Domain 8 Flash Cards

1
Q

ActiveX Data Objects (ADO)

A

A Microsoft high-level interface for all kinds of data.

2
Q

Acceptance

A

formal, structured hand-off of the completed software system to the customer org; usually involves test, analysis, and assessment activities

3
Q

Accreditation

A

AKA security accreditation; a formal declaration by a designated accrediting authority (DAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards

4
Q

ACID Test

A

data integrity provided by means of enforcing atomicity, consistency, isolation, and durability policies

5
Q

Aggregation

A

ability to combine non-sensitive data from separate sources to create sensitive info; note that aggregation is a "security issue", whereas inference is an attack (where an attacker can pull together pieces of less sensitive info to derive info of greater sensitivity)

6
Q

Arbitrary code

A

alternate set of instructions and data that an attacker attempts to trick a processor into executing

7
Q

Buffer overflow

A

source code vulnerability allowing access to data locations outside of the storage space allocated to the buffer; can be triggered by attempting to input data larger than the size of the buffer

8
Q

Bypass attack

A

attempt to bypass front-end controls of a database to access information

9
Q

Capability Maturity Model for Software (CMM or SW CMM)

A

Maturity model focused on quality management processes; it has five maturity levels, each containing several key practices.

10
Q

Common Object Request Broker Architecture (CORBA)

A

A set of standards that addresses the need for interoperability between hardware and software products residing on different machines across a network; provides object location and use across a network

11
Q

Computer virus

A

A program written with functions and intent to copy and disperse itself without the knowledge and cooperation of the owner or user of the computer

12
Q

Configuration management (CM)

A

A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).
collection of activities focused on establishing and maintaining the integrity of IT products and information systems, through the control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development lifecycle

13
Q

Covert channel

A

An information flow that is not controlled by a security control and has the opportunity of disclosing confidential information.
a method used to pass information over a path that is not normally used for communication; communication pathways that violate security policy or requirements (deliberately or unwittingly); basic types are timing and storage

14
Q

Certification

A

comprehensive technical security analysis of a system to ensure it meets all applicable security requirements

15
Q

Change Advisory Board (CAB)

A

purpose is to review and approve/reject proposed code changes

16
Q

Citizen programmers

A

organizational members who codify work-related knowledge, insights, and ideas into (varying degrees of) usable software; the process and result is ad hoc, difficult to manage, and usually bereft of security considerations

17
Q

Code protection/logic hiding

A

prevents one software unit from reading/altering the source/intermediate/executable code of another software unit

18
Q

Code reuse

A

reusing existing units of software (procedures/objects) rather than re-inventing them; means higher productivity toward development requirements using correct, complete, safe code

19
Q

Complete coverage

A

testing all of the functions of software

20
Q

Configuration Control

A

process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications prior to, during, and after system implementation

21
Q

Data mining

A

A decision-making technique that is based on a series of analytical techniques taken from the fields of mathematics, statistics, cybernetics, and genetics.
analysis and decision-making technique that relies on extracting deeper meanings from many different instances and types of data; often applied to data warehouse content

22
Q

Database Management System (DBMS)

A

A suite of application programs that typically manages large, structured sets of persistent data

23
Q

Database model

A

Describes the relationship between the data elements and provides a framework for organizing the data; the design process that identifies all data elements the system will need to input, create, store, modify, output, and destroy during operational use; should be one of the first steps in analysis and design

24
Q

DevOps

A

An approach based on lean and agile principles in which business owners and the development, operations, and quality assurance departments collaborate.

