Domain 8: Software Development Security 10% Flashcards
Using programming maturity framework
we can lower our errors to 1 per 1,000 lines of code.
Machine code
Sftwr exe directly by the CPU, 0’s and 1’s understood by the CPU
Source Code
Comp programming lang, written in text and is human understandable, translated into machine code.
Assembler language
Short mnemonics like ADD/SUB/JMP which is matched with the full lenght binary machine code, assemblers converts assembly language into machine language
Compiler languages
Translates the higher level language into machine code and saves, often as executables, compiled once and run multiple times.
Interpreted languages
Similar to compilar languages, but interprets the code each time it runs into machine code.
Bytecode
An interpreted code, in intermediary form, converted from source code to interpreted, but still needs to be converted into machine code before it can run on the CPU
Procedural languages (Procedure-oriented)
Uses subroutines, procedures and functions.
Objected-oriented Programming (OOP)
Based on the concept of objects, which may contain data, in the form of fields, often known as attributes, and code, in the form of procedures, often known as methods. An object’s procedures can access and often modify the data fields of the objects with which they are associated. In OOP, comp programs are designed by making them out of obj that interact with one another.
4th gen languages (4GL)
are designed to reduce programming effort and the time it takes to develop software, resulting in a reduction in the cost of sftwr development. Often uses a GUI, drag and drop, and then generating the code, often used for websites, db, reports.
Programming languages and generations
- Machine Code
- Assembler
- Cobol, basic, C++, Java
- ColdFusion, Progress 4gl, SQL, PHP, Perl
CASE (Computer-Aided Software Engineering)
Used for developing high-quality, defect-free, and maintainable software
CASE software 3 categories
- Tools support specific tasks in the sftwr lifecycle 2. Workbenches combine two or more tools focused on a specific part of the sftwr life-cycle. 3. Enviroments combine two or more tools or workbenches and support the complete sftwr life-cycle.
Top-Down Programming
Starts w/ the big picture, then breaks it down into a smaller segments.
Bottom-UP Programming
Piecing together of sys to build more complex sys, making the original sys a sub-sys of the overarching sys.
Proprietary software
Sftwr protected by intellectual property and/or patents, often used interch with Closed Source sftwr, but it really is not. It cna be both Open and Closed Src
GNU (General Public License) also called GPL
users have the freedom to run, study, share and modify the software. A copyleft license, means that derivative work can only be distributed under the same license terms.
BSD (Berkeley Software Distr)
A family of permissive free sftwr licenses, imposing minimal restrictions on the use and redistribution of covered sftwr. This is different than copyleft licenses, which have reciprocity share-alike requirements.
Apache
Sftwr must be free, distri, mod, distri the mod sftwr. Requires the preserv of the cpyrght and disclaimer.
Waterfall
very linear, each phase leads directly into the next. The unmodified waterfall model does not allow us to go back to the previous phase.
Sashimi model (Waterfall w/ overlapping phases)(modified waterfall)
Similar to waterfall, but we always have 2 overlapping phases, if we close one phas, we add the next phase. It allows you to go back to the previous phase but no further.
Agile Software development
Describes a set of values and principles for sftwr development under which require and solutions evolve through the collab effort of self-organizing cross-func teams. Uses adaptive planning, evolutionary development, early delivery, and continuous improvement and it encourages rapid and flexible response to change. For the exam know flow agile.
What is valued in the manifesto:
Individuals and Interactions more than processes and tools. Working Software more than comprehensive documentation. Customer Collab more than contract negotiation. Responding to Change more than following the plan.
Scrum further development of Agile
designed for teams of approximately 10 individuals, and generally relies on 2-wks development cycles, called “sprints”, as well as short daily stand-up meetings.
