Software Dev Sec Flashcards

1
Q

ORB

A

Object request broker: used to locate objects; object search engines; middleware; includes COM, DCOM, CORBA

1
Q

Defined

A

s/w process for both mgt and engineering activities is documented, standardized and integrated into a standard s/w process for the org

1
Q

genetic programming

A

seeks to replicate nature’s evolution; creates random programs and assigns them a task of solving a problem

2
Q

4 s/w freedoms

A

freedom to 1. use the s/w for any purpose 2. change the s/w to suit your needs 3. share the s/w w/ friends and neighbors 4. share the changes you make

3
Q

compilers

A

take source code, such as C or BASIC, and compile it into machine code

3
Q

PHP RFI

A

PHP Remote file inclusion: altering normal PHP URLs and variables to include and execute remote content

3
Q

optimized

A

continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies

4
Q

repeatable

A

basic proj mgt processes are established to track cost, schedule, and functionality; necessary process discipline is in place to repeat earlier successes on similar projects

4
Q

ANN

A

artificial neural networks: expert system that simulates neural networks found in humans and animals; seek to duplicate biological neural networks; learns by example via training

5
Q

types of CASE software

A
1. tools: support only specific tasks in the s/w production process 2. workbenches: support 1 or a few s/w process activities by integrating several tools in a single application 3. environments: support all or at least part of the s/w production process w/ a collection of tools and workbenches

5
Q

bayesian filtering

A

commonly used to ID spam

6
Q

Agile Manifesto values

A
1. individuals and interactions over process and tools 2. working s/w over comprehensive doc 3. customer collaboration over contract negotiation 4. responding to change over following a plan

6
Q

scrum

A

named for the way rugby is played: not a baton race as in track; instead the whole team works to move the project by passing the ball back and forth as needed

7
Q

datawarehouse

A

large collection of data

8
Q

COM

A

component object model: ORB that locates objects on a local system

8
Q

SQL injection

A

manipulation of a back-end SQL server via a front-end web server

8
Q

s/w testing levels

A

unit, installation, integration, regression, acceptance

9
Q

white box s/w testing

A

gives the tester access to program source code, data structures, variables, etc

10
Q

XSS

A

cross site scripting: leverages third-party execution of web scripting languages such as JavaScript within the security context of a trusted site

12
Q

source code

A

computer programming language instructions that are written in text that must be translated into machine code before execution by the CPU

13
Q

open source

A

software whose source code is published publicly

13
Q

expert systems

A
1. knowledge base of if/then statements 2. inference engine that follows the tree formed by the knowledge base and fires a rule when there is a match

14
Q

traceability matrix

A

used to map customer’s req’ts to s/w testing plan

15
Q

primary key

A

unique value in each tuple in a table

16
Q

black box testing

A

gives the tester no internal details

17
Q

dynamic testing

A

tests the code while executing it

17
Q

installation testing

A

testing s/w as it is installed and first operated

19
Q

4GL

A

fourth generation language: computer languages designed to increase programmer’s efficiency by automating creation of computer code; GUI focused; focus on creation of databases, reports, websites

20
Q

closed source

A

software is typically released in executable form

22
Q

average # mistakes in computer code

A

10-50 mistakes per 1000 lines of code

23
Q

database replication

A

mirrors a live database, allowing simultaneous reads and writes to multiple replicated databases by clients

24
Q

relational database

A

contains 2-dimensional tables of related data

25
Q

privilege escalation

A

allows an attacker with (typically limited) access to access additional resources

26
Q

shareware

A

fully functional proprietary s/w that may be initially used free, but requires you to pay if you continue to use it

26
Q

normalization

A

seeks to make the data in a database table logically concise, organized, and consistent.

28
Q

interpreted languages

A

compiled on the fly each time the program is run

29
Q

integration testing

A

testing multiple s/w components as they are combined into a working system; subsets may be tested, or big bang integration testing tests all integrated s/w components

30
Q

entity integrity

A

each tuple has a unique primary key that is not null

32
Q

crippleware

A

partially functioning proprietary s/w, often with key features disabled; must pay to get the full bologna

33
Q

assembly language

A

low-level computer programming language; uses short mnemonics that match to machine language instructions

33
Q

referential integrity

A

every foreign key in a secondary table matches a primary key in the parent table

34
Q

RAD

A

rapid application development: develops s/w via use of prototypes, dummy GUIs, back-end databases; goal is quickly meeting business needs of the system, technical concerns are secondary

35
Q

Object

A

a “black box” that combines code and data and sends and receives messages

36
Q

genetic algorithms

A

refer to creating shorter pieces of code called chromosomes

37
Q

foreign key

A

key in a related database table that matches a primary key in a parent database; foreign key is the local table’s primary key

37
Q

database view

A

results of a database query

39
Q

DCOM

A

distributed common object model: ORB that locates objects over a network

40
Q

CASE

A

computer aided software engineering: uses programs to assist in the creation and mx of other computer programs

