Software Development Security Flashcards
What is a virus?
Piece of code that attaches itself to another piece of code.
What are the majority of today's viruses doing?
Building/ running botnets.
What is a Logic Bomb?
Like a Zero Day. Code that lies dormant until a defined activation event.
What is an agent?
Human-run piece of autonomous/ distributed code.
What is an Applet?
Code sent from a server to run on a client.
What technologies can create ActiveX controls?
Java, C++, VB, C
What is a key security difference between Java and ActiveX?
Java has a Sandbox function to limit memory access and ActiveX does not.
What is Cardinality in a relational database?
Number of rows in a table.
What is the Degree in a relational database?
Number of columns in a table.
What is the “domain” in a relational database table?
The allowable values of a database field.
What is a candidate key?
Fields/ attributes that can uniquely identify a record in a database.
What is a primary key?
Key identity fields for a database table.
What is a foreign key?
Enforces the relationships between two or more tables.
What is the ACID model for database transactions?
A - Atomic transactions (all or nothing)
C - Consistency of transactions
I - Isolation (one transaction at a time)
D - Durability (Once done they stay done)
What is concurrency control?
Use of things like record locks to ensure data is not overwritten.
What is cell suppression?
Encryption of a specific field to impose security.
What is polyinstantiation?
Two or more identical rows in a database designed for different classification levels.
What is noise or perturbation?
Insertion of false or misleading data into a database to thwart a confidentiality attack.
What is ODBC?
Database access layer to ease database interaction.
Name some example aggregation methods in SQL?
avg(), min(), max(), count(), sum()
What is an inference attack?
The combination of non-sensitive data to derive sensitive information.
What is metadata?
Data about data. More powerful than the actual data itself.
What is primary memory?
RAM
What is secondary storage?
HDD, CD, tape, etc.
What is an example of virtual storage?
RAM disk
What is a covert channel attack?
Reading system memory or disks to gather information.
What is an expert system?
The accumulation of knowledge from experts on a particular subject to apply consistent decision making.
What is a knowledge base?
Series of rules in the form of if/ then statements.
What is an inference engine?
Use of logical reasoning and/ or fuzzy logic to draw conclusions.
What is a decision support system?
A knowledge-based system that analyzes business data in such a way as to ease decision making.
What is a neural network?
System with “chain” of computational units to mimic the human brain.
What is an assurance process?
Method to assure trust in a new system.
What is a limit check?
Method to ensure entered data does not fall outside of its expected range.
What is fail secure?
When a system crashes, fail secure ensures the system is not left in an insecure state.
What is fail open?
System fails into an open or insecure state.
Name the different levels of programming languages and provide examples of each.
1GL - Machine
2GL - Assembler
3GL - C, C++
4GL - SQL
5GL - VB
Name the processes in the Software Development Lifecycle.
Conceptual definition
Functional requirements
Controls definition
Design review
Code review
System test review
Maintenance/ change management
Waterfall Methodology
Sequential, step-wise.
Spiral Methodology
Higher repetition than waterfall.
Agile Methodology
…
Name the stages of Software Maturity
1 - Initial... nothing defined
2 - Repeatable... basic processes
3 - Defined... defined processes
4 - Managed... quantitative methods used
5 - Optimizing... anomalies removed
What is the IDEAL model?
Initiating - Outline needs
Diagnosing - Analyze current state
Establishing - Develop plans from the diagnosing phase
Acting - "Do" phase
Learning - QA process
What happens during Request Control?
Users request, developers prioritize, and managers do cost/ benefit.
What is change control?
Organized framework that allows multiple developers to work effectively together.
What is release control?
Orderly process to roll code forward.
What happens during configuration management?
Configuration identification
Configuration control
Configuration status accounting
Configuration Audit
What is white-box testing?
Code walk
What is black-box testing?
End user perspective review
What is grey-box testing?
Combination of white and black box testing
What is static code testing?
Use of automation to find flaws.
What is dynamic code testing?
Test of the runtime environment; used when source code is not available.
Name the layers in a protection ring.
Layer 0 - OS resides here. Protected.
Layer 1 & 2 - Device drivers & other OS
Layer 3 - Application space (user mode, protected mode)
What is encapsulation?
Development of increasingly complicated objects that draw from lower level objects.
What is compartmented security mode?
System that can process two or more types of data.
What is dedicated security mode?
Can process only specific classifications at a time.
What is multi-level security mode?
Allowed to process more than one type of information.
What is system high security mode?
Allowed to process only information that all users are cleared for.