Domain 8: Software Development Security

Question 1

Extreme Programing (XP)

Answer 1

An Agile development method that uses pairs of programmers who work off a detailed specification

XP Core practices:
.Planning:specifies the desired features
.Paired programming
.Forty-hour work week: forecasted iterations should be accurate enough to forecast hours required
.Total customer involvement
.Detailed test procedures: called test units

Question 2

Object

Answer 2

A “black box” that combines code and data, and sends that receives messages

Question 3

Object-Oriented Programming

Answer 3

.Treats a program as a series of connected objects that communicate via messages

.Changes the older procedural programming methodology

Question 4

Procedural Language

Answer 4

Programming language that uses subroutines, procedures and functions

Question 5

Spiral Model

Answer 5

.Software development model designed to control risk
.Repeats steps of a project, starting with the modest goals and expanding outwards in ever wide spirals (called rounds)
.each round of the spiral constitutes a project.
.each round may follow traditional software development methodology such as waterfall
.risk analysis performed each round.

Question 6

Software Development Lifecycle

Answer 6

A development model that focuses on security at every phase.
.Broader that many applications development models, focusing on the entire system, from selection/development, through operational requirements, to secure disposal
.NIST SP 800-14

Question 7

Waterfall Model

Answer 7

An application development model that uses rigid phases; when one phase ends, the next begins
>Unmodified model does not allow developed to go back to previous steps.
>Modified waterfall model allows verified and validate of the user requirements at every phase.

Question 8

SEI Capability Maturity Model (CMM)

Answer 8

.A maturity framework for evaluating and improving the software development process.

.Goal of CMM is to develop a methodical framework for creating quality software which allows for measurable and repeatable results

Question 9

Machine Code

Answer 9

.Machine Language

.software that is executed directly by the CPU

.CPU dependent

.series of 1s and 0s that translate instructions that are understood by the CPU

Question 10

Source code

Answer 10

computer language instructions which are written in text that must be translated into machine code before execution by the CPU

Question 11

Assemblers

Answer 11

.Assembly language is a low-level computer programming language.
.Instructions are show mnemonics, ADD SUB JMP
. An assembler converts assembly language into machine language.
.A disassembler attempts to covert machine language into assembly

Question 12

Compiler

Answer 12

Compiler takes source code, such as C and Basic and compile it into machine code.

Ones compiled the machine language is executed by the CPU

Question 13

Interpreters

Answer 13

.Interpreted language differs from compiled languages:
.Interpreted code (such as shell code) in compiled on the fly each time the program is run
.Perl, Python, Java

Question 14

Bytecode

Answer 14

.Is also interpreted code
.Bytecode exists as an intermediary from (converted from source code), but must still be converted to machine code before it may run on the CPU

Question 15

Programming Language Generation

Answer 15

.First Generation language: machine code
.Second Generation language: assembly
.Third Generation language: COBOL, C, Basic
.Fourth Generation language: Coldfusion, Progress 4GL, Oracle Reports
>tend to be graphical user interface focused, dragging and dropping elements and them generation code based on results
>creation of databases, reports and websites

Question 16

Computer-Aided Software Engineering (CASE)

Answer 16

.Uses programs to assist in the creation and maintenance of other programs
.Three types of CASE software
>Tools: support only specific tasks in a software production process
>Workbenches: supports one or a few software process activities by integrating SEVERAL TOOLS in a single application
>Environments: support all or at least part of the software productions process with a collection of TOOLS and WORKBENCHES

Question 17

Top-Down Programming

Answer 17

Programming starts with the broadest and highest level requirements (the concept of the final program) and works down towards the low-level technical implementation

• procedural languages typically use.
• start with the main program, define the procedures and work down from there

Question 18

Bottom-Up Programming

Answer 18

Starts with the low-level technical implementation details and works up to the concept of the final program

• Object-oriented programming typically uses bottom-up design
• define the objects and use them to build up to the final program

Question 19

Open Source Software

Answer 19

publishes source code publicly, allow anyone to inspect, modify, or compile the code themselves.

