Software Development Security Flashcards
During which phase of software development should security considerations take place?
All
Which of the following is not an example of computer-aided software engineering (CASE)?
A. program editors B. version-control mechanisms C. static code analysis software D. manual code review E. debugger
D
Which of the following are secure software development best practices? (Choose all that apply)
A. OWSAP B. OWASP C. BSI D. ISO/IEC 27034 E. ISO/IEC 27055
B, C, D
What are the top three in the top 10 OWASP web application security risks?
A. Insecure Direct Object Reference B. Cross-Site Request Forgery (CSRF) C. Cross-Site Scripting (XSS) D. Injection E. Sensitive Data Exposure F. Security Misconfiguration G. Broken Authentication and Session Management H. Using Components with Known Vulnerabilities
C, D, G
This is the act of sending random data to the target program in order to trigger failures.
Fuzzing
List the five maturity levels in CMMI.
1 = Initial 2 = Repeatable 3 = Defined 4 = Managed 5 = Optimizing
This SDLC model emphasizes verification and validation at each phase.
V-Model
In this SDLC model, multiple development cycles are carried out on a piece of software throughout its development stages.
Incremental
This SDLC model takes an iterative approach that emphasizes risk analysis per iteration.
Spiral
This SDLC model creates a sample of the code for proof-of-concept purposes. Not really used to produce production code.
Prototyping
This SDLC model combines prototyping and iterative development procedures with the goal of accelerating the software development process.
Rapid Application
This SDLC model has iterative and incremental development processes that encourage team-based collaboration and flexibility and adaptability instead of a strict process structure.
Agile
This is the term for a multidisciplinary development team with representatives from many or all the stakeholder populations.
IPT
Integrated Product Team
Various levels of testing should be carried out during development. Which of the following is not a testing type?
A. Acceptance B. Regression C. Aggregation D. Integration E. Unit
C
Acceptance testing = Ensuring code meets customer requirements
Regression testing = Testing after changes take place
Integration = verifying components work together in the production environment.
Unit = testing individual components. Mature developers develop unit tests for their modules before they even start coding or in parallel. Known as TEST-DRIVEN development.
This type of software development testing verifies components work together in the production environment.
Integration testing
This type of software development testing takes place after changes.
Regression testing
This type of software development testing is done to ensure code meets customer requirements.
Acceptance testing
Which of the following tasks does not belong in the requirements gathering phase of SDLC? (You can choose more than one)
A. Threat modeling B. Security risk assessment C. Privacy risk assessment D. Risk-level acceptance E. Static analysis
A, E
Which of the following tasks belongs in the development phase of SDLC? (You can choose more than one)
A. Threat modeling B. Security risk assessment C. Privacy risk assessment D. Risk-level acceptance E. Static analysis
E
Which of the following tasks belongs in the design phase of SDLC? (You can choose more than one)
A. Threat modeling B. Security risk assessment C. Privacy risk assessment D. Attack surface analysis E. Static analysis
A, D
Which of the following tasks belongs in the Testing/validation phase of SDLC? (You can choose more than one)
A. Threat modeling B. Dynamic analysis C. Regression Testing D. Attack surface analysis E. Static analysis
B, C
At this level of CMMI, the company has formal processes in place to collect and analyze quantitative data and metrics are defined and fed into the process-improvement program.
A. Optimizing
B. Managed
C. Defined
D. Repeatable
B
At this level of CMMI, a formal management structure is in place and the company can properly repeat processes throughout each project, but the company does not have formal process models defined.
A. Optimizing
B. Managed
C. Defined
D. Repeatable
D
At this level of CMMI, the company has budgeted and integrated plans for continuous process improvement.
A. Optimizing
B. Managed
C. Defined
D. Repeatable
A
Any decent software configuration management system comes with “versioning,” but some systems also allow developers to check out complete or partial code, make changes, commit their changes back to the master repository as needed, and update their own personal copies to stay up to date with changes other people made. This is called ______________.
Synchronization
This type of programming provides modularity, reusability, and more granular control within the programs themselves compared to classical programming languages.
Object-oriented programming
OOP
This type of XSS attack exploits the lack of proper input or output validation on dynamic websites.
nonpersistent XSS
This type of XSS attack involves modifying the original client-side JavaScript.
DOM
This type of XSS attack is when the attacker loads malicious code on a server that attacks visiting browsers.
persistent XSS
What is the purpose of a DBMS?
Database Management System
The software that controls the access restrictions, data integrity, redundancy, and different types of manipulation available for a database.
