Domain 8 Software Dev Security Flashcards

1
Q

What is the NIST SP800-34 SDLC?

A
  1. Initiation
  2. Development/Acquisition - Also System Development cycle
  3. Implementation / Assessment
  4. Operations/maintenance
  5. Disposal
2
Q

What is whitebox testing?

A

Verifies inner program logic. The tester has complete access to the program source code, details of data structures, and variables.

3
Q

What is blackbox testing?

A

Integrity testing for input and output.

4
Q

What is function testing?

A

Validates the application against a checklist of requirements.

5
Q

What is sociability testing?

A

Verifies the app can operate in its target environment.

6
Q

What is the Agile Software Development Flow?

A
  1. System Requirements
  2. Software requirements
  3. Preliminary design
  4. Detailed design
  5. Code and debugging
  6. Testing
  7. Operations and maintenance
7
Q

What is valued in the Agile Software Dev Manifesto?

A

▫ Individuals and Interactions more than processes and tools.
▫ Working Software more than comprehensive documentation.
▫ Customer Collaboration more than contract negotiation.
▫ Responding to Change more than following a plan.

8
Q

What is a scrum?

A

A scrum is part of agile software dev and is a framework for managing software dev. This is where sprints come from.

9
Q

What are the 3 functions brought together in DevOps?

A
  1. Software Dev
  2. Quality Assurance
  3. Technology Operations
10
Q

What are the 5 stages of the Capability Maturity Model (CMM)?

A
  1. Initial
  2. Repeatable
  3. Defined
  4. Managed (Capable)
  5. Optimising
11
Q

CMM: Level 1 Initial

A

Ad hoc driven and undocumented.

12
Q

CMM: Level 2 Repeatable

A

Some processes are repeatable.
May have some form of change control and QA.

13
Q

CMM: Level 3 Defined

A

Defined processes are in place and used; qualitative process improvement is in place. However, the processes may not be used enough and users are not yet competent.

14
Q

CMM: Level 4 Managed

A

A process improvement program is in use; processes have metrics; users are competent with the processes.

15
Q

CMM: Level 5 Optimising

A

Continuous improvement is implemented and budgeted for.

16
Q

What are the 5 SAMM critical business functions?

A
  1. Governance
  2. Design
  3. Implementation
  4. Verification
  5. Operations
17
Q

What chart is used when time is the major factor rather than cost?

A

PERT - Program Evaluation and Review Technique.

18
Q

What is the difference between configuration management and change management?

A

Configuration management looks at changes to a specific piece of software.

Change management looks at an entire software development program.

19
Q

What are the 3 basic components of Change Management?

A
  1. Request Control
  2. Change Control
  3. Release Control
20
Q

When are Integrated Product Teams used?

A

IPTs are used in complex development programs/projects for review and decision making.

21
Q

What is Atomicity?

A

The results of the transaction are either all or nothing.

22
Q

What is consistency?

A

Transactions are processed only if they meet defined integrity constraints.

23
Q

What is Isolation?

A

The final results are invisible until the original transaction is complete.

24
Q

What is durability?

A

Once complete, the results of the transactions are permanent.

25
Q

What is SAST?

A

Static application security testing (SAST) is a white-box testing method used to test and analyse the code, syntax and components of an app offline.

26
Q

What is DAST?

A

Dynamic application security testing (DAST) is a form of black-box testing against live systems and apps.

27
Q

What is RASP?

A

Runtime application self-protection (RASP) is run against systems that have the ability to tune and focus their security measures based on actual environment variables and the particular attack methods being used against them. It is designed to react to ongoing and active events and threats, e.g. by opening or closing ports.

28
Q

What is software risk?

A

The possibility of suffering a loss during the software development process is called software risk.

29
Q

What is loss when it comes to software risk?

A
  • Increase in production costs
  • The development of poor-quality software
  • Not completing the project on time
30
Q

What is a race condition?

A

Time of Check/Time of Use is an example of a state attack where an attacker attempts to alter a condition after it has been checked by the OS.

31
Q

What is a multipartite virus?

A

Also known as a multipart virus; a virus that can spread via several vectors.

32
Q

What is a packer?

A

A neutral technology used to shrink the size of executables; also used by malware to evade signature-based detection methods.

33
Q

What is referential integrity?

A

Every foreign key in a secondary table matches a primary key in the parent table, assuring the accuracy of cross-referencing between tables.

34
Q

What is Semantic integrity?

A

Each attribute (column) value is consistent with the attribute's data type; assures that the data in any field is of the appropriate type, e.g. age is an integer.

35
Q

What is entity integrity?

A

Each tuple has a unique primary key that is not null.

36
Q

What is an object request broker (ORB)?

A

This is middleware that locates a requested object on either the local system or across a network on another server

37
Q

What is the Component Object Model (COM)?

A

Locates an object on the local system.

38
Q

What is the Distributed Component Object Model (DCOM)?

A

Locates an object on another server.

39
Q

What is a Common Object Request Broker Architecture (CORBA)?

A

An object broker framework that allows different vendor products, such as computer languages, to work seamlessly across distributed networks of diversified computers.

40
Q

What is gray box testing?

A

In a gray-box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted.

41
Q

What is regression testing?

A

Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software.

It reruns a number of test cases and compares the results to baseline results.

42
Q

What are pass-around reviews?

A

Pass-around reviews are often done via email or using a central code review system, allowing developers to review code asynchronously.

43
Q

What are the goals of software threat modelling programs?

A

Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws.

44
Q

What is the proper order of steps in the waterfall model of software development?

A

In the waterfall model, the software development process follows five sequential steps that are, in order: Requirements, Design, Coding, Testing, and Maintenance.

45
Q

What is the degree in a database?

A

The degree of a db table is the number of attributes.