DEV Flashcards by lv hv

set of best practices for programmers to seek in all application or database design: Atomicity, Consistency, Isolation, Durability

ACID test

How well did you know this?

Not at all

Perfectly

Authenticode, relies on digital signatures, annoying dialogs people click away

Active X

How well did you know this?

Not at all

Perfectly

a library of commands maintained by a system for other programs to use, provides consistency and integrity for the programs

Application Programming Interface

How well did you know this?

Not at all

Perfectly

is the tool that converts a high level language into machine language

Assembler

How well did you know this?

Not at all

Perfectly

Converts machine-code into binary machine instructions. Translate assembly language into machine language.

Assembler - DEV

How well did you know this?

Not at all

Perfectly

low-level programming language with a few simple operations this code is harder to maintain, less readable, and has the potential to be substantially longer

Assembly Code

How well did you know this?

Not at all

Perfectly

indivisible, data field must contain only one value that either all transactions take place or none do

Atomicity

How well did you know this?

Not at all

Perfectly

Program installed by an attacker to enable him to come back on a later date without going through the proper authorization channels, maintenance hook for developers sometimes

Backdoor

How well did you know this?

Not at all

Perfectly

Results exhibited by an object in response to a msg

Behavior

How well did you know this?

Not at all

Perfectly

Most significant byte is stored first. SPARC uses this architecture.

Big Endian

How well did you know this?

Not at all

Perfectly

When a Windows system experiences a dangerous failure and enters a full secure state (reboot)

Blue Screen of Death

How well did you know this?

Not at all

Perfectly

Moves or overwrites the boot sector with the virus code

Boot sector

How well did you know this?

Not at all

Perfectly

Attacks the MBR - the portion of bootable media that the computer uses to load the operating system during the boot process. MBR viruses store the majority of their code on another portion of the storage media

boot sector infector

How well did you know this?

Not at all

Perfectly

organized group of compromised computers

Botnet

How well did you know this?

Not at all

Perfectly

an area of memory allocated with a fixed size. It is commonly used as a temporary holding zone when data is transferred between two devices that are not operating at the same speed or workload.

Buffer

How well did you know this?

Not at all

Perfectly

Occurs when an area that has been allocated a specific storage space has more data copied to it than it can handle. Two classes include heap and stack overflow.

Buffer Overflow

How well did you know this?

Not at all

Perfectly

program code that is in between the high level language code understood by humans and machine code read by computers.

Byte Code

How well did you know this?

Not at all

Perfectly

An attribute that is a unique identifier within a given table, one is chosen to be the primary and the others are alternate. Subset of attributes that can be used to uniquely identify any record in a table. No two records in the same table will ever contain the same values for all attributes. Each table may have one or more, which are chosen from column headings.

Candidate Key

How well did you know this?

Not at all

Perfectly

Tool for development, if concerned about security

CASE

How well did you know this?

Not at all

Perfectly

a business managers and software engineer’s process to protect the organization from development-related issues. Has three components: Request, Change, and Release Control

Change Management Process

How well did you know this?

Not at all

Perfectly

part of a transaction control for a database which informs the database of the last recorded transaction

Checkpoint

How well did you know this?

Not at all

Perfectly

OOP concept of a template that consist of attributes and behaviors

Class

How well did you know this?

Not at all

Perfectly

converts source code to an executable

compiler

How well did you know this?

Not at all

Perfectly

Write code correctly first time, quality thru design

Cleanroom

How well did you know this?

Not at all

Perfectly

Is an opposing coding stance that keeps source code confidential. Can be reverse engineered or decompiled

Closed source

Is one that is proprietary with no third-party product support, does not define if it's code can be viewed

Closed system

Peer-driven process that includes multiple developers, may be automated, may review several hundred lines an hour, done after it's developed

Code Review

Ability to perform without use of other programs, strength of the relationship between the purposes of methods within the same class

Cohesion

Support exchange of objects amongst programs. This used to be called OLE. DCOM is the network variant (distributed)

COM, Common Object Model

infected code is stored not in the host program, but in a separate files. Takes advantage of search order of an OS

Companion virus

converts source code to an executable

Compiler

Translates higher level program into an executable file

Complier - DEV

Appended to executables

Compression

Periodic, should be conducted to ensure that the actual production environment is consistent with the accounting records and that no unauthorized changes have taken place.

