Chapter 8: Software Development Security

Question 1

What is XSS ?

Answer 1

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.

Question 2

What is CSRF ?

Answer 2

In a CSRF attack, an unauthorized party tricks a user into browsing to an attacker’s website while already authenticated to a resource provider (RP). The attacker then exploits a vulnerability in the web application that can’t tell the difference between a request from the user and a request from someone without their consent. This causes the user to unknowingly perform actions.

Question 3

What are the phases of RAD ?

Answer 3

Per CISSP, Rapid Application Development has 4 phases: Requirements Planning, User Design, Rapid Construction and Cutover.

Question 4

What is the first stage of SW-CMM?

Answer 4

The first stage of the Software Capability Maturity Model:
Initial – The software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort and heroics.

Question 5

What is the second stage of SW-CMM?

Answer 5

The second stage of the Software Capability Maturity Model:
Repeatable – Basic project management processes are established to track cost, schedule, & functionality. Necessary process discipline in place to repeat earlier successes on projects with similar applications.

Question 6

What is the third stage of SW-CMM?

Answer 6

The third stage of the Software Capability Maturity Model:
Defined – Software process for both management & engineering activities is documented, standardized, & integrated into all processes for the organization. All projects use the organization’s standard software process for developing & maintaining software.

Question 7

What is the fourth stage of SW-CMM?

Answer 7

The fourth stage of the Software Capability Maturity Model:
Managed – Detailed measures of the software process & product quality are collected. The software process & products are quantitatively understood & controlled.

Question 8

What is the fifth stage of SW-CMM?

Answer 8

The fifth stage of the Software Capability Maturity Model:
Optimizing – Continuous process improvement is enabled by quantitative feedback from the process & from piloting innovative ideas & technologies.

Question 9

What is the “degree” of a database table?

Answer 9

The number of attributes (Fields).

Question 10

List the steps for SDLC Software Development.

Answer 10

Planning, Requirements, System Analysis, Design, Testing, Deployment, Maintenance

Question 11

What is Fagan Inspection ?

Answer 11

A structured process for identifying defects in software development documents, such as code, designs, and specifications. The process is named after Michael Fagan, who is credited with inventing formal software inspections.

Question 12

Which is an asynchronous review process: Pass-around Reviews, or Team Review?

Answer 12

Pass-around.

Question 13

What is SOAR ?

Answer 13

Security orchestration, automation and response

Question 14

What is a CAB in software development?

Answer 14

Change Advisory Board

Question 15

What is a PERT chart ?

Answer 15

Program Evaluation and Review Technique chart, often used at the beginning of a project to identify obstacles, prioritize tasks, and estimate how long it will take to complete each step.

Question 16

What are the first 4 design principles from the Agile Manifesto ?

Answer 16

1. Our highest priority is to satisfy the customer
   through early and continuous delivery
   of valuable software.
2. Welcome changing requirements, even late in
   development. Agile processes harness change for
   the customer’s competitive advantage.
3. Deliver working software frequently, from a
   couple of weeks to a couple of months, with a
   preference to the shorter timescale.
4. Business people and developers must work
   together daily throughout the project.

Question 17

What are design principles 5-8 from the Agile Manifesto ?

Answer 17

5. Build projects around motivated individuals.
   Give them the environment & support they need, & trust them to get the job done.
6. The most efficient & effective method of
   conveying information to & within a development team is face-to-face conversation.
7. Working software is the primary measure of progress.
8. Agile processes promote sustainable development. Sponsors, developers, & users should be able to maintain a constant pace indefinitely.

Question 18

What are the last 4 design principles from the Agile Manifesto ?

Answer 18

9. Continuous attention to technical excellence
   & good design enhances agility.
10. Simplicity–the art of maximizing the amount
    of work not done–is essential.
11. The best architectures, requirements, & designs emerge from self-organizing teams.
12. At regular intervals, the team reflects on how
    to become more effective, then tunes & adjusts
    its behavior accordingly.

Question 19

What is polyinstantiation ?

Answer 19

Polyinstantiation allows for multiple versions of a database record or file to be created, each with different access classes. This allows for different views of the information to be provided to different users or groups.