41
Q

TD

A

top down programming: starts with the broadest and highest level requirements and works down toward the low-level technical implementation details

42
Q

responsible disclosure

A

practice of privately sharing vulnerability info with a vendor and w/holding public release until a patch is available

43
Q

combinatorial s/w testing

A

black-box testing method that seeks to ID and test all unique combinations of s/w inputs

44
Q

managed

A

detailed measures of the s/w process and product quality are collected, analyzed, and used to control the process; s/w process and products are quantitatively understood and controlled

45
Q

machine code

A

software that is executed directly by the CPU; series of 1’s and 0’s that translate to instructions understood by CPU

46
Q

data integrity

A

databases must ensure the integrity of the data in the tables

47
Q

data dictionary

A

description of the database tables; aka metadata

48
Q

database schema

A

describes the attributes and values of the database tables

49
Q

backdoors

A

shortcuts in a system that allow a user to bypass security checks

50
Q

DML

A

data manipulation language: used to query and update data stored in the tables

52
Q

coupling

A

highly coupled object requires lots of other objects to perform basic jobs, like math; inversely related to cohesion

53
Q

waterfall model

A

an application development model that uses rigid phases; when one phase ends, the next begins; cannot go back to previous steps

54
Q

steps of SDLC

A

prepare security plan, initiation, development/acq, implementation, ops/mx, disposal

56
Q

spiral model

A

software development model designed to control risk

57
Q

sashimi model

A

highly overlapping steps; real-world successor to the waterfall model; named for the overlapping fish dish called sashimi

58
Q

shadow database

A

like a replicated database except shadows mirror all changes to primary database, clients can’t access the shadow

60
Q

static testing

A

tests code passively; code isn’t running; includes walkthroughs, syntax checking, code reviews

61
Q

XP core practices

A

1. planning: specifies desired features (user story) 2. paired programming: programmers work in teams 3. 40-hr week: accurate forecast of work 4. total customer involvement: customer always available and monitors proj 5. detailed test procedures aka unit tests

61
Q

CORBA

A

common object request broker architecture: ORB; open vendor-neutral networked object broker framework; enforces fundamental OO design as low-level details are encapsulated from the client

62
Q

regression testing

A

testing s/w after updates, modifications, or patches

63
Q

BU

A

bottom up programming: starts w/ low-level technical implementation details and works up to the concept of the complete program

64
Q

SDLC

A

system or software development lifecycle model: development model that focuses on security in every phase

65
Q

programming language generations

A

1st: machine code 2nd: Assembly 3rd: COBOL, C, BASIC 4th: ColdFusion, Progress 4GL, Oracle Reports

66
Q

agile software development

A

evolved as reaction to rigid s/w dev models such as waterfall model; includes Scrum and XP

67
Q

DDL

A

data defined language: used to create, modify, and delete tables

68
Q

fuzzing

A

type of black box testing that enters random, malformed data as inputs into software programs to determine if they will crash

69
Q

CMM

A

software capability maturity model: 5 levels: initial, repeatable, defined, managed, optimizing

70
Q

XP improvements

A
1. communication 2. simplicity 3. feedback 4. respect 5. courage

71
Q

unit testing

A

low-level tests of s/w components, such as functions, procedures, or objects

72
Q

prototyping

A

iterative approach that breaks projects into smaller tasks, creating multiple mockups of system design features

74
Q

procedural languages

A

programming languages that use subroutines, procedures, and functions

76
Q

database

A

structured collection of related data

77
Q

tuple

A

a row in a relational database

79
Q

cohesion

A

very independent object; inversely related to coupling

80
Q

buffer overflow

A

occurs when a programmer does not perform variable bounds checking

81
Q

OOP

A

Object Oriented Programming: changes the older procedural programming methodology and treats programs as a series of connected objects that comm via messages; uses encapsulation

83
Q

XP

A

Extreme Programming: an agile development method that uses pairs of programmers who work off a detailed specification

84
Q

initial

A

characterized as ad hoc and occasionally even chaotic; few processes are defined and success depends on individual effort

85
Q

full disclosure

A

controversial practice of releasing vulnerability details publicly

86
Q

data mining

A

search for patterns in data

88
Q

acceptance testing

A

testing to ensure s/w meets the customer’s operational req’ts; when done by the customer it is called user acceptance testing

89
Q

freeware

A

aka “gratis” software; free as in beer; free of charge to use

90
Q

directory path traversal

A

escaping from the root of a web server into the regular file system by referencing directories

91
Q

polyinstantiation

A

two instances with the same name can contain different data; useful in multilevel security environments

92
Q

hard-coded credentials

A

backdoor username/passwords left by programmers in production code

94
Q

waterfall steps (general)

A

req’ts, analysis, design, code, test, ops, and then destruction which he left off

95
Q

semantic integrity

A

each attribute value is consistent with the attribute data type

96
Q

attribute

A

a column in a relational database

97
Q

hierarchical databases

A

form a tree

98
Q

spiral model

A

designed to control risk; repeats the steps of a project in ever-wider spirals called rounds