Domain 8

Question 1

Acceptance

Answer 1

A formal, structured hand-over of the finished software system to the customer organization; typically involves test, analysis and assessment activities.

Question 2

Accreditation (also Security Accreditation)

Answer 2

Formal declaration by a designated accrediting authority (DAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial and procedural safeguards.

Question 3

ACID Test

Answer 3

Data integrity provided by means of enforcing atomicity, consistency, isolation and durability policies.

Question 4

Advanced Persistent Threats (APTs)

Answer 4

An agent or organization of agents that plans, organizes and carries out a highly sophisticated attack against a target person, organization or industry over a period of months or possibly even years (thus “persistent”). APTs usually have a strategic goal in mind, which requires many steps in a concerted attack plan to achieve. The term APT may refer to the organization conducting the attack, to specific steps in such an attack as observed by a target or the entire attack sequence. An APT usually involves a phased set of activities, each of which may use dozens of different attack vectors in sequence or in tandem.

Question 5

Aggregation

Answer 5

The ability to combine non-sensitive data from separate sources to create sensitive information.

Question 6

Agile Development

Answer 6

Agile development focuses on small team environments and focuses on collaborative, iterative learning, building, testing and deployment of capabilities to operational use. Agile is used to address the need for rapid software development and deployment cycles, perhaps many cycles per day. Agile development follows patterns of activities such as “scrum,” “sprint” or “safe” to manage change and develop and deploy working, reliable and verifiable function.

Question 7

Application Programming Interfaces (APIs)

Answer 7

Mobile code mechanisms that provide ways for applications to share data, methods or functions over a network. Usually implemented either in XML or JavaScript Object Notation (JSON). A reference to a software access point or library function with a well-defined syntax and well-defined functionality.

Question 8

Arbitrary Code

Answer 8

Alternate sets of instructions and data that an attacker attempts to trick a processor into executing.

Question 9

Blocked and Allowed Lists (software, identities, addresses)

Answer 9

Use of lists of blocked or allowed identities—whether as users, URLs, URIs, web addresses, IP addresses, geographic regions, hardware addresses, files or programs—as a means of controlling (prohibiting or permitting) personnel if the attempt involves a resource not on a pre-approved list. Stand-alone security tools and integrated systems that provide these capabilities are now starting to incorporate anti-malware processes as part of their offerings; similarly, anti- malware products have begun to incorporate these blocked/allowed list management and use capabilities. their access, use or attempt to load and execute. These systems also alert designated IT security. In this course, the term “blocked list” replaces “blacklist” and the term “allowed list” replaces “whitelist.”

Question 10

Botnets

Answer 10

A network of automated systems or processes (robots, or for short, bots) performing a specific function together, usually malicious. Botnets have greatly magnified the power and speed of malicious operations because they all work together toward achieving a malicious goal, and they have allowed for tuning and directing of operations in a way that was not possible with malicious programs in the past.

Question 11

Bots

Answer 11

An emerging and special class of mobile code. These employ limited machine- learning capabilities to assist with user requests for help or assistance, automation of or assistance with workflows, data input quality validation and other similar tasks.

Question 12

Buffer Overflow

Answer 12

A source code vulnerability, which allows attempts to access data locations outside of the storage space to be allocated to the buffer. It can be triggered by attempting to input data that is larger than the input buffer being used.

Question 13

Bypass Attack

Answer 13

Users may attempt to bypass controls at the front end of the database application to access information.

Question 14

Certification

Answer 14

The comprehensive technical security analysis of the system to ensure that it meets all applicable security requirements.

Question 15

Citizen Programmers

Answer 15

Members of the organization who codify work-related knowledge, insights and ideas into varying degrees of reusable software- like forms, often using extensibility features found in most commercial software apps. The very ad hoc nature of these pieces of functionality is extremely difficult to manage, control, verify or assess. In almost all cases, these are beyond the reach and visibility of the organization’s software quality, configuration management or security assessment processes. Such “citizen programming” is often done with little regard to security requirements and can pose a significant risk to some organizations.

