Domain 4 - Software Development Security Flashcards
An agile development method that uses pairs of programmers who work off a detailed specification
Extreme Programming (XP)
In Software Development Security, a black box that combines code and data and sends and receives messages
Object
Changes the older procedural programming methodology and treats a program as a series of connected objects that communicate via messages
Object-Oriented Programming
Programming Languages that use subroutines, procedures, and functions
Procedural Languages (eg. Basic, C, Fortran, Pascal)
A software development model designed to control risk.
Spiral Model
A development model that focuses on security in every phase
Software Delevelopment Life Cycle
An application development model that uses rigid phases; when one phase ends, the next begins
Waterfall Model
Is a software that is executed directly by the CPU
Machine Code or Machine Language
Is a comput prgramming language instructions that are written in text that must that must be translated to machine code before execution by the CPU
Source Code
Is low level programming language
Assembly Language
This converts assembly language into machine language
Assembler
This attempts to convert machine language into assembly
Disassembler
This take source code, such as C or Basic and compile it into machine code
Compilers
A code that is compiled on the fly each time the program is run
Interpreted code. (eg. Perl, Object-Oriented Programming
Object-Oriented Programming
Is a platform independent code that is converted into machine code by the Java Virtual Machine (JVM)
Java Bytecode
These are computr languages that are designed to increase a programmer’s efficiency by automating the creation of computer programming code.
Fourth Generation Language (4GL)
This uses programs to assist in the creation and maintenance of other computer programs
Computer-Aided software engineering (CASE)
Is programming method where it starts with the broadest and highest level requirements (the concept of the final program) and works down toward low-level technical implementation details
Top Down
Reverse of Top Down approach in programming
Bottom-up
Is a software that is typically released in excutable form while the source code is kept confidential.
Closed Software
Is software where its source code is published publicly
Open Source
Is a software that is subject to intellectual property protections such as patents and copyrights
Proprietary Software
A software that is free of charge to use
Freeware
A fully proprietary software that maybe initially use free for a period of time
shareware
Is partially functioning proprietary software, often with key features disable. User typically make a payment to unlock those features
Crippleware
Its a development model that has highly overlapping steps
Sashimi (like japanese overlapping of fish)
What are the XP core practices?
Planning Paired Programming Forty hour workweek Total Customer Involvement Detailed Test Procedures
A rapidly develops software via the use of prototypes, dummy GUI’s, back end databases and more. It’s aim is to quickly meeting business needs of the system; technical concerns are secondary.
Rapid Action Development
is an iterative approach that breaks projects into smaller tasks, creating multiple mockups(prototypes) of system design features
Prototyping
Steps of SDLC Process
- Inititation
- System Concept DEvelopment
- Planning
4, Requirements Analaysis
- Design
- Development
- Integration and Test
- Implmentation
- Operations and Maintenance
- Disposition
This describes the process of having a third party store an archive of computer software
Software Escrow
In OOP. this has the ability of performing different methods depending on the context of the input message
Polymorphism (many forms)
In OOP, a method where two instances (specific objects) with the same names that contain different date
Polyinstantiation (many instances)
A concept used to describe an object that reuires losts of otehr objects to perform basic jobs
Coupling
A concept used to describe an object that can perform most functions independently
Cohesion
A middleware that connect programs to programs. They can be udr to locate objects acting as object search engine.
Object Request Broker (ORB)
Common Object brokers (ORB) includes
COM, DCOM, CORBA
Two object broker technologies by Microsoft
COM - Component Object Model
DCOM - Distributed Component Object Model
What is the difference betwween Microsoft COM and DCOM?
COM locates objects on a local system
DCOM can locate objects over a network
Is an opem vendor neutral networked object broker framework by the Object Management Group (OMG). Its objects communicate via a message interface, described by the interface definition language (IDL)
CORBA - Common Object Request Broker Architecture
Two software development methodologies that take the concept of of obects to a higher , more conceptual design than OOP.
Object Oriented Analysis (OOA)
Object Oriented Design (OOD)
Vulnerabilities that allow an attacker with (typically limited) access to be able to access additional resources.
Privilege Escalation
Is a software testing method that test code passively, that is the code is not running. This includes walkthroughs, syntax checking, and code reviews.
Static Testing
is a softwaretsting method that test the code while executing it.
