Domain 8 Flashcards

1
Q

What is software security?

A
  • Security is most effective when it is planned and implemented throughout the entire lifecycle
  • The goal is to ensure the integrity, confidentiality and availability of data and software
  • Current applications and operating systems are vulnerable because adequate controls are not in place

Security must be included across the entire development lifecycle, from initial design through final quality assurance.

2
Q

What are capability maturity models?

A

How mature is your software development process? Do you have a process?

Capability maturity models are developed through surveying and analyzing numerous organizations to determine characteristics associated with effective processes.

What is CMMI? Capability Maturity Model Integration - focused on quality management practices; it establishes a basis for evaluating the development process.

**Know the Carnegie Mellon CMMI maturity levels for the exam. CMMI was created to improve software development processes but has since expanded to cover other kinds of processes as well.

3
Q

What are the CMMI levels?

A

Capability Maturity Model Integration (CMMI)

**memorize these 5

Level 1: Initial - the software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort and heroics.

Level 2: Managed - basic project management processes are established to track cost, schedule and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.

Level 3: Defined - the software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. All projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.

Level 4: Quantitatively Managed - detailed measures of the software process and product quality are collected. Both the software process and the products are quantitatively understood and controlled.

Level 5: Optimizing - continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

4
Q

What is SDLC?

A

The Software Development Life Cycle was created to ensure that software is developed in an orderly fashion and to ensure completeness: every stage has defined inputs and outputs, so nothing (requirements, design, testing) is skipped.

Stages:

  • initiation and planning
  • definition of requirements
  • design specifications
  • actual development and documentation of applications
  • testing evaluation and acceptance
5
Q

What is waterfall SDLC?

A

Divides a software development project into well-defined sequential stages, with a specific milestone at the end of each stage. The product is delivered only after all phases are complete.

Aims to reach the objectives by the most direct route, with the shortest development time and lowest cost possible.

In the classic model each phase is closed once it is complete and is not revisited, and there is little or no customer involvement after the requirements are gathered. The modified waterfall allows stepping back one phase only, so a mistake discovered two phases later cannot be corrected cheaply, even if you know you messed up.

Any delay in one phase cascades into every later phase.

Drawbacks:

  • little flexibility in changing the scope of a project, because you can only step back one stage and no more
  • system shortcomings may not be discovered until the product is finally released for use in production

Verification - ensures that the product being developed meets its specifications (are we building the product right?)
Validation - ensures that the product solves the real-world problem or operational mission it was built for (are we building the right product?)

6
Q

What is spiral SDLC?

A

Phases occur in order, but in an ever-widening spiral of larger and larger activity: the phases are repeated over and over, each pass building on what came before.

Risk is the driving factor behind the spiral model. The risk being managed is mainly the risk of project failure, and each loop of the spiral begins with a risk analysis.

Managing risk is what spiral is for. **If you see "spiral" on the exam, look for the word risk.

Each spiral is a new project plan: you take the lessons learned from the previous spiral, apply them, and expand the product further. Think of the Honda hybrid car example.

7
Q

What is software prototyping (SDLC)?

A

Development of a working model or mock-up for review.

  • the functionality of the prototype varies considerably
  • it could simply be a non-operational mock-up

The model is then refined based on feedback from both users and developers.

Prototyping typically implies frequent customer/client interaction throughout the project.

8
Q

what is Agile SDLC?

A

Pair programming - two developers coding on one machine, with the second developer reviewing the code as it is written.

Continuous integration - merging multiple developers' contributions back into the main project can be a source of problems. Continuous integration addresses this by regularly integrating each developer's contributions into the main branch (with an automated build and test run on every merge), so that integration problems are found early.

Continuous deployment - builds on continuous integration, but code that passes the pipeline is actually deployed into production rather than just merged into the main branch.

Two more formal manifestations of agile are Extreme Programming (XP) and Scrum.

Agile gives you speed: it values responding to change over following a plan. You can go back and fix something when it is wrong; find the bug and fix it when you find it.

9
Q

What is extreme programming (XP) SDLC?

A

An agile development method.

  • Pair programming - the pair works from a detailed specification: one programs while the other watches, checks for bugs and verifies adherence to the spec; the two may swap places from time to time
  • High level of customer involvement
  • Detailed test procedures

Total customer involvement - the customer is always available and carefully monitors the project.

10
Q

What is Scrum? SDLC

A

An agile method.

Scrum uses small teams of developers, called the Scrum team.

The team tries to go the distance as a unit, passing the ball back and forth as needed: Conrad is working the code and gets stuck, so Jim comes in; other people come in and take over. As in rugby, you all run down the field together and pass back whenever you need to hand off to someone to keep going the distance.

Scrum master - a senior member of the organization who acts as a coach for the team: mentors the team, clears out business issues and impediments, and secures funding.

The product owner represents the business unit.

11
Q

What are programming tools?

A

CASE tools - computer-aided software engineering tools. Loosely, "the code writes the code": they automate parts of analysis, design and code generation and are used to develop application systems faster and to increase programmer and analyst productivity.

IDE - an integrated development environment provides a workspace for the developer and typically allows code editing, debugging and compiling/building.

  • many IDEs provide features to increase efficiency and to help avoid defects (for example syntax checking and linting as you type)
  • IDEs are usually built to support one or a few specific languages
  • Eclipse and Microsoft Visual Studio are two popular IDEs
12
Q

What is DevOps (Development + Operations) SDLC?

A

Seeks better understanding, communication and integration between the development and operations parts of the organization. Besides surfacing flaws earlier, this approach streamlines the process of deploying an application into operations, which makes for more efficient application updates.

Addresses issues that arise from the separation of development and the operational environment: the successfully deployed application running in operations is the product, not simply the code. Application issues can stem from the code, but they can also stem from the operational environment.

The focus is closer integration of development and operations, typically with known and consistent environments (the same configuration in development, test and production), which avoids environment-related issues and allows more efficient delivery of application updates.

Developers still do not implement or manage production security features. They can push their code into production and see how it behaves, and you write better code when you see the response, but production security remains the job of the security and operations people. Developers assist production and have a closer relationship with the deployed code; they do not take on a security function.

13
Q

What is SD3+C?

A

Stands for Secure by Design, Secure by Default, Secure in Deployment, and Communications.

It is the centerpiece of the Microsoft Security Development Lifecycle (SDL)
- incorporates security through all phases of the product lifecycle

Secure by default:

  • least privilege
  • defense in depth
  • conservative default settings
  • avoidance of risky default changes
  • less commonly used services off by default

Secure in deployment:

  • deployment guides
  • analysis and management tools
  • patch deployment tools
14
Q

What is the software environment?

A

It is important to the security of operations on information systems, since the software environment is where most exploits take effect. The software environment determines the controls and restrictions on, and access to, the exploitable areas of a system.

The software environment must be set up before computer operations can be conducted.

This environment can have an impact on the security of the application that runs in it.

15
Q

What are application architectures?

A

The first element of the software environment is understanding the application architecture.

Distributed computing:

  • client/server - server-based applications are used through a client that interfaces with the server
  • 3-tier - most commonly associated with web applications (web front end, middleware, back-end data store)
  • peer-to-peer - each endpoint is equally capable. **Integrity is usually the answer for peer-to-peer (think of Napster: searching for files was client/server, the download was peer-to-peer). How do you know you received all the data, unaltered? You need hashing, and that provides integrity.

**Middleware - software that sits between applications (for example between a web front end and a back-end data store) and handles their communication; applications talking to applications.

16
Q

What are remote procedure calls?

A

In a distributed application a client sends input to a process on a remote system to carry out an action. When a process invokes a procedure in another process running on a remote host, as though it were calling a local function, that is a remote procedure call (RPC).

Common Object Request Broker Architecture (CORBA) is a traditional solution for coordinating this communication between objects on different systems.

17
Q

What is peer to peer (P2P)?

A

Peer to peer is when applications have equal capabilities and responsibilities and there is no main controller. Exchange is permitted directly between applications or systems, and there is no central enforcement point that can prevent such an exchange. Control is delegated to each of the peers, so security is difficult to maintain.

It is decentralized and deviates from the traditional client/server architecture by allowing each system to operate as both client and server.

P2P architecture does not require central servers.

As a fully decentralized architecture it can provide increased resiliency and availability in the face of failures.

Think integrity - you must hash to verify the integrity of data received from untrusted peers.

18
Q

What are software environment issues?

A

Open Source:

  • public development and scrutiny can lead to more secure software
  • source code is publicly available
  • Apache, Linux - you can see the source code and do not need a license to view it
  • can I view the source code legally and publicly?

Closed Source:

  • source code is proprietary
  • third-party access may be provided under an NDA

"Free" Software:
- freedom to change the

The questions to ask:
Can I view the source code?
Can I change it?
Do I pay for it?

GNU General Public License (GPL):
- "free squared": free of charge and free to change. If you change it and distribute your version, you must share your changes under the same license.

19
Q

What is disclosure?

A

Responsible Disclosure:

  • Privately notify the vendor if you discover a security flaw in their software
  • The vendor must act responsibly by fixing the flaw in a reasonable amount of time and not threatening legal action against the researcher
  • *** The exam wants responsible disclosure - you can fully disclose, but only after a very reasonable amount of time has passed without a fix

Full Disclosure:

  • intentional public release of bug details and exploit code to force security issues to be fixed
  • serious flaws tend to get fixed quickly, but collateral damage may occur
  • arose because vendors were ignoring researchers who reported bugs to them privately
  • the exploit is now public before the patch - attackers know about it, and worms can follow

20
Q

What are general security principles for a development environment?

A

Authorization
- all personnel should have proper authorization for the systems and data they work with

Risk Reduction
- code review

DevOps has blurred the separation of duties between developers and operations:

  • development staff support operations and security
  • developers do not directly manage security functions

Accountability

  • no direct access to the database; production data should be accessed through the application
  • production data is managed by its business users, not by support staff
  • all access to production data should be logged

Least Privilege:
- access is given to necessary data only

Layered defense:
- multiple overlapping controls

21
Q

What are some software vulnerabilities?

A
  • Privilege Escalation
  • Buffer Overflow
  • Integer Overflow
  • SQL Injection
  • XSS
22
Q

What is privilege escalation?

A

Increases a user's or process's privilege level, typically to superuser (root/administrator).

Most privilege escalation attacks require non-privileged local access first.

  • setuid root programs are a frequent target of privilege escalation attacks, because a flaw in one of them is exploited with root privileges

23
Q

What is a buffer overflow?

A

Occurs when a programmer fails to perform bounds checking on a buffer, so an attacker can write more than the buffer's byte limit into it. The extra bytes past the end of the buffer overwrite adjacent memory on the stack ("smashing the stack").

This lets the attacker write arbitrary data to the stack, including machine code. There are a number of mechanisms for getting that code executed, the classic one being to overwrite the saved return pointer so that, when the function returns, execution jumps to the attacker's code.
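The following is an added illustration in C, not part of the flashcard source: an unchecked strcpy() into a 16-byte stack buffer next to a bounded copy that checks the length before writing a single byte and refuses over-long input instead of silently truncating it. The function names, the 16-byte buffer size and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable: strcpy() copies until it finds a NUL byte and never looks at
 * the size of the destination. Any name of 16 bytes or more runs past buf
 * and smashes the stack (saved frame pointer, canary if present, return
 * address). Shown for illustration only; nothing below calls it.
 */
void vulnerable_greet(const char *name)
{
    char buf[16];
    strcpy(buf, name);                 /* no bounds check */
    printf("hello, %s\n", buf);
}

/*
 * Hardened copy: the caller passes the destination size, the source length
 * is checked before anything is written, and input that does not fit
 * (including its terminating NUL) is rejected rather than truncated.
 * Returns 0 on success, -1 if src does not fit.
 */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    memcpy(dst, src, n + 1);           /* n bytes plus the NUL */
    return 0;
}

/* Same greeting, but it refuses the request instead of overflowing. */
int safe_greet(const char *name)
{
    char buf[16];
    if (bounded_copy(buf, sizeof buf, name) != 0)
        return -1;
    printf("hello, %s\n", buf);
    return 0;
}

int main(void)
{
    safe_greet("alice");                              /* 5 bytes + NUL: fits */
    if (safe_greet("AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA") != 0)
        puts("rejected: name too long for buffer");   /* 32 bytes: refused */
    return 0;
}
```

Note that the fix is not "use strncpy": strncpy silently truncates and may leave the buffer without a NUL terminator. Checking the length first and failing closed is what the card means by bounds checking.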

24
Q

What is a memory leak?

A

Memory leaks occur in applications that request memory and later fail to release it properly.

Most common symptom: an ever-growing memory footprint of the application, usually leading to application DoS once memory is exhausted.

Sensitive information can also be divulged through memory that is handled improperly (the term "memory leak" is sometimes used loosely for this kind of information leak as well).

Memory leaks lead to DoS, meaning availability is at risk, but they can also put confidentiality at risk by exposing sensitive data.
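Added example in C (not from the flashcard source) of the "ever-growing footprint" symptom and how to catch it: a request handler that allocates a scratch buffer and forgets to free it on the validation-failure path, beside the corrected version, with a constructed malloc/free wrapper that counts live blocks the way a leak detector would. The handler names, the 64-byte limit and the over-long request are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed instrumentation: how many blocks are allocated but not yet freed. */
static size_t live_blocks = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) { free(p); live_blocks--; }
}

size_t outstanding_blocks(void) { return live_blocks; }

/*
 * Leaky handler: allocates a scratch buffer for every request, but the
 * validation-failure path returns early without freeing it. Each rejected
 * request leaks 64 bytes; a flood of bad requests grows the process until
 * it is killed (DoS).
 */
int handle_request_leaky(const char *req)
{
    char *scratch = tracked_malloc(64);
    if (!scratch) return -1;
    if (strlen(req) >= 64)
        return -1;                     /* BUG: scratch is never freed */
    strcpy(scratch, req);              /* safe: length checked above */
    tracked_free(scratch);
    return 0;
}

/* Fixed: validate before allocating, and free on every exit path. */
int handle_request_fixed(const char *req)
{
    if (strlen(req) >= 64)
        return -1;                     /* nothing allocated yet, nothing to leak */
    char *scratch = tracked_malloc(64);
    if (!scratch) return -1;
    strcpy(scratch, req);
    tracked_free(scratch);
    return 0;
}

/*
 * Pushes n over-long (rejected) requests through a handler and returns how
 * many blocks it left behind. Zero is the only acceptable answer.
 */
size_t leaked_after(int (*handler)(const char *), int n)
{
    static const char too_long[] =     /* 70 bytes, over the 64-byte limit */
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
    size_t before = live_blocks;
    for (int i = 0; i < n; i++)
        handler(too_long);
    return live_blocks - before;
}
```

In real code the counter is replaced by a tool (Valgrind, AddressSanitizer's LeakSanitizer), but the pattern it finds is the same: an error path that skips the cleanup the success path performs.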

25
Q

What are integer overflows?

A

Adding "1" to 255 equals 256, which does not fit in 8 bits. If the value is held in an 8-bit register, the register wraps around to "00000000": the carry out of the leftmost bit is discarded (or only sets a flag), so the stored value is silently wrong.

The overflow itself does not overwrite adjacent memory. The damage comes from using the wrapped value: a size check passes when it should fail, an allocation ends up far too small, or a loop runs the wrong number of times, and a later copy based on the wrong size can then corrupt other memory. Program logic misfires because of the unexpected value.
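Added example in C (not from the flashcard source) showing the 8-bit wraparound from the card, a checked addition that reports overflow instead of wrapping, and the case that matters for security: a count times element-size computation that wraps and would produce a too-small allocation. Function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* 8-bit wraparound exactly as on the card: 255 + 1 becomes 0. */
uint8_t add_u8_wrapping(uint8_t a, uint8_t b)
{
    return (uint8_t)(a + b);           /* carry out of bit 7 is discarded */
}

/* Checked version: refuses to wrap. Returns 1 and stores the sum on success, 0 on overflow. */
int add_u8_checked(uint8_t a, uint8_t b, uint8_t *out)
{
    if (a > UINT8_MAX - b)
        return 0;
    *out = (uint8_t)(a + b);
    return 1;
}

/*
 * Unchecked allocation size: with attacker-controlled count the product
 * wraps, malloc() succeeds with a tiny block, and the later copy of
 * 'count' elements overflows the heap buffer.
 */
size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/*
 * Checked allocation size: returns count * elem_size, or 0 when the
 * multiplication would wrap (a zero-sized request is treated as a refusal
 * too, so callers can test for 0 and fail closed).
 */
size_t checked_alloc_size(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0)
        return 0;
    if (elem_size > SIZE_MAX / count)
        return 0;                      /* would wrap */
    return count * elem_size;
}
```

The same check is what calloc() performs internally, which is why `calloc(count, size)` is preferred over `malloc(count * size)` for attacker-influenced counts.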

26
Q

What are software controls?

A

1) Input - validity and completeness of information: limit or range tests, logical checks, self-checking digits.
2) Processing - ensure that only valid transactions are performed, that imposed limits are not violated, and that end results are verified. Audit trails also enable the detection of fraudulent transactions.
3) Output - reconciliation, physical handling procedures, authorization controls: is the output reaching an authorized party? **This is a critical concern.

Think about integrity.

Controls are implemented based on the potential risks.

The approaches employed include the typical preventive, detective and corrective controls.
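Added example in C (not from the flashcard source) of the input controls named in point 1: a range test, a logical check (digits only) and a self-checking digit, implemented here with the Luhn algorithm used by payment card numbers. The order-line function and the 1..1000 quantity limit are constructed for this example; the card numbers in the usage are the standard public test values.

```c
#include <ctype.h>
#include <string.h>

/* Range test: accept only quantities the business rule allows (constructed limit). */
int quantity_in_range(long qty)
{
    return qty >= 1 && qty <= 1000;
}

/*
 * Self-checking digit: Luhn algorithm. Walking from the rightmost digit,
 * double every second digit, subtract 9 if the result exceeds 9, and sum
 * everything. A valid number sums to a multiple of 10, so a single mistyped
 * digit or most adjacent transpositions are caught before processing.
 * Returns 1 if the string is all digits and passes, 0 otherwise.
 */
int luhn_valid(const char *s)
{
    size_t len = strlen(s);
    if (len < 2)
        return 0;
    int sum = 0, alternate = 0;
    for (size_t i = len; i-- > 0;) {
        if (!isdigit((unsigned char)s[i]))
            return 0;                  /* logical check: digits only */
        int d = s[i] - '0';
        if (alternate) {
            d *= 2;
            if (d > 9) d -= 9;
        }
        sum += d;
        alternate = !alternate;
    }
    return sum % 10 == 0;
}

/* Combined input control for one order line; 1 only if every check passes. */
int order_line_valid(const char *card_number, long qty)
{
    return luhn_valid(card_number) && quantity_in_range(qty);
}
```

A check digit is an integrity control against accidental error, not a security control against a deliberate attacker, who can compute a valid digit trivially; it belongs alongside, not instead of, authorization and processing controls.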

27
Q

What are application sandbox examples?

A
  • Java applets are placed in a sandbox
    • — a malicious applet should not be able to access resources outside the sandbox, such as the system password file
  • Chrome places each browser tab (renderer process) in a sandbox
    • — malicious code in one tab cannot access resources controlled by another tab: your bank is open in tab one and malware is running in tab two, and the sandbox keeps tab two from touching tab one

28
Q

What are standard libraries?

A

Secure standard libraries make code more secure by helping programmers avoid common mistakes (unbounded string copies, for example). Even where the programmer slips, these libraries can still protect the code at runtime.

Programmers harden their applications through the use of secure standard libraries.

Examples are libsafe (a library that intercepts unsafe C string functions such as strcpy and bounds-checks them) and SSP/ProPolice (the GCC stack-smashing protector).

29
Q

What is a stack canary?

A

A value placed on the stack, typically just below the saved return pointer. The canary value is checked before the function returns; if it has changed, the function exits with an error instead of returning. Reaching the return pointer with a sequential overflow requires writing through the canary, which will normally alter it and so trigger the check.

Smashing the stack will kill or alter the canary.

Before the return pointer put a value; before you return, check the canary; if the canary is different, do not go back.
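Added example in C (not from the flashcard source) that simulates the check described on this card. The frame layout is constructed: a struct places a canary word directly above a 16-byte buffer, the way the compiler places it between locals and the saved return address; an unchecked copy is then performed and the epilogue check decides whether the function may return. The canary constant and function name are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Reference canary (constructed). Real implementations draw a fresh random value per process. */
#define CANARY 0xDEADBEEFCAFEBABEULL

/*
 * Constructed stack frame: the canary sits immediately above the local
 * buffer, so any overflow running upward toward the saved return address
 * has to pass through it first.
 */
typedef struct {
    char buf[16];
    uint64_t canary;
} frame_t;

/*
 * Simulates an unchecked copy into buf, then performs the epilogue check.
 * Returns 0 if the canary is intact (the function may return normally) and
 * 1 if it was altered (real code aborts here with "stack smashing detected").
 * The copy is clamped to the frame so the simulation itself stays in bounds.
 */
int copy_then_check_canary(const unsigned char *src, size_t srclen)
{
    frame_t f;
    f.canary = CANARY;
    size_t n = srclen > sizeof f ? sizeof f : srclen;
    memcpy(&f, src, n);                /* runs past buf once srclen > 16 */
    return f.canary != CANARY;
}
```

In practice the check is inserted by the compiler (GCC/Clang `-fstack-protector-strong`); the canary detects the overwrite at function return rather than preventing it, and it does not help if the attacker can leak the canary value or corrupt memory without writing through it (a heap overflow, or a write via an overwritten pointer).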

30
Q

What are some controls for code management?

A
  • Configuration management
  • Code change control management
  • Security reviews of code
  • Separation of duties for deploying code - production data should be managed through programs
  • least privilege
  • Layered defense
31
Q

What is software security static analysis testing?

A

Static analysis - tools run against source code looking for security issues. The tools look for known patterns that suggest particular types of security flaws.

  • some flaws lend themselves to discovery in source code (buffer overflows, SQL injection, OS command injection)
  • other flaws are not easily identified this way (session management, authentication flaws)

Considered a type of white box security testing: you can see in, because you can see the code.

32
Q

What is software security dynamic analysis testing?

A

Dynamic application security testing involves probing a fielded or running application in order to discover potential flaws.

Considered black box testing, since we lack access to the source code during dynamic testing: you cannot see in, you cannot see the source code.

Fuzzing is an example: feed the application malformed or over-sized input, adding more and more bytes, until it breaks.
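Added example in C (not from the flashcard source) of the "add more bytes until it breaks" idea as a small length-sweep fuzzer. The target is a constructed one-byte-length-prefix record parser with a deliberate off-by-one in its bounds check, beside the corrected parser; the harness grows the input one byte at a time and checks an invariant a consumer would rely on (an accepted length never exceeds the bytes actually present). All names and the record format are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Target (buggy): byte 0 declares the payload length; the payload follows.
 * Returns the payload length if the record is well formed, -1 otherwise.
 * The deliberate bug is "<=" where "<= avail - 1" is needed: the header
 * byte is not subtracted, so a declared length equal to the total size is
 * accepted and a consumer reading 'len' payload bytes reads one past the end.
 */
int parse_record_buggy(const uint8_t *rec, size_t avail)
{
    if (avail < 1) return -1;
    size_t len = rec[0];
    if (len <= avail) return (int)len;        /* BUG: off by the header byte */
    return -1;
}

/* Fixed: only avail - 1 bytes follow the header. */
int parse_record_fixed(const uint8_t *rec, size_t avail)
{
    if (avail < 1) return -1;
    size_t len = rec[0];
    if (len <= avail - 1) return (int)len;
    return -1;
}

/*
 * Length-sweep fuzzer: for every buffer size from 1 up to max_size, builds a
 * record whose declared length is one byte more than the payload present,
 * hands it to the parser, and checks the invariant "an accepted length never
 * exceeds the bytes available after the header". Returns the first size that
 * breaks the invariant (the crash-equivalent finding), or 0 if none does.
 */
size_t fuzz_length_sweep(int (*parser)(const uint8_t *, size_t), size_t max_size)
{
    uint8_t rec[256];
    for (size_t size = 1; size <= max_size && size <= sizeof rec; size++) {
        rec[0] = (uint8_t)size;               /* claims 'size' payload bytes; only size - 1 exist */
        for (size_t i = 1; i < size; i++)
            rec[i] = (uint8_t)('A' + (i % 26)); /* constructed filler */
        int len = parser(rec, size);
        if (len >= 0 && (size_t)len > size - 1)
            return size;                      /* parser accepted an over-read */
    }
    return 0;
}
```

A real fuzzer (AFL++, libFuzzer) mutates inputs randomly and relies on sanitizers to flag the bad read; the harness above makes the invariant explicit so the failure is visible without a crash.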

33
Q

What is QA and UAT software security testing?

A

Quality Assurance (QA) and User Acceptance Testing (UAT) are additional types of dynamic application testing.

They ensure that the functionality and usability of the application are appropriate.

QA is done by the dedicated quality team; UAT is getting the actual users to test it out.

They are focused on performance and functionality, but they can also be used to perform security testing.