1
Q
When in the development cycle should security be addressed?
A
Security should be addressed in each phase of system development.
It should not be addressed only at the end of development because of the added cost time and effort and the lack of functionality.
2
Q
Attack surface
A
The attack surface is the collection of possible entry points for an attacker.
The reduction of this surface reduces the possible ways that an attacker can exploit a system.
3
Q
Threat modeling
A
Threat modeling is a systematic approach used to understand how different threats could be realized and how a successful compromise could take place.
4
Q
Computer-aided software engineering
A
Computer-aided software engineering refers to any type of software that allows for the automated development of software which can come in the form of:
- Program editors
- Debuggers
- Code analyzers
- Version-control mechanisms
The goals are to increase development speed and productivity and reduce errors.
5
Q
Software testing levels (list 6)
A
- Unit testing (testing individual components)
- Integration testing (verifying components work together in the production environment)
- Acceptance testing (ensuring code meets customer requirements)
- Regression testing (testing after changes take place)
- Static analysis testing (reviewing programming code)
- Dynamic analysis testing (reviewing code during execution)
6
Q
Fuzzing
A
Fuzzing is the act of sending random data to the target program in order to trigger failures.
7
Q
Zero-day vulnerabilities
A
Zero-day vulnerabilities are vulnerabilities that do not currently have a resolution or solution.
8
Q
What does the ISO/IEC 27034 standard cover?
A
The ISO/IEC 27034 standard covers the following items:
- Application security overview and concepts
- Organization normative framework
- Application security management process
- Protocols and application security control data structure
- Case studies
- Application security assurance prediction
9
Q
OWASP
A
The Open Web Application Security Project (OWASP) is an organization dedicated to helping the industry develop more secure software.
10
Q
IPT
A
An integrated product team (IPT) is a multidisciplinary development team with representatives from many or all the stakeholder populations.
11
Q
CMMI Model levels
A
- 1 = Initial
- 2 = Repeatable
- 3 = Defined
- 4 = Managed
- 5 = Optimizing
12
Q
CMMI
A
CMMI (Capability Maturity Model Integration) is a process improvement approach that provides organizations with the essential elements of effective processes which will improve their performance.
13
Q
Change management vs. change control
A
Change management is a systematic approach to deliberately regulating the changing nature of projects.
Change control which is a subpart of change management deals with controlling specific changes to a system.
14
Q
SDLC methodologies
A
- Waterfall (sequential approach that requires each phase to complete before the next one can begin)
- V-shaped (emphasizes verification and validation at each phase)
- Prototyping (creating a sample of the code for proof-of-concept purposes)
- Incremental (multiple development cycles are carried out on a piece of software throughout its development stages)
- Spiral (iterative approach that emphases risk analysis per iteration)
- Rapid Application Development (combines prototyping and iterative development procedures with the goal of accelerating the software development process)
- Agile (iterative and incremental development processes that encourage team-based collaboration where flexibility and adaptability are used instead of a strict process structure)
15
Q
SCM
A
Software configuration management (SCM) is the task of tracking and controlling changes in the software through the use of
- Authentication
- Revision control
- Establishment of baselines
- Auditing
It has the purpose of maintaining software integrity and traceability throughout the software development life cycle.
16
Q
Generations of programming languages
A
- Generation one is machine language (binary format)
- Generation two is assembly language (which is translated by an assembler into machine code)
- Generation three is high-level language (which provides a level of abstraction)
- Generation four is a very high-level language (which provides more programming abstraction)
- Generation five is natural language (which is translated using artificial intelligence)
17
Q
Data modeling
A
Data modeling is a process used to define and analyze data requirements needed to support the business processes within the scope of corresponding systems and software applications.
18
Q
Object-oriented programming
A
Object-oriented programming provides:
- Modularity
- Reusability
- More granular control within the programs themselves
compared to classical programming languages.
19
Q
Objects (OOP)
A
Objects are members or instances of classes. The classes dictate the objects ’ data types structure and acceptable actions.
