Domain 8: Software Development Security Flashcards
DAST
Dynamic Application Security Testing
Scans, enumerates, and runs synthetic transactions against an application's runtime services to assess security
Buffer overflow
A buffer overflow occurs when an application buffer is populated with data that exceeds the capacity allocated to it, causing the excess data to “overflow” into adjacent memory (thereby overwriting it with the excess data). Buffer overflow attacks exploit this to overwrite memory locations that contain application code with malicious code (that is incorporated into the excess data).
Agile
The Agile model allows for developers to jump from one process to another, editing as they desire based upon customer needs.
Developed in the mid-1990s
Waterfall
The waterfall method does not allow developers to go backward and fix changes, making any development typically permanent.
6 total stages:
- System requirements / Feasibility
- Software requirements / Analysis
- Design
- Code and debug / Implement
- Testing
- Operations and maintenance
Developed in 1970
Spiral software development
The spiral method will allow a developer to eventually come back and fix something, but they won’t have more than a few chances and they must wait to implement the changes.
The spiral model has an emphasis on risk analysis and prototyping.
Developed in 1988
Integrated development environment
These refer to development environments that are designed to help maximize developer productivity and provide re-usable components with the same or similar interfaces. They typically present a single architecture in which the development can be done. An IDE typically has these components:
Source code editor
Build automation tools
Debuggers
Class browser
Object browser
Class hierarchy diagram
Version control to help develop graphical user interfaces
Sometimes Linux distros can be considered an IDE as well.
Fail-Secure
The fail-secure failure state puts the system into a high level of security (and, in some cases, disables it entirely) until an administrator has the chance to diagnose the issue and restore the device to regular operation.
Capability Maturity Model (CMM)
The software capability maturity model is based on the principle that a mature software development process will produce quality software.
5 maturity levels.
T/F Viruses can reproduce without a legit host application.
False
SCMM
Software Capability Maturity Model
Same as CMM (Capability Maturity Model)
The software capability maturity model is based on the principle that a mature software development process will produce quality software.
Object-Oriented Programming
Object-Oriented Programming (OOP) relies on the relationship between classes and objects. Objects inherit information from their assigned class. This allows programmers to be more efficient with their code. OOP code scales better and is easier to modify.
Examples: Java, .NET, C++, Python
Referential Integrity
Database concept
Requires that the foreign key be equal to the valid primary key of a different table.
Foreign Key = value that references the primary key of a tuple in a different table
Primary Key = unique value for each tuple in a table. Usually the first column of a table but not always.
Types of Databases
Relational
Object-oriented
Hierarchical
Relational DB
Consists of flat, two-dimensional tables of rows and columns, similar to a spreadsheet file. Provides a one-to-one data structure/mapping.
Relation = the entire table
Attribute = column
Tuple = row
Domain of an attribute = number of allowable values that attribute can take
Hierarchical DB
Combines records and fields that are related into a logical tree structure. Results in a one-to-many data model where each node may have zero, one, or many children but only one parent.
Object Oriented DB
Designed to resolve some of the limitations of large relational databases. Object-oriented databases don’t employ advanced language such as SQL but support modeling and the creation of data as objects.
Works with traditional database information and also complex data types such as diagrams, schematic drawings, videos, and sound and text documents.
SAMM
Software Assurance Maturity Model
A software assurance maturity model (SAMM) ensures proper development practices in software by combining five major aspects of the process into a framework to promote security. Essentially, SAMM ensures software development includes governance, design, implementation, verification, and operations.
IDEAL Software Dev model - what does it stand for? How many phases?
The IDEAL software development model has 5 phases. The phases are as follows:
Initiating
Diagnosing
Establishing
Acting
Learning
Interpreted vs Compiled languages
Compiled language: the programmer uses a tool called a compiler to convert source code into an executable file for use on a specified OS. Examples: C, Java, Fortran
Interpreted: code is distributed as the original source code written by the programmer. A user could conceivably open the source file and see the exact code. Examples: Python, R, JavaScript, VBScript
Security Onion
SIEM/IDS/IPS tool
Try…Catch function
Is an example of error handling used in software development. It’s a form of input handling in the event a user enters an unexpected input value.
Exception handling is closely related to error handling, except the exception handling technique doesn’t seek to execute the code in error. Error handling does in fact execute the code in error in an attempt to still manage it properly.
Error Handling
Inclusion of code that attempts to handle errors when they arise before they cause harm or interrupt execution.
Exception Handling
Programmer codes in mechanisms to anticipate and defend against errors in order to avoid termination of execution.
Inheritance
The process whereby an object receives some of its characteristics from a class.
What is a Row called in a relational database?
Tuple or record
Output Encoding
Output encoding is an application security technique used to ensure that certain characters within form inputs are processed as data and not potentially misinterpreted as programming syntax (which could be used to inject malicious code, if processed).
For example, the conversion of certain characters within website form inputs (e.g., ‘) into their HTML character entity reference equivalents (e.g., &apos;) prior to processing.
SDx
Software Defined Everything: Software-defined everything (SDx) refers to replacing hardware with software through virtualization.
Examples: VMs, software-defined networking, virtual SAN.
ACID Test
Atomicity, Consistency, Isolation, Durability (ACID) are a set of properties that ensure data written to the database is accurate and trustworthy.
Atomicity – Ensures that the entire transaction is successful or it is rolled back. If a portion of the transaction fails, everything is rolled back as if none of the transaction took place.
Consistency – Ensures that transactions cannot bring the database from a valid state to an invalid state. All records must follow the database rules. For example, records must have a primary key.
Isolation – Ensures that concurrent transactions do not interfere with each other.
