Domain 8. Software Development Security Flashcards

(65 cards)

1
Q

It not only focuses on the development life cycle of applications and how security needs to be involved right from the start and throughout the development phases of applications and systems, but also during the entire life of the applications, including the operations phases and decommissioning and disposal phases. In other words, security needs to be involved during an application’s entire life cycle, not just the development phase.

A

Software Development Security

2
Q

Complete each phase of development, before flowing—waterfalling—down to the next phase, until the process is complete. This model does not allow a previous phase to be revisited.

A

Waterfall

3
Q

A logical programming approach that is said to be foundational to object-oriented programming. Structured programming places heavy emphasis on structured control flow and aims to improve clarity, quality, and development time.

A

Structured Programming Development

4
Q

Divide the development process into multiple, rapid iterations of defining, developing, and deploying, with heavy customer interaction throughout the process.

A

Agile

5
Q

A version of the Agile methodology that is designed to allow large organizations with many teams to collaborate and effectively deliver software.

A

Scaled Agile Framework

6
Q

A risk-driven development process that follows an iterative model while also including elements of waterfall. The spiral model follows defined phases to completion and then repeats the process; this model resembles a spiral when mapped to paper.

A

Spiral Method

7
Q

Development process intended to produce software with a certifiable level of reliability by focusing on defect prevention.

A

Cleanroom

8
Q

Is a set of best practices that focuses on building key capabilities and benchmarking them to drive business performance. It essentially helps an organization understand how mature its processes are, what it does well, and what it needs to improve.

A

Capability Maturity Model Integration (CMMI)

9
Q

The Six CMMI Maturity Levels:

A

Maturity Level 0: Incomplete

Maturity Level 1: Initial

Maturity Level 2: Managed

Maturity Level 3: Defined

Maturity Level 4: Quantitatively Managed

Maturity Level 5: Optimizing

10
Q

The Six CMMI Maturity Levels (Level 0: Incomplete):

A

This phase is unknown and ad hoc, indicating that work may not be getting completed.

11
Q

The Six CMMI Maturity Levels (Level 1: Initial):

A

This is a reactive and unpredictable stage. It indicates that work is getting finished, but often coming in over budget and late.

12
Q

The Six CMMI Maturity Levels (Level 2: Managed):

A

This stage indicates that projects are managed and planned. The tasks are performed, key metrics are taken, and the project is controlled.

13
Q

The Six CMMI Maturity Levels (Level 3: Defined):

A

In this phase, the organization is being proactive as opposed to reactive. There are standards across the organization that guide programs, portfolios and projects.

14
Q

The Six CMMI Maturity Levels (Level 4: Quantitatively Managed):

A

This is a controlled and measured stage. It indicates that an organization is driven by data, using it to measure performance improvement objectives. These objectives meet the needs of stakeholders and are predictable.

15
Q

The Six CMMI Maturity Levels (Level 5: Optimizing):

A

This phase is flexible and stable. The organization is focused on continually improving and it is able to pivot when change and opportunity present themselves. The stability of the organization allows it to innovate and be agile.

16
Q

Aims to be the prime maturity model for software assurance, providing an effective and measurable way for all types of organizations to analyze and improve their software security posture. It supports the complete software life cycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature.

A

OWASP’s Software Assurance Maturity Model (SAMM)

17
Q

SAMM three maturity levels:

A

Level 1: Initial Implementation

Level 2: Structured Realization

Level 3: Optimized Operation

18
Q

Looks at software assurance from the high-level perspective of five business functions:

  1. Governance
  2. Design
  3. Implementation
  4. Verification
  5. Operations

A

SAMM

19
Q

Refers to hyper-focused testing of new application code/features by pushing out the changes to a small subset of users rather than to all users.

A

Canary Testing and Deployments

20
Q

Is a software application that serves as an umbrella for purposes of software development. It’s essentially a one-stop shop that provides the tools programmers need to perform their development tasks. Typical __ include the following:

Code editor, compiler, debugger, automation tools.

