Software Development Security Flashcards

1
Q

In which phase of software development should security considerations take place?

A

All

2
Q

Which of the following is not an example of computer-aided software engineering (CASE)?

A. program editors
B. version-control mechanisms
C. static code analysis software
D. manual code review
E. debugger
A

D

3
Q

Which of the following are secure software development best practices? (Choose all that apply)

A. OWSAP
B. OWASP
C. BSI
D. ISO/IEC 27034
E. ISO/IEC 27055
A

B, C, D

4
Q

What are the top three of the OWASP Top 10 web application security risks?

A. Insecure Direct Object Reference
B. Cross-Site Request Forgery (CSRF)
C. Cross-Site Scripting (XSS)
D. Injection
E. Sensitive Data exposure
F. Security Misconfiguration
G. Broken Authentication and Session Management
H. Using Components with Known Vulnerabilities
A

C, D, G

5
Q

This is the act of sending random data to the target program in order to trigger failures.

A

Fuzzing

6
Q

List the five maturity levels in CMMI.

A

1 = Initial
2 = Repeatable
3 = Defined
4 = Managed
5 = Optimizing

7
Q

This SDLC model emphasizes verification and validation at each phase.

A

V-Model

8
Q

In this SDLC model, multiple development cycles are carried out on a piece of software throughout its development stages.

A

Incremental

9
Q

This SDLC model takes an iterative approach that emphasizes risk analysis per iteration.

A

Spiral

10
Q

This SDLC model creates a sample of the code for proof-of-concept purposes. It is not typically used to produce production code.

A

Prototyping

11
Q

This SDLC model combines prototyping and iterative development procedures with the goal of accelerating the software development process.

A

Rapid Application

12
Q

This SDLC model has iterative and incremental development processes that encourage team-based collaboration and flexibility and adaptability instead of a strict process structure.

A

Agile

13
Q

This is the term for a multidisciplinary development team with representatives from many or all the stakeholder populations.

A

IPT

Integrated Product Team

14
Q

Various levels of testing should be carried out during development. Which of the following is not a testing type?

A. Acceptance
B. Regression
C. Aggregation
D. Integration
E. Unit
A

C

Acceptance testing = Ensuring code meets customer requirements

Regression testing = Testing after changes take place

Integration = verifying components work together in the production environment.

Unit = testing individual components. Mature developers write unit tests for their modules before they even start coding, or in parallel with it. This is known as TEST-DRIVEN development.

15
Q

This type of software development testing verifies components work together in the production environment.

A

Integration testing

16
Q

This type of software development testing takes place after changes.

A

Regression testing

17
Q

This type of software development testing is done to ensure code meets customer requirements.

A

Acceptance testing

18
Q

Which of the following tasks does not belong in the requirements gathering phase of SDLC? (You can choose more than one)

A. Threat modeling
B. Security risk assessment
C. Privacy risk assessment
D. Risk-level acceptance
E. Static analysis
A

A, E

19
Q

Which of the following tasks belongs in the development phase of SDLC? (You can choose more than one)

A. Threat modeling
B. Security risk assessment
C. Privacy risk assessment
D. Risk-level acceptance
E. Static analysis
A

E

20
Q

Which of the following tasks belongs in the design phase of SDLC? (You can choose more than one)

A. Threat modeling
B. Security risk assessment
C. Privacy risk assessment
D. Attack surface analysis
E. Static analysis
A

A, D

21
Q

Which of the following tasks belongs in the Testing/validation phase of SDLC? (You can choose more than one)

A. Threat modeling
B. Dynamic analysis
C. Regression Testing
D. Attack surface analysis
E. Static analysis
A

B, C

22
Q

At this level of CMMI, the company has formal processes in place to collect and analyze quantitative data, and metrics are defined and fed into the process-improvement program.

A. Optimizing
B. Managed
C. Defined
D. Repeatable

A

B

23
Q

At this level of CMMI, a formal management structure is in place and the company can properly repeat processes throughout each project, but the company does not have formal process models defined.

