Domain 8, Understanding, applying, enforcing software security

Question 1

XP, Extreme programming

Answer 1

XP utilizes a concept known as pair programming, which pairs developers. Uses refactoring code - a way of removing obsolete, redundant, or unneeded code to improve software’s functionality

Has five core practices

Question 2

Object

Answer 2

black box that combines code and data, sends and receives messages.

Question 3

Object-oriented protramming

Answer 3

Treats a program as a series of connected objects.

Question 4

Procedural languages

Answer 4

use subroutines, procedures, and functions

Question 5

Spiral Model

Answer 5

Software dev model designed to control risk. Based off of the Waterfall model, with improvements.

Question 6

Systems development life cycle, SDLC

Answer 6

A dev model that focuses on security in every phase

Question 7

Waterfall model

Answer 7

An application dev model that uses rigid phases, when one ends, the next begins. No going back a step once one ends.

M

Question 8

SEI Capability maturity model

Answer 8

Software maturity model. Goal to develop a methodical framework for creating quality software which allows measurable and repeatable results.

Question 9

Machine code

Answer 9

1s and 0s, machine/cpu dependent

Question 10

Source Code

Answer 10

Computer programming language which is written in text and must be translated to the machine code

Question 11

Assembler

Answer 11

Converts assembly language into machine language

Question 12

Complier

Answer 12

Converts an entire program into machine code. Produces an entire program written in machine code.

Question 13

Interpreters

Answer 13

Converts code into machine code line by line. Simply feeds commands line by line from source code to interpreted machine language.

Question 14

First gen language

Answer 14

machine code

Question 15

2nd gen language

Answer 15

Assembly

Question 16

3rd gen language

Answer 16

COBOL, C, Basic

Question 17

Fourth gen language

Answer 17

ColdFusion, Progress 4GL, Oracle Reports

Question 18

CASE

Answer 18

Computer Aided Software Engineering. Uses computers to assist in the creation and maintenance of other computer programs

Question 19

Computer Aided Software Engineering - Tools

Answer 19

Supports only specific tasks in the software production process

Question 20

Workbenches

Answer 20

Support one or a few software process activities by integrating several tools in a single application

Question 21

Environments

Answer 21

(Integrated Development Environment) Support all or at least part of the software production process with a collection of tools and workbenches

Question 22

free software gratis - AKA Freeware

Answer 22

software that is free of charge

Question 23

Free software libre

Answer 23

free to alter the program

Question 24

shareware

Answer 24

free for X amount of days

Question 25

crippleware

Answer 25

pay to enable locked features

Question 26

crippleware

Answer 26

pay to enable locked features

Question 27

Prototyping

Answer 27

Iteerative aproach to

Question 28

Prototyping

Answer 28

Iteerative aproach to

Question 29

NIST SP 800-14

Answer 29

NIST process for systems development life cycle

1. operation and maintenance
2. secure disposal/decomissioning

Question 30

NIST SP 800-14

Answer 30

NIST process for systems development life cycle

1. operation and maintenance
2. secure disposal/decomissioning

Question 31

Code repository Security Controls

Answer 31

Largely falls under the other corporate security controls discussed previously. Defense in depth, secure authentication, firewalls, version control, etc.

Question 32

Software Change MGMT

Answer 32

Broader than Software Config Mgmt. Tracks changes across an entire software dev program as it is developed, maintained, and eventually retired

Question 33

Software Config managment

Answer 33

Narrower than Software Change Mgmt.

Tracks changes to specific software

Question 34

NIST 80-128

Answer 34

Guide for security focused config mgmt.

Question 35

NIST 80-128

Answer 35

Guide for security focused config mgmt.

Question 36

Config congrol board, CCB

Answer 36

Group of qualified people responsible for controlling and approving changes

Question 37

Config item identification

Answer 37

methodology for selecting and naming config items that need to be placed under CM.

Question 38

Config change control

Answer 38

PRocess fo rmanging updates to the baseline config

Question 39

Config monitoring

Answer 39

process for assessing or testing the level of compliance.

Question 40

DevOps

Answer 40

Traditionally there was separation of duties between devs, QA teams, and production teams.

DevOps flips this around, having Operations and development engineers work together in entire service lifecycle.

Question 41

Object oriented Design

Answer 41

treats projects as a series of connected objects that communicate to each other.

Question 42

Cornerstone OOP Concept - Inheritance

Answer 42

way to reuse code of existing projects, establish a subtype from an existing project.

Question 43

Cornerstone OOP Concept - Delegation

Answer 43

one object relying on another to provide a set of functionalities

Question 44

Cornerstone OOP Concept - Polymorphism

Answer 44

ability to create a variable/function/object that has more than one form

Question 45

Cornerstone OOP Concept - Polyinstantiation

Answer 45

Two instances with the same name that contains different data.

i.e. two different accounts may have a variable of the name, “account number” but the values would be different.

