Domain 8: Software Development Security 10%

Question 1

Using programming maturity framework

Answer 1

we can lower our errors to 1 per 1,000 lines of code.

Question 2

Machine code

Answer 2

Sftwr exe directly by the CPU, 0’s and 1’s understood by the CPU

Question 3

Source Code

Answer 3

Comp programming lang, written in text and is human understandable, translated into machine code.

Question 4

Assembler language

Answer 4

Short mnemonics like ADD/SUB/JMP which is matched with the full lenght binary machine code, assemblers converts assembly language into machine language

Question 5

Compiler languages

Answer 5

Translates the higher level language into machine code and saves, often as executables, compiled once and run multiple times.

Question 6

Interpreted languages

Answer 6

Similar to compilar languages, but interprets the code each time it runs into machine code.

Question 7

Bytecode

Answer 7

An interpreted code, in intermediary form, converted from source code to interpreted, but still needs to be converted into machine code before it can run on the CPU

Question 8

Procedural languages (Procedure-oriented)

Answer 8

Uses subroutines, procedures and functions.

Question 9

Objected-oriented Programming (OOP)

Answer 9

Based on the concept of objects, which may contain data, in the form of fields, often known as attributes, and code, in the form of procedures, often known as methods. An object’s procedures can access and often modify the data fields of the objects with which they are associated. In OOP, comp programs are designed by making them out of obj that interact with one another.

Question 10

4th gen languages (4GL)

Answer 10

are designed to reduce programming effort and the time it takes to develop software, resulting in a reduction in the cost of sftwr development. Often uses a GUI, drag and drop, and then generating the code, often used for websites, db, reports.

Question 11

Programming languages and generations

Answer 11

1. Machine Code
2. Assembler
3. Cobol, basic, C++, Java
4. ColdFusion, Progress 4gl, SQL, PHP, Perl

Question 12

CASE (Computer-Aided Software Engineering)

Answer 12

Used for developing high-quality, defect-free, and maintainable software

Question 13

CASE software 3 categories

Answer 13

1. Tools support specific tasks in the sftwr lifecycle 2. Workbenches combine two or more tools focused on a specific part of the sftwr life-cycle. 3. Enviroments combine two or more tools or workbenches and support the complete sftwr life-cycle.

Question 14

Top-Down Programming

Answer 14

Starts w/ the big picture, then breaks it down into a smaller segments.

Question 15

Bottom-UP Programming

Answer 15

Piecing together of sys to build more complex sys, making the original sys a sub-sys of the overarching sys.

Question 16

Proprietary software

Answer 16

Sftwr protected by intellectual property and/or patents, often used interch with Closed Source sftwr, but it really is not. It cna be both Open and Closed Src

Question 17

GNU (General Public License) also called GPL

Answer 17

users have the freedom to run, study, share and modify the software. A copyleft license, means that derivative work can only be distributed under the same license terms.

Question 18

BSD (Berkeley Software Distr)

Answer 18

A family of permissive free sftwr licenses, imposing minimal restrictions on the use and redistribution of covered sftwr. This is different than copyleft licenses, which have reciprocity share-alike requirements.

Question 19

Apache

Answer 19

Sftwr must be free, distri, mod, distri the mod sftwr. Requires the preserv of the cpyrght and disclaimer.

Question 20

Waterfall

Answer 20

very linear, each phase leads directly into the next. The unmodified waterfall model does not allow us to go back to the previous phase.

Question 21

Sashimi model (Waterfall w/ overlapping phases)(modified waterfall)

Answer 21

Similar to waterfall, but we always have 2 overlapping phases, if we close one phas, we add the next phase. It allows you to go back to the previous phase but no further.

Question 22

Agile Software development

Answer 22

Describes a set of values and principles for sftwr development under which require and solutions evolve through the collab effort of self-organizing cross-func teams. Uses adaptive planning, evolutionary development, early delivery, and continuous improvement and it encourages rapid and flexible response to change. For the exam know flow agile.