Configuration Audit

Ensures that changes to software versions are made in accordance with policies. Updates can be made only from authorized distributions in accordance with those policies.

Configuration Control

Administrators document covered software products throughout the organization.

Configuration Identification

Used to control the version( s) of software used throughout an organization and formally track and control changes

Configuration Management Process

property that data is represented in the same manner at all times

Consistency

Broker architecture enables programs written in different languages and using different platforms and OS’s through IDL (Interface Definition Language)

CORBA, Common object request

Effect on other modules. Level of interaction between objects

Coupling

Is a way to receive information in an unauthorized manner, information flood that is not protected by a security mechanism

Covert channels

Processes communicate via storage space on the system; Writing to storage by one process and reading by another of lower security level.

Covert Storage Channel

One process relays to another by modulating its use of system resources. Typing rhythm of Morse Code is an example

Covert timing channel

malware that uses the trust on a website to redirect users to untrusted websites which captures data or installs more malware

Cross Site Scripting

attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated request to third-party sites.

CSRF (XSRF) Cross Site Request Forgery

false memory reference

Dangling pointer

a description of a database

Data Dictionary

malware that makes small random changes to many data points

Data Diddler

a feature of object oriented programming languages. Classes and variables may be marked private, which restricts outside access to the internal workings of a class.

Data Hiding

small data warehouse

Data marts

specifies the way data will be stored in memory

Data Type

z-Mixing data with different classification levels and/ or need-to-know requirements and is a significant security challenge. Often, administrators will deploy a trusted front end to add multilevel security to a legacy or insecure DBMS

Database Contamination

Process of splitting a single database into multiple parts, each with a unique and distinct security level or type of content

Database Partitioning

a copy of transaction data, designed for querying and reporting

Data warehouse

a collection of information designed to reduce duplication and increase integrity

Databases

Schemas, blueprints; tables, views

DB main components

Refers to a suite of software programs that maintains and provides controlled access to data components stored in rows and columns of a table

DBMS

subset of SQL used to control access to data in a database, using GRANT and REVOKE statements

DCL - Data Control Language

enables applications to work in a client/server model by providing the inter-process communications mechanism (IPC)

DDE - Dynamic Data Exchange

defines structure and schema

DDL - Data Definition Language

a condition in which neither party is willing to stop their activity for the other to complete

Deadlock

Forwarding a request to another object

Delegation

an availability attack, to consume resources to the point of exhaustion

Denial of Service

a combination of Development and Operations, symbolizing that these functions must merge and cooperate to meet business requirements

DevOps

Attempt to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user

Directory Traversal Attack

When one transaction reads a value from a Db that was written by another transaction that did not commit, Db concurrency issue

Dirty Reads

software tool is used to convert compiled programs in machine code to assembly code

Disassembler

an availability attack, to consume resources to the point of exhaustion from multiple vectors

Distributed Denial of Service

view, control and use the database via VIEW, ADD, MODIFY, SORT and DELETE commands

DML - Data Manipulation Language

what is will remain, persistence

Durability

Created on the fly by software in an Object Oriented Programming environment. Preassembled code that is a self-contained module

Dynamic Lifetime Objects

a programming component that runs on Win32 systems and contains functionality that is used by many other programs

DLL - Dynamic Link Library

a feature of object-oriented programming, provides a logical structure to a program and allows for easy methods of inheritance

Encapsulation

Seek to embody accumulated knowledge on a particular subject and apply it in a consistent fashion to future decisions. Has two main components: the knowledge base and the inference engine.

