Domain 8 Flashcards

1
Q

Programming Languages and Generations:

A

▪ 1st generation: Machine code (the binary instructions the CPU executes directly).
▪ 2nd generation: Assembly language, translated into machine code by an assembler.
▪ 3rd generation: High-level languages such as COBOL, BASIC, C, C++, C#, Java, JavaScript, …
▪ 4th generation: Languages closer to natural language or to a specific problem domain: ColdFusion, Progress 4GL, SQL, PHP, Perl, … (classifications vary; PHP and Perl are often counted as 3rd-generation scripting languages).

2
Q

Waterfall

A
3
Q

Manifesto for Agile Software Development:

A

What is valued in the manifesto:
▫ Individuals and Interactions more than processes and tools.
▫ Working Software more than comprehensive documentation.
▫ Customer Collaboration more than contract negotiation.
▫ Responding to Change more than following a plan.

4
Q

The twelve principles in the manifesto:

A
  1. Customer satisfaction by early and continuous delivery of valuable software.
  2. Welcome changing requirements, even in late development.
  3. Working software is delivered frequently (weeks rather than months).
  4. Close, daily cooperation between business people and developers.
  5. Projects are built around motivated individuals, who should be trusted.
  6. Face-to-face conversation is the best form of communication (co-location).
  7. Working software is the primary measure of progress.
  8. Sustainable development, able to maintain a constant pace.
  9. Continuous attention to technical excellence and good design.
  10. Simplicity—the art of maximizing the amount of work not done—is essential.
  11. Best architectures, requirements, and designs emerge from self-organizing teams.
  12. Regularly, the team reflects on how to become more effective, and adjusts accordingly.
5
Q

Agile Software Development: cycle

A
6
Q

SDLC (Software Development Life Cycle):

A
7
Q

Referential integrity:

A

Every foreign key value in a child (secondary) table matches an existing primary key value in the parent table, or is NULL where the schema allows it.
⬧ It is broken when a foreign key points at a parent row that does not exist, e.g. because the parent row was deleted or the child row was inserted with a wrong key.

8
Q

Semantic integrity:

A

Each attribute value is consistent with the attribute's data type and domain (the set of values allowed for that column, e.g. a non-negative integer for a salary).

9
Q

Entity integrity:

A

Each tuple (row) has a unique primary key value that is not null.

10
Q

Data Definition Language (DDL):

A

⬧ A standard for commands that define the different structures in a database.
⬧ Creates, modifies, and removes database objects such as tables, indexes, and users.
⬧ Common DDL statements are CREATE, ALTER, and DROP.

11
Q

Data Manipulation Language (DML):

A

⬧ Used for selecting, inserting, deleting and updating data in a database.
⬧ Common DML statements are SELECT, DELETE, INSERT, UPDATE.
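The three integrity rules from cards 7 to 9 are enforced by the DDL that defines the tables, and exercised by DML. The following is an added example, not part of the flashcards: a SQLite schema (table and column names made up for illustration) in which the PRIMARY KEY/NOT NULL clause gives entity integrity, the FOREIGN KEY clause gives referential integrity and a CHECK clause gives semantic integrity. SQLite is dynamically typed and ignores FOREIGN KEY clauses unless `PRAGMA foreign_keys` is on, which is why both appear explicitly.

```python
"""Added example (not from the flashcards): DDL defines constraints, DML trips them."""
import sqlite3

# DDL: CREATE defines the structures and the integrity rules that go with them.
SCHEMA = """
CREATE TABLE department (
    dept_id TEXT PRIMARY KEY NOT NULL,          -- entity integrity (unique, not null)
    name    TEXT NOT NULL
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    dept_id TEXT NOT NULL REFERENCES department(dept_id),   -- referential integrity
    salary  INTEGER NOT NULL
            CHECK (typeof(salary) = 'integer' AND salary >= 0)  -- semantic integrity
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite parses FOREIGN KEY clauses but does not enforce them until this is set
    # (per connection, outside a transaction).
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    # DML: seed one parent row so valid child rows have something to reference.
    conn.execute("INSERT INTO department VALUES (?, ?)", ("ENG", "Engineering"))
    conn.commit()
    return conn


def try_dml(conn: sqlite3.Connection, sql: str, params: tuple) -> str:
    """Run one DML statement; return 'ok' or the constraint that rejected it."""
    try:
        with conn:  # commits on success, rolls back if the statement raises
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return str(exc)


def demo() -> dict:
    conn = open_db()
    ins_emp = "INSERT INTO employee VALUES (?, ?, ?)"
    ins_dept = "INSERT INTO department VALUES (?, ?)"
    results = {
        # valid row: references an existing department, integer salary
        "valid": try_dml(conn, ins_emp, (1, "ENG", 5000)),
        # referential integrity: 'HR' is not a department
        "orphan_fk": try_dml(conn, ins_emp, (2, "HR", 5000)),
        # entity integrity: NULL primary key
        "null_pk": try_dml(conn, ins_dept, (None, "Ops")),
        # entity integrity: duplicate primary key
        "dup_pk": try_dml(conn, ins_dept, ("ENG", "Again")),
        # semantic integrity: text in an integer column
        "bad_type": try_dml(conn, ins_emp, (3, "ENG", "lots")),
        # referential integrity on DELETE: the parent row is still referenced
        "delete_parent": try_dml(conn, "DELETE FROM department WHERE dept_id = ?", ("ENG",)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14} -> {outcome}")
```

Each failing statement is rejected by the database itself, not by application code, which is the point of declaring the rules in DDL: every application and every DML path that touches the tables gets the same check.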

12
Q

Coupling:

A

▪ The degree of interdependence between software modules, a measure of how closely connected two routines or modules are.
▪ Loose (low) coupling is the goal: a change inside one module should not force changes in the modules that use it.

13
Q

• Cohesion:

A
▪ Refers to the degree to which the elements inside a module belong together.
▪ Measures the strength of the relationship between pieces of functionality within a given module.
▪ In highly cohesive systems functionality is strongly related; high cohesion together with low coupling is the classic modular design goal.
14
Q

• ORB (Object Request Broker):

A

▪ Middleware which allows program calls to be made from one computer to another via a network, providing location transparency through remote procedure calls.
▪ ORBs promote interoperability of distributed object systems, enabling such systems to be built by piecing together objects from different vendors, while different parts communicate with each other via the ORB.

15
Q

DCOM (Distributed COM):

A

⬧ The networked sequel to COM, which adds support for communication among objects on different computers, on a LAN, a WAN, or even the Internet.

16
Q

CORBA (Common Object Request Broker Architecture):

A

⬧ Open vendor neutral ORB standard defined by the Object Management Group (OMG) designed to facilitate the communication of systems that are deployed on diverse platforms.
⬧ Enables collaboration between systems on different operating systems, programming languages, and computing hardware.

17
Q

OOAD (Object-Oriented Analysis and Design):

A

Over successive iterations, the outputs of the OOAD activities (analysis models from OOA and design models from OOD) are refined and evolve continuously, driven by key factors such as risk and business value.

18
Q

OOA (Object-Oriented Analysis):

A

⬧ Creates a model of the system’s functional requirements that is independent of implementation constraints.
⬧ Organizes requirements around objects, which integrate both behaviors (processes) and states (data).

19
Q

OOD (Object-Oriented Design):

A

⬧ The developer applies the constraints to the conceptual model produced in object-oriented analysis.
⬧ Such constraints could include the hardware and software platforms, the performance requirements, persistent storage and transaction, usability of the system, and limitations imposed by budgets and time.

20
Q

OOM (Object-Oriented Modeling):

A

⬧ Common approach to modeling applications, systems, and business domains by using the object-oriented paradigm throughout the entire development life cycle.
⬧ Heavily used by both

21
Q

The ACID model (Atomicity, Consistency, Isolation, and Durability):

A

⬧ Atomicity:
▫ All or nothing, if any part of the transaction fails, the entire transaction fails.
⬧ Consistency:
▫ The database must be consistent with the rules, before and after the transaction.
⬧ Isolation:
▫ Concurrent transactions do not see each other's intermediate results; the outcome is as if they had run one after another, so one transaction must complete before another can modify the same data.
⬧ Durability:
▫ Once transactions are committed to the database they must be preserved, even if the system crashes immediately afterwards.
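Atomicity and consistency are easiest to see in a transfer between two accounts. Added example, not part of the flashcards: a SQLite ledger (made-up table) whose CHECK constraint is the consistency rule. The credit is applied first and the debit second, so if the debit violates the rule the credit has to be undone as well; the `with conn:` block issues ROLLBACK whenever a statement raises.

```python
"""Added example (not from the flashcards): an atomic transfer with rollback."""
import sqlite3


def new_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Consistency rule: no account may ever hold a negative balance.
    conn.execute(
        "CREATE TABLE account (name TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    # Constructed starting balances.
    conn.executemany("INSERT INTO account VALUES (?, ?)", [("alice", 100), ("bob", 20)])
    conn.commit()
    return conn


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move `amount` from src to dst as one transaction; True if it committed."""
    try:
        with conn:  # BEGIN ... COMMIT, or ROLLBACK if any statement raises
            conn.execute("UPDATE account SET balance = balance + ? WHERE name = ?", (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE name = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        # The debit violated the CHECK; the credit already applied was rolled back too.
        return False


def balances(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT name, balance FROM account ORDER BY name"))


def demo() -> dict:
    conn = new_ledger()
    first = transfer(conn, "alice", "bob", 30)    # both updates succeed -> committed
    second = transfer(conn, "bob", "alice", 500)  # bob cannot cover it -> all or nothing
    return {"first": first, "second": second, "balances": balances(conn)}


if __name__ == "__main__":
    print(demo())
```

After the two calls Alice holds 70 and Bob 50: the first transfer committed, the second left no trace even though its first UPDATE had already run. Isolation is not shown here; SQLite serializes writers, so in a multi-user DBMS look at the isolation level the connection actually uses.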

22
Q

A01:2021 - Broken Access Control:

A

⬧ Access control is often not implemented consistently across an entire application: it can be done correctly in one location but incorrectly, or not at all, in another (a hidden admin URL, an object ID taken from the request and never checked against the caller's permissions, an API endpoint that skips the check the UI performs).
⬧ We need a centralized access control mechanism that denies by default, so the tricky logic is written once, tested once, and reused everywhere.

23
Q

A02:2021 - Cryptographic Failures:

A
⬧ Sites are HTTP rather than HTTPS.
⬧ Data is sent in cleartext.
⬧ Backups, data at rest and data in transit are not encrypted (stored/transmitted in plain text).
⬧ Using older, weaker, and deprecated
24
Q

A03:2021 – Injection:

A

⬧ Untrusted data (form fields, URL parameters, headers, file contents) is passed to an interpreter as part of a command or query. Often seen: SQL, NoSQL, OS command and LDAP injection.
⬧ Attackers can do this because our software does not:
▫ Keep data separate from code (parameterized queries, prepared statements, safe APIs), which is the primary defense.
▫ Use strong enough input validation, data type limitations and input length limitations on input fields (secondary, defense-in-depth measures).
⬧ CGI (Common Gateway Interface):
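The difference between concatenating input into a query and passing it as a parameter, as an added example that is not part of the flashcards. The users table and the credentials are constructed for the demo (a real system stores password hashes, never plaintext); the two payloads are the classic always-true clause and the comment trick.

```python
"""Added example (not from the flashcards): SQL injection and its parameterized fix."""
import sqlite3


def seed() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    # Constructed sample row for the demo only.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Data is concatenated into the SQL text, so a quote in the input changes the query.
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the query structure fixed; the input is bound as data only.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


PAYLOADS = [
    ("admin", "' OR '1'='1"),  # WHERE ... AND password = '' OR '1'='1'  -> always true
    ("admin'--", "anything"),  # WHERE username = 'admin'--'...          -> rest commented out
]


def demo() -> dict:
    conn = seed()
    real = ("admin", "correct horse battery staple")
    return {
        "real_creds": (login_vulnerable(conn, *real), login_parameterized(conn, *real)),
        # for each payload: (vulnerable login result, parameterized login result)
        "payloads": [(login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
                     for u, p in PAYLOADS],
    }


if __name__ == "__main__":
    print(demo())
```

With the real credentials both versions succeed; with either payload only the concatenated version lets the attacker in. Length limits and character filters would have made these specific payloads harder, which is why the card lists them, but the parameterized query is what actually removes the vulnerability.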

25
Q

A04:2021 - Insecure Design

A

⬧ When we design our web applications, we need to design them securely.
⬧ Design flaws are different from implementation bugs: a flawless implementation cannot fix a design that never accounted for a threat, which is why threat modeling and secure design patterns belong early in the life cycle. Any weakness an attacker could exploit that stems from the design counts here.

26
Q

A05:2021 - Security Misconfiguration:

A

⬧ Databases configured wrong.
⬧ Not removing out-of-the-box default access and settings.
⬧ Keeping default usernames and passwords.
⬧ VM, OS, webserver, DBMS, applications,… are

27
Q

A06:2021 - Vulnerable and Outdated Components:

A

⬧ Vulnerable components can be both client- and server-side (OS, web/application server, database management system (DBMS), applications, APIs, runtime environments, libraries, …).
⬧ Developers use deprecated code or components that are known to be insecure, or do not track which versions they actually depend on and so never learn a patch is due.

28
Q

A07:2021 - Identification and Authentication Failures:

A

⬧ Sessions do not expire or take too long to expire.
⬧ Session IDs are predictable or part of the URL; 001, 002, 003, 004,…
⬧ Tokens, Session IDs, Passwords,… are kept in plaintext or are poorly protected (poor encryption and hashing).
⬧ Weak/default passwords and knowledge based

29
Q

A08:2021 - Software and Data Integrity Failures:

A

⬧ When our applications use code, plugins, libraries, or modules from untrusted sources.
⬧ Insecure CI/CD pipelines or unverified updates.
⬧ Software with automatic updates without enough integrity checks.

30
Q

A09:2021 - Security Logging and Monitoring Failures:

A

⬧ When our intrusion monitoring and reporting systems fail to catch and report signs of intrusion.
⬧ Result of poor configuration, badly tuned thresholds, or logs saved only locally (where an attacker who owns the host can alter or delete them).
⬧ Attacks go unnoticed if we do not act on appropriate logs or alerts.

31
Q

A10:2021 - Server-Side Request Forgery:

A

⬧ Web applications usually trigger requests between HTTP servers, to fetch remote resources, such as software updates, or to import metadata from a URL or another web application.
⬧ Usually benign, but if not implemented correctly, they can make a server vulnerable to SSRF.
⬧ Normally an attacker can’t access an internal server because it would be blocked by the firewall. To get around that the attacker can exploit an SSRF vulnerability to launch their attack using a vulnerable web server.
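One way to keep a server-side fetch from being turned against the internal network, as an added example that is not part of the flashcards: validate the scheme, reject userinfo in the URL, allowlist the host, and then check what the host resolves to, since an allowlisted name can still point at an internal address. The host allowlist and the resolver answers below are constructed for the demo; the real lookup in `resolve_host` is only used if no resolver is injected.

```python
"""Added example (not from the flashcards): validating a server-side fetch target."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist of the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"updates.example.com", "metadata.example.com"}


def resolve_host(host: str) -> list:
    """Real DNS lookup; demo() injects a fake resolver so the example runs offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # is_global is False for loopback, RFC 1918, link-local (incl. 169.254.169.254
    # cloud metadata), unique-local IPv6, unspecified and reserved ranges.
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url: str, resolve=resolve_host) -> tuple:
    """Return (allowed, reason) for a server-side fetch of `url`."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (http://trusted@internal/ trick)"
    host = parts.hostname
    if host is None:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        addresses = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    # An allowlisted name can still resolve to an internal address
    # (misconfigured zone, compromised DNS, DNS rebinding).
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed resolver answers for the demo; 93.184.216.34 stands in for a public address.
FAKE_DNS = {
    "updates.example.com": ["93.184.216.34"],
    "metadata.example.com": ["169.254.169.254"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS[host]


def demo() -> dict:
    urls = [
        "https://updates.example.com/latest.json",  # allowed
        "http://127.0.0.1:8080/admin",              # internal host, not on allowlist
        "file:///etc/passwd",                       # wrong scheme
        "http://updates.example.com@10.0.0.5/",     # userinfo trick: real host is 10.0.0.5
        "https://metadata.example.com/",            # allowlisted name, internal address
    ]
    return {u: check_fetch_target(u, fake_resolve) for u in urls}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict[0]!s:5} {url}  ({verdict[1]})")
```

Two caveats a practitioner would add: disable redirects on the actual fetch (or re-run this check on every hop), because a redirect from the allowlisted host to an internal address bypasses the URL check; and connect to the address that was validated rather than resolving the name a second time, which closes the rebinding window between check and use.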

32
Q

Cross-Site Request Forgery (CSRF):

A

⬧ The attacker gets a logged-in victim's browser to send a request the attacker crafted; the browser attaches the session cookie automatically, so the application cannot tell it apart from a request the user meant to make.
⬧ Made easier by: stolen session IDs or tokens; phishing (the malicious link or page that triggers the request); passwords/usernames saved in cookies; saved site passwords; not logging off when done; using the same browser for sensitive and non-sensitive browsing.
⬧ Current browsers do mitigate some of this, they should use unique session-specific tokens (random or
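The two fixes cards 28 and 32 ask for, as an added example that is not part of the flashcards: session IDs drawn from the OS CSPRNG instead of a counter, and a per-session CSRF token that the server derives with an HMAC and compares in constant time. `SERVER_KEY` and the handler are hypothetical; in a real application the key comes from a secret store and the handler is your framework's route.

```python
"""Added example (not from the flashcards): unpredictable session IDs and
session-bound CSRF tokens."""
import hashlib
import hmac
import secrets

# Server-side secret (assumed to be loaded from a secret store in production).
SERVER_KEY = secrets.token_bytes(32)


def new_session_id() -> str:
    # 256 bits from the OS CSPRNG: neither predictable nor sequential
    # (contrast 001, 002, 003 ... from the card).
    return secrets.token_urlsafe(32)


def csrf_token(session_id: str) -> str:
    # Bind the token to this session: a token lifted from another session is useless,
    # and the server needs no token storage, only the key.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted: str) -> bool:
    # Constant-time comparison so timing does not reveal how many leading bytes matched.
    return hmac.compare_digest(csrf_token(session_id), submitted)


def handle_transfer(cookie_session_id, form: dict) -> str:
    """Hypothetical state-changing handler: the session cookie alone is not enough."""
    if cookie_session_id is None:
        return "401 not logged in"
    if not verify_csrf(cookie_session_id, form.get("csrf_token", "")):
        return "403 missing or wrong CSRF token"
    return "200 transfer done"


def demo() -> dict:
    victim = new_session_id()
    page_token = csrf_token(victim)            # embedded in the form the victim loaded
    other_token = csrf_token(new_session_id())  # token belonging to a different session
    return {
        # the victim's own form submission carries the matching token
        "legit": handle_transfer(victim, {"csrf_token": page_token}),
        # a forged request from another site: the cookie rides along, the token does not
        "forged_no_token": handle_transfer(victim, {}),
        # the attacker submits a token from a session they control
        "forged_other_token": handle_transfer(victim, {"csrf_token": other_token}),
        "ids_differ": new_session_id() != new_session_id(),
    }


if __name__ == "__main__":
    print(demo())
```

The token must never travel in the cookie itself (the attacker's forged request would carry it too); it goes in a hidden form field or a request header. Setting the session cookie with the SameSite attribute and a short lifetime is the complementary browser-side control the card alludes to.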

33
Q

Buffer Overflow (Buffer Overrun):

A

An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. It results from improper coding, when a programmer fails to perform bounds checking.
▪ Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs.
▪ Buffer overflows can often be triggered by malformed inputs: if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, an anomalous transaction that produces more data will write past the end of the buffer.
▪ If this overwrites adjacent data or executable code, the result may be erratic program behavior, including memory access errors, incorrect results and crashes; if the attacker controls what is written (for example a saved return address), it may be arbitrary code execution.
▪ By sending in

34
Q

Race Condition (Race Hazard):

A

▪ Two or more processes or threads access a shared resource (often a file) at the same time, and the outcome depends on which one gets there first.
▪ An attacker with access can exploit the timing, for example by altering or replacing a file between the moment a program checks it and the moment it uses it, which can result in data corruption or privilege escalation.
▪ TOCTOU (Time of Check to Time of Use):
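The file-swap race in concrete form, as an added example that is not part of the flashcards. The racy reader checks the path with `lstat` and then opens it by name; a hook stands in for the attacker who replaces the file with a symlink inside that window. The safe reader opens first with `O_NOFOLLOW` and then inspects the descriptor it actually got with `fstat`, so there is no window. Assumes a POSIX system (`O_NOFOLLOW`, `os.getuid`, symlinks); the files are created in a temporary directory for the demo.

```python
"""Added example (not from the flashcards): TOCTOU on a file path, and the fix."""
import os
import stat
import tempfile


def read_config_racy(path: str, between_check_and_use=None) -> bytes:
    """Check-then-use. The hook simulates an attacker acting inside the window."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError("refusing to read a symlink")
    if between_check_and_use:            # <-- race window between check and use
        between_check_and_use()
    with open(path, "rb") as f:          # follows whatever `path` points to *now*
        return f.read()


def read_config_safe(path: str) -> bytes:
    """Open first, then check the object that was actually opened."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)            # raises OSError (ELOOP) if `path` is a symlink
    try:
        st = os.fstat(fd)                # properties of the open file, not of the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError("unexpected file owner")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:       # fdopen takes ownership of fd
        return f.read()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        conf = os.path.join(workdir, "app.conf")
        secret = os.path.join(workdir, "secret.txt")
        with open(conf, "wb") as f:
            f.write(b"key=value\n")          # constructed config
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET\n")         # constructed file the attacker wants read

        safe_regular = read_config_safe(conf)  # normal case works

        def attacker_swaps_file():
            os.remove(conf)
            os.symlink(secret, conf)

        leaked = read_config_racy(conf, between_check_and_use=attacker_swaps_file)
        try:
            read_config_safe(conf)           # conf is a symlink by now
            safe_outcome = "opened symlink"
        except OSError as exc:
            safe_outcome = f"refused: {exc.strerror}"
        return {"safe_regular": safe_regular, "racy_read": leaked, "safe_read": safe_outcome}


if __name__ == "__main__":
    print(demo())
```

The lstat check passed, yet the racy reader returned the secret file, because the check and the use named the path twice. The same idea generalizes: operate on file descriptors (and `openat`-style calls relative to a directory descriptor) rather than on names, and never make a security decision on one call and act on it with another.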

35
Q

Privilege Escalation:

A

▪ Exploiting a bug, design flaw or configuration oversight in an OS or application to gain access to resources that are normally protected from an application or user.
▪ Attackers often use this to elevate the user account they have gained access to, in order to get administrator access.
▪ The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized

36
Q

Ethical disclosure:

What do you do when you discover a vulnerability? We covered some of this in the white, gray, black hat hacker section

A

▪ Full Disclosure: Tell everyone, make it public, assuming attackers already know and are using it.
▪ Responsible (coordinated) Disclosure: Telling the vendor first; they get time to develop a patch, and then the vulnerability is disclosed.
⬧ If they do nothing we can revert to the full disclosure forcing them to act.
▪ No Disclosure: Attackers finding a vulnerability would try to exploit it and keep it secret as long as possible.

37
Q

Security Orchestration, Automation, and Response (SOAR):

A

A software solution that lets us respond to some security incidents automatically, using playbooks (predefined workflows), increasingly with AI/ML assistance for triage.
▪ SOAR vs. SIEM: Very similar, both collect data and alert on security events, but SOAR will also react to some security events (isolate a host, disable an account, open a ticket, …).
⬧ SIEMs often generate more alerts than a SOC team can handle; SOAR can help reduce the number of alerts and make workflows more manageable.
▪ SOAR combines all the comprehensive data we gather, has case management, standardization, workflows and analytics, and it can integrate with many of our other solutions (Vulnerability Management (VM), IT Service Management (ITSM), Threat Intelligence, …).
▪ All this can help our organization implement

38
Q

Integrated Development Environment (IDE):

A

⬧ The code editor: For writing and editing source code. These editors differ from plain text editors in that they are designed to simplify or enhance the process of writing and editing code.
⬧ Compiler: The compilers change our source code, which is written in a human-readable language, into a form that computers can execute.
⬧ Debugger: Debuggers are used during the testing phase and can help our developers debug their code.
⬧ Build automation tools:

39
Q

CMM (Capability Maturity Model):

Level 1: Initial

A

⬧ Processes at this level are normally undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events.
⬧ This provides a chaotic or unstable environment for the processes.

40
Q

CMM (Capability Maturity Model):

Level 2: Repeatable

A

⬧ At this level of maturity some processes are repeatable, possibly with consistent results.
⬧ Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

41
Q

CMM (Capability Maturity Model):

Level 3: Defined

A

⬧ At this level there are sets of defined and documented standard processes, established and subject to some degree of improvement over time.
⬧ These standard processes are in place.
⬧ The processes may not yet have been used systematically or often enough for the users to become competent or for the process to be validated in a range of situations.

42
Q

CMM (Capability Maturity Model):

Level 4: Managed

A

⬧ Processes at this level use process metrics; effective achievement of the process objectives can be evidenced across a range of operational conditions.
⬧ The suitability of the process in multiple environments has been tested and the process refined and adapted.
⬧ Process users have experienced the process in multiple and varied conditions, and are able to demonstrate competence.

43
Q

CMM (Capability Maturity Model):

Level 5: Optimizing

A

⬧ Processes at this level focus on continually improving process performance through both incremental and innovative technological changes/improvements.
⬧ Addressing statistical common causes of process variation and changing the process to improve process performance.

44
Q

SAMM principles

A

▪ An organization's behavior changes slowly over time.
▪ Changes must be iterative while working toward long-term goals.
▪ There is no single recipe that works for all organizations.
▪ A solution must enable risk-based choices tailored to the organization.
▪ Guidance related to security activities must be prescriptive.
▪ A solution must provide enough details for non-security-people.
▪ Overall, it must be simple, well-defined, and measurable.

45
Q

The User Acceptance Test:

A

Is the software functional for the users who will be using it? It is tested by the users and application managers.

46
Q

Operational Acceptance Testing:

A

⬧ Are the software and all of the components it interacts with ready for operation?
⬧ Tested by system administrators: are the backups in place, do we have a DR plan, how do we handle patching, has it been checked for vulnerabilities, …?

47
Q

Contract Acceptance Testing:

A

⬧ Does the software fulfil the contract specifications? The what/where/how of the acceptance is defined in the contract.

48
Q

Compliance Acceptance Testing:

A

⬧ Is the software compliant with the rules, regulations and laws of our industry?

49
Q

Compatibility/Production Testing:

A

⬧ Does the software interface as expected with other applications or systems?
⬧ Does the software perform as expected in our production environment vs. the development environment?

50
Q

Cloud Computing:

A

• Cloud Computing can be divided into 4 main types:
▪ Private Cloud Computing - Organizations build and run their own cloud infrastructure (or they pay someone to do it for them).
▪ Public Cloud Computing - Shared tenancy – A company builds massive infrastructures and rents it out to anyone who wants it. (Amazon AWS, Microsoft, Google, IBM).
▪ Hybrid Cloud Computing – A mix of Private and Public Cloud Computing. An organization can choose to use Private Cloud for sensitive information and Public Cloud for non-sensitive data.
▪ Community Cloud Computing – Only for use by a specific community of consumers from organizations that have shared concerns. (Mission, policy, security requirements, and/or compliance considerations.)
As with any other outsourcing, make sure you have the right to audit, pen test

51
Q

Cloud Computing:

A

⬧ IaaS (Infrastructure as a Service) The vendor provides everything below the OS (hardware, storage, network, virtualization); the customer installs and manages the OS and everything above it.
⬧ PaaS (Platform as a Service) The vendor provides pre-configured OSs, then the customer adds all programs and applications.
⬧ SaaS (Software as a Service) The vendor provides the OS and applications/programs. Either the customer interacts with the software manually by entering data on the SaaS page, or data is automatically pushed from your other applications to the SaaS application (Gmail, Office 365, Dropbox, Payroll, …).