Domain 8, Understanding, applying, enforcing software security Flashcards

1
Q

XP, Extreme programming

A

XP utilizes a concept known as pair programming, which pairs developers. Uses code refactoring, a way of removing obsolete, redundant, or unneeded code to improve the software’s functionality.

Has five core practices

2
Q

Object

A

black box that combines code and data, sends and receives messages.

3
Q

Object-oriented programming

A

Treats a program as a series of connected objects.

4
Q

Procedural languages

A

use subroutines, procedures, and functions

5
Q

Spiral Model

A

Software dev model designed to control risk. Based on the Waterfall model, with improvements.

6
Q

Systems development life cycle, SDLC

A

A dev model that focuses on security in every phase

7
Q

Waterfall model

A

An application dev model that uses rigid phases; when one ends, the next begins. No going back a step once one ends.

8
Q

SEI Capability maturity model

A

Software maturity model. Goal to develop a methodical framework for creating quality software which allows measurable and repeatable results.

9
Q

Machine code

A

1s and 0s, machine/cpu dependent

10
Q

Source Code

A

Computer programming language which is written in text and must be translated to the machine code

11
Q

Assembler

A

Converts assembly language into machine language

12
Q

Compiler

A

Converts an entire program into machine code. Produces an entire program written in machine code.

13
Q

Interpreters

A

Converts code into machine code line by line. Simply feeds commands line by line from source code to interpreted machine language.

14
Q

First gen language

A

machine code

15
Q

2nd gen language

A

Assembly

16
Q

3rd gen language

A

COBOL, C, Basic

17
Q

Fourth gen language

A

ColdFusion, Progress 4GL, Oracle Reports

18
Q

CASE

A

Computer Aided Software Engineering. Uses computers to assist in the creation and maintenance of other computer programs

19
Q

Computer Aided Software Engineering - Tools

A

Supports only specific tasks in the software production process

20
Q

Workbenches

A

Support one or a few software process activities by integrating several tools in a single application

21
Q

Environments

A

(Integrated Development Environment) Support all or at least part of the software production process with a collection of tools and workbenches

22
Q

free software gratis - AKA Freeware

A

software that is free of charge

23
Q

Free software libre

A

free to alter the program

24
Q

shareware

A

free for X amount of days

25
Q

crippleware

A

pay to enable locked features

27
Q

Prototyping

A

Iterative approach to

29
Q

NIST SP 800-14

A

NIST process for systems development life cycle

  1. operation and maintenance
  2. secure disposal/decommissioning
31
Q

Code repository Security Controls

A

Largely falls under the other corporate security controls discussed previously. Defense in depth, secure authentication, firewalls, version control, etc.

32
Q

Software Change MGMT

A

Broader than Software Config Mgmt. Tracks changes across an entire software dev program as it is developed, maintained, and eventually retired

33
Q

Software Config management

A

Narrower than Software Change Mgmt.

Tracks changes to specific software

34
Q

NIST 80-128

A

Guide for security focused config mgmt.

36
Q

Config control board, CCB

A

Group of qualified people responsible for controlling and approving changes

37
Q

Config item identification

A

methodology for selecting and naming config items that need to be placed under CM.

38
Q

Config change control

A

Process for managing updates to the baseline config.

39
Q

Config monitoring

A

process for assessing or testing the level of compliance.

40
Q

DevOps

A

Traditionally there was separation of duties between devs, QA teams, and production teams.

DevOps flips this around, having operations and development engineers work together across the entire service lifecycle.

41
Q

Object oriented Design

A

treats projects as a series of connected objects that communicate to each other.

42
Q

Cornerstone OOP Concept - Inheritance

A

way to reuse code of existing projects, establish a subtype from an existing project.

43
Q

Cornerstone OOP Concept - Delegation

A

one object relying on another to provide a set of functionalities

44
Q

Cornerstone OOP Concept - Polymorphism

A

ability to create a variable/function/object that has more than one form

45
Q

Cornerstone OOP Concept - Polyinstantiation

A

Two instances with the same name that contain different data.

i.e. two different accounts may each have a variable named “account number”, but the values would be different.

46
Q

Coupling and Cohesion

A

Highly coupled object - requires other objects to do anything.

Highly cohesive object - can run independently.

47
Q

object request broker

A

Used to locate objects; act as search engines.

COM, DCOM, and CORBA

48
Q

CORBA

A

common object request broker architecture.

