Domain 8 Flashcards

1
Q

__ application security testing involves probing a fielded or running application in order to discover potential flaws. This is considered __ box testing.

A

dynamic application security testing (DAST), also called dynamic application testing; black box testing, because the tester exercises the running application without access to its source code.

2
Q

__ computing includes client/server (a user drives server-based applications by interfacing through a client), 3-tier (web apps, e.g. web front end, middleware, back-end data store) and peer-to-peer (each endpoint is equally capable).

A

distributed computing

3
Q

__ is when you find a vulnerability in Microsoft’s code and publicly release it, which forces Microsoft to fix it. __ is going straight to Microsoft and waiting for them to release a fix before anything is published.

A

full disclosure, closed disclosure (more commonly called responsible or coordinated disclosure)

4
Q

__ is the acronym for “Secure by Design, Secure by Default, Secure in Deployment, and Communications”

A

SD3+C. Application security is always best when integrated from the beginning, e.g. Windows releases built under the SDL are generally more secure than Windows XP, for which security was not a critical design goal.

5
Q

__ is the development of a working model with test or real data using an iterative approach supported by user and developer interaction. This SDLC model typically implies frequent customer/client interaction throughout the project.

A

software prototyping

6
Q

__ occur in applications which request memory and later fail to release it (or release it improperly), so memory is gradually exhausted; an attacker who can trigger the leaking code path repeatedly gets a denial of service. Mishandled memory can also divulge sensitive information left in it.

A

memory leaks
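Added example for this card (not part of the original deck): a C program with a request handler that leaks its header buffer on the error path, beside the fixed single-exit version. The tracking allocator, the handler and the "malformed body" input are constructed for the example so the leak is observable without an external tool.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny tracking allocator (constructed for the example) so the leak can be
 * counted without valgrind: blocks handed out minus blocks freed. */
static long live_blocks = 0;

static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void  track_free(void *p)    { if (p) { live_blocks--; free(p); } }

/* Simulated request: parse a header, then a body. The body check fails for
 * malformed input (body shorter than the header claims), which a remote
 * client can trigger at will. */
static bool parse_body(const char *body, size_t declared_len)
{
    return strlen(body) >= declared_len;
}

/* Leaky version: the early return on the error path skips free(hdr). A client
 * sending malformed bodies in a loop drains the server's memory. */
bool handle_request_leaky(const char *body, size_t declared_len)
{
    char *hdr = track_malloc(64);
    char *buf = NULL;
    if (!hdr) return false;
    snprintf(hdr, 64, "len=%zu", declared_len);

    if (!parse_body(body, declared_len))
        return false;                  /* BUG: hdr is never released */

    buf = track_malloc(declared_len + 1);
    if (!buf) { track_free(hdr); return false; }
    memcpy(buf, body, declared_len);
    buf[declared_len] = '\0';

    track_free(buf);
    track_free(hdr);
    return true;
}

/* Fixed version: one exit path that releases everything that was acquired. */
bool handle_request_fixed(const char *body, size_t declared_len)
{
    bool ok = false;
    char *hdr = track_malloc(64);
    char *buf = NULL;
    if (!hdr) return false;
    snprintf(hdr, 64, "len=%zu", declared_len);

    if (!parse_body(body, declared_len))
        goto out;

    buf = track_malloc(declared_len + 1);
    if (!buf) goto out;
    memcpy(buf, body, declared_len);
    buf[declared_len] = '\0';
    ok = true;

out:
    track_free(buf);                   /* free(NULL) is a no-op, so this is safe */
    track_free(hdr);
    return ok;
}

/* Push 'rounds' malformed requests through one handler and report how many
 * blocks are still outstanding afterwards (0 means no leak). */
long leaked_blocks(bool (*handler)(const char *, size_t), int rounds)
{
    live_blocks = 0;
    for (int i = 0; i < rounds; i++)
        handler("short", 100);         /* constructed malformed input: body < declared */
    return live_blocks;
}

int main(void)
{
    printf("leaky handler, 1000 bad requests: %ld blocks outstanding\n",
           leaked_blocks(handle_request_leaky, 1000));
    printf("fixed handler, 1000 bad requests: %ld blocks outstanding\n",
           leaked_blocks(handle_request_fixed, 1000));
    return 0;
}
```

The leak only shows on the error path, which is why it survives functional testing: valid requests free everything. Running the handler under a leak checker with deliberately malformed input is the test that catches it.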

7
Q

__ overflow occurs when an arithmetic result exceeds what its fixed-width storage can hold and wraps around. Potential issues with this attack are: the memory holding the overflowed variable may wrap to zero (UID 0 is root on Unix), other memory may be corrupted (e.g. a wrapped length leads to an undersized allocation that is then overfilled), and program logic can misfire due to unexpected values.

A

integer overflow

8
Q

__ seeks to address issues that can arise from the separation of development and the operational environment.

A

DevOps (Development + Operations): application issues can stem from code, but can also stem from the operational environment

9
Q

__ tools can be used to develop application systems faster and to increase programmers’ and analysts’ productivity.

A

CASE Tools: Computer-Aided Software Engineering tools

10
Q

A __ can mitigate a simple stack-smashing attack: a known value is placed between the local buffers and the saved return address and is checked before the function returns. If it has changed, the function aborts with an error instead of returning through the corrupted return pointer, so the overwrite is detected rather than executed.

A

canary

11
Q

A __ tool is a computer-based product aimed at supporting one or more activities within any aspect of the software development process. It might support only one particular part of this process (such as compilers, editors or UI generators).

A

CASE Tools: Computer-Aided Software Engineering tools

12
Q

Application issues can arise from flaws in code, but also from issues within the operational environment. This approach seeks better understanding, communication and integration among the development and operations portions of an organization.

A

DevOps (Development and Operations)

13
Q

Canaries may be used in a heap (where dynamic memory allocation normally occurs). What does Microsoft call a heap canary?

A

cookie (Microsoft calls its /GS stack canary the “security cookie” and the heap-entry equivalent the “heap cookie”)

14
Q

Difference between open source and closed source.

A

open source: the source is provided to you. Closed source: the source is not provided to you. This is not the same as free vs commercial: sometimes commercial vendors provide the source code so you can validate it from a security perspective.

15
Q

Different types of canaries include a terminator canary (smashing the stack will normally alter and kill the canary), null canary (all null bytes) and a random canary (each byte is a random number). Which is the most secure form of canary?

A

random canary (the attacker cannot know the value to write back; null and terminator canaries are public constants and only stop overflows made with string functions that cannot write the terminator bytes)
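Added example covering the canary cards above (the stack canary check, Microsoft’s cookie and the null/terminator/random comparison); it is not code from the deck or from any compiler. The C program models one stack frame laid out the way SSP/ProPolice arranges it (buffer, then canary, then saved return address) and runs the same overflow against each canary type using three copy primitives: memcpy (any byte), strcpy (stops at NUL) and gets (stops at LF). The canary constants, the attacker’s wrong guess and the fake return address are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame: local buffer, canary, saved return address.
 * One byte array keeps the simulated overflow inside the array while still
 * reproducing the layout the compiler's stack protector uses. */
#define BUF_LEN 16
#define CAN_LEN 4
#define RET_LEN 4
#define CAN_OFF BUF_LEN
#define RET_OFF (BUF_LEN + CAN_LEN)
#define FRAME_LEN (BUF_LEN + CAN_LEN + RET_LEN)

enum canary_kind { CANARY_NULL, CANARY_TERMINATOR, CANARY_RANDOM };
enum primitive   { PRIM_MEMCPY, PRIM_STRCPY, PRIM_GETS };
enum outcome     { ABORTED = 0, FELL_SHORT = 1, HIJACKED = 2 };

/* The terminator canary is the classic NUL/LF/-1/CR set that string functions
 * stop on. The "random" value is a constructed constant; a real implementation
 * draws it per process at startup. */
static const uint8_t NULL_CANARY[CAN_LEN]       = {0x00, 0x00, 0x00, 0x00};
static const uint8_t TERMINATOR_CANARY[CAN_LEN] = {0x00, 0x0a, 0xff, 0x0d};
static const uint8_t RANDOM_CANARY[CAN_LEN]     = {0x7e, 0x3b, 0xc1, 0x95};
static const uint8_t WRONG_GUESS[CAN_LEN]       = {0x41, 0x41, 0x41, 0x41};
static const uint8_t FAKE_RET[RET_LEN]          = {0xef, 0xbe, 0xad, 0xde};
static const uint8_t SAVED_RET[RET_LEN]         = {0x10, 0x20, 0x30, 0x40};

static const uint8_t *canary_value(enum canary_kind k)
{
    if (k == CANARY_NULL)       return NULL_CANARY;
    if (k == CANARY_TERMINATOR) return TERMINATOR_CANARY;
    return RANDOM_CANARY;
}

/* Prologue places the canary; the epilogue compares it before returning.
 * A real build calls __stack_chk_fail() and aborts on a mismatch. */
static void prologue(uint8_t frame[FRAME_LEN], enum canary_kind k)
{
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + CAN_OFF, canary_value(k), CAN_LEN);
    memcpy(frame + RET_OFF, SAVED_RET, RET_LEN);
}

static bool canary_intact(const uint8_t frame[FRAME_LEN], enum canary_kind k)
{
    return memcmp(frame + CAN_OFF, canary_value(k), CAN_LEN) == 0;
}

/* Byte that ends the copy: strcpy() stops at NUL, gets() at LF (both then
 * store a NUL); memcpy() copies anything. */
static int stop_byte(enum primitive p)
{
    return p == PRIM_STRCPY ? 0x00 : p == PRIM_GETS ? 0x0a : -1;
}

/* The attacker fills the buffer, rewrites the canary with their best guess
 * (the public constant for null/terminator, a wrong value for random) and
 * then tries to overwrite the saved return address. */
enum outcome attack(enum canary_kind k, enum primitive p)
{
    uint8_t frame[FRAME_LEN], payload[FRAME_LEN];
    const uint8_t *guess = (k == CANARY_RANDOM) ? WRONG_GUESS : canary_value(k);
    int stop = stop_byte(p), i;

    prologue(frame, k);
    memset(payload, 'A', BUF_LEN);
    memcpy(payload + CAN_OFF, guess, CAN_LEN);
    memcpy(payload + RET_OFF, FAKE_RET, RET_LEN);

    for (i = 0; i < FRAME_LEN; i++) {
        if (stop >= 0 && payload[i] == (uint8_t)stop)
            break;                          /* string function ends the copy here */
        frame[i] = payload[i];
    }
    if (stop >= 0 && i < FRAME_LEN)
        frame[i] = 0x00;                    /* strcpy()/gets() store a terminating NUL */

    if (!canary_intact(frame, k))
        return ABORTED;
    return memcmp(frame + RET_OFF, SAVED_RET, RET_LEN) == 0 ? FELL_SHORT : HIJACKED;
}

int main(void)
{
    static const char *kinds[] = {"null", "terminator", "random"};
    static const char *prims[] = {"memcpy", "strcpy", "gets"};
    static const char *names[] = {"ABORTED (canary tripped)", "FELL SHORT", "HIJACKED"};
    for (int k = 0; k < 3; k++)
        for (int p = 0; p < 3; p++)
            printf("%-10s canary vs %-6s overflow: %s\n", kinds[k], prims[p],
                   names[attack((enum canary_kind)k, (enum primitive)p)]);
    return 0;
}
```

The table the program prints is the card’s ranking: the null canary is hijacked by memcpy and gets, the terminator canary only by memcpy, and the random canary never, because the guess is wrong. The caveat is the one the ranking hides: a random canary protects only while its value stays secret, so an information leak of the frame turns it back into a public constant.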

16
Q

Eclipse and MS Visual Studio are two popular __.

A

IDEs (Integrated Development Environments)

17
Q

For this CMMI level continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

A

Level 5 Optimizing

18
Q

In addition to avoiding flaws, this approach also seeks to streamline the process of deploying an application into operations, which can make for more efficient application updates.

A

DevOps (Development + Operations)

19
Q

In distributed applications a client can send input to a remote system process to carry out an action. This communication is referred to as a __. __ is a traditional solution to the problem of coordinating such calls between heterogeneous systems.

A

RPC (Remote Procedure Call), CORBA (Common Object Request Broker Architecture) employs an Object Request Broker as an intermediary to solve the problem of coordinating the communication.

20
Q

In order to finish a project, 5 people slept in the office for 5 days. Which level of the CMMI does this indicate?

A

Level 1 Initial (ad hoc; few processes are defined; occasionally chaotic. Success depends on individual efforts and heroics.)

21
Q

In software security testing, __ involves running tools against application source code to look for known patterns that suggest particular types of security flaws (buffer overflows, SQL injection, OS command injection).

A

static analysis (SAST, static application security testing; white box, since it needs the source)
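Added example for this card (not from the deck or any real analyzer): the first step of pattern-based static analysis written in C. It scans source text for dangerous sink calls mapped to the three flaw classes on the card, and checks identifier boundaries so that strncpy() does not trip the strcpy rule and a variable named system_ok is ignored. The rule table and the sample translation unit are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rule table: call names a static analyzer treats as dangerous sinks, and the
 * flaw class each one suggests (constructed; real tools ship hundreds). */
struct rule { const char *name; const char *flaw; };
static const struct rule RULES[] = {
    {"gets",        "buffer overflow (unbounded read)"},
    {"strcpy",      "buffer overflow (unbounded copy)"},
    {"sprintf",     "buffer overflow (unbounded format)"},
    {"system",      "OS command injection"},
    {"popen",       "OS command injection"},
    {"mysql_query", "SQL injection (query built from strings?)"},
};
#define NRULES (sizeof RULES / sizeof RULES[0])

struct finding { int line; const char *name; const char *flaw; };

/* Match 'name' only as a whole identifier followed by '('. This boundary
 * check is the difference between grep and the first step of real analysis. */
static bool is_call_at(const char *s, size_t pos, const char *name)
{
    size_t n = strlen(name);
    if (strncmp(s + pos, name, n) != 0)
        return false;
    if (pos > 0 && (isalnum((unsigned char)s[pos - 1]) || s[pos - 1] == '_'))
        return false;
    const char *after = s + pos + n;
    while (*after == ' ' || *after == '\t')
        after++;
    return *after == '(';
}

/* Scan 'src' line by line. Returns the total number of findings; at most
 * 'max_out' are stored in 'out' (pass NULL/0 just to count). */
size_t scan_source(const char *src, struct finding *out, size_t max_out)
{
    size_t count = 0;
    int line = 1;
    for (const char *p = src; *p; line++) {
        const char *end = strchr(p, '\n');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char buf[256];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, p, len);
        buf[len] = '\0';

        const char *code = buf;
        while (*code == ' ' || *code == '\t')
            code++;
        if (strncmp(code, "//", 2) != 0) {          /* skip full-line comments */
            for (size_t r = 0; r < NRULES; r++)
                for (size_t i = 0; buf[i]; i++)
                    if (is_call_at(buf, i, RULES[r].name)) {
                        if (count < max_out)
                            out[count] = (struct finding){line, RULES[r].name, RULES[r].flaw};
                        count++;
                        break;                      /* one finding per rule per line */
                    }
        }
        if (!end)
            break;
        p = end + 1;
    }
    return count;
}

/* Constructed sample source with known-bad lines and look-alikes. */
static const char SAMPLE[] =
    "#include <stdio.h>\n"                                            /* 1  */
    "void greet(char *name, void *conn) {\n"                           /* 2  */
    "    char buf[32], q[128];\n"                                      /* 3  */
    "    strcpy(buf, name);                      // flagged\n"         /* 4  */
    "    strncpy(buf, name, 31);                 // bounded, skipped\n"/* 5  */
    "    // system(buf);                         // commented out\n"   /* 6  */
    "    int system_ok = 1;                      // identifier only\n" /* 7  */
    "    sprintf(q, \"SELECT * FROM u WHERE n='%s'\", name); // flagged\n" /* 8 */
    "    mysql_query(conn, q);                   // flagged\n"         /* 9  */
    "    system (buf);                           // flagged\n"         /* 10 */
    "}\n";

size_t sample_finding_count(void) { return scan_source(SAMPLE, NULL, 0); }

/* Line number of the idx-th finding in SAMPLE, or -1 if there is none. */
int sample_finding_line(size_t idx)
{
    struct finding f[16];
    size_t n = scan_source(SAMPLE, f, 16);
    return idx < n ? f[idx].line : -1;
}

int main(void)
{
    struct finding f[16];
    size_t n = scan_source(SAMPLE, f, 16);
    for (size_t i = 0; i < n; i++)
        printf("line %d: %s() -> %s\n", f[i].line, f[i].name, f[i].flaw);
    return 0;
}
```

Lines 4, 8, 9 and 10 of the sample are reported; lines 5, 6 and 7 are the false positives a plain text search would produce. Real SAST goes further (parsing, data-flow from untrusted sources to these sinks), which is what separates “sprintf is used” from “sprintf builds a query from user input”.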

22
Q

In this level of CMMI, the necessary process discipline is in place to repeat earlier successes on projects with similar applications.

A

Level 2 Managed

23
Q

In this SDLC model, phases occur in succession and after each phase is completed, it is closed and not revisited.

A

waterfall model: phases occur in succession like water falling down a waterfall

24
Q

Methodologies for software development intended to improve the process and the end product.

A

SDLC (Software Development Life Cycle), also referenced as Systems Development Life Cycle

25
Q

Microsoft’s __ establishes 16 practices divided amongst traditional development phases.

A

MS SDL: Microsoft Security Development Lifecycle. Key practices are under “MS SDL key practices - D8 pg19”

26
Q

Name the software development methodologies aka SDLC models.

A

waterfall, spiral, prototyping, agile, scrum, XP (Extreme Programming). For the exam think evolution: waterfall: too much time between deliveries; spiral: more increments but still not what the customer wants; prototyping: the customer is now actively engaged in design but the team still goes away for too long; Agile: we meet every 3-4 weeks instead of every 3-4 years.

27
Q

Pair programming, continuous integration and continuous deployment are some terms often associated with this SDLC approach.

A

Agile: pair programming (two developers coding at one machine, the second reviewing the code as it is written), continuous integration (regularly merging developer contributions back into the main branch, so integration issues surface early), continuous deployment (goes beyond continuous integration: every change that passes the automated pipeline is deployed to production, rather than just merged into the main branch)

28
Q

Programmers can harden their applications via secure __ and compiler extensions such as Libsafe and SSP/ProPolice, e.g. Libsafe intercepts unsafe C string functions (strcpy, gets, ...) and checks that the write stays within the current stack frame.

A

libraries. These add protections against vulnerabilities such as buffer overflows: Libsafe is a drop-in library that bounds-checks unsafe string functions, while SSP/ProPolice is strictly a GCC extension (now -fstack-protector) that inserts stack canaries and places buffers above other locals.

29
Q

QA and UAT are types of __ application testing, primarily to ensure functionality and usability of the application are appropriate. While not overtly security-focused they can be built to include security relevant test cases.

A

dynamic application testing

30
Q

SD3+C stands for __, a centerpiece of Microsoft’s SDL

A

Secure by Design, Secure by Default, Secure in Deployment, and Communications. Application security is always best when integrated from the beginning, e.g. Windows releases built under the SDL are generally more secure than Windows XP, for which security was not a critical design goal.

31
Q

Some numeric values are often stored in fixed length memory locations. What type of attack seeks to exploit this characteristic to achieve memory corruption or more?

A

integer overflow, because the attack targets fixed-width integer storage whose arithmetic wraps around. A buffer overflow is different: the flaw is a missing bounds check on a write past the end of a buffer, not arithmetic wraparound (the two combine when a wrapped length produces an undersized buffer).
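Added example for the two integer overflow cards (this one and card 7), not code from the deck: the unchecked arithmetic beside its hardened form for both patterns the cards name, a 16-bit UID that wraps to 0 and a count * size allocation that wraps to a tiny buffer. The field widths and values are constructed; __builtin_mul_overflow is the GCC/Clang checked-arithmetic builtin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* 16-bit UID field (constructed): an increment past the type's maximum wraps
 * around, and UID 0 is root on Unix, as the card notes. */
uint16_t next_uid_unchecked(uint16_t last_uid, uint16_t increment)
{
    return (uint16_t)(last_uid + increment);      /* 65535 + 1 == 0 */
}

/* Hardened form: compute in a wider type and refuse a result that does not
 * fit. 'out' may be NULL when only the verdict is wanted. */
bool next_uid_checked(uint16_t last_uid, uint16_t increment, uint16_t *out)
{
    uint32_t wide = (uint32_t)last_uid + increment;
    if (wide > UINT16_MAX)
        return false;
    if (out)
        *out = (uint16_t)wide;
    return true;
}

/* Allocation-size pattern: count * elem_size computed in 32 bits wraps, so
 * malloc() hands back a buffer far smaller than the caller believes and the
 * loop that fills it later overflows the heap. */
uint32_t alloc_size_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;                      /* 0x20000001 * 8 == 8 */
}

/* Hardened form: __builtin_mul_overflow (GCC >= 5, Clang) reports wraparound. */
bool alloc_size_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    uint32_t total;
    if (__builtin_mul_overflow(count, elem_size, &total))
        return false;
    if (out)
        *out = total;
    return true;
}

int main(void)
{
    uint16_t uid;
    printf("unchecked: 65535 + 1 -> %u\n", next_uid_unchecked(65535, 1));
    printf("checked:   65535 + 1 -> %s\n",
           next_uid_checked(65535, 1, &uid) ? "ok" : "rejected");

    uint32_t count = 0x20000001u, elem = 8u, total;
    printf("unchecked size: 0x%x * %u -> %u bytes\n", count, elem,
           alloc_size_unchecked(count, elem));
    if (!alloc_size_checked(count, elem, &total)) {
        puts("checked size:   rejected (would wrap)");
    } else {
        void *p = malloc(total);                   /* only reached for sane sizes */
        free(p);
    }
    return 0;
}
```

The checked versions fail closed: a request that would wrap is rejected rather than silently producing 0 or 8. In code that allocates, calloc(count, size) performs the same multiplication check for you.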

32
Q

The __ focuses on quality management practices and establishes a basis for evaluating the development process.

A

CMMI (Capability Maturity Model Integration) D8 pg 7

33
Q

The __ level of CMMI has measurable metrics, can measure processes and make sure quality is being done correctly.

A

Level 4 Quantitatively Managed

34
Q

The __ model is a software development methodology that is also known as the “Traditional Method”.

A

waterfall model

35
Q

The __ model of the SDLC features a cyclic approach and set of anchor-point milestones. It is driven by risk.

A

spiral model

36
Q

The __ serves as the developer’s workspace and typically includes at least a code editor, debugger, and builder/compiler. It typically goes beyond simple code editing and debugging to increase the efficiency of the development.

A

IDE (Integrated Development Environment)

37
Q

The Agile family includes __ (a short daily stand-up, typically 15 minutes, with the customer represented by the product owner and testing following the next day; worst case we’ve lost 24 hours) and __ (an on-site customer representative is part of the development team, so the question is always what the simplest thing is that adds value for the customer).

A

Scrum, XP (Extreme Programming)

38
Q

The primary focus of employing SDL is different from SDLC. What is the main purpose of SDL?

A

Security since SDL (Security Development Lifecycle) vs SDLC (Software Development Lifecycle)

39
Q

The primary purpose of __ and __ is to ensure that the functionality and usability of the application are appropriate.

A

QA testing and UAT testing

40
Q

The SDLC model of __ allows you to prove concepts for the development of software, systems or applications.

A

software prototyping

41
Q

There is a risk of not meeting what the customer wants in which SDLC model (since there is no customer involvement).

A

waterfall model

42
Q

There is no customer involvement and no going back in which SDLC model?

A

waterfall model

43
Q

This SDLC model can simply be a non-operational mock-up.

A

software prototyping

44
Q

We are concerned that although apps are validated, there will be unforeseen issues in the operational environment. This is most closely tied to what approach?

A

DevOps (Development + Operations)

45
Q

We are concerned that although apps are validated, there will be unforeseen issues in the production environment This is most closely tied to what approach?

A

DevOps (Development + Operations)

46
Q

What are the CMMI levels?

A

Level 1 Initial (ad hoc, chaotic), Level 2 Managed (basic processes), Level 3 Defined (documented, predictable outcome), Level 4 Quantitatively Managed (metrics), Level 5 Optimizing (continuous improvement). (Capability Maturity Model Integration: D8 pg 7)

47
Q

What is the number one way to reduce risk in code development?

A

all code should undergo code reviews, aka security reviews, before implementation. This is an ISC2 golden rule. Other important points: developers should never directly modify production code; you always want detailed logging. Minimize buffer overflows, escalation of privilege and backdoors.

48
Q

Which level of CMMI is where you have formal documentation and can start planning out projects?

A

Level 3 Defined (software process documented/standardized)

49
Q

Which type of testing would be most appropriate to ensure that all expected functionality of the application is present and working properly?

A

UAT (user acceptance testing); if that option is not offered, choose QA testing, since UAT is a subset of QA.