Software Development Life Cycle (SDLC)
WaterfallLinear sequential phases. Each phase must complete before the next begins. Planning → Analysis → Design → Development → Testing → Deployment → Maintenance. Poor at handling changing requirements.
AgileIterative, collaborative development. Short sprints (2–4 weeks). Continuous feedback and adaptation. Better for changing requirements. Security can be integrated at each sprint.
SpiralCombines iterative development with risk management. Each cycle: plan → risk analysis → develop → evaluate. Good for large, high-risk projects.
DevSecOpsIntegrates security directly into the DevOps pipeline. Security testing at every stage — not bolted on at the end. "Shift left" = address security issues earlier in development.
SDLC Environments
DevelopmentWhere code is written. Developers have significant access. Not production data.
Test / QAWhere code is tested. Quality assurance activities. Validates functionality.
StagingPre-production environment. Final validation before deployment. Mirrors production closely.
ProductionLive system. Must follow change management. Direct access should be very limited.
Common Application Vulnerabilities
SQL Injection (SQLi)Attacker injects SQL commands into input fields that are processed by the database. Can read, modify, or delete data. Defense: parameterized queries / prepared statements. Content-based (returns data) and blind (infers data from behavior).
Cross-Site Scripting (XSS)Attacker injects malicious scripts into web pages viewed by other users. Types: Reflected (script in URL, executed immediately), Stored/Persistent (script saved to server, executed when page loads), DOM-based. Defense: input validation, output encoding.
Cross-Site Request Forgery (CSRF)Tricks authenticated user's browser into sending unauthorized requests to a web application. Defense: CSRF tokens, same-site cookie attribute, requiring re-authentication for sensitive actions.
Directory TraversalAttacker accesses files outside the web root by using ../ sequences. Example: ../../etc/passwd. Defense: input validation, chrooted environments.
Buffer OverflowWriting more data to a buffer than it can hold, overwriting adjacent memory. Can allow arbitrary code execution. Defense: bounds checking, ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention).
Race ConditionExploit timing window between check and use of a resource. TOCTOU (Time-of-Check-Time-of-Use). Defense: atomic operations, proper locking mechanisms.
Memory LeakApplication allocates memory and never releases it. Eventually exhausts available memory, causing crashes. Defense: proper memory management, code review.
Hard-Coded CredentialsUsernames or passwords embedded directly in source code. Can be discovered through source code review or reverse engineering. Defense: use configuration files, secrets managers, environment variables.
Stored XSS is more dangerous than reflected XSS because it persists on the server and affects every user who visits the page. Reflected XSS requires a victim to click a specific malicious link. Both steal session cookies or execute code in the victim's browser.
Secure Coding Practices
- Parameterized Queries — Separate code from data. Primary defense against SQL injection.
- Input Validation — Validate all user input on the server side (not just client side). Whitelist acceptable values.
- Output Encoding — Encode output before rendering in browser. Primary defense against XSS.
- Error Handling — Never reveal stack traces, database errors, or internal paths to users. Log internally, show generic messages.
- Code Signing — Digitally sign code so users can verify it hasn't been tampered with.
- Code Review — Manual (Fagan inspection) or automated (SAST tools) review of source code for vulnerabilities before deployment.
- OWASP Top 10 — OWASP (Open Web Application Security Project) publishes the most critical web application security risks. The Top 10 is the exam's reference for web vulnerability priorities.
OWASP Web Application Top 10
The OWASP Top 10 is the most widely referenced list of critical web application security risks. Updated periodically — testable version is 2021. The exam expects you to recognize which category a described vulnerability falls into.
A01 — Broken Access Control#1 risk. Users can act outside their intended permissions. Examples: accessing another user's account by changing the URL ID, viewing admin pages as a regular user, insecure direct object references (IDOR). Prevention: deny by default, enforce access controls server-side.
A02 — Cryptographic FailuresPreviously called "Sensitive Data Exposure." Weak or missing encryption for data at rest or in transit. Examples: transmitting passwords over HTTP, storing passwords in plaintext, using MD5 for password hashing, using DES or RC4. Prevention: TLS everywhere, strong hashing (bcrypt, SHA-256), encrypt sensitive data at rest.