3 Core roles in Scrum
Product owner: representing the prod stakeholders, the voice of the cust, accountable for ensuring that the team delivers value to the business. Development team: Responsible for delivering the product at the end of each sprint. Team is made-up of 3-9 individuals who do the actual wrk
Scrum master
Facilitates and accountable for removing impediments to teh ability of the team to deliver the product goals and deliverables. Buffer btw the team and any distracting influences. Ensures the Scrum framework is followed.
XP (Extreme programming)
Intended to improve sftwr quality and responsiveness to changing cust require. Uses/advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted.
XP Uses
programming in pairs or doing extensive code review. Unit testing of all code. Avoiding programming of features until they are actually needed. Flat mngmnt structure. Code simplicity and clarity. Expecting changes in the customer’s requirements as time passes and the problem is better understood. Freq comm w/ cust and among prgrmmrs.
The spiral model
A risk-driven process model generator for sftwr projects.
Spiral model 4 phases
Planning, risk, analysis, engineering and evaluation.. A sftwr project repeatedly passes through these phases in iterations (called Spirals in this model).
RAD (Rapid Application Development)
Puts an emphasize on adaptability and the ncessity of adjusting requirements in response to knowledge gained as the project progresses. Prototypes are often used. Very suited for developing sftwr that is driven by user interf requir. GUI blders are often called RAD tools.
Prototyping
Breaks projects into smaller tasks, creating multiple prototypes of sys design features. A working mdl of sftwr w/ some limited funct, rather than designing the full sftwr up front.
SDLC (Sftwr Development Life Cycle)
The aim is to produce high-quality sys that meet or exceed customer expectations, based on customer requirement, by delivering sys which move through each clearly define phase, within scheduled time frames and cost estimates. All software development method follow SDLC phases but the method of doing that varies vastly btw methodologies.
SDLC Phases:
investigation, analysis, design, build, test, implement, maintenance and support (and disposal). Can have security built into each step of the process, for the exam it always does. If an answer about SDLC does not list secure or security, it would be wrong and can be eliminated.
Project
is a temp endeavor, w/ a finite start and end, that is focused on creating a unique product, service, or result.
Program
is a collection of related projects. It is temporary.
Portfolio
is a collection of projects and programs that are managed as a group to achieve strategic objectives
IPT (Integrated Product Team)
A multidisciplinary group of people who are collectively responsible for delivering a defined product or process. IPTs are used in complex development programs/projects for review and decision making. Are created most often as part of structured sys engineering methodologies, focusing attention on understanding the needs and desires of each stakeholder.
Source code escrow
The deposit of the source code of sftwr w/ a 3rd party escrow agent. Escrow is typic reques by a parting licensing sftwr (the licensee), to ensure maintenance of the sftwr instead of abandonment or orphaning.
Source code repositories
Using public 3rd party code repositories comes with some security concerns. One of the most import cntrls is using MFA. They are often used by open-source sftwr prjcts and other multi-developer projects to handle various vers. They help develop submit patches of code in an organized fashion
API Security
Allows app to comm w/ another app, OS, DB, Ntwrk.
OWASP
also has an Enter Sec API Toolkit project, which includes these crit API cntrls
DevOps
a sftwr develop and deliery process that emphasizes comm and collaboration btw product managment, sftwr develop, and ops profs in the entire service lifecycle, from design through software retirement.
DevOps
a sftwr develop and deliery process that emphasizes comm and collaboration btw product managment, sftwr develop, and ops profs in the entire service lifecycle, from design through software retirement. Automates and monitors all the sftwr processies.
Databases
an organized collection of data. It is the collection of schemas, tables, queries, reports, views, and other objects.
DBMS (database management system)
A comp sftwr app that interacts w/ the user, other apps, and the DB itself to capture and analyze data.
Most common DB model today
is the relational model as represented by the SQL language.
Common logical data models for
DB include: Hierarchical DB, Relational mdl
Relational mdl
orgs data into 1 or + tables (or relations) of columns and rows, w/ a unique key identifying each row.
Foreign key
They are in relational DBs with the matching primary key of a parent DB table. It is always the primary key in the local DB.
