Domain 8: (Software Development Security)

Question 1

What can improve application security and reduce risk for some important core functions?

Answer 1

Code Libraries

Question 2

What evaluates security of an application during runtime?

Answer 2

Dynamic Application Security Testing

Question 3

What will improve recoverability and issues tracking?

Answer 3

Release Versioning

Question 4

What describes the analysis of cpu software performed without actually executing programs, where the tester has access to the underlying framework, design, and implementation and requires source code.

Answer 4

Static Application Security Testing

Question 5

What is a program which communicates w/ a web app and the tester has no knowledge of the technologies or frameworks that the app is built on, and no source code is required.

Answer 5

Dynamic Application Security Testing

Question 6

In a basic relational database management system, what contains a number of attributes or fields and corresponds to a column.

Answer 6

Tables

Question 7

In a basic relational database management system, what is a data record within a table?

Answer 7

Rows

Question 8

In a basic relational database management system, what represents a set of data values of a particular type, one value for each row of the database.

Answer 8

Columns

Question 9

What is a subset of attributes that can be used to uniquely identify any record in a table?

Answer 9

Candidate Keys

Question 10

What is selected from the set of candidate keys for a table to be used to uniquely identify the record in a table, each table can only have one, and is selected by the database designer.

Answer 10

Primary Keys

Question 11

What is used to enforce relationships between two table, also known as referential integrity.

Answer 11

Foreign Keys

Question 12

What ensures that if one table contains a foreign key, it corresponds to a still-existing primary key in the other table in the relationship.

Answer 12

Referential Integrity

Question 13

What are two common RDMS attacks?

Answer 13

Aggregation
Inference

Question 14

What is the ability to create sensitive information by combining non-sensitive from separate sources?

Answer 14

Aggregation Attacks

Question 15

What is the ability to deduce or assume sensitive information from observing non-sensitive pieces of information?

Answer 15

Inference Attacks

Question 16

What can prevent an aggregation attack?

Answer 16

Need-to-know and least privilege

Question 17

What can prevent an inference attack?

Answer 17

Blurring data and database partitioning

Question 18

What allows a systems to stimulate additional primary memory resources through the use of secondary storage?

Answer 18

Virtual Memory

Question 19

What consists of more inexpensive, nonvolatile storage resources available to a sys for long-term use?

Answer 19

Secondary storage

Question 20

What allows the operating sys to request contents from any point within the media?

Answer 20

Random Access Storage

Question 21

What are examples of random access storage?

Answer 21

RAM and Hard Drives

Question 22

What requires scanning through the entire media from the beginning to reach a specific address?

Answer 22

Sequential Access Storage

Question 23

What are example/s of sequential access storage?

Answer 23

Magnetic Tape

Question 24

What allows a sys to stimulate secondary storage resources through the use of primary storage.

Answer 24

Virtual Storage

Question 25

What consists of two main components: a knowledge base that contains a series of "if/then" rules and an inference engine that uses that information to draw conclusions about other data.

Answer 25

Expert Systems

Question 26

What simulate functions of the human mind by arranging a series of layered calculations to solve problems and require extensive training on a particular problem before they can offer solutions.

Answer 26

Neural Networks

Question 27

What uses several iterations of waterfall model to produce a number of fully specified and tested prototypes?

Answer 27

Spiral Model

Question 28

What are the four principles of the agile model?

Answer 28

Individuals and Interactions Working software Customer collaboration Responding to change

Question 29

What are the seven stages of the waterfall model?

Answer 29

System Requirements Software Requirements Preliminary Design Detailed Design Code and Debug Testing Ops & Maintenance

Question 30

What are the steps and plans of the software capability maturity model (SW-CMM)?

Answer 30

Initial: No Plan Repeatable: Basic lifecycle mgmt Defined: Formal, documented SW development processes Managed: Quantitative measures to gain detailed understanding Optimized: Continuous development process, w/ feedback loops

Question 31

What are the steps and process of the IDEAL model?

Answer 31

Initiating: Business reasons outlined Diagnosing: Engineers analyze current state of org Establishing: Org takes recommendations & develops plan for changes Acting: Plan is put into action Learning: Org continuously analyzes efforts and results and proposes new actions

Question 32

What provides an organized framework within which users can request modifications?

Answer 32

Request Control

Question 33

What is used by developers to re-create the situation encountered by the user and analyze the appropriate changes to remedy the situation.

Answer 33

Change Control

Question 34

What are four main propagation techniques viruses use?

Answer 34

File Infection Service Injection Boot Sector Infection Macro Infection

Question 35

What infects different types of executable files and trigger when the operating sys attempts to execute them?

Answer 35

File Infection

Question 36

What can escape detection by injecting themselves into trusted runtime processes of the OS, such as svchost.exe, winlogin.exe, and explorer.exe.

Answer 36

Service Injection

Question 37

What can infect the legitimate boot sector and are loaded into memory during the OS load process?

Answer 37

Boot Sector Infection

Question 38

What can infect and spread through code in macros?

Answer 38

Macro Infection

Question 39

What uses signature-based detection algorithms to look for telltale patterns of known viruses?

Answer 39

Antiviruses Software

Question 40

What is freely available on the internet and used as a 2nd step by attackers to exploit know vulnerabilities in various OSs enabling attackers to elevate privileges?

Answer 40

Rootkit Attack

Question 41

What type of web application attack uses unexpected input to a web app to gain unauthorized access to an underlying database?

Answer 41

SQL Injection Attack

Question 42

What type of web app attack injection that uses malicious scripts into otherwise benign and trusted sites?

Answer 42

Cross-site Scripting (XSS)

Question 43

What are some network reconnaissance techniques?

Answer 43

IP Probes Port Scans Vulnerability Scans

Question 44

What are automated tools simply used to attempt to ping each address in a range?

Answer 44

IP Probes

Question 45

What scans a sys for open/listening ports, often web servers, file servers and other servers supporting critical operations?

Answer 45

Port Scans

Question 46

What ring level is the kernel?

Answer 46

Ring 0

Question 47

What ring level are device drivers?

Answer 47

Ring 1 and Ring 2

Question 48

What ring level are applications?

Answer 48

Ring 3

Question 49

What is the software development lifecycle?

Answer 49

Requirements Analysis Design Implementation Testing Evolution

Question 50

What represents several mutually independent security apps, processes, or services that operate toward a single common goal?

Answer 50

Concentric Circle Security

Question 51

What type of attack is an act of exploiting holes in unpatched or poorly configured software you buy and install?

Answer 51

Shrink Wrap Code Attacks