Question 23

What is valued in the manifesto:

Answer 23

Individuals and Interactions more than processes and tools. Working Software more than comprehensive documentation. Customer Collab more than contract negotiation. Responding to Change more than following the plan.

Question 24

Scrum further development of Agile

Answer 24

designed for teams of approximately 10 individuals, and generally relies on 2-wks development cycles, called “sprints”, as well as short daily stand-up meetings.

Question 25

3 Core roles in Scrum

Answer 25

Product owner: representing the prod stakeholders, the voice of the cust, accountable for ensuring that the team delivers value to the business. Development team: Responsible for delivering the product at the end of each sprint. Team is made-up of 3-9 individuals who do the actual wrk

Question 26

Scrum master

Answer 26

Facilitates and accountable for removing impediments to teh ability of the team to deliver the product goals and deliverables. Buffer btw the team and any distracting influences. Ensures the Scrum framework is followed.

Question 27

XP (Extreme programming)

Answer 27

Intended to improve sftwr quality and responsiveness to changing cust require. Uses/advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted.

Question 28

XP Uses

Answer 28

programming in pairs or doing extensive code review. Unit testing of all code. Avoiding programming of features until they are actually needed. Flat mngmnt structure. Code simplicity and clarity. Expecting changes in the customer’s requirements as time passes and the problem is better understood. Freq comm w/ cust and among prgrmmrs.

Question 29

The spiral model

Answer 29

A risk-driven process model generator for sftwr projects.

Question 30

Spiral model 4 phases

Answer 30

Planning, risk, analysis, engineering and evaluation.. A sftwr project repeatedly passes through these phases in iterations (called Spirals in this model).

Question 31

RAD (Rapid Application Development)

Answer 31

Puts an emphasize on adaptability and the ncessity of adjusting requirements in response to knowledge gained as the project progresses. Prototypes are often used. Very suited for developing sftwr that is driven by user interf requir. GUI blders are often called RAD tools.

Question 32

Prototyping

Answer 32

Breaks projects into smaller tasks, creating multiple prototypes of sys design features. A working mdl of sftwr w/ some limited funct, rather than designing the full sftwr up front.

Question 33

SDLC (Sftwr Development Life Cycle)

Answer 33

The aim is to produce high-quality sys that meet or exceed customer expectations, based on customer requirement, by delivering sys which move through each clearly define phase, within scheduled time frames and cost estimates. All software development method follow SDLC phases but the method of doing that varies vastly btw methodologies.

Question 34

SDLC Phases:

Answer 34

investigation, analysis, design, build, test, implement, maintenance and support (and disposal). Can have security built into each step of the process, for the exam it always does. If an answer about SDLC does not list secure or security, it would be wrong and can be eliminated.

Question 35

Project

Answer 35

is a temp endeavor, w/ a finite start and end, that is focused on creating a unique product, service, or result.

Question 36

Program

Answer 36

is a collection of related projects. It is temporary.

Question 37

Portfolio

Answer 37

is a collection of projects and programs that are managed as a group to achieve strategic objectives

Question 38

IPT (Integrated Product Team)

Answer 38

A multidisciplinary group of people who are collectively responsible for delivering a defined product or process. IPTs are used in complex development programs/projects for review and decision making. Are created most often as part of structured sys engineering methodologies, focusing attention on understanding the needs and desires of each stakeholder.

Question 39

Source code escrow

Answer 39

The deposit of the source code of sftwr w/ a 3rd party escrow agent. Escrow is typic reques by a parting licensing sftwr (the licensee), to ensure maintenance of the sftwr instead of abandonment or orphaning.

Question 40

Source code repositories

Answer 40

Using public 3rd party code repositories comes with some security concerns. One of the most import cntrls is using MFA. They are often used by open-source sftwr prjcts and other multi-developer projects to handle various vers. They help develop submit patches of code in an organized fashion

Question 41

API Security

Answer 41

Allows app to comm w/ another app, OS, DB, Ntwrk.

