Understanding Key Cybersecurity Principles for Developers (Part 5)
This segment continues our series on 100 fundamental cybersecurity principles that every developer should know when building secure applications, covering concepts 41 through 50.
Note: This information is not intended to promote or encourage the misuse of these techniques against others.
Below are links to the previous sections (all on levelup.gitconnected.com, each subtitled "Your go-to checklist for building secure applications"):
- 100 Essential Cybersecurity Concepts That Every Developer Must Know (Part 1: 1–10)
- 100 Essential Cybersecurity Concepts That Every Developer Must Know (Part 2: 11–20)
- 100 Essential Cybersecurity Concepts That Every Developer Must Know (Part 3: 21–30)
- 100 Essential Cybersecurity Concepts That Every Developer Must Know (Part 4: 31–40)
41. Backdoor
A backdoor is a technique employed to circumvent the authentication system of a computer, allowing unauthorized remote access for the purpose of obtaining sensitive information or altering data. Backdoors are often linked with rootkits and trojan horses.
Learn about a notable backdoor found in Samsung Galaxy devices [here](https://www.zdnet.com/article/backdoor-in-samsung-galaxy-devices-allows-remote-access-to-data).
42. Fileless Malware
This type of malware runs directly from a computer's memory instead of relying on the file system. Because it writes nothing to disk, it leaves little for file-based antivirus scanners to inspect, and it remains active until the system's memory is cleared or the machine is rebooted. Examples include Kovter and Poweliks, which manipulate the Windows registry to persist and relaunch themselves.
43. Brute Force Attack
A brute force attack involves systematically guessing a password by trying every possible combination of characters. The time required to crack a password escalates exponentially with its length.
44. Password Spraying
This method of attack attempts a single password across multiple usernames, helping to avoid lockouts that can occur when multiple incorrect passwords are entered for a single account.
45. Dictionary Attack
A dictionary attack involves testing passwords using a list of common words and their variations. It is a focused brute force method.
46. Salting
When storing passwords, they should not be kept in plaintext. Instead, they are hashed with a cryptographic one-way function, and this hash is stored. To enhance security, a random value known as salt is added to the password before hashing. This process ensures that even if two users have the same password, their salted hashes will differ.
Example: Consider two users with the same password "password". In a non-salted database, their hashed passwords would be identical. However, with salting, each user's hash will be unique due to different salts being applied.
47. Peppering
Similar to salting, peppering involves adding a secret random value, known as pepper, to passwords before they are hashed. Unlike salt, which can be stored with the hash, pepper must be kept secret and stored separately, often on secure hardware.
48. Rainbow Table Attack
This attack method utilizes precomputed tables of common passwords and their corresponding hashes. If an attacker gains access to a password database, they can use a rainbow table to quickly find matches, making the attack more efficient.
To defend against rainbow table attacks, use salting and peppering, which make precomputed tables useless because each stored digest depends on a per-record salt and a secret pepper; multi-factor authentication and delegated login via OAuth 2.0 further limit the damage if a password is recovered.
49. Two-factor / Multi-factor Authentication (2FA/MFA)
This authentication method requires users to verify their identity by providing evidence from two or more of the following categories:
- User's secret (password/PIN)
- User's devices generating security tokens
- User's location
- User's inherent traits (face/voice/fingerprints)
50. Third-party Authenticator (TPA)
A third-party authenticator is an application that facilitates 2FA/MFA for other applications by providing a frequently changing code as proof of identity. Notable examples include:
- Google Authenticator
- Microsoft Authenticator
- Authy
Thank you for reading! See you in the next segment!
Next: 100 Essential Cybersecurity Concepts That Every Developer Must Know (Part 6: 51–60) on bamania-ashish.medium.com