A. Optimizing
B. Managed
C. Defined
D. Repeatable

A

D

24
Q

At this level of CMMI, the company has budgeted and integrated plans for continuous process improvement.

A. Optimizing
B. Managed
C. Defined
D. Repeatable

A

A

25
Q

Any decent software configuration management system comes with “versioning,” but some systems also allow developers to check out complete or partial code, make changes, commit their changes back to the master repository as needed, and update their own personal copies to stay up to date with changes other people made. This is called ______________.

A

Synchronization

26
Q

This type of programming provides modularity, reusability, and more granular control within the programs themselves compared to classical programming languages.

A

Object-oriented programming

OOP

27
Q

This type of XSS attack exploits the lack of proper input or output validation on dynamic websites.

A

nonpersistent XSS

28
Q

This type of XSS attack involves modifying the original client-side JavaScript.

A

DOM

29
Q

This type of XSS attack is when the attacker loads malicious code on a server that attacks visiting browsers.

A

persistent XSS

30
Q

What is the purpose of a DBMS?

A

Database Management System

The software that controls the access restrictions, data integrity, redundancy, and different types of manipulation available for a database.

31
Q

In a relational database, the ___________ is how a specific row is located from other parts of the database. It is a column that makes each row unique.

A

primary key

think “Item ID #” for the IOF

32
Q

Relational database

Tuple = ___________
Attributes = ___________

A

Rows

Columns

33
Q

This type of database uses a tree-like structure to define relationships between data elements, using a parent/child relationship.

A

hierarchical database

34
Q

Which type of database programming language defines the structure and schema?

A

DDL
Data definition language

Structure = table size, key placement, views, and data element relationships

schema = type of data that will be held and manipulated, and their properties.

35
Q

Which type of database programming language defines queries that enable users to access the data within the database?

A

QL

ad hoc query language

36
Q

Which type of database programming language contains all the commands that enable a user to view, manipulate, and use the database (view, add, modify, sort, and delete commands)?

A

DML

Data manipulation language

37
Q

Which type of database programming language defines the internal organization of the database?

A

DCL

data control language

38
Q

This is a central repository that describes data elements within a database and their relationships.

A

Data Dictionary

39
Q

An attribute of one table that is related to the primary key of another table.

A

Foreign key

40
Q

Defines the structure of the database.

A

schema

41
Q

Hierarchical databases are useful for mapping ___________ relationships.

A. one-to-one
B. one-to-many
C. many-to-one
D. many-to-many

A

B

42
Q

The _________ model is almost always employed when building indexes for relational databases.

A

hierarchical

43
Q

Database integrity is provided by concurrency mechanisms. One concurrency control is ______, which prevents users from accessing and modifying data being used by someone else.

A

locking

44
Q

_________ integrity makes sure that a tuple is uniquely identified by a primary key.

A. Semantic
B. Hierarchical
C. Entity
D. Referential

A

Entity integrity

45
Q

_________ integrity ensures that every foreign key refers to an existing primary key.

A. Semantic
B. Hierarchical
C. Entity
D. Referential

A

Referential integrity

46
Q

Category of programming language that is written in binary.

A

Machine language

47
Q

A category of programming language that is not portable, is low-level, and is a symbolic representation of machine-level instructions.

A

Assembly language

48
Q

Converts assembly code to machine code.

A

Assemblers

49
Q

Converts high-level language statements into the necessary machine-level format for specific processors to understand.

A

Compilers

50
Q

In the right kind of environment, this can perform the last step of transforming high-level code to machine-level code. Improves portability and handles memory management, but requires that the ___________ be installed on the local machine.

A

interpreter

51
Q

If there is a problem with a transaction, a database __________ cancels changes and returns the database to its previous state.

A

rollback

52
Q

For databases…

A ___________ operation completes a transaction and executes all changes just made by the user.