In a relational database the ___________ is how a specific row is located from other parts of the database. It is a column that makes each row unique.
primary key
think “Item ID #” for the IOF
Relational database
Tuple = ___________ Attributes = ___________
Rows
Columns
This type of database uses a tree-like structure to define relationships between data elements, using a parent/child relationship.
hierarchical database
Which type of database programming language defines the structure and schema?
DDL
Data definition language
Structure = table size, key placement, views, and data element relationships
schema = type of data that will be held and manipulated, and their properties.
Which type of database programming language defines queries that enable users to access the data within the database?
QL
ad hoc query language
Which type of database programming language contains all the commands that enable a user to view, manipulate, and use the database (view, add, modify, sort, and delete commands)?
DML
Data manipulation language
Which type of database programming language defines the internal organization of the database?
DCL
data control language
This is a central repository that describes data elements within a database and their relationships.
Data Dictionary
An attribute of one table that is related to the primary key of another table.
Foreign key
Defines the structure of the database.
schema
Hierarchical databases are useful for mapping ___________ relationships.
A. one-to-one
B. one-to-many
C. many-to-one
D. many-to-many
B
The _________ model is almost always employed when building indexes for relational databases.
hierarchical
Database integrity is provided by concurrency mechanisms. One concurrency control is ______, which prevents users from accessing and modifying data being used by someone else.
locking
_________ integrity makes sure that a tuple is uniquely identified by a primary key.
A. Semantic
B. Hierarchical
C. Entity
D. Referential
Entity integrity
_________ integrity ensures that every foreign key refers to an existing primary key.
A. Semantic
B. Hierarchical
C. Entity
D. Referential
Referential integrity
Category of programming language that is written in binary.
Machine language
A category of programming language that is not portable, is low-level, and is a symbolic representation of machine-level instructions
Assembly language
Converts assembly code to machine code.
Assemblers
Converts high-level language statements into the necessary machine-level format for specific processors to understand.
Compilers
In the right kind of environment, this can perform the last step of transforming high-level code to machine-level code. Improves portability and handles memory management, but requires that the ___________ be installed on the local machine.
interpreter
If there is a problem with a transaction, a database __________ cancels changes and returns the database to its previous state.
rollback
For databases….
A ___________ operation completes a transaction and executes all changes just made by the user.
commit
When the database software fills up a certain amount of memory, a _____________ is initiated, which saves the data from the memory segment to a temporary file. If a glitch is experienced, the software will try to use this information to restore the user’s working environment to its previous state.
A. Rollback point
B. Commit point
C. Checkpoint
D. Savepoint
checkpoint
_______ are used to make sure that if a system failure occurs, or if an error is detected, the database can attempt to return to a point before the system crashed. Can be configured to occur by time interval, a specific user action, or a number of transactions or changes to the database.
A. Rollback point
B. Commit point
C. Checkpoint
D. Savepoint
savepoint
The act of combining information from separate sources to form new data that the subject does not have the clearance or permission to access.
aggregation
The ability to derive information not explicitly available
inference
A technique used to hide specific cells that contain information that could be used in an inference attack.
cell suppression
A technique of inserting bogus information in the hopes of misdirecting an attacker or confusing a matter enough that the actual attack will not be fruitful.
noise and perturbation
This involves dividing the database into parts, which makes it harder for an unauthorized individual to find connecting pieces to infer something they shouldn’t.
partitioning
Like operating systems, databases can employ DAC or MAC so that ______ is/are displayed according to group membership, user rights, or security label.
A. data
B. tables
C. views
D. files
views
This is a process of allowing a table to have multiple rows with the same primary key. The different instances can be distinguished by their security levels or classification. The purpose is to hide higher confidential information from lower level access users who still need access to some of the data to perform a function.
polyinstantiation
Online transaction processing (OTP) records transactions as they occur (in real time), which usually updates more than one database in a distributed environment. In order to maintain integrity, database software in an OTP environment should implement an ACID test. What does ACID stand for?
Atomicity - Divides transactions into units of work and ensures that all modifications take place or none. Either the changes are committed or database is rolled back.
Consistency - A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
Isolation - Transactions execute in isolation until completed without interacting with other transactions.
Durability - Once the transaction is verified accurate on all systems, it is committed and the database cannot be rolled back.
This type of program performs useful functionality apparent to the user and malicious functionality without the user knowing it.
Trojan horse
Bayesian filtering can help reduce this ubiquitous problem.
Spam
Heuristic detection approaches in antimalware products include static analysis and dynamic analysis where an AV allows a piece of the suspected code to run in a sandbox or virtual machine, sometimes called an ____________ .
emulation buffer
Which of the following would not be effective mitigation of zero-day attacks?
