Domain 8: Software Development Security Flashcards
Extreme Programming (XP)
Introduces the use of integrated teams including developers, customers, and managers to drive the delivery of high-value software features.
- Utilizes a concept known as pair programming, which pairs developers. The developers take turns writing code and offering advice/input, with the goal of achieving higher-quality code by providing extra oversight and knowledge to draw upon.
Test-Driven Development (TDD)
First a test is written, then it is run. If it fails, code is written or refactored as needed to make the test succeed; the ultimate goal is to ensure that all tests pass.
DevOps Phases (8)
- Plan
- Code
- Build
- Test
- Release
- Deploy
- Operate
- Monitor
DevSecOps Manifesto (9 canons)
• Leaning in - over Always Saying “No”
• Data & Security Science - over Fear, Uncertainty and Doubt
• Open Contribution & Collaboration - over Security-Only Requirements
• Consumable Security Services with APIs - over Mandated Security Controls & Paperwork
• Business Driven Security Scores - over Rubber Stamp Security
• Red & Blue Team Exploit Testing - over Relying on Scans & Theoretical Vulnerabilities
• 24x7 Proactive Security Monitoring - over Reacting after being Informed of an Incident
• Shared Threat Intelligence - over Keeping Info to Ourselves
• Compliance Operations - over Clipboards & Checklists
Capability Maturity Model Integration (5 Maturity Levels)
- Initial - Processes are unpredictable and largely reactive.
- Managed - Processes are characterized or documented for projects and are often reactive.
- Defined - Processes are characterized for the organization and are proactive.
- Quantitatively managed - Processes are measured and controlled by the measurements.
- Optimizing - The organization focuses on process improvement.
- run by ISACA
The Software Assurance Maturity Model (SAMM) - 5 Phases
SAMM is a prescriptive framework for implementing a software security program and focuses on integrating security activities into an existing SDLC.
1. Governance
2. Design
3. Implementation
4. Verification
5. Operations
Building Security-In Maturity Model (BSIMM) - 4 Domains
Focused on determining the current state of secure software creation capabilities, identifying improvement opportunities, and prioritizing efforts to improve secure software development.
Governance
Intelligence
Software Security Development Lifecycle (SSDL)
Deployment
Cybersecurity Maturity Model Certification (CMMC) - 5 Maturity Levels
CMMC is designed for contractors who are handling sensitive information, known as controlled unclassified information (CUI), on behalf of government clients.
1. Initial - Processes are unpredictable and largely reactive.
2. Managed - Processes are characterized or documented for projects and are often reactive.
3. Defined - Processes are characterized for the organization and are proactive.
4. Quantitatively managed - Processes are measured and controlled by the measurements.
5. Optimizing - The organization focuses on process improvement.
Compiled Programming Languages
Are translated into machine-readable form before being run in a process known as compiling.
- Doesn’t expose source code
- C# and Swift are examples of compiled languages.
Interpreted Programming Languages
Are translated into machine-readable form when they are run, also known as "on the fly." This makes interpreted code more portable across system types.
- Exposes source code and requires additional operational overhead.
- JavaScript and Python are examples of interpreted languages.
Static Type Checking
Performed by a compiler to verify that the program's functionality matches the type constraints for its data inputs.
Dynamic Type Checking
Checks the values stored in a program’s variables as it is running to ensure data matches the expected type.
- Languages that implement these features are known as type-safe, and they support important security goals related to integrity of data.
Declarative Programming
Expresses the logic of a task without describing how it should be executed; in these languages, a system must interpret the logic and execute appropriate tasks.
Imperative paradigm of programming
Uses statements or commands that change a program’s state, similar to issuing imperative commands in human languages like “stand up” or “study for the CISSP.”
Procedural programming
Related to the imperative paradigm and is based on the concept of a program calling procedures, which are similar to routines or subroutines.
Block structured programming
Languages utilize blocks as an organizational unit; the scope of program elements like variables and functions is restricted to the block to prevent conflicts with other elements elsewhere in the code.
Object-oriented programming (OOP)
Instead of writing specific commands to gather input data and perform procedures on it, OOP treats both data and functions as objects, known as classes, which can be linked together through defined interactions.
Encapsulation
This is also known as data hiding and is effectively a way of isolating data from being accidentally mishandled. Direct access to a class can be denied to external objects, thereby restricting access to only approved functions known as methods.
Inheritance
Classes of data objects can have subclasses that inherit some or all of the main class’s characteristics, such as access restrictions.
Polymorphism in Programming
This term refers to the multiple (poly) forms (morphs) an object may take when being created or instantiated. Instantiating a new object from an existing object typically duplicates the attributes and methods of the existing object, but data of a different type may cause security concerns because the new data type requires different methods.
Polyinstantiation
This term means making multiple (poly) copies (instances) of an object, typically with the goal of supporting different levels of confidentiality and integrity for that object.
Hypertext Markup Language (HTML)
Specifies layout or display elements of text delivered to a web browser.
Cascading Style Sheets (CSS)
Allows definition for how a web document should be styled for display, including fonts, color, and layout/spacing of elements on the page.
JavaScript
Provides interactive applications inside a web browser on a client system, often for displaying and manipulating data on the user’s screen.
Python
A high-level interpreted language that can be used for a variety of uses ranging from small personal programs to large web applications.
Static application security testing (SAST)
SAST evaluates source code and other nonrunning application elements like compiled binaries. Testing is performed in development or testing environments, which means there is no impact to live production environments.
Dynamic application security testing (DAST)
DAST tools can typically run against any application with an interface or API regardless of the underlying language, and they are not as tightly integrated with an IDE, which means access is easier for nondevelopers.
Interactive application security testing (IAST)
- Combines elements of SAST, DAST, and penetration testing, often using complex algorithms and machine learning to analyze source code and correlate it with vulnerabilities discovered during dynamic testing.
Runtime application self-protection (RASP)
Executes alongside the application as it runs; RASP is less a testing tool than a runtime protection, and it is often incorporated into overall application security to complement SAST and DAST. A RASP security tool integrates with an application, analyzes the program's execution to spot unusual or unexpected behavior, and then takes corrective action.