Expert Systems

causes a software vulnerability to be triggered and leveraged by the attacker

Exploit

Allow programmers to create code using visual interfaces

Fifth-Generation Languages (5GL)

Include all machine languages

First-Generation Languages (1GL)

Represents a reference to an entry in some other table that is a primary key there. Link between the foreign and primary keys represents the relationship between the tuples. Enforces referential integrity Main Components of a Db using Db - Schemas; blueprints - tables - views

Foreign Key

Attempt to approximate natural languages and include SQL, which is used by databases

Fourth-Generation Languages (4GL)

a miniature program

Function

Define need, requirements, review proposed security controls

Functional Analysis and Planning

Bar type; shows the interrelationships over time between projects and schedules. Graphical illustration of a schedule that helps plan, coordinate, and track specific project tasks. WBS a subpart

Gantt Chart

Is similar to process isolation in purpose. Difference is this enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an operating system

Hardware segmentation

an area of memory utilized by an application and is allocated dynamically at runtime. Static variables are stored on the stack along with data allocated using the malloc interface.

Heap

Behavioral can detect new malware

Heuristic ANTI-Virus

Module largely affects many more modules

High coupling

False warnings

HOAXES

Single patch, patches provide updates to operating systems and applications

Hotfix, update, Security fix

uncheck data input which results in redirection

HTTP Response Splitting

When one transaction is using an aggregate function to summarize data stored in a Db while a second transaction is making modifications to a Db, causing incorrect information

Incorrect Summaries

to jump to a conclusion

Inference

object-oriented organization and encapsulation allow programmers to easily reuse previously written code. It saves time since programmers do not have to recode previously implemented functionality.

Inheritance

OOP concept of an object at runtime

Instance

in the case of unsigned values, this occurs when an overly large unsigned value is sent to an application that "passes" the integer back to zero or a small number

Integer Wrapping

line by line translation from a high level language to machine code

Interpreter

Reads higher level code, one line at the time to produce machine instructions

Interpreter - DEV

another subject cannot see an ongoing or pending update until it is complete

Isolation

modern, object oriented programming language. It combines a similar syntax to C and C++ with features such as platform independence and automatic garbage collection.

Java

Interpreted language that does not make use of a complier to transform code into an executable state. Java, C, and C++ are all compiled languages

JavaScript

Used by processor to execute instructions from OS

Kernel Mode

Implement a structure similar to the ring model used for operating modes and apply it to each operating system process

Layering processes

the least significant byte is stored first

Little Endian

a program that waits for a condition or time to occur that executes an inappropriate activity

Logic bomb

Executes when a certain event happens (like accessing a bank account or employee being fired) or a data/time occurs

Logic Bomb/Code Bomb

Tool used for covert channel that writes data directly after the ICMP header

LOKI

When one transaction writes a value to the Db that overwrites a value needed by transactions that have earlier precedence

Lost Updates

the hardware address of a particular computer system

MAC

program instructions based upon the CPU’s specific architecture

Machine language

Most common in office productivity documents .doc/.docx

Macro Virus

inappropriate data

Malformed input

a function call dynamically allocates n number of bytes on the heap. Many vulnerabilities are associated with the way this data is handled.

malloc

Bombing, strikes, toxin spills

Man-made Threats

Software solution to manage the myriad mobile devices that employees use to access company resources. Goals are to improve security, provide monitoring, enable remote management, and support troubleshooting

MDM - Mobile device management

a function call is used to fill a heap buffer with a specified number of bytes of a certain character

Memset

Communication to object to perform an action

Message

information about data or records

Metadata

another name for a function in languages such as Java and C#. It may be thought of as a miniature program.

