
Domain 8: Software Development Security

The document discusses several topics related to software development security including: the software development life cycle (SDLC) phases; when a Windows OS shutting down puts the PC in a "FAIL SECURE" state; how reducing external threat vectors is not the goal of software threat modeling; different types of software reviews like pass-around and pair programming; database transaction characteristics like atomicity, consistency, isolation, and durability; the Open Web Application Security Project (OWASP) and its role; and how functional requirements specify inputs, behavior and outputs of software.

Uploaded by

Shpetim Malo
Copyright
© All Rights Reserved

Domain 8 – SOFTWARE DEVELOPMENT SECURITY

• SDLC phases are:

■ Conceptual definition
■ Functional requirements determination
■ Control specifications development
■ Design review
■ Code review walk-through
■ System test review
■ Maintenance and change management

• When the Windows OS shuts down the PC (because of a HW or SW problem), the PC is in a FAIL SECURE state.

• Reducing the number of threat vectors (external factors) is not a goal of software threat modeling.

• Example diagram for the name, attributes and methods of a class

• Memory is considered primary storage.

• Dynamic testing methodology typically works without access to source code.

• Aggregate functions summarize large amounts of data and provide only summary information as a result.

• The stages of the SW-CMM are as follows:

Level 1: Initial (find hardworking people)
Level 2: Repeatable (Reuse of code)
Level 3: Defined (formal documented process)
Level 4: Managed (Quantitative measures)
Level 5: Optimizing (Improvements)

• Foreign keys are used to enforce referential integrity relationships between tables.
• Macro viruses are commonly found in Microsoft Office product files (.doc, .xls, .pptx, etc.).

• An attack that uses the string ../../../../../../../../../etc/passwd is a directory traversal attack.

• Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software.

• Aggregation is a database security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone.

• Timing and storage are the two types of covert channels that are commonly exploited by attackers.

• Worms do not require user intervention to be spread from one system to another.

• Inference attacks involve combining several pieces of non-sensitive information to gain access to information that should be classified at a higher level. They include DEDUCTION of information.

• Web application firewalls (WAFs) sit in front of web applications and watch for potentially malicious web attacks, including cross-site scripting. They then block that traffic from reaching the web application.

• All database transactions have four required characteristics:

Atomicity – DB transactions must be “all-or-nothing”
Consistency – environment must be consistent with all of the database’s rules (same prim. key)
Isolation – transactions operate separately from each other
Durability – transactions that are committed to the database must be preserved

• Pass-around reviews (a software review process) are often done via email or using a central code review system, allowing developers to review code asynchronously.

• Pair programming (an agile software development technique) requires two programmers to work together at one workstation, with one writing code and the other reviewing and tracking progress.

• Stealth viruses hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally.

• Functional requirements specify what software must do by describing the inputs, behavior, and outputs.
• The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.
