Domain 8, Understanding, applying, enforcing software security Flashcards
(119 cards)
1
Q
XP, Extreme programming
A
XP utilizes a concept known as pair programming, which pairs developers. Uses refactoring code - a way of removing obsolete, redundant, or unneeded code to improve software’s functionality
Has five core practices
2
Q
Object
A
black box that combines code and data, sends and receives messages.
3
Q
Object-oriented protramming
A
Treats a program as a series of connected objects.
4
Q
Procedural languages
A
use subroutines, procedures, and functions
5
Q
Spiral Model
A
Software dev model designed to control risk. Based off of the Waterfall model, with improvements.
6
Q
Systems development life cycle, SDLC
A
A dev model that focuses on security in every phase
7
Q
Waterfall model
A
An application dev model that uses rigid phases, when one ends, the next begins. No going back a step once one ends.
M
8
Q
SEI Capability maturity model
A
Software maturity model. Goal to develop a methodical framework for creating quality software which allows measurable and repeatable results.
9
Q
Machine code
A
1s and 0s, machine/cpu dependent
10
Q
Source Code
A
Computer programming language which is written in text and must be translated to the machine code
11
Q
Assembler
A
Converts assembly language into machine language
12
Q
Complier
A
Converts an entire program into machine code. Produces an entire program written in machine code.
13
Q
Interpreters
A
Converts code into machine code line by line. Simply feeds commands line by line from source code to interpreted machine language.
14
Q
First gen language
A
machine code
15
Q
2nd gen language
A
Assembly
16
Q
3rd gen language
A
COBOL, C, Basic
17
Q
Fourth gen language
A
ColdFusion, Progress 4GL, Oracle Reports
18
Q
CASE
A
Computer Aided Software Engineering. Uses computers to assist in the creation and maintenance of other computer programs
19
Q
Computer Aided Software Engineering - Tools
A
Supports only specific tasks in the software production process
20
Q
Workbenches
A
Support one or a few software process activities by integrating several tools in a single application
21
Q
Environments
A
(Integrated Development Environment) Support all or at least part of the software production process with a collection of tools and workbenches
22
Q
free software gratis - AKA Freeware
A
software that is free of charge
23
Q
Free software libre
A
free to alter the program
24
Q
shareware
A
free for X amount of days
25
crippleware
pay to enable locked features
26
crippleware
pay to enable locked features
27
Prototyping
Iteerative aproach to
28
Prototyping
Iteerative aproach to
29
NIST SP 800-14
NIST process for systems development life cycle
1. operation and maintenance
2. secure disposal/decomissioning
30
NIST SP 800-14
NIST process for systems development life cycle
1. operation and maintenance
2. secure disposal/decomissioning
31
Code repository Security Controls
Largely falls under the other corporate security controls discussed previously. Defense in depth, secure authentication, firewalls, version control, etc.
32
Software Change MGMT
Broader than Software Config Mgmt. Tracks changes across an entire software dev program as it is developed, maintained, and eventually retired
33
Software Config managment
Narrower than Software Change Mgmt.
Tracks changes to specific software
34
NIST 80-128
Guide for security focused config mgmt.
35
NIST 80-128
Guide for security focused config mgmt.
36
Config congrol board, CCB
Group of qualified people responsible for controlling and approving changes
37
Config item identification
methodology for selecting and naming config items that need to be placed under CM.
38
Config change control
PRocess fo rmanging updates to the baseline config
39
Config monitoring
process for assessing or testing the level of compliance.
40
DevOps
Traditionally there was separation of duties between devs, QA teams, and production teams.
DevOps flips this around, having Operations and development engineers work together in entire service lifecycle.
41
Object oriented Design
treats projects as a series of connected objects that communicate to each other.
42
Cornerstone OOP Concept - Inheritance
way to reuse code of existing projects, establish a subtype from an existing project.
43
Cornerstone OOP Concept - Delegation
one object relying on another to provide a set of functionalities
44
Cornerstone OOP Concept - Polymorphism
ability to create a variable/function/object that has more than one form
45
Cornerstone OOP Concept - Polyinstantiation
Two instances with the same name that contains different data.
i.e. two different accounts may have a variable of the name, "account number" but the values would be different.
