Chapter 2 - Security Risks and Vulnerabilities in the SDLC

Understanding Software Vulnerabilities in the SDLC

To understand how to protect software by integrating security into every step of the SDLC, it is vital to first understand what makes software vulnerable.


Causes of Common Vulnerabilities

Risk | Definition | Example Mitigation Strategy
Improper Access Control | Users can access data or systems they should not be allowed to | Role-Based Access Control (RBAC)
Injections | Untrusted user input is interpreted as code or commands by the system | Sanitize user input
SQL Injections | Attacker-supplied input is interpreted as part of a SQL query, allowing the database to be read or manipulated | Parameterized queries and prepared statements that keep user input separate from the SQL statement
Cross-Site Scripting (XSS) | Injection of malicious scripts (usually JavaScript) into web pages viewed by other users | Use output encoding when displaying user input on a web page
Cryptographic Risks | Weak or outdated data encryption | Modern encryption methods
Improper Authentication | Weak or outdated login systems | Requiring Multi-factor Authentication (MFA)
Insufficient Logging and Monitoring | Suspicious activity in a system is not recorded or does not raise an alert | Regular log reviews and real-time alerts of suspicious network and system activity
Misconfiguration | Systems are set up incorrectly | Automated scanning and testing tools, plus separate development and production environments so that no misconfiguration goes live
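
A concrete illustration of the SQL Injections row above, added here as an example and not part of the original chapter: a lookup built by string concatenation next to the same lookup using a parameterized query, run against a constructed in-memory table with Python's sqlite3 module (the table contents and function names are assumptions for the demo).

```python
import sqlite3


def make_db():
    """Build a constructed in-memory sample database (not from the chapter)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the input is pasted into the SQL text, so any quote
    characters it contains change the structure of the query."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Mitigated: the '?' placeholder is filled in by the database driver,
    so the input is only ever compared as a value, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The same crafted input returns every row from the vulnerable query
    # and no rows at all from the parameterized one.
    crafted = "x' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, crafted))
    print("parameterized: ", lookup_parameterized(db, crafted))
```

Rows returned by the vulnerable version for the crafted input, versus none for the parameterized version, is exactly the difference the mitigation column describes.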

🧠 Knowledge Check

Answer the questions below to test your knowledge!

Q1: What is the main risk when users can access data or systems they shouldn’t be allowed to?

Q2: Which mitigation strategy is most effective against injection attacks?

Q3: What kind of attack involves injecting malicious SQL queries into a system?

Q4: True or False: Output encoding helps prevent SQL injections by restricting unauthorized queries.

Q5: Fill in the blank: __________ is a technique to limit what actions users can perform based on their role in an organization.


Resources for Further Information