Chapter 4 - Secure Software Implementation/Coding Flashcards
What is the most important skill a programmer has?
Problem solving.
What is a CPU composed of?
ALU, control unit, registers
What is the ALU?
Arithmetic Logic Unit
What is the main component a CPU communicates with?
RAM
What is the system bus?
The gateway channel through which the components of a system communicate.
What is the sequence of executing one instruction?
- Fetching: gets the instruction from memory
- Decoding: deciphers the instruction and moves data from memory to the ALU
- Execution: the ALU performs a mathematical or logical operation on the data
- Storing: the ALU stores the result in memory or a register
Describe the internal memory layout of a program.
- program text
- data
- stack
- heap
What is the text segment of a program?
The instruction code
What is the data segment of a program?
The area in memory that contains global data
What is the ESP?
The Execution Stack Pointer (I think this is wrong and it should be Extended, a remnant of 16->32 bit) Yeah, this is wrong.
What is a VHLL?
Very High Level Language. These are almost like English.
What is another name for machine code?
Native code
What is another name for native code?
Machine code
What is a compiled language?
Code that is converted from source code to object code, then linked with other modules and/or libraries into machine code.
What is compilation and what does it produce?
Compilation: the process of converting textual source code written by the programmer into raw, processor-specific instruction codes. The output of the compilation process is called the object code.
What is linking?
Duh
What are the benefits of static linking?
Faster processing speed and ease of portability because dependencies are included.
What are the disadvantages of static linking?
Larger executables.
What is a security risk of using dynamic libraries?
If someone compromises a library, they can effectively compromise all binaries that use it.
What is an interpreted language?
One that requires an intermediary host program to read and execute each statement or instruction line by line.
List common interpreted languages.
REXX, PostScript, Perl, Ruby, Python.
Disadvantages of interpreted languages?
Slower execution; on the other hand, they are quicker to change, since no recompilation is needed.
What are hybrid languages?
The source code is compiled into an intermediate stage that resembles object code.
What is an example of a Hybrid Language?
Java and .NET
What are the typical SDLC models?
- Waterfall
- Iterative
- Spiral
- Agile
What is the Waterfall Model?
- Requirements specification
- Design
- Construction (also known as implementation or coding)
- Integration
- Testing and debugging (also known as verification)
- Installation
- Maintenance
What are the 5 phases of the Waterfall model according to NIST 800-64?
- Initiation
- Acquisition/development
- Implementation/assessment
- Operations/maintenance
- Sunset
What is the defining characteristic of Waterfall?
The unidirectional, sequential, phased approach to software development.
What is the Iterative Model?
The project is broken into smaller versions and developed incrementally.
Synonym for the Iterative Model?
Prototyping
What is the advantage of the Iterative Model?
Increased user input opportunity.
What is the disadvantage of Iterative?
If planning cycles are too short, nonfunctional requirements like security get missed.
What is the Spiral Model?
The key characteristic of this model is that each phase has a risk assessment review activity.
What is the primary benefit of Agile?
Changes can be made quickly.
What are the two agile development methodologies?
XP and Scrum
What is XP?
Extreme Programming.
People-centric; suited to small projects.
What is Scrum?
An Agile variant that uses short (30 day) release cycles to allow requirements to change on the fly.
Daily progress is recorded on a burndown chart.
What 3 categories do the 2009 CWE/SANS Top 25 programming errors fall into?
- Insecure interaction between components
- Risky resource management
- Porous defenses