Domain 8 Flashcards

1
Q

Static Application Security Testing (SAST)

A

Analysis of software (source, bytecode, or binary) without executing it

  • Tester has access to the src code (white-box testing)
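A minimal illustration of what "analysis without execution" means in practice, added here as an example (not code from the original flashcards): the scanner parses a Python program into an AST and flags dangerous call patterns purely from the syntax tree; the scanned program is never run. The rule set and the sample program under test are constructed for this demo.

```python
"""Toy SAST: walk a Python AST looking for dangerous call patterns
without ever executing the scanned code.  Added example; the rule set and
SAMPLE_SOURCE are constructed for illustration."""
import ast
from typing import List, Tuple

# Constructed program under test.  It is only parsed, never executed.
SAMPLE_SOURCE = '''
import os, subprocess, pickle

def run(cmd):
    subprocess.call(cmd, shell=True)      # shell injection risk

def load(blob):
    return pickle.loads(blob)             # untrusted deserialization

def calc(expr):
    return eval(expr)                     # arbitrary code execution

def safe(cmd):
    subprocess.run(["ls", "-l", cmd])     # argv list, no shell
'''

# Rule set: callee name (as written in the source) -> finding text.
DANGEROUS_CALLS = {
    "eval": "eval() executes arbitrary code",
    "exec": "exec() executes arbitrary code",
    "pickle.loads": "pickle deserialization of untrusted data",
    "os.system": "os.system() passes a string to the shell",
}
SUBPROCESS_CALLS = ("subprocess.call", "subprocess.run", "subprocess.Popen")

def _call_name(node: ast.Call) -> str:
    """Return 'mod.attr' or 'name' for the callee, '' if not resolvable."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def _shell_true(node: ast.Call) -> bool:
    """True if the call passes the literal keyword shell=True."""
    for kw in node.keywords:
        if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
            return True
    return False

def scan_source(source: str) -> List[Tuple[int, str]]:
    """Parse source and return (line, message) findings sorted by line."""
    tree = ast.parse(source)
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f"{name}: {DANGEROUS_CALLS[name]}"))
        elif name in SUBPROCESS_CALLS and _shell_true(node):
            findings.append((node.lineno, f"{name}: shell=True with a command string"))
    return sorted(findings)

if __name__ == "__main__":
    for line, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
```

The `safe()` function is not flagged because the argument is an argv list and `shell` is not set; a real SAST tool adds data-flow (taint) tracking on top of this pattern matching so that `cmd` reaching a shell through an intermediate variable is also caught.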
2
Q

Dynamic Application Security Testing (DAST)

A

Analysis of software while it is running

  • Tester has no knowledge of the src code; no src code required (black-box testing of the deployed application from the outside)
3
Q

Relational Database Management Systems (RDBMS)

A

Basic Architecture:

  • Tables (relations)
  • Rows (records)
  • Columns (fields / attributes)
  • Candidate Keys (any column or set of columns that uniquely identifies a row; one or more per table)
  • Primary Keys (one per table, chosen by the designer from the candidate keys)
  • Foreign Keys (reference another table's primary key; provide referential integrity)
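The keys above enforced by a real engine, as an added example (not from the original flashcards): a two-table schema in SQLite with a primary key, a second candidate key declared UNIQUE, and a foreign key. The schema and rows are constructed for the demo. Note the SQLite-specific caveat that foreign-key enforcement is off unless the PRAGMA is set per connection.

```python
"""Primary key, candidate key (UNIQUE) and foreign key enforcement in SQLite.
Added example; schema and rows are constructed for illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE department (
    dept_id   INTEGER PRIMARY KEY,          -- primary key, one per table
    dept_code TEXT NOT NULL UNIQUE          -- a second candidate key
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    badge   TEXT NOT NULL UNIQUE,           -- candidate key (unique identifier)
    dept_id INTEGER NOT NULL
              REFERENCES department(dept_id)  -- foreign key: referential integrity
);
"""

def open_db() -> sqlite3.Connection:
    """In-memory DB with FK enforcement switched on (off by default in SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # must be set on every connection
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO department VALUES (?, ?)",
                     [(10, "SEC"), (20, "ENG")])
    conn.execute("INSERT INTO employee VALUES (1, 'B-001', 10)")
    conn.commit()
    return conn

def try_insert_employee(conn: sqlite3.Connection, emp_id: int, badge: str, dept_id: int) -> str:
    """Attempt an insert; return 'ok' or the integrity error the engine raised."""
    try:
        with conn:   # commit on success, roll back on exception
            conn.execute("INSERT INTO employee VALUES (?, ?, ?)", (emp_id, badge, dept_id))
        return "ok"
    except sqlite3.IntegrityError as e:
        return f"rejected: {e}"

def try_delete_department(conn: sqlite3.Connection, dept_id: int) -> str:
    """Deleting a parent row that employees still reference is refused."""
    try:
        with conn:
            conn.execute("DELETE FROM department WHERE dept_id = ?", (dept_id,))
        return "ok"
    except sqlite3.IntegrityError as e:
        return f"rejected: {e}"

if __name__ == "__main__":
    db = open_db()
    print(try_insert_employee(db, 2, "B-002", 20))   # ok: dept 20 exists
    print(try_insert_employee(db, 3, "B-003", 99))   # rejected: no dept 99
    print(try_insert_employee(db, 4, "B-001", 10))   # rejected: duplicate badge
    print(try_delete_department(db, 10))            # rejected: employee 1 references it
```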
4
Q

RDBMS Threats & Vulns
Aggregation

A

Ability to create sensitive information by combining non-sensitive data from separate sources

  • Need to know / least privilege can prevent this (don't grant access to every individually harmless piece)
  • More mathematical / statistical in nature (totals, counts, joins across records)
5
Q

RDBMS Threats & Vulns
Inference

A

The ability to deduce sensitive info from observing non-sensitive pieces of info

  • Blurring data (e.g. rounding or adding noise to aggregate results) and DB partitioning help prevent it
  • More based on human deduction than on arithmetic
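The aggregation and inference cards above in working form, as an added example that is not part of the original flashcards: a statistics-only interface releases departmental salary sums (aggregation of non-sensitive rows) and refuses small query sets, yet an attacker combines two permitted aggregates to infer one person's salary. The second run shows the card's "blurring" countermeasure. The HR table, the minimum query-set size and the rounding granularity are constructed assumptions.

```python
"""Inference via a 'tracker' against an aggregate-only query interface, and
the effect of blurring (rounding) the released statistics.  Added example;
EMPLOYEES and MIN_QUERY_SET are constructed for illustration."""
from typing import Callable, Optional, Tuple

# Constructed HR data: (name, department, salary).  Individual salaries are
# sensitive; departmental totals are treated as releasable.
EMPLOYEES = [
    ("alice", "security", 90_000),
    ("bob",   "security", 84_000),
    ("eve",   "security", 97_000),
    ("dan",   "eng",      70_000),
    ("fay",   "eng",      76_000),
]
MIN_QUERY_SET = 2   # refuse any aggregate computed over fewer than 2 records

Row = Tuple[str, str, int]

def sum_salary(pred: Callable[[Row], bool], blur: int = 1) -> Optional[int]:
    """Aggregate-only interface: SUM of salaries over rows matching pred.
    Returns None when the query set is too small.  blur > 1 rounds the
    answer to the nearest multiple of blur (the card's 'blurring')."""
    rows = [r for r in EMPLOYEES if pred(r)]
    if len(rows) < MIN_QUERY_SET:
        return None
    total = sum(s for _, _, s in rows)
    return blur * round(total / blur)

def tracker_attack(target: str, dept: str, blur: int = 1) -> Optional[int]:
    """Infer one person's salary from two permitted aggregates.
    Both query sets pass MIN_QUERY_SET, so the size check alone is not enough."""
    whole = sum_salary(lambda r: r[1] == dept, blur)
    without = sum_salary(lambda r: r[1] == dept and r[0] != target, blur)
    if whole is None or without is None:
        return None
    return whole - without

if __name__ == "__main__":
    print(sum_salary(lambda r: r[0] == "eve"))              # None: direct query blocked
    print(tracker_attack("eve", "security"))                 # 97000: exact salary inferred
    print(tracker_attack("eve", "security", blur=10_000))    # 100000: only a rough value now
    print(tracker_attack("dan", "eng"))                      # None: eng minus dan is 1 row
```

Blurring alone still leaks an approximate value; in practice it is combined with partitioning (not exposing the `name != target` predicate across sensitive columns at all) and with query auditing.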
6
Q

Types of Storage & Memory
Primary (“Real”) Memory

A

Memory that's directly available to a system's CPU

  • Normally volatile RAM; the highest-performance storage tier
7
Q

Types of Storage & Memory
Secondary Storage

A

Inexpensive, nonvolatile resources available to a system for long-term use

  • Hard drives, tapes, CDs
8
Q

Types of Storage & Memory
Virtual Memory

A

Allows a system to simulate additional primary memory through the use of secondary storage

Ex)
- A system low on RAM pages less-used memory out to a swap / page file on disk, so the OS can hand out more memory than is physically installed

9
Q

Types of Storage & Memory
Virtual Storage

A

Allows a system to simulate secondary storage through use of primary storage

- Provides a fast file system for apps, but contents are lost when power is removed (no recovery capability)

Ex) A RAM disk: RAM that presents itself to the OS as secondary storage

10
Q

Types of Storage & Memory
Random Access Storage

A

Allows the OS to request contents from any point within the media

Ex) RAM and hard drives

11
Q

Types of Storage & Memory
Sequential Access Storage

A

Requires reading through the media sequentially from the beginning to reach a specific address

Ex) Magnetic tape

12
Q

Types of Storage & Memory
Volatile Storage

A

Loses its contents when power is removed from the resource

Ex) RAM

13
Q

Types of Storage & Memory
Nonvolatile Storage

A

Does not depend on power to maintain contents

Ex) Magnetic / Optical media and nonvolatile RAM (NVRAM)

14
Q

ML and Neural Networks
Expert Systems

A

2 main components:
1. Knowledge base that contains a series of "if/then" rules
2. Inference engine that applies those rules to the input data to draw conclusions
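The two components side by side, as an added example rather than code from the original flashcards: a knowledge base of if/then rules and a forward-chaining inference engine that keeps firing rules until no new facts appear. The rules classify a constructed login event and are illustrative only.

```python
"""Minimal expert system: a knowledge base of if/then rules plus a
forward-chaining inference engine that runs to a fixpoint.  Added example;
RULES and the sample event are constructed for illustration."""
from typing import List, Set, Tuple

# Knowledge base: (conditions that must all hold, conclusion to assert).
RULES: List[Tuple[Set[str], str]] = [
    ({"failed_logins_gt_10", "single_source_ip"}, "brute_force_suspected"),
    ({"brute_force_suspected", "login_succeeded"}, "account_compromise_likely"),
    ({"account_compromise_likely", "admin_account"}, "severity_critical"),
    ({"brute_force_suspected"}, "block_source_ip"),
    ({"new_country", "login_succeeded"}, "impossible_travel_check"),
]

def infer(facts: Set[str]) -> Set[str]:
    """Inference engine: repeatedly apply every rule whose conditions are all
    known, adding its conclusion, until a full pass adds nothing new.
    Conclusions feed later rules, which is what chains the if/then steps."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for conditions, conclusion in RULES:
            if conditions <= known and conclusion not in known:
                known.add(conclusion)
                changed = True
    return known

def derived(facts: Set[str]) -> Set[str]:
    """Only the conclusions the engine added, without the input facts."""
    return infer(facts) - set(facts)

if __name__ == "__main__":
    event = {"failed_logins_gt_10", "single_source_ip", "login_succeeded", "admin_account"}
    print(sorted(derived(event)))
```

Rule order in the list does not affect the result because the engine loops until a fixpoint; that is also why the knowledge base, not the engine, is what an analyst maintains.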

15
Q

ML and Neural Networks
Machine Learning

A

Attempt to algorithmically discover knowledge from data sets.

16
Q

ML and Neural Networks
Neural Networks

A

Simulate the function of the human brain by arranging a series of layered calculations (nodes / neurons) to solve problems

  • Require extensive training on a particular problem before they can give solutions
17
Q

Systems Development Models
Waterfall

A

Sequential rather than iterative (essentially the opposite of Agile)

A sequential development process that results in the development of a finished product

7 Stages:
1. System Requirements
2. Software Requirements
3. Preliminary Design
4. Detailed Design
5. Code and Debug
6. Testing
7. Ops & Maintenance

(Modified waterfall allows feedback, but you can only move back one stage at a time, not skip around)

18
Q

Systems Development Models
Spiral

A

Uses several iterations of the Waterfall model to produce a number of fully specified and tested prototypes

  • Called a metamodel (a model of models)
  • Loops the waterfall model, where each loop produces a new prototype
  • Allows devs to return to the planning stage as requirements change
19
Q

Software Capability Maturity Model (SW-CMM)

A

5 Levels:
1. Initial - no defined process; ad hoc, often chaotic
2. Repeatable - basic lifecycle mgmt processes in place
3. Defined - formal, documented SW dev process
4. Managed - quantitative measures used to gain a detailed understanding of the process
5. Optimizing - continuous process improvement, with feedback loops

20
Q

IDEAL Model

A

Initiating: Business reasons outlined, support & infrastructure for initiative put in place
Diagnosing: Engineers analyze current state of org and make recommendations for change
Establishing: Org takes recommendations and develops plan to achieve those changes
Acting: Plan is put into action
Learning: Org continues to analyze efforts and results, proposes new action to drive better results

21
Q

Change and Config Mgmt in Software Dev
Request Control

A

A framework in which users can request modifications, managers conduct cost / benefit analysis, and devs prioritize tasks

22
Q

Change and Config Mgmt in Software Dev
Change Control

A

Used by developers to re-create the situation encountered by the user and analyze the changes needed to remedy it; also gives developers an organized framework to build and test a fix before it is rolled out

23
Q

Change and Config Mgmt in Software Dev
Release Control

A

Once changes are finalized, they must be approved for release through the release control procedure.

  • Should also include acceptance testing
24
Q

Virus Propagation Techniques
File Infection

A

Attach to executable files and trigger when the OS attempts to execute the infected file

25
Q

Virus Propagation Techniques
Service Injection

A

Escape detection by injecting themselves into a trusted runtime process of the OS, such as explorer.exe

26
Q

Virus Propagation Techniques
Boot Sector Infection

A

Infect the boot sector of a disk and are loaded into memory during the OS boot process, so they run before the OS itself
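A practitioner's check for this card, added as an example that is not part of the original flashcards: parse a 512-byte MBR, verify the 0x55AA signature, list the partition entries, and compare a hash of the 446-byte boot code region against a recorded known-good baseline. The MBR images and the baseline are constructed in memory here, not read from any real disk.

```python
"""Boot-sector integrity check: parse a 512-byte MBR, verify the 0x55AA
signature, list partition entries and compare the boot code against a
recorded baseline hash.  Added example; the MBR images are constructed."""
import hashlib
import struct
from typing import Dict, List

BOOT_CODE_LEN = 446            # bytes 0..445: boot loader code
PART_TABLE_OFF = 446           # 4 entries x 16 bytes follow the code
SIGNATURE = b"\x55\xaa"        # bytes 510..511
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sectors

def build_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR with one active Linux partition starting at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x83, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48          # three empty entries
    return code + table + SIGNATURE

def parse_mbr(sector: bytes) -> Dict:
    """Return the boot-code hash and partition list; raise on malformed input."""
    if len(sector) != 512 or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                    # type 0 means an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def boot_code_tampered(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot code no longer matches the recorded baseline."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256

# Constructed 'known good' image and the baseline recorded from it.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Constructed infected variant: boot code replaced, partition table untouched,
# which is exactly what a boot sector infector does.
INFECTED_MBR = build_mbr(b"\xeb\x3c\x90" + b"NOTREAL")

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print("clean tampered?   ", boot_code_tampered(CLEAN_MBR, BASELINE))
    print("infected tampered?", boot_code_tampered(INFECTED_MBR, BASELINE))
```

On a live system the baseline has to be refreshed after legitimate boot loader updates, otherwise every update looks like an infection; the partition table is left out of the hash for the same reason.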

27
Q

Virus Propagation Techniques
Macro Infection

A

Spread through code in document macros (often Visual Basic for Applications (VBA) in MS Office docs)
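A triage check for this card, added as an example (not code from the original flashcards): an Office Open XML document is a ZIP container, and embedded VBA lives in a `vbaProject.bin` part that `[Content_Types].xml` declares with the vbaProject content type. The two documents inspected here are built in memory as constructed stand-ins for a .docx and a .docm.

```python
"""Detect embedded VBA in an Office Open XML container by looking for the
vbaProject.bin part and the macro content type.  Added example; the two
documents are constructed in memory and are not real files."""
import io
import zipfile
from typing import Dict

MACRO_PART = "vbaproject.bin"
MACRO_CT = "application/vnd.ms-office.vbaProject"
MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def make_doc(with_macro: bool) -> bytes:
    """Constructed minimal Word container with only the parts we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = '<?xml version="1.0"?><Types>'
        ct += f'<Override PartName="/word/document.xml" ContentType="{MAIN_CT}"/>'
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CT}"/>'
            # Real vbaProject.bin is an OLE compound file; the magic bytes are
            # genuine, the rest is a placeholder.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def macro_report(data: bytes) -> Dict[str, bool]:
    """Two independent indicators of embedded VBA, plus whether it parsed at all."""
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"is_ooxml": False, "has_vba_part": False, "declares_vba_type": False}
    names = z.namelist()
    # Part name match is case-insensitive and ignores the folder (word/, xl/, ppt/).
    has_part = any(n.rsplit("/", 1)[-1].lower() == MACRO_PART for n in names)
    ct_xml = ""
    if "[Content_Types].xml" in names:
        ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
    return {"is_ooxml": True, "has_vba_part": has_part,
            "declares_vba_type": MACRO_CT in ct_xml}

def contains_macros(data: bytes) -> bool:
    """Flag the document if either indicator fires."""
    r = macro_report(data)
    return r["has_vba_part"] or r["declares_vba_type"]

if __name__ == "__main__":
    print("docx:", macro_report(make_doc(False)))
    print("docm:", macro_report(make_doc(True)))
```

Checking both indicators matters because a renamed extension (a .docm saved as .docx) changes neither the part nor the content type, while a crafted file might drop one of the two; parsing the VBA streams themselves (as oletools does) is the next step once a file is flagged.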

28
Q

Software Development Lifecycle

A
  1. Requirements Analysis
  2. Design
  3. Implementation
  4. Testing
  5. Evolution

Real Developers Ideas Take Effort

29
Q

Concentric Circle Security

A

Avoids monolithic security stance

  • layered defense
  • defense in depth
30
Q

Shrink Wrap Code Attacks

A

Exploiting unpatched or poorly configured off-the-shelf (shrink-wrapped) software that you buy / install.