Domain 8: Software Development Security Flashcards

1
Q

DAST

A

Dynamic Application Security Testing

Scans, enumerates, and runs synthetic transactions against an application's runtime services to assess its security

2
Q

Buffer overflow

A

A buffer overflow occurs when an application buffer is populated with data that exceeds the capacity allocated to it, causing the excess data to “overflow” into adjacent memory (thereby overwriting it with the excess data). Buffer overflow attacks exploit this to overwrite memory locations that contain application code with malicious code (that is incorporated into the excess data).

3
Q

Agile

A

The Agile model allows for developers to jump from one process to another, editing as they desire based upon customer needs.

Developed in the mid-1990s

4
Q

Waterfall

A

The waterfall method does not allow developers to go backward and fix changes, making any development typically permanent.

6 total stages:

  1. System requirements / Feasibility
  2. Software requirements / Analysis
  3. Design
  4. Code and debug / Implement
  5. Testing
  6. Operations and maintenance

Developed in 1970

5
Q

Spiral software development

A

The spiral method will allow a developer to eventually come back and fix something, but they won’t have more than a few chances and they must wait to implement the changes.

The spiral model has an emphasis on risk analysis and prototyping.

Developed in 1988

6
Q

Integrated development environment

A

These refer to development environments that are designed to help maximize developer productivity and provide reusable components with the same or similar interfaces. They typically present a single architecture in which the development can be done. An IDE typically has these components:

Source code editor
Build automation tools
Debuggers
Class browser
Object browser
Class hierarchy diagram
Version control to help develop graphical user interfaces

Sometimes Linux distros can be considered an IDE as well.

7
Q

Fail-Secure

A

The fail-secure failure state puts the system into a high level of security (and, in some cases, disables it entirely) until an administrator has the chance to diagnose the issue and restore the device to regular operation.

8
Q

Capability Maturity Model (CMM)

A

The software capability maturity model is based on the principle that a mature software development process will produce quality software.

Has 5 maturity levels.

9
Q

T/F: Viruses can reproduce without a legitimate host application.

A

False

10
Q

SCMM

A

Software Capability Maturity Model

Same as CMM (Capability Maturity Model)

The software capability maturity model is based on the principle that a mature software development process will produce quality software.

11
Q

Object-Oriented Programming

A

Object-Oriented Programming (OOP) relies on the relationship between classes and objects. Objects inherit information from their assigned class. This allows programmers to be more efficient with their code. OOP code scales better and is easier to modify.

Examples: Java, .NET, C++, Python

12
Q

Referential Integrity

A

Database concept

Requires that the foreign key be equal to the valid primary key of a different table.

Foreign Key = value that references the primary key of a tuple in a different table

Primary Key = unique value for each tuple in a table. Usually the first column of a table but not always.

13
Q

Types of Databases

A

Relational

Object-oriented

Hierarchical

14
Q

Relational DB

A

Consists of flat, two-dimensional tables of rows and columns. Similar to a spreadsheet file. Provides for one to one data structure/mapping.

Relation = the entire table
Attribute = column
Tuple = row
Domain of an attribute = number of allowable values that attribute can take

15
Q

Hierarchical DB

A

Combines records and fields that are related into a logical tree structure. Results in a ‘one to many’ data model where each node may have zero, one, or many children but only one parent.

16
Q

Object Oriented DB

A

Designed to resolve some of the limitations of large relational databases. Object-oriented databases don’t employ advanced language such as SQL but support modeling and the creation of data as objects.

Works with traditional database information and also complex data types such as diagrams, schematic drawings, videos, and sound and text documents.

17
Q

SAMM

A

Software Assurance Maturity Model

A software assurance maturity model (SAMM) ensures proper development practices in software by combining five major aspects of the process into a framework to promote security. Essentially, SAMM ensures software development includes governance, design, implementation, verification, and operations.

18
Q

IDEAL Software Dev model - what does it stand for? How many phases?