20
Q
Object communication
A
In OOP objects communicate with each other through messages and a method is functionality that an object can carry out. Objects can communicate properly because they use standard interfaces.
21
Q
Polymorphism
A
Polymorphism is when different objects are given the same input and react differently.
22
Q
Data hiding
A
Data and operations internal to objects are hidden from other objects which is referred to as data hiding. Each object encapsulates its data and processes.
23
Q
Low coupling
A
If an object does not require much interaction with other modules it has low coupling.
24
Q
Object programming design
A
The best programming design enables objects to be as independent and as modular as possible; therefore the higher the cohesion and the lower the coupling the better.
25
ORB
An object request broker (ORB) manages communications between objects and enables them to interact in a heterogeneous and distributed environment.
26
CORBA
Common Object Request Broker Architecture (CORBA) provides a standardized way for objects within different applications platforms and environments to communicate. It accomplishes this by providing standards for interfaces between objects.
27
COM
Component Object Model (COM) provides an architecture for components to interact on a local system. Distributed COM (DCOM) uses the same interfaces as COM but enables components to interact over a distributed or networked environment.
28
ODBC
Open Database Connectivity (ODBC) enables several different applications to communicate with several different types of databases by calling the required driver and passing data through that driver.
29
OLE
Object linking and embedding (OLE) enables a program to call another program (linking) and permits a piece of data to be inserted inside another program or document (embedding).
30
SOA
Service-oriented architecture (SOA) provides standardized access to the most needed services to many different applications at one time. Service interactions are self-contained and loosely coupled so that each interaction is independent of any other interaction.
31
Java security
Java security employs a sandbox so the applet is restricted from accessing the user’s hard drive or system resources. Programmers have figured out how to write applets that escape the sandbox.
32
SOAP
SOAP allows programs created with different programming languages and running on different operating systems to interact without compatibility issues.
33
XSS attack examples (list 3)
There are three main types of cross-site scripting (XSS) attacks:
* Nonpersistent XSS (exploiting the lack of proper input or output validation on dynamic websites)
* Persistent XSS (attacker loads malicious code on a server that attacks visiting browsers)
* DOM (attacker uses the DOM environment to modify the original client-side JavaScript).
34
DBMS
A database management system (DBMS) is the software that controls the access restrictions data integrity redundancy and the different types of manipulation available for a database.
35
Primary key
A database primary key is how a specific row is located from other parts of the database in a relational database.
36
View
A view is an access control mechanism used in databases to ensure that only authorized subjects can access sensitive information.
37
Relational database
A relational database uses two-dimensional tables with rows (tuples) and columns (attributes).
38
Hierarchical database
A hierarchical database uses a tree-like structure to define relationships between data elements using a parent/child relationship.
39
Database internal languages (List 3)
Most databases have a data definition language (DDL) a data manipulation language (DML) a query language (QL) and a report generator.
40
Data dictionary
A data dictionary is a central repository that describes the data elements within a database and their relationships.
41
How is database integrity provided?
Database integrity is provided by concurrency mechanisms. One concurrency control is locking which prevents users from accessing and modifying data being used by someone else.
42
Entity integrity vs. Referential integrity
Entity integrity makes sure that a row or tuple is uniquely identified by a primary key and referential integrity ensures that every foreign key refers to an existing primary key.
43
Rollback
A rollback cancels changes and returns the database to its previous state. This takes place if there is a problem during a transaction.
44
Commit staement
A commit statement saves all changes to the database.
45
Checkpoint
A checkpoint is used if there is a system failure or problem during a transaction. The user is then returned to the state of the last checkpoint.
46
Aggregation
Aggregation can happen if a user does not have access to a group of elements but has access to some of the individual elements within the group. Aggregation happens if the user combines the information of these individual elements and figures out the information of the group of data elements which is at a higher sensitivity level.
47
Inference
Inference is the capability to derive information that is not explicitly available.