A03 — InjectionAttacker sends untrusted data that is interpreted as code or commands. Includes SQL injection, command injection, LDAP injection, and XXE. Prevention: parameterized queries, input validation, allowlisting.
A04 — Insecure DesignFlaws in architecture and design — not just implementation bugs. Cannot be fixed by patching — requires redesign. Prevention: threat modeling during design, secure design patterns, reference architectures.
A05 — Security MisconfigurationMost commonly seen issue in practice. Default credentials, unnecessary features enabled, verbose error messages revealing stack traces, open cloud storage buckets, missing security headers. Prevention: hardening guides, automated configuration scanning, disable default accounts.
A06 — Vulnerable & Outdated ComponentsUsing libraries, frameworks, or software with known vulnerabilities. SCA (Software Composition Analysis) tools detect this. Examples: running Log4j with Log4Shell vulnerability, outdated jQuery with known XSS. Prevention: inventory all components, subscribe to vulnerability alerts, patch promptly.
A07 — Identification & Authentication FailuresPreviously "Broken Authentication." Weak passwords allowed, missing MFA, session IDs exposed in URLs, sessions not invalidated on logout, credential stuffing not prevented. Prevention: MFA, strong password policies, secure session management.
A08 — Software & Data Integrity FailuresAssuming that software updates and data are trustworthy without verification. Includes insecure deserialization and CI/CD pipeline attacks (e.g., SolarWinds supply chain attack). Prevention: digital signatures on updates, verify checksums, secure CI/CD pipeline.
A09 — Security Logging & Monitoring FailuresInsufficient logging means attacks go undetected. Without logs: you can't detect breaches, investigate incidents, or meet compliance requirements. Prevention: log all authentication events, failures, and high-value transactions. Centralize in SIEM. Set alerting thresholds.
A10 — Server-Side Request Forgery (SSRF)Application fetches a remote resource based on user-supplied URL. Attacker can make the server send requests to internal systems (bypassing firewalls), cloud metadata endpoints (stealing credentials), or internal services not exposed externally. Prevention: allowlist approved URLs/IPs, disable HTTP redirects, validate all user-supplied URLs.
The four most exam-relevant OWASP Web Top 10 entries: A01 Broken Access Control (#1 and rising), A03 Injection (the classic), A05 Security Misconfiguration (most common in the real world), A07 Identification & Authentication Failures (MFA and session management). SSRF (A10) is newer and increasingly tested — know what it is.
Application Security Controls
WAF (Web Application Firewall)Inspects HTTP/HTTPS traffic to web applications. Filters out SQLi, XSS, and other web attacks. Works at Layer 7. Can be hardware, software, or cloud-based.
TokenizationReplaces sensitive data with a non-sensitive placeholder (token). The real data is stored securely elsewhere. Common for payment cards (PCI DSS).
Data MaskingObscures sensitive data by substituting characters. Used in non-production environments so developers work with realistic data without exposure. Example: 4532-****-****-1234.
NormalizationDatabase design process that reduces redundancy and prevents anomalies. Structured correctly, prevents some injection paths.
Injection Attack Types
SQL InjectionMost common injection type. Attacker inserts SQL commands into user input fields that get executed by the database. Prevent with parameterized queries/prepared statements and stored procedures.
Command InjectionAttacker injects OS-level commands through application inputs. Application passes user input directly to a shell. Example: entering ; rm -rf / in a ping field. Prevent with input validation and avoiding shell calls with user input.
LDAP InjectionInjects LDAP filter characters to manipulate directory queries. Can allow authentication bypass or unauthorized directory data access. Prevent with input sanitization of LDAP special characters.
XML Injection / XXEXML External Entity injection. Attacker sends malicious XML referencing external entities. Can read local files, perform SSRF, or cause DoS. Prevent by disabling external entity processing in XML parsers.
HTML / Template InjectionInjects HTML or template syntax that gets rendered by the server or browser. Can lead to XSS or Server-Side Template Injection (SSTI) — which can execute arbitrary code on the server.
API Security
API (Application Programming Interface)Interface allowing applications to communicate with each other. REST, SOAP, and GraphQL are common types. APIs are a major and growing attack surface — they often bypass traditional web application controls.