Question 20

Closed Source Software

Answer 20

.software is released on executable form.
.source code is kept confidential.
>”Closed source” and “proprietary software” are sometime used as synonyms, but that is not always true.
>some open source software is also proprietary

Question 21

Sashimi Model

Answer 21

.highly overlapping steps
.based on the reaction to waterfall
.based on the hardware design model of Fuji-Xerox

Question 22

Agile Software Development

Answer 22

.Individuals and interactions over process and tools
.Working software over comprehensive documentation
.Customer collaboration over contract negotiation
.Responding to change over following a plan

Question 23

Scrum

Answer 23

.small teams of developers
.Scrum Master acts as coach
.Product owner is the voice of the business unit

Question 24

Rapid Application Development (RAD)

Answer 24

.Rapidly develops software via the use of prototypes, dummy GUI and back-end databases
.Goal is to quickly need the business needs of the system
.Technical concerns secondary
.Customer heavily involved in the process

Question 25

Prototyping

Answer 25

.an interactive approach which breaks projects into smaller tasks, creating multiple mock ups (prototypes) of system design features.
.lower risk by allowing customer to see realistic-looking results long before final product in completed.

Question 26

Application Programming Interface

Answer 26

.API

.allows an application to communicate with another application or an operating system, database or network

Question 27

Configuration Management

Answer 27

.Configuration Management Plan is a comprehensive description of the roles, responsibilities, policies and procedures that apply when managing the configuration of products and systems.
.Basic parts
>Configuration Change Board
>Configuration Item Identification -
>Configuration Change Control - process for managing updates to the baseline configuration
>Configuration Monitoring

Question 28

DevOps

Answer 28

.Separation of duties of the developers, quality assurance, and production teams
.the practice of operation and development engineers participating together in the entire service lifecycle, from design through the development process to production support.

Question 29

Object-oriented Programming (OOP)

Answer 29

.replicates the use of objects in computer programs
.treats a program as a series of connected objects that communicate via messages.
.attempts to model real world
.objects contain data and methods
.object provides encapsulation (data hiding)

Question 30

Object-oriented Design (OOD)

Answer 30

treats objects as a higher-level design concept, like a flow chart

Question 31

OOP Concepts

Answer 31

.Inheritance: a way to reuse code of existing objects, establish a subtype from an existing object.
.Delegation: refers to one object relying upon another to provide a specified set of functionalities.
Polymorphism: the ability to create a variable, a functions, or an object that has more than one form
Polyinstantiation: “many instances” two instances (specific objects) with the same names that contain different data

Question 32

Coupling and Cohesion

Answer 32

.Highly coupled objects requires lots of other objects to perform basis jobs. like math

.an object with high cohesion is far more independent: it can perform most functions independently

Question 33

Object Request Brokers (ORB)

Answer 33

.can be used to located objects:
.object search engines
.connects programs to programs
.COM, DCOM, CORBA

Question 34

Software Vulnerabilities

Answer 34

. Hard-coded credentials:
.Buffer overflow: occurs when a programmer does not perform variable bounds checking
.SQL Injection: manipulation of a back-end SQL server via a front-end web server
.Directory path Traversal: escaping from the root of a web server into the regular file system by reference directories such as “../..”

Question 35

TOCTOU/Race Condition

Answer 35

attacker attempts to alter a condition after it has been checked by the operation system, but before it is used.

Question 36

Disclosure

Answer 36

.the actions taken by a security researcher after discovering a software vulnerability
.Full Disclosure: releasing vulnerability publicly
.Responsible Disclosure: privately sharing vulnerability information with a vendor and withholding public release until a patch is available.

Question 37

Foreign Key

Answer 37

A key is an related database that matches a primary key in the parent database

Question 38

Referential Integrity

Answer 38

means every foreign key is a secondary table matches a primary key in the parent table

Question 39

Semantic Integrity

Answer 39

means that each attribute (column) value is consistent with the attribute data type

Question 40

Entity Integrity

Answer 40

means each tuple (row) has a unique primary key that is now null

Question 41

Normalization

Answer 41

.seeks to make the data in database table logically concise and organized
.removes redundant data
.3 forms:
>(1NF) divide data into table
>(2NF) move data that is partially dependent on the primary key to another table
>(3NF) remove data that is not dependent on the primary key

Question 42

Data Dictionary

Answer 42

.Contains a description of the database tables
.Metadata
.Contains database view information, information about authorized database administrator, and user accounts.
.contains database schema: it describes the attributes and values of the database table

Question 43

Database Query Language

Answer 43

.Allows the creation of database tables, read/write access to those tables and other functions
.Two subsets
-Data Definition Language (DDL)- created, modify and delete table
-Data Manipulation Language (DML)-used to query and update data stored in the tables