48
How are inference attacks commonly prevented?
Common attempts to prevent inference attacks are
* Partitioning the database
* Cell suppression
* Adding noise to the database.
49
Polyinstantiation
Polyinstantiation is the process of allowing a table to have multiple rows with the same primary key. The different instances can be distinguished by their security levels or classifications.
50
Data warehousing
Data warehousing combines data from multiple databases and data sources.
51
Data mining
Data mining is the process of searching filtering and associating data held within a data warehouse to provide more useful information to users.
52
Data mining tools
Data-mining tools produce metadata which can contain previously unseen relationships and patterns.
53
Virus
A virus is an application that requires a host application for replication.
54
Macro viruses
Macro viruses are common because the languages used to develop macros are easy to use and they infect Microsoft Office products which are everywhere.
55
Polymorphic virus
A polymorphic virus tries to escape detection by making copies of itself and modifying the code and attributes of those copies.
56
Worm
A worm does not require a host application to replicate.
57
Logic bomb
A logic bomb executes a program when a predefined event takes place or a date and time are met.
58
Trojan horse
A Trojan horse is a program that performs useful functionality apparent to the user and malicious functionally without the user knowing it.
59
Botnets
Botnets are networks of bots that are controlled by C & C servers and bot herders.
60
When is antimalware software most effective?
Antimalware software is most effective when it is installed in every entry and end point and covered by a policy that delineates user training as well as software configuration and updating.
61
How do you assess the security of acquired software?
Assessing the security of acquired software in addition to internal or third-party tests requires that we assess the reliability and maturity of the vendor.
62
What is object-oriented programming (OOP)?
Object-oriented programming (OOP) is a modular form of programming that enables pieces of software to be reused and interchanged between programs. Object-oriented programming was developed as a more efficient method of writing programs or applications compared to classical, non-object oriented programming. OOP has been widely embraced because it is more efficient and results in lower programming costs. OOP is based on classes and objects. The programmer develops the class and all of its characteristics and attributes. These attributes and characteristics within the class are inherited as specific objects are instantiated.
63
The Capability Maturity Model (CMM) describes the procedures and practices that underlie software development process maturity. Name the five maturity levels defined by CMM.
Level 1: Initial Level 2: Repeatable Level 3: Defined Level 4: Managed Level 5: Optimizing The initial state is often referred to as “ad hoc.” There are essentially no development processes or defined methodologies. There is no assurance of consistency, and quality is unpredictable. In the repeatable state, a structure is in place, including a management hierarchy, change control procedures, and some form of quality control. Steps are followed that allow the company to effectively repeat processes throughout each project. The company does not yet have formal process models defined.In the defined state, formal processes have been developed and documented. Procedures exist to define the processes to be followed in order to execute projects. A system exists to enable the organization to assess and improve on established processes. In the managed state, formal processes are established to gather and analyze data and metrics in order to maintain an effective program of process improvement. In the optimizing state, a system has been developed and funded which is integrated into the development lifecycle and allows for continuous process improvement.
64
What is the Common Object Request Broker Architecture (CORBA)?
CORBA is an established intercomponent communication architecture in use today and an industry standard that enables programs to communicate regardless of which language they are written in or what platform or operating system they are running on. CORBA allows various software platforms and hardware environments to work together and communicate with each other no matter where the application is located or who developed it.
65
The waterfall software development lifecycle (SDLC) is one of the more well-known SDLC models. Describe the waterfall SDLC.
In the waterfall model, developers are limited to going back only one stage; therefore, the process flows logically from one stage to the next. The waterfall SDLC is probably the most well-known software development process. It is a classical method using discrete phases of development that require formal reviews and documentation before moving into the next phase of the project. An advantage of this method is that it provides a sense of order and is easily documented; however, it does not scale to large projects.
66
The spiral software development lifecycle (SDLC) is similar to the waterfall SDLC, but with a few key differences. Describe the spiral SDLC.
