Chapter 20

Question 1

Programming language generations

Answer 1

Gen 1: Machine language; 0 and 1 computer directly understands
Gen 2: Assembly language; mnemonics
Gen 3: Structured, object oriented, etc.
Gen 4: Domain-specific
Gen 5: AI, natural language

Question 2

Compiled vs Interpreted

Answer 2

Compiled - no source code, but easier to hide malware
Interpreted - need source code

Question 3

Run-time environment

Answer 3

Portable across different OS platforms

Question 4

Software libraries

Answer 4

Re-usable code; need to be aware of origins of source code

Question 5

Software failure mitigation

Answer 5

Input validation
Authen and session mgmt
Error handling
Logging
Fail secure

Question 6

SDLC

Answer 6

Conceptual definition
Functional specifications - input/behavior/output
Controls specifications
Design
Coding
Code review
Test
Maintain and change mgmt

Question 7

SDLC models

Answer 7

Iterative Waterfall - with feedback for one phase back only
Spiral - repeated waterfall iterations; each one delivering a prototype until finished product

Question 8

Agile development

Answer 8

Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan

Scrum, scrum master, sprints

Question 9

Agile - 12 principles

Answer 9

1. Highest priority - satisfy customer thru early delivery
2. Welcome changes
3. Deliver working software frequently
4. Business and dev work together
5. Build around motivated people - provide support and trust
6. Face-to-face communication
7. Primary measure of progress is working software
8. Maintain constant pace indefinitely
9. Attention to technical excellence and good design
10. Maximize work not done
11. Self-organizing teams produce best
12. Regular review and adjust

Question 10

SW-CMM
(Software Capability Maturity Model)

Answer 10

Lvl 1: Initial
Lvl 2: Repeatable - basic lifecycle mgmt, reusable code, repeatable project outcomes
Lvl 3: Defined - standard processes, orgranizational processes, training program
Lvl 4: Managed - use metrics, quantitative measurement and quality mgmt
Lvl 5: Optimizing - change mgmt

Question 11

SAMM - software assurance maturity model

Answer 11

5 business functions:
- Governance - strategy, compliance, metrics, training, policy
- Design - threat assessment, security req, security arch
- Implementation - secure building, secure deploy
- Verification - testing
- Operations - incident mgmt, operational mgmt env mgmt

Total of 15 security practices

Question 12

IDEAL

Answer 12

Initiating
Diagnosing
Establishing
Acting
Learning

Question 13

Change Management

Answer 13

Request control processes - request, cost/benefit, prioritize
Change control processes - test and document
Release control processes - approvals, user acceptance, deployment

Question 14

Software Configuration Management

Answer 14

Configuration identification
Configuration Control - auth changes, versioning
Configuration status accounting - change tracking
Configuration Audit - regular check for unauth changes