46
Coupling and Cohesion
highly coupled object- requires other objects to do anything.
Highly coherent object - can run independently
47
object request broker
used to locate objects. Act as search engines.
COM, DCOM, and CORBA
48
CORBA
common object request broker architecture.
49
OOA and OOD
Object oriented analysis and design. Very high level conceptual visualization of how a project or program should work.
50
Software Vulnerabilities: Hard Coded Creds
backdoor user/pass leftover from production. AKA Maintenance hook.
51
SQL injection
manipulation of back end server via front end web server
52
Software Vulnerability: Directory Path Traversal
escaping from the root of a web server by referencing other directories.
53
Full disclosure
If you find a vulnerability, you need to disclose. Full disclosure goes public.
54
Responsible disclosure
privately share with vendor.
55
Relational Database model
two-dimentional, table is called a relation.
Tables have rows and columns. Row = tuple, column = attribute, cell = value
56
Primary Key
relational DB value that represents each tuple.
57
Primary Key
relational DB value that represents each tuple.
58
Foreign key
Relational DB. Key in a related DB that matches the primary key in a parent DB.
59
Referential integrity
every foreign key in secondary tables matches a primary key.
60
Semantic Integrity
Each attribute (column) value is consitent with attribute data type.
i.e. you wouldn't put someones name as a value in the attribute for social security number.
61
Entity Integrity
each tuple has a unique primary key that is not null.
62
DB Normalization
seeks to make data in DB logically concise organized, and consistent. Removes redundant data.
63
DB Normalization rules
1. first form, divide data into tables
2. second normal form, move data that is partially dependent on primary key to another table.
3. third normal form, remove data that is not dependent on primary key.
64
Database Views
tables may be queried. results are called a DB view. Can be used to provide a constrained user interface.
65
Data Dictionary
contains description of DB tables. Called metadata.
66
DB Query languages
Most popular is SQL. MySQL, postGRE SQL, PL/SQL, etc.
67
DB Language commands
DDL, data definition language.
DML, data manipulation language.
68
Hierarchical DB
DNS is a good example
69
Object Oriented Database
object oriented DB. Combines data with function/code. Used to manipulate the objects and their data.
70
Assembly Language
Low-level computer language. Instructions are shor mnemonics, like ADD, SUB, and JMP. These directly match to machine code instructions.
71
Closed-source software
Released only in executable form, source code is kept confidential.
72
Open Source software
publishes source code openly. i.e Linux, Apache web server.
73
Agile Software Development
Much more flexible way of software dev. Has 4 values, and 12 principles:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation.
- Responding to change over following a plan.
74
Scrum
Type of Agile development that takes a 'holistic' approach. A team tries to go the distance as a unit, rather than handing the project off in stages.
Contains a Scrum Team, and a Scrum Master, and a Product owner on the business side.
75
Test-Driven Development
Type of Agile development. TDD, as the name implies, is driven by the use of test cases: first a test is written, then it is run. If it fails, code is written or refactored as needed to make the test succeed
76
Key Scrum
Type of Agile Development
77
Integrated Product Team (IPT)
An integrated product team (IPT) is a multitalented group of people from different disciplines responsible for delivering a product. IPTs are formed to plan, execute, and implement life cycle decisions for the system being acquired.
78
Software Escrow
Third party stores an archive of the software. Usually negotiated as part of a contract with a proprietary software vendor.
Vendor wants it kept secret, but client may be afraid vendor goes out of business and may need access to source code.
79
API Security
Application programming interface:
```
Authentication
Access Control
Input Validation
Output encoding/escaping
Cryptography
Error Handling and logging
Comms Security
HTTP Security
Security Configuration
```
80
RAD - Rapid Application Development
Quickly develops software via use of prototypes/dummies. Goal is to quickly meet a business need of the system, while technical concerns are secondary.
81
SDLC - Systems development life cycle
System development model. USed across IT industry, but focuses on security
82
OWASP API Controls
```
Authentication
Access Control
Input Validation
Output Encoding
Cryptography
Error Handling/logging
Communication security
HTTP Security
Security Configuration
```
83
Database administrator
manages database
84
DBMS
Database Management System
85
Relational Database
most common type of database.