Question 42

OWASP

Answer 42

also has an Enter Sec API Toolkit project, which includes these crit API cntrls

Question 43

DevOps

Answer 43

a sftwr develop and deliery process that emphasizes comm and collaboration btw product managment, sftwr develop, and ops profs in the entire service lifecycle, from design through software retirement.

Question 44

DevOps

Answer 44

a sftwr develop and deliery process that emphasizes comm and collaboration btw product managment, sftwr develop, and ops profs in the entire service lifecycle, from design through software retirement. Automates and monitors all the sftwr processies.

Question 45

Databases

Answer 45

an organized collection of data. It is the collection of schemas, tables, queries, reports, views, and other objects.

Question 46

DBMS (database management system)

Answer 46

A comp sftwr app that interacts w/ the user, other apps, and the DB itself to capture and analyze data.

Question 47

Most common DB model today

Answer 47

is the relational model as represented by the SQL language.

Question 48

Common logical data models for

Answer 48

DB include: Hierarchical DB, Relational mdl

Question 49

Relational mdl

Answer 49

orgs data into 1 or + tables (or relations) of columns and rows, w/ a unique key identifying each row.

Question 50

Foreign key

Answer 50

They are in relational DBs with the matching primary key of a parent DB table. It is always the primary key in the local DB.

Question 51

Referential integrity

Answer 51

when every foreign key in a secondary tbl matches a primary key in the parent tbl. It is broken if not all foreign keys match the primary key.

Question 52

Semantic integrity

Answer 52

each attribute value is consistent w/ the attribute data type.

Question 53

Entity integrity

Answer 53

Each tuple (row) has a unique primary value that is not null.

Question 54

User-defined integrity

Answer 54

A set of rules specified by a user, which do not belong to the entity, domain and referential integrity categories.

Question 55

Having a single, well cntrlld and well defined data-integrity sys increases:

Answer 55

Stability, Performance, Re-usability, Maintainability.

Question 56

Integrity

Answer 56

modern DB support these features, and it has become the de facto respon of teh DB to ensure data integrity.

Question 57

DB Journal

Answer 57

is a log of all DB transactions. Can be used to restore a DB after a backup.

Question 58

DB normalization

Answer 58

used to clean up the data in a DB tbl to make it logically concise, org, and consistent. Removes redundant data, and improves the integrity and avail of the DB

Question 59

1 Normal Form

Answer 59

divides the base data into tbls, primary key is assigned to most or all tables

Question 60

2 Normal Form

Answer 60

Move data that is partially dependent on the primary key to another table

Question 61

3rd Normal Form

Answer 61

Remove data that is not dependent on the primary key

Question 62

Database Views

Answer 62

What we see when we query DB tables. They give users a view of the parts of the DB they are allowed to access.

Question 63

Data Dictionary

Answer 63

Contains a descrip of the DB tables (metadata). It has the DB view info, info about auth DB admins, user accnts names and privileges, auditing info, DB schema

Question 64

DB schema

Answer 64

describes the att and values of the DB tables. Names should only contain letters, in the US SSN’s should only contain 9 #’s.

Question 65

DB query language

Answer 65

Allow the creation, mod, deletion of DB tbls, the read/write access for those tables. SQL and SQL derivatives are the most common query languages. Have at least 2 subsets of commands

Question 66

Data Definition language (DDL)

Answer 66

a standard for commands that define the different structures in a database. Creates, modifies, and removes DB objects such as tables, indexes, and users. Common DDL statements are create, alter, drop

Question 67

Data Manipulation Language (DML)

Answer 67

Used for selecting, inserting, deleting, updating data in a DB. Common DDL statements are select, delete, insert, update.

