CHAPTER 10 Software Development Security Flashcards

1
Q

Explanations: Object-Oriented Concepts

A

Software development used to be done by classic input-processing-output methods. This development used an information flow model from hierarchical information structures. Data were input into a program, and the program passed the data from the beginning to end, performed logical procedures, and returned a result.

2
Q

Emphasis: System Development Life Cycle

A

System Development Life Cycle

A life cycle is a representation of development changes. A person is conceived, born, matures (baby, toddler, teenager, middle age, elderly), and dies. Such is the circle of life. Projects have a life cycle: initiation, planning, execution and controlling, and closure. A system has its own developmental life cycle, which is made up of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal. Collectively these are referred to as a system development life cycle (SDLC). Here are the basic components of each phase:

3
Q

Emphasis: Authentication and Access Control

A

Authentication and Access Control

If you’ve used the Internet for banking, shopping, registering for classes, or working from home, you most likely logged in through a web-based application. From the consumer side or the provider side, the topic of authentication and access control is an obvious issue. Consumers want an access control mechanism that provides the security and privacy they would expect from a trusted entity, but they also don’t want to be too burdened by the process. From the service providers’ perspective, they want to provide the highest amount of security to the consumer that performance, compliance, and cost will allow. So, from both of these perspectives, typically usernames and passwords are still used to control access to most web applications.

4
Q

Emphasis: Web Application Security Principles

A

Web Application Security Principles

Considering their exposed nature, web sites are primary targets during an attack. It is, therefore, essential for web developers to abide by the time-honored and time-tested principles to provide the maximum level of deterrence to attackers. Web application security principles are meant to govern programming practices to regulate programming styles and strategically reduce the chances of repeating known software bugs and logical flaws.

5
Q

Bullets: Development

A

Programming software code to meet specifications laid out in the design phase

6
Q

Bullets: V-model

A

Emphasizes verification and validation at each phase and testing to take place throughout the project, not just at the end.

7
Q

Bullets: Third-party evaluations

A

Reviewing the level of service and quality a specific vendor will provide if the system is to be purchased.

8
Q

Explanation Bullets: A database is the mechanism that provides structure for the data collected. The actual specifications of the structure may be different per database implementation, because different organizations or departments work with different types of data and need to perform diverse functions upon that information. There may be different workloads, relationships between the data, platforms, performance requirements, and security goals. Any type of database should have the following characteristics:

A
  • It centralizes by not having data held on several different servers throughout the network.
  • It allows for easier backup procedures.
  • It provides transaction persistence.
  • It allows for more consistency since all the data are held and maintained in one central location.
  • It provides recovery and fault tolerance.
  • It allows the sharing of data with multiple users.
  • It provides security controls that implement integrity checking, access control, and the necessary level of confidentiality.
9
Q

Bullets: Parameter validation

A

The values that are being received by the application are validated to be within defined limits before the server application processes them within the system.

10
Q

Explanation Bullets: As it pertains to security, the following items should be accomplished in this phase:

A
  • Security requirements
  • Security risk assessment
  • Privacy risk assessment
  • Risk-level acceptance
11
Q

Explanation Bullets: 17. B. The characteristics and their associated definitions are listed as follows:

A
  • Modularity Autonomous objects, cooperation through exchanges of messages.
  • Deferred commitment The internal components of an object can be redefined without changing other parts of the system.
  • Reusability Other programs using the same objects.
  • Naturalness Object-oriented analysis, design, and modeling map to business needs and solutions.
12
Q

Bullets: Mobile code

A

Code that can be transmitted across a network, to be executed by a system or device on the other end.

13
Q

Bullets: Statement of Work (SOW)

A

Describes the product and customer requirements. A detail-oriented SOW will help ensure that these requirements are properly understood and assumptions are not made.

14
Q

Bullets: Repeatable

A

A formal management structure, change control, and quality assurance are in place. The company can properly repeat processes throughout each project. The company does not have formal process models defined.

15
Q

Emphasis: Spyware and Adware

A

Spyware and Adware

Spyware is a type of malware that is covertly installed on a target computer to gather sensitive information about a victim. The gathered data may be used for malicious activities, e.g., identity theft, spamming, fraud, etc. Spyware can also gather information about a victim’s online browsing habits, which is then often used by spammers to send targeted advertisements. It can also be used by an attacker to direct a victim’s computer to perform tasks such as installing software, changing system settings, transferring browsing history, logging keystrokes, taking screenshots, etc.

16
Q

Bullets: Schema

A

Database structure that is described in a formal language supported by the database management system (DBMS). It is used to describe how data will be organized.

17
Q

Explanation Bullets: The following list illustrates the basic software programming language generations:

A
  • Generation one: machine language
  • Generation two: assembly language
  • Generation three: high-level language
  • Generation four: very high-level language
  • Generation five: natural language
18
Q

Bullets: Software escrow

A

Storing of the source code of software with a third-party escrow agent. The software source code is released to the licensee if the licensor (software vendor) files for bankruptcy or fails to maintain and update the software product as promised in the software license agreement.

19
Q

Bullets: Client-side validation

A

Input validation is done at the client before it is even sent back to the server to process.

20
Q

Bullets: Verification

A

Determines if the product accurately represents and meets the specifications.

21
Q

Bullets: Probabilistic

A

Identifies data interdependencies and applies probabilities to their relationships.

22
Q

Emphasis: tunneling virus

A

Another type of virus, called the tunneling virus, attempts to install itself “under” the antivirus program. When the antivirus goes around doing its health check on critical files, file sizes, modification dates, and so on, it makes a request to the operating system to gather this information. Now, if the virus can put itself between the antivirus and the operating system, when the antivirus sends out a command (system call) for this type of information, the tunneling virus can intercept this call. Instead of the operating system responding to the request, the tunneling virus responds with information that indicates that everything is fine and healthy and that there is no indication of any type of infection.

23
Q

Bullets: Security plan

A

Documented security controls the system must contain to ensure compliance with the company’s security needs. This plan provides a complete description of the system and ties it to key company documents, such as configuration management, test and evaluation plans, system interconnection agreements, security accreditations, etc.

24
Q

Bullets: Information gathering

A

Usually the first step in an attacker’s methodology, in which the information gathered may allow an attacker to infer additional information that can be used to compromise systems.

25
Q

Bullets: Object Linking and Embedding Database (OLE DB)

A

Separates data into components that run as middleware on a client or server. It provides a low-level interface to link information across different databases, and provides access to data no matter where they are located or how they are formatted. The following are some characteristics of an OLE DB:

26
Q

Emphasis: parameter validation

A

The issue of parameter validation is akin to the issue of input validation mentioned earlier. Parameter validation is where the values that are being received by the application are validated to be within defined limits before the server application processes them within the system. The main difference between parameter validation and input validation would have to be whether the application was expecting the user to input a value as opposed to an environment variable that is defined by the application. Attacks in this area deal with manipulating values that the system would assume are beyond the client being able to configure, mainly because there isn’t a mechanism provided in the interface to do so.

27
Q

Emphasis: Fast flux

A

NOTE Fast flux is an evasion technique. Botnets can use fast flux functionality to hide the phishing and malware delivery sites they are using. One common method is to rapidly update DNS information to disguise the hosting location of the malicious web sites.

28
Q

Explanation Bullets: In reality, the flaws within the software cause a majority of the vulnerabilities in the first place. Several reasons explain why perimeter devices are more often considered than dealing with the insecurities within the software:

A
  • In the past, it was not crucial to implement security during the software development stages; thus, many programmers today do not practice these procedures.
  • Most security professionals are not software developers, and thus do not have complete insight to software vulnerability issues.
  • Many software developers do not have security as a main focus. Functionality is usually considered more important than security.
  • Software vendors are trying to get their products to market in the quickest possible time, and thus do not take time for proper security architecture, design, and testing steps.
  • The computing community has gotten used to receiving software with flaws and then applying patches. This has become a common and seemingly acceptable practice.
  • Customers cannot control the flaws in the software they purchase, so they must depend upon perimeter protection.
29
Q

Emphasis: Spam Detection

A

Spam Detection

We are all pretty tired of receiving emails that try to sell us things we don’t need. A great job, a master’s degree that requires no studying, and a great sex life are all just a click away (and only $19.99!)—as promised by this continual stream of messages. These emails have been given the label spam, which is electronic unsolicited junk email. Along with being a nuisance, spam eats up a lot of network bandwidth and can be the source of spreading malware. Many organizations have spam filters on their mail servers, and users can configure spam rules within their e-mail clients, but just as virus writers always come up with ways to circumvent antivirus software, spammers come up with clever ways of getting around spam filters.

30
Q

Bullets: Self-garbling virus

A

Attempts to hide from antivirus software by modifying its own code so that it does not match predefined signatures.

31
Q

Emphasis: Information Gathering

A

Information Gathering

Information gathering is usually the first step in an attacker’s methodology. Information gathered may allow an attacker to infer additional information that can be used to compromise systems. Unfortunately, most of the information gathered is from sources that are available to anyone who asks. The big search engines make it even easier for an attacker to gather information because they aggregate information and can return results from the search engine’s cache without the attacker ever connecting to the target company’s web server.

32
Q

Explanations: Java Platform, Enterprise Edition

A

Another distributed computing model is based upon the Java programming language, which is the Java Platform, Enterprise Edition (J2EE). Just as the COM and CORBA models were created to allow a modular approach to programming code with the goal of interoperability, J2EE defines a client/server model that is object oriented and platform independent.

33
Q

Bullets: Polymorphic virus

A

Produces varied but operational copies of itself. A polymorphic virus may have no parts that remain identical between infections, making it very difficult to detect directly using signatures.

34
Q

Emphasis: Transaction persistence

A

NOTE Transaction persistence means the database procedures carrying out transactions are durable and reliable. The state of the database’s security should be the same after a transaction has occurred, and the integrity of the transaction needs to be ensured.

35
Q

Explanations: Specific Threats for Web Environments

A

The most common types of vulnerabilities, threats, and complexities are covered in the following sections, which we will explore one at a time:

36
Q

Emphasis: Service-Oriented Architecture

A

Service-Oriented Architecture

While many of the previously described distributed computing technologies are still in use, the industry has moved toward and integrated another approach in providing commonly needed application functionality and procedures across various environments. A service-oriented architecture (SOA) provides standardized access to the most needed services to many different applications at one time. Application functionality is separated into distinct units (services) and offered up through well-defined interfaces and data-sharing standardization. This means that individual applications do not need to possess the same redundant code and functionality. The functionality can be offered by an individual entity and then all other applications can just call upon and use the one instance. This is really the crux of all distributed computing technologies and approaches—SOA is just a more web-based approach.

37
Q

Bullets: Change control

A

The process of controlling the changes that take place during the life cycle of a system and documenting the necessary change control activities.

38
Q

Bullets: Database management system (DBMS)

A

Enforces access control restrictions, provides data integrity and redundancy, and sets up different procedures for data management manipulation.

39
Q

Bullets: Stealth virus

A

A virus that hides the modifications it has made. The virus tries to trick antivirus software by intercepting its requests to the operating system and providing false and bogus information.

40
Q

Bullets: Natural languages

A

Otherwise known as fifth-generation programming languages, which have the goal to create software that can solve problems by themselves. Used in systems that provide artificial intelligence.

41
Q

Bullets: Formal risk assessment

A

Identifies vulnerabilities and threats in the proposed system and the potential risk levels as they pertain to confidentiality, integrity, and availability. This builds upon the initial risk assessment carried out in the previous phase. The results of this assessment help the team build the system’s security plan.

42
Q

Explanations: Static Analysis

A

Static analysis is a debugging technique that is carried out by examining the code without executing the program, and therefore is carried out before the program is compiled. The term static analysis is generally reserved for automated tools that assist programmers and developers, whereas manual inspection by humans is generally referred to as code review.

43
Q

Bullets: Attack surface analysis

A

Identify and reduce the amount of code accessible to untrusted users.

44
Q

Emphasis: inference engine

A

Rule-based programming is a common way of developing expert systems. The rules are based on if-then logic units and specify a set of actions to be performed for a given situation. This is one way expert systems are used to find patterns, which is called pattern matching. A mechanism, called the inference engine, automatically matches facts against patterns and determines which rules are applicable. The actions of the corresponding rules are executed when the inference engine is instructed to begin execution.

45
Q

Bullets: Pre-validation

A

Input controls verifying data are in appropriate format and compliant with application specifications prior to submission to the application. An example of this would be form field validation, where web forms do not allow letters in a field that is expecting to receive a number (currency) value.

46
Q

Bullets: Waterfall

A

Sequential approach that requires each phase to complete before the next one can begin. Difficult to integrate changes. Inflexible model.

47
Q

Explanation Bullets: We will cover the main categories of malware in the following sections, but the main reasons that they are all increasing in numbers and potency are as follows:

A
  • Environments are heterogeneous and increase in complexity.
  • Everything is becoming a computer (phones, TVs, play stations, power grids, medical devices, etc.), and thus all are capable of being compromised.
  • More people and companies are storing all of their data in some digital format.
  • More people and devices are connecting through various interfaces (phone apps, Facebook, web sites, email, texting, e-commerce, etc.).
  • Many accounts are configured with too much privilege (administrative or root access).
  • More people who do not understand technology are using it for sensitive purposes (online banking, e-commerce, etc.).
48
Q

Bullets: Security assurance requirements analysis

A

Identifies the assurance levels the system must provide. The activities that need to be carried out to ensure the desired level of confidence in the system are determined, which are usually specific types of tests and evaluations.

49
Q

Bullets: Object linking and embedding (OLE)

A

Provides a way for objects to be shared on a local computer and to use COM as their foundation. It is a technology developed by Microsoft that allows embedding and linking to documents and other objects.

50
Q

Bullets: Interpreters

A

Tools that convert code written in interpreted languages to the machine-level format for processing.

51
Q

Explanation Bullets: The proliferation of malware has a direct relationship to the large amount of profit individuals can make without much threat of being caught. The most commonly used schemes for making money through malware are as follows:

A
  • Spyware collects personal data for the malware developer to resell to others.
  • Malware redirects web traffic so that people are pointed toward a specific product for purchase.
  • Malware installs back doors on systems, and they are used as proxies to spread spam or pornographic material.
  • Systems are infected with bots and are later used in distributed-denial-of-service attacks.
  • Malware installs key loggers, which collect sensitive financial information for the malware author to use.
  • Malware is used to carry out phishing attacks, fraudulent activities, identity theft steps, and information warfare activities.
52
Q

Emphasis: stealth virus

A

A stealth virus hides the modifications it has made to files or boot records. This can be accomplished by monitoring system functions used to read files or sectors and forging the results. This means that when an antivirus program attempts to read an infected file or sector, the original uninfected form will be presented instead of the actual infected form. The virus can hide itself by masking the size of the file it is hidden in or actually move itself temporarily to another location while an antivirus program is carrying out its scanning process.

53
Q

Bullets: Unicode encoding

A

Unicode is an industry-standard mechanism developed to represent the entire range of over 100,000 textual characters in the world as a standard coding format. Web servers support Unicode to support different character sets (for different languages), and, at one time, many web server software applications supported it by default. So, even if we told our systems to not allow the “../” directory traversal request mentioned earlier, an attacker using Unicode could effectively make the same directory traversal request without using “/” but with any of the Unicode representations of that character (three exist: %c1%1c, %c0%9v, and %c0%af). That request may slip through unnoticed and be processed.

54
Q

Explanations: Operations/Maintenance

A

The system was secure when we installed it. I am sure nothing has changed since then.

55
Q

Bullets: Java Database Connectivity (JDBC)

A

An API that allows a Java application to communicate with a database. The application can bridge through ODBC or directly to the database. The following are some characteristics of JDBC:

56
Q

Bullets: P2

A

Moderate Privacy Risk: The sole behavior that affects privacy in the feature, product, or service is a one-time, user-initiated anonymous data transfer (e.g., the user clicks on a link and goes out to a web site).

57
Q

Explanations: Data Structures

A

A data structure is a representation of the logical relationship between elements of data. It dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements.

58
Q

Bullets: Post-validation

A

Ensuring an application’s output is consistent with expectations (that is, within predetermined constraints of reasonableness).

59
Q

Emphasis: Rapid Application Development (RAD)

A

The Rapid Application Development (RAD) model relies more on the use of rapid prototyping instead of extensive upfront planning. In this model, the planning of how to improve the software is interleaved with the processes of developing the software, which allows for software to be developed quickly. The delivery of a workable piece of software can take place in less than half the time compared to other development models. The RAD model combines the use of prototyping and iterative development procedures with the goal of accelerating the software development process. The development process begins with creating data models and business process models to help define what the end-result software needs to accomplish. Through the use of prototyping, these data and process models are refined. These models provide input to allow for the improvement of the prototype, and the testing and evaluation of the prototype allow for the improvement of the data and process models. The goal of these steps is to combine business requirements and technical design statements, which provide the direction in the software development project.

60
Q

Explanations: SDLC and Security

A

The main phases of a software development life cycle are shown here with some specific security tasks:

61
Q

Bullets: Two-phase commit

A

Another control used in databases to ensure the integrity of the data held within the database.

62
Q

Emphasis: Release/Maintenance Phase

A

Release/Maintenance Phase

Once the software code is developed and properly tested, it is released so that it can be implemented within the intended production environment. The software development team’s role is not finished at this point. Newly discovered problems and vulnerabilities are commonly identified. For example, if a company developed a customized application for a specific customer, the customer could run into unforeseen issues when rolling out the product within their various networked environments. Interoperability issues might come to the surface, or some configurations may break critical functionality. The developers would need to make the necessary changes to the code, retest the code, and re-release the code.

63
Q

Emphasis: DOM (Document Object Model)

A

DOM (Document Object Model)–based XSS vulnerabilities are also referred to as local cross-site scripting. DOM is the standard structure layout to represent HTML and XML documents in the browser. In such attacks the document components such as form fields and cookies can be referenced through JavaScript. The attacker uses the DOM environment to modify the original client-side JavaScript. This causes the victim’s browser to execute the resulting abusive JavaScript code.

64
Q

Emphasis: Administrative Interfaces

A

Administrative Interfaces

Everyone wants to work from the coffee shop or at home in their pajamas. Webmasters and web developers are particularly fond of this concept. Although some systems mandate that administration be carried out from a local terminal, in most cases, there is an interface to administer the systems remotely, even over the Web. While this may be convenient to the webmaster, it also provides an entry point into the system for an unauthorized user.

65
Q

Emphasis: logic bomb

A

A logic bomb executes a program, or string of code, when a certain set of conditions are met. For example, a network administrator may install and configure a logic bomb that is programmed to delete the company’s whole database if he is terminated.

66
Q

Bullets: Compilers

A

Tools that convert high-level language statements into the necessary machine-level format (.exe, .dll, etc.) for specific processors to understand.

67
Q

Bullets: Data modeling

A

Considers data independently of the way the data are processed and of the components that process the data. A process used to define and analyze data requirements needed to support the business processes.

68
Q

Bullets: Acceptance testing

A

Ensuring that the code meets customer requirements.

69
Q

Bullets: Fuzzing

A

A technique used to discover flaws and vulnerabilities in software.

70
Q

Bullets: Rapid Application Development

A

Combines prototyping and iterative development procedures with the goal of accelerating the software development process.

71
Q

Bullets: Validation

A

Determines if the product provides the necessary solution for the intended real-world problem.

72
Q

Bullets: Functional model

A

Outlines the tasks and functions the application needs to carry out.

73
Q

Explanation Bullets: 10. D. The following are correct characteristics of the ACID test:

A
  • Atomicity Divides transactions into units of work and ensures that all modifications take effect or none take effect. Either the changes are committed or the database is rolled back.
  • Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data are consistent in the different databases.
  • Isolation Transactions execute in isolation until completed without interacting with other transactions. The results of the modification are not available until the transaction is completed.
  • Durability Once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.
74
Q

Explanations: Logic Bombs

A

A logic bomb executes a program, or string of code, when a certain set of conditions is met. For example, a network administrator may install and configure a logic bomb that is programmed to delete the company’s whole database if he is terminated.

75
Q

Emphasis: Persistent XSS

A

Persistent XSS vulnerabilities, also known as stored or second-order vulnerabilities, are generally targeted at web sites that allow users to input data which are stored in a database or any other such location, e.g., forums, message boards, guest books, etc. The attacker posts some text that contains some malicious JavaScript, and when other users later view the posts, their browsers render the page and execute the attacker’s JavaScript.

76
Q

Bullets: P1

A

High Privacy Risk: The feature, product, or service stores or transfers Personally Identifiable Information (PII); monitors the user with an ongoing transfer of anonymous data; changes settings or file type associations; or installs software.

77
Q

Emphasis: operational prototypes

A

The operational prototypes are an extension of the evolutionary prototype method. Both models (operational and evolutionary) improve the quality of the prototype as more data are gathered, but the operational prototype is designed to be implemented within a production environment as it is being tweaked. The operational prototype is updated as customer feedback is gathered, and the changes to the software happen within the working site.

78
Q

Emphasis: Project Management

A

Project Management

Many developers know that good project management keeps the project moving in the right direction, allocates the necessary resources, provides the necessary leadership, and plans for the worst yet hopes for the best. Project management processes should be put into place to make sure the software development project executes each life-cycle phase properly. Project management is an important part of product development, and security management is an important part of project management.

79
Q

Explanation Bullets: Each object should have specifications it should adhere to. This discipline provides cleaner programming and reduces programming errors and omissions. The following list is an example of what should be developed for each object:

A
  • Object name
  • Attribute descriptions
  • Attribute name
  • Attribute content
  • Attribute data type
  • External input to object
  • External output from object
  • Operation descriptions
  • Operation name
  • Operation interface description
  • Operation processing description
  • Performance issues
  • Restrictions and limitations
  • Instance connections
  • Message connections
80
Q

Bullets: Server side includes (SSI)

A

An interpreted server-side scripting language used almost exclusively for web-based communication. It is commonly used to include the contents of one or more files into a web page on a web server. Allows web developers to reuse content by inserting the same content into multiple web documents.

81
Q

Bullets: Bots

A

Software applications that run automated tasks over the Internet, which perform tasks that are both simple and structurally repetitive. Malicious use of bots is the coordination and operation of an automated attack by a botnet (centrally controlled collection of bots).

82
Q

Explanations: Malicious Software (Malware)

A

Several types of malicious code or malware exist, such as viruses, worms, Trojan horses, and logic bombs. They usually are dormant until activated by an event the user or system initiates. They can be spread by email, sharing media, sharing documents and programs, or downloading things from the Internet, or they can be purposely inserted by an attacker.

83
Q

Bullets: High-level languages

A

Also known as third-generation programming languages because of their refined programming structures, which use abstract statements.

84
Q

Bullets: Incremental

A

Multiple development cycles are carried out on a piece of software throughout its development stages. Each phase provides a usable version of software.

85
Q

Emphasis: Testing/Validation Phase

A

Testing/Validation Phase

Formal and informal testing should begin as soon as possible. Unit testing can start very early in development. After a programmer develops a component, or unit of code, it is tested with several different input values and in many different situations. The goal of this type of testing is to isolate each part of the software and show that the individual parts are correct. Unit testing usually continues throughout the development phase. A totally different group of people should carry out the formal testing. This is an example of separation of duties. A programmer should not develop, test, and release software. The more eyes that see the code, the greater the chance that flaws will be found before the product is released.

86
Q

Explanation Bullets: 14. A. The software development models and their definitions are as follows:

A
  • Joint Analysis Development (JAD) A method that uses a team approach in application development in a workshop-oriented environment.
  • Rapid Application Development (RAD) A method of determining user requirements and developing systems quickly to satisfy immediate needs.
  • Reuse Model A model that approaches software development by using progressively developed models. Reusable programs are evolved by gradually modifying pre-existing prototypes to customer specifications. Since the Reuse model does not require programs to be built from scratch, it drastically reduces both development cost and time.
  • Cleanroom An approach that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and critical applications that will be put through a strict certification process.
87
Q

Emphasis: artificial neural network (ANN)

A

An artificial neural network (ANN) is a mathematical or computational model based on the neural structure of the brain. Computers perform activities like calculating large numbers, keeping large ledgers, and performing complex mathematical functions, but they cannot recognize patterns or learn from experience as the brain can. ANNs contain many units that simulate neurons, each with a small amount of memory. The units work on data that are input through their many connections. Via training rules, the systems are able to learn from examples and have the capability to generalize.

88
Q

Emphasis: high coupling

A

An example of low coupling would be one module passing a variable value to another module. As an example of high coupling, Module A would pass a value to Module B, another value to Module C, and yet another value to Module D. Module A cannot complete its tasks until Modules B, C, and D complete their tasks and return results back to Module A.

89
Q

Bullets: Software as a Service (SAAS)

A

A software delivery model that allows applications and data to be centrally hosted and accessed by thin clients, commonly web browsers. A common delivery method of cloud computing.

90
Q

Bullets: Machine language

A

A set of instructions in binary format that the computer’s processor can understand and work with directly.

91
Q

Bullets: Behavior blocking

A

Allows the suspicious code to execute within the operating system and watches its interactions with the operating system, looking for suspicious activities.

92
Q

Bullets: Initial

A

Development process is ad hoc or even chaotic. The company does not use effective management procedures and plans. There is no assurance of consistency, and quality is unpredictable.

93
Q

Bullets: Immunizer

A

Attaches code to the file or application, which would fool a virus into “thinking” it was already infected.

94
Q

Emphasis: Relational Database Components

A

Relational Database Components

Like all software, databases are built with programming languages. Most database languages include a data definition language (DDL), which defines the schema; a data manipulation language (DML), which examines data and defines how the data can be manipulated within the database; a data control language (DCL), which defines the internal organization of the database; and an ad hoc query language (QL), which defines queries that enable users to access the data within the database.

95
Q

Bullets: Eradication

A

Removes itself after the payload has been executed.

96
Q

Bullets: Noise and perturbation

A

A technique of inserting bogus information in the hopes of misdirecting an attacker or confusing the matter enough that the actual attack will not be fruitful.

97
Q

Bullets: System development life cycle (SDLC)

A

A methodical approach to standardize requirements discovery, design, development, testing, and implementation in every phase of a system. It is made up of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal.

98
Q

Emphasis: Session Management

A

Session Management

As highlighted earlier, managing several thousand different clients connecting to a web-based application is a challenge. The aspect of session management requires consideration before delivering applications via the Web. Commonly, the most used method of managing client sessions is by assigning unique session IDs to every connection. A session ID is a value sent by the client to the server with every request that uniquely identifies the client to the server or application. In the event that an attacker was able to acquire or even guess an authenticated client’s session ID and render it to the server as its own session ID, the server would be fooled and the attacker would have access to the session.

99
Q

Bullets: Foreign key

A

An attribute of one table that is related to the primary key of another table.

100
Q

Bullets: Service-oriented architecture (SOA)

A

Provides standardized access to the most needed services to many different applications at one time. Service interactions are self-contained and loosely coupled, so that each interaction is independent of any other interaction.

101
Q

Emphasis: Database Management Software

A

Database Management Software

A database is a collection of data stored in a meaningful way that enables multiple users and applications to access, view, and modify data as needed. Databases are managed with software that provides these types of capabilities. It also enforces access control restrictions, provides data integrity and redundancy, and sets up different procedures for data manipulation. This software is referred to as a database management system (DBMS) and is usually controlled by a database administrator. Databases not only store data, but may also process data and represent them in a more usable and logical form. DBMSs interface with programs, users, and data within the database. They help us store, organize, and retrieve information effectively and efficiently.

102
Q

Bullets: Inference engine

A

A computer program that tries to derive answers from a knowledge base. It is the “brain” that expert systems use to reason about the data in the knowledge base for the ultimate purpose of formulating new conclusions.

103
Q

Bullets: Cross-site scripting (XSS)

A

An attack where a vulnerability is found on a web site that allows an attacker to inject malicious code into a web application.

104
Q

Emphasis: COM and DCOM

A

COM and DCOM

Component Object Model (COM) is a model that allows for interprocess communication within one application or between applications on the same computer system. The model was created by Microsoft and outlines standardized APIs, component naming schemes, and communication standards. So if I am a developer and I want my application to be able to interact with the Windows operating system and the different applications developed for this platform, I will follow the COM outlined standards.

105
Q

Bullets: Primary key

A

Columns that make each row unique. (Every row of a table must include a primary key.)

106
Q

Emphasis: Environment versus Application

A

Environment versus Application

Software controls can be implemented by the operating system or by the application—and usually a combination of both is used. Each has its strengths and weaknesses, but if they are all understood and programmed to work in a concerted effort, then many different scenarios and types of compromises can be thwarted. One downside to relying mainly on operating system controls is that although they can control a subject’s access to different objects and restrict the actions of that subject within the system, they do not necessarily restrict the subject’s actions within an application. If an application has a security vulnerability within its own programming code, it is hard for the operating system to predict and control this vulnerability. An operating system is a broad environment for many applications to work within. It is unfair to expect the operating system to understand all the nuances of different programs and their internal mechanisms.

107
Q

Bullets: Worms

A

These are different from viruses in that they can reproduce on their own without a host application and are self-contained programs.

108
Q

Bullets: Atomicity

A

Divides transactions into units of work and ensures that all modifications take effect or none takes effect. Either the changes are committed or the database is rolled back.

109
Q

Explanations: Acquisition/Development

A

Before the system is actually developed or purchased, several things should take place to ensure the end result meets the company’s true needs. Some of the activities are as follows:

110
Q

Explanations: Development Phase

A

This is the phase where the programmers become deeply involved. The software design that was created in the previous phase is broken down into defined deliverables, and programmers develop code to meet the deliverable requirements.

111
Q

Emphasis: Script viruses

A

Script viruses have been quite popular and damaging over the last several years. Scripts are files that are executed by an interpreter—for example, Microsoft Windows Script Host, which interprets different types of scripting languages. Web sites have become more dynamic and interactive through the use of script files written in Visual Basic (VBScript) and Java (JScript) as well as other scripting languages that are embedded in HTML. When a web page that has these scripts embedded is requested by a web browser, these embedded scripts are executed, and if they are malicious, then everything just blows up. Okay, this is a tad overdramatic. The virus will carry out the payload (instructions) that the virus writer has integrated into the script, whether it is sending out copies of itself to everyone in your contact list or deleting critical files. Scripts are just another infection vector used by malware writers to carry out their evil ways.

112
Q

Emphasis: only

A

Client-side validation is when the input validation is done at the client before it is even sent back to the server to process. If you miss a field in a web form and, before clicking Submit, immediately receive a message informing you that you’ve forgotten to fill in one of the fields, you’ve experienced client-side validation. This is a good idea, rather than sending incomplete requests to the server and the server having to send back an error message to the user. The problem arises when the client-side validation is the only validation that takes place. In this situation, the server trusts that the client has done its job correctly and processes the input as if it is valid. In normal situations, accepting this input would be fine, but when an attacker can intercept the traffic between the client and server and modify it, or just directly make illegitimate requests to the server without using a client, a compromise is more likely.

113
Q

Emphasis: Spyware

A

Spyware is a type of malware that is covertly installed on a target computer to gather sensitive information about a victim. The gathered data may be used for malicious activities, e.g., identity theft, spamming, fraud, etc. Spyware can also gather information about a victim’s online browsing habits, which are then often used by spammers to send targeted advertisements. It can also be used by an attacker to direct a victim’s computer to perform tasks such as installing software, changing system settings, transferring browsing history, logging keystrokes, taking screenshots, etc.

114
Q

Bullets: Path or directory traversal

A

This attack is also known as the “dot dot slash” because it is perpetrated by inserting the characters “../” several times into a URL to back up or traverse into directories that weren’t supposed to be accessible from the Web. The command “../” at the command prompt tells the system to back up to the previous directory (i.e., “cd ../”). If a web server’s default directory is c:\inetpub\www, a URL requesting http://www.website.com/scripts/../../../../../windows/system32/cmd.exe?/c+dir+c:\ would issue the command to back up several directories to ensure it has gone all the way to the root of the drive and then make the request to change to the operating system directory (windows\system32) and run the cmd.exe listing the contents of the C: drive. Access to the command shell allows extensive access for the attacker.

115
Q

Emphasis: ActiveX Controls

A

ActiveX Controls

ActiveX is a Microsoft technology composed of a set of OOP technologies and tools based on COM and DCOM. A programmer uses these tools to create ActiveX controls, which are self-sufficient programs similar to Java applets. ActiveX controls can be reused by many applications within one system or different systems within an environment. These controls can be downloaded from web sites to add extra functionality (as in providing animations for web pages), but they are also components of Windows operating systems themselves (dynamic link libraries [DLLs]) and carry out common operating system tasks.

116
Q

Bullets: Trigger

A

Uses an event to initiate its payload execution.

117
Q

Bullets: Cleanroom

A

An approach that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and critical applications that will be put through a strict certification process.

118
Q

Emphasis: Capability Maturity Models (CMMs)

A

Capability Maturity Models (CMMs) are used for many different purposes, software development processes being one of them. They are general models that allow for maturity-level identification and maturity improvement steps. We showed how CMM can be used for organizational security program improvement processes in Chapter 2.

119
Q

Explanations: Testing Types

A

If we would like the assurance that the software is any good at all, we should probably test it.

120
Q

Emphasis: Distributed Computing

A

Distributed Computing

Many of our applications work in a client/server model, which means the smaller part (client) of the application can run on different systems and the larger piece (server) of the application runs on a single, and commonly more powerful, back-end system. The server portion carries out more functionality and horsepower compared to the clients. The clients will send the server portion requests, and the server will respond with results. Simple enough, but how do the client and server pieces actually carry out communication with each other?

121
Q

Bullets: Cohesion

A

A measurement that indicates how many different types of tasks a module needs to carry out.

122
Q

Bullets: Macro virus

A

A virus written in a macro language that is platform independent. Since many applications allow macro programs to be embedded in documents, the programs may be run automatically when the document is opened. This provides a distinct mechanism by which viruses can be spread.

123
Q

Bullets: Rollback

A

An operation that ends a current transaction and cancels all the recent changes to the database until the previous checkpoint/commit point.

124
Q

Bullets: Java Platform, Enterprise Edition (J2EE)

A

Based upon the Java programming language, which allows a modular approach to programming code with the goal of interoperability. J2EE defines a client/server model that is object oriented and platform independent.

125
Q

Bullets: Integration testing

A

Verifying that components work together as outlined in design specifications.

126
Q

Emphasis: evolutionary prototypes

A

When evolutionary prototypes are developed, they are built with the goal of incremental improvement. Instead of being discarded after being developed, as in the rapid prototype approach, the prototype in this model is continually improved upon until it reaches the final product stage. Feedback that is gained through each development phase is used to improve the prototype and get closer to accomplishing the customer’s needs.

127
Q

Bullets: Object-relational database (ORD)

A

Uses an object-relational database management system (ORDBMS); it is a relational database with a software front end that is written in an object-oriented programming language.

128
Q

Emphasis: knowledge discovery in database (KDD)

A

Data mining is also known as knowledge discovery in database (KDD), and is a combination of techniques to identify valid and useful patterns. Different types of data can have various interrelationships, and the method used depends on the type of data and the patterns sought. The following are three approaches used in KDD systems to uncover these patterns:

129
Q

Bullets: Disposal

A

System is removed from the production environment.

130
Q

Emphasis: Nonpersistent XSS

A

Nonpersistent XSS vulnerabilities, or reflected vulnerabilities, occur when an attacker tricks the victim into processing a URL programmed with a rogue script to steal the victim’s sensitive information (cookie, session ID, etc.). The principle behind this attack lies in exploiting the lack of proper input or output validation on dynamic web sites.

131
Q

Emphasis: Rapid prototyping

A

Rapid prototyping is an approach that allows the development team to quickly create a prototype (sample) to test the validity of the current understanding of the project requirements. As an analogy, let’s say that you and your spouse were thinking about starting a family and having children. Instead of forging ahead and enduring the nine-month-long pregnancy adventure, you decide to babysit your brother’s kids for two weeks to see if you even like kids. You and your spouse could potentially find out very quickly that this is not the life for you and instead buy a plant.

132
Q

Bullets: Reuse model

A

A model that approaches software development by using progressively developed models. Reusable programs are evolved by gradually modifying pre-existing prototypes to customer specifications. Since the reuse model does not require programs to be built from scratch, it drastically reduces both development cost and time.

133
Q

Bullets: Authenticode

A

A type of code signing, which is the process of digitally signing software components and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was digitally signed. Authenticode is Microsoft’s implementation of code signing.

134
Q

Explanations: Verification versus Validation

A

Verification determines if the product accurately represents and meets the specifications. After all, a product can be developed that does not match the original specifications, so this step ensures the specifications are being properly met.

135
Q

Emphasis: mashup

A

A mashup is the combination of functionality, data, and presentation capabilities of two or more sources to provide some type of new service or functionality. Open APIs and data sources are commonly aggregated and combined to provide a more useful and powerful resource. For example, the site http://hireadroid.com combines the functionality of APIs provided by the following sites: CareerBuilder, LinkedIn, LinkUp Job Search Engine, and Simply Hired Jobs.

136
Q

Bullets: Isolation

A

Transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed.

137
Q

Emphasis: Agile Model

A

Agile Model

The industry seems to be full of software development models, each trying to improve upon the deficiencies of the ones before it. Before the Agile approach to development was created, teams were following rigid process-oriented models. These approaches focused more on following procedures and steps instead of potentially carrying out tasks in a more efficient manner. As an analogy, if you have ever worked within or interacted with a large government agency, you may have come across silly processes that took too long and involved too many steps. If you are a government employee and need to purchase a new chair, you might have to fill out four sets of documents that need to be approved by three other departments. You probably have to identify three different chair vendors, who have to submit a quote, which goes through the contracting office. It might take you a few months to get your new chair. The focus is to follow a protocol and rules instead of efficiency.

138
Q

Emphasis: polymorphic virus

A

A polymorphic virus produces varied but operational copies of itself. This is done in the hopes of outwitting a virus scanner. Even if one or two copies are found and disabled, other copies may still remain active within the system.

139
Q

Explanations: How Do We Know What to Create?

A

Object-oriented analysis (OOA) is the process of classifying objects that will be appropriate for a solution. A problem is analyzed to determine the classes of objects to be used in the application.

140
Q

Bullets: Unit testing

A

An individual component is tested in a controlled environment where programmers validate data structure, logic, and boundary conditions.

141
Q

Emphasis: Input Validation

A

Input Validation

Web servers are just like any other software applications; they can only carry out the functionality their instructions dictate. They are designed to process requests via a certain protocol. When a person interacts with their web browser and types in a request for http://www.logicalsecurity.com/index.htm, they are using a protocol called Hypertext Transfer Protocol (HTTP) to request the file “index.htm” from the server “www” in the “logicalsecurity.com” namespace. A request in this form is called a Uniform Resource Locator (URL). Like many situations in our digital world, there is more than one way to request something because computers speak several different “languages”—such as binary, hexadecimal, and many encoding mechanisms—each of which is interpreted and processed by the system as valid commands. Validating that these requests are allowed is part of input validation and is usually tied to coded validation rules within the web server software. Attackers have figured out how to bypass some of these coded validation rules.

142
Q

Bullets: Relational database model

A

Uses attributes (columns) and tuples (rows) to contain and organize information.

143
Q

Bullets: Trojan horse

A

A program that is disguised as another program with the goal of carrying out malicious activities in the background without the user knowing.

144
Q

Bullets: Artificial neural network (ANN)

A

A mathematical or computational model based on the neural structure of the brain.

145
Q

Bullets: Requirements analysis

A

In-depth study of what functions the company needs the desired system to carry out.

146
Q

Bullets: Durability

A

Once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.

147
Q

Bullets: Component Object Model (COM)

A

A model developed by Microsoft that allows for interprocess communication between applications potentially written in different programming languages on the same computer system.

148
Q

Bullets: Open Database Connectivity (ODBC)

A

An API that allows an application to communicate with a database, either locally or remotely. The application sends requests to the ODBC API. ODBC locates the necessary database-specific driver, which translates the requests into the database commands that the particular database will understand.

149
Q

Emphasis: fingerprint detection

A

Signature-based detection (also called fingerprint detection) is an effective way to detect malicious software, but there is a delayed response time to new threats. Once a virus is detected, the antivirus vendor must study it, develop and test a new signature, release the signature, and all customers must download it. If the malicious code is just sending out silly pictures to all of your friends, this delay is not so critical. If the malicious software is similar to the Slammer worm, this amount of delay can be devastating.

150
Q

Explanations: Language Levels

A

High, really high, very high, not so high, kind of short. What does this really mean?

151
Q

Emphasis: boot sector viruses

A

Some viruses infect the boot sector (boot sector viruses) of a computer and either move data within the boot sector or overwrite the sector with new information. Some boot sector viruses have part of their code in the boot sector, which can initiate the virus when a system boots up, and the rest of their code in sectors on the hard drive it has marked off as bad. Because the sectors are marked as bad, the operating system and applications will not attempt to use those sectors; thus, they will not get overwritten.

152
Q

Emphasis: Database Management

A

Database Management

Databases have a long history of storing important intellectual property and items that are considered valuable and proprietary to companies. Because of this, they usually live in an environment of mystery to all but the database and network administrators. The less anyone knows about the databases, the better. Users generally access databases indirectly through a client interface, and their actions are restricted to ensure the confidentiality, integrity, and availability of the data held within the database and the structure of the database itself.

153
Q

Emphasis: Crimeware Toolkits

A

Crimeware Toolkits

It used to require programming knowledge to be able to create and spread malware, but today people can purchase crimeware toolkits that allow them to create their own tailored malware through GUI-based tools. These toolkits provide pre-developed malicious code that can be easily customized, deployed, and automated. The kits are sold in the online underground black market and allow people with little to no technical skill to carry out cybercrime activities. These “out-of-the-box” solutions have lowered the entry barrier for cybercriminals by making sophisticated attacks easy to carry out.

154
Q

Emphasis: Agile model

A

The Agile model is an umbrella term for several development methodologies. It focuses not on rigid, linear, stepwise processes, but instead on incremental and iterative development methods that promote cross-functional teamwork and continuous feedback mechanisms. This model is considered “lightweight” compared to the traditional methods that are “heavyweight,” which just means this model is not confined to a tunneled vision and overly structured approach. It is nimble and flexible enough to adapt to each project’s needs. The industry found out that even an exhaustive library of defined processes cannot handle every situation that could arise during a development project. So instead of investing time and resources into big upfront design analysis, this model focuses on small increments of functional code that are created based upon business need.

155
Q

Emphasis: work breakdown structure (WBS)

A

A work breakdown structure (WBS) is a project management tool used to define and group a project’s individual work elements in an organized manner. The SDLC should be illustrated in a WBS format, so that each phase is properly addressed.

156
Q

Bullets: Regression testing

A

After a change to a system takes place, retesting to ensure functionality, performance, and protection.

157
Q

Bullets: Optimizing

A

The company has budgeted and integrated plans for continuous process improvement.

158
Q

Emphasis: Zero-day vulnerabilities

A

NOTE Zero-day vulnerabilities are vulnerabilities that do not currently have a resolution. If a vulnerability is identified and there is not a pre-established fix (patch, configuration, update), it is considered a zero day.

159
Q

Explanations: Data Modeling

A

Let’s see. The data went thataway. Oh no, it went thataway. Oops, I lost the data.

160
Q

Explanations: Database Programming Interfaces

A

Data are useless if you can’t get to them and use them. Applications need to be able to obtain and interact with the information stored in databases. They also need some type of interface and communication mechanism. The following sections address some of these interface languages:

161
Q

Bullets: Database

A

A collection of data stored in a meaningful way that enables multiple users and applications to access, view, and modify data as needed.

162
Q

Emphasis: Software Configuration Management

A

Software Configuration Management

When changes take place to a software product during its development life cycle, a configuration management system can be put into place that allows for change control processes to take place through automation. A product that provides Software Configuration Management (SCM) identifies the attributes of software at various points in time, and performs a methodical control of changes for the purpose of maintaining software integrity and traceability throughout the software development life cycle. It defines the need to track changes and provides the ability to verify that the final delivered software has all of the approved changes that are supposed to be included in the release.

163
Q

Explanations: Java Applets

A

Java is an object-oriented, platform-independent programming language. It is employed as a full-fledged programming language and is used to write complete programs and small components, called applets, which commonly run in a user’s web browser.

164
Q

Emphasis: preliminary risk assessment

A

A preliminary risk assessment should be carried out to develop an initial description of the confidentiality, integrity, and availability requirements of the system. The assessment should define the environment in which the system will operate and any identified vulnerabilities. This will help the team to start the process of identifying the required security controls that the system will need to possess.

165
Q

Explanations: What Is a Virus?

A

A virus is a segment of code that searches out hosts and infects them by embedding a copy of itself. When the infected host executes, the embedded virus is executed, which propagates the infection.

166
Q

Bullets: Classification

A

Groups together data according to shared similarities.

167
Q

Emphasis: Which Standard Is Best?

A

Which Standard Is Best?

So which “best practice” or standard is best for you? Most of these are general enough to be applied to different organizations and their various software development processes, but each approach has its specific focus. CMMI is a process improvement model, WASC and OWASP focus on integrating security into software development processes, BSI has a focus of protecting critical infrastructure but can be used in any software development project, and ISO/IEC 27034 is a general approach that is used more in the private industry. As with most technological standards, there is a lot of overlap between them.

168
Q

Emphasis: Artificial Neural Networks

A

Artificial Neural Networks

An artificial neural network (ANN) is a mathematical or computational model based on the neural structure of the brain. Computers perform activities like calculating large numbers, keeping large ledgers, and performing complex mathematical functions, but they cannot recognize patterns or learn from experience as the brain can. ANNs contain many units that simulate neurons, each with a small amount of memory. The units work on data that are input through their many connections. Via training rules, the systems are able to learn from examples and have the capability to generalize.

169
Q

Bullets: Rootkit

A

Set of malicious tools that are loaded on a compromised system through stealthy techniques. The tools are used to carry out more attacks either on the infected systems or surrounding systems.

170
Q

Emphasis: Object-oriented design (OOD)

A

Object-oriented design (OOD) creates a representation of a real-world problem and maps it to a software solution using OOP. The result of an OOD is a design that modularizes data and procedures. The design interconnects data objects and processing operations.

171
Q

Explanations: Software Development Life Cycle

A

There is a time to live, a time to die, a time to love… Response: And a time to shut up.

172
Q

Bullets: Mashup

A

The combination of functionality, data, and presentation capabilities of two or more sources to provide some type of new service or functionality.

173
Q

Bullets: Agile

A

Iterative and incremental development processes that encourage team-based collaboration. Flexibility and adaptability are used instead of a strict process structure.

174
Q

Bullets: Object-oriented database

A

Designed to handle a variety of data (images, audio, documents, video), which is more dynamic in nature than a relational database.

175
Q

Emphasis: (metadata)

A

A data dictionary is a central collection of data element definitions, schema objects, and reference keys. The schema objects can contain tables, views, indexes, procedures, functions, and triggers. A data dictionary can contain the default values for columns, integrity information, the names of users, the privileges and roles for users, and auditing information. It is a tool used to centrally manage parts of a database by controlling data about the data (referred to as metadata) within the database. It provides a cross-reference between groups of data elements and the databases.

176
Q

Bullets: Common Object Request Broker Architecture (CORBA)

A

Open object-oriented standard architecture developed by the Object Management Group (OMG). The standards enable software components written in different computer languages and running on different systems to communicate.

177
Q

Bullets: Defined

A

Formal procedures are in place that outline and define processes carried out in each project. The organization has a way to allow for quantitative process improvement.

178
Q

Explanations: Software Escrow

A

If a company pays another company to develop software for it, it should have some type of software escrow in place for protection. We covered this topic in Chapter 8 from a business continuity perspective, but since it directly deals with software development, we will mention it here also.

179
Q

Bullets: Computer-aided software engineering (CASE)

A

Refers to software that allows for the automated development of software, which can come in the form of program editors, debuggers, code analyzers, version-control mechanisms, and more.

180
Q

Bullets: Logic bomb

A

Executes a program, or string of code, when a certain event happens or a date and time arrives.

181
Q

Bullets: Managed

A

The company has formal processes in place to collect and analyze quantitative data, and metrics are defined and fed into the process-improvement program.

182
Q

Bullets: Joint Analysis Development (JAD)

A

A method that uses a team approach in application development in a workshop-oriented environment.

183
Q

Emphasis: Savepoints

A

Savepoints are used to make sure that if a system failure occurs, or if an error is detected, the database can attempt to return to a point before the system crashed or hiccupped. For a conceptual example, say Dave typed, “Jeremiah was a bullfrog. He was <savepoint> a good friend of mine.” (The system inserted a savepoint.) Then a freak storm came through and rebooted the system. When Dave got back into the database client application, he might see “Jeremiah was a bullfrog. He was,” but the rest was lost. Therefore, the savepoint saved some of his work. Databases and other applications will use this technique to attempt to restore the user’s work and the state of the database after a glitch, but some glitches are just too large and invasive to overcome.

184
Q

Bullets: Consistency

A

A transaction must follow the integrity policy developed for that particular database and ensure all data are consistent in the different databases.

185
Q

Bullets: Multipart virus

A

Also called a multipartite virus, this has several components to it and can be distributed to different parts of the system. It infects and spreads in multiple ways, which makes it harder to eradicate when identified.

186
Q

Bullets: ActiveX Data Objects (ADO)

A

An API that allows applications to access back-end database systems. It is a set of ODBC interfaces that exposes the functionality of data sources through accessible objects. ADO uses the OLE DB interface to connect with the database, and can be developed with many different scripting languages. It is commonly used in web applications and other client/server applications. The following are some characteristics of an ADO:

187
Q

Explanations: Mobile Code

A

Code that can be transmitted across a network, to be executed by a system or device on the other end, is called mobile code. There are many legitimate reasons to use mobile code—for example, web browser applets that may execute in the background to download additional content for the web page, such as plug-ins that allow you to view a video.

188
Q

Bullets: Assemblers

A

Tools that convert assembly code into the necessary machine-compatible binary language for processing activities to take place.

189
Q

Emphasis: Context-dependent access control

A

Context-dependent access control means that the software “understands” what actions should be allowed based upon the state and sequence of the request. So what does that mean? It means the software must keep track of previous access attempts by the user and understand what sequences of access steps are allowed. Content-dependent access control can go like this: “Does Julio have access to File A?” The system reviews the ACL on File A and returns with a response of “Yes, Julio can access the file, but can only read it.” In a context-dependent access control situation, it would be more like this: “Does Julio have access to File A?” The system then reviews several pieces of data: What other access attempts has Julio made? Is this request out of sequence of how a safe series of requests takes place? Does this request fall within the allowed time period of system access (8 A.M. to 5 P.M.)? If the answers to all of these questions are within a set of preconfigured parameters, Julio can access the file. If not, he needs to go find something else to do.

190
Q

Emphasis: Object-oriented analysis (OOA)

A

Object-oriented analysis (OOA) is the process of classifying objects that will be appropriate for a solution. A problem is analyzed to determine the classes of objects to be used in the application.

191
Q

Emphasis: knowledge-based systems

A

Expert systems, also called knowledge-based systems, use artificial intelligence (AI) to solve problems.

192
Q

Bullets: Informational model

A

Dictates the type of information to be processed and how it will be processed.

193
Q

Bullets: Rule-based programming

A

A common way of developing expert systems, with rules based on if-then logic units, and specifying a set of actions to be performed for a given situation.

194
Q

Bullets: Query language (QL)

A

Enables users to make requests of the database.

195
Q

Bullets: Break and Fix

A

No real planning up front. Flaws are reactively dealt with after release with the creation of patches and updates.

196
Q

Bullets: Behavioral model

A

Explains the states the application will be in during and after specific transitions take place.

197
Q

Emphasis: Dynamic analysis

A

Dynamic analysis refers to the evaluation of a program in real time, i.e., when it is running. Dynamic analysis is carried out once a program has cleared the static analysis stage and basic programming flaws have been rectified offline.

198
Q

Bullets: Expert systems

A

Otherwise known as knowledge-based systems, these use artificial intelligence (AI) to solve complex problems. They are systems that emulate the decision-making ability of a human expert.

199
Q

Emphasis: Adware

A

Adware is software that automatically generates (renders) advertisements. The ads can be provided through pop-ups, user interface components, or screens presented during the installation of updates of other products. The goal of adware is to generate sales revenue, not carry out malicious activities, but some adware use invasive measures, which can cause security and privacy issues.

200
Q

Bullets: ActiveX

A

A Microsoft technology composed of a set of OOP technologies and tools based on COM and DCOM. It is a framework for defining reusable software components in a programming language-independent manner.

201
Q

Emphasis: self-garbling virus

A

A self-garbling virus attempts to hide from antivirus software by garbling (modifying) its own code. As the virus spreads, it changes the way its code is formatted. A small portion of the virus code decodes the garbled code when activated.

202
Q

Bullets: Threat modeling

A

A systematic approach used to understand how different threats could be realized and how a successful compromise could take place.

203
Q

Emphasis: data structure

A

A data structure is a representation of the logical relationship between elements of data. It dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements.

204
Q

Emphasis: and

A

An object-oriented database is designed to handle a variety of data types (images, audio, documents, video). An object-oriented database management system (ODBMS) is more dynamic in nature than a relational database, because objects can be created when needed and the data and procedure (called method) go with the object when it is requested. In a relational database, the application has to use its own procedures to obtain data from the database and then process the data for its needs. The relational database does not actually provide procedures, as object-oriented databases do. The object-oriented database has classes to define the attributes and procedures of its objects.

205
Q

Emphasis: Trojan Horses

A

Trojan Horses

A Trojan horse is a program that is disguised as another program. For example, a Trojan horse can be named Notepad.exe and have the same icon as the regular Notepad program. However, when a user executes Notepad.exe, the program can delete system files. Trojan horses perform a useful functionality in addition to the malicious functionality in the background. So the Trojan horse named Notepad.exe may still run the Notepad program for the user, but in the background it will manipulate files or cause other malicious acts.

206
Q

Emphasis: virus

A

A virus is a small application, or string of code, that infects software. The main function of a virus is to reproduce and deliver its payload, and it requires a host application to do this. In other words, viruses cannot replicate on their own. A virus infects a file by inserting or attaching a copy of itself to the file. The virus is just the “delivery mechanism.” It can have any type of payload (deleting system files, displaying specific messages, reconfiguring systems, stealing sensitive data, installing a sniffer or back door).

207
Q

Bullets: Web proxy

A

A piece of software installed on a system that is designed to intercept all traffic between the local web browser and the web server.

208
Q

Bullets: Prototyping

A

Creating a sample or model of the code for proof-of-concept purposes.

209
Q

Bullets: Spiral

A

Iterative approach that emphasizes risk analysis per iteration. Allows for customer feedback to be integrated through a flexible evolutionary approach.

210
Q

Bullets: URL encoding

A

Ever notice a “space” that appears as “%20” in a URL in a web browser? The “%20” represents the space because spaces aren’t allowed characters in a URL. Much like the attacks using Unicode characters, attackers found that they could bypass filtering techniques and make requests by representing characters differently.

211
Q

Bullets: Meme viruses

A

These are not actual computer viruses, but types of e-mail messages that are continually forwarded around the Internet.

212
Q

Bullets: Statistical

A

Identifies relationships between data elements and uses rule discovery.

213
Q

Emphasis: rollback

A

The rollback is an operation that ends a current transaction and cancels the current changes to the database. These changes could have taken place to the data held within the database or a change to the schema. When a rollback operation is executed, the changes are cancelled and the database returns to its previous state. A rollback can take place if the database has some type of unexpected glitch or if outside entities disrupt its processing sequence. Instead of transmitting and posting partial or corrupt information, the database will roll back to its original state and log these errors and actions so they can be reviewed later.

214
Q

Emphasis: software

A

The acronym “SDLC” can represent system development life cycle or software development life cycle. Many resources interchange these terms (system and software) because the basic structure of a life-cycle framework should be applied to a computer, network, or a piece of software. A life-cycle framework just means that the item of focus (system or software) should be properly cared for no matter what stage it is in.

215
Q

Bullets: Security test and evaluation plan

A

Outlines how security controls should be evaluated before the system is approved and deployed.

216
Q

Bullets: Privacy Impact Rating

A

Indicates the sensitivity level of the data that will be processed or made accessible.

217
Q

Bullets: Attack surface

A

Components available to be used by an attacker against the product itself.

218
Q

Emphasis: Antivirus Software

A

Antivirus Software

Traditional antivirus software uses signatures to detect malicious code. The signature is a fingerprint created by the antivirus vendor. The signature is a sequence of code that was extracted from the virus itself. Just like our bodies have antibodies that identify and go after a specific type of foreign material, an antivirus software package has an engine that uses these signatures to identify malware. The antivirus software scans files, e-mail messages, and other data passing through specific protocols, and then compares them to its database of signatures. When there is a match, the antivirus software carries out whatever activities it is configured to do, which can be to quarantine the file, attempt to clean the file (remove the virus), provide a warning message dialog box to the user, and/or log the event.

219
Q

Explanations: Build and Fix Model

A

Basically, no architecture design is carried out in the Build and Fix model; instead, development takes place immediately with little or no planning involved. Problems are dealt with as they occur, which is usually after the software product is released to the customer.

220
Q

Bullets: Security functional requirements analysis

A

Identifies the protection levels that must be provided by the system to meet all regulatory, legal, and policy compliance needs.

221
Q

Bullets: Exploratory model

A

A method that is used in instances where clearly defined project objectives have not been presented. Instead of focusing on explicit tasks, the exploratory model relies on covering a set of specifications that are likely to affect the final product’s functionality. Testing is an important part of exploratory development, as it ascertains that the current phase of the project is compliant with likely implementation scenarios.

222
Q

Emphasis: Object-oriented programming (OOP)

A

Object-oriented programming (OOP) methods perform the same functionality, but with different techniques that work in a more efficient manner. First, you need to understand the basic concepts of OOP.

223
Q

Emphasis: software development life cycle (SDLC)

A

There have been several software development life cycle (SDLC) models developed over the years, which we will cover later in this section, but the crux of each model deals with the following items:

224
Q

Bullets: Software Configuration Management (SCM)

A

Identifies the attributes of software at various points in time, and performs a methodical control of changes for the purpose of maintaining software integrity and traceability throughout the software development life cycle.

225
Q

Bullets: Report generator

A

Produces printouts of data in a user-defined manner.

226
Q

Bullets: Java applets

A

Small components (applets) that provide various functionalities and are delivered to users in the form of Java bytecode. Java applets can run in a web browser using a Java Virtual Machine (JVM). Java is platform independent; thus, Java applets can be executed by browsers for many platforms.

227
Q

Bullets: Data warehousing

A

Combines data from multiple databases or data sources into a large database for the purpose of providing more extensive information retrieval and data analysis.

228
Q

Bullets: Remote access Trojans (RATs)

A

Malicious programs that run on systems and allow intruders to access and use a system remotely.

229
Q

Bullets: Release/Maintenance

A

Deploying the software and then ensuring that it is properly configured, patched, and monitored.

230
Q

Bullets: Data manipulation language (DML)

A

Contains all the commands that enable a user to view, manipulate, and use the database (view, add, modify, sort, and delete commands).

231
Q

Emphasis: database management system (DBMS)

A

A database is a collection of data stored in a meaningful way that enables multiple users and applications to access, view, and modify data as needed. Databases are managed with software that provides these types of capabilities. It also enforces access control restrictions, provides data integrity and redundancy, and sets up different procedures for data manipulation. This software is referred to as a database management system (DBMS) and is usually controlled by a database administrator. Databases not only store data, but may also process data and represent them in a more usable and logical form. DBMSs interface with programs, users, and data within the database. They help us store, organize, and retrieve information effectively and efficiently.

232
Q

Bullets: Work breakdown structure (WBS)

A

A project management tool used to define and group a project’s individual work elements in an organized manner.

233
Q

Emphasis: Object Linking and Embedding

A

Object Linking and Embedding

Object linking and embedding (OLE) provides a way for objects to be shared on a local personal computer and to use COM as their foundation. OLE enables objects—such as graphics, clipart, and spreadsheets—to be embedded into documents. The capability for one program to call another program is called linking. The capability to place a piece of data inside a foreign program or document is called embedding.

234
Q

Explanations: Antimalware Programs

A

Detecting and protecting an enterprise from the long list of malware requires more than just rolling out antivirus software. Just as with other pieces of a security program, certain administrative, physical, and technical controls must be deployed and maintained.

235
Q

Emphasis: two-phase commit

A

A two-phase commit mechanism is yet another control that is used in databases to ensure the integrity of the data held within the database. Databases commonly carry out transaction processes, which means the user and the database interact at the same time. The opposite is batch processing, which means that requests for database changes are put into a queue and activated all at once—not at the exact time the user makes the request. In transactional processes, many times a transaction will require that more than one database be updated during the process. The databases need to make sure each database is properly modified, or no modification takes place at all. When a database change is submitted by the user, the different databases initially store these changes temporarily. A transaction monitor will then send out a “pre-commit” command to each database. If all the right databases respond with an acknowledgment, then the monitor sends out a “commit” command to each database. This ensures that all of the necessary information is stored in all the right places at the right time.

236
Q

Emphasis: Functionality versus Security

A

Functionality versus Security

Programming code is complex—the code itself, routine interaction, global and local variables, input received from other programs, output fed to different applications, attempts to envision future user inputs, calculations, and restrictions form a long list of possible negative security consequences. Many times, trying to account for all the “what-ifs” and programming on the side of caution can reduce the overall functionality of the application. As you limit the functionality and scope of an application, the market share and potential profitability of that program could be reduced. A balancing act always exists between functionality and security, and in the development world, functionality is usually deemed the most important.

237
Q

Emphasis: Parameter Validation

A

Parameter Validation

The issue of parameter validation is akin to the issue of input validation mentioned earlier. Parameter validation is where the values that are being received by the application are validated to be within defined limits before the server application processes them within the system. The main difference between parameter validation and input validation is whether the application expected the user to supply the value, as opposed to an environment variable that is defined by the application. Attacks in this area deal with manipulating values that the system would assume are beyond the client’s ability to configure, mainly because there isn’t a mechanism provided in the interface to do so.

238
Q

Explanations: Design Phase

A

This is the phase that starts to map theory to reality. The theory encompasses all of the requirements that were identified in previous phases, and the design outlines how the product is actually going to accomplish these requirements.

239
Q

Emphasis: (very high-level languages)

A

Fourth-generation languages (very high-level languages) were designed to further enhance the natural language approach instigated within the third-generation language. Fourth-generation languages are meant to take natural language-based statements one step further. Fourth-generation programming languages focus on highly abstract algorithms that allow straightforward programming implementation in specific environments. The most remarkable aspect of fourth-generation languages is that the amount of manual coding required to perform a specific task may be ten times less than for the same task on a third-generation language. This is especially important as these languages have been developed to be used by inexpert users and not just professional programmers.

240
Q

Explanation Bullets: So what’s so great about OOP? If you look at Figure 10-16, you can see the difference between OOP and non-OOP techniques. Non-OOP applications are written as monolithic entities. This means an application is just one big pile of code (commonly called spaghetti code). If you need to change something in this pile, you would need to go through the whole program’s logic functions to figure out what your one change is going to break. If the program contains hundreds or thousands of lines of code, this is not an easy or enjoyable task. Now, if you choose to write your program in an object-oriented language, you don’t have one monolithic application, but an application that is made up of smaller components (objects). If you need to make changes or updates to some functionality in your application, you can just change the code within the class that creates the object carrying out that functionality and not worry about everything else the program actually carries out. The following breaks down the benefits of OOP:

A
  • Modularity
    • Autonomous objects, cooperation through exchanges of messages.
  • Deferred commitment
    • The internal components of an object can be redefined without changing other parts of the system.
  • Reusability
    • Refining classes through inheritance.
    • Other programs using the same objects.
  • Naturalness
    • Object-oriented analysis, design, and modeling map to business needs and solutions.

241
Q

Bullets: Web Application Security Consortium (WASC)

A

A nonprofit organization made up of an international group of experts, industry practitioners, and organizational representatives who produce open-source and widely agreed upon best-practice security standards for the World Wide Web.

242
Q

Emphasis: attack surface

A

An attack surface is what is available to be used by an attacker against the product itself. As an analogy, if you were wearing a suit of armor and it only covered half of your body, the other half would be your vulnerable attack surface. Before you went into battle, you would want to reduce this attack surface by covering your body with as much protective armor as possible. The same can be said about software. The development team should reduce the attack surface as much as possible because the greater the attack surface of software, the more avenues for the attacker; and hence, the greater the likelihood of a successful compromise.

243
Q

Emphasis: primary key

A

The primary key is an identifier of a row and is used for indexing in relational databases. Each row must have a unique primary key to properly represent the row as one entity. When a user makes a request to view a record, the database tracks this record by its unique primary key. If the primary key were not unique, the database would not know which record to present to the user. For example, suppose that in Table A the primary key is the dog’s name. Each row (tuple) provides the characteristics of one dog (primary key). So when a user searches for Cricket, the type, weight, owner, and color of that one dog are returned.

244
Q

Emphasis: Software Development Models

A

There have been several software development models developed over the last 20 or so years. Each model has its own characteristics, pros, cons, SDLC phases, and best use-case scenarios. While some models include security issues in certain phases, these are not considered “security-centric development models.” These are classical approaches on how to build and develop software. A brief discussion of some of the models that have been used over the years is covered next.

245
Q

Specific Threats for Web Environments : The most common types of vulnerabilities, threats, and complexities are covered in the following sections, which we will explore one at a time:

A
  • Information gathering
  • Administrative interfaces
  • Authentication and access control
  • Input validation
  • Parameter validation
  • Session management
246
Q

Bullets: Data dictionary

A

Central repository of data elements and their relationships.

247
Q

Explanation Bullets: The database model defines the relationships between different data elements; dictates how data can be accessed; and defines acceptable operations, the type of integrity offered, and how the data are organized. A model provides a formal method of representing data in a conceptual form and provides the necessary means of manipulating the data held within the database. Databases come in several types of models, as listed next:

A
  • Relational
  • Hierarchical
  • Network
  • Object-oriented
  • Object-relational
248
Q

Bullets: Simple Object Access Protocol (SOAP)

A

An XML-based protocol that encodes messages in a web service environment.

249
Q

Explanation Bullets: From a security point of view, the following items should also be accomplished in this phase:

A
  • Attack surface analysis
  • Threat modeling

250
Q

Bullets: Open Web Application Security Project (OWASP)

A

A nonprofit organization focused on improving the security of application software.

251
Q

Bullets: Capability Maturity Model Integration (CMMI) model

A

A process improvement approach that provides organizations with the essential elements of effective processes, which will improve their performance.

252
Q

Bullets: Coupling

A

A measurement that indicates how much interaction one module requires for carrying out its tasks.

253
Q

Explanations: Expert Systems

A

An expert system is a computer program containing a knowledge base and a set of algorithms and rules used to infer new facts from data and incoming requests.

254
Q

Bullets: Replication

A

Makes copies of itself and spreads to other victims

255
Q

Emphasis: computer-aided software engineering (CASE)

A

There are many computer-aided software engineering (CASE) tools that programmers can use to generate code, test software, and carry out debugging activities. When these types of activities are carried out through automated tools, development usually takes place more quickly with fewer errors.

256
Q

Explanation Bullets: 16. A. The five maturity levels of the Capability Maturity Model Integration (CMMI) are:

A
  • Initial Development process is ad hoc or even chaotic. The company does not use effective management procedures and plans. There is no assurance of consistency, and quality is unpredictable.
  • Repeatable A formal management structure, change control, and quality assurance are in place. The company can properly repeat processes throughout each project. The company does not have formal process models defined.
  • Defined Formal procedures are in place that outline and define processes carried out in each project. The organization has a way to allow for quantitative process improvement.
  • Managed The company has formal processes in place to collect and analyze quantitative data, and metrics are defined and fed into the process- improvement program.
  • Optimizing The company has budgeted and integrated plans for continuous process improvement.
257
Q

Emphasis: (prototype)

A

A sample of software code or a model (prototype) can be developed to explore a specific approach to a problem before investing expensive time and resources. A team can identify the usability and design problems while working with a prototype and adjust their approach as necessary. Within the software development industry three main prototype models have been invented and used. These are the rapid prototype, evolutionary prototype, and operational prototype.

258
Q

Bullets: Data mining

A

Otherwise known as knowledge discovery in databases (KDD): the process of massaging the data held in the data warehouse into more useful information.

259
Q

Bullets: Very high-level languages

A

Otherwise known as fourth-generation programming languages; they take natural language-based statements one step further.

260
Q

Emphasis: commit

A

The commit operation completes a transaction and executes all changes just made by the user. As its name indicates, once the commit command is executed, the changes are committed and reflected in the database. These changes can be made to data or schema information. Because these changes are committed, they are then available to all other applications and users. If a user attempts to commit a change and it cannot complete correctly, a rollback is performed. This ensures that partial changes do not take place and that data are not corrupted.
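The following is an added example (not code from the original text) covering both the primary-key card above (card 243) and the commit/rollback behaviour described here. It uses Python's built-in sqlite3 module with an in-memory database. The dog table mirrors the flashcard's “Table A” (name as primary key; type, weight, owner and color as the other columns); the rows, the audit table and the simulated failure are constructed for illustration.

```python
"""Primary-key uniqueness and commit/rollback atomicity shown with sqlite3.

Added example, not code from the original text. The dog table mirrors the
flashcard's "Table A"; the rows and the audit table are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database keyed on the dog's name and seed one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dogs ("
        "  name   TEXT PRIMARY KEY,"  # each row (tuple) is identified by this value
        "  type   TEXT NOT NULL,"
        "  weight INTEGER NOT NULL,"
        "  owner  TEXT NOT NULL,"
        "  color  TEXT NOT NULL)"
    )
    conn.execute("CREATE TABLE audit (old_owner TEXT, new_owner TEXT)")  # constructed
    conn.execute("INSERT INTO dogs VALUES ('Cricket', 'Terrier', 12, 'Alice', 'Brown')")
    conn.commit()
    return conn


def lookup(conn: sqlite3.Connection, name: str):
    """Fetch one dog's characteristics by primary key; None if no such row."""
    return conn.execute(
        "SELECT type, weight, owner, color FROM dogs WHERE name = ?", (name,)
    ).fetchone()


def insert_duplicate_key(conn: sqlite3.Connection) -> str:
    """Insert a second 'Cricket'. The PRIMARY KEY constraint rejects it, so the
    database never holds two rows it could not tell apart."""
    try:
        conn.execute("INSERT INTO dogs VALUES ('Cricket', 'Beagle', 9, 'Bob', 'Black')")
        conn.commit()
        return "accepted"
    except sqlite3.IntegrityError:
        conn.rollback()
        return "rejected: duplicate primary key"


def transfer_ownership(conn: sqlite3.Connection, old_owner: str, new_owner: str,
                       fail_midway: bool = False) -> bool:
    """Two statements that must succeed or fail together.

    sqlite3 opens a transaction implicitly before the UPDATE. Nothing is
    visible to other connections until commit(); if the second step fails
    (simulated by fail_midway) rollback() discards the first step as well.
    """
    try:
        conn.execute("UPDATE dogs SET owner = ? WHERE owner = ?", (new_owner, old_owner))
        if fail_midway:
            raise sqlite3.OperationalError("simulated failure between the two steps")
        conn.execute("INSERT INTO audit VALUES (?, ?)", (old_owner, new_owner))
        conn.commit()
        return True
    except sqlite3.Error:
        conn.rollback()
        return False


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "Cricket"))
    print(insert_duplicate_key(db))
    print(transfer_ownership(db, "Alice", "Carol", fail_midway=True), lookup(db, "Cricket")[2])
    print(transfer_ownership(db, "Alice", "Carol"), lookup(db, "Cricket")[2])
```

Two things to check when reproducing this against a real database: that the client library really wraps the statements in one transaction (sqlite3 does so implicitly before the first UPDATE; other drivers may run in autocommit mode, in which case the first step is persisted before the second fails), and that the error path always calls rollback so the next transaction does not inherit a half-applied state.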

261
Q

Explanation Bullets: Antivirus information and expected user behaviors should be integrated into the security-awareness program, along with who a user should contact if she discovers a virus. A standard should cover the do’s and don’ts when it comes to malware, which are listed next:

A
  • Every workstation, server, and mobile device should have antimalware software installed.
  • An automated way of updating antivirus signatures should be deployed on each device.
  • Users should not be able to disable antivirus software.
  • A preplanned malware eradication process should be developed and a contact person designated in case of an infection.
  • All external disks (USB drives and so on) should be scanned automatically.
  • Backup files should be scanned.
  • Antivirus policies and procedures should be reviewed annually.
  • Antivirus software should provide boot virus protection.
  • Antivirus scanning should happen at a gateway and on each device.
  • Virus scans should be automated and scheduled. Do not rely on manual scans.
  • Critical systems should be physically protected so malicious software cannot be installed locally.
262
Q

Bullets: Hierarchical data model

A

Combines records and fields that are related in a logical tree structure.

263
Q

Bullets: Object request broker (ORB)

A

Manages all communications between components and enables them to interact in a heterogeneous and distributed environment. The ORB acts as a “broker” between a client request for a service from a distributed object and the completion of that request.

264
Q

Bullets: ISO/IEC 27034

A

International standard that provides guidance to assist organizations in integrating security into the processes used for managing their applications. It is applicable to in-house developed applications, applications acquired from third parties, and where the development or the operation of the application is outsourced.

265
Q

Bullets: Static analysis

A

A debugging technique that examines the code without executing the program; it is usually carried out on source code, before the program is compiled.

266
Q

Bullets: Polymorphism

A

Two objects can receive the same input and have different outputs.

267
Q

Emphasis: multipart virus

A

A multipart virus (also called multipartite virus) has several components to it and can be distributed to different parts of the system. For example, a multipart virus might infect both the boot sector of a hard drive and executable files. By using multiple vectors it can spread more quickly than a virus using only one vector.

268
Q

Emphasis: embedding

A

Object linking and embedding (OLE) provides a way for objects to be shared on a local personal computer and to use COM as their foundation. OLE enables objects—such as graphics, clipart, and spreadsheets—to be embedded into documents. The capability for one program to call another program is called linking. The capability to place a piece of data inside a foreign program or document is called embedding.

269
Q

Bullets: Virus

A

A small application, or string of code, that infects host applications. It is a programming code that can replicate itself and spread from one system to another.

270
Q

Bullets: Build Security In (BSI)

A

U.S. DHS effort that provides best practices, tools, guidelines, rules, principles, and other resources for software developers, architects, and security practitioners to use.

271
Q

Bullets: Distributed Computing Environment (DCE)

A

The first framework and development toolkit for developing client/server applications to allow for distributed computing.

272
Q

Emphasis: assemblers

A

An assembly language is considered a low-level programming language and is the symbolic representation of machine-level instructions. It is “one step above” machine language. It uses symbols (called mnemonics) to represent complicated binary codes. Programmers using assembly language could use commands like ADD, PUSH, POP, etc., instead of the binary codes (1001011010, etc.). Assembly languages use programs called assemblers, which automatically convert these assembly codes into the necessary machine-compatible binary language. To their credit, assembly languages drastically reduced programming and debugging times, introduced the concept of variables, and freed programmers from manually calculating memory addresses. But like machine code, programming in an assembly language requires extensive knowledge of a computer’s architecture. It is easier than programming in binary format, but more challenging compared to the high-level languages most programmers use today.

273
Q

Emphasis: Data Warehousing and Data Mining

A

Data warehousing combines data from multiple databases or data sources into a large database for the purpose of providing more extensive information retrieval and data analysis. Data from different databases are extracted and transferred to a central data store called a warehouse. The data are cleansed and transformed into the consistent format the warehouse expects, with redundant or conflicting entries resolved. This enables users to query one entity rather than accessing and querying different databases.

274
Q

Bullets: Cell suppression

A

A technique used to hide specific cells that contain sensitive information.

275
Q

Explanations: Programming Languages and Concepts

A

All software is written in some type of programming language. Programming languages have gone through several generations over time, each generation building on the next, providing richer functionality and giving the programmers more powerful tools as they evolve.

276
Q

Bullets: Data structure

A

A representation of the logical relationship between elements of data.

277
Q

Emphasis: distributed

A

Distributed Component Object Model (DCOM) supports the same model for component interaction, and also supports distributed interprocess communication (IPC). COM enables applications to use components on the same systems, while DCOM enables applications to access objects that reside in different parts of a network. So this is how the client/server-based activities are carried out by COM-based operating systems and/or applications.

278
Q

Explanations: Malware Components

A

It is common for malware to have six main elements, although it is not necessary for them all to be in place:

279
Q

Emphasis: web proxy

A

A web proxy is a piece of software installed on a system that is designed to intercept all traffic between the local web browser and the web server. Using freely available web proxy software (such as Achilles or Burp Proxy), an attacker can monitor and modify any information as it travels in either direction. For example, suppose the server tells the client via a session cookie that “number of allowed logins = 3.” If an attacker intercepts that cookie with one of these proxies and changes the value to “number of allowed logins = 50000,” he has effectively enabled a brute-force attack on the system if it has no other validation mechanism in place. The lesson is that anything stored on the client, cookies included, must be treated as untrusted input: state that enforces a security decision belongs on the server.
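The following is an added example (not code from the original text) that simulates the cookie described above, an intercepting proxy rewriting it, and a wordlist attack against two designs: one that trusts the client-held counter and one that keeps the counter server-side behind an opaque session id. The credential, the wordlist and the class names are constructed for illustration; a real service would store a password hash rather than the password itself.

```python
"""Login-attempt counter kept in a client cookie versus on the server.

Added example, not code from the original text. The credential, wordlist and
class names are constructed for illustration.
"""
import hmac
import secrets

MAX_ATTEMPTS = 3
PASSWORD_DB = {"alice": "hunter2"}  # constructed demo credential (a real service stores a hash)
# Constructed wordlist; the correct password is the last entry.
GUESSES = ["password", "123456", "letmein", "qwerty", "admin",
           "welcome", "monkey", "dragon", "football", "hunter2"]


class VulnerableLogin:
    """Stores the remaining attempt budget in the cookie and trusts it on return."""

    def initial_cookie(self) -> dict:
        return {"allowed_logins": str(MAX_ATTEMPTS)}

    def attempt(self, cookie: dict, user: str, password: str):
        remaining = int(cookie.get("allowed_logins", "0"))
        if remaining <= 0:
            return "locked", cookie
        if hmac.compare_digest(PASSWORD_DB.get(user, ""), password):
            return "success", cookie
        return "failed", {"allowed_logins": str(remaining - 1)}  # client holds the counter


class HardenedLogin:
    """Cookie carries only an opaque session id; the counter lives server-side."""

    def __init__(self):
        self._remaining = {}

    def initial_cookie(self) -> dict:
        sid = secrets.token_hex(16)
        self._remaining[sid] = MAX_ATTEMPTS
        return {"sid": sid}

    def attempt(self, cookie: dict, user: str, password: str):
        remaining = self._remaining.get(cookie.get("sid"))
        if remaining is None:  # unknown or tampered session id
            return "invalid_session", cookie
        if remaining <= 0:
            return "locked", cookie
        if hmac.compare_digest(PASSWORD_DB.get(user, ""), password):
            return "success", cookie
        self._remaining[cookie["sid"]] = remaining - 1  # extra cookie fields are ignored
        return "failed", cookie


def proxy_tamper(cookie: dict, field: str, value: str) -> dict:
    """What an intercepting proxy lets the attacker do: rewrite a field in flight."""
    modified = dict(cookie)
    modified[field] = value
    return modified


def brute_force(server, cookie: dict, user: str, guesses):
    """Submit guesses until success or the server refuses; return (outcome, attempts)."""
    outcome = "failed"
    for n, guess in enumerate(guesses, 1):
        outcome, cookie = server.attempt(cookie, user, guess)
        if outcome != "failed":
            return outcome, n
    return outcome, len(guesses)


if __name__ == "__main__":
    v = VulnerableLogin()
    print(brute_force(v, v.initial_cookie(), "alice", GUESSES))
    print(brute_force(v, proxy_tamper(v.initial_cookie(), "allowed_logins", "50000"), "alice", GUESSES))
    h = HardenedLogin()
    print(brute_force(h, proxy_tamper(h.initial_cookie(), "allowed_logins", "50000"), "alice", GUESSES))
    print(brute_force(h, proxy_tamper(h.initial_cookie(), "sid", "0000"), "alice", GUESSES))
```

Against the vulnerable design the untampered cookie locks the attacker out after three failures, but the proxy-rewritten cookie lets the whole wordlist run. The hardened design ignores any field the attacker adds, and a forged session id is simply unknown to the server. Signing the cookie with an HMAC is the other common fix when state must live on the client; it stops modification but not replay of an old cookie, which is why the server-side counter is preferable for lockout logic.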

280
Q

Explanation Bullets: Figure 10-37 OLE DB provides an interface to allow applications to communicate with different data sources.

A
  • Because it is COM-based, OLE DB is limited to being used by Microsoft Windows-based client tools.
  • A developer accesses OLE DB services through ActiveX Data Objects (ADO).
  • It allows different applications to access different types and sources of data.
281
Q

Bullets: Compression viruses

A

Another type of virus that appends itself to executables on the system and compresses them by using the user’s permissions.

282
Q

Emphasis: inference

A

Inference is a related security issue and is the intended result of aggregation. The inference problem arises when a subject deduces the full story from the pieces he learned through aggregation. It is seen when data at a lower security level indirectly reveal data at a higher level.
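The following is an added example (not code from the original text) of inference through aggregation: a statistical database that answers only aggregate queries still leaks one person's salary when two individually harmless SUM queries are differenced. The employee table, the minimum-query-set rule and the query-overlap rule are constructed to show the attack and two guards; all names and salaries are made up.

```python
"""Inference against a statistical database: aggregate queries that each look
harmless reveal one individual's record when combined.

Added example, not code from the original text. The table and the two guard
rules are constructed for illustration.
"""
from collections import namedtuple
from typing import Callable, Optional

Employee = namedtuple("Employee", "name dept salary")

# Constructed table; only aggregate queries are supposed to be answered from it.
EMPLOYEES = [
    Employee("Ann", "eng", 120000), Employee("Bob", "eng", 95000),
    Employee("Cy", "eng", 88000), Employee("Di", "eng", 101000),
    Employee("Eve", "eng", 99000), Employee("Fay", "ops", 70000),
    Employee("Gus", "ops", 72000), Employee("Hal", "ops", 68000),
]


class StatisticalDB:
    """Answers SUM queries only when the query set is large enough.

    k            : minimum number of rows a query (and its complement) must match
    overlap_ctrl : if True, also refuse a query whose row set differs from a
                   previously answered set by fewer than k rows; this is the
                   rule that blocks the differencing attack below
    """

    def __init__(self, rows, k: int, overlap_ctrl: bool = False):
        self.rows = list(rows)
        self.k = k
        self.overlap_ctrl = overlap_ctrl
        self._answered = []  # row-index sets of queries already answered

    def sum_salary(self, predicate: Callable[[Employee], bool]) -> Optional[int]:
        matched = {i for i, r in enumerate(self.rows) if predicate(r)}
        n = len(self.rows)
        if not (self.k <= len(matched) <= n - self.k):
            return None  # the query set, or its complement, would single out few rows
        if self.overlap_ctrl and any(len(matched ^ prev) < self.k for prev in self._answered):
            return None  # too close to an earlier query set: differencing would leak
        self._answered.append(matched)
        return sum(self.rows[i].salary for i in matched)


def differencing_attack(db: StatisticalDB, target: str) -> Optional[int]:
    """Infer one person's salary from two aggregate answers, each over >= k rows."""
    total = db.sum_salary(lambda r: r.dept == "eng")
    without = db.sum_salary(lambda r: r.dept == "eng" and r.name != target)
    if total is None or without is None:
        return None  # a guard refused one of the queries
    return total - without


if __name__ == "__main__":
    print(differencing_attack(StatisticalDB(EMPLOYEES, k=2), "Bob"))
    print(differencing_attack(StatisticalDB(EMPLOYEES, k=2, overlap_ctrl=True), "Bob"))
```

A direct query for Bob's row is refused by the minimum-size rule, yet the two department-level sums pass it and their difference is exactly Bob's salary. Overlap control closes that particular hole, but it is a partial defence: an attacker can still build the same difference from several queries that each overlap the others by less than k rows, which is why statistical databases also rely on noise addition or limits on the number of queries per subject.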

283
Q

Explanation Bullets: 21. A. The following are correct characteristics of ADO:

A
  • It’s a high-level data access programming interface to an underlying data access technology (such as OLE DB).
  • It’s a set of COM objects for accessing data sources, not just database access.
  • It allows a developer to write programs that access data without knowing how the database is implemented.
  • SQL commands are not required to access a database when using ADO.
284
Q

Explanations: Separation of Duties

A

Different environmental types (development, testing, and production) should be properly separated, and functionality and operations should not overlap. Developers should not have access to code used in production. The code should be tested, submitted to a library, and then sent to the production environment.

285
Q

Emphasis: Web Security

A

When it comes to the Internet and web-based applications, many security situations are unique to this area. Companies use the Internet to expose products or services to the widest possible audience; thus, they need to allow an uncontrollable number of entities on the Internet to access their web servers. In most situations companies must open up the ports related to web-based traffic (80 and 443) on their firewalls, which are commonly used avenues for a long list of attacks.

286
Q

Emphasis: Distributed Computing Environment

A

Distributed Computing Environment (DCE) is a standard developed by the Open Software Foundation (OSF), which later became part of The Open Group. It is a client/server framework that is available to many vendors to use within their products. This framework illustrates how various capabilities can be integrated and shared between heterogeneous systems. DCE provides a Remote Procedure Call (RPC) service, security service, directory service, time service, and distributed file support. It was one of the first attempts at distributed computing in the industry.

287
Q

Emphasis: Software’s Importance

A

Software controls come in various flavors with many different goals. They can control input, encryption, logic processing, number-crunching methods, interprocess communication, access, output, and interfacing with other software. They should be developed with potential risks in mind, and many types of threat models and risk analyses should be invoked at different stages of development. The goals are to reduce vulnerabilities and the possibility of system compromise. The controls can be preventive, detective, or corrective. While security controls can be administrative and physical in nature, the controls used within software are usually more technical in nature.

288
Q

Emphasis: Online transaction processing (OLTP)

A

Online transaction processing (OLTP) is generally used when databases are clustered to provide fault tolerance and higher performance. OLTP provides mechanisms that watch for problems and deal with them appropriately when they do occur. For example, if a process stops functioning, the monitor mechanisms within OLTP can detect this and attempt to restart the process. If the process cannot be restarted, the transaction taking place is rolled back to ensure that no data are corrupted and that no partial transaction is applied. Any erroneous or invalid transactions detected should be written to a transaction log. The transaction log also collects the activities of successful transactions. Data are written to the log before and after a transaction is carried out so a record of events exists.

289
Q

Bullets: Testing/Validation

A

Validating software to ensure that goals are met and the software works as planned

290
Q

Bullets: Assembly language

A

A low-level programming language that is the mnemonic representation of machine-level instructions.

291
Q

Bullets: Sandbox

A

A restricted execution environment that gives very fine-grained control over the actions the code running inside it is permitted to take. It is designed to allow the safe execution of untrusted code from remote sources.

292
Q

Explanations: Different Environments Demand Different Security

A

I demand total and complete security in each and every one of my applications!Response: Well, don’t hold your breath on that one.

293
Q

Bullets: P3

A

Low Privacy Risk: No behaviors exist within the feature, product, or services that affect privacy. No anonymous or personal data is transferred, no PII is stored on the machine, no settings are changed on the user’s behalf, and no software is installed.