A. real-time dynamic analysis
B. heuristic detection
C. signature-based detection
D. behavior blocking
C
Executes a malicious program when a certain set of conditions is met.
logic bomb
What are RATs?
Remote Access Trojans
Malware that is covertly installed on a target computer to gather sensitive information about a victim.
Spyware
A virus requires a host to replicate. This malicious code does not.
Worm
This type of virus hides the modifications it has made to files or boot records. It can use tunneling tactics or other tactics to hide its footprint and activities.
Stealth virus
This type of virus produces varied but operational copies of itself in an attempt to defeat virus scans.
Polymorphic virus
Object-Oriented programming (OOP) works with classes and objects. Table, chair, couch are objects of the class furniture. The class has a set of attributes, like color, dimension, weight, style, and cost. The attributes apply to all object members in the class. This is also called _____________.
instantiated
Software written in OOP has requests sent to it, usually from another object, which creates another object to carry out some sort of functionality. The objects can even be in different programming languages as long as the requesting object knows the API.
Just FYI
What benefit of OOP does this describe?
The internal components of an object can be redefined without changing other parts of the system.
A. Modularity
B. Deferred Commitment
C. Reusability
D. Naturalness
Deferred Commitment
The internal components of an object can be redefined without changing other parts of the system.
What benefit of OOP does this describe?
The building blocks of software are autonomous objects, cooperating through the exchange of messages.
A. Modularity
B. Deferred Commitment
C. Reusability
D. Naturalness
Modularity
What benefit of OOP does this describe?
Object-oriented analysis, design, and modeling map to business needs and solutions.
A. Modularity
B. Deferred Commitment
C. Reusability
D. Naturalness
Naturalness
What benefit of OOP does this describe?
Classes are reused by other programs, though they may be refined through inheritance.
A. Modularity
B. Deferred Commitment
C. Reusability
D. Naturalness
Reusability
In OOP, this is the functionality or procedure an object can carry out
method
Objects ____________ the attribute values, which means this information is packaged under one name and can be reused as one entity by other objects.
encapsulate
This is also what encapsulation provides in OOP. Objects can have a “shared” portion which is the API. The “private” portion of how it actually works.
data hiding
ISC2 defines this as “Two (different) objects can receive the same input and have different outputs.”
Polymorphism
The process of classifying objects that will be appropriate for a solution. A problem is analyzed to determine the classes of objects to be used in the application.
A. Data Structure
B. Data Modeling
C. Object-oriented analysis (OOA)
D. Object-oriented design (OOD)
OOA
Object-oriented analysis
This creates a representation of a real-world problem and maps it to a software solution using OOP.
A. Data Structure
B. Data Modeling
C. Object-oriented analysis (OOA)
D. Object-oriented design (OOD)
OOD
Object-oriented design
The logical relationship between data elements.
A. Data Structure
B. Data Modeling
C. Object-oriented analysis (OOA)
D. Object-oriented design (OOD)
Data Structure
A process used to define and analyze data requirements needed to support the business processes within the scope of corresponding systems and software application.
A. Data Structure
B. Data Modeling
C. Object-oriented analysis (OOA)
D. Object-oriented design (OOD)
Data Modeling
If a module carries out only one task or tasks that are very similar it is said to have high _________ . This is good because it’ll be easier to update or modify without affecting other modules.
cohesion
This is a measurement that indicates how much interaction one module requires to carry out its tasks. The lower the better… lower meaning it does not need to communicate with many other modules.
coupling
This manages communication between objects and enables them to interact in a heterogeneous and distributed environment.
A. Component Object Model (COM)
B. Object request broker (ORB)
C. Object Linking and embedding (OLE)
D. Common Object Request Broker Architecture (CORBA)
Object request broker (ORB)
This provides a standardized way for objects within different applications, platforms, and environments to communicate. It accomplishes this by providing standards for interfaces between objects.
A. Component Object Model (COM)
B. Object request broker (ORB)
C. Object Linking and embedding (OLE)
D. Common Object Request Broker Architecture (CORBA)
Common Object Request Broker Architecture (CORBA)
This provides an architecture for components to interact on a local system. The distributed version uses the same interfaces, but enables components to interact over a distributed, or networked, environment.
A. Component Object Model (COM)
B. Object request broker (ORB)
C. Object Linking and embedding (OLE)
D. Common Object Request Broker Architecture (CORBA)
Component Object Model (COM)
DCOM = Distributed COM
Enables a program to call another program (linking) and permits a piece of data to be inserted inside another program or document (embedding).
A. Component Object Model (COM)
B. Object request broker (ORB)
C. Object Linking and embedding (OLE)
D. Common Object Request Broker Architecture (CORBA)
Object Linking and embedding (OLE)