Security+ 1 Flashcards
CMMI : Initial, Managed, Defined, Quantitatively Managed, Optimizing. Now used for product development, supply chain management, acquisition and service delivery as well as software development.
IDEAL Model : Initiating, Diagnosing, Establishing, Acting, Learning.
DevOps Goals : build collaborative relationships, embrace automation, facilitate rapid release of code, provide stable operating environment. Works with Agile.
Infrastructure as Code : use scripts to create resources. Increases scalability of environments, reduces user error, facilitates testing of new code.
Change Management : code for software is changed w/appropriate testing and approvals. Request control : manages, evaluates, and prioritizes inbound requests from customers. Change Control : grants permission for developers to make changes to application code. Release Control : moves the code from development environment to production. Staging environment : code sent from testing environment to be ready for production use.
DevOps Tools : Continuous validation = performs software testing as soon as developers update code. Continuous integration = maintains linkages between different code elements. Continuous delivery = automatically moves code into the proper environments. Continuous deployment = automatically releases code for production use. Continuous monitoring = ensures code is working properly and triggers automatic remediation if issues arise.
Fagan Process (Code Review) = Planning : includes preparing materials, identifying participants, and scheduling the review. Overview : assigning roles to participants and providing an overview of the software. Preparation : participants independently examine the code for potential defects. Meeting : reviewers discuss and formally identify any code defects. Rework : correct any defects found during the meeting (if too many defects are found, the code goes back to the planning stage for another review). Follow-up : the leader verifies that defects were resolved and completes the project documentation.
Software Model Validation : are we building the right software? / Software verification : are we building the software correctly?
Stress Testing : use automated scripts to verify system capacity, may be run internally or through 3rd party, verifies system can handle max expected load, determines max capacity of system.
UAT = users test software in a test environment before wide-scale public release. Also known as beta testing.
Regression Testing = checks for unexpected side effects.
Static Code Testing : use automated techniques to analyze code for errors and security flaws w/o actually executing the code.
Dynamic Code Testing : executes code to verify it functions correctly and doesn't have security flaws.
Synthetic transactions : supply input to code with known expected outputs.
Fuzzing : software testing technique that feeds software many different input values in an attempt to cause an unpredictable state or unauthorized access. Input Sources : developer-supplied input/developer-supplied script; generation fuzzing = generates input values randomly or from a specification; mutation fuzzing = analyzes real input and modifies those real values.
Code Repositories : store software source code files in secure location, coordinate changes among multiple developers, perform version control (rollback etc), promote code reuse.
Integrity Management = uses hash functions to verify code has not been changed.
Libraries = contain shared software code.
SDKs : provide programming resources, collections of software libraries with documentation, examples and other resources to get developers running in a development environment. Also include special utilities for developers to design and test code.
APIs = allow interaction with remote services for developers and code.
Injection Flaws = insert unwanted transaction code.
Broken Authentication = exploits session management.
XML External Entities : allows remote code execution.
Broken Access Control : allow unauthorized access.
Insecure Deserialization : allows API exploitation.
Parameterized query = SQL template is precompiled on the database server. This protects against injection attacks. Stored Procedure = database input is pre-compiled, so injection is not likely.
Salting (passwords) = adds random value to passwords prior to hashing to protect against rainbow table attacks.
TLS encrypts web traffic including passwords.