Question 46

Coupling and Cohesion

Answer 46

highly coupled object- requires other objects to do anything.

Highly coherent object - can run independently

Question 47

object request broker

Answer 47

used to locate objects. Act as search engines.

COM, DCOM, and CORBA

Question 48

CORBA

Answer 48

common object request broker architecture.

Question 49

OOA and OOD

Answer 49

Object oriented analysis and design. Very high level conceptual visualization of how a project or program should work.

Question 50

Software Vulnerabilities: Hard Coded Creds

Answer 50

backdoor user/pass leftover from production. AKA Maintenance hook.

Question 51

SQL injection

Answer 51

manipulation of back end server via front end web server

Question 52

Software Vulnerability: Directory Path Traversal

Answer 52

escaping from the root of a web server by referencing other directories.

Question 53

Full disclosure

Answer 53

If you find a vulnerability, you need to disclose. Full disclosure goes public.

Question 54

Responsible disclosure

Answer 54

privately share with vendor.

Question 55

Relational Database model

Answer 55

two-dimentional, table is called a relation.

Tables have rows and columns. Row = tuple, column = attribute, cell = value

Question 56

Primary Key

Answer 56

relational DB value that represents each tuple.

Question 57

Primary Key

Answer 57

relational DB value that represents each tuple.

Question 58

Foreign key

Answer 58

Relational DB. Key in a related DB that matches the primary key in a parent DB.

Question 59

Referential integrity

Answer 59

every foreign key in secondary tables matches a primary key.

Question 60

Semantic Integrity

Answer 60

Each attribute (column) value is consitent with attribute data type.

i.e. you wouldn’t put someones name as a value in the attribute for social security number.

Question 61

Entity Integrity

Answer 61

each tuple has a unique primary key that is not null.

Question 62

DB Normalization

Answer 62

seeks to make data in DB logically concise organized, and consistent. Removes redundant data.

Question 63

DB Normalization rules

Answer 63

1. first form, divide data into tables
2. second normal form, move data that is partially dependent on primary key to another table.
3. third normal form, remove data that is not dependent on primary key.

Question 64

Database Views

Answer 64

tables may be queried. results are called a DB view. Can be used to provide a constrained user interface.

Question 65

Data Dictionary

Answer 65

contains description of DB tables. Called metadata.

Question 66

DB Query languages

Answer 66

Most popular is SQL. MySQL, postGRE SQL, PL/SQL, etc.

Question 67

DB Language commands

Answer 67

DDL, data definition language.

DML, data manipulation language.

Question 68

Hierarchical DB

Answer 68

DNS is a good example

Question 69

Object Oriented Database

Answer 69

object oriented DB. Combines data with function/code. Used to manipulate the objects and their data.

Question 70

Assembly Language

Answer 70

Low-level computer language. Instructions are shor mnemonics, like ADD, SUB, and JMP. These directly match to machine code instructions.

Question 71

Closed-source software

Answer 71

Released only in executable form, source code is kept confidential.

Question 72

Open Source software

Answer 72

publishes source code openly. i.e Linux, Apache web server.

Question 73

Agile Software Development

Answer 73

Much more flexible way of software dev. Has 4 values, and 12 principles:

• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation.
• Responding to change over following a plan.

Question 74

Scrum

Answer 74

Type of Agile development that takes a ‘holistic’ approach. A team tries to go the distance as a unit, rather than handing the project off in stages.

Contains a Scrum Team, and a Scrum Master, and a Product owner on the business side.

Question 75

Test-Driven Development

Answer 75

Type of Agile development. TDD, as the name implies, is driven by the use of test cases: first a test is written, then it is run. If it fails, code is written or refactored as needed to make the test succeed

Question 76

Key Scrum

Answer 76

Type of Agile Development

Question 77

Integrated Product Team (IPT)

Answer 77

An integrated product team (IPT) is a multitalented group of people from different disciplines responsible for delivering a product. IPTs are formed to plan, execute, and implement life cycle decisions for the system being acquired.

Question 78

Software Escrow

Answer 78

Third party stores an archive of the software. Usually negotiated as part of a contract with a proprietary software vendor.

Vendor wants it kept secret, but client may be afraid vendor goes out of business and may need access to source code.

Question 79

API Security

Answer 79

Application programming interface:

Authentication
Access Control
Input Validation
Output encoding/escaping
Cryptography
Error Handling and logging
Comms Security
HTTP Security
Security Configuration

Question 80

RAD - Rapid Application Development

Answer 80

Quickly develops software via use of prototypes/dummies. Goal is to quickly meet a business need of the system, while technical concerns are secondary.

Question 81

SDLC - Systems development life cycle

Answer 81

System development model. USed across IT industry, but focuses on security

Question 82

OWASP API Controls

Answer 82

Authentication
Access Control
Input Validation
Output Encoding
Cryptography
Error Handling/logging
Communication security
HTTP Security
Security Configuration

Question 83

Database administrator

Answer 83

manages database

Question 84

DBMS

Answer 84

Database Management System

Question 85

Relational Database

Answer 85

most common type of database.