A

The IDEAL software development model has 5 phases. The phases are as follows:

Initiating
Diagnosing
Establishing
Acting
Learning

19
Q

Interpreted vs Compiled languages

A

Compiled language: the programmer uses a tool called a compiler to convert source code into an executable file for use on a specified OS. Examples: C, Java, Fortran

Interpreted language: code is distributed in its original source form as written by the programmer. A user could conceivably open the source file and see the exact code. Examples: Python, R, JavaScript, VBScript

20
Q

Security Onion

A

SIEM/IDS/IPS tool

21
Q

Try…Catch function

A

An example of error handling used in software development. It is a form of input handling for the event that a user enters an unexpected input value.

Exception handling is closely related to error handling, except the exception handling technique doesn’t seek to execute the code in error. Error handling does in fact execute the code in error in an attempt to still manage it properly.

22
Q

Error Handling

A

Inclusion of code that attempts to handle errors when they arise before they cause harm or interrupt execution.

23
Q

Exception Handling

A

Programmer codes in mechanisms to anticipate and defend against errors in order to avoid termination of execution.

24
Q

Inheritance

A

The process whereby an object receives some of its characteristics from a class.

25
Q

What is a Row called in a relational database?

A

Tuple or record

26
Q

Output Encoding

A

Output encoding is an application security technique used to ensure that certain characters within form inputs are processed as data and not potentially misinterpreted as programming syntax (which could be used to inject malicious code, if processed).

For example: the conversion of certain characters within website form inputs (e.g., the single quote ') into their HTML character entity reference equivalents (e.g., &apos;) prior to processing.

27
Q

SDx

A

Software Defined Everything: Software-defined everything (SDx) refers to replacing hardware with software through virtualization.

e.g., VMs, software-defined networking, virtual SAN.

28
Q

ACID Test

A

Atomicity, Consistency, Isolation, Durability (ACID) are a set of properties that ensure data written to the database is accurate and trustworthy.

Atomicity – Ensures that the entire transaction is successful or it is rolled back. If a portion of the transaction fails, everything is rolled back as if none of the transaction took place.

Consistency – Ensures that transactions cannot bring the database from a valid state to an invalid state. All records must follow the database rules. For example, records must have a primary key.

Isolation – Ensures that concurrent transactions do not interfere with each other.

Durability – Ensures that the changes will remain after a transaction is completed and cannot be rolled back.

29
Q

Logic Bomb

A

Logic bombs are programs or code that execute when certain conditions are met. It is common for IT or development personnel to hide malicious programs somewhere in a computer network that executes if their user account is ever disabled.

30
Q

Is Security a standard component/consideration of DevOps?

A

NO

31
Q

Agile Manifesto

A

The Agile Manifesto is a document created in 2001 that defines the core philosophy of the Agile development model. Has 12 principles.

32
Q

PAAS

A

Platform as a Service: Provides consumer with compute platform, including hardware and OS, and runtime environment.

33
Q

Heuristic detection

A

Heuristic detection, sometimes called behavior detection, analyzes the characteristics and structure of code to detect malware. If the code has too many negative characteristics, it will be quarantined.

Ex. looks for attempts to elevate privilege, cover electronic tracks, and alter unrelated or OS files.

34
Q

Is Python an example of PAAS?

A

Python is a platform as a service (PaaS) because it’s a programming tool serving as a platform off of which to design other programs and applications.

In context of CISSP, most coding languages may be considered PAAS.

35
Q

What gen is Assembly Language?

A

Gen 2

Assembly is a generation two language. Assembly is a very low-level language that requires intricate knowledge of the system’s architecture. Programs written in Assembly are hardware-specific and are not compatible between different central processing unit (CPU) types.

36
Q

Gen 1 code

A

Written in binary (machine code)

37
Q

Gen 2 code

A

Assembly

38
Q

Gen 3 code

A

Uses meaningful words in mostly English for commands; e.g. COBOL, Java, and C.

39
Q

Gen 4 code

A

Report and application generators. Examples: SQL, FoxPro, Focus

40
Q

Gen 5 code

A

Natural language interfaces (aka: constraint based or logic programming), requires an expert system or AI, typically has visual tools to help with programming and does not require the developer to learn a specific language.

41
Q

SQL Candidate key

A

This key can be used to identify any record.

Each table may have one or more candidate keys, but one candidate key is special, and it is called the primary key.

42
Q

Rootkit

A

A rootkit is used to achieve or maintain elevated privileges on a victim’s host. Rootkits frequently masquerade as system-level services to help remain undetected. Rootkits often have kernel-level access and are very difficult to detect or remove.

