Chapter 12 Software Development Security Flashcards

1
Q

What phases appear in most software development models?

A
  1. Feasibility phase
  2. Analysis and requirements definition phase
  3. Design phase
  4. Development phase
  5. Testing and integration phase
  6. Training and transition phase
  7. Ongoing operations and maintenance
  8. Disposition phase
2
Q
  • Where initial investigations into whether the effort should occur are conducted
  • Common phase appearing in most software development models
A

Feasibility phase

3
Q
  • Customer input is sought to determine what the desired functionality is, what the current system or application does and does not do, and what improvements are desired
  • Common phase appearing in most software development models
A

Analysis and requirements definition phase

4
Q
  • Includes functionality, architecture, integration points and techniques, data flows, business processes, and any other elements that require design consideration
  • Common phase appearing in most software development models
A

Design phase

5
Q
  • The actual coding of the application occurs here. This phase may involve testing of parts of the software including unit testing and code analysis
  • Common phase appearing in most software development models
A

Development phase

6
Q
  • Individual units or software components are integrated and then tested to ensure proper functionality
  • Common phase appearing in most software development models
A

Testing and integration phase

7
Q
  • Ensures that end users are trained on the software and that the software has entered general use
  • Common phase appearing in most software development models
A

Training and transition phase

8
Q
  • Includes patching, updating, minor modifications, and other work that goes into daily support
  • Common phase appearing in most software development models
A

Ongoing operations and maintenance

9
Q
  • Occurs when a product or system reaches the end of its life
  • Common phase appearing in most software development models

A

Disposition phase

10
Q

Name the software development models

A
  • Waterfall
  • Spiral
  • Agile
  • Rapid Application Development (RAD)
  • The V model
  • The Big Bang model
11
Q

A sequential software development model in which each phase is followed by the next phase

A

Waterfall

12
Q

Name the six phases featured in a waterfall model

A
  1. Gather requirements
  2. Design
  3. Implement
  4. Test / Validate
  5. Deploy
  6. Maintain
13
Q

Uses linear development concepts but adds an iterative process that revisits four phases multiple times during the development life cycle to gather more detailed requirements

A

Spiral

14
Q

What are the four phases in the spiral model?

A
  1. Initial requirements - Gathers business requirements, system requirements, etc.
  2. Design - Conceptual, architectural, logical, and sometimes physical or final design
  3. Build - Produces an initial proof of concept and then further development releases until the final product is built
  4. Evaluation - Involves risk analysis for the development project. As the cycle continues, it involves customer testing and feedback to ensure acceptance
15
Q
  • Iterative and incremental process, rather than the linear process found in other software development models
  • Breaks up work into smaller units allowing work to be done more quickly with less upfront planning
A

Agile

16
Q

The Agile methodology is based on what 12 principles?

A
  1. Ensure customer satisfaction via early and continuous delivery of the software
  2. Welcome changing requirements even late in the development process
  3. Deliver working software frequently (in weeks rather than months)
  4. Ensure daily cooperation between developers and business people
  5. Project should be built around motivated individuals who get the support, trust, and environment they need to succeed
  6. Face-to-face conversations are the most efficient way to convey information inside the development team
  7. Progress is measured by having working software
  8. Development should be done at a sustainable pace that can be maintained on an ongoing basis
  9. Pay continuous attention to technical excellence and good design
  10. Simplicity, the art of maximizing the amount of work not done, is essential
  11. The best architectures, requirements, and designs emerge from self-organizing teams
  12. The team should reflect on how to become more effective at regular intervals and then implement the behavior
17
Q
  • List of features or tasks that are required to complete a project
  • Specialized term in Agile development
A

Backlogs

18
Q
  • A tool for estimation and planning
  • Estimators are given cards with values for the amount of work required for a task. Estimators are asked to estimate, and each reveals their “bid” on the task
  • This is done until agreement is reached, with the goal to have estimators reach the same estimate through discussion
  • Specialized term in Agile development
A

Planning Poker

19
Q
  • A previously agreed-upon time that a person or team uses to work on a specific goal
  • Specialized term in Agile development
A

Timeboxing

20
Q
  • Describes high-level user requirements
  • Specialized term in Agile development

A

User stories

21
Q
  • Conducted by adding up the estimates for the current sprint efforts and then comparing that to what was completed
  • Specialized term in Agile development
A

Velocity tracking

22
Q
  • Functional components of the code are developed in parallel and then integrated to produce the finished product
  • No planning phase; instead, planning is done as the software is written
A

Rapid Application Development (RAD)

23
Q

What are the five phases of Rapid Application Development (RAD)?

