Domain 8, Understanding, applying, enforcing software security Flashcards
XP, Extreme programming
XP utilizes a concept known as pair programming, which pairs developers. Uses refactoring code - a way of removing obsolete, redundant, or unneeded code to improve software’s functionality
Has five core practices
Object
black box that combines code and data, sends and receives messages.
Object-oriented protramming
Treats a program as a series of connected objects.
Procedural languages
use subroutines, procedures, and functions
Spiral Model
Software dev model designed to control risk. Based off of the Waterfall model, with improvements.
Systems development life cycle, SDLC
A dev model that focuses on security in every phase
Waterfall model
An application dev model that uses rigid phases, when one ends, the next begins. No going back a step once one ends.
M
SEI Capability maturity model
Software maturity model. Goal to develop a methodical framework for creating quality software which allows measurable and repeatable results.
Machine code
1s and 0s, machine/cpu dependent
Source Code
Computer programming language which is written in text and must be translated to the machine code
Assembler
Converts assembly language into machine language
Complier
Converts an entire program into machine code. Produces an entire program written in machine code.
Interpreters
Converts code into machine code line by line. Simply feeds commands line by line from source code to interpreted machine language.
First gen language
machine code
2nd gen language
Assembly
3rd gen language
COBOL, C, Basic
Fourth gen language
ColdFusion, Progress 4GL, Oracle Reports
CASE
Computer Aided Software Engineering. Uses computers to assist in the creation and maintenance of other computer programs
Computer Aided Software Engineering - Tools
Supports only specific tasks in the software production process
Workbenches
Support one or a few software process activities by integrating several tools in a single application
Environments
(Integrated Development Environment) Support all or at least part of the software production process with a collection of tools and workbenches
free software gratis - AKA Freeware
software that is free of charge
Free software libre
free to alter the program
shareware
free for X amount of days
crippleware
pay to enable locked features
crippleware
pay to enable locked features
Prototyping
Iteerative aproach to
Prototyping
Iteerative aproach to
NIST SP 800-14
NIST process for systems development life cycle
- operation and maintenance
- secure disposal/decomissioning
NIST SP 800-14
NIST process for systems development life cycle
- operation and maintenance
- secure disposal/decomissioning
Code repository Security Controls
Largely falls under the other corporate security controls discussed previously. Defense in depth, secure authentication, firewalls, version control, etc.
Software Change MGMT
Broader than Software Config Mgmt. Tracks changes across an entire software dev program as it is developed, maintained, and eventually retired
Software Config managment
Narrower than Software Change Mgmt.
Tracks changes to specific software
NIST 80-128
Guide for security focused config mgmt.
NIST 80-128
Guide for security focused config mgmt.
Config congrol board, CCB
Group of qualified people responsible for controlling and approving changes
Config item identification
methodology for selecting and naming config items that need to be placed under CM.
Config change control
PRocess fo rmanging updates to the baseline config
Config monitoring
process for assessing or testing the level of compliance.
DevOps
Traditionally there was separation of duties between devs, QA teams, and production teams.
DevOps flips this around, having Operations and development engineers work together in entire service lifecycle.
Object oriented Design
treats projects as a series of connected objects that communicate to each other.
Cornerstone OOP Concept - Inheritance
way to reuse code of existing projects, establish a subtype from an existing project.
Cornerstone OOP Concept - Delegation
one object relying on another to provide a set of functionalities
Cornerstone OOP Concept - Polymorphism
ability to create a variable/function/object that has more than one form
Cornerstone OOP Concept - Polyinstantiation
Two instances with the same name that contains different data.
i.e. two different accounts may have a variable of the name, “account number” but the values would be different.
Coupling and Cohesion
highly coupled object- requires other objects to do anything.
Highly coherent object - can run independently
object request broker
used to locate objects. Act as search engines.
COM, DCOM, and CORBA