Chapter 4- Software Development Security Flashcards Preview

Flashcards in Chapter 4- Software Development Security Deck (93)
1

SDLC Basic Phases

Project Initiation and Planning; Functional Requirements Definition; System Design Specification; Development and Implementation; Documentation and common program controls; Testing and evaluation control (C&A); Transition to production (implementation)

2

SLC

Extends above SDLC - Operations and maintenance support; revisions and system replacement; project initiation and planning

3

Project Initiation

Security activities should be done in parallel

4

Functional Requirements

Security requirements should be formalized

5

System Design Specifications

security features designed, generally based on the overall security architecture for the company

6

Development and Implementation

code should be analyzed to eliminate common vulnerabilities that might lead to security exploits and other risks

7

Documentation and Common Program Controls

types of logging the program should be doing

8

Acceptance

tested to ensure it meets all the functional and security requirements. Testing is to ensure that the application meets its security requirements and specifications and uncover all design flaws that would violate security policy. Run independently in a production simulation environment. First Phase of C&A

9

Testing and Evaluation Controls

bounds checking and data validation - test data should not be production data. test all changes

10

C&A

Certification and Accreditation - Certification is the process of evaluating the security stance of the software against a set of security standards or policies. Verify conversion. Accreditation - Acceptable level of risk is determined. Provisional accreditation is for a specific period and outlines specific changes. Full means no changes required.

11

Transition to Production (implementation)

obtain security accreditation, train users, implement, parallel operations if necessary.

12

Revisions and System Replacement

Changes must follow SDLC and be recorded in change management system. Reviews should include security planning and procedures - application audits should be conducted periodically including documenting security incidents and system failures.

13

CMM

Capability Maturity Model for Software - focuses on quality management process and has 5 maturity levels. ISO 9000 includes software development quality standards

14

Waterfall life-cycle method

oldest method - list of activities that must be completed before the next phase begins

15

Structured Programming Development

promotes discipline, allows introspection, and provides controlled flexibility - requires defined processes and modular development - each phase is subject to reviews and appraisals

16

Spiral Method

nested version of the Waterfall method - Plan, Do, Check, Act sub-phases

17

Clean room

method of controlling defects - focuses on defect prevention. more time spent in early phases.

18

Iterative development

successive refinements of requirements, design, and coding

19

Prototyping

simplified version, released for review; user feedback is used to build a better second version

20

Modified Prototype model

ideal for Web app development - deployed in quick time frame

21

Rapid application development

strict time limits on each phase - rapid prototyping

22

Joint Analysis Development

developers work directly with users to develop a working application

23

Exploratory Model

set of requirements built with what is currently available

24

CASE

computer-aided software engineering - use computers and utilities to help with systematic analysis, design, development, implementation and maintenance of software

25

Component based development

standardized building blocks to assemble rather than develop

26

Reuse model

built from existing components.

27

Extreme programming

values of simplicity, communication and feedback - fairly structured

28

DBMS

a suite of application programs that typically manage large structured sets of persistent data. 4 elements - database engine, hardware platform, application software and users

29

Transaction persistence

state of the database is the same after a transaction has occurred and transaction should be durable

30

Fault Tolerance and recovery

in case of failure data should remain in its original state. Two types of recovery - rollback and shadowing. Rollback - incomplete transactions are backed out. Shadow requires the use of transaction logging to identify the last good transaction.