Software Development Security

Question 1

Object-oriented programming typically uses ——–design

Answer 1

bottom-up

Question 2

Freeware is “free as in beer” (gratis) software

Answer 2

free to use

Question 3

Shareware is fully functional proprietary software that may be initially used free of charge.

Answer 3

Shareware for a specific period of time specified by the license

Question 4

Crippleware

Answer 4

s partially functioning proprietary software, often with key features disabled.

Question 5

The most prevalent of open source licenses

Answer 5

GPL

Question 6

Waterfall Model

Answer 6

it cannot go back up

Question 7

The Sashimi Model

Answer 7

based on (and a reaction to) the Waterfall Model.

Question 8

Agile methods include

Answer 8

Scrum and Extreme Programming (XP).

Question 9

Extreme Programming (XP) is an Agile development method that uses pairs of programmers who work off a detailed specification. There is a high level of customer involvement.

Answer 9

Extreme Programming improves a software project in five essential ways, communication, simplicity, feedback, respect, and courage

Question 10

The Spiral Model

Answer 10

The Spiral Model is a software development model designed to control risk.

Question 11

Rapid Application Development (RAD)

Answer 11

The goal of RAD is quickly meeting the business need of the system; technical concerns are secondary. The customer is heavily involved in the process.

Question 12

The Systems Development Life Cycle

Answer 12

initiation, development/acquisition, implementation, operation, and disposal

Question 13

An Integrated Product Team (IPT)

Answer 13

is a customer-focused group that focuses on the entire lifecycle of a project:

Question 14

Configuration Change Control

Answer 14

process for managing updates to the baseline configurations for the configuration items; and

Question 15

Aggregation attack

Answer 15

is a mathematical attack where an attacker aggregates details at a lower classification to determine information at a higher classification.

Question 16

Inference

Answer 16

but the attacker must logically deduce missing details: unlike aggregation, a mystery must be solved.

Question 17

tuple

Answer 17

a row is a database record,

Question 18

Referential integrity

Answer 18

means that every foreign key in a secondary table matches a primary key in the parent table

Question 19

Semantic integrity

Answer 19

each attribute (column) value is consistent with the attribute data type.

Question 20

Entity integrity

Answer 20

means each tuple has a unique primary key that is not null.

Question 21

Database normalization

Answer 21

seeks to make the data in a database table logically concise, organized, and consistent.

Question 22

data dictionary

Answer 22

description of the database tables

Question 23

database schema

Answer 23

it describes the attributes and values of the database tables.

Question 24

Data Definition Language (DDL)

Answer 24

DDL is used to create, modify, and delete tables.

Question 25

Data Manipulation Language (DML).

Answer 25

DML is use to query and update data stored in the tables.

Question 26

Database replication

Answer 26

mirrors a live database, allowing simultaneous reads and writes to multiple replicated databases by clients

Question 27

A shadow database

Answer 27

a shadow database mirrors all changes made to a primary database, but clients do not access the shadow

Question 28

Object-Oriented Programming (OOP)

Answer 28

changes the older structured programming methodology, and treats a program as a series of connected objects that communicate via messages

Question 29

polyinstantiation

Answer 29

means “many instances,” two instances (specific objects) with the same names that contain different data.

Question 30

Inheritance

Answer 30

Addy inherits an understanding of numbers and math from his parent class mathematical operators.

Question 31

Object Request Brokers (ORBs)

Answer 31

Common object brokers included COM, DCOM, and CORBA.

Question 32

COM

Answer 32

locates objects on a local system;

Question 33

DCOM

Answer 33

can also locate objects over a network.

Question 34

Common Object Request Broker Architecture (CORBA)

Answer 34

CORBA competes with Microsoft’s proprietary DCOM

Question 35

Object-Oriented Analysis (OOA) and Object-Oriented Design (OOD)

Answer 35

Object-Oriented Analysis (OOA) seeks to understand (analyze) a problem domain (the challenge you are trying to address) and identifies all objects and their interaction. Object-Oriented Design (OOD) then develops (designs) the solution.

Question 36

Software Capability Maturity Model (CMM)

Answer 36

maturity framework for evaluating and improving the software development process

Question 37

The five levels of CMM are described

Answer 37

Initial,Repeatable,Defined,Managed,Optimizing

Question 38

Acceptance testing

Answer 38

tests whether software meets various end-state requirements, from a user or customer, contract or compliance perspective

Question 39

Acceptance testing

Answer 39

tests whether software meets various end-state requirements, from a user or customer, contract or compliance perspective

Question 40

Expert systems consist of two main components

Answer 40

The first is a knowledge base that consists of “if/then” statements. These statements contain rules that the expert system uses to make decisions. The second component is an inference engine that follows the tree formed by the knowledge base, and fires a rule when there is a match.

Question 41

Request Control

Answer 41

The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks.

Question 42

Change Control

Answer 42

The change control process is used by developers to re-create the situation encountered by the user and analyze the appropriate changes to remedy the situation. It also provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment. Change control includes conforming to quality control restrictions, developing tools for update or change deployment, properly documenting any coded changes, and restricting the effects of new code to minimize diminishment of security.

Question 43

White-Box Testing

Answer 43

hite-box testing examines the internal logical structures of a program and steps through the code line by line, analyzing the program for potential errors.

Question 44

Black-Box Testing

Answer 44

Black-box testing examines the program from a user perspective by providing a wide variety of input scenarios and inspecting the output. Black-box testers do not have access to the internal code. Final acceptance testing that occurs prior to system delivery is a common example of black-box testing.

Question 45

Gray-Box Testing

Answer 45

Gray-box testing combines the two approaches and is popular for software validation. In this approach, testers examine the software from a user perspective, analyzing inputs and outputs. They also have access to the source code and use it to help design their tests. They do not, however, analyze the inner workings of the program during their testing.

Question 46

Static Testing

Answer 46

Static testing evaluates the security of software without running it by analyzing either the source code or the compiled application.

Question 47

Dynamic Testing D

Answer 47

ynamic testing evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else

Question 48

Atomicity

Answer 48

Database transactions must be atomic—that is, they must be an “all-or-nothing” affair. If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.

Question 49

Consistency

Answer 49

All transactions must begin operating in an environment that is consistent with all of the database’s rules (for example, all records have a unique primary key). When the transaction is complete, the database must again be consistent with the rules, regardless of whether those rules were violated during the processing of the transaction itself. No other transaction should ever be able to use any inconsistent data that might be generated during the execution of another transaction.

Question 50

Isolation

Answer 50

The isolation principle requires that transactions operate separately from each other. If a database receives two SQL transactions that modify the same data, one transaction must be completed in its entirety before the other transaction is allowed to modify the same data. This prevents one transaction from working with invalid data generated as an intermediate step by another transaction.

Question 51

Durability

Answer 51

Database transactions must be durable. That is, once they are committed to the database, they must be preserved. Databases ensure durability through the use of backup mechanisms, such as transaction logs