25
Data Contamination
attackers attempt to use malformed inputs, at the field, record, transaction, or file level, in an attempt to disrupt the proper functioning of the system
26
Data Lake
a data warehouse incorporating multiple types of streams of unstructured or semi-structured data
27
Data Protection and Data Hiding
restricts or prevents one software unit from reading or altering the private data of another software unit, or prevents data from being discovered or accessed by a subject
28
Data Type Enforcement
how a language protects a developer from trying to perform operations on dissimilar types of data, or in ways that would lead to erroneous results
29
Data Warehouse
collection of data sources such as separate internal databases to provide a broader base of info for analysis, trending and reference; may also involve databases from outside the org
30
Data-centric Threat Modeling
methodology and framework focusing on the authorized movements and data input/output into and from a system; corresponds with protecting data in transit, at rest, and in use when classifying organizational data
31
Defensive Programming
design/coding allowing only acceptable, sanitized data inputs to a system; lack of defensive programming measures can result in arbitrary code execution, misdirection of the program to other resources/locations, or revealing info useful to an attacker
32
Design Reviews
should take place after the development of functional and control specifications but before the creation of code
33
Dirty read
occurs when one transaction reads a value from a database that was written by another transaction that didn't commit
34
Emerging Properties
an alternate/more powerful way of looking at systems-level behavior characteristics such as safety and security; helps provide a more testable, measurable answer to questions such as "how secure is our system?"
35
Encapsulation
enforcement of data/code hiding during all phases of software development and operational use; bundling together data and methods is the process of encapsulation (opposite of unpacking/revealing)
36
Executable/Object Code
binary representation of the machine language instruction set that the CPU and other hardware of the target computer can directly execute
37
Extensible Markup Language (XML)
is a set of HTML extensions providing for data storage and transport in networked environments; frequently used to integrate web pages with databases; XML is often embedded in the HTML files making up elements of a web page
38
Functional requirements
describes a finite task or process the system must perform; often directly traceable to specific elements in the final system's design and construction
39
Hierarchical database model
data elements and records are arranged in tree-like parent-child structures
40
Integrated Product and Process Development (IPPD)
A management technique that simultaneously integrates all essential acquisition activities through the use of multidisciplinary teams to optimize the design, manufacturing, and supportability processes.
41
Integrated Product Team
team of stakeholders and individuals that possess different skills and who work together to achieve a defined process or product
42
Infrastructure as Code (IaC)
instead of viewing hardware config as a manual, direct hands-on, one-on-one admin hassle, it is viewed as just another collection of elements to be managed in the same way that software and code are managed under DevSecOps
43
Interactive Application Security Testing (IAST)
testing that combines or integrates SAST and DAST to improve testing and provide behavioral analysis capabilities to pinpoint the source of vulnerabilities
44
Knowledge Discovery in Databases (KDD)
A mathematical, statistical, and visualization method of identifying valid and useful patterns in data.
45
Knowledge Management
efficient/effective management of info and associated resources in an enterprise to drive business intelligence and decision-making; may include workflow management, business process modeling, doc management, db and info systems, and knowledge-based systems
46
Log
A record of actions and events that have taken place on a computer system.
47
Level of abstraction
how closely a source-code/design doc represents the details of the underlying object/system/component; lower-level abstractions generally have more detail than high-level ones
48
Living off the land (non-malware based ransom attack)
system attack where the system/resources compromised are used in pursuit of additional attacks (i.e. the attacker's agenda); anti-malware defence doesn't detect/prevent the attack given the attacker's methodology
49
Metadata
Information about the data; info that describes the format or meaning of other data, which can be used to provide a systematic method for describing resources and improving info retrieval
50
Malformed input attack
not correctly handling input data is a common source of code errors that can result in arbitrary code execution, or misdirection of the program to other resources/locations
51
Markup Language
non-programming language used to express formatting or arrangement of data on a page/screen; usually extensible, allowing users to define additional/other operations to be performed; extensions can turn the language into a programming language (e.g. in the same way JavaScript extends HTML)
52
Mobile code (executable content)
file(s) sent by a system to others, that will either control the execution of systems/applications on that client or be directly executed
53
Modified prototype model
approach to system design/build that starts with a simplified version of the application; feedback from stakeholders is used to improve design of a second version; this is repeated until owners/stakeholders are satisfied with the final product
54
Network database model
database model in which data elements and records are arranged in an arbitrary linked fashion (e.g. lists, clusters, or other network forms)
55
Nonfunctional requirements
broad characteristics that do not clearly align with system elements; many safety, security, privacy, and resiliency requirements can be deemed nonfunctional
56
Object/Memory reuse
systems allocate/release and reuse memory/resources as objects to requesting processes; data remaining in the object when it is reused is a potential security violation (i.e. data remanence)
57
Object
encapsulation of a set of data and methods that can be used to manipulate that data
58
Object-oriented database model
database model that uses object-oriented programming concepts like classes, instances, and objects to organize, structure, and store data and methods; schemas define the structure of the data, views specify the tables, rows, and columns that meet user/security requirements
59
Object-oriented security