This model incorporates risk management as an element of the prototyping process and takes the form of a spiral where each loop represents a phase of the process. The spiral software development lifecycle (SDLC) builds upon the waterfall method with an emphasis on risk analysis, prototypes, and simulations at different phases of the development cycle. This method periodically revisits previous stages to update and verify design requirements.
67
What purpose do savepoints and checkpoints serve in software applications?
Savepoints and checkpoints are similar in nature. Both are used so that if the application endures a glitch, it has the necessary tools to bring the user back to his working environment without losing any data. A savepoint is used to periodically save the state of the application and the user’s information, while a checkpoint saves data held in memory to a temporary file.
68
Within the context of object-oriented programming, what is polyinstantiation?
Polyinstantiation is a method used within object-oriented programming (OOP) that allows different users to have access to different capabilities based on a class system (for example, security classification). Polyinstantiation is widely used by the governments and military units. Instantiation is what happens when an object is created from a class. Polyinstantiation allows multiple objects to be made from the same class. Additional copies are modified to show different attributes, and users are granted access to the different instances based on security level of access classifications.
69
Describe object linking and embedding (OLE).
Object linking and embedding (OLE) enables different objects such as spreadsheets or images to be embedded within other files. Object linking and embedding uses the component object model (COM) to allow different objects to be linked or embedded within other documents or files. OLE also provides the basis for inserting URLs within files that allow the reader to click to jump to the respective website or resource. Using OLE, for example, an Excel spreadsheet can be inserted or embedded within a Word document.
70
What are CASE tools?
Computer-aided software engineering (CASE) tools, is a general term for many types of tools used by programmers, developers, project managers, and analysts that help them make application development faster and with fewer errors. CASE tools automate many of the manual tasks in software engineering. Different tools provide managerial, administrative, and technical help in software projects. Some examples of CASE tools are translators, compilers, assemblers, linkers, and loaders.
71
What is an artificial neural network (ANN)?
An artificial neural network (ANN) is a form of artificial intelligence. ANNs are electronic models designed to mirror the neural structure of a human brain. The purpose of an ANN is to enable computers to recognize patterns and learn from experience like a human brain. The ANN is built on many computing units that stimulate small amounts of memory, and neurons. The neurons process the input using training rules that allow the system to learn from examples and provide the computer with an ability to generalize. Some of the features of neural networks follow: Constructs knowledge base from large amounts of raw training data Dynamic learning processes Inductive reasoning Parallel processing Qualitative and quantitative knowledge
72
What is the Capability Maturity Model (CMM)?
CMM provides a framework for measuring the maturity of established development capabilities. The Capability Maturity Model (CMM) was developed at the Carnegie Mellon University Software Engineering Institute (SEI). CMM describes the underlying procedures and practices of software development process maturity. CMM helps software developers improve development processes by providing an evolutionary path from ad hoc design to a systematic, repeatable approach to software development. Working toward a more formal, disciplined development approach reduces development timeframes, provides better project management capabilities, and improves overall project quality.
73
Security is an important aspect of any development project. Regardless of which software development lifecycle (SDLC) model is used, where is the best place to incorporate security?
It is less costly and more stable to incorporate security into development at every step rather than attempting to add or fix security after the fact. Security should be integrated in the beginning stages of architecting the software, before any programming is started. Security should be addressed in the data gather requirements and all further stages. This proactive mindset toward security ensures that security issues do not happen in the first place, or happen much less frequently.
74
What are the five common types of database architectures in use today?
- Relational -Hierarchical -Network -Object-oriented -Object-relational
75
List the four specific benefits of object-oriented programming (OOP).
Modularity Deferred commitment Reusability Naturalness Modularity offers autonomous objects and cooperation through exchanges of messages.Deferred commitment means that the internal components of an object can be redefined without changing other parts of the system.Reusability allows the programmer to refine classes through inheritance and reuse objects from other programs.Naturalness signifies that object-oriented analysis, design, and modeling maps to business needs and solutions.