Question 68

Hierarchical DB

Answer 68

use a tree-like structure for how data is org. Data is stored as records which are connected to one another through links. A record is a collection of fields, with each field containing only one value. Win registry uses this DB type.

Question 69

Object-Oriented DB (Object DB Management Sys)

Answer 69

Object DB’s store objects rather than data such as integers, strings or real #’s. Objects are used in object oriented languages eg Smalltalk, C++, Java. The object can then be referenced, or called later, as a unit w/o having to go into its complexities.

Question 70

OO DB consist

Answer 70

of the following:

Question 71

Attributes

Answer 71

data which defines the charac of an object.

Question 72

Methods

Answer 72

defines the behavior of an object and are what was formally called procedures or functions. Objects contain both exe code and data.

Question 73

Classes

Answer 73

define the data and methods the object will contain, they are the template for the object.

Question 74

DB shadowing

Answer 74

exact real time copy of the DB or files to another locat

Question 75

Electronic vaulting (e-vaulting)

Answer 75

Using a remote backup service, backups are sent off-site electron at a certain interval or when files change.

Question 76

Remote journaling

Answer 76

sends transaction log files to a remote loca, not the files themselves.

Question 77

Coupling

Answer 77

the degree of interdependence btw sftwr modules, a measure of how closely connected 2 routines or modules are.

Question 78

Cohesion

Answer 78

Refers to the degree to which elements inside a module belong together. Measures the strength of relationships btw peices of functionality within a given module.

Question 79

Coupling is usually

Answer 79

contrasted with cohesion

Question 80

Low coupling often correalates with high cohesion, and vice versa

Answer 80

Low coupling is often a sign of well-structured comp sys and a good design, and when combined with high cohesion, supports the general goals of high readability and maintainability.

Question 81

ORB (Object request broker)

Answer 81

Middleware which allows program calls to be made from one comp to another via network, providing location transparency through remote procedure calls. Common object brokers include .net remoting, COM, DCOM, CORBA

Question 82

ORB (Object request broker)

Answer 82

Middleware which allows program calls to be made from one comp to another via network, providing location transparency through remote procedure calls. Promote interoperability of dist. object sys. Common object brokers include .net remoting, COM, DCOM, CORBA

Question 83

COM (Component Object Model)

Answer 83

a language-neutral way of implementing objects that can be used in enviroments different from the one in which they were created, even across machine boundaries. It is used to enable inter-process comm object creation in a large range of programming languages.

Question 84

DCOM (Distributed COM)

Answer 84

network sequel to COM which adds to support comm among objects on different comps - on a LAN, WAN, Internet. DCOM includes Object linking and embedding, a way to link docs to other docs. Both COM/DCOM are slowly being replaced by MS.Net, which can interoperate with DCOM, but offers more advanced functionality than COM/DCOM.

Question 85

CORBA (Common object request broker architecture)

Answer 85

Open vendor neutral ORB stdrd defined by the Object Management Group (OMG) designed to facilitate the comm of sys that are deployed on diverse platforms. Enables collaboration btw sys on diff OS’s, programming languages, and comp hrdwr. CORBA uses an object-oriented model although the sys that use CORBA do not have to be object-oreint

Question 86

OOAD (Object-oriented analysis and design)

Answer 86

Iteration after iteration, the outputs of OOAD activities, analysis models for OOA and design models for OOD respectively will be refined and evolve continuously driven by key factors like risks and business value.

Question 87

OOA (objected oriented analysis)

Answer 87

Creates a mdl of the sys functional requir that is independent of implementation constraints. Organize requirements around objects, which integrate both behaviors (processes) and states (data) modeled after real world objects that the sys interacts with.

Question 88

OOA primary tasks are:

Answer 88

Find the objects, organize the obj, describe how the objs interact, define the behavior of the objs, define the internals of the objects

Question 89

OOD (object-oiented design)

Answer 89

The developer applies the constraints to the conceptual mdl produced in OOA.