Method

Essential to keep data with different requirements separate

Multilevel Security

Infects both the boot sector and executable files; becomes resident first in memory and then infects the boot sector and finally the entire system, uses two or more propagation mechanisms

Multipart virus

Class inherits characteristics from more than one parent class

Multiple Inheritance

Capable of implementing a much higher level of security. These systems are certified to handle multiple security levels simultaneously by using specialized mechanisms

Multistate systems

Fires, explosions, water, storms

Natural Threats

A popular vulnerability scanner managed by Tenable Network Security, and it combines multiple techniques to detect a wide range of vulnerabilities. It uses port scans to detect open ports and identify the services and protocols that are likely running on these systems. Once it discovers basic details about systems, it can then follow up with queries to test the systems for known vulnerabilities, such as if the system is up-to-date with current patches. Attacker can use to best identify vulnerabilities in a targeted system

Nessus

Use complex computations to replace partial functions of the human mind, Based on function of biologic neurons, Works with weighted inputs

Neural Networks

Attached to .exe

Non-resident virus

a term used to describe a programming variable which has not had a value set, this value is not necessarily the same as a value of “” or 0.

NULL

design philosophy and a type of programming language, which breaks a program into smaller units. Each unit has it’s own function.

Object Oriented Programming

unclear buffers or media

Object reuse

programs are organized into classes. Instances of classes contain data and methods which performs actions on that data.

Object-oriented

feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type. Acts as a proxy

ODBC - Open Database Connectivity

a bug is present when a buffer is set up with size n and somewhere in the application a function attempts to write n+1 bytes to the buffer. This often occurs with static buffers.

Off-by-one

Objects are the basic units, and instances of classes

OOD, Design

Employment of objects and methods If class = airplane, objects like fighter plane, cargo plane, passenger plane can be created. Method would be what a plane would do with a message like: climb, dive, and roll

OOP, Programming

Is a coding stance that allows others to view the source code of a program, distributed free or for a fee

Open source

Is one with published APIs that allow third parties to develop products to interact with it

Open system

Release into production. Certification/accreditation

Operations and Maintenance

Middleware that acts as locators and distributors of the objects across networks

ORBs, Object Request Brokers

business and technical process of applying security software updates in a regulated periodic way

Patch Management

Prevents outages from known attacks by ensuring systems are patched. Patches aren’t available for new attacks. However, it doesn’t provide the updates. Ensuring systems are patched reduces vulnerabilities but it does not eliminate them

Patch Management system

final purpose or result

Payload

project-scheduling tool used to judge the size of a software product in development and calculate the standard deviation (SD) for risk assessment. Relates the estimated lowest possible size, the most likely size, and the highest possible size of each component. Used to direct improvements in project management and software coding to produce more efficient software

PERT - Program Evaluation Review Technique

Malicious variation of official BIOS or firmware is installed that introduces remote control or other malicious features into a device. UEFI – replacement for BIOS

Phlashing

idea that program code can run on different systems without modification or recompilation

Platform Independence

Occurs when two or more rows in the same relational database table appear to have identical primary key elements but contain different data for use at differing classification levels. It is often used as a defense against inference attacks

PolyInstantiation

This is also a self-garbling where it changes the “garble” pattern each time it spreads. As a result, it is also difficult to detect

Polymorphic virus

objects or programming that looks different, but act the same. More accurately: Objects of many different classes that are related by some common super class. When different subclasses may have different methods using the same interfaces that respond differently

Polymorphism

Provide the sole tuple-level addressing mechanism within the relational model. Cannot contain a null value and cannot change or become null during the life of each entity. When the primary key of one relation is used as an attribute in another relation, it is the foreign key in that relation. Uniquely identify a record in a database

Primary Key

LIBC function for outputting data to a command-line interface

Printf

may be viewed as a sequence of instructions, where data at certain memory locations are modified at each step

Procedural Language Programs

collection of commands that are understood by a computer system and may be written in a high-level language, such as Java or C, or in a low-level assembly language

Program

Feasibility, cost, risk analysis, Management approval, basic security objectives

Project Initiation

Execution and memory space assigned to each process

Protection domain

(MIT’s MULTICS design) Ring 0 - Operating system kernel. The OS’ core. The kernel manages the HW (for example, processor cycles and memory) and supplies fundamental services that the HW does not provide. Ring 1 - Remaining parts of the operating system Ring 2 - I/O drivers and utilities Ring 3 - Applications and programs Layers 1 and 2 contain device drivers but are not normally implemented in practice. Layer 3 contains user applications. Layer 4 does not exist

Protection Rings

a state where two subjects can access the same object without proper mediation

Race condition

Extortion via the internet, typically encrypting victim’s data and files

ransomeware

Remote control programs that have the malicious code and allow for unauthorized remote access Back orifice, sub seven, net bus )

RAT, Remote Access Trojan

All foreign keys reference existing primary keys

Referential Integrity

an area on the processor used to store information. Intel architecture: eax, ebx, ecx, edx, esi, and edi.

