CISSP-8-Software-Development-Security
Software Development Models
1) Build and Fix 2) Waterfall 3) V-Shaped 4) Prototyping 5) Incremental 6) Spiral 7) Rapid Application Development (RAD) 8) Agile. It is not uncommon for organizations to adopt these models and customize them to their own liking.
Software Requirement Models
1) Informational 2) Functional 3) Behavioral
Programming Language Generations
1) Machine 2) Assembly 3) High-level 4) Very High-level 5) Natural. The higher the generation of the language, the greater the abstraction.
Software Development Life Cycle (SDLC)
1) Requirements Gathering 2) Design 3) Development 4) Testing / Validation / Deployment 5) Release / Maintenance
Testing Types
1) Unit 2) Integration 3) Acceptance 4) Regression 5) Fuzzing 6) SAST/DAST/Manual
Common Weakness Enumeration (CWE)
A MITRE initiative, which MITRE describes as "A Community-Developed Dictionary of Software Weakness Types." MITRE collaborates with the SANS Institute to maintain a list of the most dangerous software errors.
Capability Maturity Model Integration (CMMI)
A comprehensive, integrated set of guidelines for developing software that describes the procedures, principles and practices that underlie development process maturity. 0) Incomplete 1) Initial / Ad-hoc 2) Repeatable 3) Defined / Documented 4) Quantitatively Managed / Managed 5) Optimized. Hint: IR DQ Optimized
Buffer Overflow
A condition that exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area past a buffer. Results from a lack of good input/output validation. Can cause DoS and privilege escalation.
Statement of Work (SOW)
A document routinely employed in the field of project management as it defines project-specific activities, deliverables and timelines for a vendor providing services to the customer
Sprint
A fixed-duration development interval that is usually (but not always) two weeks in length. Promises delivery of a very specific set of features, chosen by the team and/or customer.
Capability Maturity Model (CMM)
A general model that allows for maturity-level identification and maturity improvement steps. 1) Initial 2) Repeatable 3) Defined 4) Managed 5) Optimizing. CMMI is one example that brought many of these models together.
Privilege Escalation
A method of exploiting a running process or configuration setting in order to gain access to resources that would normally not be available to the process or its user
Cleanroom
A model that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and mission-critical applications that will be put through a strict certification process (NO ERRORS ALLOWED).
Reuse Model
A model that evolves by gradually modifying pre-existing prototypes to customer specifications instead of building from scratch
Exploratory Model
A model that is used in instances where clearly defined project objectives have not been presented. Instead of focusing on explicit tasks, this model relies on covering a set of specifications likely to affect the final product's functionality.
Rapid Application Development (RAD)
A model that puts less emphasis on planning and more emphasis on an adaptive process, where prototypes are often used in addition to, or sometimes even in place of, design specifications. Combines the use of prototyping and iterative development procedures with the goal of accelerating the software development process. Well suited for (although not limited to) developing software that is driven by user interface requirements. Places strict time limits on each phase of a project.
Joint Application Development (JAD)
A model that uses a team approach to application development in a workshop-oriented environment, which may include people other than developers, such as executives and SMEs.
Spiral Model
A model that uses an iterative approach to software development and places emphasis on "risk analysis": an iteration of waterfalls, each producing a more mature prototype than before. The model is made up of four phases: 1) Determine Objectives 2) Identify and Resolve Risks 3) Develop and Test 4) Plan the Next Iteration (customer input). Within this model the angular aspect represents progress and the radius of the spiral represents cost. This is a good model for complex projects that have fluid requirements. Compare Plan Do Check Act (PDCA).
Incremental Model
A model where the product is designed, implemented and tested incrementally (a little more is added each time) until the product is finished, involving both development and maintenance. Multiple development cycles are carried out on a piece of software throughout its development stages, and each phase provides a usable version of the software. This model is best used when issues pertaining to risk, program complexity, funding and functionality requirements need to be understood early in the lifecycle.
Integrated Product Team (IPT)
A multidisciplinary development team made up of multiple stakeholders from different groups: developers, testers, SMEs, customers, etc. More agile, since decisions are made across groups instead of hierarchically. A management technique that works well with the JAD model.
