Domain 8. Software Development security Flashcards
Aggregation
When a user does not have the clearance or permission to access specific information, but she does have the permission to access components of this information. She can then figure out the rest and obtain restricted information.
Inference
Ability to derive information that is not explicitly available
Polyinstatiation
Multiple instances of information depending of the clearence
Primary key
Unique identifier for each record
Normalization
Process of removing duplicates and ensuring that each attribute only describes the primary key
Entity integrity
PK field cant be null
Cardinality
Number of rows in the relations
Degree
Number of columns in the relations
Attribute
column
Tuple
Collection of attributes (raw)
ACID
Atomicity
Consistency
Isolation
Durability
DB Checkpoint
Known good point from which the DB can recover
DB Savepoint
Temporary backup that can be configured based on variables (time interval, number of transactions, etc)
DB Cell suppression
Technique used to hide specific cells
DB view
used to permit, allow or restrict users from viewing specific fields or records
External consistency
External consistency ensures that the data stored in the database is consistent with the real world.
Decision Support System (DSS)
The Decision Support System (DSS) is what some of the books are referring to as the Delphi Method or Delphi Technique
Acceptance
confirms that users’ needs have been met by the supplied solution
Accreditation
is the formal acceptance of security, adequacy, authorization for operation and acceptance of existing risk. Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode using a prescribed set of safeguards to an acceptable level of risk.
Certification
is the formal testing of security safeguards and assurance is the degree of confidence that the implemented security measures work as intended. The certification is a Comprehensive evaluation of the technical and nontechnical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.
Assurance
Assurance is the descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the Security Targets (ST) and Protection Profiles (PP), respectively.
Stealth viruses
accept incoming scan attempts by the antivirus engine and forwards them to the original file which of course, is normal and uninfected. (And therefore not a threat.)
Shell Virus
Shell viruses create a “shell” around the compromised file and intercept calls to that program. It may pass the commands along to the compromised program and let the output from that program proceed but it can overwrite or alter the output.
Unit Testing
Unit testing is the testing of an individual program or module. Unit testing uses set of test cases that focus on control structure of procedural design. These tests ensures internal operation of the programs according to the specification.
Bind Value
A bind value is a value that can be bound to a placeholder declared within an SQL statement. Usage of Bind Values or Variable can improve the security within your database
ISC2 SDLC
Project Initiation and Planning
Functional Requirements Definition
System Design Specification
Development and Implementation
Documentations and Common Program Controls
Testing and Evaluation Control, certification and accreditation (C&A)
Transition to production (Implementation)
And there are two phases that will extend beyond the SDLC, they are:
Operation and Maintenance Support (O&M)
Revisions and System Replacement (Disposal)
Atomicity
Atomicity - Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible (“atomic”), and an aborted transaction does not happen
Consistency
Consistency - The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.
Isolation
Isolation - The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of concurrency control. Depending on concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction.[citation needed]
Durability
- Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements execute, the results need to be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile memory.
