CISSP (Domain 4 - Software Development Security) Flashcards
Waterfall Method
- Traditional model
- Completion of one task leads to the next
- Long term projects
Prototyping Method
- Addresses time issues with waterfall
- Evolves each round
- Four Phases
+ initial concept, implement prototype, refine, release
Spiral Model
- Combination of waterfall and prototyping
- Develop initial version with prototyping, then each with waterfall
Software Development Life Cycle (SDLC) (7 things)
PI/FD/SD/SD/ITI/OM/D
- Project initiation
- Functional design analysis and planning
- System design specifications
- Software development
- Installation/Test/Implementation
- Operational/Maintenance
- Disposal
Project Initiation - SDLC
Identify security requirements
Functional Design - SDLC
Function to address the threat
System Design - SDLC
What security technology will be used
Software Development - SDLC
Write code to meet specifications
Testing and Installation - SDLC
Test system components, create manuals, UAT
Operations/Maintenance - SDLC
Maintain system through SLA
Disposal - SDLC
Data moved to another system or discarded
Verification
Test features for functionality
Validation
Test system as a whole
Computer Aided Software Engineering (CASE)
Tools that help programmers, project managers, and analysts with automation, debugging, and rapid prototyping
Capability Maturity Model (5 levels)
IRDMO
Used to improve processes which improves output
- Initiating
- Repeatable
- Defined
- Managed
- Optimizing
Initiating - CMM
Processes are disorganized and ad hoc
Repeatable - CMM
Processes made, established, defined, and documented
Defined - CMM
Know the date it will be done
Managed - CMM
% measurements of completion
Optimizing - CMM
Constant process improvement
Object Oriented Programming
- Closely maps to real activities in the business world
- Highly modular
- Self contained
Classes
Define attributes and characteristics of the possible objects within them
Objects
Software entities that are grouped into Classes
Polymorphism
Two objects sent the same message but react differently.
Same input, different output, with different objects in the same class.
Polyinstantiation
Creation of another version of an object using different values for its variables to ensure lower-level subjects do not access data at a higher classification.
Data masking