Software Development Security

Question 1

What is a virus?

Answer 1

Piece of code that attaches itself to another piece of code.

Question 2

What are the majority of todays viruses doing?

Answer 2

Building/ running botnets.

Question 3

What is a Logic Bomb?

Answer 3

Like a Zero Day. Code that lies dormant until defined activation event.

Question 4

What is an agent?

Answer 4

Human run piece of autonomous/ distributed code.

Question 5

What is an Applet?

Answer 5

Code sent from a server to run on a client.

Question 6

What technology can create Active X controls?

Answer 6

Java, C++, VB, C

Question 7

What is a key security difference between Java and Active X?

Answer 7

Java has a Sandbox function to limit memory access and ActiveX does not.

Question 8

What is Cardinality in a relational database?

Answer 8

Number of rows in a table.

Question 9

What is the Degree in a relational database?

Answer 9

Number of columns in a table.

Question 10

What is the “domain” in a relational database table?

Answer 10

The allowable values of a database field.

Question 11

What is a candidate key?

Answer 11

Fields/ attributes that can uniquely identify a record in a database.

Question 12

What is a primary key?

Answer 12

Key identity fields for a database table.

Question 13

What is a foreign key?

Answer 13

Enforces the relationships between two or more tables.

Question 14

What is the ACID model for database transactions?

Answer 14

A - Atomic transactions (all or nothing)
C - Consistency of transactions
I - Isolation (one transaction at a time)
D - Durability (Once done they stay done)

Question 15

What is concurrency control?

Answer 15

Use of things like record locks to ensure data is not overwritten.

Question 16

What is cell suppression?

Answer 16

Encryption of a specific field to impose security.

Question 17

What is polyinstantiation?

Answer 17

Two or more identical rows in a database designed for different classification levels.

Question 18

What is noise or perturbation?

Answer 18

Insertion of false or misleading data into a database to thwart a confidentiality attack.

Question 19

What is ODBC

Answer 19

database access layer to ease database interaction.

Question 20

Name some example aggregation methods in SQL?

Answer 20

avg(), min(), max(), count(), sum()

Question 21

What is an inference attack?

Answer 21

The combination of non-sensitive data to derive sensitive information.

Question 22

What is metadata?

Answer 22

Data about data. More powerful than the actual data itself.

Question 23

What is Primary Memory

Answer 23

RAM

Question 24

What is secondary storage?

Answer 24

HDD, CD, tape, etc

Question 25

What is an example of virtual storage?

Answer 25

RAM disk

Question 26

What is a covert channel attack?

Answer 26

reading system memory or disks to gather information.

Question 27

What is an expert system?

Answer 27

The accumulation of knowledge from experts on a particular subject to apply consistent decision making.

Question 28

What is a knowledge base?

Answer 28

Series of rules in the form of if/ then statements.

Question 29

What is an inference engine?

Answer 29

Use of logical reasoning and/ or fuzzy logic to draw conclusions.

Question 30

What is a decision support system?

Answer 30

a knowledge based system that analyzes business data in such a way to ease decision making.

Question 31

What is a neural network?

Answer 31

System with “chain” of computational units to mimic the human brain.

Question 32

What is an assurance process?

Answer 32

Method to assure trust in a new system.

Question 33

What is a limit check?

Answer 33

Method to ensure entered data does not fall outside of its expected range.

Question 34

What is fail secure?

Answer 34

When a system crashes a fail secure ensures the system is not left in an insecure state.

Question 35

What is fail open?

Answer 35

System fails into an open or insecure state.

Question 36

Name the different levels of programming languages and provide examples of each.

Answer 36

1GL - Machine
2GL - Assembler
3GL - C, C++
4GL - SQL
5GL - VB

Question 37

Name the processes in the Software Development Lifecycle.

Answer 37

Conceptual Definition
Functional Requirements
Controls definition.
Design review
Code review
System test review
Maintenance/ change management

Question 38

Waterfall Methodology

Answer 38

Sequential step-wise

Question 39

Spiral Methodology

Answer 39

Higher repetition than waterfall.

Question 40

Agile Methodology

Answer 40

…

Question 41

Name the stages of Software Maturity

Answer 41

1 - Initial... nothing defined
2 - Repeatable... basic processes
3 - Defined... defined processes
4 - Managed... quantitative methods used
5 - Optimizing... anomalies removed

Question 42

What is the IDEAL model?

Answer 42

Initiating - Outline needs
Diagnosing - Analyze current state
Establishing - Develop plans from diag phase
Acting - "Do" phase
Learning - QA process.

Question 43

What happens during Request Control?

Answer 43

Users request, developers prioritize, and managers do cost/ benefit.

Question 44

What is change control

Answer 44

Organized framework that allows multiple developers to work effectively together.

Question 45

What is release control?

Answer 45

Orderly process to roll code forward.

Question 46

What happens during configuration management?

Answer 46

Configuration identification
Configuration control
Configuration status accounting
Configuration Audit

Question 47

What is white-box testing

Answer 47

Code walk

Question 48

What is black-box testing

Answer 48

End user perspective review

Question 49

What is grey-box testing

Answer 49

Combination of white and black box testing

Question 50

What is static code testing

Answer 50

Use of automation to find flaws.

Question 51

What is dynamic code testing?

Answer 51

Test of run time environment. used when code is not available.

Question 52

Name of layers in a protection ring

Answer 52

Layer 0 - OS reside here. Protected.
Layer 1 & 2 - Device drivers & other OS
Layer 3 - Application space (user mode, protected mode)

Question 53

What is encapsulation?

Answer 53

Development of increasingly complicated objects that draw from lower level objects.

Question 54

What is compartmented security mode?

Answer 54

System that can process two or more types of data.

Question 55

What is dedicated security mode?

Answer 55

Can process only specific classifications at a time.

Question 56

What is multi-level security mode?

Answer 56

Allowed to process more than one type of information.

Question 57

What is system high security mode?

Answer 57

Allowed to process only information that all users are cleared for.