Referential integrity
when every foreign key in a secondary tbl matches a primary key in the parent tbl. It is broken if not all foreign keys match the primary key.
Semantic integrity
each attribute value is consistent w/ the attribute data type.
Entity integrity
Each tuple (row) has a unique primary value that is not null.
User-defined integrity
A set of rules specified by a user, which do not belong to the entity, domain and referential integrity categories.
Having a single, well cntrlld and well defined data-integrity sys increases:
Stability, Performance, Re-usability, Maintainability.
Integrity
modern DB support these features, and it has become the de facto respon of teh DB to ensure data integrity.
DB Journal
is a log of all DB transactions. Can be used to restore a DB after a backup.
DB normalization
used to clean up the data in a DB tbl to make it logically concise, org, and consistent. Removes redundant data, and improves the integrity and avail of the DB
1 Normal Form
divides the base data into tbls, primary key is assigned to most or all tables
2 Normal Form
Move data that is partially dependent on the primary key to another table
3rd Normal Form
Remove data that is not dependent on the primary key
Database Views
What we see when we query DB tables. They give users a view of the parts of the DB they are allowed to access.
Data Dictionary
Contains a descrip of the DB tables (metadata). It has the DB view info, info about auth DB admins, user accnts names and privileges, auditing info, DB schema
DB schema
describes the att and values of the DB tables. Names should only contain letters, in the US SSN’s should only contain 9 #’s.
DB query language
Allow the creation, mod, deletion of DB tbls, the read/write access for those tables. SQL and SQL derivatives are the most common query languages. Have at least 2 subsets of commands
Data Definition language (DDL)
a standard for commands that define the different structures in a database. Creates, modifies, and removes DB objects such as tables, indexes, and users. Common DDL statements are create, alter, drop
Data Manipulation Language (DML)
Used for selecting, inserting, deleting, updating data in a DB. Common DDL statements are select, delete, insert, update.
Hierarchical DB
use a tree-like structure for how data is org. Data is stored as records which are connected to one another through links. A record is a collection of fields, with each field containing only one value. Win registry uses this DB type.
Object-Oriented DB (Object DB Management Sys)
Object DB’s store objects rather than data such as integers, strings or real #’s. Objects are used in object oriented languages eg Smalltalk, C++, Java. The object can then be referenced, or called later, as a unit w/o having to go into its complexities.
OO DB consist
of the following:
Attributes
data which defines the charac of an object.
Methods
defines the behavior of an object and are what was formally called procedures or functions. Objects contain both exe code and data.
Classes
define the data and methods the object will contain, they are the template for the object.
DB shadowing
exact real time copy of the DB or files to another locat
Electronic vaulting (e-vaulting)
Using a remote backup service, backups are sent off-site electron at a certain interval or when files change.
Remote journaling
sends transaction log files to a remote loca, not the files themselves.
Coupling
the degree of interdependence btw sftwr modules, a measure of how closely connected 2 routines or modules are.
Cohesion
Refers to the degree to which elements inside a module belong together. Measures the strength of relationships btw peices of functionality within a given module.
Coupling is usually
contrasted with cohesion
Low coupling often correalates with high cohesion, and vice versa
Low coupling is often a sign of well-structured comp sys and a good design, and when combined with high cohesion, supports the general goals of high readability and maintainability.
ORB (Object request broker)
Middleware which allows program calls to be made from one comp to another via network, providing location transparency through remote procedure calls. Common object brokers include .net remoting, COM, DCOM, CORBA
ORB (Object request broker)
Middleware which allows program calls to be made from one comp to another via network, providing location transparency through remote procedure calls. Promote interoperability of dist. object sys. Common object brokers include .net remoting, COM, DCOM, CORBA
COM (Component Object Model)
a language-neutral way of implementing objects that can be used in enviroments different from the one in which they were created, even across machine boundaries. It is used to enable inter-process comm object creation in a large range of programming languages.
