Front
What is secure design pattern?
Back
Reusable solution template to address common security problems in design
Front
What are the five phases of the SDLC?
Back
Initiation (or Planning), Development/Acquisition, Implementation, Operation/Maintenance, Disposal
Front
What is software composition analysis (SCA)?
Back
Assessing open-source components for license and security risks
Front
What are security requirements?
Back
Specifications that define confidentiality, integrity, and availability needs
Front
Define input validation.
Back
Ensuring data meets criteria before processing to prevent injection flaws
Front
What is the principle of least privilege?
Back
Granting users or processes only the access needed to perform their tasks
Front
Define fail-safe defaults.
Back
Deny access by default, granting permissions only when explicitly allowed
Front
Explain code signing.
Back
Using digital signatures to verify code integrity and authenticity
Front
What is threat modeling used for in software development?
Back
Identifying, quantifying, and addressing security risks during design
Front
Why is error handling important for security?
Back
Prevents information leakage and ensures graceful failure modes
Front
Describe dependency scanning.
Back
Automated analysis of libraries/frameworks to find known vulnerabilities
Front
What is a buffer overflow attack?
Back
Overwriting memory by exceeding buffer boundaries, leading to code execution or crashes
Front
What is dynamic application security testing (DAST)?
Back
Testing a running application for vulnerabilities from an attacker’s perspective
Front
What is continuous integration/continuous deployment (CI/CD)?
Back
Automated building, testing, and deployment to integrate changes securely and quickly
Front
Why incorporate security training in SDLC?
Back
Educates developers on threats, reduces coding errors, improves awareness
Front
What is session management control?
Back
Techniques like secure cookies, timeouts, and regeneration to protect user sessions
Front
What is output encoding?
Back
Transforming output to a safe format for client consumption to prevent XSS
Front
How can you prevent buffer overflows?
Back
Use bounds checking, safe functions, and modern languages with runtime checks
Front
How does parameterized queries prevent SQL injection?
Back
Separates code from data so user input can't alter SQL structure
1/22
This deck addresses secure coding principles, SDLC (Software Development Life Cycle), vulnerabilities, and controls relevant to application security.