Question 90

OOM (object-oriented modeling)

Answer 90

common approach to modeling apps, sys, and business domains by using the object-oriented paradigm throughout the entire develpment life cycles. Heavily used by both OOA and OOD activities in modern sftwr engineering.

Question 91

OWASP (open web app security project)

Answer 91

Top 10 most common web security issues

Question 92

A1 Injection

Answer 92

can be any code injected into user forms, often seen is SQL/LDAP. To protect against this only allow users to input appropriate data into the fields.

Question 93

CGI (common gateway interface)

Answer 93

Standard proto for web srvrs to exe programs running on a server that generates web pages dynamically. We use the interface to ensure only proper input makes it to the DB. CGI separates the untrusted (user) from the trusted (DB)

Question 94

A2 Broken Authn and Session Management

Answer 94

Session do not expire or take too long to expire. Session ID’s are predictable. Tokens, Session Id’s, pswrds are kept in plaintext.

Question 95

A3 Cross-site scripting (XSS)

Answer 95

Attackers inject client-side scripts into web pages viewed by other users. Vulnerability may be used by attackers to bypass access controls such as the same-origin policy. To prevent XSS we can use proper input validation and data typing. Set our server to, redirect invalid requests, detect a simultaneous login from 2 different IP’s and invalidate the sessions, require users to enter their psswrds again before changing their registration information and set cookie with HttpOnly flag to prevent access from JavaScript.

Question 96

A4 Broken Access Control

Answer 96

Access control not implemented consistently across an entire app. Use centralized access conrol mechanism, and we write the tricky logic once and resure it everywhere.

Question 97

A5 Security Misconfiguration

Answer 97

DB configured wrong. Not removing out of box default access and settings. Keeping default usernames and passwords. OS, Webserver, DBMS, apps, not patched and up to date. Unnecessary features are enabled or installed, this could be open ports, services, pages, accounts, privileges.

Question 98

A6 Sensitive data exposure

Answer 98

Sites being http, not https. data at rest, backups and in transit are not encrypted. Phishing, using old encryption. Not monitoring is data is being exfiltrated.

Question 99

A7 Insufficient detection and response

Answer 99

Not detecting we have been compromised, due to lack of controls, detection apps. Not performing due diligence and due care on our apps, sys, and our response to compromise. Not responding in a proper way to compromise, not informing anyone, informing too late or just ignoring the incident

Question 100

A8 Cross-site request forgery (CSRF)

Answer 100

stolen session id’s or tokens. Often phishing, psswrds/username saved in cookies. Saved site passwords, not logging off when done, using the same browser for sensitive and non-sensitive info. Current browsers do mitigate some of this, they should use unique session specific tokens (random or pseudo random), and validate session tokens are not replayed.

Question 101

A9 Using components with know vulnerabilities

Answer 101

developers using deprecated code or objs that are known to be unsecure, but they use them because they are used to it or the library they use has the objects in it.

Question 102

A10 Underprotected API’s

Answer 102

badly coded API’s. Not using in depth API code reviews and auditing. Not using SSL/TLS. Forgotten and abandoned API’s, that still have access to backend sys.

Question 103

Insecure direct object reference

Answer 103

users can access resources they shouldn’t, by guessing the URL or path. Mitigated by proper access control.

Question 104

Unvalidated redirects and forwarding

Answer 104

Not confirming URL’s forward and redirect us to the right page.

Question 105

Buffer overflow (buffer overrun)

Answer 105

An anomaly where a prgram, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations, happens from improper coding when a programmer fails to perform bounds checking. By sending in data designed to cause a bufferr overflow, it is possible to write into areas known to hold executable code, and replace it w/ malicious code.

Question 106

Race condition (race hazard)

Answer 106

2 or more programs may collide in their attempts to modify or access a file. This can be an attacker with access, altering files which can then result in data corruption or privilege escalation. TOCTOU (time of check to time of use) a sftwr bugs caused by changes in a sys btw the checking of a condition (such as a security credential) and the use of the results of that check.

