Chapter 20- Software Development Security

Question 1

1. Once Programmers are ready to execute their programs, two options are available to them, list them:

Answer 1

: Compilation and interpretation

Question 2

2. What is compiler?

Answer 2

Complier is used to convert the high-level language into an executable file designed for use on a specific operating system.

Question 3

3. Examples of compiled languages are:

Answer 3

C, Java, FORTRAN

Question 4

4. List some interpreted languages

Answer 4

Python, R, JavaScript and VBScript

Question 5

5. Describe Interpreted Languages:

Answer 5

programmer distributes the source code which contains instructions in the higher language. End users then use an interpreter to execute the source code on their systems.

Question 6

6. What is polymorphism in object oriented programming (oop)?

Answer 6

Object Oriented Programming (OOP) is the characteristic of an object that allows it to respond with different behaviours to the same message or method because of changes in external conditions.

Question 7

7. what is coupling in OOP?

Answer 7

coupling means the level of interaction.

In coupling, two classes or objects collaborate and work with each other to complete a pre-defined task.

Question 8

8. What is Assurance Procedure:

Answer 8

Assurance Procedures are simply formalised processes by which trust is built into the lifecycle of a system.

Question 9

9. List methods to avoid system failure in s/w development:

Answer 9

use input validation, creating fail safe or fail-open procedures.

Question 10

10. What is escaping input?

Answer 10

Escaping input is can transform input to remove risky character sequences and replace them with safe ones. This happens in input validation to avoid the system crash from invalid input of data.

Question 11

11. What is error handling?

Answer 11

error messages make it easier for technical staff to diagnose problems experienced by users. Developers should disable detailed error messages on severs and applications that are publicly accessible. i.e. Debugging mode.

Question 12

12. Explain the 2 basic choices when planning for system failure:

Answer 12

• Fail-secure failure state: puts the system into a high level of security until an administrator can diagnose the problem and restore the system to normal operation.
• Fail-open state allows users to bypass failed security controls, erring on the side of permissiveness.

Question 13

13. What is conceptual definition?

Answer 13

Conceptual Definition involves creating the basic concept definition for a system.

Question 14

14. What is a stop error?

Answer 14

stop error occurs when an undesirable activity occurs in spite of the OS’s efforts to prevent it. This is a fail-secure condition.

Question 15

15. Explain Functional Requirement Determination stage:

Answer 15

this involves creating a functional requirements document that that lists the specific system requirements.

Question 16

16. Explain the 3 major characteristics of a functional requirement:

Answer 16

Inputs: data provided into a function
Behaviour: The business logic describing what actions the system should take in response to different inputs.
Output(s): the data provided from a function

Question 17

17. List Control Specification Development steps:

Answer 17

access control
protect confidential data
Audit trail
fault tolerance

Question 18

18. List the 7 stages of development in waterfall Model

Answer 18

System Requirements
Software Requirements
Preliminary Design
Detailed Design
Code and Debug
Testing
Operations and Maintenance

Question 19

19. SW-CMM, CMM or SCMM means:

Answer 19

Software Capability Maturity Model

Question 20

20. What is Spiral Model?

Answer 20

Spiral Model encapsulates a number of iterations of another model (the waterfall model) and it is known as the metamodel or the model of models.

Question 21

21. What is Agile Software Development?

Answer 21

Agile Software Development places emphasis on the needs of the customer and on quickly developing new functionality that meet those needs in an iterative fashion.

Question 22

22. What is the idea behind SW-CMM?

Answer 22

Idea behind Software Capability Maturity Model is that the quality of the software depends on the quality of the development process.

Question 23

23. List the stages in Software Capability Maturity Model (SW-CMM)

Answer 23

IRDMO
Initial: hardworking people charging ahead in a disorganised fashion.
Repeatable: basic lifecycle management is introduced.
Defined: software developers operate according to set f formal defined software development process.
Managed: Quantitative measures are utilized to gain detailed understanding of the development process.
Optimizing: process of continuous improvement occurs.