Kanban
A production scheduling system developed by Toyota to more efficiently support just-in-time delivery, later adopted as an agile methodology for software. Stresses visual tracking of tasks so that the team knows what to prioritize at what point in time in order to deliver the right features right on time.
Work Breakdown Structure (WBS)
A project management tool used to define and group a project's individual work elements in an organized manner. A deliberate decomposition of the project into tasks and subtasks that result in clearly defined deliverables.
Prototyping Model
A sample of software code or a model that can be developed to explore a specific approach to a problem before investing expensive time and resources. Releases versions of an application for user review. An iterative method, meaning that source code is written and released for review and then revised based on the review. Repeats until the final version is released. 1) Rapid 2) Evolutionary 3) Operational
User Story
A sentence that describes what a user wants to do and why
Threat Modeling
A systematic approach used to understand how different threats could be realized and how a successful compromise could take place
Static Analysis
A technique meant to help identify software defects or security policy violations, carried out by examining the code without executing it. Cannot reveal logical errors and design flaws.
Fuzzing
A technique used to discover flaws and vulnerabilities in software by sending large amounts of malformed, unexpected or random data to the target program to trigger failures
Test-driven Development (TDD)
A technique where you must first write a test that fails before you write new functional code. Quickly adopted by agile software developers.
Software Escrow
A third party keeps a copy of the source code, and possibly other materials, which it will release to the customer only if specific circumstances arise, mainly if the vendor who developed the code goes out of business or for some reason is not meeting its obligations and responsibilities
Assembler
A tool that converts assembly language source code into machine code
Regression Testing
After a change to a system takes place, retesting to ensure functionality, performance, and protection are not broken
Extreme Programming (XP)
An agile methodology that takes code reviews to the extreme by having them take place continuously through the use of pair programming, which significantly reduces the incidence of errors and improves the overall quality of the code. Unit tests are written before the code. High level of customer involvement. Code is written in a minimal amount in order for it to pass the unit test, which reduces complexity.
Pair Programming
An agile software development technique in which two programmers work together at one workstation, where one, the driver, writes code while the other, the observer or navigator, reviews each line as it is typed in
Rapid Prototyping Model
An approach that allows the development team to quickly create a prototype (sample) to test the validity of the current understanding of the project requirements. A quick and dirty, throwaway approach to see if everyone is on the right path. The prototype is thrown away after evaluation.
Operational Prototyping Model
An extension of the evolutionary prototype method, but this prototype is designed to be implemented within a production environment as it is being tweaked. It is updated as customer feedback is gathered, and the changes to the software happen within the working site.
Object
An instance of a class with possible methods and encapsulated attribute values
ISO/IEC 27034
An international standard that covers the following areas: application security overview and concepts, organization normative framework, application security management process, protocols and application security control data structure, case studies, and application security assurance prediction
Air-gapped
An isolated network, accessible internally only.
Agile Model
An umbrella term for several development models that focus on incremental and iterative development methods and promote cross-functional teamwork and continuous feedback mechanisms. Lightweight when compared to traditional methods like waterfall. Uses user stories rather than prototypes: tiny functional pieces. Can adapt, integrate and customize existing models where needed. Based on 12 principles. Examples: AUP, DSDM, XP.
2GL
Assembly Language. A programming language understood by the computer architecture that uses symbols (mnemonics) to represent complicated machine code (ADD/PUSH/POP). Uses assemblers to convert to machine code. Requires extensive knowledge of the architecture. Computer architecture / processor dependent.
Compiler
Converts high-level language statements into machine code format (.exe, .dll, .so). Supports various architectures.
Maintenance Hook / Backdoor
Created by developers during development to allow them to bypass security controls as a matter of convenience. Always check for and remove before production.
