Software Development Security Flashcards
What is a distributed application?
An application that consists of components that reside on separate, networked systems.
What are the 3 distinct issues to be aware of when securing distributed systems?
- Software integrity
- Data integrity
- Access Control
What is an agent in relation to distributed systems?
A software component in a distributed system that performs a particular service
Patch Management, Host-based Intrusion Detection Systems and Performance & Capacity Management Systems are all examples of what?
Agents in a distributed system
What is an applet in a distributed system?
A component that’s downloaded and executed by a web browser
What are the two most common applets?
Java and Active X
Java code runs in a constrained environment, meaning that it can only communicate with the host from which it was downloaded. What is this commonly known as?
A sandbox
How does the security philosophy for Active X differ from that of Java?
The person running the web browser gets to determine whether they trust all Active X applets coming from a particular server. Digital certificates prove whether the Active X applet is genuine.
Which of the following applets doesn’t use a concept of a sandbox? Java or Active X?
Active X
Mobile code that's downloaded from a server and run on a client is otherwise known as what?
An applet
Should Active X be blocked by enterprises?
Yes
What is Web 2.0?
Web features such as wikis, blogs, web services, mashups, communities, information sharing, etc. that utilise features on other websites.
In terms of applets, what is a mashup?
A web page or application that combines functionality from external applications through their published Application Programming Interfaces (APIs)
An online map that displays locations that come from different online applications implements what?
Mashups
What is the principle of an Object-oriented environment?
Objects, after they are written, can be used again and again, making an enterprise's entire software development more efficient over time
What is encapsulation with regard to an object-oriented environment?
The inner workings of the object are hidden
What term is used to describe an object performing a function?
A method
What term is used to describe an object that is running?
An instance (also refers to an object that is a member of a class of objects)
What is a behaviour in relation to an object-oriented environment?
The result of an object having received a message
A template that defines the methods and variables to be included in a particular type of object is known as what?
A class
Real world example of a class?
Class = Cake; Object = Chocolate Cake; Method = Recipe
The tree structure of a collection of classes and objects is known as what?
Class hierarchy
What is delegation in relation to OO?
An object delegates a message to another object that contains the correct method. This happens when the first object doesn't have the requested method.
An object that gets some of its characteristics from a class is known as what?
Inheritance
How do objects communicate with one another?
Through messages
What is Multi-inheritance?
When an object inherits characteristics from more than one class
What is the basic unit in OO?
The Object
What is Poly-instantiation?
The process of developing one object from another object, but with different values in the new object
What is Polymorphism?
The ability to hide implementation details behind a common message interface. It permits objects to be added to the system without having to re-write existing procedures
What are the 4 most common types of databases in use today?
Relational
Hierarchical
Object-oriented
Network
What is one way of simplifying security issues in a database by allowing granular access through a virtual table built from fields and rows of one or more tables in the database?
A View
What does aggregation mean with regard to databases?
The process of combining separate low-sensitivity data items to produce a high-sensitivity data item
Which concept refers to the ability of someone to deduce or infer something about sensitive data that is beyond their normal reach because of its sensitivity level?
Inference
An application that reveals to users the existence of highly sensitive information within it is known as what?
Inference
What is a database of databases known as?
Data dictionary
What 3 things can you control with a data dictionary?
- create or re-create tables
- manage security access
- a control point for managing the schema of an application's database
What is the difference between a data warehouse and production database?
A production database is used for business operations, whereas a data warehouse is used for research, decision support, planning, etc.
Why should a production database not be used for data warehousing purposes?
It can impact the performance of normal business operations.
In a data warehouse, figuring out trends about customers/business activities is commonly known by which two terms?
Data Mining
Business Intelligence
Data mining can be used to detect fraud. true or false?
true
Which type of database is arranged in a tree structure with parent records at the top of the database and child records at successive layers? (Relational / Hierarchical / Object-oriented / Network)
Hierarchical
Which type of database is an improvement to the design of hierarchical databases, where records can be networked to other records via paths that don't follow the normal tree structure? (Relational / Object-oriented / Network)
Network
Which type of database has relationships between datasets with the freedom of a network database, but without the constraints of a hierarchical database? (Relational / Object-oriented)
Relational
Which type of database is part of the overall object-oriented application design? (Relational / Hierarchical / Object-oriented / Network)
Object-oriented
What are two characteristics of a Relational Database?