A

Integrated Development Environment (IDE)

21
Q

Refers to the time when code is being executed on a computer.

A

Runtime

22
Q

Focuses on quick preliminary testing after a change is made to identify any simple failures of the most important existing functionality that worked before the change was made.

A

Smoke testing

23
Q

Involves automating many of the steps for committing code to a repository, as well as automating much of the testing. This allows code changes to be frequently integrated into the shared source code and ensures that a large amount of testing is performed with little manual effort.

A

CI/CD Process

“Continuous Integration”

24
Q

Involves automating the integration and testing of code changes, but also includes delivery: automating the release of these validated changes into the repository.

A

CI/CD Process

“Continuous delivery”

25
Q

Takes things a step further and automatically releases the code changes into production so that they can be used by customers. With continuous deployment, code changes can be automatically put into production without further human intervention, as long as they pass through all of the testing and there are no issues. If there is an error in any of these steps, the changes get sent back to the developer.

A

CI/CD Process

“Continuous Deployment”

26
Q

Focuses on managing changes in software and is part of the overall configuration/change management. Like other configuration/change management activities, __ best practices include baseline establishment and revision control, build and process management, and the facilitation of strong teamwork among the software development team.

A

Software Configuration Management (SCM)

27
Q

Most notable benefits of SCM:

A

  1. Process to systematically manage, organize, and control the changes in the documents, code, and so on during the SDLC
  2. Part of overall configuration management/change management
  3. Increased productivity while minimizing mistakes

28
Q

A storage location for software and application source code.

A

Code repositories

29
Q

The ability of an object—a piece of code—to inherit characteristics of previously created objects.

A

Inheritance

30
Q

The idea that an object—a piece of code—can be placed inside another. Other objects can be called by doing this, and objects can be protected by encapsulating or wrapping them in other objects.

A

Encapsulation

31
Q

Like a polymorphic virus that can change its behavior to avoid detection, __ in programming refers to code that can change based upon requirements. Think of it as “smart code” that can understand the environment and respond accordingly to meet the needs presented by objects in the environment.

A

Polymorphism

32
Q

Refers to something being instantiated into multiple separate or independent instances.

A

Polyinstantiation

33
Q

Types of Obfuscation:

A

  1. Lexical Obfuscation: modifies the look of the code (changing comments, removing debugging information, and changing the format of the code). Easiest but weakest form of obfuscation.
  2. Data Obfuscation: modifies the data structures.
  3. Control Flow Obfuscation: modifies the flow of control through the code (reordering statements, methods, and loops, and creating irrelevant conditional statements).

34
Q

Single row of a two-dimensional table within a relational database.

A

Tuple

35
Q

Single column of a two-dimensional table within a relational database.

A

Attribute

36
Q

The intersection of a row (tuple) and a column (attribute) is a single __ of data.

A

Field

37
Q

One or more columns whose values uniquely identify a tuple (row) within a relational database. For example, AuthorID in the authors table.

A

Primary Key

38
Q

One or more columns whose values in a table refer to the primary key in another table. AuthorID would be the primary key in the authors table. Any books in the books table by an author would have a __ referring to the author in the authors table.

A

Foreign Key

39
Q

Ability for multiple processes to access or change shared data at the same time.

A

Concurrency

40
Q

Prevent data corruption when multiple users try to write to the database simultaneously. A record can be locked.

A

Lock Controls

41
Q

Relates to how information and transactions in a relational database management system (RDBMS) environment should be treated.

A

ACID (atomicity, consistency, isolation, durability)

42
Q

ACID:

A

A (Atomicity): All changes take effect or none at all

C (Consistency): Consistent with the rules

I (Isolation): Transactions are invisible to other users until complete

D (Durability): Completed changes will not be lost

43
Q

Is data about other data.

