Domain 8: Software Development Security Flashcards

1
Q

Extreme Programming (XP)

A

An Agile development method that uses pairs of programmers who work off a detailed specification

XP Core practices:
.Planning: specifies the desired features
.Paired programming
.Forty-hour work week: forecasted iterations should be accurate enough to forecast hours required
.Total customer involvement
.Detailed test procedures: called test units

2
Q

Object

A

A “black box” that combines code and data, and sends and receives messages

3
Q

Object-Oriented Programming

A

.Treats a program as a series of connected objects that communicate via messages

.Changes the older procedural programming methodology

4
Q

Procedural Language

A

Programming language that uses subroutines, procedures and functions

5
Q

Spiral Model

A

.Software development model designed to control risk
.Repeats steps of a project, starting with modest goals and expanding outwards in ever wider spirals (called rounds)
.Each round of the spiral constitutes a project.
.Each round may follow a traditional software development methodology such as waterfall
.Risk analysis is performed each round.

6
Q

Software Development Lifecycle

A

A development model that focuses on security at every phase.
.Broader than many application development models, focusing on the entire system, from selection/development, through operational requirements, to secure disposal
.NIST SP 800-14

7
Q

Waterfall Model

A

An application development model that uses rigid phases; when one phase ends, the next begins
>Unmodified model does not allow developers to go back to previous steps.
>Modified waterfall model allows verification and validation of the user requirements at every phase.

8
Q

SEI Capability Maturity Model (CMM)

A

.A maturity framework for evaluating and improving the software development process.

.Goal of CMM is to develop a methodical framework for creating quality software which allows for measurable and repeatable results

9
Q

Machine Code

A

.Machine Language

.software that is executed directly by the CPU

.CPU dependent

.series of 1s and 0s that translate into instructions that are understood by the CPU

10
Q

Source code

A

computer language instructions which are written in text that must be translated into machine code before execution by the CPU

11
Q

Assemblers

A

.Assembly language is a low-level computer programming language.
.Instructions are short mnemonics, such as ADD, SUB, JMP
.An assembler converts assembly language into machine language.
.A disassembler attempts to convert machine language into assembly

12
Q

Compiler

A

A compiler takes source code, such as C and Basic, and compiles it into machine code.

Once compiled, the machine language is executed by the CPU

13
Q

Interpreters

A

.Interpreted language differs from compiled languages:
.Interpreted code (such as shell code) is compiled on the fly each time the program is run
.Perl, Python, Java

14
Q

Bytecode

A

.Is also interpreted code
.Bytecode exists as an intermediary form (converted from source code), but must still be converted to machine code before it may run on the CPU

15
Q

Programming Language Generation

A

.First Generation language: machine code
.Second Generation language: assembly
.Third Generation language: COBOL, C, Basic
.Fourth Generation language: Coldfusion, Progress 4GL, Oracle Reports
>tend to be graphical user interface focused, dragging and dropping elements and then generating code based on the results
>creation of databases, reports and websites

16
Q

Computer-Aided Software Engineering (CASE)

A

.Uses programs to assist in the creation and maintenance of other programs
.Three types of CASE software
>Tools: support only specific tasks in a software production process
>Workbenches: support one or a few software process activities by integrating SEVERAL TOOLS in a single application
>Environments: support all or at least part of the software production process with a collection of TOOLS and WORKBENCHES

17
Q

Top-Down Programming

A

Programming starts with the broadest and highest level requirements (the concept of the final program) and works down towards the low-level technical implementation

  • typically used by procedural languages
  • start with the main program, define the procedures and work down from there
18
Q

Bottom-Up Programming

A

Starts with the low-level technical implementation details and works up to the concept of the final program

  • Object-oriented programming typically uses bottom-up design
  • define the objects and use them to build up to the final program
19
Q

Open Source Software

A

publishes source code publicly, allowing anyone to inspect, modify, or compile the code themselves.

