D385 - Software Security and Testing
What is the primary defense against log injection attacks?: Sanitize outbound log messages
- multiple choice options
- Look for Unsanitized User Input
- Examine Log Functions
- Check for User-Controlled Data

Sanitizing: Sanitizing is the process of cleansing, filtering, or altering data to eliminate sensitive, harmful, or inappropriate content. It often involves validation and transformation of data to ensure its integrity and security. In the context of outbound log messages, sanitizing is the practice of reviewing and modifying log data to remove sensitive or confidential information, validate its correctness, and ensure that it adheres to security and privacy standards before it's shared with external systems or users.

How to spot - Log Injection

Defensive Programming: a software development approach that aims to create robust and secure software by anticipating and guarding against unexpected failures and security vulnerabilities. It involves implementing error handling, input validation, and security measures to protect the software from unexpected inputs, attacks, or faults, thereby enhancing its reliability and security.

Static Testing: a type of software testing that examines the source code, design, or documentation without executing the program. It aims to identify defects early in the development process. (white box)

Dynamic Testing: a software testing technique that involves executing the program or application with test cases to observe its behavior at runtime. It aims to find defects related to functionality, performance, and reliability. (white-box, black-box, grey-box)

Fuzz Testing (Fuzzy Testing): a testing technique that involves providing unexpected or random inputs to a software application to discover vulnerabilities, crashes, or unexpected behavior. It is commonly used for security testing. (black-box)

Unit Testing: a level of software testing where the smallest individual components (units) of a software application are tested in isolation to ensure they work as intended. It helps identify and fix issues at the smallest functional level. (white box)
frequency: as soon as a unit is complete, before it moves on
advantages: done early, easier to find root cause
disadvantages: tunnel vision since performed by the developer, less formal

Integration Testing: a level of software testing that focuses on testing the interactions between different units or modules of a software application. It ensures that the integrated components work together correctly. (grey box)
frequency: usually when 2 or more units get integrated, team specific guidelines, done by developers or specialized teams
advantages: more formal, manual / tools
patterns:
- client / server integration
- collaboration integration (Mars probe, metric vs US)
- distributed services integration
- layer integration

Regression Testing: Regression testing is a type of testing performed to verify that recent code changes or updates do not introduce new defects or negatively impact existing functionality. It typically involves re-running previous test cases. (grey-box or black-box)
frequency: when a change is made, to verify that the change didn't reintroduce problems, testing team
disadvantages: could be implemented poorly (radiation, 8 people died)
Patterns:
- regress all
- regress some

User Acceptance Testing (UAT): a phase of software testing where end users or clients test the software to ensure it meets their requirements and is ready for production use. It validates that the software aligns with user expectations. (black-box, because it focuses on whether the software meets user requirements without diving into internal code)
frequency: alpha, beta, done by end users, subject matter expert
disadvantages: end users may be untrained, lack of focus, bias

Penetration Testing: a type of security testing where ethical hackers attempt to exploit vulnerabilities in a software system to assess its security posture. The goal is to identify weaknesses before malicious actors can exploit them. (could be white-box, black-box or grey-box)

ad hoc (in testing): someone to bang around the software hoping to find problems, bad way

attack surface: The sum of all entry points through which a system can be attacked

defence in depth: the layers of security beneath the attack surface

Least Privilege: a security principle that involves providing individuals, processes, or systems with only the minimum levels of access and permissions necessary to perform their specific tasks or functions. This principle ensures that entities have limited access rights, reducing the potential attack surface and minimizing the risk of unauthorized or unintended actions.

attacks aimed at users:
- Cross-Site Scripting (XSS)
- Social engineering (phishing, smishing)
- Cross-site request forgery (CSRF)

attacks aimed at systems:
- SQL injection
- Remote Code Execution (RCE)
- Denial of Service (DoS)
- Replay attack

attacks aimed at networks:
- man-in-the-middle (MITM)

Security standards:
- Advanced Encryption Standard (AES) - a symmetric encryption algorithm
- Secure Hash Algorithm (SHA-2) - a family of cryptographic hash functions
- Transport Layer Security (TLS) - a secure networking protocol
- Cross-origin resource sharing (CORS) - a resource sharing protocol for browsers
- Content Security Policy (CSP) - a browser based attack mitigation standard

Authorization: sometimes referred to as access control

Hash Function & Hash Value: the output of a hash function represented as an alphanumeric string. A hash function maps a set of messages to a set of hash values.

Cryptographic Hash functions: Cryptographic hashing is a secure method of producing fixed-size unique hash values from data.
functions requirements:
- one way function property (preimage resistance)
- weak collision resistance (second preimage resistance)
- strong collision resistance (collision resistance)

the built in hash function in Python: not secure!

pigeonhole principle: hash values have set length, therefore the set of all possible messages will always be larger than the set of all possible hash values

safe hash functions (algorithm_guaranteed):
- SHA-2
- SHA-3
- BLAKE2

SHA-2: SHA_256; 256 bits length, longer is better; widely used, general purposes

SHA-3: SHA3_256; high security, not as much support