Question 16

Code Protection or Logic Hiding

Answer 16

Prevents one software unit from reading or altering the source, intermediate or executable code of another software unit.

Question 17

Code Reuse

Answer 17

When programmers reuse, rather than reinvent, units of software (procedures or objects) that have already been demonstrated to be correct, complete, safe and secure.

Question 18

Commercial Off- the-Shelf (COTS)

Answer 18

Software elements, usually applications, that are provided as finished products not intended for alteration by the end user. Most COTS applications are available as host-based, endpoint-based or platform- based services, and support user extensibility by means of non-programming tools, scripts, macros and configuration parameters. COTS can also include firmware and hardware elements.

Question 19

Common Object Request Broker Architecture (CORBA)

Answer 19

A set of standards that addresses the need for interoperability between hardware and software products residing on different machines across a network. CORBA provides for object location and use across a network.

Question 20

Configuration Control (CC)

Answer 20

Process of controlling modifications to hardware, firmware, software and documentation to protect the information system against improper modifications prior to, during and after system implementation.

Question 21

Configuration Management (CM)

Answer 21

A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing and monitoring the configurations of those products and systems throughout the system development lifecycle.

Question 22

Continuous Integration and Continuous Delivery (CI/CD)

Answer 22

Workflow automation processes and tools that attempt to reduce, if not eliminate, the need for manual communication and coordination between the steps of a software development process.

Question 23

Covert Channel or Covert Path

Answer 23

A communications pathway between two or more processes that transfers information in ways that violate some security policy or requirement. These can be created deliberately (wittingly) by the process designer(s), or unwittingly by the hostile process exploiting hitherto unrecognized exposures of information, resources or other characteristics by the target system.

Question 24

Data Contamination

Answer 24

Attackers can attempt to use malformed inputs—at the field, record, transaction or file level—in an attempt to disrupt the proper functioning of the system.

Question 25

Data Lake

Answer 25

A data warehouse incorporating multiple types or streams of unstructured or semi- structured data.

Question 26

Data Mining

Answer 26

An analysis and decision-making technique that relies on extracting deeper meanings from many different instances and types of data; often applied to data warehouse content.

Question 27

Data Modeling

Answer 27

A design process that identifies all data elements that the system will need to input, create, store, modify, output and destroy during its operational use. Arguably, data modeling should be one of the first steps in systems analysis and design, regardless of whether procedural or OOP approaches will be used to implement it.

Question 28

Data Protection or Data Hiding

Answer 28

Restricts or prevents one software unit from reading or altering the private data of another software unit.

Question 29

Data Type Enforcement

Answer 29

How well (or how poorly) a language protects the programmer from trying to perform operations on dissimilar types of data, or in ways that would lead to erroneous results.

Question 30

Data Warehouse

Answer 30

A collection of data sources such as separate internal databases to provide a broader base of information for analysis, trending and reference. May also involve databases from outside of the organization, either by importing a copy or by reference.

Question 31

Data-centric Threat Modeling

Answer 31

A methodology and framework for focusing on the authorized movement, locations, execution, input and output of data within, from and into a system. These correspond with the security concepts of protecting data in transit, at rest (or in storage) and in use, and it provides a focus for carrying out the security decisions already made as the organization classifies and categorizes its data.

Question 32

Database Management System (DBMS)

Answer 32

A suite of application programs that typically manages databases and their environments. The heart of the DBMS is the database engine, a core application that performs and manages the basic functions of create, read, update and delete (CRUD) of data to and from the database, while also making data available for display or export to users, endpoints and other systems. The DBMS provides the structure for the data and some type of language and architecture for accessing and manipulating the data. The primary objective is to store data and allow users to interact with the data, but of course, in a secure way from a confidentiality, integrity and availability perspective.

Question 33

Database Model

Answer 33

The underlying software design concepts that a DBMS implements; it identifies the specific organization, structure and architecture that the DBMS can provide to users, as they build specific databases to meet business needs.