Once the changes are finalized, they must be approved through procedure

Release Control

Provides an organized framework within which users can request modifications, managers can conduct cost/ benefit analysis, and developers can prioritize tasks

Request Control

Loads when a program loads in memory

Resident virus

Remove. Sanitation and destruction of unneeded data

Revisions/Disposal

transaction controls for a database, a return to a previous state

Rollback

malware that subverts the detective controls of an operating system

Rootkit

malware that makes many small changes over time to a single data point or system

Salami

a construct used to control code execution. Code executed cannot affect outside systems. This is particularly useful for security when a user needs to run mobile code, such as Java applets.

Sandbox

Include all assembly languages

Second-generation language (2GL)

Attempts to hide by garbling its code; as it spreads, it changes the way its code is encoded

Self-garbling virus

Make sure that rules are enforced on all data types, logical values that could adversely affect the structure of the database

Semantic Integrity

Builds on the principle of least privilege. Requires the use of granular access permissions; that is, different permissions for each type of privileged operation. This allows designers to assign some processes rights to perform certain supervisory functions without granting them unrestricted access to the system

Separation of privilege

Collection of unrelated patches released in a large collection

Service Pack

used by devices to communicate with software. It is normally written by the manufacturer of a hardware device to communicate with the operating system.

Service Provider Interface

byte code that executes a shell or the code that is executed when an exploit is successful

Shellcode

Cannot detect new malware

Signature based ANTI-Virus

Assumed each step could be completed and finalized without any effect from the later stages that may require rework

Simplistic Model

unused storage capacity

Slack space

Quality is a direct function of quality of development and maintenance. Procedures, principles, and practices that underlie development process maturity. 5 Levels: initiating – competent people, informal processes, ad-hoc, absence of formal process repeatable – project management processes, basic life-cycle management processes defined – engineering processes, presence of basic life-cycle management processes and reuse of code, use of requirements management, software project planning, quality assurance, configuration management practices managed – product and process improvement, quantitatively controlled Optimizing – continuous process improvement Works with an IDEAL model

Software Capability Maturity Model (CMM)

Programmers create code. Unit testing Check modules. Prototyping, Verification, Validation

Software Development

a design methodology which addresses risks early and often

Spiral

Angular = progress made Radial = cost Lower left = development plans Upper left = objectives of the plans, alternatives checked Upper right = assessing alternatives, risk analysis Lower right = final development Left horizontal axis = includes the major review required to complete each full cycle

Spiral Model

program that inappropriately collects private data or activity

Spyware

a type of malformed input that takes advantage of an appropriate true conditional logic statement adding a request for data that is against the security policy

SQL Injection

an area of memory used to hold temporary data. It grows and shrinks throughout the duration of a program’s runtime.

Stack

occurs when a buffer has been overrun in the stack space. When this happens, the return address is overwritten, allowing for arbitrary code to be executed.

Stack Overflow

Hides modifications to files or boot records and itself

Stealth virus

LIBC function call is more commonly misimplemented because it copies data from one buffer to another without any size limitation

strcpy

Social engineering best attack method to beat

Strong Passwords

Database systems commands used to create, access, and modify data

SQL - Structured Query Language

Develop detailed design specs, Review support documentation, Examine security controls

System Design Specifications

Contaminates BIOS command other system files. It is often a memory resident virus

System infector

project management process with following phases: design and development, production, distribution, operation, maintenance, retirement, and disposal

System Life Cycle

include all compiled languages

Third-Generation Languages (3GL)

Reduce the number of security-related design and coding flaws, reduce severity of non-security related files, not to reduce number of threat vectors

Threat Modeling

a race condition where the security changes during the object’s access

Time of Check/Time of Use

(Backdoors) (maintenance hooks) a programming device used in development to circumvent controls.