Has Rows and Columns
Row is called a Tuple
Column is called an Attribute
86
Primary Key
Each tuple has a primary key that is unique to that row.
87
Candidate Key
Any attribute within a row (tuple) that is unique.
88
Foreign Key
key in a related DB table that matches a primary key in a parent DB table.
This key is referred as 'foreign' from the parent DB's point of view, but still called 'primary key' from the child DB's point of view.
89
Database Journal
log of all DB transactions. If a DB becomes corrupted, the journal can be used to revert to the most recent working version of the database.
90
Database Shadowing
One-way mirror. clients cannot access the Shadow DB.
91
Database Replication
mirrors a live DB, allowing simultaneous reads and writes to multiple replicated DBs. A Two-phase commit can be used to ensure integrity.
92
Data Warehousing
large scale storage of data.
93
Data mining
way to automate/program analysis of large quantities of data, which no human could hope to analyze on their own.
94
Object Request Broker
Used to locate objects. Essentially a search engine.
This is a type of middleware, which connects programs to other programs.
95
Examples of ORBs (Object Request Brokers)
CORBA (commom ORB architecture)
DCOM (Distributed Component Object Model)
COM (Component Object Model
96
Software Vulnerabilities: Buffer Overflow
Occurs when a programmer does not perform variable bounds checking. Can be used to insert and run shell code.
97
Software Vulnerabilities: SQL Injection
manipulation of back-end SQL server via a front-end web server. .
98
Software Vunlerabiltiy: PHP Remote File Inclusion
altering URL to include a malicious remote file/URL for execution.
99
Software Vulnerabilities: TOC/TOU race condition
Time of check/time of use attack. AKA Race condition. An attacker attempts to alter a condition after it's already been checked by the OS, but before it's used. Type of State Attack.
100
Software Vulnerabilities: Cross-site Scripting XSS
Third-party execution of web scripting languages, within the context of a trusted site.
Exploits trust the website may have with third-party code.
Can be prevented with proper input validation.
101
Software Vulnerabilities: Cross-site request Forgery XSRF/CSRF
Exploits the trust a user has in a website to execute code on that users computer, or to redirect them to another site
Within the context of a trusted site, exploits trust a user has with that site.
102
Software Vulnerabilities: Privilege Escalation
Allows an attacker with typically limited access to gain access to additional resources.
103
Software Vulnerabilities: Backdoor
Undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions.
104
Software Vulnerabilities: Rootkits
Exploit known vulnerabilities in OS's. Rootkit is used to expand access to the compromised system.
105
Software Capability Maturity Model (CMM)
created by Carnegie Mellon Software Engineering Institute.
A methodical framework for creating quality software that allows measurable, and repeatable results.
Has 5 Levels. Now superceeded by SAMM (Software Assurance Maturity Model)
106
SAMM Software Assurance Maturity Model
Maintained by OWASP.
Provides a framework for integrating security activities into a software development and maintenance process.
Has 5 business functions.
107
OWASP
Open Web Application Security Project
108
Acceptance Testing
users verify that the code meets their requirements and formally accept it as ready to move into production use
109
security kernel
a small separate subsystem with the security-critical components.
It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof.
It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way.
It must be small enough to be able to be tested and verified in a complete and comprehensive manner.
110
Input validation: Range Check
verify input data against predetermined upper and lower limits
111
Input validation: Relationship check
checks compare input data to data on a master record file
112
Input validation: Reasonableness check
checks compare input data to an expected standard
113
Input validation: Transaction limits check
check input data against administratively set ceilings on specified transactions.
114
ACID (relational Databases transactions)
Atomicity
Consistency
Isolation
Durability.
115
Atomicity (Database)
Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged
116
Consistency (Database)
ensures that any transaction will bring the database from one valid state to another.
117
Isolation (Database)
The isolation principle requires that transactions operate separately from each other
118
Durability (Database)
The isolation principle requires that transactions operate separately from each other
119
Salami Attack
systematic whittling at assets in accounts or other records with financial value, where very small amounts are deducted from balances regularly and routinely