Release / Maintenance
Deploying the software and then ensuring that it is properly configured, patched and monitored. Things to do: 1) Final security review
V-Shaped Model
Developed after the Waterfall model; emphasizes verification and validation at each phase, with testing taking place throughout the project, not just at the end. This model is best used when all requirements can be understood up front and potential scope changes are small. Hint: V is verification and validation
Informational Model
Dictates the type of information to be processed and how it will be done
Verification
Did we build the product right? Determines if the product accurately represents and meets the specifications.
Validation
Did we build the right product? Determines if the product provides the necessary solution for the intended real-world problem; it is less about testing.
Separation of Duties
Different environment types (development, testing, and production) should be properly separated. Functionality and operations should not overlap. Developers should not have access to modify code used in production.
Interpreter
Does the last step of transforming high-level code to machine-level code. Usually starts with a very high-level/high-level language that gets translated into an intermediate, platform-independent format, like bytecode; the interpreter then converts it to machine-level code for on-demand execution. Advantages include platform independence and centralized memory management.
Acceptance Testing
Ensuring that the code meets customer requirements
Behavioral Model
Explains the states the application will be in during and after specific transitions
3GL
High-level Language. A language that is more human-friendly, using logic flow statements, like IF-THEN-ELSE, and mathematical operators, like + / -. Computer architecture / processor independent. Compiled languages (C/C++).
Garbage Collector
Identifies blocks of memory that were once allocated but are no longer in use, deallocates the blocks and marks them as free. Mitigates object reuse and DoS.
Scope Creep
In project management this refers to changes, continuous or uncontrolled growth in a project's scope, at any point after the project begins. Occurs when the scope of a project is not properly defined, documented or controlled.
Manual Testing
Involves code auditing by security-centric programmers who try to modify the logical program structure using rogue inputs and reverse-engineering techniques. Manual tests simulate the live scenarios involved in real-world attacks. Could also include social engineering.
Attack Surface
What is available to be used by an attacker against the product itself.
Versioning
Keeping track of file revisions, which makes it possible to "roll back" to a previous version in case something goes wrong or needs repeating
1GL
Machine Language A programming language understood by the computer architecture (0s and 1s)
CMMI - Initial
Maturity level 1. The software process is characterized as ad hoc and occasionally even chaotic. Few processes are defined, and success depends on individual effort. Success is usually the result of individual heroics.
CMMI - Repeatable
Maturity level 2. Basic project management processes are established to track cost, schedule and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
CMMI - Defined / Documented
Maturity level 3. The software process for both management and engineering activities is documented, standardized and integrated into a standard software process for the organization. Projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.
CMMI - Quantitatively Managed / Measured
Maturity level 4. Detailed measures of the software process and product quality are collected, analyzed and used to control the process. Both the software process and products are quantitatively understood and controlled.
CMMI - Optimizing
Maturity level 5. Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
Build and Fix Model
No architecture design is carried out; instead, development takes place immediately with little or no planning involved. No real planning up front, and flaws are reactively dealt with after release through the creation of patches and updates. A reactive model, not a proactive one.
P3 (Low Privacy Risk)
No behaviors exist within the feature, product or service that affect privacy. No anonymous or personal data is transferred, no PII is stored on the machine, no settings are changed on the user's behalf and no software is installed.
Scrum
One of the most widely adopted agile methodologies in use today. It lends itself to projects of any size and complexity and is very lean and customer focused. Acknowledges the fact that customer needs cannot be completely understood and will change over time. Focuses on team collaboration, customer involvement and continuous delivery.
Functional Model
Outlines the tasks and functions that an application needs to carry out
Privacy Impact Rating
P1 (High Privacy Risk): (PHI/PII/Root/Installer). P2 (Moderate Privacy Risk): (One-time). P3 (Low Privacy Risk): (Nothing). Usually done after the privacy risk assessment completes.