Dynamic Testing
is a software testing method that gives the tester access to program source code , data structures, variables etc.
White Box Software Testing
Is software testing method where tester have no internal details; the software is treated as a blackbox that receives input.
Black Box Testing
This can be use to map customer’s requirements to the software testing plan: It traces the requirements and ensures that they are being met.
Traceability Matrix
What are the software testing levels?
- Unit Testing
- Installation Testing
- Integration Testing
- Regression Testing
- Acceptance Testing
In software testing, it is a low level tests of software components, such as functions, procedures or objects
Unit Testing
Testing software as it is installed and first operated
Installation Testing
In software testing, testing multiple software components as they are combined into a working system; substes maybe tested, or Big Bang integration testing tests all integrated software components
Integration Testing
Testing software after updates, modification or updates
Regression Testing
Testing to ensure the software meets the customer’s operational requirements; when this testing is done directly by the customer, it is called “User Acceptance Testing”
Acceptance Testing
Is a type of blackbox testing that enters random, malformed data as inputs into software programs to determine if they will crash
Fuzzing or Fuzz testing
Is a black box testing method that seeks to identify and test all unique combinations of software inputs
Combinatorial Software Testing
A good example of this is the Pairwise Testing
This describes the action taken by a security researcher after discovering a software vulnerability
Disclosure
It is the controversial practice of releasing vulnerability details publicly.
Full Disclosure
Is the practice of privately sharing vulnerability information with a vendor and withholding public release until a patch is available
Responsible Disclosure
Is a maturity framework for evaluating and improving the software development process
Software Capability Maturity Model (CMM)
What are the five levels of Software Capability Mature Model?
- Initial
- Repeatable
- Defined
- Managed
- Optimizing
Is a structured collection of related data
Database
Databases are managed by ______ which controls all access to the database and enforces the database security
Database Management System (DBMS)
Is a mathematical attack where an attacker aggregates details at a lower classification to determine information at higher classification
Aggregation
Is a simillar attack to aggragation but the attacker must logically deduced missing details
Inference
What are the formal database types?
Relational (two dimensional)
Hierarchical
Object Oriented
The simplest form of database, a text file that contains multiple lines of data , each in a standard format
Flat File
A table in database is also called ____
Relation
A row is a database record which is also called _____
Tuple
A column in database table is called _____
Attribute
A single cell (intersection of row and column) in a database is called ____
value
Relational database requires a unique value called ____ in each tuple in a table
Primary Key
Is a key in related database table that matches a primary key in the parent database
Foreign Key
Databases must ensure the integrity of of the data in the tables; this is called _____
Data Integrity
____________ means that every foreign key in a secondary table matches a primary key in the parent table
Referential Integrity
______ means that each attribute (column) value is consistent with the attribute data type
Semantic Integrity
____ means each tuple has a unique primary key that is not a null
Entity Integrity
This seek to make that data in a database table logically concise , organised, and consistent. It removes redundant data and improves the integrity and availability of database
Database Normalisation
Normalisation has three rules called Forms. What are these?
First Normal Form(1NF)- Divide data into tables
Second Normal Form (2NF) - Move data that is partially dependent on the primary key to another table
Third Normal Form (3NF) - Remove data that is not dependent on the primary key
The results of database query
Database View
This contains a description of the database tables
Data Dictionary
A data about data
Metadata
A critical data dictionary component which describes the attributes and values of the database table
Database Schema
______ is a log of all database transactions
Database Journal
____ mirrors live database., allowing simulataneous reads and writes to multiple replicated databases by clients
Database Replication
Its similar to a replicated database but all changes is made to a primary database, but clients do not access this. It serves as a live data backup of the primary
Shadow Database
Is a large collection of data may store even petabytes (1000) terabytes of data
Data Warehouse
This is use to search for patterns in a data warehouse. Commonly sought patterns includes signs of fraud
Data Mining
The science of programming electronic computers to think more intelligently, sometimes mimicking the ability of mammal brains
Artificial Intelligence
Simulate neural networks found in humans and animals
Artificial Neural Networks
Creates Random Programs and assigns them a task of solving a problem
Genetic Programming
Is a form of aritificial intelligence that uses knowledge base and inference engine
Expert System
Is a form of artificial intelligence normally use to identify spam
Bayesan Filtering
