Chapter 6

Question 1

SDLC (Software Development Life Cycle)

Answer 1

The steps in a model for software development throughout its life.

Question 2

Feasibility Phase

Answer 2

Initial investigations into whether the effort should occur are conducted.

Question 3

Analysis/Requirements Phase

Answer 3

Customer input is sought to determine what the desired functionality is.

Question 4

Design Phase

Answer 4

Design for functionality, architecture, integration, and any other elements that require design consideration.

Question 5

Development Phase

Answer 5

Coding the of the application.

Question 6

UAT (User Acceptance Testing)

Answer 6

Testing that ensures that the users of the software are satisfied.

Question 7

Testing/Integration Phase

Answer 7

Formal testing with customers or others outside the development team.

Question 8

Maintenance Phase

Answer 8

Patching, updating, minor modifications, and other work that goes into daily support.

Question 9

Disposition Phase

Answer 9

The end of a products life, is sometimes shutdown.

Question 10

Waterfall Model

Answer 10

A sequential development model in which each phase is followed by the next.

Question 11

Spiral Model

Answer 11

A development model that uses linear concepts from the Waterfall model and adds an iterative process that revisits phases multiple times throughout the development cycle.

Question 12

Agile Model

Answer 12

A development model that is iterative and incremental rather than linear.

Question 13

Continuous Integration

Answer 13

A development practice that checks code into a shared repository on a consistent basis.

Question 14

OWASP

Answer 14

Define Security Requirements
Leverage Security Frameworks
Secure Database Access
Encode and Escape Data
Validate All Inputs
Implement Digital Identity
Enforce Access Controls
Protect Data Everywhere
Implement Logging and Monitoring
Handle all Errors and Exceptions

Question 15

API (Application Programming Interface)

Answer 15

Interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.

Question 16

Pair Programming

Answer 16

An Agile software development technique that places two developers at one workstation.

Question 17

Over-the-Shoulder

Answer 17

Relies on a pair of developers and requires one developer to explain the code to the other.

Question 18

Pass-around Code Review

Answer 18

A form of manual peer review done by sending completed code to reviewers who check the code for issues.

Question 19

Tool-assisted

Answer 19

Relies on software based tools to conduct code reviews.

Question 20

Fagan Inspection

Answer 20

A structured formal code review intended to find a variety of problems during the development process.

Question 21

Static Code Analysis

Answer 21

Reviewing the source code for an application.

Question 22

Dynamic Code Analysis

Answer 22

Executing the code and using inputs to test the software.

Question 23

Fuzz Testing

Answer 23

Sending invalid or random data to an application to test its ability to handle unexpected data.

Question 24

Injection Vulnerabilities

Answer 24

An attacker supplies some type of code to a web application as input to trick the web server into executing the code or supplying it to another server to execute.

Question 25

Session Hijacking

Answer 25

Stealing an existing authenticated session with a website.

Question 26

Directory Traversal Attack

Answer 26

AN attack that uses a security misconfiguration to navigate directory structures to access files that should remain secure.

Question 27

File Inclusion Attack

Answer 27

Uses directory traversal to actually execute the code contained in a file.

Question 28

XSS (Cross-Site Scripting)

Answer 28

Attackers perform an HTML injection by inserting their own HTML code into a web page.

Question 29

Request Forgery Attack

Answer 29

Exploit trust relationships and attempt to have users unwittingly execute commands against a remote server.

Question 30

XSRF or CSRF (Cross-site Request Forgery)

Answer 30

An attack that exploits the trust that a user has in a website to execute code on the user’s computer.

Question 31

SSRF (Server-side Request Forgery)

Answer 31

An attack that tricks a server into visiting a URL based on user-supplied input.

Question 32

WAF (Web Application Firewall)

Answer 32

A “firewall” that works at the Application Layer and receives all network traffic headed to that server. It then perform input validation before passing that info on to the server.

Question 33

Database Normalization

Answer 33

A Set of design principle that database designers should follow when building and modifying databases.

Question 34

Code Signing

Answer 34

Provides developers a way to confirm the authenticity of their code to end users.

Question 35

SWG (Secure Web Gateway)

Answer 35

Protects users working in the office or outside the office who are accessing resources from the internet.

Question 36

OWASP (Open Web Application Security Project)

Answer 36

Provides a regularly updated list of proactive controls regarding security threats to web applications.

Question 37

CI/CD (Continuous Integration/Continuous Delivery)

Answer 37

Ensures that code vulnerabilities can be patched and updated code placed into production as quickly as possible.