Quality
Refers to how good or bad something is for its intended purpose
Requirements Gathering
SDLC Phase 1. Determine "why" to create the software, "what" the software will do and for "whom" it will be created. Things to do: 1) Security requirements 2) Security risk assessment 3) Privacy risk assessment 4) Risk-level assessment 5) Information, functional and behavioral requirements
Design
SDLC Phase 2. Deals with "how" the software will accomplish the goals identified, which are encapsulated into a functional plan. Things to do: 1) Attack Surface Analysis 2) Threat Modeling
Development
SDLC Phase 3. Programming software code to meet the specifications laid out in the design phase and integrating that code with existing systems and/or libraries. Things to do: 1) Automated CASE tools 2) Static analysis and code reviews
Evolutionary Prototyping Model
Similar to rapid prototyping, but instead of throwing away the original prototype, the goal is to provide incremental improvement until it reaches the final product stage within a controlled lab environment. Feedback gained through each development phase is used to improve the prototype and get closer to accomplishing the customer's needs.
Unit Testing
Testing individual components in a controlled environment where programmers validate data structure, logic and boundary conditions. Testers should do this and not developers, to support separation of duties.
Modularity
The building blocks of software are autonomous objects, cooperating through the exchange of messages
Dynamic Analysis
The evaluation of a program in real time, when it is running; commonly carried out once a program has cleared the static analysis stage. Effective for compatibility testing, detecting memory leaks, identifying dependencies and analyzing software without having to access the software's actual source code. The primary advantage of this technique is that it eliminates the need to create artificial error-inducing scenarios.
P1 (High Privacy Risk)
The feature, product or service stores or transfers personally identifiable information (PII), monitors the user with an ongoing transfer of anonymous data, changes settings or file type associations or installs software
5GL
The goal is to create software that can solve problems by itself instead of a programmer having to develop code to deal with individual and specific problems. Think of artificial intelligence and visual interfaces.
Deferred
The internal components of an object can be redefined without changing other parts of the system
DevOps
The practice of incorporating development, IT and QA staff into software development projects to align their incentives and enable frequent, efficient and reliable releases of software products. Combines Software Development, Quality Assurance and Operations (VENN).
Change Control Steps
The process of controlling the changes that take place during the life cycle of a system and documenting the necessary activities. 1) Request 2) Analyze 3) Record 4) Approve 5) Develop and Test 6) Report to Management
Abstraction
The programmer does not need to worry about the intricate details of a class or object, since they are hidden from view. Properties can still be examined and reviewed, e.g., print().
P2 (Moderate Privacy Risk)
The sole behavior that affects privacy in the feature, product or service is a one-time, user-initiated anonymous data transfer (e.g., the user clicks on a link and goes out to a website)
Software Configuration Management (SCM)
The task of tracking and controlling changes in the software, part of the larger cross-disciplinary field of configuration management. Includes revision control and the establishment of baselines for integrity's sake.
Attack Surface Analysis
To identify and reduce the amount of code and functionality accessible to untrusted users. Usually done with automated tools.
Computer-aided Software Engineering
Tools that programmers can use to generate code, test software and carry out debugging activities in an automated fashion. Includes IDEs, debuggers, code analyzers, version control, etc.
Build Security In (BSI)
U.S. Department of Homeland Security (DHS) initiative that provides best practices, tools, guidelines, rules, principles, and other resources that software developers, architects and security practitioners can use to build security into software in every phase of its development
Testing / Validation
Verifying and validating software to ensure that the software works as planned and that goals are met. Things to do: 1) Dynamic analysis 2) Fuzzing 3) Manual testing 4) Unit, integration, acceptance and regression testing
Integration Testing
Verifying that components work together as outlined in design specifications
4GL
Very High-level Language. Further enhances the natural language approach instigated within the previous generation of languages, focusing on highly abstract algorithms that allow straightforward programming and reduce development times significantly. Platform independent (SQL).
Waterfall Model
Very rigid, sequential approach that requires each phase to complete before the next one can begin; can be difficult to integrate changes since it is an inflexible model (can only go back one step and no further) (7 steps). 1) Feasibility 2) Analysis 3) Design 4) Implement 5) Test 6) Maintain. Useful for smaller projects that have all of the requirements fully understood, but a dangerous model for complex projects, which commonly contain many variables that affect the scope as the project continues.
Zero-day Vulnerabilities
Vulnerabilities that do not currently have a resolution and often have not been discovered yet, except, perhaps, by hackers.