Question 34

Defensive Programming

Answer 34

The style of program design and coding that translates the business logic about acceptable and harmful input into code, which allows processing of acceptable inputs, but safely blocks attempts to input (or inject) harmful inputs. The lack of adequate defensive programming measures can result in an arbitrary code execution, a misdirection of the program to other resources or locations or otherwise reveal more information useful to an attacker.

Question 35

DevOps

Answer 35

A systems development approach based on lean and agile principles in which business owners and the development, operations and quality assurance departments collaborate and work together to deliver software in a continuous manner that enables the business to more quickly react to market opportunities and reduce the time to include customer feedback into products that need to be developed.

Question 36

DevSecOps

Answer 36

Provides for a merger of phased review (as in the waterfall SDLC) with the DevOps method, so as to incorporate the needs for security, safety, resilience or other emerging properties in the final system, at each turn of the cycle of development.

Question 37

Dynamic Application Security Testing (DAST)

Answer 37

Tools that execute the software unit, application or system under test, in ways that attempt to drive it to reveal a potentially exploitable vulnerability.

Question 38

Emerging Properties

Answer 38

An alternate and perhaps more powerful way of looking at systems-level behavior characteristics such as safety and security. This perspective also helps provide a more testable, measurable answer to questions such as “how secure is our system?”

Question 39

Encapsulation

Answer 39

Enforcement of data hiding and code hiding during all phases of software development and operational use. Bundling together data and methods is the process of encapsulation; its opposite process may be called unpacking or revealing. Also used to refer to taking any set of data and packaging it or hiding it in another data structure, as is common in network protocols and encryption.

Question 40

Executable Code, Object Code

Answer 40

The binary representation of the machine language instruction set that the CPU and other hardware of the target computer directly execute.

Question 41

Extensible Markup Language (XML)

Answer 41

A set of extensions to HTML that provide for data storage and transport in networked environments. XML is frequently used to interface web pages at the front end of a system (as they are displayed and used on client endpoint devices) with databases on back-end servers. XML is often embedded in the HTML files that make up the elements of web pages.

Question 42

Functional Requirements

Answer 42

Describes a finite task or process the system must perform. These are often directly traceable to specific elements in the final system’s design and construction; formal configuration item audits should, for example, be able to identify a given unit of software with the specific functional requirements that dictated it be written and included into the product build.

Question 43

Hierarchical Database Model

Answer 43

Database model in which data elements and records are arranged in parent-child structures such as trees.

Question 44

Independent Verification and Validation (IV&V)

Answer 44

A comprehensive review, analysis and test (software and/or hardware) performed by an objective third party to confirm (i.e., verify) that the requirements are correctly defined, and to confirm (i.e., validate) that the system correctly implements the required functionality and security requirements.

Question 45

Inheritance

Answer 45

Provides mechanisms by which objects that are members of a class (a higher level grouping of like objects) can make use of specific characteristics of the class. Files in a read-only folder, for example, generally will also inherit the folder’s read-only attribute.

Question 46

Integrated Development Environments (IDEs)

Answer 46

A set of software applications, their control procedures, supporting databases, libraries and toolsets that provide a programmer or a team of programmers what they need to specify designs; translate designs into source code; and then compile, test and integrate that code into a finished software product. Many IDEs support multiple programming languages and facilitate their use on the same project.

Question 47

Integrated Product and Process Development (IPPD)

Answer 47

A management technique that simultaneously integrates all essential acquisition activities through the use of multidisciplinary teams to optimize the design, manufacturing and supportability processes.

Question 48

Integrated Product Team (IPT)

Answer 48

A team of stakeholders and individuals that possess various different skills and who work together to achieve a defined process or product.

Question 49

Interactive Application Security Testing (IAST)

Answer 49

Testing that combines or integrates SAST and DAST to improve testing and provide behavioral analysis capabilities to pinpoint the source of vulnerabilities.

