Chapter 25: Secure Software

Question 1

machine language

Answer 1

consists of 1’s and 0’s; only format a computer’s processor can understand directly; considered a first-generation language

Question 2

Assembly language

Answer 2

second-generation programming language, uses symbols (mnemonics) to represent complicated binary codes

Question 3

third-generation programming languages

Answer 3

high-level languages (C/C++, Java, Python) have refined programming structures; programming language deals with the low-level system architecture and programmers focus on their programming objectives

Question 4

fourth-generation languages

Answer 4

very high-level languages; use natural language processing to allow inexpert programmers to develop code in less time than it would take an experienced software engineer to do so with a third-generation language

Question 5

fifth-generation languages

Answer 5

natural languages; define the constraints for achieving a specified result and allow development environment to solve problems by itself instead of a programmer having to develop code to deal with individual and specific problems

Question 6

assemblers

Answer 6

tools which convert assembly language source code into machine code

Question 7

compilers

Answer 7

transform instructions from a source language (high-level) to a target language (machine), sometimes using an external assembler

Question 8

garbage collector

Answer 8

identifies blocks of memory which were once allocated but are no longer in use and deallocates the blocks and marks them as free

Question 9

RTE

Answer 9

runtime environment

Question 10

runtime environment

Answer 10

a mini operating system for the program and provides all the resources portable code needs

Question 11

OOP

Answer 11

object-oriented programming

Question 12

object-oriented programming

Answer 12

functions and data are encapsulated together in classes, which may then be instantiated as objects

Question 13

objects in OOP communicate by …

Answer 13

using messages which conform to the receiving object’s application programming interface (API) definition

Question 14

cohesion

Answer 14

how many different types of tasks a module can carry out; goal is to perform only one task (high cohesion), which makes modules easier to maintain

Question 15

coupling

Answer 15

measure of how much a module depends on others; more dependencies are more complex and difficult to maintain, so low or loose coupling is ideal

Question 16

API

Answer 16

the manner in which a software component interacts with other software components

Question 17

parameter validation

Answer 17

confirming the parameter values being received by an application are within defined limits before they are processed by the system

Question 18

software library

Answer 18

collection of components which do specific tasks useful to other components

Question 19

secure coding

Answer 19

set of practices which reduce (to acceptable levels) the risk of vulnerabilities in software

Question 20

source code vulnerability

Answer 20

defect in code which provides threat actors opportunities to compromise the security of a software system

Question 21

secure coding standards

Answer 21

verifiable, mandatory practices to reduce the risk of particular types of vulnerabilities in source code

Question 22

secure coding guidelines

Answer 22

recommended practices which tend to be less specific than standards

Question 23

SDS or SDSec

Answer 23

software-defined security

Question 24

software-defined security

Answer 24

security model in which security functions: firewalling, IDS/IPS, and network segmentation are implemented in software within an SDN environment

Question 25

software development tools

Answer 25

authorized, implemented, and maintained like any software product through the org’s change management process; developers should not be allowed to install and use arbitrary tools

Question 26

static application security testing

Answer 26

SAST; helps identify software defects or security policy violations and carried out by examining source code without executing the program

Question 27

DAST

Answer 27

dynamic application security testing; evaluation of the program in real time, while it is running

Question 28

Fuzzing

Answer 28

used to discover flaws and vulnerabilities in software by sending large amounts of malformed, unexpected, or random data to the target program to trigger failures

Question 29

continuous integration

Answer 29

all new code is integrated into the rest of the system as soon as the developer writes it

Question 30

continuous delivery

Answer 30

incrementally building a software product which can be released at any time and requires continuous integration

Question 31

SCM

Answer 31

software configuration management; identifies attributes of software at various points in time and performs a methodical control of changes for the purpose of maintaining software integrity and traceability throughout the SDLC

Question 32

purpose of software security assessment

Answer 32

to verify the entire development process, organizational policy to delivered product is working as it should

Question 33

security assessments of acquired software are …

Answer 33

essential to mitigate the risk they could pose to an org which acquired it

Question 34

most practical way to assess the security of commercial software

Answer 34

to research vulnerabilities and exploits discovered by others to decide if the vendor uses effective secure coding practices

Question 35

greatest risk in using open-source software

Answer 35

relying on outdated versions of it

Question 36

best way to assess the security of third-party (custom or customized) software

Answer 36

perform external or third-party audits

Question 37

assembly language into machine language

Answer 37

assembler

Question 38

software escrow framework

Answer 38

third party keeps a copy of the source code, which will be released to the customer in specific circumstances (developer going out of business); a good business continuity practice, but not part of security

Question 39

perform only one task so modules are easier to maintain

Answer 39

high cohesion

Question 40

low cohesion

Answer 40

module performs many different types of tasks

Question 41

software-defined security depends on …

Answer 41

software-defined networking (SDN)

Question 42

top three reasons for data breaches in cloud services

Answer 42

misconfigurations, lack of visibility into access settings and activities, and improper access control