8. Software Development Security Flashcards
(49 cards)
Which IP protocol is secure and how?
IPv6 is inherently secure, as it uses IP Sec. IP Sec is a framework for traffic including the support for encryption, authentication, authorization and integrity.
What are the software development methodologies?
- Waterfall
- Prototyping
- Spiral
- Agile
Define Waterfall
Software development methodology.
Phase based approach. Best for small projects
Pros: define before code
Cons: adjusting scope during project can kill it.
Define Prototyping
A software development methodology.
A cyclical approach to development. Makes a working model and expand off of it to fit what customer wants.
Pros: users interact with model and give feedback
Cons: tendency for superficial analysis
Define Spiral
A software development methodology
Combo of waterfall and prototyping. Good for large projects.
Pros: a usable software is produced early in the cycle.
Cons: costly. Risk analysis requires highly specific expertise.
Define Agile
A software development methodology
Current popular model. Have new objective every ~2 weeks
Pros: fewer defects, greater flexibility instant feedback.
Cons: less documentation, less focus on system design. Harder to track.
Define distributed computing
An architecture style.
- Client-server. Ie. thin/fat clients.
- Peer-to-peer. Ie. file sharing systems.
Define Service Orientated Architecture
An architecture and a vision on how heterogeneous applications should be developed and integrated into the enterprise.
Share a formal contract.
Reusable, autonomous, stateless, discoverable.
Define Rich Internet Applications
An architecture style.
Web applications
What are main threats of rich internet applications?
client side: XSS and CSRF
Server side: code injection and aggregation
What is polyinstatiation?
Lying.
What is aggregation?
Collecting of information.
Define ubiquitous computing.
Wireless networking.
Ie. RFID, NFC, and LBS (location based services)
Define monitoring
Validation of compliance to regulations and other governance requirements.
Demonstrates due diligence and due care on the part of the organization towards its shareholders.
What are the characteristics of good metrics?
Consistency Quantitative Objectivity Relevance Inexpensive
Define auditing
Important detective controls that can be used to correlate information after an event.
Used to ensure policies are being followed and are effective.
What is Code injection?
An OWASP Vulnerability
Injection flaws in code that occur when untrusted data is sent to an interpreter as part of a command or quart.
What is Broken Authentication & Session Management?
An OWASP Vulnerability
Application functions related to authentication that are not implemented correctly and allow attackers to compromise information to assume others identities.
What is XSS?
An OWASP Vulnerability
Cross Site Scripting
Whenever an application takes untrusted data and sends it to a web browser without proper validation.
What is Insecure Direct Object References?
An OWASP Vulnerability
Unauthorized user or process which can invoke the internal functionality of the software by manipulating parameters and other object values.
What are security misconfigurations?
An OWASP Vulnerability
When a configuration is not set to its secure settings.
What is Sensitive Data Exposure?
An OWASP Vulnerability
When web applications do not adequately protect sensitive data.
Ie. Insufficient protection for data-at-rest, data-in-transit, or data-in-use.
What is missing function level access control?
An OWASP Vulnerability
When a web app does not reverify the access rights with each new function accessed.
What is CSRF?
An OWASP Vulnerability
Forcing a logged-on victims browser to send a forged HTTP request, including cookies and authentication information.