76
What is a data warehousing?
Data warehousing is the practice of combining multiple databases into one centralized data repository or warehouse. Data stored in the data warehouse is normalized and formatted consistently for faster and more reliable searches. The data warehouse provides more efficient and extensive data retrieval by allowing searches to be conducted in one place against one data repository rather than having to conduct multiple queries against different databases.
77
In the context of object-oriented programming, what is polymorphism?
Polymorphism is a common component of object-oriented programming and refers to different objects responding to the same command, input, or message in different ways. When a programmer develops code, he can create a variable that can be used in different forms. The application will determine what form to use at the time of execution (run time). Since the variables can be different at execution time (when the object is used), it can receive the same input and have different outputs.
78
As part of software development methodology, there are a variety of software development lifecycle (SDLC) models. Name the five most popular software development lifecycle methodologies.
Waterfall Spiral Joint Analysis Development (JAD) Rapid Application Development (RAD) Cleanroom In the waterfall model, developers are limited to going back only one stage. The spiral model incorporates risk management as an element of the prototyping process and takes the form of a spiral where each loop represents a phase of the process. The joint analysis development (JAD) model is a highly collaborative model bringing in all the technical experts to expedite the development process. The rapid application development (RAD) model’s purpose is to streamline the development process for less complicated projects. The cleanroom model is based on mathematical specifications and produces software with a certifiable level of reliability. Cleanroom is designed to prevent software defects.
79
Within the context of object-oriented programming, what is a method?
A method is a component of object-oriented code that performs operations based on a request. A method describes the functionality of a given object. A method, for example, might be constructed to extract data from a database and populate fields in a form with the data, or perform calculations on financial data.
80
What are the differences between object-oriented analysis and object-oriented design?
Object-oriented analysis (OOA) is the process of classifying objects that will be appropriate for a solution. Object-oriented design (OOD) creates a representation of a real-world problem and maps it to a software solution using OOP. In object-oriented analysis (OOA), a problem is analyzed to determine the classes of objectsto be used in the application. Object-oriented design (OOD) creates a representation of a real-world problem and maps it to a software solution using OOP. The result of an OOD is a design that modularizes data and procedures. The design interconnects data objects and processing operations.
81
Describe the joint analysis development (JAD) SDLC.
The joint analysis development (JAD) model is a highly collaborative model that focuses on customer collaboration and brings in all the technical experts to expedite the development process. JAD development utilizes collaborative team meetings that incorporate the customer or end user into the process. It is a method that uses a team approach in application development in a workshop-oriented environment.
82
What is a logic bomb?
A logic bomb is one type of attack that can be executed against an application. Logic bombs are so named because they are like malicious code time bombs that are programmed to execute when certain conditions are met. For example, a logic bomb might be programmed to execute on a specific date or at a specific time of day, or it could be programmed to execute when a certain threshold is reached, for example, available disk space. A form of malware and typically destroy data or impact system performance in some way when executed.
83
There have been many different object-oriented programming (OOP) languages over the years. What are the two most popular ones in use today?
Java and C++ Java is a platform-independent object-oriented programming (OOP) language. Java is commonly used to write complete programs as well as smaller programs, called applets, which run within a web browser. C++ is widely used in the software industry. Some of its application domains include systems software, device drivers, embedded software, high-performance server and client applications, and entertainment software such as video games. Several groups provide both free and proprietary C++ compiler software, including the GNU Project, Microsoft, Intel, Borland, and others. The language began as enhancements to C, first adding classes.
84
What are two security considerations that you need to be aware of when protecting a database management system (DBMS)?
Database management systems must implement access control and caution against data inferencing. A DBMS must implement access controls to enforce authentication and authorization procedures. This is normally handled through use of views. If database authentication and authorization are not enforced correctly, access to data might be granted to unauthorized users. Another security concern is data inferencing, the ability for a user to deduce or infer sensitive information through access to related less sensitive information is a security issue that affects the DBMS.