49
Q

OOA and OOD

A

Object oriented analysis and design. Very high level conceptual visualization of how a project or program should work.

50
Q

Software Vulnerabilities: Hard Coded Creds

A

backdoor user/pass leftover from production. AKA Maintenance hook.

51
Q

SQL injection

A

manipulation of back end server via front end web server

52
Q

Software Vulnerability: Directory Path Traversal

A

escaping from the root of a web server by referencing other directories.

53
Q

Full disclosure

A

If you find a vulnerability, you need to disclose. Full disclosure goes public.

54
Q

Responsible disclosure

A

privately share with vendor.

55
Q

Relational Database model

A

Two-dimensional; a table is called a relation.

Tables have rows and columns. Row = tuple, column = attribute, cell = value

56
Q

Primary Key

A

relational DB value that represents each tuple.

58
Q

Foreign key

A

Relational DB. Key in a related DB that matches the primary key in a parent DB.

59
Q

Referential integrity

A

every foreign key in secondary tables matches a primary key.

60
Q

Semantic Integrity

A

Each attribute (column) value is consistent with the attribute’s data type.

i.e. you wouldn’t put someone’s name as a value in the attribute for social security number.

61
Q

Entity Integrity

A

each tuple has a unique primary key that is not null.

62
Q

DB Normalization

A

Seeks to make data in a DB logically concise, organized, and consistent. Removes redundant data.

63
Q

DB Normalization rules

A

  1. first normal form, divide data into tables
  2. second normal form, move data that is partially dependent on the primary key to another table.
  3. third normal form, remove data that is not dependent on the primary key.

64
Q

Database Views

A

Tables may be queried. Results are called a DB view. Can be used to provide a constrained user interface.

65
Q

Data Dictionary

A

contains description of DB tables. Called metadata.

66
Q

DB Query languages

A

Most popular is SQL. MySQL, PostgreSQL, PL/SQL, etc.

67
Q

DB Language commands

A

DDL, data definition language.

DML, data manipulation language.

68
Q

Hierarchical DB

A

DNS is a good example

69
Q

Object Oriented Database

A

object oriented DB. Combines data with function/code. Used to manipulate the objects and their data.

70
Q

Assembly Language

A

Low-level computer language. Instructions are short mnemonics, like ADD, SUB, and JMP. These directly match to machine code instructions.

71
Q

Closed-source software

A

Released only in executable form, source code is kept confidential.

72
Q

Open Source software

A

Publishes source code openly. i.e. Linux, Apache web server.

73
Q

Agile Software Development

A

Much more flexible way of software dev. Has 4 values and 12 principles. The four values:

  • Individuals and interactions over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

74
Q

Scrum

A

Type of Agile development that takes a ‘holistic’ approach. A team tries to go the distance as a unit, rather than handing the project off in stages.

Contains a Scrum Team, and a Scrum Master, and a Product owner on the business side.

75
Q

Test-Driven Development

A

Type of Agile development. TDD, as the name implies, is driven by the use of test cases: first a test is written, then it is run. If it fails, code is written or refactored as needed to make the test succeed.

76
Q

Key Scrum

A

Type of Agile Development

77
Q

Integrated Product Team (IPT)

A

An integrated product team (IPT) is a multitalented group of people from different disciplines responsible for delivering a product. IPTs are formed to plan, execute, and implement life cycle decisions for the system being acquired.

78
Q

Software Escrow

A

Third party stores an archive of the software. Usually negotiated as part of a contract with a proprietary software vendor.

Vendor wants it kept secret, but client may be afraid vendor goes out of business and may need access to source code.

79
Q

API Security

A

Application programming interface:

Authentication
Access Control
Input Validation
Output encoding/escaping
Cryptography
Error Handling and logging
Comms Security
HTTP Security
Security Configuration

80
Q

RAD - Rapid Application Development

A

Quickly develops software via use of prototypes/dummies. Goal is to quickly meet a business need of the system, while technical concerns are secondary.

81
Q

SDLC - Systems development life cycle

A

System development model. Used across the IT industry, but focuses on security.

82
Q

OWASP API Controls

A

Authentication
Access Control
Input Validation
Output Encoding
Cryptography
Error Handling/logging
Communication security
HTTP Security
Security Configuration

83
Q

Database administrator

A

manages database

84
Q

DBMS

A

Database Management System

85
Q

Relational Database

A

most common type of database.

Has Rows and Columns

Row is called a Tuple
Column is called an Attribute

86
Q

Primary Key

A

Each tuple has a primary key that is unique to that row.

