Domain 8 Software Dev Security

Question 1

What is the NIST SP800-34 SDLC?

Answer 1

1. Initiation
2. Development/Acquisition - Also System Development cycle
3. Implementation / Assessment
4. Operations/maintenance
5. Disposal

Question 2

What is whitebox testing?

Answer 2

Verifies inner program logic. Provides complete access to the program source code, details of data structures and variables.

Question 3

What is blackbox testing?

Answer 3

Integrity testing for input and output.

Question 4

What is Function testing

Answer 4

validates the application against a checklist of requirements

Question 5

What is sociability testing

Answer 5

verifies the app can operate in its target environment

Question 6

What is the Agile Software Development Flow?

Answer 6

1. System Requirements
2. Software requirements
3. Preliminary design
4. Detailed design
5. Code and debugging
6. Testing
7. Operations and maintenance

Question 7

What is valued in the Agile Software Dev Manifesto?

Answer 7

▫Individuals and Interactions more than processes and tools.
▫ Working Software more than comprehensive documentation.
▫ Customer Collaboration more than contract
negotiation.
▫ Responding to Change more than following a plan.

Question 8

What is a scrum?

Answer 8

A scrum is part of agile softwre dev and is a framework for managing software dev. This is where sprints come from

Question 9

What are the 3 functions brought together in DevOps?

Answer 9

1. Software Dev
2. Quality Assurance
3. Technology Operations

Question 10

What are the 5 stages of the Capability Maturity Model (CMM)?

Answer 10

1. Initial
2. Repeatable
3. Defined
4. Managed (Capable)
5. Optimising

Question 11

CMM: Level 1 Initial

Answer 11

Adhoc driven and undocumented

Question 12

CMM: Level 2 Repeatable

Answer 12

Some processes are repeatable.
May have some form of change control and QA

Question 13

CMM: Level 3 Defined

Answer 13

Defined processes in place and used; Qualititative process improvement in place; However process may not be used enough and users not yet competent

Question 14

CMM: Level 4 Managed

Answer 14

Process improvement program in use; processes have metrics; users are competent with the processes

Question 15

CMM: Level 5 Optimising

Answer 15

Continuous improvement implemented and budgeted for

Question 16

What is the SAMM 5 critical business functions?

Answer 16

1. Governance
2. Design
3. Implementation
4. Verification
   S. Operations

Question 17

What chart is used when time is the major factor rather than cost?

Answer 17

PERT - Program evaluation review technique.

Question 18

What is the difference between configuration management and change management?

Answer 18

Configuration management looks at changes to a specific piece of software.

Change management looks at an entire software development program.

Question 19

What are the 3 basic components to Change Management:

Answer 19

1. Request Control
2. Change Control
3. Release Control

Question 20

When are Integrated Product Teams used?

Answer 20

IPTs are used in complex development programs/projects for review and decision making.

Question 21

What is Atomicity?

Answer 21

Results of the transaction are either all or nothing

Question 22

What is consistency?

Answer 22

transactions are processed only if they meet defined integrity constraints

Question 23

What is Isolation?

Answer 23

The final results are invisible until the original transaction is complete

Question 24

What is durability?

Answer 24

Once complete, the results of the transactions are permanent.

Question 25

What is SAST?

Answer 25

Static application security testing (SAST) is a white-box testing method used to test and analyse code, syntax and componentes of an app offline

Question 26

What is DAST?

Answer 26

Dynamic application security testing (DAST) is a form of black-box testing agaisnt live systems and apps.

Question 27

What is RASP?

Answer 27

Runtime application self-protection (RASP) is run against systems that have the ability to tune and focus their security measures based on actual environment variables and particular attack methods being used against them. It is designed to react to ongoing and active events and threats. e.g. open/close ports

Question 28

What is software risk?

Answer 28

A possibility of suffering from loss in software dev process is called software risk.

Question 29

What is loss when it comes to software risk?

Answer 29

• Increase in production costs
• The development of poor quality software
• Not completing the project on time.

Question 30

What is race condition?

Answer 30

Time of Check/Time of Use, is an example of a state attack where attacker attempts to alter a condition after it has been checked by the OS

Question 31

What is a multipartite virus?

Answer 31

Aka multipart virus, that can spread via several vectors

Question 32

What is a packer?

Answer 32

A neutral technology used to shrink the size of exes and used by malware to evade signature-based detection methods.

Question 33

What is referencial integrity?

Answer 33

every foreign key in a secondary table matches a primary key in the parent table, assuring the accuracy of cross referencing between tables

Question 34

What is Semantic integrity?

Answer 34

each attribute (column) value is consistent with the attribute data type’ assures that data in any field is of appropriate type - e.g. age is an integer

Question 35

What is entity integrity?

Answer 35

each tuple has a unique primary key that is not null

Question 36

What is an object request broker (ORB)

Answer 36

This is middleware that locates a requested object on either the local system or across a network on another server

Question 37

What is Component Object Model (COM)

Answer 37

locates object on local system

Question 38

What is Distributed component object model (DCOM)?

Answer 38

locates an object on another server

Question 39

What is a Common Object Request Broker Architecture (CORBA)?

Answer 39

an object broker framework that allows different vendor products, such as computer languages, to work seamlessly across distributed networks of diversified computers.

Question 40

What is gray box testing?

Answer 40

In a gray-box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted.

Question 41

What is regression testing?

Answer 41

Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software.

It reruns a number of test cases and compares the results to baseline results.

Question 42

What are pass-around reviews?

Answer 42

Pass-around reviews are often done via email or using a central code review system, allowing developers to review code asynchronously.

Question 43

What are the goals of software threat modelling programs?

Answer 43

Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws.

Question 44

What is the proper order of steps in the waterfall model of software development?

Answer 44

In the waterfall model, the software development process follows five sequential steps that are, in order: Requirements, Design, Coding, Testing, and Maintenance.

Question 45

What is the degree in a database?

Answer 45

The degree of a db table is the number of attributes.