Chapter 12 Software Development Security Flashcards

1
Q

What phases appear in most software development models?

A
  1. Feasibility phase
  2. Analysis and requirements definition phase
  3. Design phase
  4. Development phase
  5. Testing and integration phase
  6. Training and transition phase
  7. Ongoing operations and maintenance
  8. Disposition phase
2
Q
  • Where initial investigations into whether the effort should occur are conducted
  • Common phase appearing in most software development models
A

Feasibility phase

3
Q
  • Customer input is sought to determine what the desired functionality is, what the current system or application does and does not do, and what improvements are desired
  • Common phase appearing in most software development models
A

Analysis and requirements definition phase

4
Q
  • Includes functionality, architecture, integration points and techniques, data flows, business processes, and any other elements that require design consideration
  • Common phase appearing in most software development models
A

Design phase

5
Q
  • The actual coding of the application occurs here. This phase may involve testing of parts of the software including unit testing and code analysis
  • Common phase appearing in most software development models
A

Development phase

6
Q
  • Individual units or software components are integrated and then tested to ensure proper functionality
  • Common phase appearing in most software development models
A

Testing and integration phase

7
Q
  • Ensures that end users are trained on the software and that the software has entered general use
  • Common phase appearing in most software development models
A

Training and transition phase

8
Q
  • Includes patching, updating, minor modifications, and other work that goes into daily support
  • Common phase appearing in most software development models
A

Ongoing operations and maintenance

9
Q
  • Occurs when a product or system reaches the end of its life
  • Common phase appearing in most software development models
A

Disposition phase

10
Q

Name the software development models

A
  • Waterfall
  • Spiral
  • Agile
  • Rapid Application Development (RAD)
  • The V model
  • The Big Bang model
11
Q

A sequential software development model in which each phase is followed by the next phase

A

Waterfall

12
Q

Name the six phases featured in a waterfall model

A
  1. Gather requirements
  2. Design
  3. Implement
  4. Test / Validate
  5. Deploy
  6. Maintain
13
Q

Uses linear development concepts but adds an iterative process that revisits four phases multiple times during the development life cycle to gather more detailed requirements

A

Spiral

14
Q

What are the four phases in the spiral model?

A
  1. Initial requirements - Gathers business requirements, system requirements, etc.
  2. Design - Conceptual, architectural, logical, and sometimes physical or final design
  3. Build - Produces an initial proof of concept and then further development releases until the final product is built
  4. Evaluation - Involves risk analysis for the development project. As the cycle continues, it involves customer testing and feedback to ensure acceptance
15
Q
  • Iterative and incremental process, rather than the linear process found in other software development models
  • Breaks up work into smaller units allowing work to be done more quickly with less upfront planning
A

Agile

16
Q

The Agile methodology is based on what 12 principles?

A
  1. Ensure customer satisfaction via early and continuous delivery of the software
  2. Welcome changing requirements even late in the development process
  3. Deliver working software frequently (in weeks rather than months)
  4. Ensure daily cooperation between developers and business people
  5. Projects should be built around motivated individuals who get the support, trust, and environment they need to succeed
  6. Face-to-face conversations are the most efficient way to convey information inside the development team
  7. Progress is measured by having working software
  8. Development should be done at a sustainable pace that can be maintained on an ongoing basis
  9. Pay continuous attention to technical excellence and good design
  10. Simplicity, the art of maximizing the amount of work not done, is essential
  11. The best architectures, requirements, and designs emerge from self-organizing teams
  12. Teams should reflect at regular intervals on how to become more effective and then adjust their behavior accordingly
17
Q
  • List of features or tasks that are required to complete a project
  • Specialized term in Agile development
A

Backlogs

18
Q
  • A tool for estimation and planning
  • Estimators are given cards with values for the amount of work required for a task. Estimators are asked to estimate, and each reveals their “bid” on the task
  • This is done until agreement is reached, with the goal to have estimators reach the same estimate through discussion
  • Specialized term in Agile development
A

Planning Poker

19
Q
  • A previously agreed-upon time that a person or team uses to work on a specific goal
  • Specialized term in Agile development
A

Timeboxing

20
Q
  • Describes high-level user requirements
  • Specialized term in Agile development
A

User stories

21
Q
  • Conducted by adding up the estimates for the current sprint efforts and then comparing that to what was completed
  • Specialized term in Agile development
A

Velocity tracking

22
Q
  • Functional components of the code are developed in parallel and then integrated to produce the finished product
  • No planning phase; instead, planning is done as the software is written
A

Rapid Application Development (RAD)

23
Q

What are the five phases of Rapid Application Development (RAD)?

