Security+ 1 Flashcards

1
Q

CMMI : Initial, Managed, Defined, Quantitatively Managed, Optimizing. Now used for product development, supply chain management, acquisition and service delivery as well as software development.

IDEAL Model : Initiating, Diagnosing, Establishing, Acting, Learning.

DevOps Goals : build collaborative relationships, embrace automation, facilitate rapid release of code, provide stable operating environment. Works with Agile.

Infrastructure as Code : use scripts to create resources. Increases scalability of environments, reduces user error, facilitates testing of new code.

A

info …

2
Q

Change Management : software code is changed with appropriate testing and approvals. Request Control : manages, evaluates, and prioritizes inbound requests from customers. Change Control : grants permission for developers to make changes to application code. Release Control : moves the code from the development environment to production. Staging Environment : code sent from the testing environment to be readied for production use.

A

Change Management …

3
Q

DevOps Tools : Continuous validation = performs software testing as soon as developers update code. Continuous integration = maintains linkages between different code elements. Continuous delivery = automatically moves code into the proper environments. Continuous deployment = automatically releases code for production use. Continuous monitoring = ensures code is working properly and triggers automatic remediation if issues arise.

A

DevOps Tools …

4
Q

Fagan Process (Code Review) = Planning : includes preparing materials, identifying participants, and scheduling the review. Overview : assigning roles to participants and providing an overview of the software. Preparation : participants independently examine the code for potential defects. Meeting : reviewers discuss and formally identify any code defects. Rework : correct any defects found during the meeting (if too many defects are found, the process returns to the planning stage for another review). Follow-up : the leader verifies that defects were resolved and completes the project documentation.

A

info …

5
Q

Software Model Validation : are we building the right software? / Software Verification : are we building the software correctly?

Stress Testing : uses automated scripts to verify system capacity; may be run internally or through a third party; verifies the system can handle the maximum expected load and determines the maximum capacity of the system.

UAT = users test the software in a test environment before wide-scale public release. Also known as beta testing.

Regression Testing = checks for unexpected side effects.

A

Software etc …

6
Q

Static Code Testing : uses automated techniques to analyze code for errors and security flaws without actually executing the code.

Dynamic Code Testing : executes the code to verify that it functions correctly and does not have security flaws.

Synthetic transactions : supply input to code with known expected outputs.

A

info …

7
Q

Fuzzing : software testing technique that feeds software many different input values in an attempt to cause an unpredictable state or unauthorized access. Input Sources : developer-supplied input / developer-supplied script; generation fuzzing = generates input values randomly or from a specification; mutation fuzzing = analyzes real input and modifies those real values.

Code Repositories : store software source code files in a secure location, coordinate changes among multiple developers, perform version control (rollback etc.), promote code reuse.

A

Fuzzing Etc …

8
Q

Integrity Management = uses hash functions to verify code has not been changed.

Libraries = contain shared software code.

SDKs : provide programming resources, collections of software libraries with documentation, examples and other resources to get developers running in a development environment. They also include special utilities for developers to design and test code.

APIs = allow developers and code to interact with remote services.

A

info …

9
Q

Injection Flaws = attacker inserts unwanted code into a transaction.

Broken Authentication = exploits session management.

XML External Entities : allows remote code execution.

Broken Access Control : allows unauthorized access.

Insecure Deserialization : allows API exploitation.

A

info …

10
Q

Parameterized Query = SQL template is precompiled on the database server. This protects against injection attacks.

Stored Procedure = database input is pre-compiled, so injection is not likely.

Salting (passwords) = adds a random value to passwords prior to hashing to protect against rainbow table attacks.

TLS encrypts web traffic, including passwords.

A

info …
