Chapter 12 Software Development Security Flashcards
What phases appear in most software development models?
- Feasibility phase
- Analysis and requirements definition phase
- Design phase
- Development phase
- Testing and integration phase
- Training and transition phase
- Ongoing operations and maintenance
- Disposition phase
- Where initial investigations into whether the effort should occur are conducted
- Common phase appearing in most software development models
Feasibility phase
- Customer input is sought to determine what the desired functionality is, what the current system or application currently does and what it does not do, and what improvements are desired
- Common phase appearing in most software development models
Analysis and requirements definition phase
- Includes functionality, architecture, integration points and techniques, data flows, business processes, and any other elements that require design consideration
- Common phase appearing in most software development models
Design phase
- The actual coding of the application occurs here. This phase may involve testing of parts of the software including unit testing and code analysis
- Common phase appearing in most software development models
Development phase
- Individual units or software components are integrated and then tested to ensure proper functionality
- Common phase appearing in most software development models
Testing and integration phase
- Ensures that end users are trained on the software and that the software has entered general use
- Common phase appearing in most software development models
Training and transition phase
- Includes patching, updating, minor modifications, and other work that goes into daily support
- Common phase appearing in most software development models
Ongoing operations and maintenance
- Occurs when a product or system reaches the end of its life
- Common phase appearing in most software development models
Disposition phase
Name the software development models
- Waterfall
- Spiral
- Agile
- Rapid Application Development (RAD)
- The V model
- The Big Bang model
A sequential software development model in which each phase is followed by the next phase
Waterfall
Name the six phases featured in a waterfall model
- Gather requirements
- Design
- Implement
- Test / Validate
- Deploy
- Maintain
Uses linear development concepts but adds an iterative process that revisits four phases multiple times during the development life cycle to gather more detailed requirements
Spiral
What are the four phases in the spiral model?
- Initial requirements - Gathers business requirements, system requirements, etc.
- Design - Conceptual, architectural, logical, and sometimes physical or final design
- Build - Produces an initial proof of concept and then further development releases until the final product is built
- Evaluation - Involves risk analysis for the development project. As the cycle continues, it involves customer testing and feedback to ensure acceptance
- Iterative and incremental process, rather than the linear process found in other software development models
- Breaks up work into smaller units allowing work to be done more quickly with less upfront planning
Agile
The Agile methodology is based on what 12 principles?
- Ensure customer satisfaction via early and continuous delivery of the software
- Welcome changing requirements even late in the development process
- Deliver working software frequently (in weeks rather than months)
- Ensure daily cooperation between developers and business people
- Projects should be built around motivated individuals who get the support, trust, and environment they need to succeed
- Face-to-face conversations are the most efficient way to convey information inside the development team
- Progress is measured by having working software
- Development should be done at a sustainable pace that can be maintained on an ongoing basis
- Pay continuous attention to technical excellence and good design
- Simplicity, the art of maximizing the amount of work not done, is essential
- The best architectures, requirements, and designs emerge from self-organizing teams
- Team should reflect on how to become more effective and then implement the behavior at regular intervals
- List of features or tasks that are required to complete a project
- Specialized term in Agile development
Backlogs
- A tool for estimation and planning
- Estimators are given cards with values for the amount of work required for a task. Estimators are asked to estimate, and each reveals their “bid” on the task
- This is done until agreement is reached, with the goal to have estimators reach the same estimate through discussion
- Specialized term in Agile development
Planning Poker
- A previously agreed-upon time that a person or team uses to work on a specific goal
- Specialized term in Agile development
Timeboxing
- Describes high-level user requirements
- Specialized term in Agile development
User stories
- Conducted by adding up the estimates for the current sprint efforts and then comparing that to what was completed
- Specialized term in Agile development
Velocity tracking
- Functional components of the code are developed in parallel and then integrated to produce the finished product
- No planning phase; instead, planning is done as the software is written
Rapid Application Development (RAD)
What are the five phases of Rapid Application Development (RAD)?
- Business modeling
- Data modeling
- Process modeling
- Application generation
- Testing and turnover
- Includes what information is important, how it is processed, and what the business process should involve
- Rapid Application Development (RAD) phase
Business modeling
- Gathers and analyzes all datasets and objects needed for the effort and defines their attributes and relationships
- Rapid Application Development (RAD) phase
Data modeling
- Defines data flows based on the business model, as well as process descriptions of how data is handled
- Rapid Application Development (RAD) phase
Process modeling
- Coding and use of automated tools to convert data and process models into prototypes
- Rapid Application Development (RAD) phase
Application generation
- Focuses on the data flow and interfaces between components since prototypes are tested at each iteration for functionality
- Rapid Application Development (RAD) phase
Testing and turnover
An extension of the waterfall model that pairs a testing phase with each development stage.
The V model
- Relies on no planning or process
- Focuses on making resources available and simply starting to code based on requirements as they are revealed
The Big Bang model
- Places two developers at one workstation; one developer writes code, while the other developer reviews their code as they write it
- An Agile software development technique
- Informal code review method
Pair programming
- Requires the developer who wrote the code to explain the code to another developer
- Informal code review method
Over-the-shoulder code review
- A form of manual peer review done by sending completed code to reviewers to check the code for issues
- Informal code review method
Pass around code review
- Relies on formal or informal software-based tools to conduct code reviews
- e.g. Atlassian’s Crucible collaborative code review tool, Codacy’s static code review tool, and Phabricator’s Differential code review tool
- Informal code review method
Tool assisted code reviews
In-depth, often time-consuming process intended to fully review code using a team of experts
Formal code reviews
- Specifies entry and exit criteria for processes, ensuring that a process is not started before appropriate diligence has been performed, and also making sure that there are known criteria for moving to the next phase
- Formal code review method
Fagan inspection
Name the six phases of the Fagan inspection process
- Planning
- Overview - Assigns roles such as coder, reader, reviewer, and moderator
- Preparation - Participants review the code or other items being inspected and document any issues or questions they may have
- Meeting - Identifies defects based on the notes from the preparation phase
- Rework - Resolves the identified issues
- Follow-up - The moderator ensures that all identified issues have been resolved and that no new defects were discovered
- Analysis focuses on understanding how the program is written and what the code is intended to do
- Conducted using automated tools or manually by reviewing the code
Static code analysis
Analysis that relies on execution of the code while providing it with input to test the software
Dynamic code analysis
- Involves sending invalid or random data to an application to test its ability to handle unexpected data
- The application is monitored to determine if it crashes, fails, or responds to the input in the correct manner
Fuzzing
Directly inserts faults into error handling paths, particularly error handling mechanisms that are rarely used or might otherwise be missed during normal testing
Fault injection
Fault injections can be done in what three ways?
- Compile time injection
- Protocol software fault injection - uses fuzzing techniques to send unexpected or protocol noncompliant data to an application or service that expects protocol compliant input
- Run-time injection of data into the running program - either by inserting into the running memory of a program or by injecting the faults in a way that causes the program to deal with them
Makes small modifications to the program itself; the altered versions, or mutants, are then tested and rejected if they cause failures
Mutation testing
Used to simulate a full application load
Stress test
Testing performed to ensure no new vulnerabilities, misconfigurations, or other issues have been introduced
Security regression testing
Name some web application vulnerability scanners
- Acunetix WVS
- Arachni
- Burp Suite
- IBM’s AppScan
- HP’s WebInspect
- Netsparker
- QualysGuard’s Web Application Scanner
- W3AF
Allows a tester to capture communication between a browser and the web server and then modify the data that is sent and received
Interception proxies