43
Q

DAST

A

Dynamic Application Security Testing

44
Q

ODBC

A

Open Database Connectivity

Is a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type. ODBC acts as a proxy between applications and back-end database drivers, giving application programmers greater freedom in creating solutions.

45
Q

Code Versioning

A

Code versioning forces developers to document each revision or change in a codebase. All changes are tracked and saved. Organizations should use code versioning to review changes made to code or roll changes back if needed. Common examples of code version control software are Git and SVN.

46
Q

Reasonableness check

A

A reasonableness check ensures that data outputted from software falls within the specified boundaries. For example, ensuring that a person’s height is not negative or more than 10 feet.

47
Q

COTS

A

Commercial-Off-The-Shelf [software]

Examples of well-known COTS applications include Microsoft Office, Intuit QuickBooks, and Adobe Creative Cloud.

48
Q

Software escrow

A

A software escrow process is when a third party maintains the source code in the event that a customer needs it when a vendor or company that initially developed the code no longer exists.

49
Q

Six Sigma

A

Six Sigma is a process improvement methodology, not a software development methodology. Six Sigma is focused on quality management and is part of quality assurance (QA) and testing.

50
Q

Secondary Storage

A

Secondary storage is inexpensive and nonvolatile and includes items such as hard drives, flash drives, and CDs/DVDs.

All familiar long-term storage devices that are used every day.

51
Q

Portable Code

A

Portable code is code that can function in any environment without a compiler. This code is typically found in a runtime environment. Specifically, it is the code providing the functionality of an operating system for a virtual machine, for example. These file types can often be seen as “.iso” images.

52
Q

Session hijacking

A

Session hijacking occurs when captured authentication details are utilized by a malicious actor to assume the identity, and act on behalf of, one of the parties in that session, to the other party.

53
Q

Gantt Chart

A

Type of bar chart that shows interrelationships over time between projects and the schedule. Helps plan, coordinate, and track specific tasks.

54
Q

What is the most common character used in a SQL injection attack?

A

The single quote (')

This is used in normal SQL queries and must be handled carefully on web forms.

55
Q

SW-CMM

A

Software Capability Maturity Model:

5 phases

  1. Initial
  2. Repeatable
  3. Defined
  4. Managed
  5. Optimizing

56
Q

Scrum

A

Methodology for managing software development. Includes daily standup meetings called Scrums. Sprints are short periods of intense activity of 1 to 4 weeks.

57
Q

Change management Step 1

A

Request Control

Requests for change are made, managers review them, and developers prioritize the tasks.

58
Q

Change management Step 2

A

Change Control

Developers re-create the situation encountered by the user to analyze the changes needed to remedy the situation.

59
Q

Change management Step 3

A

Release Control

Once changes are finalized, they must be approved for release. Double checking is done, and any code added as a debugging aid is removed.

60
Q

Worm vs Virus

A

Worms self-propagate independently; viruses do not. Viruses require a host action.

61
Q

Privacy by Design

A

PbD

Proactive not Reactive; Preventative not Remedial
Privacy as the Default Setting
Privacy Embedded into Design
Full Functionality — Positive-Sum, not Zero-Sum
End-to-End Security — Lifecycle Protection
Visibility and Transparency – Keep it Open
Respect for User Privacy – Keep it User-Centric

62
Q

What is a Thread

A

A thread is an individual instruction set that must be worked on by the CPU. Threads can execute in parallel with other threads that are part of the same parent process. This is known as multithreading.

63
Q

Persistent vs non-persistent XSS

A

Cross site scripting

If the XSS payload is injected into a site and now lives there, it is considered persistent.

64
Q

Fagan Inspection

A

Code review process that has 6 steps.

Planning, overview, prep, inspection, rework, and follow-up

65
Q

Keep it Simple

A

AKA KISS

The idea that you don't unnecessarily over-complicate a piece of software or a system.

66
Q

Define “Class” in Object Oriented Programming

A

Many objects with similar callable methods are considered to be in the same ‘class.’

67
Q

Cardinality - in a DB

A

Cardinality = number of tuples (rows) in a DB table

68
Q

Degree - in a DB

A

Degree = number of attributes (columns) in a table