Memory Management SCT

Uploaded by Sri Latha

Memory Management

• Check that the buffer is as large as specified.
• When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
• Check buffer boundaries if calling the function in a loop and make sure there is no danger of writing past the allocated space.
Memory Management (contd..)
• Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
• Explicitly close resources; do not rely on garbage collection (for example connection objects, file handles, etc.).
• Properly free allocated memory upon the completion of functions and at all exit points.
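The three copy rules on the two slides above (check the destination size, remember that strncpy() may leave no terminator, and bound the loop) in working C. This is an added example, not code from the slides; the function names and the sample inputs are mine.

```c
#include <stdio.h>
#include <string.h>

/* Copy at most dst_size-1 bytes of src into dst and always NUL-terminate.
 * Longer input is truncated instead of overflowing the destination.
 * Returns the number of bytes copied (without the terminator), -1 if
 * dst_size is 0 (there is no room even for the terminator). */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    /* Find the end of src, but never look further than what fits. */
    const char *end = memchr(src, '\0', dst_size - 1);
    size_t n = end ? (size_t)(end - src) : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Demonstrates the strncpy() pitfall from the slide: when the source is at
 * least as long as the destination size, strncpy() writes no terminator.
 * Returns 1 if the destination is NUL-terminated afterwards, 0 if not,
 * -1 if dst_size exceeds the scratch buffer. */
int strncpy_terminates(size_t dst_size, const char *src)
{
    char buf[64];
    if (dst_size > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);          /* sentinel: a missing '\0' shows up */
    strncpy(buf, src, dst_size);
    return memchr(buf, '\0', dst_size) != NULL;
}

/* Concatenation in a loop with an explicit bound check on every iteration.
 * Appends whole items only; stops as soon as the next one would not fit
 * together with the terminator. Returns how many items were appended. */
int join_bounded(char *dst, size_t dst_size, const char *const *items, int count)
{
    if (dst_size == 0)
        return 0;
    dst[0] = '\0';
    size_t used = 0;
    int appended = 0;
    for (int i = 0; i < count; i++) {
        size_t len = strlen(items[i]);
        if (used + len >= dst_size)        /* no room for item plus '\0' */
            break;
        memcpy(dst + used, items[i], len);
        used += len;
        dst[used] = '\0';
        appended++;
    }
    return appended;
}

int main(void)
{
    char dst[8];                           /* deliberately small destination */
    printf("copied %d bytes: \"%s\"\n",
           bounded_copy(dst, sizeof dst, "hello, world"), dst);
    printf("strncpy, 5-byte dst, 5-char src, terminated? %d\n",
           strncpy_terminates(5, "hello"));
    const char *parts[] = {"abc", "def", "ghi"};
    printf("joined %d items: \"%s\"\n",
           join_bounded(dst, sizeof dst, parts, 3), dst);
    return 0;
}
```

bounded_copy() is the pattern to reach for instead of raw strncpy(): it truncates to the destination and terminates unconditionally, so the caller never has to remember to write dst[dst_size - 1] = '\0' itself.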
Memory Management (contd..)
• Do not allocate and deallocate memory in a loop, as this may slow down the program and may sometimes cause security malfunctions.
• An easy way to find out if your code is leaking memory is by executing it and examining its memory usage, either using Task Manager on Windows or top on Linux.
Session Management
• Session management is used to facilitate
secure interactions between a user and some
service or application and applies to a
sequence of requests and responses
associated with that particular user.
• Session information is stored in a cookie, a
querystring value pair, or a hidden form in the
browser or on the client machine.
Session Management (contd..)
• Do not allow concurrent logins with the same user ID.
• Do not expose session identifiers in URLs, error messages or logs.
• Generate a new session identifier and deactivate the old one periodically.
• Consistently use HTTPS rather than switching between HTTP and HTTPS.
Session Management (contd..)
• Use the server or framework’s session
management controls. The application should
recognize only these session identifiers as valid.
• Session identifier creation must always be done
on a trusted system (server side not client side).
• Session management controls should use well
vetted algorithms that ensure sufficiently random
session identifiers.
Session Management (contd..)
• If a session was established before login, close that session and establish a new session after a successful login.
• Logout functionality should fully terminate the associated session or connection.
• Generate a new session identifier on any re-authentication.
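A small server-side session store in C that follows the session slides above: identifiers come from the kernel CSPRNG, only identifiers minted by the store are accepted, the pre-login identifier is retired on login, re-authentication rotates the identifier, a second login with the same user ID invalidates the first, and logout wipes the record. This is an added example, not code from the slides; it assumes a Linux-style /dev/urandom, and the store layout and function names are mine.

```c
#include <stdio.h>
#include <string.h>

#define SID_BYTES    16                 /* 128 bits of entropy per identifier */
#define SID_LEN      (SID_BYTES * 2)    /* hex-encoded length */
#define MAX_SESSIONS 64

typedef struct {
    char id[SID_LEN + 1];
    int  active;          /* 0 once the identifier has been retired */
    int  authenticated;   /* 0 for a session established before login */
    char user[32];
} session_t;

static session_t store[MAX_SESSIONS];   /* trusted side: lives on the server */

/* Fill buf with n bytes from the kernel CSPRNG (assumes /dev/urandom). */
static int random_bytes(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Write a fresh hex identifier into out (SID_LEN + 1 bytes). */
int new_session_id(char *out)
{
    unsigned char raw[SID_BYTES];
    if (random_bytes(raw, sizeof raw) != 0) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        sprintf(out + 2 * i, "%02x", raw[i]);
    out[SID_LEN] = '\0';
    return 0;
}

/* Only identifiers this store issued, and has not retired, are valid. */
session_t *find_session(const char *id)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (store[i].active && strcmp(store[i].id, id) == 0)
            return &store[i];
    return NULL;
}

/* Start an unauthenticated session (e.g. for a visitor before login). */
session_t *create_session(void)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (store[i].active) continue;
        if (new_session_id(store[i].id) != 0) return NULL;
        store[i].active = 1;
        store[i].authenticated = 0;
        store[i].user[0] = '\0';
        return &store[i];
    }
    return NULL;                         /* store full */
}

/* Successful login or re-authentication: retire the presented identifier,
 * drop any other active login for the same user, and issue a new id. */
session_t *login(const char *old_id, const char *user)
{
    session_t *old = find_session(old_id);
    if (old) old->active = 0;
    for (int i = 0; i < MAX_SESSIONS; i++)        /* no concurrent logins */
        if (store[i].active && store[i].authenticated &&
            strcmp(store[i].user, user) == 0)
            store[i].active = 0;
    session_t *s = create_session();
    if (!s) return NULL;
    s->authenticated = 1;
    snprintf(s->user, sizeof s->user, "%s", user);
    return s;
}

/* Logout fully terminates the session: nothing is left to reuse. */
void logout(const char *id)
{
    session_t *s = find_session(id);
    if (s) memset(s, 0, sizeof *s);
}

int main(void)
{
    session_t *pre = create_session();
    char pre_id[SID_LEN + 1];
    strcpy(pre_id, pre->id);
    session_t *s = login(pre_id, "alice");
    printf("pre-login id %s\nlogged-in id %s\nold id still valid? %s\n",
           pre_id, s->id, find_session(pre_id) ? "yes" : "no");
    return 0;
}
```

Note that login() never reuses or "upgrades" the pre-login record; it always mints a new identifier, which is what defeats an attacker who managed to plant a known identifier before the user authenticated.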
Tokenizing
• Tokenization is the process of replacing
sensitive data with unique identifiers (tokens)
that do not inherently have any meaning.
Doing this helps secure the original underlying
data against unauthorized access or usage.
Tokenizing (contd..)
Tokenization technology can be used with
sensitive data of all kinds, including
• bank transactions
• medical records
• criminal records
• vehicle driver information
• loan applications
• stock trading and voter registration.
Tokenizing (contd..)
• Tokenization is often used to protect credit card data, bank account information and other sensitive data handled by payment processors.
• Payment processing use cases that tokenize sensitive credit card information include the following:
  • mobile wallets, such as Google Pay and Apple Pay;
  • e-commerce sites; and
  • businesses that keep customers' cards on file.
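A minimal token vault in C to make the tokenizing slides concrete: a card number goes in, a random surrogate of the same length comes out, and only the vault can map the surrogate back. This is an added example, not code from the slides or from any real payment processor; it assumes /dev/urandom for randomness, and the vault layout, the 13 to 19 digit validation rule and the choice to keep the last four digits visible are mine. The card number used in main() is a constructed test value.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PAN_MAX   19      /* longest card number handled */
#define VAULT_MAX 256

typedef struct {
    char pan[PAN_MAX + 1];     /* the sensitive value, held only here */
    char token[PAN_MAX + 1];   /* the surrogate handed to the application */
    int  used;
} entry_t;

static entry_t vault[VAULT_MAX];

/* Fill buf with n bytes from the kernel CSPRNG (assumes /dev/urandom). */
static int random_bytes(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Accept only 13-19 decimal digits; reject anything else before storing. */
static int valid_pan(const char *pan)
{
    size_t len = strlen(pan);
    if (len < 13 || len > PAN_MAX) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)pan[i])) return 0;
    return 1;
}

static entry_t *find_by_token(const char *token)
{
    for (int i = 0; i < VAULT_MAX; i++)
        if (vault[i].used && strcmp(vault[i].token, token) == 0) return &vault[i];
    return NULL;
}

static entry_t *find_by_pan(const char *pan)
{
    for (int i = 0; i < VAULT_MAX; i++)
        if (vault[i].used && strcmp(vault[i].pan, pan) == 0) return &vault[i];
    return NULL;
}

/* Same length as the PAN, random leading digits, last four kept so the
 * application can still show "**** 1111" without ever holding the PAN. */
static int make_token(const char *pan, char *out)
{
    size_t len = strlen(pan);
    unsigned char pool[64];
    size_t p = sizeof pool;                  /* pool empty until first refill */
    for (size_t i = 0; i + 4 < len; i++) {
        unsigned char b;
        do {
            if (p == sizeof pool) {
                if (random_bytes(pool, sizeof pool) != 0) return -1;
                p = 0;
            }
            b = pool[p++];
        } while (b >= 250);                  /* reject to avoid modulo bias */
        out[i] = (char)('0' + b % 10);
    }
    memcpy(out + len - 4, pan + len - 4, 4);
    out[len] = '\0';
    return 0;
}

/* Return the token for pan, issuing a fresh one on first sight. */
const char *tokenize(const char *pan)
{
    if (!valid_pan(pan)) return NULL;
    entry_t *e = find_by_pan(pan);
    if (e) return e->token;                  /* card already on file */
    for (int i = 0; i < VAULT_MAX; i++) {
        if (vault[i].used) continue;
        for (int tries = 0; tries < 10; tries++) {
            if (make_token(pan, vault[i].token) != 0) return NULL;
            if (find_by_token(vault[i].token) == NULL) {   /* must be unique */
                strcpy(vault[i].pan, pan);
                vault[i].used = 1;
                return vault[i].token;
            }
        }
        return NULL;                         /* could not find a unique token */
    }
    return NULL;                             /* vault full */
}

/* Only the vault can reverse a token; everything else sees just the token. */
const char *detokenize(const char *token)
{
    entry_t *e = find_by_token(token);
    return e ? e->pan : NULL;
}

int main(void)
{
    const char *pan = "4111111111111111";    /* constructed test number */
    const char *t = tokenize(pan);
    printf("token %s -> pan %s\n", t, detokenize(t));
    return 0;
}
```

The token carries no information about the card beyond the four digits deliberately kept, so a system that stores only tokens (an e-commerce site keeping a card on file, in the slide's terms) holds nothing an attacker can charge; the vault is the single component that needs the stronger protection.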
Sandboxing
• Sandboxing is a cybersecurity practice where you run, observe and analyze code in a safe, isolated environment on a network that mimics end-user operating environments.
• Software developers use sandboxes to test new programming code.
• Cybersecurity professionals use sandboxes to test potentially malicious software.