Question 24

24. Describe Change Management Process:

Answer 24

Change Management Process has 3 components: (RCR) Request control: which users can request modifications; managers conduct cost benefit analysis.
Change Control: used by developers to re-create the situation encountered by users analyse appropriate changes to remedy the situation.
Release control: once changes are finalised, they must be approved for release, through release control procedure.
Configuration Identification: During this process, administrators document the configuration of covered software products throughout the organisation.
Configuration Control:
Configuration Status Accounting:
Configuration Audit:

Question 25

25. What is Reasonableness check?

Answer 25

Reasonableness check ensures that values returned by a software match specified criteria that are within reasonable bounds.

Question 26

26. Describe IDEAL Model:

Answer 26

Initiating: Business reasons behind the change are highlighted.
Diagnosing: engineers analyze the current state of the organisation.
Establishing: Organisations take the general recommendations for change.
Acting: time to stop talking the talk and walk the walk
Learning:

Question 27

27. List 3 software testing methods:

Answer 27

White-Box Testing, Black-Box Testing and Grey-box Testing

Question 28

28. DevOps is a combination of ____, ______ and ____:

Answer 28

Software Development, Quality Assurance and Operations.

Question 29

29. What is white-box software testing?

Answer 29

white-box testing examines the internal logic structures of a program and steps through the code line by line, analyzing the program for potential errors.

Question 30

30. What is Application Programming Interface (API)?

Answer 30

Application Programming Interface (API) is a connection between computers or computer programs. It is a type of software interface, offering a service to other pieces of software.
User Interface connects users to computers, APIs connects computers or pieces of software.

Question 31

31. What is black-box software testing?

Answer 31

Black-box testing examines the program from a user perspective by providing a variety of input scenarios and inspecting the output.

Question 32

32. What is gray-box software testing?

Answer 32

Gray-box testing combines white-box and black-box testing. In this approach, testers examine the software from a user perspective, analysing inputs and outputs. They also have access to the source code and use it to help design their tests. They do not, however, analyse the inner workings of the program during their testing.

Question 33

33. List 2 testing used to evaluate application security:

Answer 33

static testing and dynamic testing

Question 34

34. What is static testing?

Answer 34

Static testing evaluates the security of software without running it by analyzing either the source code or compiled application.

Question 35

35. What is Dynamic Testing?

Answer 35

Dynamic Testing evaluates the security of software in a runtime environment and is often the only option for organisations deploying applications written by someone else

Question 36

36. What are code repositories?

Answer 36

Code Repositories provide several important functions supporting collaborations. e.g. GitHub

Question 37

37. What are Service Level Agreements (SLAs)?

Answer 37

Service Level Agreements (SLAs) is an increasingly popular way to ensure that organisations providing services to internal and external customers maintain an appropriate level of service agreed on by both the service provider and the vendor.

Question 38

38. In a table rows are called _____ and columns are_______:

Answer 38

cardinality and degree.

Question 39

39. What are Candidate Keys?

Answer 39

A Candidate is a subset of attributes that can be used to uniquely identify any record in a table

Question 40

40. What are Primary Keys?

Answer 40

Primary Keys is selected from the set of candidate keys for a table to be used to uniquely identify the records in a table.

Question 41

41. What are Foreign Keys?

Answer 41

Foreign Keys are used to enforce relationships between two tables and are known as referential integrity.

Question 42

42. SQL is divided into 2, list them:

Answer 42

Data Definition Language (DDL) and Data Manipulation Language (DML).

Question 43

43. All databases have four required characteristics, list and describe them

Answer 43

(ACID) atomicity, consistency, isolation and durability.
Atomicity: all or nothing, if a part fails, the entire transaction must be rolled back.
Consistency: All transactions must begin operating in an environment that is consistent with all database’s rule.
Isolation: Transactions operate separately from each other

Question 44

44. What is cell suppression?

Answer 44

Cell Suppression is the concept of hiding individual database fields or cells imposing more security restrictions on them.