A
  1. Business modeling
  2. Data modeling
  3. Process modeling
  4. Application generation
  5. Testing and turnover
24
Q
  • Includes what information is important, how it is processed, and what the business process should involve
  • Rapid Application Development (RAD) phase
A

Business modeling

25
Q
  • Gathers and analyzes all datasets and objects needed for the effort and defines their attributes and relationships
  • Rapid Application Development (RAD) phase
A

Data modeling

26
Q
  • Covers dataflows based on the business model, as well as process descriptions of how data is handled
  • Rapid Application Development (RAD) phase
A

Process modeling

27
Q
  • Coding and use of automated tools to convert data and process models into prototypes
  • Rapid Application Development (RAD) phase
A

Application generation

28
Q
  • Focuses on the data flow and interfaces between components, since prototypes are tested at each iteration for functionality
  • Rapid Application Development (RAD) phase
A

Testing and turnover

29
Q

An extension of the waterfall model that pairs a testing phase with each development stage

A

The V model

30
Q
  • Relies on no planning or process
  • Focuses on making resources available and simply starting to code based on requirements as they are revealed
A

The Big Bang model

31
Q
  • Places two developers at one workstation: one developer writes code, while the other developer reviews their code as they write it
  • An Agile software development technique
  • Informal code review method
A

Pair programming

32
Q
  • Requires the developer who wrote the code to explain the code to another developer
  • Informal code review method
A

Over-the-shoulder code review

33
Q
  • A form of manual peer review done by sending completed code to reviewers to check the code for issues
  • Informal code review method
A

Pass-around code review

34
Q
  • Relies on formal or informal software-based tools to conduct code reviews, e.g. Atlassian’s Crucible collaborative code review tool, Codacy’s static code review tool, and Phabricator’s Differential code review tool
  • Informal code review method
A

Tool-assisted code reviews

35
Q

In-depth, often time-consuming process intended to fully review code using a team of experts

A

Formal code reviews

36
Q
  • Specifies entry and exit criteria for processes, ensuring that a process is not started before appropriate diligence has been performed, and also making sure that there are known criteria for moving to the next phase
  • Formal code review method
A

Fagan inspection

37
Q

Name the six phases of the Fagan inspection process

A
  1. Planning
  2. Overview - Assigns roles such as coder, reader, reviewer, and moderator
  3. Preparation - Each participant reviews the code or other items being inspected and documents any issues or questions they may have
  4. Meeting - Identifies defects based on the notes from the preparation phase
  5. Rework - Resolves the issues identified
  6. Follow-up - The moderator ensures that all issues identified have been fixed and no new defects were discovered

38
Q
  • Analysis focuses on understanding how the program is written and what the code is intended to do
  • Conducted using automated tools or manually by reviewing the code
A

Static code analysis

39
Q

Analysis that relies on execution of the code while providing it with input to test the software

A

Dynamic code analysis

40
Q
  • Involves sending invalid or random data to an application to test its ability to handle unexpected data
  • The application is monitored to determine if it crashes, fails, or responds to the input in the correct manner
A

Fuzzing

41
Q

Directly inserts faults into error handling paths, particularly error handling mechanisms that are rarely used or might otherwise be missed during normal testing

A

Fault injection

42
Q

Fault injection can be done in what three ways?

A
  1. Compile-time injection
  2. Protocol software fault injection - Uses fuzzing techniques to send unexpected or protocol-noncompliant data to an application or service that expects protocol-compliant input
  3. Run-time injection of data into the running program - Either by inserting data into the running memory of a program or by injecting the faults in a way that causes the program to deal with them

43
Q

Makes small modifications to the program itself; the altered versions, or mutants, are then tested and rejected if they cause failures

A

Mutation testing

44
Q

Used to simulate a full application load

A

Stress test

45
Q

Testing performed to ensure no new vulnerabilities, misconfigurations, or other issues have been introduced

A

Security regression testing

46
Q

Name some web application vulnerability scanners

A
  • Acunetix WVS
  • Arachni
  • Burp Suite
  • IBM’s AppScan
  • HP’s WebInspect
  • Netsparker
  • QualysGuard’s Web Application Scanner
  • W3AF

47
Q

Allows a tester to capture communication between a browser and the web server and then modify the data that is sent and received

A

Interception proxies