Edit

422.3 Memory, session and file management

Manage resources responsibly to ensure data protection, efficient performance, and resistance to common software vulnerabilities.

Overview

Secure software must handle resources—such as memory, session data, and file access—with care. Poor management can lead to vulnerabilities like data leaks, unauthorised access, denial-of-service (DoS) attacks, and corruption of stored information.

This topic focuses on how to allocate, track, and dispose of memory and session data safely, and how to manage files without exposing the system to risk.

Targets

In this topic, students learn to:

  • Apply memory and resource management strategies that reduce risk

  • Manage user sessions securely to prevent hijacking and leakage

  • Implement file access with correct permissions and validation

  • Identify and avoid insecure patterns related to storage and resource use

Syllabus references

Secure software architecture

Developing secure code

  • Design, develop and implement secure code to minimise vulnerabilities in user action controls, including: – broken authentication and session management

  • Design, develop and implement secure code to protect user file and hardware vulnerabilities from file attacks and side channel attacks

  • Design, develop and implement code considering efficient execution for the user

    Including:

    – memory management

    – session management

Memory management

Memory management involves controlling how memory is allocated and freed during program execution. Poor memory handling can result in:

  • Memory leaks: Used memory is never released, leading to performance degradation

  • Buffer overflows: Writing more data than a buffer can hold can overwrite memory and allow code execution

  • Dangling pointers or references: Accessing freed memory can lead to crashes or undefined behaviour

Best practices:

  • Initialise all variables before use

  • Free or dispose of unused resources

  • Use memory-safe languages where possible (e.g. Python, Java)

  • Avoid unsafe operations such as direct pointer arithmetic in C/C++

Session management

Sessions store user-specific data temporarily between requests in web or networked applications. Poor session management can lead to:

  • Session hijacking: An attacker takes over a user’s session ID

  • Session fixation: A user is forced to use a known session ID

  • Session timeout failure: Sessions persist after the user has logged out or become inactive

Best practices:

  • Use secure session tokens (random, long, and unguessable)

  • Rotate session tokens on login and privilege escalation

  • Set session expiration and idle timeouts

  • Store sessions securely—avoid exposing them in URLs or local storage

File handling and storage

Accessing or storing files can introduce risks if permissions are poorly managed or inputs are not validated. Common file-related vulnerabilities include:

  • Path traversal: Attacker accesses files outside the allowed directory (../../../etc/passwd)

  • Unvalidated uploads: Malicious files are uploaded and executed

  • Insecure storage: Sensitive data is stored unencrypted or in a world-readable location

Best practices:

  • Validate filenames and extensions on upload

  • Restrict file access permissions (e.g. read-only, no execution)

  • Store sensitive files outside the web root and encrypt where needed

  • Sanitise input paths to avoid traversal

Summary

  • Secure software must manage memory, sessions, and files intentionally

  • Poor memory management can crash programs or allow code injection

  • Session management must prevent hijacking and ensure user isolation

  • File operations must restrict access, validate input, and store data securely

Previous422.2 Error and exception managementNext422.4 Protecting against attacks

Last updated

Was this helpful?