Trapdoors

a program with an inappropriate second purpose

Trojan horse

Pretend to do one thing while performing another

Trojans

Row or record

Tuple

a software simulation of a platform that can execute code. It allows code to execute without being tailored to the specific hardware processor.

Virtual Machine

independent malware that requires user interaction to execute

Virus

an exposure that has the potential to be exploited. Most are specific software bugs or logic errors.

Vulnerability

Reinterpretation where verification evaluates the product during development against specification and validation refers to the work product satisfying the real-world requirements and concepts. Verification=doing the job right Validation:= doing the right job

Waterfall including Validation and Verification (V&V)

a design methodology which executes in a linear one way fashion Can be managed if developers are limited going back only one step. If rework may be done at any stage it’s not manageable. Problem: it assumes that a phase or stage ends at a specific time. System Requirements-> Software Requirements -> Analysis -> Program Design -> Coding -> Testing -> Operations & Maintenance

Waterfall

autonomous malware that requires a flaw in a service

Worm

a family of computer architectures commonly associated with Intel

x86

meant to describe an exploit that has been released on or before the corresponding vulnerability has been publicly released

0day

a distributed system’s transaction control that requires updates to complete or rollback

2-phase commit

a fundamental principle behind object-oriented programming, users of an object only need to know the proper syntax for using an object and the type of data that will be returned as a result

Abstraction

Separation of duties, security testing, data validation, bounds checking, certification, accreditation, part of release control

Acceptance Testing and Implementation

unsolicited advertising software

Adware

Summarize large amounts of data and provide only summary information as a result

Aggregate

Emphasis on customer needs for new functionality that quickly meets those needs in an iterative fashion. - Individuals and interactions over processes and tools - Working software over comprehensive documentation - Customer collaboration over contract negotiation - Responding to change over following a plan

Agile Software Development

a covert storage channel on the file attribute, also File system forks

Alternate Data Streams

a unique identifier and a secret token for authentication, generally have a set of access rights on the API associated with it

API Keys

Initiation Development/Acquisition Implementation/Assessment Operations and Maintenance Disposal

800-64

I Plan and Set Projects to Categorize Information Systems And Assess Engineering Initiate Project - Security Planning Categorize Information System Assess Business Impact Assess Privacy Impact Ensure Secure System Development

800-64 Initiation

Outputs - Supporting Documents, Common Understanding of Security Expectations, Initial Schedule of Security Activities or Decisions

Initiate Project - Security Planning

Outputs - Security Categorization, High-Level Security Requirements, Level of Effort or Rigor Estimates

Categorize Information System

Outputs - Linkage to Business Drivers, Core System Components, Initial Recovery Time and Point Objectives

Assess Business Impact

Output - Privacy Impact Assessment

Assess Privacy Impact

Outputs - Security Training for Development Team, Quality Assurance Plans, Development and Coding Standards

Ensure Secure System Development

Doctor’s Assistant’S SCissoRs needed for Preparation of Surgery Room which is FAR from Rest Medical Room Determine Acquisition Strategy System Concept Review Performance Specification Review Financial Approval or Review Risk Management Review

800-64 Initiation Phase Control Gates

ARchitect designS inSpector Documents Silly Codes interior Designer Selects Artwork Environment Is not Safe in DC so Determine Security Domains and ConTinue building Assess Risk to System Select and Document Security Controls Design Security Architecture Engineer in Security and Develop Controls Develop Security Documentation Conduct Testing

800-64 Development/Acquisition

Outputs - Risk Assessment

Assess Risk to System

Outputs - System Security Plan

Select and Document Security Controls

Outputs - List of Shared Services and Shared Risk, Schematic of Security Integration, Identification of Common Controls

Design Security Architecture

Outputs - Documented in Place Security Control Specification, List of Variations from Plan, Potential Test Scenarios

