Software Dev Sec

Question 1

ORB

Answer 1

Object request broker: used to locate object; object search engines; middleware; include COM, DCOM, CORBA

Question 1

Defined

Answer 1

s/w process for both mgt and engineering activites id socumented, standardized and integrated into standard s/w process for org

Question 1

genetic programming

Answer 1

seeks to replicate nature’s evolution; creates random programs and assigns them a task of solving a problem

Question 2

4 s/w freedoms

Answer 2

freedom to 1. use the s/w for any purpose 2. change the s/w to suit your needs 3. share the s/w w/ friends and neighbors 4. share the changes you make

Question 3

compilers

Answer 3

take source code, such as C or basic and compile it into machine code

Question 3

PHP RFI

Answer 3

PHP Remote file inclusion: altering normal PHP URLs and variables to include and execute remote content

Question 3

optimized

Answer 3

continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies

Question 4

repeatable

Answer 4

basic proj mgt process are establishe to track cost, schedule, and funtionality; necessary process discipline is in place to repeat earlier successes on similar projects

Question 4

ANN

Answer 4

artificial neural networks: expert system that simulates neural networks found in humans and animals; seek to duplicate biological neural networks; leanrs by example via training

Question 5

types of CASE software

Answer 5

1. tools: support onlyl specific tasks in s/w production process 2. workbenches: support 1 or a few s/w process activities by integrating several tools in a single application 3. environments: support all or at least part of the s/w production process w/collection of tools and workbenches

Question 5

bayesian filtering

Answer 5

commonly used to ID spam

Question 6

Agile Manifesto values

Answer 6

1. individuals and interactions over process and tools 2 working s/w over comprehensive doc 3. customer collaboration over contract negotiation 4. responding to change over following a plan

Question 6

scrum

Answer 6

named for way Rugby is played. No baton race in track, instead whole team works to move the project by passing ball back and forth as needed

Question 7

datawarehouse

Answer 7

large collection of data

Question 8

COM

Answer 8

component object model: ORB that locates objects on a local system

Question 8

SQL injection

Answer 8

manipulation of a back end SQL server via a front end web server

Question 8

s/w testing levels

Answer 8

unit, installation, integration, regression, acceptance

Question 9

white box s/w testing

Answer 9

gives the tester access to program source code, data structures, variables, etc

Question 10

XSS

Answer 10

cross site scripting: leverages third-party execution of web scripting languages such as javascript within the security context of a trusted site

Question 12

source code

Answer 12

computer programming language instructions that are written in text that must be translated into machine code before execution by the CPU

Question 13

open source

Answer 13

software publishes source code publicly

Question 13

expert systems

Answer 13

1. knowledge base of if/then statements 2. inference engine that follows the tree formed by knowledge base and fires a rule when there is a match

Question 14

traceability matrix

Answer 14

used to map customer’s req’ts to s/w testing plan

Question 15

primary key

Answer 15

unique value in each tuple in a table

Question 16

black box testing

Answer 16

gives test no internal details

Question 17

dynamic testing

Answer 17

tests the code while executing it

Question 17

installation testing

Answer 17

testing s/w as it is installed and first operated

Question 19

4GL

Answer 19

fourth generation language: computer languages designed to increase programmer’s efficiency by automating creation of computer code; GUI focused; focus on creation of databases, reports, websites

Question 20

closed source

Answer 20

software is typically released in executable form

Question 22

average # mistakes in computer code

Answer 22

10-50 mistakes per 1000 lines of code

Question 23

database replication

Answer 23

mirrors a live database, allowing simultaneous reads and writes to multiple replicated databases by clients

Question 24

relational database

Answer 24

contains 2-dimensional tables of related data

Question 25

privilege escalation

Answer 25

allow an attacker with (typically limited) access to be able to access additional resources

Question 26

shareware

Answer 26

fully functional proprietary s/w that may be initially used free, but requires you to pay if you continue to use it

Question 26

normalization

Answer 26

seeks to make the data in a database table logically concise, organized, and consistent.

Question 28

interpreted languages

Answer 28

compiled on the fly each time the program is run

Question 29

integration testing

Answer 29

testing multiple s/w components as they are combined into a working system; subsets may be tested, or big bang integration testing tests all integrated s/w components

Question 30

entity integrity

Answer 30

each tuple has a unique primary key that is not null

Question 32

crippleware

Answer 32

partially functioning proprietary s/w, often with key features disabled; must pay to get the full bologna

Question 33

assembly language

Answer 33

low-level computer programming laguage; uses short mnemonics that match to machine language instructions

Question 33

referential integrity

Answer 33

every foreign key in a secondary table matches a primary key in the parent table

Question 34

RAD

Answer 34

rapid application development: develops s/w via use of prototypes, dummy GUIs, back-end databases; goal is quickly meeting business needs of the suystem, technical concerns are secondary

Question 35

Object

Answer 35

a “black box” that combines code and data and sends and receives messages

Question 36

genetic algorithms

Answer 36

refer to creating shorter pieces of code called chromosomes

Question 37

foreign key

Answer 37

key in a related database table that matches a primary key in a parent database; foreign key is the local table’s primary key

Question 37

database view

Answer 37

results of a database query

Question 39

DCOM

Answer 39

distributed common object model: ORB that locates objects over a network

Question 40

CASE

Answer 40

computer aided software engineering: uses programs to assist in the creation and mx of other computer programs

Question 41

TD

Answer 41

top down programming: startes with broadest and highest level requirements and works down toward the low-=level technical implementation details