Question 45

45. What is Content-Dependent Access Control?

Answer 45

Content-Dependent Access Control is based on the contents or payload of the object being accessed

Question 46

46. What is polyinstantiation (databases)?

Answer 46

Polyinstantiation in the context of databases occurs when two or more rows in the same relational database table appear to have identical primary key elements but contain different data for use a differing classification levels. It is often used as a defence against some types of inference attacks.

Question 47

47. What is noise and perturbation?

Answer 47

Noise and perturbation is when administrators insert false or misleading data into a DBMS in order to redirect or thwart information confidential attacks.

Question 48

48. What is Open Database Connectivity?

Answer 48

Open Database Connectivity (ODBC) is a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type.

Question 49

49. List 3 major classes of NoSQL databases:

Answer 49

Key/value stores: store information in key/value pairs, where the key is essentially an index used to uniquely identify a record. They are useful for high-speed applications and very large datasets.
Graph Databases: they store graph in format, using nodes to represent objects and edges to represent relationships.
Document Stores: similar to key/value stores in that they store information using keys, but the type of information they store is typically more complex than in a key/value store and is in the form of a document.

Question 50

50. List some types of storage:

Answer 50

Primary or real memory: main memory that’s directly available to system’s CPU. Made of Random Access Memory (RAM)
Secondary storage: consists of more inexpensive, non-volatile storage resources available to a system for long-term use. e.g. tapes, disks, hard drives, flash drives
Virtual Memory: allows a system to simulate additional primary memory resources through the use of secondary storage.
Virtual Storage: allows a system to simulate secondary storage resources through the use of primary storage.
Random Access Storage: allows the operating system to request contents from any point within the media. e.g. RAM, hard drives
Sequential Access Storage: requires scanning through the entire media from the beginning to reach a specific address. e.g. magnetic tape
Volatile Storage: loses its contents when power is removed from the resource. e.g. RAM
Non-volatile storage: does not depend upon the presence of power to maintain its contents.

Question 51

51. List 2 storage threats:

Answer 51

Illegitimate Access to storage exists no matter what type of storage is in use.
Covert Channels: these allow the transmission of sensitive data between classification levels through the direct manipulation of shared storage media.

Question 52

52. List 2 types of knowledge-based artificial intelligence systems:

Answer 52

expert systems and neural networks.

Question 53

53. What are Expert systems?

Answer 53

Expert Systems seek to embody the accumulated knowledge of experts on a particular subject and apply it in a consistent fashion to future decisions.

Question 54

54. Every expert system have 2 main components:

Answer 54

knowledge base and inference base.

Question 55

55. What are knowledge base components in expert systems?

Answer 55

Knowledge base contain rules known by an expert system. “if/then” rules

Question 56

56. What are inference base in expert systems?

Answer 56

Inference base analyses information in the knowledge base to arrive at the appropriate decision.
The expert system user employs some sort of user interface to provide the inference engine with details about the current situation, and the inference engine uses a combination of logical reasoning and fuzzy logic techniques to draw a conclusion based on past experience.

Question 57

57. What is Machine Language?

Answer 57

Machine Language use analytic capabilities to develop knowledge from datasets without the direct application of human insight.

Question 58

58. List 2 categories of machine learning:

Answer 58

Supervised learning techniques use labelled data for training. The analyst creating a machine learning model provides a dataset along with the correct answers and allows the algorithm to develop a model that may then be applied to future cases.

Unsupervised Learning: use unlabelled data for training. The dataset provided to the algorithm does not contain the “correct” answers; instead, the algorithm is asked to develop a model independently

Question 59

59. What is deep learning?

Answer 59

Deep Learning is also known as cognitive systems aka Neural networks. This involves chains of computational units in use in an attempt to imitate the biological reasoning process of the human mind.

Question 60

60. List the benefits of neural networks?

Answer 60

Linearity, input-output mapping and adaptivity

Question 61

61. What is PERT?

Answer 61

Program Evaluation Review Technique (PERT) is a project scheduling tool used to judge the size of a software product in development and calculate the standard deviation (SD) for risk assessment.
• PERT is used to direct improvements to project management and software coding in order to produce more efficient software
62. S