Question 50

Intermediate Code

Answer 50

Expressing a program’s required function in a form that is somewhere between human- readable source code and binary sets of values that can be loaded into memory and executed by a CPU. The most common use of intermediate code is to provide machine independence or portability for a program, such as Java does.

Question 51

Knowledge Discovery in Database (KDD)

Answer 51

A mathematical, statistical and visualization method of identifying valid and useful patterns in data.

Question 52

Knowledge Management

Answer 52

The efficient and effective management of information and associated resources in an enterprise to drive business intelligence and decision-making. It may include workflow management, business process modeling, document management, databases and information systems and knowledge-based systems.

Question 53

Level of Abstraction

Answer 53

How close the description (in source code, design documents or any other form) represents one-to-one the details of the underlying object, system or component. Lower-level abstractions generally have far more fine-grain detail than higher level ones.

Question 54

Living-Off- the-Land Non-malware based Ransom Attack

Answer 54

An attack on a system in which illicit access to a system is then used to misuse systems capabilities in the pursuit of the attacker’s agenda. The attacker does not use malware in such attacks, hence anti-malware defenses will not detect and prevent it.

Question 55

Logic Bombs

Answer 55

Malware inserted into a program which will activate and perform functions that suit an attacker’s needs at some later date or when certain conditions are met.

Question 56

Malformed Input Attack

Answer 56

Many of the common source code errors in software can lead to that software failing to correctly handle input data, singly or in combination, that exceeds logical range checks, is contradictory or inconsistent, or is unauthorized. This can result in an arbitrary code execution, a misdirection of the program to other resources or locations or otherwise reveal additional information useful to an attacker.

Question 57

Malware

Answer 57

A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim’s data, applications or operating system or of otherwise annoying or disrupting the victim.

Question 58

Markup Languages

Answer 58

Non-programming languages used to express formatting or arrangement of data on a page or screen. Markup languages are extensible, which allows users to define other operations to be performed. These extend the language into a programming language, such as the way that JavaScript extends HTML.

Question 59

Memory or Object Reuse

Answer 59

All systems must allocate memory or other resources as objects to requesting processes, which involves one process reusing such resources after the first using process has finished with them. Any data remaining in the object when it is reused is a potential security violation (i.e., a data remanence issue).

Question 60

Metadata

Answer 60

Information that describes the format or meaning of other data, which can be used to provide a systematic method for describing resources and improving the retrieval of information.

Question 61

Mobile Code (Executable Content)

Answer 61

A file or a set of files sent by one system to one or more other target or client systems, which, when opened by software already installed on that client, will either control the execution of systems and applications software on that client or be directly executed by that client’s CPU.

Question 62

Modified Prototype Model

Answer 62

An approach to designing and building a system, which starts by building a simplified version of the entire application; this is released for review, with the feedback from the stakeholders used to improve the design of a second, much better version. This is repeated until the owner and stakeholders are satisfied with the final product.

Question 63

Network Database Model

Answer 63

Database model in which data elements and records are arranged in arbitrary linked fashion, such as lists, clusters or other network forms.

Question 64

Nonfunctional Requirements

Answer 64

Identifies broad characteristics of the system as a whole. These usually do not align with a clearly identified subset of systems elements. Typically, many safety, security, privacy and resiliency needs have been deemed nonfunctional by their systems’ analysts and engineers, and as such, configuration audits cannot identify whether any given software unit contributes to such nonfunctional requirements, or indeed if any of them do.

Question 65

Object

Answer 65

An encapsulation of a set of data and the methods that can be used to manipulate that data.

Question 66

Object-oriented (OO) Database Model

Answer 66

A database model that uses object- oriented programming concepts of classes, instances and objects to organize, structure and store both data and methods. Schemas define the structure of the data (in terms of tables, records and attributes or fields); views establish specific selections of tables, rows and columns to meet user or security needs.