DCOM (Distributed COM)
network sequel to COM which adds to support comm among objects on different comps - on a LAN, WAN, Internet. DCOM includes Object linking and embedding, a way to link docs to other docs. Both COM/DCOM are slowly being replaced by MS.Net, which can interoperate with DCOM, but offers more advanced functionality than COM/DCOM.
CORBA (Common object request broker architecture)
Open vendor neutral ORB stdrd defined by the Object Management Group (OMG) designed to facilitate the comm of sys that are deployed on diverse platforms. Enables collaboration btw sys on diff OS’s, programming languages, and comp hrdwr. CORBA uses an object-oriented model although the sys that use CORBA do not have to be object-oreint
OOAD (Object-oriented analysis and design)
Iteration after iteration, the outputs of OOAD activities, analysis models for OOA and design models for OOD respectively will be refined and evolve continuously driven by key factors like risks and business value.
OOA (objected oriented analysis)
Creates a mdl of the sys functional requir that is independent of implementation constraints. Organize requirements around objects, which integrate both behaviors (processes) and states (data) modeled after real world objects that the sys interacts with.
OOA primary tasks are:
Find the objects, organize the obj, describe how the objs interact, define the behavior of the objs, define the internals of the objects
OOD (object-oiented design)
The developer applies the constraints to the conceptual mdl produced in OOA.
OOM (object-oriented modeling)
common approach to modeling apps, sys, and business domains by using the object-oriented paradigm throughout the entire develpment life cycles. Heavily used by both OOA and OOD activities in modern sftwr engineering.
OWASP (open web app security project)
Top 10 most common web security issues
A1 Injection
can be any code injected into user forms, often seen is SQL/LDAP. To protect against this only allow users to input appropriate data into the fields.
CGI (common gateway interface)
Standard proto for web srvrs to exe programs running on a server that generates web pages dynamically. We use the interface to ensure only proper input makes it to the DB. CGI separates the untrusted (user) from the trusted (DB)
A2 Broken Authn and Session Management
Session do not expire or take too long to expire. Session ID’s are predictable. Tokens, Session Id’s, pswrds are kept in plaintext.
A3 Cross-site scripting (XSS)
Attackers inject client-side scripts into web pages viewed by other users. Vulnerability may be used by attackers to bypass access controls such as the same-origin policy. To prevent XSS we can use proper input validation and data typing. Set our server to, redirect invalid requests, detect a simultaneous login from 2 different IP’s and invalidate the sessions, require users to enter their psswrds again before changing their registration information and set cookie with HttpOnly flag to prevent access from JavaScript.
A4 Broken Access Control
Access control not implemented consistently across an entire app. Use centralized access conrol mechanism, and we write the tricky logic once and resure it everywhere.
A5 Security Misconfiguration
DB configured wrong. Not removing out of box default access and settings. Keeping default usernames and passwords. OS, Webserver, DBMS, apps, not patched and up to date. Unnecessary features are enabled or installed, this could be open ports, services, pages, accounts, privileges.
A6 Sensitive data exposure
Sites being http, not https. data at rest, backups and in transit are not encrypted. Phishing, using old encryption. Not monitoring is data is being exfiltrated.
A7 Insufficient detection and response
Not detecting we have been compromised, due to lack of controls, detection apps. Not performing due diligence and due care on our apps, sys, and our response to compromise. Not responding in a proper way to compromise, not informing anyone, informing too late or just ignoring the incident
A8 Cross-site request forgery (CSRF)
stolen session id’s or tokens. Often phishing, psswrds/username saved in cookies. Saved site passwords, not logging off when done, using the same browser for sensitive and non-sensitive info. Current browsers do mitigate some of this, they should use unique session specific tokens (random or pseudo random), and validate session tokens are not replayed.
A9 Using components with know vulnerabilities
developers using deprecated code or objs that are known to be unsecure, but they use them because they are used to it or the library they use has the objects in it.
