8. Software Development Security

Question 1

Which IP protocol is secure and how?

Answer 1

IPv6 is inherently secure, as it uses IP Sec. IP Sec is a framework for traffic including the support for encryption, authentication, authorization and integrity.

Question 2

What are the software development methodologies?

Answer 2

1. Waterfall
2. Prototyping
3. Spiral
4. Agile

Question 3

Define Waterfall

Answer 3

Software development methodology.

Phase based approach. Best for small projects

Pros: define before code
Cons: adjusting scope during project can kill it.

Question 4

Define Prototyping

Answer 4

A software development methodology.

A cyclical approach to development. Makes a working model and expand off of it to fit what customer wants.

Pros: users interact with model and give feedback

Cons: tendency for superficial analysis

Question 5

Define Spiral

Answer 5

A software development methodology

Combo of waterfall and prototyping. Good for large projects.

Pros: a usable software is produced early in the cycle.

Cons: costly. Risk analysis requires highly specific expertise.

Question 6

Define Agile

Answer 6

A software development methodology

Current popular model. Have new objective every ~2 weeks

Pros: fewer defects, greater flexibility instant feedback.

Cons: less documentation, less focus on system design. Harder to track.

Question 7

Define distributed computing

Answer 7

An architecture style.

1. Client-server. Ie. thin/fat clients.
2. Peer-to-peer. Ie. file sharing systems.

Question 8

Define Service Orientated Architecture

Answer 8

An architecture and a vision on how heterogeneous applications should be developed and integrated into the enterprise.

Share a formal contract.

Reusable, autonomous, stateless, discoverable.

Question 9

Define Rich Internet Applications

Answer 9

An architecture style.

Web applications

Question 10

What are main threats of rich internet applications?

Answer 10

client side: XSS and CSRF

Server side: code injection and aggregation

Question 11

What is polyinstatiation?

Answer 11

Lying.

Question 12

What is aggregation?

Answer 12

Collecting of information.

Question 13

Define ubiquitous computing.

Answer 13

Wireless networking.

Ie. RFID, NFC, and LBS (location based services)

Question 14

Define monitoring

Answer 14

Validation of compliance to regulations and other governance requirements.

Demonstrates due diligence and due care on the part of the organization towards its shareholders.

Question 15

What are the characteristics of good metrics?

Answer 15

Consistency
Quantitative 
Objectivity 
Relevance
Inexpensive

Question 16

Define auditing

Answer 16

Important detective controls that can be used to correlate information after an event.

Used to ensure policies are being followed and are effective.

Question 17

What is Code injection?

Answer 17

An OWASP Vulnerability

Injection flaws in code that occur when untrusted data is sent to an interpreter as part of a command or quart.

Question 18

What is Broken Authentication & Session Management?

Answer 18

An OWASP Vulnerability
Application functions related to authentication that are not implemented correctly and allow attackers to compromise information to assume others identities.

Question 19

What is XSS?

Answer 19

An OWASP Vulnerability
Cross Site Scripting
Whenever an application takes untrusted data and sends it to a web browser without proper validation.

Question 20

What is Insecure Direct Object References?

Answer 20

An OWASP Vulnerability
Unauthorized user or process which can invoke the internal functionality of the software by manipulating parameters and other object values.

Question 21

What are security misconfigurations?

Answer 21

An OWASP Vulnerability

When a configuration is not set to its secure settings.

Question 22

What is Sensitive Data Exposure?

Answer 22

An OWASP Vulnerability
When web applications do not adequately protect sensitive data.

Ie. Insufficient protection for data-at-rest, data-in-transit, or data-in-use.

Question 23

What is missing function level access control?

Answer 23

An OWASP Vulnerability

When a web app does not reverify the access rights with each new function accessed.

Question 24

What is CSRF?

Answer 24

An OWASP Vulnerability

Forcing a logged-on victims browser to send a forged HTTP request, including cookies and authentication information.

Question 25

What is Known Vulnerability Component Usage?

Answer 25

An OWASP Vulnerability

Using deprecated, insecure, or banned APIs. These can undermine the security of other applications.

Question 26

What are Unvalidated Redirects and Forwards?

Answer 26

An OWASP Vulnerability

When web apps redirect or forward a user to other pages and use untrusted data to determine the destination pages.

Question 27

What is defensive coding?

Answer 27

A form of proactive, secure coding intended to ensure the continued function of the software under unforeseen circumstances.

Question 28

What are the first 5 secure coding practices?

Answer 28

1. Input validation
2. Data sanitization
3. Error handling
4. Safe APIs
5. Concurrency

Question 29

What are the last 5 secure coding practices?

Answer 29

1. Tokenizing
2. Sand boxing
3. Anti-tampering
4. Secure processes for software
5. Secure builds

Question 30

What are the 3 secure processes for software?

Answer 30

1. Version control
2. Code analysis
3. Code review

Question 31

What is concurrency?

Answer 31

Simultaneous operations.

Should be avoided to help avoid race conditions, and keep single threaded operations.

Question 32

What is tokenizing?

Answer 32

Replacing sensitive data with a token that still retains the needed information about the data.

Question 33

What is included in change management?

Answer 33

Parts include: procedural, scheduling, documentation, training, fall backs, change management database, support info.

Question 34

What is patch management?

Answer 34

Additional pieces of code developed to address problems in software, and their management in a secure environment.

Question 35

What is fuzzing?

Answer 35

Fault injection testing
Brute force type of testing in which faults are injected into the software and behavior is observed.

Validated the effectiveness of input validation.

Question 36

What is verification?

Answer 36

The technical design of the product.

Does it meet the developers description?

Question 37

What is validation?

Answer 37

Does the product solve the problem I have?

Does it solve the problem it is supposed to solve?

Question 38

What is accreditation?

Answer 38

Managements acceptance of the product and their decision to implement the software in their environment.

Question 39

What are the database models?

Answer 39

1. Hierarchical
2. Distributed
3. Object-oriented
4. Relational

Question 40

What are object-orientated databases?

Answer 40

Databases that keep track of objects and entities that contain both data and action of the data.

Question 41

What are hierarchical databases?

Answer 41

Stores related information in a tree like fashion.

Question 42

What are distributed databases?

Answer 42

Client-Server type of database located on more then one server in more then on location.

Question 43

What are relational databases?

Answer 43

A database in the form of tables related to each other.

Stores data in such a way that a data manipulation language can be used independently on data.

Question 44

What is a primary key?

Answer 44

A part of relational databases.

A unique identifier for each record.

Question 45

What is normalization?

Answer 45

A part of relational databases.

The process of removing duplicates and ensuring that each attribute only describes the primary key.

Question 46

What is a Tuple?

Answer 46

A part of relational databases.

A group of attributes about a single instance.

Question 47

What are foreign keys?

Answer 47

A part of relational databases.

Primary keys from other tables, listed on a new table with a different primary key. Used to relate tables.

Question 48

What is a record or column?

Answer 48

A part of relational databases.

A group of attributes about a single instance. Like a tuple.

Question 49

What is a schema?

Answer 49

A part of relational databases.

The whole idea for how the database functions and is set up.