Question 67

Object-oriented Programming (OOP)

Answer 67

Defines an object to be a set of software that offers one or more methods, internal to the object, that software external to that object can request be performed. Each method may require specific inputs and resources and may produce a specified set of outputs.

Question 68

Object-oriented Security

Answer 68

Systems security designs that make use of object-oriented programming characteristics such as encapsulation, inheritance, polymorphism and polyinstantiation.

Question 69

Open-Source Software

Answer 69

Software whose source code and other design information is made publicly available for inspection, testing, assessment and use. In many cases, open-source licenses allow modification and refactoring. While many commercial software products protect their source code as proprietary, others include or are licensed, supported reuse of open-source software.

Question 70

Polyinstantiation

Answer 70

Creates a new instance (or version copy) of a data item, with the same identifier or key, allowing for each using process to have its own version of that data. Useful for enforcing and protecting different security levels for a shared resource.

Question 71

Polymorphism

Answer 71

Allowing an object to “take many forms” based on how it is used means that changes to an object do not have to ripple out into every application’s program that uses that object.

Question 72

Procedural Programming

Answer 72

Emphasizes the logical sequence or flow of steps to be performed. A “procedure” is a set of software that performs a particular function, requires specific input data (and possibly other resources) and produces a specific set of outputs. Outputs may include error signals when appropriate. Procedures can invoke (“call”) other procedures.

Question 73

Query Attack

Answer 73

Use of query tools to access data not normally allowed by the trusted front end, including the views controlled by the query application. Malformed queries using SQL to bypass security controls may be possible as well. There are many other examples of where improper or incomplete checks on queries can be used in a similar way to bypass access controls.

Question 74

Ransom Attack

Answer 74

Any form of attack that threatens the destruction, denial or unauthorized public release or remarketing of private information assets. Usually involves encrypting these assets and withholding the decryption key until the ransom is paid by the victim.

Question 75

Ransomware

Answer 75

Malware used for the purpose of facilitating a ransom attack.

Question 76

Rapid Application Development (RAD)

Answer 76

A development methodology that creates an application more quickly by employing techniques such as the use of fewer formal methodologies and reuse of software components.

Question 77

Refactoring

Answer 77

A partial or complete rewrite of a set of software to perform the same functions, but in a more straightforward, more efficient, or more maintainable form.

Question 78

Regression Testing

Answer 78

Testing of a system to ascertain whether recently approved modifications have changed its performance of other approved functions or has introduced other unauthorized behaviors.

Question 79

Relational Database Model

Answer 79

Database model in which data elements and records arranged in tables, and tables, are related (linked) to each other to implement a business logic needed to use data records of different structures or types together in the same activity.

Question 80

Representational State Transfer (REST)

Answer 80

A software architectural style for synchronizing the activities of two (or more) applications running on different systems on a network. REST facilitates these processes exchanging state information, usually via HTTP or HTTPS.

Question 81

Reputation Monitoring

Answer 81

Defensive tactic that uses the trust reputation of a website or IP address as a means of blocking an organization’s users, processes or systems from connecting to a possible source of malware or exploitations. Possibly one’s only effective defense against zero-day exploits. This involves monitoring URLs, domains, IP addresses or other similar information in an attempt to separate the trustworthy sites from the less-than-trustworthy. Dark web addresses, for example, would almost invariably be non-trustworthy.

Question 82

Runtime Application Security Protection (RASP)

Answer 82

Security agents (small code units) built into an application by the developer, which can detect a given set of security violations; upon such detection, the RASP agents can cause the application to terminate, or take other protective actions.

Question 83

Sandbox

Answer 83

A testing environment which is logically, physically or virtually isolated from other environments, and in which applications or systems can be evaluated. Sandboxes can be used as part of development, integration or acceptance testing (so as to not interact with the production environments), as part of malware screening or as part of a honeynet.

Question 84

Scanners (Anti- malware)

Answer 84

Software that examines a suspected file or set of files for the presence of malware, by signature analysis, activity monitors, heuristics and machine-learning techniques or change analysis.

