Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
40 Cards in this Set
- Front
- Back
|
SSE-CMMI, WASCI, BSI, ISO/IEC
|
Organization standards
|
|
|
Versioning, Technologist, Protection Code, Protection of project - Scope-creep VS. Statement of work, Process integrity
|
Software Configuration Management
|
|
|
Project, Management based Methodology, CMMI, SLC vs/ SDLC
|
System Lifecycle
|
|
|
stops when in production
|
System development lifecycle
|
|
|
this should be protected from tampering, prirating, accidental loss, and protection against
|
Source Code
|
|
|
these are hiring controls, changes in employment, protection of privacy from employees (privacy impact rating)
|
Personnel Security
|
|
|
never test on these systems or use real data
|
Production System
|
|
|
Waterfall, Spiral Method, Clean-room, Structured Programming Development, Iterative Development, Joint Analysis Development, Prototyping
|
Software Development Methods
|
|
|
comes from manufacturating, requirements set in stone, step by step with sign offs per step
|
Waterfall Method
|
|
|
starts from middle and works out, may be scope creep
|
Spiral Method
|
|
|
QA every step as finished
|
Clean Room
|
|
|
doing a portion, building and verifying reqs
|
Prototyping
|
|
|
translates an assemply language program to machine language
|
Assembler Language
|
|
|
translates a high level language into machine language
|
Compiler
|
|
|
instead of compiling a program at once this interprets in statement by statement
|
Interpreter
|
|
|
technique that exploits a security vulnerability occurring in the database layer of an application
|
SQL Injection
|
|
|
a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users
|
Cross-Site Scripting XSS
|
|
|
pointers that do not point to a valid object of the appropriate type
|
Dangling Pointer
|
|
|
invalid hyperlink, secure web applications, javaScript attacks vs. sandbox
|
Secure Coding Issues
|
|
|
validate all input and output, fail secure, fail safe, make it simple, defense in depth, only as secure as your weakest link
|
Application Security Principles
|
|
|
Classes, objects, message, inheritance, polymorphism, polyinstantiation
|
Object-Oriented Programming Concepts
|
|
|
multiple instances, reduces inference attack,
|
polyinstantiation
|
|
|
DCOM (Microsoft), SOAP, CORBRA, EJB (Java)
|
Distributed Programming
|
|
|
these all impact what in application security?
CIA |
transaction processing
|
|
|
injection, input manipulation/malicious file execution/ information disclosure, hijacking, infrastructure, race condition
|
malware and attack types
|
|
|
these are?
keystroke logging, adware and spyware, spam, phishing, botnets, remote access trojans (RAT), URL manipulation, maintenance hooks (backdoor or trapdoor) |
malware
|
|
|
is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition
|
time-of-check-to-time-of-use
|
|
|
these help what?
eliminate duplication of data, consistency of data, netork access |
database security
|
|
|
these strore records in a single table, parent/child relationship, limited to a single tree, difficult to link
|
Hierarchial Database
|
|
|
these repressent there data in the form of network records
|
Network DBMS
|
|
|
most frequently used model, data are structured in tables, columns are variables (attributes) rows contain the specific instances (records)
|
Relational Database
|
|
|
these are methods of identifying patterns in data, KDD and AI techniques
|
Knowledge Discovery in Databases
|
|
|
looking at one piece of information and guessing
|
Inference
|
|
|
taking pieces of information to build a picture
|
aggregation
|
|
|
these are...
access controls, grants, cascading permisions, lock controls, backup and recovery |
database controls
|
|
|
these are...
constrained views, sensitive data is hidden fromun authorized users, controls located in the front end of the application |
View-Based Access Controls
|
|
|
content-based access control, commit statement, three-phase commit, database rollback, journals, logs, & error controls
|
Transaction Controls
|
|
|
Atomicity, Consistency, Isolation, Durability
|
ACID Test
|
|
|
all changes take effect or none do
|
Atomicity
|
|
|
maintain internal to external
|
Consistency
|