API KeysTokens used to authenticate API calls. Must be protected like passwords — never hard-coded in source code, never exposed in URLs. Rotate regularly. Store in secrets managers.
Rate LimitingRestricts how many API requests a client can make in a given time period. Prevents brute force, DoS, and data scraping via API. Returns HTTP 429 (Too Many Requests) when exceeded.
Broken Object Level AuthorizationOWASP API #1 risk. API returns data for objects the requesting user doesn't have permission to access. Validate that the requesting user is authorized for each specific object, not just the endpoint.
Security HeadersHTTP response headers that improve security. Key headers: Content-Security-Policy (CSP, prevents XSS), X-Frame-Options (prevents clickjacking), HSTS (forces HTTPS), X-Content-Type-Options (prevents MIME sniffing).
APIs are tested heavily in SY0-701. The OWASP API Security Top 10 is separate from the OWASP Web Top 10. Broken Object Level Authorization (BOLA) = insecure direct object reference in API context. Treat every API endpoint as a potential attack surface requiring its own authorization check.
OWASP API Security Top 10
Separate from the Web Top 10 — specifically for API vulnerabilities. APIs have unique risks not covered by traditional web app testing. SY0-701 explicitly tests API security, and this list maps directly to exam scenarios.
API1 — Broken Object Level AuthorizationMost critical API risk. API returns data for objects the requesting user shouldn't have access to. Attacker changes an object ID in the request (e.g., /api/users/123 → /api/users/124) and retrieves another user's data. Server doesn't verify the requesting user owns that object. Prevention: validate authorization for every object access, not just the endpoint.
API2 — Broken AuthenticationWeak or missing authentication on API endpoints. Missing tokens, weak API keys, no rate limiting on auth endpoints enabling brute force. Prevention: strong API keys or OAuth tokens, MFA where applicable, rate limit authentication endpoints.
API3 — Broken Object Property Level AuthorizationAPI returns more data than the user needs (over-exposure) or allows updating fields the user shouldn't control (mass assignment). Example: user updates their profile but the API allows setting isAdmin=true. Prevention: explicitly define what fields each user role can read and write.
API4 — Unrestricted Resource ConsumptionNo rate limiting, quotas, or size limits on API requests. Enables DoS via resource exhaustion and financial damage on consumption-based services. Prevention: rate limiting, request size limits, query complexity limits (for GraphQL).
API5 — Broken Function Level AuthorizationUsers can access admin functions by guessing or predicting API endpoint names (e.g., /api/admin/deleteUser). Relies on obscurity rather than authorization. Prevention: deny all admin functions by default, enforce role checks on every endpoint.
API6 — Unrestricted Access to Sensitive Business FlowsAutomation exploits legitimate API flows at machine speed — bulk ticket purchasing bots, credential stuffing, fraudulent account creation. No technical vulnerability — the flow itself is abused. Prevention: CAPTCHA, device fingerprinting, rate limiting on sensitive flows.
API7 — Server-Side Request Forgery (SSRF)API fetches a resource from a URL provided by the client. Attacker points it at internal services or cloud metadata endpoints. Same as Web Top 10 A10 but particularly dangerous in APIs that integrate with other services.
API8 — Security MisconfigurationDefault credentials, unnecessary HTTP methods enabled (e.g., DELETE when only GET is needed), verbose error messages, missing CORS policy, outdated TLS. Prevention: security hardening, disable unused HTTP methods, suppress detailed errors.
API9 — Improper Inventory ManagementShadow APIs — undocumented, forgotten, or deprecated endpoints still running in production. Old API versions with weaker security remain accessible. Prevention: maintain a complete API inventory, version APIs, decommission old endpoints.
API10 — Unsafe Consumption of APIsTrusting data from third-party APIs without validation. If a third-party API you call is compromised, malicious data enters your system. Prevention: validate and sanitize all data received from external APIs, treat third-party API data as untrusted input.
API1 (Broken Object Level Authorization) is #1 for a reason — it's extremely common and easy to exploit. The classic example: change a user ID in an API call and get someone else's data. For the exam, if a scenario describes accessing another user's data by modifying a request parameter — that's BOLA/IDOR. SSRF appears on both lists (Web A10 and API7) — high priority to know.