Software Security Flashcards Preview


Flashcards in Software Security Deck (45):

Data normalization

ensures that attributes in a database table depend only on the primary key.

It removes redundant data and improves the integrity and availability of the database.


Which testing technique focuses only on testing the design and internal logical structure of the software product rather than its functionality?

white-box testing


Which test design typically focuses on testing functional requirements?

black-box testing


Which database feature ensures that the entire transaction is executed to ensure data integrity?

two-phase commit


Rapid Application Development (RAD)

rapidly develops software via the use of prototypes, “dummy” GUIs, back-end databases, and more.

The goal of RAD is quickly meeting the business need of the system; technical concerns are secondary.

The customer is heavily involved.

It relies on tools that enable quick development, such as GUI builders, CASE, DBMS, and OO.


Joint Analysis Development (JAD)

helps developers to work directly with users to develop a working application.

Its disadvantage is that involving large numbers of users may lead to political pressures that work against security considerations.


What is degree?

the number of columns in a table


What is cardinality?

the number of rows in a table.


What are atomic values?

At every row/column position in every table there is always exactly one data value and never a set of values.


What is Open Database Connectivity (ODBC)?

an application programming interface (API) that can be configured to allow any application to query databases. The


What are the security issues with ODBC?

- The username and password for the database are stored in plaintext.
- The actual call and the returned data are sent as cleartext over the network.
- Calling applications must be checked to ensure they do not attempt to combine data from multiple data sources, thus allowing data aggregation.
- Calling applications must be checked to ensure they do not attempt to exploit the ODBC drivers and gain elevated system access.


What is OLE DB?

A method of linking data from different databases together.


What is ORB?

Object Request Brokers (ORBs) can be used to locate objects: they act as object search engines.

ORBs are middleware. Common object brokers include COM, DCOM, and CORBA.


What is Normalization?

It removes redundancies in the data and ensures that attributes in a database table depend only on the primary key.

This makes the database consistent and easy to maintain and improves the integrity and availability of the database.


What is the risk of metadata?

Privacy violations and risks to the integrity of data.


What is OLAP?

Online Analytical Processing (OLAP) is designed to record all of the business transactions of an organization as they occur, in real time and concurrently.


How can database views be compromised?

There is difficulty in verifying how the software performs the view processing.

The view only limits the data the user sees; it does not limit the operations that may be performed on the views.

The layered model frequently used in database interface design may provide multiple alternative routes to the same data, not all of which may be protected.


What is Atomicity?

All the parts of a transaction's execution are either all committed or all rolled back: do it all or not at all.


What is Consistency?

The database is transformed from one valid state to another valid state based on user-defined integrity constraints.


What is Isolation?

The process guaranteeing that the results of a transaction are invisible to other transactions until the transaction is complete.


What is durability?

ensures the results of a completed transaction are permanent and can survive future system and media failures.


When is OLAP necessary?

It is used when databases are clustered to provide fault tolerance and higher performance.

The main goal of OLTP is to ensure that transactions happen properly or they don’t happen at all by rolling back using transaction logs.


What are the security concerns for OLTP systems?

concurrency and atomicity.


What are noise and perturbation?

A technique of inserting bogus information in the hope of misdirecting an attacker enough that the actual attack will not be fruitful.


What is the benefit of database views?

They provide a constrained user interface by implementing least privilege and need-to-know, and they provide content-dependent access restrictions.


What is CORBA?

An open, object-oriented standard architecture developed by the Object Management Group (OMG); a vendor-neutral networked object broker competing with Microsoft's DCOM.

It enforces fundamental object-oriented design, as low-level details are encapsulated (hidden) from the client.


What are the characteristics of CORBA?

Objects communicate via a message interface, described by the Interface Definition Language (IDL).

It is middleware that establishes a client-server relationship.

It enables applications to communicate with one another no matter where the applications are located or who developed them.

It enforces fundamental object-oriented design, as low-level details are encapsulated from the client.


What is Dynamic Data Exchange (DDE)?

It enables applications to work in a client/server model by providing direct communication between two applications using interprocess communication (IPC).


Verification phase

Includes activities to verify compliance of the system with security requirements.

Verification determines if the product accurately represents and meets the design specifications given to the developers.

This step ensures that the specifications are properly met and closely followed by the development team.


Validation phase

Determines if the product provides the necessary solution to the intended real-world problem.

It validates whether or not the final product is what the user expected in the first place and whether or not it solves the problem it was intended to solve.

Verification -> Validation



provides a window of time indicating how long a message is valid.



is a random value that is used to periodically authenticate the receiving system.


To ensure integrity.

You need to implement time and date stamps in an application program while transactions are being recorded.


Software Capability Maturity Model (CMM)

A maturity framework for evaluating and improving the software development process. Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) developed the model.

The goal of CMM is to develop a methodical framework for creating quality software that allows measurable and repeatable results.


The five levels of CMM



Artificial neural networks

They simulate the neural networks found in humans and animals.

They are capable of making a single decision based on thousands or more inputs.


An artificial neural network learns by

example via a training function; synaptic weights are changed via an iterative process until the output node fires correctly for a given set of inputs.

Used for “fuzzy” solutions, where exactness is not always required (or possible), such as predicting the weather.


Genetic algorithms and programming

Instead of being coded by a programmer, they evolve to solve a problem.

They seek to replicate nature's evolution, where animals evolve to solve problems.


What is the purpose of atomicity in an online transaction processing (OLTP) environment?

It ensures that only complete transactions take place.


What should you do to ensure the stability of the test environment?

Separate the test and development environments.


Which database feature limits user and group access to certain information based on the user privileges and the need to know?

database views


What are tuples?

rows or records in a relational database


How is assurance achieved?

using verification and validation


What is the process of identifying, controlling, and auditing changes that are made to a trusted computing base (TCB)?

configuration management


What are the Spiral model steps?

1) product design,
2) system requirements,
3) concept of operations,
4) implementation.

Each round includes multiple repeated steps, including prototype development and a risk analysis. A risk analysis is performed each round to lower the overall risk of the project. The spiral ends with successful implementation of the project.