Chapter 20

Question 1

Programming language generations

Answer 1

Gen 1: Machine language; 0 and 1 computer directly understands
Gen 2: Assembly language; mnemonics
Gen 3: Structured, object oriented, etc.
Gen 4: Domain-specific
Gen 5: AI, natural language

Question 2

Compiled vs Interpreted

Answer 2

Compiled - no source code, but easier to hide malware
Interpreted - need source code

Question 3

Run-time environment

Answer 3

Portable across different OS platforms

Question 4

Software libraries

Answer 4

Re-usable code; need to be aware of origins of source code

Question 5

Software failure mitigation

Answer 5

Input validation
Authen and session mgmt
Error handling
Logging
Fail secure

Question 6

SDLC

Answer 6

Conceptual definition
Functional specifications - input/behavior/output
Controls specifications
Design
Coding
Code review
Test
Maintain and change mgmt

Question 7

SDLC models

Answer 7

Iterative Waterfall - with feedback for one phase back only
Spiral - repeated waterfall iterations; each one delivering a prototype until finished product

Question 8

Agile development

Answer 8

Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan

Scrum, scrum master, sprints

Question 9

Agile - 12 principles

Answer 9

1. Highest priority - satisfy customer thru early delivery
2. Welcome changes
3. Deliver working software frequently
4. Business and dev work together
5. Build around motivated people - provide support and trust
6. Face-to-face communication
7. Primary measure of progress is working software
8. Maintain constant pace indefinitely
9. Attention to technical excellence and good design
10. Maximize work not done
11. Self-organizing teams produce best
12. Regular review and adjust

Question 10

SW-CMM
(Software Capability Maturity Model)

Answer 10

Lvl 1: Initial
Lvl 2: Repeatable - basic lifecycle mgmt, reusable code, repeatable project outcomes
Lvl 3: Defined - standard processes, orgranizational processes, training program
Lvl 4: Managed - use metrics, quantitative measurement and quality mgmt
Lvl 5: Optimizing - change mgmt

Question 10

Scaled Agile Framework (SAFe)

Answer 10

• apply Agile principles and practices to large enterprises

4 configuration levels:
1. Essential SAFe - traditional Agile; Agile release trains (ART) in 8-12 week program increments
2. Large solution SAFe - vast systems; multiple ARTs
3. Portfolio SAFe - strategic direction translated to actions
4. Full SAFe - combi of all

Question 11

SAMM - software assurance maturity model

Answer 11

5 business functions:
- Governance - strategy, compliance, metrics, training, policy
- Design - threat assessment, security req, security arch
- Implementation - secure building, secure deploy
- Verification - testing
- Operations - incident mgmt, operational mgmt env mgmt

Total of 15 security practices

Question 12

IDEAL

Answer 12

Initiating
Diagnosing
Establishing
Acting
Learning

Question 13

Change Management

Answer 13

Request control processes - request, cost/benefit, prioritize
Change control processes - test and document
Release control processes - approvals, user acceptance, deployment

Question 14

Software Configuration Management (SCM)

Answer 14

Configuration identification - document configurations
Configuration Control - authorize changes, versioning
Configuration status accounting - change tracking
Configuration Audit - regular check for unauth changes

Question 15

DevOps
DevSecOps

Answer 15

Dev/QA/Ops
Dev/QA/Sec/Ops

Continuous integration / continuous delivery (CI/CD)

Question 16

SW testing methodologies

Answer 16

White box testing - access to code; analyze inner workings
Black box testing - from user perspective; input scenarios; no access to code
Gray box testing - combi of white and black; source code for test design; does not analyze inner workings

Question 17

Commercial off the shelf software (COTS)
Open source software (OSS)

Answer 17

Must test for security vulnerabilities

• Conduct own testing
• Rely on vendor test results
• or 3rd party testing

Question 18

DBMS data models

Answer 18

Hierarchical - one-to-many
Distributed - data store on different DB’s; many-to-many
Relational

Question 19

Relational DB’s

Answer 19

2D table
row and column - relation
Row - cardinality
Column (Field) - degree
Domain - range of values of attribute (field)

Candidate keys
Primary key
Alternate keys
Foreign key - enforce Referential Integrity, key is a primary key in the referenced table

Question 20

SQL

Answer 20

DDL - data description language; create/mod schema
DML - data manipulation language; interaction with data in schema

Question 21

ACID model

Answer 21

RDBMS transactions must be:
1. Atomic - all or nothing; if any part of transactions fails, entire trans must be rolled back
2. Consistent - db rules must be maintained before and after transaction
3. Isolation - current transaction must complete before exec the next
4. Durability - changes must be preserved; via transaction logs for back up mechanism

Question 22

DB contamination

Answer 22

DB contains data of different security levels

Question 23

Concurrency

Answer 23

Lock access to data for transaction; prevents dirty reads and lost updates

Question 24

DB security mechanisms

Answer 24

Cell suppression Polyinstantiation Noise and perturbation

Question 25

ODBC

Answer 25

Allows apps to communicate with diff DB types

Question 26

No SQL DB's

Answer 26

Key/value Graphical Document - key/document

Question 27

Expert systems

Answer 27

2 components: Knowledge base Inference engine

Question 28

Machine learning

Answer 28

2 types: 1. Supervised learning - develop model based on provided data (data set with correct answers) 2. Unsupervised learning - provide unlabeled data to develop model

Question 29

Neural Networks

Answer 29

Chain of decisions to come up with output Extension of machine learning Deep learning Training period Use Delta rule to learn from experience