Chapter 20- Software Development Security Flashcards

1
Q
Once programmers are ready to execute their programs, two options are available to them. List them:
A

Compilation and interpretation

2
Q
What is a compiler?
A

A compiler converts source code written in a high-level language into an executable file built for a specific operating system and processor architecture.

3
Q
Examples of compiled languages are:
A

C, Java and FORTRAN (Java is compiled to bytecode that is then executed by the Java Virtual Machine rather than directly by the CPU).

4
Q
List some interpreted languages:
A

Python, R, JavaScript and VBScript

5
Q
Describe interpreted languages:
A

The programmer distributes the source code, which contains instructions in the high-level language. End users then use an interpreter to execute the source code on their own systems. A consequence is that anyone who has the program also has its source.

6
Q
What is polymorphism in object-oriented programming (OOP)?
A

Polymorphism is the characteristic of an object that allows it to respond with different behaviours to the same message or method, depending on the object's type or on external conditions.

7
Q
What is coupling in OOP?
A

Coupling is the level of interaction between objects: how much one class or object depends on the internals of another.

Two classes or objects with low coupling collaborate through a small, well-defined interface to complete a pre-defined task. Low coupling is desirable because it limits how far a change, a defect or a compromise in one component can propagate into others.
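The two ideas above in working code, as an added example that is not from the flashcards: two authenticator classes respond to the same verify() message with different behaviour (polymorphism), and login() depends only on the abstract Authenticator interface, so it is loosely coupled to either implementation. The class and function names, the salt and the token are illustrative assumptions; a production password store would use a slow KDF such as Argon2 or bcrypt rather than a single SHA-256.

```python
from abc import ABC, abstractmethod
import hashlib
import hmac


class Authenticator(ABC):
    """The message every authenticator understands; callers depend on this only."""

    @abstractmethod
    def verify(self, presented: str) -> bool:
        ...


class PasswordAuthenticator(Authenticator):
    """Responds to verify() by comparing a salted SHA-256 digest of the password.
    (Illustrative only: real systems use a slow KDF such as Argon2 or bcrypt.)"""

    def __init__(self, salt: bytes, digest: bytes):
        self.salt = salt
        self.digest = digest

    def verify(self, presented: str) -> bool:
        candidate = hashlib.sha256(self.salt + presented.encode()).digest()
        return hmac.compare_digest(candidate, self.digest)   # constant-time compare


class TokenAuthenticator(Authenticator):
    """Responds to the same verify() message by comparing an opaque bearer token."""

    def __init__(self, expected_token: str):
        self.expected = expected_token.encode()

    def verify(self, presented: str) -> bool:
        return hmac.compare_digest(presented.encode(), self.expected)


def login(auth: Authenticator, presented: str) -> str:
    # Loosely coupled: login() never inspects how verify() is implemented,
    # so either authenticator (or a future one) can be substituted.
    return "granted" if auth.verify(presented) else "denied"


def demo() -> dict:
    # Constructed credentials for the example.
    salt = b"constructed-salt"
    pw_auth = PasswordAuthenticator(salt, hashlib.sha256(salt + b"hunter2").digest())
    tok_auth = TokenAuthenticator("tok_constructed_123")
    return {
        "password_ok": login(pw_auth, "hunter2"),
        "password_bad": login(pw_auth, "letmein"),
        "token_ok": login(tok_auth, "tok_constructed_123"),
        "token_bad": login(tok_auth, "tok_other"),
    }


if __name__ == "__main__":
    print(demo())
```

If login() had been written against PasswordAuthenticator directly (high coupling), adding token authentication would have meant changing login() itself; with the interface in between, the only change is a new subclass.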

8
Q
What are assurance procedures?
A

Assurance procedures are simply formalised processes by which trust is built into the lifecycle of a system.

9
Q
List methods to avoid system failure in software development:
A

Use input validation, and create fail-secure or fail-open procedures that decide what the system does when a component fails.

10
Q
What is escaping input?
A

Escaping input transforms input to remove risky character sequences and replace them with safe ones (for example, encoding < as &lt; before it is rendered in HTML). It is part of input validation and prevents user-supplied data from being interpreted as code or commands, which is how injection attacks such as SQL injection and cross-site scripting work; it also keeps malformed input from crashing the system.
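Validation and escaping side by side, as an added example that is not part of the flashcards. It uses an allowlist check, a range (reasonableness) check, html.escape() for output, and a constructed in-memory SQLite table to show the same injection payload succeeding against string concatenation and failing against a parameterised query. The table, its users and the payload are constructed for the example; the function names are assumptions.

```python
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value: str) -> str:
    """Allowlist validation: only letters, digits and underscore, 3-32 chars."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def validate_quantity(value: str) -> int:
    """Reasonableness check: an order quantity must be an integer in 1..1000."""
    qty = int(value)               # ValueError on non-numeric input
    if not 1 <= qty <= 1000:
        raise ValueError("quantity out of bounds")
    return qty


def escape_for_html(value: str) -> str:
    """Escaping: <, >, &, and quotes become entities so the browser shows text."""
    return html.escape(value, quote=True)


def rejects(check, value) -> bool:
    """True when the check raises ValueError for this value."""
    try:
        check(value)
    except ValueError:
        return True
    return False


def _demo_db() -> sqlite3.Connection:
    # Constructed in-memory table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def lookup_unsafe(conn, name: str) -> list:
    # Vulnerable: the value is pasted into the statement text.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name: str) -> list:
    # Hardened: the driver binds the value, so it can never become SQL syntax.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    conn = _demo_db()
    payload = "x' OR '1'='1"          # classic tautology injection
    return {
        "unsafe_rows": len(lookup_unsafe(conn, payload)),   # both rows returned
        "safe_rows": len(lookup_safe(conn, payload)),       # no such user
        "escaped": escape_for_html("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the allowlist check alone would have rejected the payload before it reached the database; validation and parameterisation are layered defences, not alternatives.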

11
Q
What is error handling?
A

Detailed error messages make it easier for technical staff to diagnose problems experienced by users, but they also reveal internals (stack traces, file paths, query text) to attackers. Developers should disable detailed error messages (debugging mode) on servers and applications that are publicly accessible, return a generic message to the user and log the details server-side instead.

12
Q
Explain the 2 basic choices when planning for system failure:
A
  • Fail-secure failure state: puts the system into a high level of security (typically denying access) until an administrator can diagnose the problem and restore the system to normal operation.
  • Fail-open state: allows users to bypass failed security controls, erring on the side of permissiveness. This should be a deliberate choice made for availability reasons, not the default.
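An authorisation check that applies both of the last two cards, as an added example that is not from the flashcards: the decision fails secure by default when the policy store is unavailable, can be switched to fail-open explicitly, and reports a generic message to the caller while the detail goes to the log. The access control list, the exception type and the fail_mode and debug parameters are assumed names for the illustration.

```python
import logging

log = logging.getLogger("authz")

# Constructed access control list: user -> resources they may read.
POLICY = {"alice": {"report.pdf"}, "bob": set()}


class PolicyUnavailable(Exception):
    """Constructed failure: the policy store could not be reached."""


def fetch_policy(user: str, healthy: bool = True) -> set:
    """Stand-in for a remote policy lookup; healthy=False simulates an outage."""
    if not healthy:
        raise PolicyUnavailable("policy store timeout after 5s")
    return POLICY.get(user, set())


def check_access(user: str, resource: str, healthy: bool = True,
                 fail_mode: str = "secure", debug: bool = False) -> tuple:
    """Return (allowed, message). Error detail is logged, not shown, unless
    debug is on, which must stay off on anything publicly reachable."""
    try:
        return (resource in fetch_policy(user, healthy), "ok")
    except Exception as exc:
        # Full detail (type, message, traceback) goes to the server log only.
        log.exception("authorisation failure for %s on %s", user, resource)
        if debug:
            message = f"{type(exc).__name__}: {exc}"     # leaks internals
        else:
            message = "access decision unavailable"        # generic to the user
        if fail_mode == "open":
            return (True, message)    # fail-open: bypass the failed control
        return (False, message)       # fail-secure: deny until fixed


if __name__ == "__main__":
    print(check_access("alice", "report.pdf"))
    print(check_access("alice", "report.pdf", healthy=False))
    print(check_access("alice", "report.pdf", healthy=False, fail_mode="open"))
```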
13
Q
What is conceptual definition?
A

Conceptual definition involves creating the basic concept statement for a system: a high-level description of what it is meant to do, agreed with stakeholders before detailed requirements are written.

14
Q
What is a stop error?
A

A stop error occurs when an undesirable activity occurs in spite of the OS's efforts to prevent it; the OS halts rather than continuing in an unknown state. This is a fail-secure condition.

15
Q
Explain the functional requirement determination stage:
A

This involves creating a functional requirements document that lists the specific system requirements.

16
Q
Explain the 3 major characteristics of a functional requirement:
A

Inputs: the data provided to a function
Behaviour: the business logic describing what actions the system should take in response to different inputs
Output(s): the data returned by a function

17
Q
List the concerns addressed during control specification development:
A

Access controls
Protection of confidential data
Audit trail
Fault tolerance

18
Q
List the 7 stages of development in the waterfall model:
A
System requirements
Software requirements
Preliminary design
Detailed design
Code and debug
Testing
Operations and maintenance
19
Q
SW-CMM, CMM or SCMM means:
A

Software Capability Maturity Model

20
Q
What is the spiral model?
A

The spiral model encapsulates a number of iterations of another model (the waterfall model), each iteration producing a more complete prototype; it is known as the metamodel or the model of models.

21
Q
What is Agile software development?
A

Agile software development places emphasis on the needs of the customer and on quickly developing new functionality that meets those needs in an iterative fashion.

22
Q
What is the idea behind SW-CMM?
A

The idea behind the Software Capability Maturity Model is that the quality of the software depends on the quality of the development process.

23
Q
List the stages in the Software Capability Maturity Model (SW-CMM):
A

IRDMO
Initial: hardworking people charging ahead in a disorganised fashion.
Repeatable: basic lifecycle management is introduced.
Defined: software developers operate according to a set of formally defined software development processes.
Managed: quantitative measures are utilised to gain a detailed understanding of the development process.
Optimizing: a process of continuous improvement occurs.

24
Q
Describe the change management process:
A

The change management process has 3 components (RCR):
Request control: users request modifications; managers conduct a cost-benefit analysis.
Change control: used by developers to re-create the situation encountered by users and analyse appropriate changes to remedy the situation.
Release control: once changes are finalised, they must be approved for release through a release control procedure.

The related configuration management process has 4 components:
Configuration identification: administrators document the configuration of covered software products throughout the organisation.
Configuration control: changes to software versions are made only in accordance with the change control and configuration management policies.
Configuration status accounting: formalised procedures track all authorised changes that take place.
Configuration audit: periodic checks that the actual production configuration matches the documented one.

25
Q
What is a reasonableness check?
A

A reasonableness check ensures that values returned by software (or supplied to it) match specified criteria and fall within reasonable bounds, for example that an age is between 0 and 150.

26
Q
Describe the IDEAL model:
A

Initiating: the business reasons behind the change are highlighted.
Diagnosing: engineers analyse the current state of the organisation.
Establishing: the organisation takes the general recommendations for change and develops a specific plan of action.
Acting: time to stop talking the talk and walk the walk; solutions are developed, tested, refined and implemented.
Learning: the organisation analyses its efforts and proposes improvements for the next iteration.

27
Q
List 3 software testing methods:
A

White-box testing, black-box testing and grey-box testing

28
Q
DevOps is a combination of ____, ______ and ____:
A

Software development, quality assurance and operations.

29
Q
What is white-box software testing?
A

White-box testing examines the internal logic structures of a program and steps through the code line by line, analysing the program for potential errors.

30
Q
What is an Application Programming Interface (API)?
A

An Application Programming Interface (API) is a connection between computers or computer programs. It is a type of software interface, offering a service to other pieces of software.
A user interface connects users to computers; an API connects computers or pieces of software.

31
Q
What is black-box software testing?
A

Black-box testing examines the program from a user perspective by providing a variety of input scenarios and inspecting the output.

32
Q
What is gray-box software testing?
A

Gray-box testing combines white-box and black-box testing. In this approach, testers examine the software from a user perspective, analysing inputs and outputs. They also have access to the source code and use it to help design their tests. They do not, however, analyse the inner workings of the program during their testing.

33
Q
List 2 types of testing used to evaluate application security:
A

Static testing and dynamic testing

34
Q
What is static testing?
A

Static testing evaluates the security of software without running it, by analysing either the source code or the compiled application.

35
Q
What is dynamic testing?
A

Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organisations deploying applications written by someone else.

36
Q
What are code repositories?
A

Code repositories provide several important functions supporting collaboration: central storage of source code, version control, and access control over who can read and change it, e.g. GitHub. Because they hold the source, they are sensitive assets: secrets such as keys and passwords must not be committed to them.

37
Q
What are Service Level Agreements (SLAs)?
A

Service Level Agreements (SLAs) are an increasingly popular way to ensure that organisations providing services to internal and external customers maintain an appropriate level of service, agreed on by both the service provider and the customer.

38
Q
In a table, the number of rows is called the _____ and the number of columns is the _______:
A

Cardinality and degree. (The rows themselves are called records or tuples; the columns are called attributes or fields.)

39
Q
What are candidate keys?
A

A candidate key is a subset of attributes that can be used to uniquely identify any record in a table.

40
Q
What are primary keys?
A

A primary key is selected from the set of candidate keys for a table and used to uniquely identify the records in that table.

41
Q
What are foreign keys?
A

Foreign keys are used to enforce relationships between two tables; the guarantee that every foreign key value refers to an existing record in the related table is known as referential integrity.

42
Q
SQL is divided into 2 parts. List them:
A

Data Definition Language (DDL), which creates and alters the schema (CREATE, ALTER, DROP), and Data Manipulation Language (DML), which reads and changes the data (SELECT, INSERT, UPDATE, DELETE).

43
Q
All database transactions have four required characteristics. List and describe them:
A

(ACID) atomicity, consistency, isolation and durability.
Atomicity: all or nothing; if a part of the transaction fails, the entire transaction must be rolled back.
Consistency: all transactions must begin operating in an environment that is consistent with all of the database's rules, and leave it consistent when they finish.
Isolation: transactions operate separately from each other; one transaction does not see another's uncommitted changes.
Durability: once a transaction is committed, its changes are preserved even if the system fails afterwards.
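The candidate/primary/foreign key, DDL/DML and atomicity cards in one runnable example, added here and not from the flashcards, using Python's built-in sqlite3 module with a constructed two-table schema. The table and column names are illustrative. SQLite only enforces foreign keys once PRAGMA foreign_keys is switched on for the connection, which the example does explicitly.

```python
import sqlite3

# DDL: defines the schema. customers.id is the primary key; email is a second
# candidate key (UNIQUE). orders.customer_id is a foreign key to customers.id.
DDL = """
CREATE TABLE customers (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    amount      INTEGER NOT NULL CHECK (amount > 0)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite
    conn.executescript(DDL)
    return conn


def add_customer(conn, email: str) -> bool:
    """DML insert; a duplicate email violates the candidate key and is refused."""
    try:
        with conn:
            conn.execute("INSERT INTO customers (email) VALUES (?)", (email,))
        return True
    except sqlite3.IntegrityError:
        return False


def add_order(conn, customer_id: int, amount: int) -> bool:
    """Refused if customer_id has no matching customer (referential integrity)
    or amount fails the CHECK constraint."""
    try:
        with conn:
            conn.execute("INSERT INTO orders (customer_id, amount) VALUES (?, ?)",
                         (customer_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def add_orders_atomically(conn, rows) -> bool:
    """Atomicity: all rows commit together, or the whole batch is rolled back."""
    try:
        with conn:   # commits on success, rolls back on any exception
            for customer_id, amount in rows:
                conn.execute("INSERT INTO orders (customer_id, amount) VALUES (?, ?)",
                             (customer_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def order_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    add_customer(db, "alice@example.com")
    print(add_order(db, 99, 10))                        # False: no customer 99
    print(add_orders_atomically(db, [(1, 5), (99, 5)]))  # False, nothing inserted
    print(order_count(db))                               # 0
```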

44
Q
What is cell suppression?
A

Cell suppression is the concept of hiding individual database fields or cells, or imposing more security restrictions on them, so that a user with access to a row cannot see a particular sensitive value within it.

45
Q
What is content-dependent access control?
A

Content-dependent access control is based on the contents or payload of the object being accessed.

46
Q
What is polyinstantiation (databases)?
A

Polyinstantiation in the context of databases occurs when two or more rows in the same relational database table appear to have identical primary key elements but contain different data for use at differing classification levels. It is often used as a defence against some types of inference attacks: a lower-cleared user sees a plausible row and gets no sign that a higher-classified version exists.
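Polyinstantiation in a constructed table, as an added example that is not part of the flashcards. Because the primary key is (ship, level) rather than ship alone, the same ship can have one row per classification level, and the lookup returns only the most classified row the caller is cleared for; filtering on the level column is itself content-dependent access control. The ships, levels and destinations are made up, and the function names are assumptions.

```python
import sqlite3
from typing import Optional

# Constructed classification ordering.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # The composite key lets one ship appear once per classification level.
    conn.execute("""CREATE TABLE cargo (
                        ship        TEXT NOT NULL,
                        level       TEXT NOT NULL,
                        destination TEXT NOT NULL,
                        PRIMARY KEY (ship, level))""")
    conn.executemany("INSERT INTO cargo VALUES (?, ?, ?)", [
        ("Vigilant",  "UNCLASSIFIED", "Port of Norfolk"),   # cover story
        ("Vigilant",  "TOP SECRET",   "Gulf of Aden"),      # real destination
        ("Steadfast", "UNCLASSIFIED", "Rotterdam"),
    ])
    conn.commit()
    return conn


def destination_for(conn, ship: str, clearance: str) -> Optional[str]:
    """Return the destination from the most classified row the user may see.
    Rows above the caller's clearance are filtered out, so their existence
    is never revealed (no error, no empty result that hints at a secret row)."""
    rows = conn.execute(
        "SELECT level, destination FROM cargo WHERE ship = ?", (ship,)).fetchall()
    visible = [(LEVELS[level], dest) for level, dest in rows
               if LEVELS[level] <= LEVELS[clearance]]
    if not visible:
        return None
    return max(visible)[1]   # highest level the caller is cleared for


if __name__ == "__main__":
    db = build_db()
    print(destination_for(db, "Vigilant", "UNCLASSIFIED"))   # Port of Norfolk
    print(destination_for(db, "Vigilant", "TOP SECRET"))     # Gulf of Aden
```

Without the second row, a user with UNCLASSIFIED clearance who tried to insert a Vigilant record would be refused on a duplicate-key error and could infer that a classified row exists; polyinstantiation closes that inference channel.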

47
Q
What are noise and perturbation?
A

Noise and perturbation is a technique in which administrators insert false or misleading data into a DBMS in order to redirect or thwart information confidentiality (inference) attacks.

48
Q
What is Open Database Connectivity?
A

Open Database Connectivity (ODBC) is a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type.

49
Q
List 3 major classes of NoSQL databases:
A

Key/value stores: store information in key/value pairs, where the key is essentially an index used to uniquely identify a record. They are useful for high-speed applications and very large datasets.
Graph databases: store information in graph format, using nodes to represent objects and edges to represent relationships.
Document stores: similar to key/value stores in that they store information using keys, but the information they store is typically more complex than in a key/value store and takes the form of a document (for example JSON or XML).

50
Q
List some types of storage:
A

Primary or real memory: the main memory that is directly available to the system's CPU; made of random access memory (RAM).
Secondary storage: consists of less expensive, non-volatile storage resources available to a system for long-term use, e.g. tapes, disks, hard drives, flash drives.
Virtual memory: allows a system to simulate additional primary memory resources through the use of secondary storage.
Virtual storage: allows a system to simulate secondary storage resources through the use of primary storage.
Random access storage: allows the operating system to request contents from any point within the media, e.g. RAM, hard drives.
Sequential access storage: requires scanning through the media from the beginning to reach a specific address, e.g. magnetic tape.
Volatile storage: loses its contents when power is removed from the resource, e.g. RAM.
Non-volatile storage: does not depend on the presence of power to maintain its contents, e.g. disks, flash.

51
Q
List 2 storage threats:
A

Illegitimate access to storage: exists no matter what type of storage is in use, so storage media needs access controls and, where it can leave the organisation's custody, encryption.
Covert channels: allow the transmission of sensitive data between classification levels through the direct manipulation of shared storage media.

52
Q
List 2 types of knowledge-based artificial intelligence systems:
A

Expert systems and neural networks.

53
Q
What are expert systems?
A

Expert systems seek to embody the accumulated knowledge of experts on a particular subject and apply it in a consistent fashion to future decisions.

54
Q
Every expert system has 2 main components:
A

Knowledge base and inference engine.

55
Q
What is the knowledge base component of an expert system?
A

The knowledge base contains the rules known by the expert system, expressed as "if/then" rules.

56
Q
What is the inference engine of an expert system?
A

The inference engine analyses information in the knowledge base to arrive at the appropriate decision.
The expert system user employs some sort of user interface to provide the inference engine with details about the current situation, and the inference engine uses a combination of logical reasoning and fuzzy logic techniques to draw a conclusion based on past experience.
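A minimal inference engine, added here as an example and not part of the flashcards: the knowledge base is a list of if/then rules over named facts, and infer() forward-chains, firing every rule whose conditions hold, until no rule adds anything new. The facts and rules are constructed for a login-abuse triage scenario, and the engine uses crisp logic only; it has no fuzzy-logic component.

```python
# Knowledge base (constructed): each rule is (set of conditions, conclusion),
# i.e. "if all conditions are known then conclude".
RULES = [
    ({"failed_logins_gt_10", "single_source_ip"}, "brute_force_suspected"),
    ({"failed_logins_gt_10", "many_source_ips"}, "password_spray_suspected"),
    ({"brute_force_suspected", "login_succeeded"}, "account_compromise_likely"),
    ({"account_compromise_likely", "privileged_account"}, "escalate_to_ir"),
]


def infer(facts, rules=RULES) -> set:
    """Forward chaining: fire every rule whose conditions hold until a fixpoint,
    so conclusions of one rule can satisfy the conditions of another."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for conditions, conclusion in rules:
            if conditions <= known and conclusion not in known:
                known.add(conclusion)
                changed = True
    return known


def decide(facts) -> str:
    """The user-facing decision derived from the facts supplied via the UI."""
    known = infer(facts)
    if "escalate_to_ir" in known:
        return "escalate"
    if {"account_compromise_likely", "password_spray_suspected"} & known:
        return "investigate"
    if "brute_force_suspected" in known:
        return "monitor"
    return "ignore"


if __name__ == "__main__":
    situation = {"failed_logins_gt_10", "single_source_ip",
                 "login_succeeded", "privileged_account"}
    print(sorted(infer(situation)))
    print(decide(situation))   # escalate
```

The rules are data, not code: an analyst can add a new if/then rule to RULES without touching infer(), which is what makes the knowledge base maintainable by the domain expert rather than the programmer.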

57
Q
What is machine learning?
A

Machine learning uses analytic capabilities to develop knowledge from datasets without the direct application of human insight.

58
Q
List 2 categories of machine learning:
A

Supervised learning: uses labelled data for training. The analyst creating a machine learning model provides a dataset along with the correct answers and allows the algorithm to develop a model that may then be applied to future cases.

Unsupervised learning: uses unlabelled data for training. The dataset provided to the algorithm does not contain the "correct" answers; instead, the algorithm is asked to develop a model independently, for example by clustering similar records.

59
Q
What is deep learning?
A

Deep learning is a form of machine learning built on neural networks (also known as cognitive systems), which chain computational units together in an attempt to imitate the biological reasoning process of the human mind. "Deep" refers to networks with many layers of such units.

60
Q
List the benefits of neural networks:
A

Nonlinearity (the ability to model relationships that are not straight-line), input-output mapping and adaptivity.

61
Q
What is PERT?
A

Program Evaluation Review Technique (PERT) is a project scheduling tool used to judge the size of a software product in development and calculate the standard deviation (SD) for risk assessment.
• PERT is used to direct improvements to project management and software coding in order to produce more efficient software.
62. S