Engineer in Security and Develop Controls

Output - Additional Security Documentation

Develop Security Documentation

Output - Test Results and Implications

Conduct Testing

Agent of Dteam Reads Player’s Rating For TomoRrow Rowing Match Race Architecture or Design Review Performance Review Functional Test Review Risk Management Review

800-64 Development/Acquisition Phase Control Gates

IS Enterprise or Starship ASSimilated Integrate Security into Environments or Systems Access System Security

800-64 Implementation/Assessment

Outputs - Verified List of Operational Security Controls, Completed System Documentation

Integrate Security into Environments or Systems

Outputs - Security Assessment Report, Input for POA&M

Access System Security

Some Tablets are Ready for Roaming like anDRRoid Finish Please Soon and Fund Riches so I can Travel to Delaware or CAlifornia System Test Readiness Review Deployment Readiness Review Final Project Status and Financial Review IT Deployment or Connection Approval

800-64 Implementation/Assessment Phase Control Gates

Review OR Pass Configuration to Management Committee in CC e-Mail Review Operational Readiness Perform Configuration Management and Control Conduct Continuous Monitoring

800-64 Operations and Maintenance

Output - Evaluation of Security Implications due to Changes

Review Operational Readiness

Outputs - CCB Decisions, Updated Security Documentation, Security Evaluations

Perform Configuration Management and Control

Outputs - POA&M Review, Documented Results of Continuous Monitoring, Revised Security Authorization Package, Security Reauthorization Decision

Conduct Continuous Monitoring

Operational Readiness Review for Change Control Board to conduct Plan Of Actions and Milestones Review to determine Authorization Decision Operational Readiness Review Change Control Board POA&M Review Authorization Decision

800-64 Operations and Maintenance Phase Control Gates

BE Determined Troll even though you are SMall Ensure IP for DHS and CS Build and Execute Disposal or Transition Plan Sanitize Media Ensure Information Preservation Dispose of Hardware and Software Close System

800-64 Disposal

Output - Disposal/Transition Plan

Build and Execute Disposal or Transition Plan

Output - Media Sanitization Records

Sanitize Media

Outputs - Index of Information, Location, Retention Attributes

Ensure Information Preservation

Disposition Records for Hardware and Software

800-64 Dispose of Hardware and Software

Documentation Verifying System Closure

Close System

Some Clean Rooms for Clowns, CowBoys are Sure to be Ready for their Coming System Closure Review Change Control Board Security Review of Closure

800-64 Disposal Phase Control Gates

System Security Engineering

800-160 SSE

System Life Cycle Processes

Agreement Processes Organizational Project-Enabling Processes Technical Management Processes Technical Processes

Agreement Processes

Acquisition Supply

Organizational Project-Enabling Processes

our prince Leaves Monarchy In Frustration. Please May Harry Ride Quickly Maybe Kissing Meghan. LM Life Cycle Model Management IF Infrastructure Management PM Portfolio Management HR Human Resource Management QM Quality Management KM Knowledge Management

Technical Management Processes

Tech Managers Configure and PRIMP for Dairy Queen CM Configuration Management PL Project Planning RM Risk Management IM Information Management MS Measurement PA Project Assessment and Control DM Decision Management QA Quality Assurance

Technical Processes

BAss SNeaks SR ARound DEan SAys IP INsults VEry TRicky VAlues OPen MAd DShield Business or mission analysis (BA) Stakeholders needs and requirements (SN) System requirements definition (SR) Architecture definition (AR) Design definition (DE) System Analysis (SA) Implementation (IP) Integration (IN) Verification (VE) Transition (TR) Validation (VA) Operation (OP) Maintenance (MA) Disposal (DS)

Security Design Principles

Security Architecture and Design Security Capability and Intrinsic Behavior Life Cycle Security