Question 107

Privilege escalation

Answer 107

Exploiting a bug, design flaw or configuration oversight in an OS or app to gain access to resources that are normally protected from an app or user.

Question 108

Backdoor

Answer 108

often installed by attackers during an attack to allow them to access the sys after the initial attack is over.

Question 109

Disclosure

Answer 109

What you do when you discover a vulnerability.

Question 110

Full disclosure

Answer 110

tell everyone, make it public, assuming attackers already know are using it

Question 111

Responsible/ Partial disclosure

Answer 111

telling the vendor they have time to develop a patch and then disclose it. If they do nothing we do a full disclosre forcing them to act.

Question 112

No disclosure

Answer 112

attackers finding a vulnerability would try to exploit it and keep it secret as long as possible.

Question 113

CMM (capability maturity model)

Answer 113

the maturity relates to the degree of formality and optimization of processes, from ad hoc practices, to formally defined repeatable steps, to managed result metrics, to active optimization of the processes.

Question 114

Five CMM levels that describes where the org is

Answer 114

it has practical steps to how to mature the org to get to the next level.

Question 115

1. Initial

Answer 115

Processes at this level are normally undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events.

Question 116

2. Repeatable

Answer 116

Some processes are repeatable, possibly with consistent results.

Question 117

3. Defined

Answer 117

There are sets of defined and documented standards processes established and subject to some degree of improvement.

Question 118

4. Managed (Capable)

Answer 118

Processes at this level uses process metrics, effective achievement of the process objectives can be evidenced across a range of operational conditions.

Question 119

5. Optimizing

Answer 119

processes at this level focus on continually improving process performance through both incremental and innovative tech changes/ improvements.

Question 120

Acceptance testing

Answer 120

At the end of development we also use acceptance testing, we need to test it to ensure it does what it is supposed to and it is robust and secure.

Question 121

User acceptance test

Answer 121

is the software functional for the users who will be using it. It is tested by the users and app managers

Question 122

Operational acceptance testing

Answer 122

does the software and all of the components it interacts with ready for opeation.

Question 123

Contract acceptance testing

Answer 123

Does the sftwr fulfill the contract specifications. The what/where/hw of the acceptance is defined in the contract.

Question 124

Compliance acceptance testing

Answer 124

is the software compliant with the rules, regulations and laws of our industry

Question 125

Compatibility/prod testing

Answer 125

does the sftwr interface as expected with other apps/sys. Does the sftwr perform as expected in our prod enivro vs the development enviroment

Question 126

Software development and procurement as well as any other project should be carefully scoped, planned be based on a clear analysis of what the business needs and wants.

Answer 126

When buying software we do our due care and due diligence, as well as use outside council if needed.

Question 127

COTS (commercial off the self) software

Answer 127

use a clear RTM (requirements traceability matrix) requirements are divided into “Must have, nice to have and maybe should have”

Question 128

Custom-developed 3rd party products

Answer 128

Having someone else develop the software we need is also an option. Higher cost than COTS software, but also far more customizable.

Question 129

AI (Artificial Intelligence)

Answer 129

advice that preceives its enviroment and takes actions that maximize its chance of success at some goal, not through experience/programming, but through reasoning.

Question 130

Expert sys

Answer 130

a comp sys that emulates the decision-making ability of a human expert.

Question 131

ANN’s (artificial neural networks)

Answer 131

computing sys inspired by the biological neural networks that constitute animal brains, we make decisions based on 1000’s of memories, stories, the situation and many other factors, the ANN tries to emulate that.

Question 132

GP (genetic programming)

Answer 132

a technique where computer programs are encode as a set of genes that are then modified (evolved) using an evolutionary algorithm often a GA (genetic algorithm). GP favors the use of programming languages that naturally embody tree structures.