85
When an application has been developed, the product eventually enters the maintenance stage. Describe considerations in managing change and the process used to evaluate updates and changes.
The first item to consider is that not all requested changes should be made. The first stage in change management is to establish the priorities of requests and estimate the cost of the changes requested. After a business case is made for the change, the change manager should begin by documenting the need and creating a development plan for the changes When the changes have been made, testing is necessary to ensure other required functionality and security was not impacted by the new updates.
86
Within the context of object-oriented programming, what is encapsulation?
Encapsulation is a tool used within object-oriented programming (OOP) that allows an object to have a shared portion and a private portion. The shared portion of an object is the interface (API) that enables it to interact with other components. Messages enter through the interface to specify the requested operation, or method, to be performed. The private part of an object is how it actually works and performs the requested operations. Other components need not know how each object works internally—only that it does the job requested of it. The private portion of an object is protected by programming code and a “black box” approach, which is encapsulation.
87
Describe a DBMS.
A database is a collection of data stored in a meaningful way. A database management system (DBMS) is the software that manages databases. DBMSs provides high-level commands to data definition and data manipulation in a database. A DBMS is the software used to control access restrictions, manipulate data, and perform other administrative functions on a database. DBMSs are used to manage large sets of structured data with ad hoc query capabilities. The DBMS is also able to manage the security controls of the data stored in the database.
88
As part of software development, it might be necessary to develop a prototype. What is a prototype?
A prototype is a proof of concept deliverable that demonstrates the basic functionality and feasibility of follow-on development efforts. During the phases of a software development lifecycle (SDLC), it is often necessary to build a model that illustrates the requirements and demonstrates the current state of the project. The ability to work with a prototype enables both the development team and the customer to make sure the requirements are understood and being met. The prototype provides an opportunity to identify any issues and clarify requirements if necessary. The prototype also enables testing to begin earlier in the development process, so errors or problems can be uncovered and addressed.
89
How does the rapid application development (RAD) software development lifecycle (SDLC) model compress the timeframe required to complete a project?
RAD reuses existing modular software components and defers design improvements for future revisions. The rapid application development (RAD) model’s purpose is to streamline the development process for less complicated projects. It is a method to determine user requirements and develop systems quickly to satisfy immediate needs. By reusing existing modular software components and deferring design improvements for future revisions, RAD is an effective SDLC methodology for quickly completing projects without sacrificing quality.
90
What is a worm, and how does it differ from a virus?
A worm is a type of malware that can impact vulnerable applications or systems. Unlike a virus, a worm is capable of replicating itself and propagating from system to system. Worms can sap system resources, which may impact system performance. They are also malicious code, which means they typically perform some destructive action affecting applications or data on vulnerable systems.
91
What is an expert or knowledge-based system?
An expert or knowledge-based system is a tool used to programmatically solve problems. This system is a form of artificial intelligence that exhibits reasoning similar to that of a human expert to solve a problem. It accomplishes this reasoning from a knowledge base of data related to the issue being addressed. Algorithms and rules are used to assess a problem and make inferences based on the information contained in the knowledge base. Expert systems operate in two modes: forward chaining, which acquires information and comes to a conclusion, and backward chaining, which backtracks to determine if a hypothesis is correct. Some of the features of expert systems are: Static precoded knowledge base Meta rules add some adaptability Deductive reasoning Sequential, “if/then” processing Usually address qualitative knowledge Rule based, domain specific, rigid logic Needs a human expert
CISSP
flashcards
Decks in class (8)
# Cards
-
Domain 1: Security and Risk Management218
-
Domain 2: Asset Security50
-
Domain 3: Security Architecture and Engineering156
-
Domain 4: Communication and Network Security113
-
Domain 5: Identity and Access Management97
-
Domain 6: Security Assessment and Testing44
-
Domain 7: Security Operations106
-
Domain 8: Software Development Security91