systems security designs that make use of object-oriented programming characteristics such as encapsulation, inheritance, polymorphism, and polyinstantiation
60
Open-source software
source code and design info is made public, and often using licenses that allow modification and refactoring
61
Pair programming
requires two devs to work together, one writing code, and the other reviewing and tracking progress
62
Pass-around reviews
often done via email or code review system, allows devs to review code asynchronously
63
PERT
chart that uses nodes to represent milestones or deliverables, showing the estimated time to move between milestones
64
Polyinstantiation
creates a new instance (copy) of a data item, with the same identifier or key, allowing each process to have its own version of that data; useful for enforcing and protecting different security levels for a shared resource; polyinstantiation also allows the storage of multiple different pieces of info in a database at different classification levels to prevent attackers from inferring anything about the absence of info
65
Procedural programming
emphasizes the logical sequence of steps to be performed, where a procedure is a set of software that performs a particular function, requiring specific input data and producing a specific set of outputs; procedures can invoke other procedures
66
Query attack
use of query tools to access data not normally allowed by the trusted front end, including the views controlled by the query application; could also result from malformed queries using SQL to bypass security controls; improper/incomplete checks on queries can be used in a similar way to bypass access controls
67
Ransom attack
form of attack that threatens destruction, denial, or unauthorized public release/remarketing of private information assets; usually involves encrypting assets and withholding the decryption key until a ransom is paid by the victim
68
Refactoring
partial or complete rewrite of a set of software to perform the same functions, but in a more straightforward, more efficient, or more maintainable form
69
Regression testing
test a system to ascertain whether recently approved modifications have changed the performance of other approved functions or introduced other unauthorized behavior; testing that runs a set of known inputs against an app and compares the results to those previously produced (by an earlier version of the software)
70
Relational database model
AKA relational database management system (RDBMS), data elements and records arranged in tables which are related or linked to each other to implement business logic, where data records of different structures or types are needed together in the same activity
71
Representational State Transfer (REST)
software architectural style for synchronizing the activities of two or more apps running on different systems on a network; REST facilitates these processes exchanging state information, usually via HTTP/S
72
Reputation monitoring
defensive tactic that uses the trust reputation of a website or IP address as a means of blocking an org's users, processes or systems from connecting to a possible source of malware or exploitations; possibly the only real defense against zero-day exploits; involves monitoring URLs, domains, IP addresses or other similar info to separate untrustworthy traffic
73
Runtime Application Security Protection (RASP)
security agents comprised of small code units built into an app which can detect a set of security violations; upon detection, the RASP agent can cause the app to terminate, or take other protective actions
74
Software assurance (SwA)
The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that it functions in the intended manner.
75
Security Assessment
testing, inspection, and analysis to determine the degree to which a system meets or exceeds the required security posture; may assess whether an as-built system meets the requirements in its specs, or whether an in-use system meets the current perception of the real-world security threats
76
Software Quality Assurance
variety of formal and informal processes that attempt to determine whether a software app or system meets all of its intended functions, doesn't perform unwanted functions, is free from known security vulns, and is free from insertion or other errors in design and function
77
Software Development Lifecycle (SDLC)
a framework of systematic tasks that are performed in a series of steps for building, deploying, and supporting software apps; begins with planning and requirements gathering, and ends with decommissioning and sunsetting; there are many different SDLCs, such as agile, DevSecOps, and rapid prototyping, offering different approaches to defining and managing the software lifecycle
78
Source code
program statements in human-readable form using a formal programming language's rules for syntax and semantics
79
Spyware/Adware
software that performs a variety of monitoring and data gathering functions; AKA potentially unwanted programs/applications (PUP/PUA); may be used in monitoring employee activities/use of resources (spyware), or advertising efforts (adware); both may be legit/authorized by system owners or planted by unwanted intruders
80
Strong data typing
feature of a programming language preventing data type mismatch errors; strongly typed languages will generate errors at compile time
81
Time multiplexing
Allows the operating system to provide well-defined and structured access to processes that need to use resources according to a controlled and tightly managed schedule.
82
Time of Check vs. Time of Use (TOC/TOU) Attacks
Takes advantage of the dependency on the timing of events that takes place in a multitasking operating system.
83
Trusted computing bases (TCB)
The collection of all of the hardware, software, and firmware within a computer system that contains all elements of the system responsible for supporting the security policy and the isolation of objects.
84
Threat surface
total set of penetrations of a boundary or perimeter that surrounds or contains system elements
85
Trapdoor/backdoor
AKA maintenance hook; hidden mechanism that bypasses access control measures; an entry point into an architecture or system that is inserted in software by devs during development to provide a method of gaining access for modification/support; can also be inserted by an attacker, bypassing access control measures designed to prevent unauthorized software changes
86
User Acceptance Testing (UAT)
typically the last phase of the testing process; verifies that the solution developed meets user requirements, and validates against use cases
87
Waterfall development methodology
A development model in which each phase contains a list of activities that must be performed and documented before the next phase begins