Has Rows and Columns

Row is called a Tuple
Column is called an Attribute

Question 86

Primary Key

Answer 86

Each tuple has a primary key that is unique to that row.

Question 87

Candidate Key

Answer 87

Any attribute within a row (tuple) that is unique.

Question 88

Foreign Key

Answer 88

key in a related DB table that matches a primary key in a parent DB table.

This key is referred as ‘foreign’ from the parent DB’s point of view, but still called ‘primary key’ from the child DB’s point of view.

Question 89

Database Journal

Answer 89

log of all DB transactions. If a DB becomes corrupted, the journal can be used to revert to the most recent working version of the database.

Question 90

Database Shadowing

Answer 90

One-way mirror. clients cannot access the Shadow DB.

Question 91

Database Replication

Answer 91

mirrors a live DB, allowing simultaneous reads and writes to multiple replicated DBs. A Two-phase commit can be used to ensure integrity.

Question 92

Data Warehousing

Answer 92

large scale storage of data.

Question 93

Data mining

Answer 93

way to automate/program analysis of large quantities of data, which no human could hope to analyze on their own.

Question 94

Object Request Broker

Answer 94

Used to locate objects. Essentially a search engine.

This is a type of middleware, which connects programs to other programs.

Question 95

Examples of ORBs (Object Request Brokers)

Answer 95

CORBA (commom ORB architecture)
DCOM (Distributed Component Object Model)
COM (Component Object Model

Question 96

Software Vulnerabilities: Buffer Overflow

Answer 96

Occurs when a programmer does not perform variable bounds checking. Can be used to insert and run shell code.

Question 97

Software Vulnerabilities: SQL Injection

Answer 97

manipulation of back-end SQL server via a front-end web server. .

Question 98

Software Vunlerabiltiy: PHP Remote File Inclusion

Answer 98

altering URL to include a malicious remote file/URL for execution.

Question 99

Software Vulnerabilities: TOC/TOU race condition

Answer 99

Time of check/time of use attack. AKA Race condition. An attacker attempts to alter a condition after it’s already been checked by the OS, but before it’s used. Type of State Attack.

Question 100

Software Vulnerabilities: Cross-site Scripting XSS

Answer 100

Third-party execution of web scripting languages, within the context of a trusted site.

Exploits trust the website may have with third-party code.

Can be prevented with proper input validation.

Question 101

Software Vulnerabilities: Cross-site request Forgery XSRF/CSRF

Answer 101

Exploits the trust a user has in a website to execute code on that users computer, or to redirect them to another site

Within the context of a trusted site, exploits trust a user has with that site.

Question 102

Software Vulnerabilities: Privilege Escalation

Answer 102

Allows an attacker with typically limited access to gain access to additional resources.

Question 103

Software Vulnerabilities: Backdoor

Answer 103

Undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions.

Question 104

Software Vulnerabilities: Rootkits

Answer 104

Exploit known vulnerabilities in OS’s. Rootkit is used to expand access to the compromised system.

Question 105

Software Capability Maturity Model (CMM)

Answer 105

created by Carnegie Mellon Software Engineering Institute.

A methodical framework for creating quality software that allows measurable, and repeatable results.

Has 5 Levels. Now superceeded by SAMM (Software Assurance Maturity Model)

Question 106

SAMM Software Assurance Maturity Model

Answer 106

Maintained by OWASP.

Provides a framework for integrating security activities into a software development and maintenance process.

Has 5 business functions.

Question 107

OWASP

Answer 107

Open Web Application Security Project

Question 108

Acceptance Testing

Answer 108

users verify that the code meets their requirements and formally accept it as ready to move into production use

Question 109

security kernel

Answer 109

a small separate subsystem with the security-critical components.

It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof.

It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way.

It must be small enough to be able to be tested and verified in a complete and comprehensive manner.

Question 110

Input validation: Range Check

Answer 110

verify input data against predetermined upper and lower limits

Question 111

Input validation: Relationship check

Answer 111

checks compare input data to data on a master record file

Question 112

Input validation: Reasonableness check

Answer 112

checks compare input data to an expected standard

Question 113

Input validation: Transaction limits check

Answer 113

check input data against administratively set ceilings on specified transactions.

Question 114

ACID (relational Databases transactions)

Answer 114

Atomicity
Consistency
Isolation
Durability.

Question 115

Atomicity (Database)

Answer 115

Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged

Question 116

Consistency (Database)

Answer 116

ensures that any transaction will bring the database from one valid state to another.

Question 117

Isolation (Database)

Answer 117

The isolation principle requires that transactions operate separately from each other

Question 118

Durability (Database)

Answer 118

The isolation principle requires that transactions operate separately from each other

Question 119

Salami Attack

Answer 119

systematic whittling at assets in accounts or other records with financial value, where very small amounts are deducted from balances regularly and routinely