A

commit

53
Q

When the database software fills up a certain amount of memory, a _____________ is initiated, which saves the data from the memory segment to a temporary file. If a glitch is experienced, the software will try to use this information to restore the user’s working environment to its previous state.

A. Rollback point
B. Commit point
C. Checkpoint
D. Savepoint

A

checkpoint

54
Q

_______ are used to make sure that if a system failure occurs, or if an error is detected, the database can attempt to return to a point before the system crashed. Can be configured to occur by time interval, a specific user action, or a number of transactions or changes to the database.

A. Rollback point
B. Commit point
C. Checkpoint
D. Savepoint

A

savepoint

55
Q

The act of combining information from separate sources to form new data that the subject does not have the clearance or permission to access.

A

aggregation

56
Q

The ability to derive information not explicitly available.

A

inference

57
Q

A technique used to hide specific cells that contain information that could be used in an inference attack.

A

cell suppression

58
Q

A technique of inserting bogus information in the hopes of misdirecting an attacker or confusing a matter enough that the actual attack will not be fruitful.

A

noise and perturbation

59
Q

This involves dividing the database into parts, which makes it harder for an unauthorized individual to find connecting pieces to infer something they shouldn’t.

A

partitioning

60
Q

Like operating systems, databases can employ DAC or MAC so that ______ is/are displayed according to group membership, user rights, or security label.

A. data
B. tables
C. views
D. files

A

views

61
Q

This is a process of allowing a table to have multiple rows with the same primary key. The different instances can be distinguished by their security levels or classification. The purpose is to hide more highly classified information from lower-level users who still need access to some of the data to perform a function.

A

polyinstantiation

62
Q

Online transaction processing (OTP) records transactions as they occur (in real time), which usually updates more than one database in a distributed environment. In order to maintain integrity, database software in an OTP environment should implement an ACID test. What does ACID stand for?

A

Atomicity - Divides transactions into units of work and ensures that all modifications take place or none. Either the changes are committed or the database is rolled back.
Consistency - A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
Isolation - Transactions execute in isolation until completed, without interacting with other transactions.
Durability - Once the transaction is verified as accurate on all systems, it is committed and the database cannot be rolled back.

63
Q

This type of program performs useful functionality that is apparent to the user, and malicious functionality without the user knowing it.

A

Trojan horse

64
Q

Bayesian filtering can help reduce this ubiquitous problem.

A

Spam

65
Q

Heuristic detection approaches in antimalware products include static analysis and dynamic analysis, where an AV allows a piece of the suspected code to run in a sandbox or virtual machine, sometimes called an ____________.

A

emulation buffer

66
Q

Which of the following would not be an effective mitigation of zero-day attacks?

A. real-time dynamic analysis
B. heuristic detection
C. signature-based detection
D. behavior blocking

A

C

67
Q

Executes a malicious program when a certain set of conditions is met.

A

logic bomb

68
Q

What are RATs?

A

Remote Access Trojans

69
Q

Malware that is covertly installed on a target computer to gather sensitive information about a victim.

A

Spyware

70
Q

A virus requires a host to replicate. This malicious code does not.

A

Worm

71
Q

This type of virus hides the modifications it has made to files or boot records. It can use tunneling tactics or other tactics to hide its footprint and activities.

A

Stealth virus

72
Q

This type of virus produces varied but operational copies of itself in an attempt to defeat virus scans.

A

Polymorphic virus

73
Q

Object-Oriented programming (OOP) works with classes and objects. Table, chair, and couch are objects of the class furniture. The class has a set of attributes, like color, dimension, weight, style, and cost. The attributes apply to all object members in the class. This is also called _____________.

A

instantiated

74
Q

Software written in OOP has requests sent to it, usually from another object, which creates another object to carry out some sort of functionality. The objects can even be in different programming languages, as long as the requesting object knows the API.

A

Just FYI

75
Q

What benefit of OOP does this describe?

The internal components of an object can be redefined without changing other parts of the system.