Question 42

responsible disclosure

Answer 42

practice of privately sharing vulnerability info with a vendor and w/holding public release until a patch is available

Question 43

combinatorial s/w testing

Answer 43

black-box testing method that seeks to ID and test all unique combinations of s/w inputs

Question 44

managed

Answer 44

detaield measures of the s/w process nd product quality are collected, analyzed, and used to control the processs; s/w process and products are quantitively understood and controlled

Question 45

machine code

Answer 45

software that is executed directly by the CPU; series of 1’s and 0’s that translate to instructions understood by CPU

Question 46

data integrity

Answer 46

databases must ensure the intregrity of the data in the tables

Question 47

data dictionary

Answer 47

description of the database tables; aka meta data

Question 48

database schema

Answer 48

describes the attributes and values of the database tables

Question 49

backdoors

Answer 49

shortcuts in a system that allow a user to bypass seucirty checks

Question 50

DML

Answer 50

data manipulation language: used to query and update data stored in the tables

Question 52

coupling

Answer 52

highly coupled object requires lots of other objects to perform basic jobs, like math; inversely related to cohesion

Question 53

waterfall model

Answer 53

an application development model that uses rigid phases; when one phase ends, the next begins; cannot go back to previous steps;

Question 54

steps of SDLC

Answer 54

prepare sucirty plan, initiation, development/acq, implementation, ops/mx, disposal

Question 56

spiral model

Answer 56

software development model designed to dcontrol risk

Question 57

sashimi model

Answer 57

highly overlapping steps; real-world successor to watefall model; named for overlapping fish dish called sashimi

Question 58

shadow database

Answer 58

like a replicated database except shadows mirror all changes to primary database, clients can’t access the shadow

Question 60

static testing

Answer 60

tests code passively; code isn’t running; includes walkthroughs, syntax checking, code reviews

Question 61

XP core practices

Answer 61

1 palnning: specifies desired features (user story) 2. paired programming: programmers work in teams 3. 40-hr week: accurate forecast of work 4. total customer involvement: customer always available and monitors proj 5. detailed test procedures aka unit tests

Question 61

CORBA

Answer 61

common object request borker architecture: ORB; open vendor-neutral networked object broker framework; enforces fundamental OO design as low-level deatails are encapsulated from client

Question 62

regression testing

Answer 62

testing s/w after updates, modifications, or patches

Question 63

BU

Answer 63

bottom up programming: starts w/ low-level technical implementation details and works up to the concept of the complete program

Question 64

SDLC

Answer 64

system or software development lifecycle model: development model that focuses on security in every phase

Question 65

programming languge generations

Answer 65

1st: machine code 2nd: Assemby 3rd: COBOL, C Basic 4th: ColdFusion, Progress 4GL, Oracle Reports

Question 66

agile software development

Answer 66

evolved as reaction to rigid s/w dev models such as waterfall model; includes Scrum and XP

Question 67

DDL

Answer 67

data defined language: used to create, modify, and delete tables

Question 68

fuzzing

Answer 68

type of black box testing that enters random, malformed data as inputs into software programs to determine if they will crash

Question 69

CMM

Answer 69

software capability maturity model: 5 levels: initial, repeatable, defined, managed, optimizing

Question 70

XP improvements

Answer 70

1. communication 2. simplicity 3. feedback 4. respect 5. courage

Question 71

unit testing

Answer 71

low-level tests of s/w components, such as functions, procedures, or objects

Question 72

prototyping

Answer 72

iterative apprach that breaks projects into smaller tasks creating multiple mockups of system design features

Question 74

procedural languages

Answer 74

programming languages that use subroutines, procedures, and functions

Question 76

database

Answer 76

structured collection of related data

Question 77

tuple

Answer 77

a row in a relational database

Question 79

cohesion

Answer 79

very independent object; inversely related to coupling

Question 80

buffer overflow

Answer 80

occurs when a programmer does not perform variable bounds checking

Question 81

OOP

Answer 81

Object Oriented Programming: changes the older procedural progrmaming methodology and treats programs as a series of connected objects that comm via messages, uses encapsulation

Question 83

XP

Answer 83

Extreme Programming: an agile development method that uses pairs of programmers who work off a detailed specification

Question 84

initial

Answer 84

characterized as ad hoc and occasionally even chaotic; few process defined and success depends on individual effort

Question 85

full disclosure

Answer 85

controversial practice of releasing vulnerability details publicly

Question 86

data mining

Answer 86

search for patterns in data

Question 88

acceptance testing

Answer 88

testing to sendure s/w meets the customer’s operational req’ts; when done by customer is called user acceptance testing

Question 89

freeware

Answer 89

aka “gratis” software; free as in beer; free of charge to use

Question 90

directory path traversal

Answer 90

escaping from the root of a web server into the regular file system by referencing directories

Question 91

polyinstantiation

Answer 91

two instances with the same name can contain different data; useful in multilevel security environments

Question 92

hard-coded credentials

Answer 92

backdoor username/passwords left by programmers in production code

Question 94

waterfall steps (general)

Answer 94

req’ts, analysis, design, code, test, ops, and then destruction which he left off

Question 95

semantic integrity

Answer 95

each attribute value is consistent with the attribute data type

Question 96

attribute

Answer 96

a column in a relational database

Question 97

hierarchical databases

Answer 97

form a tree

Question 98

sprial model

Answer 98

designed to conttrol risk; repeats steps of a proejcts in ever-wider spirals called rounds