A

Metadata

44
Q

Software Assurance Phases for Acquisition:

A

  1. Planning/requirements
  2. Contracting
  3. Acceptance
  4. Monitoring and follow-on

45
Q

Takes place when application input information exceeds the storage space—the buffer—allocated to store that information. __ conditions are not uncommon and typically can only be fixed through application of a software patch.

A

Buffer Overflows

46
Q

Unintentional communications path that has the opportunity of disclosing confidential or sensitive information. Two types of covert channels exist: timing and storage.

A

Covert Channels

47
Q

The ability to overwrite storage where secure and sensitive information has been written or stored. Most applications don’t have the ability to overwrite storage where sensitive information has been written, which can lead to this information being available or viewable by other applications.

A

Memory/Object Reuse

48
Q

Is code that is downloaded to a system and then run on the system. This may happen because of clicking a link on a webpage or in an email. Once the link is clicked, the code downloads to the machine and runs locally, and therefore it is referred to as “mobile” code. If the code is malicious, serious harm could follow. A protective measure is to test the code in a sandbox environment first.

A

Executable Mobile Code

49
Q

Refers to time-of-check/time-of-use, and it may also be referred to as a “race condition.” This occurs when a time gap exists between when a value is checked/enforced and when the value is used. This gap leaves room for malicious activity to occur.

A

TOCTOU

50
Q

Are intentionally put in place by developers so they can quickly access an application to perform legitimate work. They’re sometimes also referred to as maintenance hooks.

A

Backdoors/Trapdoors

51
Q

Input that does not meet certain criteria or rules. Data or input validation functionality should exist in applications and check data before it is accepted. In fact, inadequate input validation is one of the leading causes of attacks on web applications, and it routinely shows up in OWASP’s Top 10 vulnerabilities list.

A

Malformed Input

52
Q

Is a term that politely refers to normal users having access to powerful programming and similar tools. A perfect example of this is giving users access to SQL query tools, so they can perform their own queries against the contents of a database instead of relying on somebody to do the work for them. As a result, these users often have access to very functional and powerful tools without commensurate security skills to protect their activities. Policies, security awareness, training, and education can help alleviate and bridge this gap.

A

Citizen Developers

53
Q

Is a common problem with applications and happens when information sent to a storage buffer exceeds the capacity of the buffer.

A

Buffer overflow

54
Q

Can be used to protect against buffer overflows.

A

Address space layout randomization (ASLR)

55
Q

Another way to protect against buffer overflows.

A

Parameter/bounds checking

56
Q

Provide a way for applications to communicate with each other; act as translators.

A

Application Programming Interfaces (APIs)

57
Q

Two of the most common APIs are:

A

Representational State Transfer (REST):
  - Newer; a more flexible and lighter-weight alternative to SOAP
  - HTTP based
  - Easy to learn and use
  - Fast in processing
  - Output can take several forms, including CSV, JSON, RSS, and XML

Simple Object Access Protocol (SOAP):
  - Older; originally developed by Microsoft
  - More rigid and standardized
  - XML-based
  - Extensible through use of WS standards
  - Strong error handling

58
Q

Indicates the level of relatedness between units of a code base.

A

Coupling

59
Q

Indicates the level of relatedness within the code that makes up a unit of code.

A

Cohesion

60
Q

Meaning units of code can stand alone and are not dependent on other units of code to function.

A

Low coupling

61
Q

Meaning the code that makes up a unit of software is highly related.

A

High Cohesion

62
Q

Refers to something being instantiated into multiple separate or independent instances, and can be used to prevent unauthorized inference.

A

Polyinstantiation

63
Q

Testing method that analyzes source code.

A

Static Application Security Testing (SAST)

64
Q

Examines an application while it’s running.

A

Dynamic Application Security Testing (DAST)

65
Q

Combines elements of both SAST and DAST: testing is performed while the application is running (DAST), with access to the code (SAST).

A

Interactive Application Security Testing (IAST)