- is defined by its schema
- records are often called rows and rows are stored in tables
In a relational database what would you use to query a table to look for a specific record?
A primary key
What is a primary key?
A field in a table that contains a unique value
In relational databases, what is a foreign key?
A field in a table that points to the primary key in another table.
A sub-routine that can be accessed by software applications is known by what term?
Stored procedures
Prepared statements are basically canned statements that can be called by the application. What are they also known as?
Parameterised statements
In a relational database what 2 methods can be used to protect against SQL injection attacks?
Stored procedures and Prepared statements
What is a distributed database?
A database whose components exist in multiple physical locations
A distributed database can be network, object oriented, relational, hierarchical or any other design. True or False?
True
An action performed on a database that results in the addition, alteration or removal of data in that database is called what?
Transaction
What can be used to protect data in a database and permit users to alter certain data in that database?
Database Management System
What is the dominant computer language used to manipulate data in a database?
SQL (Structured Query Language)
In databases, a mechanism used to avoid collisions, in which two or more programs may be trying to update the same table or row at the same time, is known as what?
Locking
What term describes a system that can make decisions or predict the future based on historical data?
Knowledge Based System
Which type of system builds a database of past events in order to predict outcomes in future situations?
Expert Systems
Expert systems are designed to work with a degree of uncertainty. In what two ways do they do this?
- Fuzzy logic
- Certainty factors
What is fuzzy logic?
The component of an expert system that produces a quantitative result based on uncertainties. It breaks down the factors influencing a decision
What is a certainty factor?
Operates on the numeric probabilities of yes/no, true/false, etc.
What is a neural network?
Accumulates knowledge by observing events, measuring their inputs and outcomes. Over time it becomes proficient at predicting the correct outcome. Input components are weighted as it learns.
What is the central component of an operating system?
The kernel
What are the 4 primary activities carried out by the kernel?
- Process Management: controls execution/termination of programs
- Memory Management: allocates memory to itself as well as to running processes
- Interrupts: signal sent to the kernel to temporarily suspend processing
- Hardware Resource Management: manage process access to computer hardware.
What part of the OS permits interaction between the kernel and specific hardware connected to the computer?
Device Drivers
What are the two primary OS interfaces?
Graphical and Command Line
What are the 5 main security functions that an OS carries out on a computer?
- Authentication
- Access Control
- Process isolation
- Network communication
- File-system Access
What are the 2 objectives of a system development life-cycle?
- A system that performs its intended function correctly and securely
- A development project that's completed on time and within budget
In which type of system development model are stages performed sequentially?
Waterfall
In a Waterfall model, which of the following is used to provide a high-level description of a system? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
Conceptual Definition
In a Waterfall model, which of the following lists the required characteristics/features of a system? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
Functional Requirements
In a Waterfall model, at which stage should a test plan be outlined detailing the characteristics of the system that should be tested? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
Functional Requirements
In a Waterfall model, at which stage are the "what we think we can build" statements included? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
Functional Specifications
In a Waterfall model, at which stage should details about authentication, authorisation, access control, confidentiality, transaction auditing, integrity, availability, etc. be contained? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
Functional Specifications
In a Waterfall model, at which stage would database schemas, data flow diagrams, over-the-wire protocols, etc. be included? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
Design
In a Waterfall model, at which stage would unit testing (the process of verifying all the modules that are built) be carried out? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
Coding
What is OWASP (The Open Web Applications Security Project)?
Provides guidelines for secure coding practices
In a Waterfall model, at which stage would you check for programming errors? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
Code review
What is Unit Testing?
Allows a tester or developer to verify the correct functioning of individual modules of an application.
In a Waterfall model, at which stage is a system tested end to end? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
System test
In a Waterfall model, at which stage is a system evaluated and declared fully functional? (Conceptual Definition / Functional Requirements / Functional Specifications / Design / Design Review / Coding / Code Review / System Test / Certification & Accreditation / Maintenance)
Certification & Accreditation
What is the difference between certification and accreditation?
Certification is a formal system evaluation, whereas accreditation is the decision by senior management that it is acceptable to put the system into production.