20
Q

Closed Source Software

A

.software is released in executable form.
.source code is kept confidential.
>“Closed source” and “proprietary software” are sometimes used as synonyms, but that is not always true.
>some open source software is also proprietary

21
Q

Sashimi Model

A

.highly overlapping steps
.based on the reaction to waterfall
.based on the hardware design model of Fuji-Xerox

22
Q

Agile Software Development

A

.Individuals and interactions over process and tools
.Working software over comprehensive documentation
.Customer collaboration over contract negotiation
.Responding to change over following a plan

23
Q

Scrum

A

.small teams of developers
.Scrum Master acts as coach
.Product owner is the voice of the business unit

24
Q

Rapid Application Development (RAD)

A

.Rapidly develops software via the use of prototypes, dummy GUI and back-end databases
.Goal is to quickly meet the business needs of the system
.Technical concerns secondary
.Customer heavily involved in the process

25
Q

Prototyping

A

.an interactive approach which breaks projects into smaller tasks, creating multiple mock ups (prototypes) of system design features.
.lowers risk by allowing the customer to see realistic-looking results long before the final product is completed.

26
Q

Application Programming Interface

A

.API

.allows an application to communicate with another application or an operating system, database or network

27
Q

Configuration Management

A

.Configuration Management Plan is a comprehensive description of the roles, responsibilities, policies and procedures that apply when managing the configuration of products and systems.
.Basic parts
>Configuration Change Board
>Configuration Item Identification -
>Configuration Change Control - process for managing updates to the baseline configuration
>Configuration Monitoring

28
Q

DevOps

A

.Separation of duties of the developers, quality assurance, and production teams
.the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.

29
Q

Object-oriented Programming (OOP)

A

.replicates the use of objects in computer programs
.treats a program as a series of connected objects that communicate via messages.
.attempts to model real world
.objects contain data and methods
.object provides encapsulation (data hiding)

30
Q

Object-oriented Design (OOD)

A

treats objects as a higher-level design concept, like a flow chart

31
Q

OOP Concepts

A

.Inheritance: a way to reuse code of existing objects, establish a subtype from an existing object.
.Delegation: refers to one object relying upon another to provide a specified set of functionalities.
.Polymorphism: the ability to create a variable, a function, or an object that has more than one form
.Polyinstantiation: “many instances”, two instances (specific objects) with the same names that contain different data

32
Q

Coupling and Cohesion

A

.Highly coupled objects require lots of other objects to perform basic jobs, like math

.an object with high cohesion is far more independent: it can perform most functions independently

33
Q

Object Request Brokers (ORB)

A

.can be used to locate objects:
.object search engines
.connects programs to programs
.COM, DCOM, CORBA

34
Q

Software Vulnerabilities

A

.Hard-coded credentials:
.Buffer overflow: occurs when a programmer does not perform variable bounds checking
.SQL Injection: manipulation of a back-end SQL server via a front-end web server
.Directory path Traversal: escaping from the root of a web server into the regular file system by referencing directories such as “../..”

35
Q

TOCTOU/Race Condition

A

attacker attempts to alter a condition after it has been checked by the operating system, but before it is used.

36
Q

Disclosure

A

.the actions taken by a security researcher after discovering a software vulnerability
.Full Disclosure: releasing vulnerability publicly
.Responsible Disclosure: privately sharing vulnerability information with a vendor and withholding public release until a patch is available.

37
Q

Foreign Key

A

A key in a related database that matches a primary key in the parent database

38
Q

Referential Integrity

A

means every foreign key in a secondary table matches a primary key in the parent table

39
Q

Semantic Integrity

A

means that each attribute (column) value is consistent with the attribute data type

40
Q

Entity Integrity

A

means each tuple (row) has a unique primary key that is not null

41
Q

Normalization

A

.seeks to make the data in a database table logically concise and organized
.removes redundant data
.3 forms:
>(1NF) divide data into tables
>(2NF) move data that is partially dependent on the primary key to another table
>(3NF) remove data that is not dependent on the primary key

42
Q

Data Dictionary

A

.Contains a description of the database tables
.Metadata
.Contains database view information, information about authorized database administrators, and user accounts.
.contains database schema: it describes the attributes and values of the database table

43
Q

Database Query Language

A

.Allows the creation of database tables, read/write access to those tables and other functions
.Two subsets
-Data Definition Language (DDL): used to create, modify and delete tables
-Data Manipulation Language (DML): used to query and update data stored in the tables