A10 Underprotected API’s
badly coded API’s. Not using in depth API code reviews and auditing. Not using SSL/TLS. Forgotten and abandoned API’s, that still have access to backend sys.
Insecure direct object reference
users can access resources they shouldn’t, by guessing the URL or path. Mitigated by proper access control.
Unvalidated redirects and forwarding
Not confirming URL’s forward and redirect us to the right page.
Buffer overflow (buffer overrun)
An anomaly where a prgram, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations, happens from improper coding when a programmer fails to perform bounds checking. By sending in data designed to cause a bufferr overflow, it is possible to write into areas known to hold executable code, and replace it w/ malicious code.
Race condition (race hazard)
2 or more programs may collide in their attempts to modify or access a file. This can be an attacker with access, altering files which can then result in data corruption or privilege escalation. TOCTOU (time of check to time of use) a sftwr bugs caused by changes in a sys btw the checking of a condition (such as a security credential) and the use of the results of that check.
Privilege escalation
Exploiting a bug, design flaw or configuration oversight in an OS or app to gain access to resources that are normally protected from an app or user.
Backdoor
often installed by attackers during an attack to allow them to access the sys after the initial attack is over.
Disclosure
What you do when you discover a vulnerability.
Full disclosure
tell everyone, make it public, assuming attackers already know are using it
Responsible/ Partial disclosure
telling the vendor they have time to develop a patch and then disclose it. If they do nothing we do a full disclosre forcing them to act.
No disclosure
attackers finding a vulnerability would try to exploit it and keep it secret as long as possible.
CMM (capability maturity model)
the maturity relates to the degree of formality and optimization of processes, from ad hoc practices, to formally defined repeatable steps, to managed result metrics, to active optimization of the processes.
Five CMM levels that describes where the org is
it has practical steps to how to mature the org to get to the next level.
- Initial
Processes at this level are normally undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events.
- Repeatable
Some processes are repeatable, possibly with consistent results.
- Defined
There are sets of defined and documented standards processes established and subject to some degree of improvement.
- Managed (Capable)
Processes at this level uses process metrics, effective achievement of the process objectives can be evidenced across a range of operational conditions.
- Optimizing
processes at this level focus on continually improving process performance through both incremental and innovative tech changes/ improvements.
Acceptance testing
At the end of development we also use acceptance testing, we need to test it to ensure it does what it is supposed to and it is robust and secure.
User acceptance test
is the software functional for the users who will be using it. It is tested by the users and app managers
Operational acceptance testing
does the software and all of the components it interacts with ready for opeation.
Contract acceptance testing
Does the sftwr fulfill the contract specifications. The what/where/hw of the acceptance is defined in the contract.
Compliance acceptance testing
is the software compliant with the rules, regulations and laws of our industry
Compatibility/prod testing
does the sftwr interface as expected with other apps/sys. Does the sftwr perform as expected in our prod enivro vs the development enviroment
Software development and procurement as well as any other project should be carefully scoped, planned be based on a clear analysis of what the business needs and wants.
When buying software we do our due care and due diligence, as well as use outside council if needed.
COTS (commercial off the self) software
use a clear RTM (requirements traceability matrix) requirements are divided into “Must have, nice to have and maybe should have”
Custom-developed 3rd party products
Having someone else develop the software we need is also an option. Higher cost than COTS software, but also far more customizable.
AI (Artificial Intelligence)
advice that preceives its enviroment and takes actions that maximize its chance of success at some goal, not through experience/programming, but through reasoning.
Expert sys
a comp sys that emulates the decision-making ability of a human expert.
ANN’s (artificial neural networks)
computing sys inspired by the biological neural networks that constitute animal brains, we make decisions based on 1000’s of memories, stories, the situation and many other factors, the ANN tries to emulate that.
GP (genetic programming)
a technique where computer programs are encode as a set of genes that are then modified (evolved) using an evolutionary algorithm often a GA (genetic algorithm). GP favors the use of programming languages that naturally embody tree structures.
