CISSP-8-Software-Development-Security


Software Development Models

1) Build and Fix 2) Waterfall 3) V-Shaped 4) Prototyping 5) Incremental 6) Spiral 7) Rapid Application Development (RAD) 8) Agile. It is not uncommon for organizations to adopt one of these models and customize it to their own needs.

Software Requirement Models

1) Informational 2) Functional 3) Behavioral

Programming Language Generations

1) Machine 2) Assembly 3) High-level 4) Very High-level 5) Natural. The higher the generation, the more abstraction from the underlying hardware.

Software Development Life Cycle (SDLC)

1) Requirements Gathering 2) Design 3) Development 4) Testing / Validation / Deployment 5) Release / Maintenance

Testing Types

1) Unit 2) Integration 3) Acceptance 4) Regression 5) Fuzzing 6) SAST/DAST/Manual

Common Weakness Enumeration (CWE)

A MITRE initiative, which MITRE describes as "A Community-Developed Dictionary of Software Weakness Types". MITRE collaborated with the SANS Institute on the CWE/SANS Top 25 Most Dangerous Software Errors list.

Capability Maturity Model Integration (CMMI)

A comprehensive, integrated set of guidelines for developing software that describes the procedures, principles and practices underlying development process maturity. Levels: 0) Incomplete 1) Initial / Ad hoc 2) Repeatable (CMMI itself names this level Managed) 3) Defined / Documented 4) Quantitatively Managed (CMM: Managed) 5) Optimizing. Hint: IR DQ Optimized

Buffer Overflow

A condition that exists when a program attempts to put more data in a buffer than it can hold, or writes data into a memory area past the end of a buffer. Caused by a lack of input validation and bounds checking (e.g., an unbounded copy such as strcpy into a fixed-size buffer). Can cause DoS (a crash) and, when the overwritten memory holds control data such as a saved return address or a privilege flag, privilege escalation or arbitrary code execution.
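As an added example (not from the original flashcards), the vulnerable pattern in C beside its bounds-checked replacement. The function names, BUF_SIZE and the sample input are illustrative; the oversized storage in overflow_spill is a constructed stand-in for whatever really follows a buffer in memory, so the overflow can be observed without undefined behaviour.

```c
/* Added example, not from the original page: an unchecked string copy
 * that overflows a fixed-size buffer, beside a bounds-checked replacement.
 * Function names, BUF_SIZE and the sample input are all illustrative. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* the size the callee is told dst has */

/* Vulnerable: copies until the NUL terminator and trusts that dst is big
 * enough. Nothing enforces BUF_SIZE, so a longer src writes past the end
 * of the buffer (the classic strcpy-style overflow). */
void copy_unchecked(char *dst, const char *src)
{
    size_t i = 0;
    do {
        dst[i] = src[i];
    } while (src[i++] != '\0');
}

/* Hardened: never writes more than dstsz bytes, always NUL-terminates,
 * and reports an oversized input instead of silently corrupting memory.
 * Returns 0 on success, -1 if src (plus its terminator) does not fit;
 * on failure dst is left as an empty string. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')   /* bounded scan: reads at most dstsz bytes of src */
        n++;
    if (n == dstsz) {                     /* no room left for the terminator: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);              /* n bytes plus NUL, and n + 1 <= dstsz */
    return 0;
}

/* Shows the overflow without invoking undefined behaviour: the backing
 * storage is deliberately larger than BUF_SIZE, so the bytes after the
 * first BUF_SIZE stand in for whatever really follows a buffer on the
 * stack or heap (a saved return address, an is_admin flag, heap metadata).
 * Returns how many bytes copy_unchecked wrote beyond BUF_SIZE. */
size_t overflow_spill(const char *src)
{
    unsigned char backing[64];
    memset(backing, 0, sizeof backing);
    if (strlen(src) >= sizeof backing)    /* keep the demonstration itself in bounds */
        return 0;
    copy_unchecked((char *)backing, src); /* caller "promised" only BUF_SIZE bytes */
    size_t spilled = 0;
    for (size_t i = BUF_SIZE; i < sizeof backing; i++)
        if (backing[i] != 0)
            spilled++;
    return spilled;
}

/* Runs copy_bounded against a BUF_SIZE buffer and returns its status. */
int bounded_status(const char *src)
{
    char buf[BUF_SIZE];
    return copy_bounded(buf, sizeof buf, src);
}

int main(void)
{
    const char *attack = "AAAAAAAAAAAAAAAA";   /* constructed: 16 bytes, twice BUF_SIZE */
    printf("copy_unchecked spilled %zu bytes past the %d-byte buffer\n",
           overflow_spill(attack), BUF_SIZE);
    printf("copy_bounded on the same input: %d (-1 = rejected)\n", bounded_status(attack));
    printf("copy_bounded on \"admin\": %d (0 = ok)\n", bounded_status("admin"));
    return 0;
}
```

The hardened version rejects an input that fills the buffer exactly with no room for the terminator; silently truncating instead is a common "fix" that trades the overflow for a different bug (a string that is no longer what the caller sent).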

Statement of Work (SOW)

A document routinely employed in the field of project management as it defines project-specific activities, deliverables and timelines for a vendor providing services to the customer

Sprint

A fixed-duration development interval, usually (but not always) two weeks long. The team commits to delivering a specific set of features, chosen by the team and/or the customer.

Capability Maturity Model (CMM)

A general model that allows for maturity-level identification and maturity improvement steps. Levels: 1) Initial 2) Repeatable 3) Defined 4) Managed 5) Optimizing. CMMI is one example that brought many of these models together.

Privilege Escalation

A method of exploiting a running process or configuration setting in order to gain access to resources that would normally not be available to the process or its user

Cleanroom

A model that attempts to prevent errors or mistakes by following structured and formal methods of development and testing. Used for high-quality and mission-critical applications that will be put through a strict certification process (no errors allowed).

Reuse Model

A model that evolves by gradually modifying pre-existing prototypes to customer specifications instead of building from scratch

Exploratory Model

A model used when clearly defined project objectives have not been presented. Instead of focusing on explicit tasks, this model relies on covering a set of specifications likely to affect the final product's functionality.

Rapid Application Development (RAD)

A model that puts less emphasis on planning and more on an adaptive process, where prototypes are often used in addition to, or sometimes even in place of, design specifications. Combines prototyping with iterative development procedures to accelerate the software development process. Well suited for (although not limited to) software driven by user-interface requirements. Places strict time limits on each phase of a project.

Joint Application Development (JAD)

A model that uses a team approach to application development in a workshop-oriented environment, bringing in people other than developers, such as executives, end users and SMEs.

Spiral Model

A model that uses an iterative approach to software development and places emphasis on risk analysis: an iteration of waterfalls, each producing a more mature prototype than the one before. Made up of four phases: 1) Determine Objectives 2) Identify and Resolve Risks 3) Develop and Test 4) Plan the Next Iteration (customer input). In the diagram the angular dimension represents progress and the radius of the spiral represents cumulative cost. A good model for complex projects with fluid requirements. The four phases map loosely onto Plan Do Check Act (PDCA).

Incremental Model

A model where the product is designed, implemented and tested incrementally (a little more is added each time) until it is finished, involving both development and maintenance. Multiple development cycles are carried out on the software throughout its development stages, and each cycle delivers a usable version. Best used when issues pertaining to risk, program complexity, funding and functionality requirements need to be understood early in the life cycle.

Integrated Product Team (IPT)

A multidisciplinary development team made up of stakeholders from different groups: developers, testers, SMEs, customers, etc. More agile, since decisions are made across groups instead of hierarchically. A management technique that works well with the JAD model.

Kanban

A production scheduling system developed by Toyota to support just-in-time delivery more efficiently, later adopted as an agile methodology for software. Stresses visual tracking of tasks (a board with columns such as to-do, in progress and done) so that the team knows what to prioritize at each point in time in order to deliver the right features on time.

Work Breakdown Structure (WBS)

A project management tool used to define and group a project's individual work elements in an organized manner: a deliberate decomposition of the project into tasks and subtasks that result in clearly defined deliverables.

Prototyping Model

A sample of software code or a model developed to explore a specific approach to a problem before investing expensive time and resources. Releases versions of an application for user review; an iterative method in which source code is written and released for review, then revised based on that review, repeating until the final version is released. Variants: 1) Rapid 2) Evolutionary 3) Operational

User Story

A sentence that describes what a user wants to do and why

Threat Modeling

A systematic approach used to understand how different threats could be realized and how a successful compromise could take place

Static Analysis

A technique meant to help identify software defects or security policy violations, carried out by examining the code without executing it (SAST tools, code review). Good at finding known unsafe patterns, but cannot reveal design flaws or business-logic errors, and produces false positives that must be triaged.

Fuzzing

A technique used to discover flaws and vulnerabilities in software by sending large amounts of malformed, unexpected or random data to the target program in order to trigger failures (crashes, hangs, assertion failures). Mutation-based fuzzers modify valid seed inputs; generation-based fuzzers build inputs from a model of the expected format.
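As an added example (not from the original flashcards), a minimal mutation-based fuzz harness in C run against a deliberately buggy length-prefixed record parser, and then against the fixed parser. The record format, the seed input and all function names are constructed for the demo; a real fuzzer such as AFL++ or libFuzzer would drive the target the same way but with coverage feedback and crash reporting.

```c
/* Added example, not from the original page: a minimal mutation-based
 * fuzz harness in C against a deliberately buggy record parser, then the
 * same harness against the fixed parser. All names and the seed input
 * are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INPUT 16

/* Tiny deterministic PRNG so any failing case can be reproduced from the
 * seed; real fuzzers (AFL++, libFuzzer) save the failing input itself. */
static uint32_t rng_state;
static uint32_t rng_next(void)
{
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 8;
}

/* Target under test. Record format: byte 0 is the declared payload
 * length L, bytes 1..L are the payload. On success writes the offset of
 * the byte following the record and returns 0; returns -1 on error.
 * BUG: L is trusted without comparing it to the actual input length, so a
 * malformed record "ends" beyond the buffer and the next stage would read
 * out of bounds. */
int parse_record(const uint8_t *buf, size_t len, size_t *end_out)
{
    if (len == 0)
        return -1;
    size_t declared = buf[0];
    *end_out = 1 + declared;
    return 0;
}

/* Fixed parser: rejects a declared length that does not fit in the input. */
int parse_record_fixed(const uint8_t *buf, size_t len, size_t *end_out)
{
    if (len == 0)
        return -1;
    size_t declared = buf[0];
    if (1 + declared > len)        /* the missing bounds check */
        return -1;
    *end_out = 1 + declared;
    return 0;
}

typedef int (*parser_fn)(const uint8_t *, size_t, size_t *);

/* Mutation-based fuzz loop: start from a valid seed record, apply one
 * random mutation per iteration, run the target, and check the invariant
 * "a successfully parsed record never ends past the input". Returns the
 * number of invariant violations seen in `iters` runs (0 = nothing found). */
size_t fuzz(parser_fn target, uint32_t seed, size_t iters)
{
    static const uint8_t valid[] = { 3, 'a', 'b', 'c' };   /* constructed seed input */
    uint8_t in[MAX_INPUT];
    size_t failures = 0;

    rng_state = seed;
    for (size_t i = 0; i < iters; i++) {
        size_t len = sizeof valid;
        memcpy(in, valid, len);
        switch (rng_next() % 3) {
        case 0:  in[rng_next() % len] = (uint8_t)rng_next(); break; /* overwrite a byte */
        case 1:  len = 1 + rng_next() % len;                 break; /* truncate the record */
        default: in[0] = (uint8_t)(len + rng_next() % 200);  break; /* inflate the length field */
        }
        size_t end = 0;
        if (target(in, len, &end) == 0 && end > len)
            failures++;                               /* the "crash" a real fuzzer would log */
    }
    return failures;
}

int main(void)
{
    printf("buggy parser: %zu failing inputs in 1000 runs\n", fuzz(parse_record, 42, 1000));
    printf("fixed parser: %zu failing inputs in 1000 runs\n", fuzz(parse_record_fixed, 42, 1000));
    return 0;
}
```

The invariant check is what turns random input into a finding: without an oracle (a crash, a sanitizer report, or an explicit property like "end never exceeds len") the harness would run the buggy parser a thousand times and report nothing.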

Test-driven Development (TDD)

A technique in which you must first write a test that fails before you write the new functional code that makes it pass. Quickly adopted by agile software developers.

Software Escrow

A third party keeps a copy of the source code, and possibly other materials, which it will release to the customer only if specific circumstances arise, mainly if the vendor who developed the code goes out of business or for some reason is not meeting its obligations and responsibilities

Assembler

A tool that converts assembly language source code into machine code

Regression Testing

After a change to a system takes place, retesting to ensure functionality, performance, and protection are not broken

Extreme Programming (XP)

An agile methodology that takes code reviews to the extreme by having them take place continuously through pair programming, which significantly reduces the incidence of errors and improves the overall quality of the code. Unit tests are written before the code. High level of customer involvement. Only the minimal amount of code needed to pass the unit test is written, which reduces complexity.

Pair Programming

An agile software development technique in which two programmers work together at one workstation, where one, the driver, writes code while the other, the observer or navigator, reviews each line as it is typed in

Rapid Prototyping Model

An approach that allows the development team to quickly create a prototype (sample) to test the validity of the current understanding of the project requirements. A quick-and-dirty, throwaway approach to see if everyone is on the right path; the prototype is discarded after evaluation.

Operational Prototyping Model

An extension of the evolutionary prototyping method, but this prototype is designed to be deployed within a production environment while it is still being tweaked. It is updated as customer feedback is gathered, and the changes to the software happen within the working site.

Object

An instance of a class with possible methods and encapsulated attribute values

ISO/IEC 27034

An international standard that covers the following areas: application security overview and concepts, organization normative framework, application security management process, protocols and application security control data structure, case studies, and application security assurance prediction

Air-gapped

An isolated network with no physical or logical connection to other networks, accessible only from inside.

Agile Model

An umbrella term for several development models that focus on incremental and iterative development, promoting cross-functional teamwork and continuous feedback. Lightweight compared to traditional methods like Waterfall. Works from user stories rather than prototypes, delivering tiny functional pieces, and adapts, integrates and customizes existing models where needed. The Agile Manifesto lists 12 principles. Examples: AUP, DSDM, XP, Scrum

2GL

Assembly Language. A programming language tied to the computer architecture that uses symbols (mnemonics) such as ADD, PUSH and POP to represent machine-code instructions. An assembler converts it to machine code. Requires extensive knowledge of the architecture; computer architecture / processor dependent.

Compiler

Converts high-level language statements into machine code ahead of execution, producing native binaries (.exe, .dll, .so). A compiler can target various architectures, but each output is specific to one.

Maintenance Hook / Backdoor

Created by developers during development to bypass security controls (e.g., a hardcoded credential or hidden command) as a matter of convenience. Always check for and remove them before release to production, since a hook left in shipping code is a backdoor for attackers too.

Release / Maintenance

Deploying the software and then ensuring that it is properly configured, patched and monitored. Things to do: 1) Final security review

V-Shaped Model

Developed after the Waterfall model; emphasizes verification and validation at each phase, with testing planned throughout the project rather than only at the end. Best used when all requirements can be understood up front and potential scope changes are small. Hint: V is for verification and validation

Informational Model

Dictates the type of information to be processed and how it will be done

Verification

Did we build the product right? Determines if the product accurately represents and meets the specifications

Validation

Did we build the right product? Determines whether the product provides the necessary solution for the intended real-world problem, as opposed to verification, which checks that it conforms to its specification.

Separation of Duties

Different environment types (development, testing and production) should be properly separated. Functions and operations should not overlap: developers should not have access to modify code or data in production, and promotion of code between environments should go through change control.

Interpreter

Performs the last step of transforming high-level code into machine-level code, at run time. Usually a very high-level or high-level language is first translated into an intermediate, platform-independent format such as bytecode; the interpreter (or virtual machine) then converts it to machine code for on-demand execution. Advantages include platform independence and centralized memory management.

Acceptance Testing

Ensuring that the code meets customer requirements

Behavioral Model

Explains the states the application will be in during and after specific transitions

3GL

High-level Language. More human-friendly, using logic-flow statements such as IF-THEN-ELSE and mathematical operators such as + / -. Computer architecture / processor independent. Examples: compiled languages (C/C++)

Garbage Collector

Identifies blocks of memory that were once allocated but are no longer in use, deallocates them and marks them as free. Mitigates memory-leak DoS; note that freed memory is not necessarily wiped, so sensitive data can persist in it (object reuse).

Scope Creep

In project management this refers to changes, continuous or uncontrolled growth in a project's scope, at any point after the project begins Occurs when the scope of a project is not properly defined, documented or controlled

Manual Testing

Involves code auditing by security-centric programmers who try to subvert the program's logic using rogue inputs and reverse-engineering techniques. Manual tests simulate the live scenarios involved in real-world attacks and may also include social engineering.

Attack Surface

Everything exposed to an attacker that can be used against the product itself: open ports, APIs, input fields, file parsers, privileges, etc.

Versioning

Keeping track of file revisions, which makes it possible to "roll back" to a previous version in case something goes wrong or needs repeating

1GL

Machine Language. A programming language understood directly by the computer architecture (0s and 1s)

CMMI - Initial

Maturity level 1 The software process is characterized as ad hoc and occasionally even chaotic Few processes are defined, and success depends on individual effort Success is usually the result of individual heroics

CMMI - Repeatable

Maturity level 2 Basic project management processes are established to track cost, schedule and functionality The necessary process discipline is in place to repeat earlier successes on projects with similar applications

CMMI - Defined / Documented

Maturity level 3 The software process for both management and engineering activities is documented, standardized and integrated into a standard software process for the organization Projects use an approved, tailored version of the organization's standard software process for developing and maintaining software

CMMI - Quantitatively Managed / Measured

Maturity level 4 Detailed measures of the software process and product quality are collected, analyzed and used to control the process Both the software process and products are quantitatively understood and controlled

CMMI - Optimizing

Maturity level 5 Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies

Build and Fix Model

No architecture design is carried out; development takes place immediately with little or no planning involved. Flaws are dealt with reactively after release through patches and updates. A reactive model, not a proactive one.

P3 (Low Privacy Risk)

No behaviors exist within the feature, product or service that affect privacy: no anonymous or personal data is transferred, no PII is stored on the machine, no settings are changed on the user's behalf and no software is installed.

Scrum

One of the most widely adopted agile methodologies in use today It lends itself to projects of any size and complexity and is very lean and customer focused Acknowledges the fact that customer needs cannot be completely understood and will change over time Focuses on team collaboration, customer involvement and continuous delivery

Functional Model

Outlines the tasks and functions that an application needs to carry out

Privacy Impact Rating

P1 (High Privacy Risk): stores or transfers PHI/PII, runs as root, or installs software. P2 (Moderate Privacy Risk): a one-time, user-initiated anonymous transfer. P3 (Low Privacy Risk): nothing that affects privacy. Usually assigned as the privacy risk assessment completes.

Quality

Refers to how good or bad something is for its intended purpose

Requirements Gathering

SDLC Phase 1. Determine "why" to create the software, "what" the software will do and for "whom" it will be created. Things to do: 1) Security requirements 2) Security risk assessment 3) Privacy risk assessment 4) Risk-level assessment 5) Informational, functional and behavioral requirements

Design

SDLC Phase 2. Deals with "how" the software will accomplish the goals identified, which are encapsulated into a functional plan. Things to do: 1) Attack Surface Analysis 2) Threat Modeling

Development

SDLC Phase 3. Programming software code to meet the specifications laid out in the design phase and integrating that code with existing systems and/or libraries. Things to do: 1) Automated CASE tools 2) Static analysis and code reviews

Evolutionary Prototyping Model

Similar to rapid prototyping, but instead of throwing away the original prototype, the goal is incremental improvement until it reaches the final product stage, within a controlled lab environment. Feedback gained through each development phase is used to improve the prototype and get closer to meeting the customer's needs.

Unit Testing

Testing individual components in a controlled environment, where programmers validate data structures, logic and boundary conditions. Unit tests are normally written and run by the developers themselves; independent testers take over at the integration and acceptance stages, which is where separation of duties applies.

Modularity

The building blocks of software are autonomous objects, cooperating through the exchange of messages

Dynamic Analysis

The evaluation of a program in real time while it is running, commonly carried out once a program has cleared the static analysis stage. Effective for compatibility testing, detecting memory leaks, identifying dependencies and analyzing software without access to its source code. Its primary advantage is that it observes the program under real conditions, without having to create artificial error-inducing scenarios.

P1 (High Privacy Risk)

The feature, product or service stores or transfers personally identifiable information (PII), monitors the user with an ongoing transfer of anonymous data, changes settings or file type associations or installs software

5GL

The goal is to create software that can solve problems by itself instead of a programmer having to develop code to deal with individual and specific problems Think of artificial intelligence and visual interfaces

Deferred Commitment

The internal components of an object can be redefined without changing other parts of the system

DevOps

The practice of incorporating development, IT operations and QA staff into software development projects to align their incentives and enable frequent, efficient and reliable releases of software products. Combines Software Development, Quality Assurance and Operations (often drawn as three overlapping circles of a Venn diagram).

Change Control Steps

The process of controlling the changes that take place during the life cycle of a system and documenting the necessary activities: 1) Request 2) Analyze 3) Record 4) Approve 5) Develop and Test 6) Report to Management

Abstraction

The programmer does not need to worry about the intricate details of a class or object, since they are hidden from view; only the exposed interface (properties and methods) can be examined and used, e.g., calling print() without knowing how it is implemented.

P2 (Moderate Privacy Risk)

The sole behavior that affects privacy in the feature, product or service is a one-time, user-initiated anonymous data transfer (e.g., the user clicks on a link and goes out to a website)

Software Configuration Management (SCM)

The task of tracking and controlling changes in the software, part of the larger cross-disciplinary field of configuration management. Includes revision control and the establishment of baselines for integrity's sake.

Attack Surface Analysis

To identify and reduce the amount of code and functionality accessible to untrusted users (entry points, exposed services, privileges). Usually done with automated tools.

Computer-aided Software Engineering

Tools that programmers can use to generate code, test software and carry out debugging activities in an automated fashion Include IDEs, debuggers, code analyzers, version control, etc.

Build Security In (BSI)

U.S. Department of Homeland Security (DHS) initiative that provides best practices, tools, guidelines, rules, principles, and other resources that software developers, architects and security practitioners can use to build security into software in every phase of its development

Testing / Validation

Verifying and validating software to ensure that the software works as planned and that goals are met Things to do: 1) Dynamic analysis 2) Fuzzing 3) Manual testing 4) Unit, integration, acceptance and regression testing

Integration Testing

Verifying that components work together as outlined in design specifications

4GL

Very High-level Language. Further enhances the natural-language approach introduced by the previous generation, focusing on highly abstract constructs that allow straightforward programming and reduce development time significantly. Platform independent (SQL)

Waterfall Model

A very rigid, sequential approach that requires each phase to complete before the next one can begin; changes are difficult to integrate because the model is inflexible (in the modified waterfall you can only go back one step, no further). Phases: 1) Feasibility 2) Analysis 3) Design 4) Implement 5) Test 6) Maintain. Useful for smaller projects where all requirements are fully understood, but a dangerous model for complex projects, which commonly contain many variables that affect the scope as the project continues.

Zero-day Vulnerabilities

Vulnerabilities for which no patch or fix yet exists, often still unknown to the vendor and defenders while already known to (and possibly exploited by) attackers.