Security Architecture and Design

Clear Abstractions Hierarchical Trust Least Common Mechanisms Inverse Modification Threshold Modularity and Layering Hierarchical Protection Partially Ordered Dependencies Minimized Security Elements Efficiently Mediated Access Least Privilege Minimized Sharing Predicate Permission Reduced Complexity Self-Reliant Trustworthiness Secure Evolvability Secure Distributed Composition Trusted Components Trusted Communication Channels

Security Capability and Intrinsic Behavior

Continuous Protection Secure Failure and Recovery Secure Metadata Management Economic Security Self-Analysis Performance Security Accountability and Traceability Human Factored Security Secure Defaults Acceptable Security

Life Cycle Security

Repeatable and Documented Procedures Secure System Modification Procedural Rigor Sufficient Documentation

Identify Develop viewpoints Harmonize models, views, and secure function Relate views to design Select Manage

ARchitecture definition

Prepare Establish characteristics for system element Assess alternatives

DEsign definition

Identify problem that requires analysis Identify and validate assumptions of analysis Record results of analysis

System Analysis

Build or adapt system elements Develop training materials Record results and any anomalies Maintain traceability

Implementation

Identify training Demonstrate achievement of security aspects Commission for operation Record security aspects of transition and anomalies encountered

Transition

Define maintenance strategy Review incident reports to identify maintenance needs Implement restoration after failure Identify when maintenance is required Perform logistics support Manage maintenance and logistics

MAintenance

Initiation - Stakeholders Needs, Verification Development/Acquisition - Architecture, Design, Verification Implementation/Assessment - System Analysis, Implementation Operations/Maintenance - Transition, Maintenance

800-64 to 800-160 map

A1 Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Controls: Parameterize queries, Validate all inputs

Threat Injection

A2 Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. Controls: Implement identity and authentication controls

Threat Broken Authentication

A3 Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Controls: Implement appropriate access controls, Protect data, Encryption protection of sensitive data, Error and exception handling

Threat Sensitive Data Exposure

A4 Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. Controls: Validate all inputs

Threat XML External Entities (XXE)

A5 Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. Controls: Enforce access controls

Threat Broken Access Control

A6 Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion. Controls: Web server configuration hardening

Threat Security Misconfiguration

A7 XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Controls: Encode data

Threat Cross Site Scripting (XSS)

A8 Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. Controls: Verify for security early and often

Threat Insecure Deserialization

A9 Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Controls: Take advantage of security frameworks and libraries

Threat Using Components with Known Vulnerabilities

A10 Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. Controls: Error and exception handling, Implement logging and intrusion detection

Threat Insufficient Logging and Monitoring

Software configuration management (SCM) should primarily address which of the following questions?

What constitutes a software product at any point in time?

The security-planning document developed in the development/acquisition phase of a system development life cycle contains what?

Configuration management plan Contingency plan Incident response plan Plan of actions and milestones System interconnection agreements Security tests and evaluation results Rules of behavior Risk assessment Security awareness and training plan

Boundary-value analysis is conducted in which of the following phases of a system development life cycle (SDLC)?

Implementation

Which of the following application settings used to prevent malware incidents will help stop phishing and spyware delivery?

Blocking Web browser pop-up windows Filtering spam Filtering website content

In a distributed computing environment, replicated servers could have negative impact on what?

Scalability

Which of the following security principle balances various variables such as cost, benefit, effort, value, time, tools, techniques, gain, loss, risks, and opportunities involved in a successful compromise of security features?

Work factor

Which of the following is similar to security certification and accreditation?

Quality control

What is true when dealing with security principles for securing an application environment?

Data-hiding techniques should be practiced during program testing and software maintenance. Design for protection mechanisms should be simple and small in size. Information security functions should be isolated from non-security functions.

Big bang software application testing approach

a testing approach where all the individual components or modules of a software application are tested together, often in a single, comprehensive testing phase. Unlike other testing methods that involve incremental integration and testing of components, Big Bang Testing focuses on evaluating the entire system’s functionality as a whole. This approach is typically employed after the individual units or modules have undergone unit testing. Once these units are ready for integration, they are combined in a “big bang,” and testing is carried out on the complete system.

Finite State Machines are used in what phase?

Initiation