A. Modularity
B. Deferred Commitment
C. Reusability
D. Naturalness

A

Deferred Commitment

The internal components of an object can be redefined without changing other parts of the system.

76
Q

What benefit of OOP does this describe?

The building blocks of software are autonomous objects, cooperating through the exchange of messages.

A. Modularity
B. Deferred Commitment
C. Reusability
D. Naturalness

A

Modularity

77
Q

What benefit of OOP does this describe?

Object-oriented analysis, design, and modeling map to business needs and solutions.

A. Modularity
B. Deferred Commitment
C. Reusability
D. Naturalness

A

Naturalness

78
Q

What benefit of OOP does this describe?

Classes are reused by other programs, though they may be refined through inheritance.

A. Modularity
B. Deferred Commitment
C. Reusability
D. Naturalness

A

Reusability

79
Q

In OOP, this is the functionality or procedure an object can carry out.

A

method

80
Q

Objects ____________ the attribute values, which means this information is packaged under one name and can be reused as one entity by other objects.

A

encapsulate

81
Q

This is also what encapsulation provides in OOP. Objects can have a “shared” portion, which is the API, and a “private” portion, which is how it actually works.

A

data hiding

82
Q

ISC2 defines this as “Two (different) objects can receive the same input and have different outputs.”

A

Polymorphism

83
Q

The process of classifying objects that will be appropriate for a solution. A problem is analyzed to determine the classes of objects to be used in the application.

A. Data Structure
B. Data Modeling
C. Object-oriented analysis (OOA)
D. Object-oriented design (OOD)

A

OOA

Object-oriented analysis

84
Q

This creates a representation of a real-world problem and maps it to a software solution using OOP.

A. Data Structure
B. Data Modeling
C. Object-oriented analysis (OOA)
D. Object-oriented design (OOD)

A

OOD

Object-oriented design

85
Q

The logical relationship between data elements.

A. Data Structure
B. Data Modeling
C. Object-oriented analysis (OOA)
D. Object-oriented design (OOD)

A

Data Structure

86
Q

A process used to define and analyze the data requirements needed to support the business processes within the scope of the corresponding systems and software applications.

A. Data Structure
B. Data Modeling
C. Object-oriented analysis (OOA)
D. Object-oriented design (OOD)

A

Data Modeling

87
Q

If a module carries out only one task, or tasks that are very similar, it is said to have high _________. This is good because it’ll be easier to update or modify without affecting other modules.

A

cohesion

88
Q

This is a measurement that indicates how much interaction one module requires to carry out its tasks. The lower the better, where lower means it does not need to communicate with many other modules.

A

coupling

89
Q

This manages communication between objects and enables them to interact in a heterogeneous and distributed environment.

A. Component Object Model (COM)
B. Object request broker (ORB)
C. Object Linking and Embedding (OLE)
D. Common Object Request Broker Architecture (CORBA)

A

Object request broker (ORB)

90
Q

This provides a standardized way for objects within different applications, platforms, and environments to communicate. It accomplishes this by providing standards for interfaces between objects.

A. Component Object Model (COM)
B. Object request broker (ORB)
C. Object Linking and Embedding (OLE)
D. Common Object Request Broker Architecture (CORBA)

A

Common Object Request Broker Architecture (CORBA)

91
Q

This provides an architecture for components to interact on a local system. The distributed version uses the same interfaces, but enables components to interact over a distributed, or networked, environment.

A. Component Object Model (COM)
B. Object request broker (ORB)
C. Object Linking and Embedding (OLE)
D. Common Object Request Broker Architecture (CORBA)

A

Component Object Model (COM)

DCOM = Distributed COM

92
Q

Enables a program to call another program (linking) and permits a piece of data to be inserted inside another program or document (embedding).

A. Component Object Model (COM)
B. Object request broker (ORB)
C. Object Linking and Embedding (OLE)
D. Common Object Request Broker Architecture (CORBA)

A

Object Linking and Embedding (OLE)