Domain 8. Software Development security Flashcards

1
Q

Aggregation

A

A user who lacks the clearance or permission to access specific information, but does have permission to access components of that information, can combine those components to figure out the rest and obtain the restricted information.

2
Q

Inference

A

The ability to derive information that is not explicitly available.

3
Q

Polyinstantiation

A

Multiple instances of the same information, with the instance shown depending on the clearance of the user.

4
Q

Primary key

A

Unique identifier for each record.

5
Q

Normalization

A

The process of removing duplicates and ensuring that each attribute describes only the primary key.

6
Q

Entity integrity

A

The primary key (PK) field can't be null.

7
Q

Cardinality

A

The number of rows in a relation.

8
Q

Degree

A

The number of columns in a relation.

9
Q

Attribute

A

A column.

10
Q

Tuple

A

A collection of attributes (a row).

11
Q

ACID

A

Atomicity
Consistency
Isolation
Durability

12
Q

DB Checkpoint

A

A known good point from which the DB can recover.

13
Q

DB Savepoint

A

A temporary backup that can be configured based on variables (time interval, number of transactions, etc.).

14
Q

DB Cell suppression

A

A technique used to hide specific cells.

15
Q

DB view

A

Used to permit or restrict users' viewing of specific fields or records.

16
Q

External consistency

A

External consistency ensures that the data stored in the database is consistent with the real world.

17
Q

Decision Support System (DSS)

A

The Decision Support System (DSS) is what some books refer to as the Delphi Method or Delphi Technique.

18
Q

Acceptance

A

Confirms that users' needs have been met by the supplied solution.

19
Q

Accreditation

A

Accreditation is the formal acceptance of security adequacy, authorization for operation and acceptance of existing risk. It is the formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

20
Q

Certification

A

Certification is the formal testing of security safeguards; assurance is the degree of confidence that the implemented security measures work as intended. Certification is a comprehensive evaluation of the technical and nontechnical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

21
Q

Assurance

A

Assurance is the description of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provide a catalogue of these measures, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in Security Targets (ST) and Protection Profiles (PP), respectively.

22
Q

Stealth viruses

A

Stealth viruses accept incoming scan attempts by the antivirus engine and forward them to the original file, which of course is normal and uninfected, so the scan sees no threat.

23
Q

Shell Virus

A

Shell viruses create a “shell” around the compromised file and intercept calls to that program. The shell may pass the commands along to the compromised program and let that program's output proceed, but it can also overwrite or alter the output.

24
Q

Unit Testing

A

Unit testing is the testing of an individual program or module. It uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the program operates internally according to the specification.

25
Q

Bind Value

A

A bind value is a value that can be bound to a placeholder declared within an SQL statement. Using bind values (bind variables) can improve the security of your database.

26
Q

ISC2 SDLC

A

Project Initiation and Planning
Functional Requirements Definition
System Design Specification
Development and Implementation
Documentation and Common Program Controls
Testing and Evaluation Control, Certification and Accreditation (C&A)
Transition to Production (Implementation)

Two further phases extend beyond the SDLC:
Operation and Maintenance Support (O&M)
Revisions and System Replacement (Disposal)

27
Q

Atomicity

A

Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible (“atomic”), and an aborted transaction does not happen at all.

28
Q

Consistency

A

The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code), but merely that any programming errors do not violate any defined rules.

29
Q

Isolation

A

The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if the transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of concurrency control. Depending on the concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction.

30
Q

Durability

A

Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements executes, the results need to be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in non-volatile memory.