Software Development Security Flashcards

1
Q

System Development Life Cycle

5 steps

A

Initiate

Acquire / Develop

Implement

Operate / Maintain

Dispose / Decommission

2
Q

Software Testing and Validation

Verification Testing

Validation Testing

A

Verification Testing - determines whether the software meets its design specifications ("did we build it right?")

Validation Testing - higher-level view - determines whether the software achieves its original purpose for the user ("did we build the right thing?")

3
Q

Software Testing and Validation

Integration Testing

Acceptance Testing

Regression Testing

A

Integration Testing
Assesses the way that modules work together. Determines whether functional and security specs are still met once the units are combined

Acceptance Testing
Ensures the customer is satisfied with the functionality of the software

Regression Testing
Occurs after changes are made to the code to ensure they haven't reduced functionality or security. The existing test suite (including tests for previously fixed vulnerabilities) is re-run after every change, so a fixed flaw cannot silently come back

4
Q

Software Development Security Best Practices

4 Organizations
WASC
Web Application Security Consortium

OWASP
Open Web Application Security Project

BSI (a DHS initiative)
Build Security In initiative

IEC
International Electrotechnical Commission

A

WASC
provides best practices for web-based applications

OWASP
open community that publishes free guidance, tools and the OWASP Top 10 list of the most common web application security risks

BSI
promotes a process-agnostic approach to make security recommendations for architectures, methods, code reviews, management processes

IEC
created, jointly with ISO, the 27034 standard, part of the ISO/IEC 27000 series. It provides guidance for integrating security into the development and maintenance of software applications

5
Q

Software Development Methods

Build and Fix Approach

A

Build and Fix

used in the past, has been discredited. Now used as a model to avoid

build version, keep modifying until user is satisfied

6
Q

Software Development Methods

Waterfall Model

A

Waterfall model

Break process into individual steps and completely fulfill one before moving to the next.

Idea - Analysis - Design - Development - Test - Release

not many iterations between the steps

Doesn’t allow for change until the project is complete. Ok for small projects where requirements are completely understood, but dangerous for large projects.

7
Q

Software Development Methods

V-Shaped Model

(Section 7, Lecture 70 for diagram)

A

V-Shaped Model

As you go through the steps of defining requirements, you also define how each one will be verified, so every step on the left side of the V is paired with a test level on the right side.

Each of these steps is verified:
System Requirements - Software Requirements - Software Architecture - Software Detailed Design - Software Code, with unit, integration, system and acceptance testing climbing back up the other side of the V.

Rigid, like the waterfall, doesn't allow for much flexibility, adapting to change is difficult.

8
Q

Software Development Methods

Prototyping

Rapid
Evolutionary
Operational

A

Use sample code to explore specific approach to solving a problem before extensive time and cost have been invested

Rapid - throwaway prototype, discarded after use
Evolutionary - created and improved upon in a lab until it becomes the product
Operational - developed and improved in production

9
Q

Software Development Methods

Incremental Model

A

Requirements - Design - Implement, then repeat, constantly returning to requirements and design

similar to a multi-waterfall.

Each incremental phase results in an operational deliverable

customer can respond to each build and help development team improve

Good for getting customer basic functionality quickly

10
Q

Software Development Methods

Spiral Model

A

Start at the center and spiral out in a circle

Determine Objectives
Identify and Resolve Risks
Develop and Test
Plan Next Iteration

Each prototype allows new requirements to be addressed. Risk analysis ensures all issues are reviewed and analyzed so things don’t slip through the cracks

11
Q

Software Development Methods

RAD (Rapid Application Development)

Agile

A

RAD
Combines prototyping and iterative procedures to accelerate the development process

less time spent upfront, emphasis is on rapidly producing prototypes so crucial knowledge can be gained through trial and error

It was created because by the time software was fully developed with other models, the requirements had changed and developers had to start over.

Build -> Demonstrate -> Refine -> repeat

12
Q

Software Development Methods

Cleanroom Model

JAD (Joint Analysis Development)
aka (Joint Application Development)

A

Cleanroom
strict, formal steps and structured method. Attempts to prevent defects from being introduced in the first place, through formal methods and statistical testing, rather than relying on finding them afterwards

JAD
uses a team approach and workshops to agree on requirements and resolve differences

13
Q

Software Development Methods

Traditional vs RAD model comparison

A

Traditional has discrete steps

RAD has quick analysis and design, then prototyping. Continue that until you get a good implementation

14
Q

Software Development Methods

Agile vs Waterfall methods

A

Waterfall goes through each step before moving to the next, no returning to previous steps

Agile can jump back to earlier steps

15
Q

Software Development Methods

Capability Maturity Model Integration

A

Level 1 - initial - reacting
Level 2 - managed - processes started but reacting
Level 3 - defined - projects tailored from std processes
Level 4 - quantitatively managed - measured processes
Level 5 - optimizing - process improvement

16
Q

Programming Languages

Machine

Assembly

High-Level

Very-High-Level

Natural

A

Machine - binary instructions delivered directly to the processor

Assembly - uses symbols or mnemonics to represent machine instructions

High-Level - uses abstract statements (if then else) and is processor independent

Very-High-Level - abstract algorithms that hide some complexity from the programmer

Natural - aims at software that can solve problems from statements in ordinary language, instead of needing a programmer

17
Q

Object Oriented Programming

Modularity
Definition
Reusability
Maps

A

modularity in design through autonomous objects

definition of internal components without impacting other parts of system

reusability of components

readily maps to business needs

18
Q

Programming Concepts

Polymorphism

Cohesion

Coupling

Data Structure

A

Polymorphism - capability of different objects with a common name to react to the same message or input with a different output

Cohesion - how closely related the tasks a single module carries out are. High cohesion (one module, one job) is desirable

Coupling - how much interaction one module requires from another to do its job. Low coupling is desirable: a change or a compromise in one module then has less effect on the others

Data Structure - logical relationship between elements of data

19
Q

Distributed Object Oriented Systems

CORBA
Common Object Request Broker Architecture

COM
Component Object Model

A

CORBA
open object oriented standard developed by the Object Management Group (OMG). Uses an Object Request Broker (ORB) to implement exchanges among objects in a heterogeneous distributed environment

COM
model for communication between processes on the same computer

20
Q

Distributed Object Oriented Systems

DCOM
Distributed Component Object Model

OLE
Object Linking and Embedding

Java EE
Java Enterprise Edition

SOA
Service Oriented Architecture

A

DCOM
model for communicating between COM objects on different computers across the network

OLE
method for sharing objects on the local computer that uses COM as its foundation

Java EE
Java's platform for distributed, multi-tier enterprise applications; plays a role comparable to DCOM but is built on Java rather than on COM

SOA
provides functionality as network-accessible services (commonly web services) that many applications share, so the same code does not have to be written again in each application

21
Q

Mobile Code

definition and two examples

A

Transferred across network, executed on remote system or device

Java applet

ActiveX

Both are legacy examples: modern browsers no longer run either, but the category itself (code that arrives over the network and executes locally) still applies, e.g. to browser JavaScript

22
Q

Database Architecture and Models

3 Models

Relational
Hierarchical
Network

A

Relational
Uses attributes and tuples (columns, rows) to organize data in two-dimensional tables. Each tuple (row) is a record, and the cell where an attribute and a tuple intersect holds one field value

Hierarchical
Data organized into a tree. An object can have one child, multiple children or none, but only one parent. Children are objects that are subsets of the parent

Network
Like hierarchical, data organized into a hierarchy, but the objects can have multiple parents

23
Q

Database Architecture and Models

Object Oriented Model

Object Relational Model

A

Object Oriented
Has capability to handle variety of data types, more dynamic than relational

Object Relational
Marriage of Object Oriented and Relational Models. A relational database with a software interface written in an OOP language

24
Q

Database Interface Languages

Open Database Connectivity (ODBC)
Java Database Connectivity (JDBC)
XML
Object Linking and Embedding Database (OLE DB)

A

ODBC - API that allows applications to communicate with databases locally or remotely

JDBC - allows Java applications to communicate with a database

XML - allows XML-based applications to exchange data with more traditional databases such as relational ones

OLE DB - Microsoft's successor to ODBC, extending its functionality to non-relational data sources

25
Q

Data Warehouses and Data Mining

Data Warehousing
Data Mining

A

Data Warehousing
combines data from multiple databases in a central location called a warehouse, where you perform analysis

Data Mining
using special tools to organize data into a format that lets you make business decisions from the content

26
Q

Database Threats

Aggregation
Inference

A

Aggregation - combining individually non-sensitive pieces of information, particularly from lower classification levels, until the combination reveals something that belongs to a higher level

Inference - deducing information you are not authorized to see from information you are authorized to see

If a user doesn't have access to a set of objects as a whole but does have access to some of them individually, they can piece that data together and learn something they don't have access to. Aggregate queries are a classic case: the average salary of a one-person department is that person's salary

27
Q

Database and Application Access Control

Content-Dependent access control

Context-Dependent access control

A

Content-Dependent access control
bases access on the sensitivity of the data actually being requested, so the database has to inspect the values themselves. Cost of this is an increased processing overhead. Example - a department manager can see the salaries of those in his department but not others.

Context-Dependent access control
bases access on multiple factors, not only the data, to prevent inference. Can be a function of factors like location, time of day, and previous access history (e.g. denying a query that would complete a set the user has been assembling piece by piece)
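The inference problem from the previous card and the context-dependent countermeasure from this one, as an added example that is not part of the original flashcards. The payroll rows, the MIN_QUERY_SET threshold and the ContextDependentGate class are all constructed for this illustration. An aggregate-only interface still leaks an individual salary through two permitted queries whose query sets differ by one person; the gate refuses queries on that basis, using the requester's previous queries as context:

```python
import sqlite3

# Constructed sample payroll table (not from the original flashcards):
# individual salaries are sensitive, departmental averages are meant to be shareable.
EMPLOYEES = [
    ("alice", "engineering", 120000),
    ("bob",   "engineering", 95000),
    ("carol", "engineering", 105000),
    ("dave",  "finance",     88000),   # finance has exactly one employee
]

MIN_QUERY_SET = 2  # smallest group an aggregate may be computed over (assumed policy)


def build_db():
    """In-memory SQLite database holding the constructed payroll rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def _where(dept):
    """Optional WHERE clause and its parameters (None means the whole company)."""
    return ("", ()) if dept is None else (" WHERE dept = ?", (dept,))


def avg_salary_unprotected(conn, dept=None):
    """Aggregate-only interface with no inference control. The caller never sees
    a row, yet for a one-person department AVG equals that person's salary."""
    clause, params = _where(dept)
    return conn.execute("SELECT AVG(salary) FROM employees" + clause, params).fetchone()[0]


def infer_from_averages(avg_all, n_all, avg_sub, n_sub):
    """The inference step: two permitted aggregates whose query sets differ by one
    row give that row's value (sum over everyone minus sum over the subset)."""
    return round(avg_all * n_all - avg_sub * n_sub)


class ContextDependentGate:
    """Context-dependent access control for the same query: the decision depends
    on the size of the query set and on what this requester has already asked,
    not only on the sensitivity of the data."""

    def __init__(self, conn):
        self.conn = conn
        self.history = {}  # requester -> list of query sets already answered

    def _query_set(self, dept):
        clause, params = _where(dept)
        rows = self.conn.execute("SELECT name FROM employees" + clause, params)
        return frozenset(r[0] for r in rows)

    def avg_salary(self, requester, dept=None):
        qset = self._query_set(dept)
        if len(qset) < MIN_QUERY_SET:
            return None  # query-set-size control: an average of one is a record
        for prev in self.history.get(requester, []):
            if 0 < len(qset ^ prev) < MIN_QUERY_SET:
                return None  # overlap control: differencing with an earlier answer would isolate a person
        self.history.setdefault(requester, []).append(qset)
        clause, params = _where(dept)
        return self.conn.execute("SELECT AVG(salary) FROM employees" + clause, params).fetchone()[0]


if __name__ == "__main__":
    conn = build_db()
    # Attack on the unprotected interface: two legal aggregates leak dave's salary.
    leaked = infer_from_averages(avg_salary_unprotected(conn), 4,
                                 avg_salary_unprotected(conn, "engineering"), 3)
    print("inferred finance salary:", leaked)
    gate = ContextDependentGate(conn)
    print("gated company average:", gate.avg_salary("mallory"))
    print("gated engineering average after company average:", gate.avg_salary("mallory", "engineering"))
```

The gate answers the engineering average to a fresh requester but refuses it to one who already obtained the company-wide average, which is exactly the "previous access history" factor on the card; neither check looks at the salary values themselves.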

29
Q

Database and Application Access Control

Database Views
Database Locks
Polyinstantiation

A

Database View
the given set of data a user can see when they access the database; rows and columns outside the view are not visible to them

Database Lock
Prevents multiple users from editing the same data at the same time, until the first user finishes

Polyinstantiation
Process to prevent data inference violations. Enables a relation to contain multiple tuples (rows) with the same primary key, with each instance distinguished by a security level. It prevents users from inferring the existence of higher-level data: a low-level user can insert a row with that key instead of being rejected by a key collision that would reveal the hidden row
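Polyinstantiation, a view-style filter and a database lock, as an added example that is not part of the original flashcards. The flight table, the two clearance levels and the function names are constructed for this illustration; SQLite is used because it needs no server. The security level is part of the primary key, the per-clearance query shows each flight at the highest level the requester may see, and the last function shows a second writer being refused while the first holds the write lock:

```python
import os
import sqlite3
import tempfile

UNCLASSIFIED, SECRET = 0, 1

# Constructed flight schedule (not from the original flashcards). The real
# destination of F100 is SECRET; an UNCLASSIFIED cover story shares its key.
FLIGHTS = [
    ("F100", "Munich", UNCLASSIFIED),   # cover story
    ("F100", "Tehran", SECRET),         # real destination
    ("F200", "Oslo",   UNCLASSIFIED),
    ("F300", "Ankara", SECRET),         # no cover story yet
]


def build_polyinstantiated_db():
    """Security level is part of the primary key, so one flight number may
    exist once per level: that is polyinstantiation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE flights (
        flight TEXT NOT NULL, destination TEXT NOT NULL, level INTEGER NOT NULL,
        PRIMARY KEY (flight, level))""")
    conn.executemany("INSERT INTO flights VALUES (?, ?, ?)", FLIGHTS)
    return conn


def build_single_key_db():
    """Same idea without polyinstantiation: flight alone is the key, so a
    SECRET row silently reserves a key value that low users cannot see."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE flights (
        flight TEXT PRIMARY KEY, destination TEXT NOT NULL, level INTEGER NOT NULL)""")
    conn.executemany("INSERT INTO flights VALUES (?, ?, ?)",
                     [("F200", "Oslo", UNCLASSIFIED), ("F300", "Ankara", SECRET)])
    return conn


def visible_schedule(conn, clearance):
    """View-like query: for every flight, the row at the highest level the
    requester is cleared for. Returns {flight: destination}."""
    rows = conn.execute("""
        SELECT flight, destination FROM flights f
        WHERE level <= ?
          AND level = (SELECT MAX(level) FROM flights
                       WHERE flight = f.flight AND level <= ?)
        ORDER BY flight""", (clearance, clearance))
    return dict(rows)


def low_user_insert(conn, flight, destination):
    """An UNCLASSIFIED user adds a flight. Returns True on success, False on a key
    collision. In the single-key table the collision itself tells the user that a
    hidden (SECRET) row exists; with polyinstantiation the insert just works."""
    try:
        conn.execute("INSERT INTO flights VALUES (?, ?, ?)", (flight, destination, UNCLASSIFIED))
        return True
    except sqlite3.IntegrityError:
        return False


def second_writer_is_blocked(path):
    """Database lock: while writer A holds a write transaction, writer B cannot
    start one. Returns (B_blocked_while_A_active, total_after_both_committed)."""
    a = sqlite3.connect(path, isolation_level=None)             # explicit BEGIN/COMMIT
    b = sqlite3.connect(path, isolation_level=None, timeout=0)  # do not wait for the lock
    a.execute("CREATE TABLE IF NOT EXISTS counter (n INTEGER)")
    a.execute("BEGIN IMMEDIATE")          # A takes the write lock
    a.execute("INSERT INTO counter VALUES (1)")
    try:
        b.execute("BEGIN IMMEDIATE")      # B wants the same lock
        blocked = False
        b.execute("ROLLBACK")
    except sqlite3.OperationalError:      # "database is locked"
        blocked = True
    a.execute("COMMIT")                   # A finishes, lock released
    b.execute("BEGIN IMMEDIATE")          # now B gets its turn
    b.execute("INSERT INTO counter VALUES (2)")
    b.execute("COMMIT")
    total = a.execute("SELECT SUM(n) FROM counter").fetchone()[0]
    a.close()
    b.close()
    return blocked, total


def lock_demo():
    """Run the lock demonstration on a throwaway database file."""
    with tempfile.TemporaryDirectory() as d:
        return second_writer_is_blocked(os.path.join(d, "locks.db"))


if __name__ == "__main__":
    conn = build_polyinstantiated_db()
    print("unclassified sees:", visible_schedule(conn, UNCLASSIFIED))
    print("secret sees:      ", visible_schedule(conn, SECRET))
    print("low insert of F300 with polyinstantiation:", low_user_insert(conn, "F300", "Rome"))
    print("low insert of F300 with single key:       ", low_user_insert(build_single_key_db(), "F300", "Rome"))
    print("second writer blocked, total:", lock_demo())
```

SQLite has no per-user GRANT, so the clearance filter lives in the query rather than in a stored view; in a server database the same SELECT would be wrapped in a view that each clearance level is granted instead of the base table.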

30
Q

Monitoring for Problems

Online Transaction Processing (OLTP) System

A

OLTP systems process transactions in real time, often across a cluster of databases. Their monitoring component watches for problems such as a process that stops working, and ensures an affected transaction is rolled back or reprocessed so that the databases stay consistent with each other.

31
Q

Monitoring for Problems

ACID test for OLTP ensures that each transaction has 4 properties before it is committed

Atomicity
Consistency
Isolation
Durability

A

Atomicity - either all operations of the transaction are completed or none of them are, and the database changes are rolled back

Consistency - the transaction takes the database from one valid state to another, so integrity rules (such as constraints) hold everywhere the data exists

Isolation - the transaction doesn't interact with other transactions until it's complete; other users do not see its intermediate results

Durability - once the transaction is committed, it persists (even after a crash or power loss) and cannot be rolled back
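The four properties exercised on one transaction, as an added example that is not part of the original flashcards. The accounts table, the CHECK constraint and the function names are constructed for this illustration. A transfer is one transaction: an overdraft trips the constraint (consistency) and the whole transfer is rolled back (atomicity), a second connection asked for the balance mid-transaction sees the old value (isolation), and reopening the file after closing shows only committed balances (durability):

```python
import os
import sqlite3
import tempfile

# Constructed account data (not from the original flashcards).
ACCOUNTS = [("alice", 100), ("bob", 20)]


def create_bank(path):
    """Accounts table whose CHECK constraint is the consistency rule:
    no balance may ever go negative."""
    conn = sqlite3.connect(path, isolation_level=None)  # explicit BEGIN/COMMIT below
    conn.execute("""CREATE TABLE accounts (
        owner TEXT PRIMARY KEY,
        balance INTEGER NOT NULL CHECK (balance >= 0))""")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def balance(conn, owner):
    rows = conn.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchall()
    return rows[0][0]


def transfer(conn, src, dst, amount, observer=None):
    """Move `amount` as ONE transaction.
    Atomicity: both updates persist or neither does.
    Consistency: the CHECK constraint rejects an overdraft and everything is rolled back.
    Isolation: `observer` (a second connection) reads src's balance while the
    transaction is open and must not see the uncommitted debit.
    Returns (committed, balance_seen_by_observer)."""
    observed = None
    conn.execute("BEGIN IMMEDIATE")
    try:
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE owner = ?", (amount, src))
        if observer is not None:
            observed = balance(observer, src)  # still the pre-transaction value
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE owner = ?", (amount, dst))
        conn.execute("COMMIT")
        return True, observed
    except sqlite3.IntegrityError:          # CHECK constraint failed: overdraft
        conn.execute("ROLLBACK")
        return False, observed


def durability_check(path, conn):
    """Durability: close the connection and reopen the file; committed balances
    survive and the rolled-back transfer leaves no trace."""
    conn.close()
    fresh = sqlite3.connect(path)
    result = dict(fresh.execute("SELECT owner, balance FROM accounts ORDER BY owner"))
    fresh.close()
    return result


def run_demo():
    """Returns (first_committed, balance_seen_mid_transaction, second_committed, final_balances)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bank.db")
        conn = create_bank(path)
        observer = sqlite3.connect(path)
        ok1, seen = transfer(conn, "alice", "bob", 30, observer)  # valid: commits
        ok2, _ = transfer(conn, "alice", "bob", 500)               # overdraft: rolled back
        observer.close()
        return ok1, seen, ok2, durability_check(path, conn)


if __name__ == "__main__":
    print(run_demo())
```

The debit runs first on purpose: if the two UPDATE statements were issued without BEGIN/COMMIT, a crash between them would leave money destroyed or created, which is exactly the state atomicity rules out.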

32
Q

Knowledge Based Systems

A

Use AI to emulate human logic

Use rules-based programming to determine reactions through if-then statements and inference engine to match patterns and facts
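A minimal inference engine of the kind the card describes, as an added example that is not part of the original flashcards. The facts, the if-then rules and the function names are constructed for this illustration; the engine is a generic forward-chaining matcher, and the rules happen to encode a login-abuse detection so the chaining has something security-relevant to conclude:

```python
# Constructed facts and rules (not from the original flashcards). Patterns are
# tuples; strings beginning with "?" are variables bound during matching.

FACTS = [
    ("failed_logins", "alice", "203.0.113.7", 12),
    ("failed_logins", "bob", "10.0.0.5", 2),
    ("successful_login", "alice", "203.0.113.7"),
    ("external", "203.0.113.7"),
    ("admin", "alice"),
]

# Each rule: (name, list of conditions, conclusion). A condition is a pattern
# or a callable over the bindings collected so far (used for thresholds).
RULES = [
    ("brute_force",
     [("failed_logins", "?u", "?ip", "?n"), ("external", "?ip"), lambda b: b["?n"] >= 5],
     ("suspected_brute_force", "?u", "?ip")),
    ("compromise",
     [("suspected_brute_force", "?u", "?ip"), ("successful_login", "?u", "?ip")],
     ("possible_compromise", "?u")),
    ("escalate",
     [("possible_compromise", "?u"), ("admin", "?u")],
     ("alert", "critical", "?u")),
]


def is_var(x):
    return isinstance(x, str) and x.startswith("?")


def match(pattern, fact, bindings):
    """Unify one pattern with one fact, extending `bindings`; None on mismatch."""
    if len(pattern) != len(fact):
        return None
    b = dict(bindings)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if b.get(p, f) != f:        # same variable must bind the same value
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def match_all(conditions, facts, bindings=None):
    """Every binding set that satisfies all conditions (patterns join on shared variables)."""
    bindings = bindings or {}
    if not conditions:
        return [bindings]
    first, rest = conditions[0], conditions[1:]
    if callable(first):
        return match_all(rest, facts, bindings) if first(bindings) else []
    results = []
    for fact in facts:
        b = match(first, fact, bindings)
        if b is not None:
            results.extend(match_all(rest, facts, b))
    return results


def substitute(pattern, bindings):
    return tuple(bindings.get(p, p) if is_var(p) else p for p in pattern)


def forward_chain(facts, rules):
    """Inference engine: fire every rule whose conditions match the current facts,
    add its conclusion, and repeat until no new fact is derived."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for _name, conditions, conclusion in rules:
            for b in match_all(conditions, facts):
                new_fact = substitute(conclusion, b)
                if new_fact not in facts:
                    facts.add(new_fact)
                    changed = True
    return facts


if __name__ == "__main__":
    for fact in sorted(forward_chain(FACTS, RULES) - set(FACTS)):
        print("derived:", fact)
```

The three derived facts chain: the brute-force rule fires on alice's external failures, its conclusion satisfies the compromise rule together with the later successful login, and that in turn satisfies the escalation rule because alice is an admin; bob's two internal failures never match. Adding a fact or a rule changes the conclusions without touching the engine, which is the point of separating the knowledge base from the inference engine.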

33
Q

Software Threats and Security

Virus Types

Boot Sector
Parasitic
Stealth
Polymorphic
Macro
Multipartite

A

Boot Sector - infects the boot sector or master boot record so it runs before the operating system loads

Parasitic - attaches itself to executable files and runs when the host program runs (file infector)

Stealth - hides its presence by intercepting system calls, e.g. returning the original file size or contents to anti-virus scanners

Polymorphic - changes its own code with each infection so that signature-based scanners do not recognize it

Macro - written in the macro language of an application such as a word processor or spreadsheet, spreads through documents

Multipartite - has multiple characteristics, e.g. infects both boot sectors and executable files

34
Q

Software Threats and Security

Worms

Trojan Horse

Logic Bomb

Spyware / Adware

A

Worms - self-replicating, spread across the network without user intervention

Trojan Horse - program that says it will do one thing, but does another

Logic Bomb - lies dormant and executes when a certain event or condition occurs

Spyware / Adware - spyware collects information about you without your consent; adware tracks you to tailor ads and spam

35
Q

Software Threats and Security

Botnet

A

Network of computers that have been taken over by an attacker and are controlled remotely, e.g. to send spam or launch DDoS attacks.

36
Q

Software Threats and Security

Rootkit

A

Can install a backdoor

remove all entries from security logs (log scrubbing)

replace default tools with compromised versions (trojaned binaries)

Can modify the operating system itself (kernel-mode rootkit) to hide its processes and files

37
Q

Software Threats and Security

Buffer Overflow
Escalation of Privileges
Backdoor

A

Buffer Overflow
Occurs when more data is written into a buffer than it can hold, overwriting adjacent memory. In the best case the process crashes; in the worst case the attacker overwrites a return address or function pointer and gets their own commands executed. Countermeasures: bounds checking on every input, memory-safe languages, and compiler/OS protections such as stack canaries, DEP/NX and ASLR

Escalation of Privileges
Exploiting a bug or vulnerability to allow a user to receive privileges he isn't entitled to

Backdoor
software installed by an attacker that lets them return later without going through the normal authentication process

38
Q

Software Threats and Security

Malware Protection

Antivirus
Antimalware
Security Policies

A

One of the best ways is to include standards of safe internet use in your policies. Also training. Antivirus and antimalware software remain necessary, but on their own they only catch what they already recognize.

39
Q

Software Threats and Security

Software Security Effectiveness

certification
accreditation

A

Certification - process of evaluating software for its security effectiveness against the customer's needs. Ratings can be a part of this.

Accreditation - formal acceptance of adequacy of a system’s overall security by the management

40
Q

Agile methodology

A

emphasis on continuous feedback and cross-functional teamwork

Doesn't use prototypes; instead breaks the product down into individual features that are constantly being delivered

Agile methodologies often use "User Stories" - a sentence that describes what the user wants and why. "As a customer I want to xxx so that yyy"

Lets you take parts of all SDLC models and combine them to meet unique project needs

41
Q

Scrum methodology

A

Widely adopted Agile methodology. Good for projects of any size, very lean and customer-focused

Allows the project to be reset by allowing features to be added, changed or removed at defined points (the name comes from the "scrum" in rugby). The customer is closely involved, so there are no surprises

Change points happen at the end of each "sprint", typically a 2-week interval

42
Q

Extreme Programming

A

Constant code reviewing (pair programming). Only the minimum amount of code needed is written. Reduces errors and complexity

43
Q

Kanban methodology

A

wall of columns: Planned, In Progress, Done

Helps teams react to changing or unknown requirements, like all Agile models

production scheduling system from Toyota

44
Q

Capability Maturity Model Integration

5 maturity levels

A

Guidelines for developing software and products.

5 maturity levels, each builds on the previous one

  1. Initial
  2. Repeatable
  3. Defined
  4. Managed
  5. Optimizing

Repeatable and Managed are the original Software CMM names for levels 2 and 4; CMMI renamed them Managed and Quantitatively Managed (see card 15)