  1. Exception:
    1. An event that occurs during the execution of a program, and requires the execution of code outside the normal flow of control.
    2. There are two kinds of exceptions:
      1. Hardware Exceptions:
        1. Hardware exceptions are initiated by the CPU. They can result from the execution of certain instruction sequences, such as division by zero or an attempt to access an invalid memory address.
      2. Software Exceptions:
        1. Software exceptions are initiated explicitly by applications or the operating system. For example, the system can detect when an invalid parameter value is specified.
    3. Exception Handling
      1. Structured Exception Handling (SEH):
        1. A mechanism for handling both hardware and software exceptions. Your code will handle hardware and software exceptions identically.
        2. This enables you to have complete control over the handling of exceptions, provides support for debuggers, and may be used across all programming languages and machines.
        3. Vectored Exception Handling:
          1. An extension to structured exception handling.
          2. An application can register a function to watch or handle all exceptions for the application.
          3. Vectored handlers are not frame-based, so you can add a handler that will be called regardless of where you are in a call frame.
          4. Vectored handlers are called in the order that they were added, after the debugger gets a first chance notification, but before the system begins unwinding the stack.
      2. Termination Handling:
        1. A mechanism which enables you to ensure that whenever a guarded body of code is executed, a specified block of termination code is also executed. The termination code is executed regardless of how the flow of control leaves the guarded body.
        2. For example, a termination handler can guarantee that clean-up tasks are performed even if an exception or some other error occurs while the guarded body of code is being executed.
  2. Input Validation:
    1. The proper testing of any input supplied by a user or application. This prevents improperly formed data from entering an information system.
  3. Database Security Controls
    1. Stored Procedure
      1. A set of Structured Query Language (SQL) statements with an assigned name, stored in a relational database management system as a group so that they can be reused and shared by multiple programs.
    2. Normalization
      1. Database normalization is a set of design principles that database designers should follow when building and modifying databases.
      2. Databases that follow these principles are said to be in normal forms, which are numbered in increasing order of the level of principle followed.
        1. The first normal form requires that you:
          1. Create separate tables for different sets of related data
          2. Provide a primary key for every table
          3. Avoid creating records that have multivalued fields
          4. Ensure that all records in a table have the same number of fields
        2. The second normal form includes all of the same requirements of the first normal form, as well as the requirement that:
          1. Any field in the database that is not part of the primary key must be a fact about the entire primary key.
        3. The third normal form requires that you meet the requirements of the first and second normal form, and also includes a requirement:
          1. Restricting relationships between non-key fields.
      3. Normalized database forms provide the following benefits:
        1. Prevent data inconsistency
        2. Prevent update anomalies
        3. Reduce the need for restructuring existing databases
        4. Make the database schema more informative
    3. Encryption
  4. Code Signing
    1. Provides authentication and non-repudiation
    2. If code signing is in place, upon receiving the code, the OS checks that:
      1. the public key in the developer's digital certificate correctly decrypts the code's digital signature;
      2. the hash contained in the (just decrypted) digital signature matches the hash in the downloaded code.
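The two checks above, as an added example that is not part of the original notes. It uses textbook RSA with constructed toy keys built from Mersenne primes; real code signing uses a padded signature scheme and also validates the certificate chain, and every name here is hypothetical.

```python
import hashlib


def make_key(p, q, e=65537):
    """Build a toy RSA key pair from two primes (constructed, insecure keys)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent, kept by the signer
    return (n, e), (n, d)               # (public key, private key)


def digest(code: bytes) -> int:
    """SHA-256 hash of the code, as an integer."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")


def sign(code: bytes, private_key) -> int:
    """Developer side: hash the code, then transform the hash with the private key."""
    n, d = private_key
    return pow(digest(code), d, n)


def verify(code: bytes, signature: int, public_key) -> bool:
    """Receiver side: the two checks the OS performs on downloaded code."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    # Check 1: use the public key from the certificate to recover the signed hash.
    recovered = pow(signature, e, n)
    # Check 2: the recovered hash must equal the hash of the code as received.
    return recovered == digest(code)


# Constructed sample data: a developer key, an unrelated key, and a release.
DEV_PUB, DEV_PRIV = make_key(2**521 - 1, 2**607 - 1)
OTHER_PUB, _ = make_key(2**607 - 1, 2**1279 - 1)
RELEASE = b"print('installer v1.0')\n"
SIGNATURE = sign(RELEASE, DEV_PRIV)

if __name__ == "__main__":
    print("genuine release:", verify(RELEASE, SIGNATURE, DEV_PUB))
    print("modified code:", verify(RELEASE + b"import os\n", SIGNATURE, DEV_PUB))
    print("wrong certificate:", verify(RELEASE, SIGNATURE, OTHER_PUB))
```

A modified file fails the second check, and a signature made with a different private key fails because the public key recovers a value that is not the hash.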
  5. Obfuscation/Camouflage
    1. Obfuscation:
      1. Deliberately complicating the source code or system to make it more difficult to understand. This conceals its purpose to prevent tampering and reverse engineering.
    2. Camouflage:
      1. To disguise or hide the presence of a key piece of code to make it better blend in with its surroundings.
  6. Code Reuse/Dead Code
    1. The use of existing software, or software knowledge, to build new software, following the reusability principles.
    2. Reusability:
      1. The use of existing assets in some form within the software product development process; these assets are products and by-products of the software development life cycle (SDLC) and include:
        1. Code
        2. Software components
        3. Test suites
        4. Designs
        5. Documentation
    3. Reusability Principles:
      1. Build
      2. Packaging
      3. Distribution
      4. Installation
      5. Configuration
      6. Deployment
      7. Maintenance
      8. Upgrade
    4. Dead Code:
      1. A section in the source code of a program which is executed but whose result is never used in any other computation. The execution of dead code wastes computation time and memory.
      2. While the result of a dead computation may never be used, it may raise exceptions or affect some global state, thus removal of such code may change the output of the program and introduce unintended bugs.
  7. Server-Side vs Client-Side Execution and Validation
    1. Server-Side Scripting
      1. A technique used in web development which involves employing scripts on a web server which produce a response customized for each user's (client's) request to the website.
    2. Static Web Page
      1. A web page that is delivered to the user exactly as stored, in contrast to dynamic web pages which are generated by a web application.
    3. Advantages and Disadvantages:
      1. Advantages of a static website
        1. Provide improved security over dynamic websites
        2. Improved performance for end users compared to dynamic websites
        3. Fewer or no dependencies on systems such as databases or other application servers
      2. Disadvantages of a static website
        1. Dynamic functionality has to be added separately
  8. Memory Management
    1. Bounds Checking
      1. Range Checking
        1. Validating input before executing, to ensure that the range of values is acceptable.
      2. Type Checking
        1. Validating input before executing, to ensure that the values provided are of the correct type (int, str, bool, etc.).
    2. Canary Values
      1. A value that will be overwritten first in case of a buffer overflow. When the canary value is overwritten, the CPU stops writing to the buffer on its next cycle.
    3. Address Space Layout Randomization (ASLR):
      1. In order to prevent an attacker from reliably jumping to a particular location in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
    4. Garbage collection libraries should be added to C and C++
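The type and range checks listed under Bounds Checking, which are also the core of the input validation in item 2, as an added example that is not part of the original notes. The request fields and limits in the schema are hypothetical.

```python
import math

# Hypothetical schema for a constructed "transfer" request:
# field -> (expected type, minimum, maximum). For str the range is the length.
SCHEMA = {
    "account_id": (int, 1, 999_999),
    "amount": (float, 0.01, 10_000.0),
    "memo": (str, 0, 64),
}


def validate(request: dict) -> list:
    """Return a list of violations; an empty list means the input is accepted."""
    errors = [f"{name}: unexpected field" for name in request if name not in SCHEMA]
    for name, (kind, low, high) in SCHEMA.items():
        if name not in request:
            errors.append(f"{name}: missing")
            continue
        value = request[name]
        # Type check. type() is compared directly because bool is a subclass
        # of int in Python, so isinstance(True, int) would accept a boolean.
        if type(value) is not kind:
            errors.append(
                f"{name}: expected {kind.__name__}, got {type(value).__name__}")
            continue
        # Range check. NaN and infinity are rejected first, since NaN compares
        # false against every bound and would otherwise need special handling.
        measured = len(value) if kind is str else value
        if kind is float and not math.isfinite(value):
            errors.append(f"{name}: not a finite number")
        elif not low <= measured <= high:
            errors.append(f"{name}: {measured} outside {low}..{high}")
    return errors


if __name__ == "__main__":
    print(validate({"account_id": 42, "amount": 19.99, "memo": "rent"}))
    print(validate({"account_id": True, "amount": 1e9, "memo": "x" * 65}))
```

The type check runs before the range check so that a value of the wrong type is never compared against numeric bounds.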
  9. Use of Third-Party Libraries and SDKs
    1. Library
      1. Libraries consist of shared code objects that perform related functions.
      2. Third-Party Library
        1. Developers can use GNU GPL licensed libraries that contain relevant functions and then call those functions.
    2. SDK
      1. Organizations trying to make their code libraries more accessible to developers often publish software development kits (SDKs).
      2. SDKs are collections of software libraries combined with documentation, examples, and other resources designed to help programmers get up and running quickly in a development environment.
      3. SDKs also often include specialized utilities designed to help developers design and test code.