A
  1. Business modeling
  2. Data modeling
  3. Process modeling
  4. Application generation
  5. Testing and turnover
24
Q
  • Includes what information is important, how it is processed, and what the business process should involve
  • Rapid Application Development (RAD) phase
A

Business modeling

25
Q
  • Gathers and analyzes all datasets and objects needed for the effort and defines their attributes and relationships
  • Rapid Application Development (RAD) phase
A

Data modeling

26
Q
  • For dataflows based on the business model, as well as process descriptions of how data is handled
  • Rapid Application Development (RAD) phase
A

Process modeling

27
Q
  • Coding and use of automated tools to convert data and process models into prototypes
  • Rapid Application Development (RAD) phase
A

Application generation

28
Q
  • Focuses on the data flow and interfaces between components since prototypes are tested at each iteration for functionality
  • Rapid Application Development (RAD) phase
A

Testing and turnover

29
Q

An extension of the waterfall model that pairs a testing phase with each development stage.

A

The V model

30
Q
  • Relies on no planning or process
  • Focuses on making resources available and simply starting to code based on requirements as they are revealed

A

The Big Bang model

31
Q
  • Places two developers at one workstation: one developer writes code, while the other developer reviews the code as it is written
  • An Agile software development technique
  • Informal code review method
A

Pair programming

32
Q
  • Requires the developer who wrote the code to explain the code to another developer
  • Informal code review method
A

Over-the-shoulder code review

33
Q
  • A form of manual peer review done by sending completed code to reviewers to check the code for issues
  • Informal code review method
A

Pass around code review

34
Q
  • Relies on formal or informal software-based tools to conduct code reviews
  • e.g. Atlassian’s Crucible collaborative code review tool, Codacy’s static code review tool, and Phabricator’s Differential code review tool
  • Informal code review method
A

Tool assisted code reviews

35
Q

An in-depth, often time-consuming process intended to fully review code using a team of experts

A

Formal code reviews

36
Q
  • Specifies entry and exit criteria for processes, ensuring that a process is not started before appropriate diligence has been performed, and also making sure that there are known criteria for moving to the next phase
  • Formal code review method
A

Fagan inspection

37
Q

Name the six phases part of the Fagan inspection process

A
  1. Planning
  2. Overview - Assigns roles such as coder, reader, reviewer, and moderator
  3. Preparation - Participants review the code or other items being inspected and document any issues or questions they may have
  4. Meeting - Identifies defects based on the notes from the preparation phase
  5. Rework - Resolves the identified issues
  6. Follow-up - The moderator ensures that all identified issues have been resolved and that no new defects were introduced
38
Q
  • Analysis focuses on understanding how the program is written and what the code is intended to do
  • Conducted using automated tools or manually by reviewing the code
A

Static code analysis

39
Q

Analysis that relies on execution of the code while providing it with input to test the software

A

Dynamic code analysis

40
Q
  • Involves sending invalid or random data to an application to test its ability to handle unexpected data
  • The application is monitored to determine if it crashes, fails, or responds to the input in the correct manner
A

Fuzzing

41
Q

Directly inserts faults into error handling paths, particularly error handling mechanisms that are rarely used or might otherwise be missed during normal testing

A

Fault injection

42
Q

Fault injections can be done in what three ways?

A
  1. Compile time injection
  2. Protocol software fault injection - uses fuzzing techniques to send unexpected or protocol noncompliant data to an application or service that expects protocol compliant input
  3. Run-time injection of data into the running program - either by inserting into the running memory of a program or by injecting the faults in a way that causes the program to deal with them
43
Q

Makes small modifications to the program itself; the altered versions, or mutants, are then tested and rejected if they cause failures

A

Mutation testing

44
Q

Used to simulate a full application load

A

Stress test

45
Q

Testing performed to ensure no new vulnerabilities, misconfigurations, or other issues have been introduced

A

Security regression testing

46
Q

Name some web application vulnerability scanners

A
  • Acunetix WVS
  • Arachni
  • Burp Suite
  • IBM’s AppScan
  • HP’s WebInspect
  • Netsparker
  • QualysGuard’s Web Application Scanner
  • W3AF
47
Q

Allows a tester to capture communication between a browser and the web server and then modify the data that is sent and received

A

Interception proxies