87
Q

Candidate Key

A

Any attribute within a row (tuple) that is unique.

88
Q

Foreign Key

A

key in a related DB table that matches a primary key in a parent DB table.

This key is referred to as ‘foreign’ from the parent DB’s point of view, but still called ‘primary key’ from the child DB’s point of view.

89
Q

Database Journal

A

log of all DB transactions. If a DB becomes corrupted, the journal can be used to revert to the most recent working version of the database.

90
Q

Database Shadowing

A

One-way mirror. Clients cannot access the shadow DB.

91
Q

Database Replication

A

mirrors a live DB, allowing simultaneous reads and writes to multiple replicated DBs. A Two-phase commit can be used to ensure integrity.

92
Q

Data Warehousing

A

large scale storage of data.

93
Q

Data mining

A

way to automate/program analysis of large quantities of data, which no human could hope to analyze on their own.

94
Q

Object Request Broker

A

Used to locate objects. Essentially a search engine.

This is a type of middleware, which connects programs to other programs.

95
Q

Examples of ORBs (Object Request Brokers)

A

CORBA (Common ORB Architecture)
DCOM (Distributed Component Object Model)
COM (Component Object Model)

96
Q

Software Vulnerabilities: Buffer Overflow

A

Occurs when a programmer does not perform variable bounds checking. Can be used to insert and run shell code.

97
Q

Software Vulnerabilities: SQL Injection

A

Manipulation of a back-end SQL server via a front-end web server.

98
Q

Software Vulnerability: PHP Remote File Inclusion

A

Altering a URL to include a malicious remote file/URL for execution.

99
Q

Software Vulnerabilities: TOC/TOU race condition

A

Time of check/time of use attack. AKA Race condition. An attacker attempts to alter a condition after it’s already been checked by the OS, but before it’s used. Type of State Attack.

100
Q

Software Vulnerabilities: Cross-site Scripting XSS

A

Third-party execution of web scripting languages, within the context of a trusted site.

Exploits trust the website may have with third-party code.

Can be prevented with proper input validation.

101
Q

Software Vulnerabilities: Cross-site request Forgery XSRF/CSRF

A

Exploits the trust a user has in a website to execute code on that user’s computer, or to redirect them to another site.

Within the context of a trusted site, exploits trust a user has with that site.

102
Q

Software Vulnerabilities: Privilege Escalation

A

Allows an attacker with typically limited access to gain access to additional resources.

103
Q

Software Vulnerabilities: Backdoor

A

Undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions.

104
Q

Software Vulnerabilities: Rootkits

A

Exploit known vulnerabilities in OSs. A rootkit is used to expand access to the compromised system.

105
Q

Software Capability Maturity Model (CMM)

A

Created by the Carnegie Mellon Software Engineering Institute.

A methodical framework for creating quality software that allows measurable and repeatable results.

Has 5 levels. Now superseded by SAMM (Software Assurance Maturity Model).

106
Q

SAMM Software Assurance Maturity Model

A

Maintained by OWASP.

Provides a framework for integrating security activities into a software development and maintenance process.

Has 5 business functions.

107
Q

OWASP

A

Open Web Application Security Project

108
Q

Acceptance Testing

A

Users verify that the code meets their requirements and formally accept it as ready to move into production use.

109
Q

security kernel

A

A small, separate subsystem containing the security-critical components.

It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof.

It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way.

It must be small enough to be able to be tested and verified in a complete and comprehensive manner.

110
Q

Input validation: Range Check

A

Verify input data against predetermined upper and lower limits.

111
Q

Input validation: Relationship check

A

Checks that compare input data to data on a master record file.

112
Q

Input validation: Reasonableness check

A

Checks that compare input data to an expected standard.

113
Q

Input validation: Transaction limits check

A

Checks input data against administratively set ceilings on specified transactions.

114
Q

ACID (relational Databases transactions)

A

Atomicity
Consistency
Isolation
Durability.

115
Q

Atomicity (Database)

A

Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

116
Q

Consistency (Database)

A

Ensures that any transaction will bring the database from one valid state to another.

117
Q

Isolation (Database)

A

The isolation principle requires that transactions operate separately from each other

118
Q

Durability (Database)

A

The isolation principle requires that transactions operate separately from each other

119
Q

Salami Attack

A

Systematic whittling away at assets in accounts or other records with financial value, where very small amounts are deducted from balances regularly and routinely.