Software Development Security Flashcards
Object-oriented programming typically uses ______ design
bottom-up
Freeware is “free as in beer” (gratis) software
free to use
Shareware is fully functional proprietary software that may be initially used free of charge.
Shareware for a specific period of time specified by the license
Crippleware
is partially functioning proprietary software, often with key features disabled.
The most prevalent of open source licenses
GPL
Waterfall Model
it cannot go back up
The Sashimi Model
based on (and a reaction to) the Waterfall Model.
Agile methods include
Scrum and Extreme Programming (XP).
Extreme Programming (XP) is an Agile development method that uses pairs of programmers who work off a detailed specification. There is a high level of customer involvement.
Extreme Programming improves a software project in five essential ways: communication, simplicity, feedback, respect, and courage.
The Spiral Model
The Spiral Model is a software development model designed to control risk.
Rapid Application Development (RAD)
The goal of RAD is quickly meeting the business need of the system; technical concerns are secondary. The customer is heavily involved in the process.
The Systems Development Life Cycle
initiation, development/acquisition, implementation, operation, and disposal
An Integrated Product Team (IPT)
is a customer-focused group that focuses on the entire lifecycle of a project:
Configuration Change Control
process for managing updates to the baseline configurations for the configuration items; and
Aggregation attack
is a mathematical attack where an attacker aggregates details at a lower classification to determine information at a higher classification.
Inference
but the attacker must logically deduce missing details: unlike aggregation, a mystery must be solved.
tuple
a row is a database record,
Referential integrity
means that every foreign key in a secondary table matches a primary key in the parent table
Semantic integrity
each attribute (column) value is consistent with the attribute data type.
Entity integrity
means each tuple has a unique primary key that is not null.
Database normalization
seeks to make the data in a database table logically concise, organized, and consistent.
data dictionary
description of the database tables
database schema
it describes the attributes and values of the database tables.
Data Definition Language (DDL)
DDL is used to create, modify, and delete tables.
Data Manipulation Language (DML)
DML is used to query and update data stored in the tables.
Database replication
mirrors a live database, allowing simultaneous reads and writes to multiple replicated databases by clients
A shadow database
a shadow database mirrors all changes made to a primary database, but clients do not access the shadow
Object-Oriented Programming (OOP)
changes the older structured programming methodology, and treats a program as a series of connected objects that communicate via messages
polyinstantiation
means “many instances,” two instances (specific objects) with the same names that contain different data.
Inheritance
Addy inherits an understanding of numbers and math from his parent class mathematical operators.
Object Request Brokers (ORBs)
Common object brokers included COM, DCOM, and CORBA.
COM
locates objects on a local system;
DCOM
can also locate objects over a network.
Common Object Request Broker Architecture (CORBA)
CORBA competes with Microsoft’s proprietary DCOM
Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)
Object-Oriented Analysis (OOA) seeks to understand (analyze) a problem domain (the challenge you are trying to address) and identifies all objects and their interaction. Object-Oriented Design (OOD) then develops (designs) the solution.
Software Capability Maturity Model (CMM)
maturity framework for evaluating and improving the software development process
The five levels of CMM are described
Initial, Repeatable, Defined, Managed, Optimizing
Acceptance testing
tests whether software meets various end-state requirements, from a user or customer, contract or compliance perspective
Expert systems consist of two main components
The first is a knowledge base that consists of “if/then” statements. These statements contain rules that the expert system uses to make decisions. The second component is an inference engine that follows the tree formed by the knowledge base, and fires a rule when there is a match.
Request Control
The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks.
Change Control
The change control process is used by developers to re-create the situation encountered by the user and analyze the appropriate changes to remedy the situation. It also provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment. Change control includes conforming to quality control restrictions, developing tools for update or change deployment, properly documenting any coded changes, and restricting the effects of new code to minimize diminishment of security.
White-Box Testing
White-box testing examines the internal logical structures of a program and steps through the code line by line, analyzing the program for potential errors.
Black-Box Testing
Black-box testing examines the program from a user perspective by providing a wide variety of input scenarios and inspecting the output. Black-box testers do not have access to the internal code. Final acceptance testing that occurs prior to system delivery is a common example of black-box testing.
Gray-Box Testing
Gray-box testing combines the two approaches and is popular for software validation. In this approach, testers examine the software from a user perspective, analyzing inputs and outputs. They also have access to the source code and use it to help design their tests. They do not, however, analyze the inner workings of the program during their testing.
Static Testing
Static testing evaluates the security of software without running it by analyzing either the source code or the compiled application.
Dynamic Testing
Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.
Atomicity
Database transactions must be atomic—that is, they must be an “all-or-nothing” affair. If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.
Consistency
All transactions must begin operating in an environment that is consistent with all of the database’s rules (for example, all records have a unique primary key). When the transaction is complete, the database must again be consistent with the rules, regardless of whether those rules were violated during the processing of the transaction itself. No other transaction should ever be able to use any inconsistent data that might be generated during the execution of another transaction.
Isolation
The isolation principle requires that transactions operate separately from each other. If a database receives two SQL transactions that modify the same data, one transaction must be completed in its entirety before the other transaction is allowed to modify the same data. This prevents one transaction from working with invalid data generated as an intermediate step by another transaction.
Durability
Database transactions must be durable. That is, once they are committed to the database, they must be preserved. Databases ensure durability through the use of backup mechanisms, such as transaction logs.