Question 85

Secure Coding Guidelines and Standards

Answer 85

Best practices identified by a variety of software and security professionals, that when used correctly can dramatically reduce the number of exploitable vulnerabilities introduced during development that remain in the operationally deployed system.

Question 86

Security Assessment

Answer 86

Testing, inspection and analysis to determine the degree to which a system meets or exceeds the required security posture. This may assess whether an as- built system meets the requirements in its specifications, or whether an in-use system meets the current perception of the real-world security threats the system may be facing.

Question 87

Software (Quality) Assurance

Answer 87

A variety of formal and informal processes that attempt to determine whether a software application or system meets all of its intended functions, does not perform unwanted functions, is free from known security vulnerabilities and is free from insertion of other errors in its design, code, form, function and data.

Question 88

Software Capability Maturity Modeling (SW-CMM) and Assessment

Answer 88

A management process to foster the ongoing and continuous improvement of an organization’s processes and workflows for developing, maintaining and using software.

Question 89

Software Development Lifecycle (SDLC)

Answer 89

A framework and a systematic process with associated tasks that are performed in a series of steps for building, deploying and supporting software applications. The lifecycle begins with planning and requirements gathering and ends with decommissioning and sunsetting the software. There are many different SDLCs— such as agile, DevSecOps, rapid prototyping—offering different approaches to defining and managing the software lifecycle.

Question 90

Software Libraries

Answer 90

A repository of pre-written code, classes, procedures, scripts and other programming elements. These may be provided by systems or applications vendors, from trustworthy third-party developers, developed in-house by the organization’s programmers or available from various open-source sites.

Question 91

Source Code

Answer 91

Program statements written in human- readable form using a formal programming language’s rules for syntax and semantics.

Question 92

Spiral Method

Answer 92

Improved waterfall development process, which provides for a cycle of Plan, Do, Check and Act (PDCA) sub-stages at each phase of the SDLC.

Question 93

Spyware and Adware

Answer 93

Software that performs a variety of monitoring and data gathering functions. Also known as potentially unwanted programs or applications (PUPs or PUAs), these may be used in monitoring employee activities or their use of systems resources (spyware); adware facilitates advertising efforts. Both may be legitimate and authorized by systems owners to be in use or may be unwanted intruders in these systems.

Question 94

Static Application Security Testing (SAST)

Answer 94

Also known as static source code analysis, these are tools which examine the source code for a variety of errors such as data type errors, loop and structure bounds violations and unreachable code. Since SAST tools do not attempt to execute or simulate the execution of the code being analyzed, it is a bit of a misnomer to call them “testing” tools.

Question 95

Strong Data Typing

Answer 95

A feature of a programming language that prevents data type mismatch errors (such as trying to add amounts of money to dates or times). Strongly typed languages will generate errors at compile time, forcing the programmer to correct a type mismatch or include additional code that performs the correct data type conversion at run time.

Question 96

Threat Surface

Answer 96

The total set of penetrations of a boundary or perimeter that surrounds or contains systems elements.

Question 97

Time of Check vs. Time of Use (TOCTOU) Attacks

Answer 97

Takes advantage of the time delay between a security check (such as authentication or authorization) being performed and actual use of the asset.

Question 98

Trapdoor or Backdoor

Answer 98

A hidden mechanism that bypasses access control measures. It is an entry point into an architecture or system that is inserted in software by developers, during the program’s development to provide a method of gaining access into the program for modification and support reasons. It can also be inserted by an attacker, bypassing access control measures designed to prevent unauthorized software changes.

Question 99

Trojans

Answer 99

Malware that inserts backdoors or trapdoors into other programs or systems. The malware may or may not be disguised as some useful or entertaining application.

Question 100

Trusted Computing Base (TCB)

Answer 100

The collection of all the hardware, software and firmware components within an architecture that is specifically responsible for security and the isolation of objects. TCB is a term that is usually associated with security kernels and the reference monitor.