Durability – Ensures that the changes will remain after a transaction is completed and cannot be rolled back.
Logic Bomb
Logic bombs are programs or code that execute when certain conditions are met. It is common for IT or development personnel to hide malicious programs somewhere in a computer network that executes if their user account is ever disabled.
Is Security a standard component/consideration of DevOps?
NO
Agile Manifesto
The Agile Manifesto is a document created in 2001 that defines the core philosophy of the Agile development model. Has 12 principles.
PAAS
Platform as a Service: Provides consumer with compute platform, including hardware and OS, and runtime environment.
Heuristic detection
Heuristic detection, sometimes called behavior detection, analyzes the characteristics and structure of code to detect malware. If the code has too many negative characteristics, it will be quarantined.
For example, it looks for attempts to elevate privilege, cover electronic tracks, and alter unrelated or OS files.
Is Python an example of PAAS?
Python is a platform as a service (PaaS) because it’s a programming tool serving as a platform off of which to design other programs and applications.
In context of CISSP, most coding languages may be considered PAAS.
What gen is Assembly Language?
Gen 2
Assembly is a generation two language. Assembly is a very low-level language that requires intricate knowledge of the system’s architecture. Programs written in Assembly are hardware-specific and are not compatible between different central processing unit (CPU) types.
Gen 1 code
written in binary
Gen 2 code
Assembly
Gen 3 code
Uses meaningful words in mostly English for commands; e.g. COBOL, Java, and C.
Gen 4 code
Report and application generators. Examples: SQL, FoxPro, Focus
Gen 5 code
Natural language interfaces (aka: constraint based or logic programming), requires an expert system or AI, typically has visual tools to help with programming and does not require the developer to learn a specific language.
SQL Candidate key
This key can be used to identify any record.
Each table may have one or more candidate keys, but one candidate key is special, and it is called the primary key.
Rootkit
A rootkit is used to achieve or maintain elevated privileges on a victim’s host. Rootkits frequently masquerade as system-level services to help remain undetected. Rootkits often have kernel-level access and are very difficult to detect or remove.
ODBC
Open Database Connectivity
Is a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type. ODBC acts as a proxy between applications and back-end database drivers, giving application programmers greater freedom in creating solutions.
Code Versioning
Code versioning forces developers to document each revision or change in a codebase. All changes are tracked and saved. Organizations should use code versioning to review changes made to code or roll changes back if needed. Common examples of code version control software are Git and SVN.
Reasonableness check
A reasonableness check ensures that data output from software falls within the specified boundaries. For example, ensuring that a person’s height is not negative or more than 10 feet.
COTS
Commercial-Off-The-Shelf [software]
Examples of well-known COTS applications include Microsoft Office, Intuit QuickBooks, and Adobe Creative Cloud.
Software escrow
A software escrow process is when a third party maintains the source code in the event that a customer needs it when a vendor or company that initially developed the code no longer exists.
Six Sigma
Six Sigma is a process improvement methodology, not a software development methodology. Six Sigma is focused on quality management and is part of quality assurance (QA) and testing.
Secondary Storage
Secondary storage is inexpensive and nonvolatile and includes items such as hard drives, flash drives, and CDs/DVDs.
All are familiar long-term storage devices that are used every day.
Portable Code
Portable code is code that can function in any environment without a compiler. This code is typically found in a runtime environment. Specifically, it is the code providing the functionality of an operating system for a virtual machine, for example. These file types can often be seen as “.iso” images.
Session hijacking
Session hijacking occurs when captured authentication details are used by a malicious actor to assume the identity of, and act on behalf of, one of the parties in that session toward the other party.
Gantt Chart
Type of bar chart that shows interrelationships over time between projects and the schedule. Helps plan, coordinate, and track specific tasks.
What is the most common character used in a SQL injection attack?
The single quote ‘
This is used in normal SQL queries and must be handled carefully on web forms.
SW-CMM
Software Capability Maturity Model:
5 phases
- Initial
- Repeatable
- Defined
- Managed
- Optimizing
Scrum
Methodology for managing software development. Includes daily standup meetings called Scrums. Sprints are short periods of intense activity of 1 to 4 weeks.
Change management Step 1
Request Control
Requests for change are made, managers review, developers prioritize tasks
Change management Step 2
Change Control
Developers re-create the situation encountered by the user to analyze the changes needed to remedy the situation.
Change management Step 3
Release Control
Once changes are finalized, they must be approved for release. Double-checking is done, and any code added as a debugging aid is removed.
Worm vs Virus
Worms self-propagate independently, viruses do not. Viruses require a host action.
Privacy by Design
PbD
Proactive not Reactive; Preventative not Remedial
Privacy as the Default Setting
Privacy Embedded into Design
Full Functionality — Positive-Sum, not Zero-Sum
End-to-End Security — Lifecycle Protection
Visibility and Transparency – Keep it Open
Respect for User Privacy – Keep it User-Centric
What is a Thread
A thread is an individual instruction set that must be worked on by the CPU. Threads can execute in parallel with other threads that are part of the same parent process. This is known as multithreading.
Persistent vs non-persistent XSS
Cross site scripting
If the XSS is injected to a site and now lives there - it’s considered persistent.
Fagan Inspection
Code review process that has 6 steps.
Planning, overview, prep, inspection, rework, and follow-up
Keep it Simple
AKA KISS
The idea that you don’t unnecessarily over-complicate a piece of software or a system.
Define “Class” in Object Oriented Programming
Many objects with similar callable methods are considered to be in the same ‘class.’
Cardinality - in a DB
number of tuples (rows) in a DB table
Degree - in a DB
Degree = number of attributes (columns) in a table