Software Security

Cards (36)

  • HTML
    Hypertext markup language: the code used to structure a web page and its content
  • CSS
    Cascading style sheets: the language for designing web pages and adding style
  • JavaScript
    A multi-paradigm scripting language (prototype-based, supporting object-oriented and functional styles) that runs in the browser and is commonly used to make web pages interactive
  • HTML displays the content of the webpage, CSS styles the webpage and JavaScript adds interactivity to the webpage
  • The HTML, CSS and JavaScript of a page are delivered to every visitor's browser, so anything embedded in them (API keys, hidden endpoints, commented-out credentials) is visible to anyone who views the source. Secrets and access checks must live on the server; client-side code cannot hide them
  • Minified code
    Code with whitespace, comments and long identifier names stripped to reduce download size. It is harder to read, but it is not a security control: a pretty-printer (the {} button in the Sources panel) restores readable structure in seconds
  • OWASP (Open Web Application Security Project; renamed the Open Worldwide Application Security Project in 2023)
    A nonprofit foundation, widely relied on by security professionals, that runs an open community and publishes free resources on application security such as the OWASP Top 10, the Testing Guide and the Cheat Sheet Series
  • Major panels in the browser developer tools (opened with Inspect Element or F12; the names below follow Chrome DevTools)
    • Elements
    • Console
    • Sources
    • Network
    • Performance
    • Memory
    • Application
    • Security
    • Audits
  • Elements
    This panel allows developers to inspect and modify the HTML and CSS of a webpage
  • Console
    This panel is primarily used for debugging JavaScript code. Developers can log messages, errors, and run JavaScript commands directly within the console
  • Sources
    This panel shows the page's source files (HTML, JavaScript, CSS) and lets you set breakpoints, step through JavaScript and edit it live
  • Network
    This panel records every request the page makes (URL, method, status, headers, cookies, request and response bodies, timing); it is used for debugging server requests and optimizing page load
  • Performance
    This panel records a runtime profile (scripting, rendering, CPU) so performance can be analyzed while the page is running, not only after it has loaded
  • Memory
    This panel helps developers identify memory leaks, inefficient memory usage, etc
  • Application
    This panel shows client-side storage and resources: cookies, local storage, session storage, IndexedDB, the cache and service workers. Stored data can be inspected, modified and deleted, so anything kept there must be treated as readable and writable by the user
  • Security
    This panel shows the page's TLS certificate and connection details and flags mixed content (HTTP resources loaded on an HTTPS page) and certificate problems
  • Audits
    This panel (now called Lighthouse in Chrome) audits the page for progressive web app features, performance, accessibility and best practices
  • In the developer tools you can view the delivered HTML, the CSS and JavaScript, network traffic, performance profiles, local storage and more. Security testers use these tools to look for weaknesses in a site: for example, a developer might mistakenly log sensitive data with console.log, leave an API key in a script, or expose an internal endpoint in a network request
  • View Source
    Shows the HTML as it was delivered from the web server to your browser
  • Inspect Element
    Shows the live DOM: the current state of the page after the browser has applied its HTML error corrections and after any JavaScript has modified it. Content added or changed by JavaScript appears here but not in View Source
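The leak described in the card above is what a tester looks for when reading a site's scripts. The following Python scanner is an added example, not part of the original flashcard set: it runs over a constructed JavaScript bundle of the kind you would save from the Sources panel and reports hard-coded credentials and console logging of secrets. The bundle text, the key values in it, and the regexes are constructed heuristics for the example, not a complete secret-detection rule set.

```python
"""Added example (not from the original flashcards): scan a saved
JavaScript bundle for secrets that should never have shipped to the client."""
import re

# Constructed sample bundle standing in for an app.js saved from the
# Sources panel. Every value in it is made up for this example.
SAMPLE_BUNDLE = """\
// app.js (constructed sample)
const API_BASE = "https://api.example.com/v1";
const apiKey = "a1b2c3d4e5f6g7h8i9j0k1l2";            // hypothetical key
const awsKey = "AKIAIOSFODNN7EXAMPLE";                  // AWS docs example key id
function debugSession(user) {
  console.log("session token", user.token);             // leaks the token
}
fetch(API_BASE + "/me", { headers: { Authorization: "Bearer " + apiKey } });
"""

# (finding type, pattern). Heuristics assumed for the example: an AWS access
# key id prefix, a three-part JWT, a secret-looking variable assigned a
# string literal, and console output that mentions a credential.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("jwt", re.compile(
        r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")),
    ("assigned_secret", re.compile(
        r"\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]",
        re.IGNORECASE)),
    ("console_log_of_secret", re.compile(
        r"console\.(?:log|debug|info)\([^)]*\b(?:token|password|secret|key)\b",
        re.IGNORECASE)),
]


def scan_bundle(text):
    """Return a list of findings, one per pattern match, with the line number
    so the tester can jump to it in the Sources panel."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "type": name,
                                 "match": match.group(0).strip()})
    return findings


def scan_file(path):
    """Scan a bundle saved to disk (e.g. via Save as from the Sources panel)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_bundle(fh.read())


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print("line %d: %s: %s" % (f["line"], f["type"], f["match"]))
```

Run it over the real bundles of a site you are authorized to test and triage each hit by hand; the patterns are deliberately loose, so expect false positives such as documentation strings, and treat anything confirmed as a secret that must be rotated and moved server-side.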
  • Benefits of Using Computers to Process Data
    • People can use computers to find patterns in data and make predictions
    • Computers help people visualize data so that it is easy to extract useful information
    • Computers are able to easily process, manipulate, and display large amounts of data
  • Database
    An electronic system composed of organized collections of data (text, images, videos, audio, geospatial, tabular)
  • Database Management Systems (DBMS)
    Systems used to manage databases
  • Databases resemble spreadsheets in having rows and columns, but a relational database splits data into multiple tables linked by keys, enforces data types and constraints, supports concurrent access by many users and programs, and scales to far more data
  • SQL (Structured Query Language)
    A declarative language for defining, managing and querying data in a relational database
  • Schema
    The definition of a database's structure: its tables, columns, data types, keys and constraints
  • Attackers try to reach a website's database by sending crafted input that the application builds into its SQL, then use the altered query to read or change sensitive information
  • Select statement
    Allows you to ask for a column or multiple columns from a table in a database
  • Where clause
    Allows you to filter results of a select statement with certain conditions
  • Tips to keep data secure online
    • Use strong passwords
    • Be wary of phishing emails
    • Lock your computer when you leave it
  • When the browser shows https:// (or a padlock), the connection to the server named in the certificate is encrypted and integrity-protected in transit. It says nothing about whether that server is trustworthy, what it does with your data once received, or whether the site is a phishing clone that obtained its own valid certificate
  • SQL Injection (SQLi)
    Injecting attacker-controlled input into a SQL query through a web page or app's input (form fields, URL parameters, cookies, headers) so that the input changes the structure of the query instead of being treated as data. The attacker's goal ranges from bypassing a login and reading or modifying data to taking control of the database server
  • Information that can be stolen through SQLi
    • Customer data (credit card numbers)
    • Personally identifiable information (PII: phone numbers, addresses)
    • Company proprietary information
    • Intellectual property
    • Log-in credentials for website admins that can give additional network access
  • Types of SQLi Vulnerabilities
    • Error-based: database error messages returned to the user leak query results or the database structure
    • Union-based: a UNION SELECT appended to the query pulls rows from other tables into the normal response
    • Blind: no query output is shown, so data is inferred from true/false differences in the page (boolean-based) or from response delays (time-based)
  • Primary SQLi Prevention Options (in order of preference)
    • Use of prepared statements (with parameterized queries): the SQL text is fixed and values are bound separately
    • Use of properly constructed stored procedures, provided the procedure itself does not build dynamic SQL
    • Allow-list input validation for the parts of a query that cannot be bound as parameters, such as table or column names and sort order
    • Escaping all user-supplied input with the database's own escape routine, a last resort that is easy to get wrong
  • Preventing SQLi in the Application
    • Keep data separate from commands and queries
    • Use a safe API that avoids the interpreter entirely or provides a parameterized interface
    • Use an Object Relational Mapping (ORM) tool to reduce hand-written SQL, remembering that ORM raw-query features can still be injected
    • Use positive (allow-list) server-side input validation
    • Escape special characters using the specific escape syntax for that interpreter when a dynamic query is unavoidable
    • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records if an injection does succeed
    • Do not build raw SQL from user input anywhere in the code
    • Keep the database behind the application tier, never reachable directly from the client, and have the application connect with a least-privilege account
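The cards on SELECT and WHERE, on SQLi, and on prevention come together in one runnable Python example. It is added here and is not part of the original flashcard set: it builds an in-memory SQLite database with constructed sample rows, shows a login query built by string concatenation (the vulnerable "before"), the same login with a prepared statement, a union-based extraction against the vulnerable version, and allow-listing plus LIMIT for the one query part that cannot be parameterized. Table and column names, sample users and passwords are all assumptions made for the example.

```python
"""Added example (not from the original flashcards): SELECT/WHERE queries,
a string-built login query that is SQL-injectable, and the parameterized
fix, all run against an in-memory SQLite database with constructed data."""
import sqlite3

# Constructed sample rows. Passwords are stored in plaintext only to keep
# the injection visible; a real application stores password hashes.
SAMPLE_USERS = [
    (1, "alice", "alice-pw", "alice@example.com", 0),
    (2, "bob", "bob-pw", "bob@example.com", 0),
    (3, "admin", "hunter2", "admin@example.com", 1),
]


def make_db():
    """Create an in-memory database (the schema) and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, "
        "email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' version: input is concatenated into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT id, username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Prepared statement: the SQL text never changes and the driver binds
    the values separately, so input is only ever compared as data."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Column names cannot be bound as parameters, so they are allow-listed.
ALLOWED_SORT_COLUMNS = ("id", "username", "email")


def sort_column_allowed(sort_by):
    """Allow-list check for an identifier that will be spliced into SQL."""
    return sort_by in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, sort_by):
    """ORDER BY takes an identifier, not a value: validate it against the
    allow-list, and cap the row count so one query cannot dump the table."""
    if not sort_column_allowed(sort_by):
        raise ValueError("unsupported sort column: %r" % sort_by)
    sql = "SELECT id, username FROM users ORDER BY " + sort_by + " LIMIT 100"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Normal use: a SELECT with a WHERE clause on two columns.
    print("valid login:       ", login_safe(conn, "admin", "hunter2"))

    # Authentication bypass: the -- comment discards the password check.
    bypass = "admin' -- "
    print("vulnerable, bypass:", login_vulnerable(conn, bypass, "wrong"))
    print("safe, same input:  ", login_safe(conn, bypass, "wrong"))

    # Union-based extraction: the query returns two columns, so the
    # appended SELECT supplies two columns from the same table.
    dump = "' UNION SELECT username, password FROM users -- "
    print("vulnerable, union: ", login_vulnerable(conn, dump, "wrong"))
    print("safe, same input:  ", login_safe(conn, dump, "wrong"))

    # Identifier injection is rejected before any SQL is built.
    print("sort allowed?      ", sort_column_allowed("id; DROP TABLE users"))
```

The two attack strings are the classic error-free payloads: the first turns the rest of the WHERE clause into a comment so only the username is checked, the second appends a UNION that returns every username and password in place of the login result. Against login_safe both strings are simply compared as literal usernames and match nothing, which is the whole point of binding values instead of splicing them.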