Software Security Flashcards

1
Q

Data normalization

A

ensures that attributes in a database table depend only on the primary key.

It removes redundant data and improves the integrity and availability of the database.

2
Q

Which testing technique focuses only on testing the design and internal logical structure of the software product rather than its functionality?

A

white-box testing

3
Q

Which test design typically focuses on testing functional requirements?

A

black-box testing

4
Q

Which database feature ensures that the entire transaction is executed to ensure data integrity?

A

two-phase commit

5
Q

Rapid Application Development (RAD)

A

rapidly develops software via the use of prototypes, “dummy” GUIs, back-end databases, and more.

The goal of RAD is quickly meeting the business need of the system; technical concerns are secondary.

The customer is heavily involved.

It relies on tools that enable quick development, such as GUI builders, CASE, DBMS, and OO.

6
Q

Joint Analysis Development (JAD)

A

helps developers work directly with users to develop a working application.

A disadvantage is that the involvement of large numbers of users may lead to political pressures that work against security considerations.

7
Q

What is degree?

A

the number of columns in a table

8
Q

What is cardinality?

A

the number of rows in a table.

9
Q

What are atomic values?

A

means that at every row/column position in every table there is always exactly one data value and never a set of values.

10
Q

What is Open Database Connectivity (ODBC)?

A

an application programming interface (API) that can be configured to allow any application to query databases. The

11
Q

What are the security issues with ODBC?

A

- The username and password for the database are stored in plaintext.
- The actual call and the returned data are sent as cleartext over the network.
- Calling applications must be checked to ensure they do not attempt to combine data from multiple data sources, thus allowing data aggregation.
- Calling applications must be checked to ensure they do not attempt to exploit the ODBC drivers and gain elevated system access.

12
Q

What is OLE DB?

A

method of linking data from different databases together.

13
Q

What is ORB?

A

Object Request Brokers (ORBs) can be used to locate objects: they act as object search engines.

ORBs are middleware. Common object brokers include COM, DCOM, and CORBA.

14
Q

What is Normalization?

A

it removes redundancies in the data, and ensures that attributes in a database table depend only on the primary key.

This makes the database consistent and easy to maintain and improves the integrity and availability of the database.

15
Q

What is the risk of metadata?

A

the risk of privacy violations and of compromised data integrity.

16
Q

What is OLAP?

A

Online Analytical Processing (OLAP) is designed to record all of the business transactions of an organization as they occur, in real time and concurrently.

17
Q

How can database views be compromised?

A

There is difficulty in verifying how the software performs the view processing.

The view only limits the data the user sees; it does not limit the operations that may be performed on the view.

The layered model frequently used in database interface design may provide multiple alternative routes to the same data, not all of which may be protected.

18
Q

What is Atomicity?

A

when all the parts of a transaction’s execution are either all committed or all rolled back—do it all or not at all.

19
Q

What is Consistency?

A

occurs when the database is transformed from one valid state to another valid state based on user-defined integrity constraints.

20
Q

What is Isolation?

A

the process guaranteeing that the results of a transaction are invisible to other transactions until the transaction is complete.

21
Q

What is durability?

A

ensures the results of a completed transaction are permanent and can survive future system and media failures.

22
Q

When is OLAP necessary?

A

used when databases are clustered to provide fault-tolerance and higher performance.

The main goal of OLTP is to ensure that transactions happen properly or they don’t happen at all by rolling back using transaction logs.

23
Q

What are the security concerns for OLTP systems?

A

concurrency and atomicity.

24
Q

What is Noise and perturbation?

A

a technique of inserting bogus information in the hopes of misdirecting an attacker enough that the actual attack will not be fruitful.

25
Q

What is the benefit of a database view?

A

used to provide a constrained user interface by implementing least privilege and need-to-know, and to provide content-dependent access restrictions.

26
Q

What is CORBA?

A

an open, object-oriented standard architecture developed by the Object Management Group (OMG); a vendor-neutral networked object broker competing with Microsoft’s DCOM.

enforces fundamental object-oriented design, as low-level details are encapsulated (hidden) from the client.

27
Q

What are the characteristics of CORBA?

A

communicate via a message interface, described by the interface definition language (IDL).

a middleware that establishes a client–server relationship.

enables applications to communicate with one another no matter where the applications are located or who developed them.

enforces fundamental object-oriented design, as low-level details are encapsulated from the client.

28
Q

What is Dynamic Data Exchange (DDE)?

A

enables applications to work in a client/server model by providing direct communication between two applications using interprocess communication (IPC).

29
Q

Verification phase

A

includes activities to verify compliance of the system with security requirements.

Verification determines if the product accurately represents and meets the design specifications given to the developers.

This step ensures that the specifications are properly met and closely followed by the development team.

30
Q

Validation phase

A

determines if the product provides the necessary solution for the intended real-world problem.

It validates whether or not the final product is what the user expected in the first place and whether or not it solves the problem it was intended to solve.

Verification -> Validation

31
Q

Timestamping

A

provides a window of time indicating how long a message is valid.

32
Q

Nonce

A

is a random value that is used to periodically authenticate the receiving system.

33
Q

To ensure integrity.

A

You need to implement time and date stamps in an application program while transactions are being recorded.

34
Q

Software Capability Maturity Model (CMM)

A

a maturity framework for evaluating and improving the software development process. Carnegie Mellon University’s (CMU) Software Engineering Institute (SEI) developed the model.

The goal of CMM is to develop a methodical framework for creating quality software that allows measurable and repeatable results.

35
Q

The five levels of CMM

A
Initial
Repeatable
Defined
Managed
Optimizing
36
Q

Artificial neural networks

A

simulate neural networks found in humans and animals.

capable of making a single decision based on thousands or more inputs.

37
Q

An artificial neural network learns by

A

example via a training function; synaptic weights are changed via an iterative process until the output node fires correctly for a given set of inputs.

Used for “fuzzy” solutions, where exactness is not always required (or possible), such as predicting the weather.

38
Q

Genetic algorithms and programming

A

instead of being coded by a programmer, they evolve to solve a problem.

It seeks to replicate nature’s evolution, where animals evolve to solve problems.

39
Q

What is the purpose of atomicity in an online transaction processing (OLTP) environment?

A

It ensures that only complete transactions take place.

40
Q

What should you do to ensure the stability of the test environment?

A

Separate the test and development environments.

41
Q

Which database feature limits user and group access to certain information based on the user privileges and the need to know?

A

database views

42
Q

What are tuples?

A

rows or records in a relational database

43
Q

How is assurance achieved?

A

using verification and validation

44
Q

What is the process of identifying, controlling, and auditing changes that are made to a trusted computing base (TCB)?

A

configuration management

45
Q

What are the Spiral model steps?

A

1) product design,
2) system requirements,
3) concept of operations,
4) implementation.

Each round includes multiple repeated steps, including prototype development and a risk analysis. A risk analysis is performed each round to lower the overall risk of the project. The spiral ends with successful implementation of the project.