
Domain 8: Software Development Security CISSP Cheat Sheet Series

Software Development Lifecycle (SDLC)
Understand and integrate security throughout the software development lifecycle (SDLC)

Development Methodologies
Build and fix
• No key architecture design
• Problems fixed as they occur
• No formal feedback cycle
• Reactive not proactive
Waterfall
• Linear sequential lifecycle
• Each phase is completed before moving on
• No formal way to make changes during cycle
• Project ends before collecting feedback and re-starting
V-shaped
• Based on the waterfall model
• Each phase is complete before moving on
• Verification and validation after each phase
• No risk analysis phase
Prototyping
• Rapid prototyping - quick sample to test the current project
• Evolutionary prototyping - incremental improvements to a design
• Operational prototypes - incremental improvements intended for production
Incremental
• Multiple cycles (~ multiple waterfalls)
• Restart at any time as a different phase
• Easy to introduce new requirements
• Delivers incremental updates to software
Spiral
• Iterative
• Risk analysis during development
• Future information and requirements considered for risk analysis
• Allows for testing early in development
Rapid Application Development (RAD)
• Rapid prototyping
• Designed for quick development
• Analysis and design are quickly demonstrated
• Testing and requirements are often revisited
Agile
• Umbrella term - multiple methods
• Highlights efficiency and iterative development
• User stories describe what a user does and why
• Prototypes are filtered down to individual features

DevOps (Development & Operations)
Software Development • Quality Assurance • IT Operations

Software Development Methods

Database Systems
Database: Define storing and manipulating data
DBMS (database management system): Software program that controls access to data stored in a database.
DBMS Types: Hierarchical • Network • Mesh • Object-orientated • Relational
DDL: Data definition language defines structure and schema DML
Degree of Db: number of attributes (columns) in table
Tuple: row
DDE: Dynamic data exchange
DCL: Data control language. Subset of SQL.
Semantic integrity: ensure semantic rules are enforced between data types
Referential integrity: all foreign keys reference existing primary keys
Candidate Key: an attribute that is a unique identifier within a given table; one of the candidate keys becomes the primary key and the others are alternate keys
Primary Key: unique data identification
Foreign Key: reference to another table which includes a primary key. The link between foreign and primary keys is known as referential integrity.
DBMS terms
• Incorrect Summaries
• Dirty Reads
• Lost Updates
• Dynamic Lifetime Objects: Objects developed using software in an Object Oriented Programming environment.
• ODBC - Open Database Connectivity. Database feature that allows applications to communicate with different types of databases without program code.
• Database contamination - Mixing data with different classification levels
• Database partitioning - splitting a single database into multiple parts with unique contents
• Polyinstantiation - two or more rows in the same relational database table appear to have identical primary key and different data in the table.

Programming Language Types
Machine Languages: Direct instructions to processor - binary representation
Assembly Language: Use of symbols, mnemonics to represent binary codes - ADD, PUSH and POP
High-Level Language: Processor independent programming languages - use IF, THEN and ELSE statements as part of the code logic
Very high-level language: Generation 4 languages further reduce amount of code required - programmers can focus on algorithms. Python, C++, C# and Java
Natural language: Generation 5 languages enable system to learn and change on its own - AI

Database Architecture and Models
Relational Model: Uses attributes (columns) and tuples (rows) to organize data
Hierarchical Model: Parent child structure. An object can have one child, multiple children or no children.
Network Model: Similar to hierarchical model but objects can have multiple parents.
Object-Oriented Model: Has the capability to handle a variety of data types and is more dynamic than a relational database.
Object-Relational Model: Combination of object oriented and relational models.

Database Interface Languages
Open Database Connectivity (ODBC): Local or remote communication via API
Java Database Connectivity (JDBC): Java API that connects to a database, issuing queries and commands, etc
XML: DB API allows XML applications to interact with more traditional databases
Object Linking and Embedding Database (OLE DB): is a replacement for ODBC

Knowledge Management
Expert Systems: Two main components: 'Knowledge base' and the 'Inference engine'
• Use human reasoning
• Rule based knowledge base
• If-then statements
• Interference system
Expert Systems (Two Modes)
• Forward chaining: Begins with known facts and applies inference rule to extract more data until it reaches the goal. A bottom-up approach. Breadth-first search strategy.
• Backward chaining: Begins with the goal, works backward through inference rules to deduce the required facts that support the goal. A top-down approach. Depth-first search strategy.
Neural Networks: Accumulates knowledge by observing events, measuring their inputs and outcome, then predicting outcomes and improving through multiple iterations over time.

Covert Channels (Storage & Timing)
Executable content / Mobile code: ActiveX controls, Java applets, browser scripts
Virus: Propagates with help from the host
Worm: Propagates without any help from the host
Logic Bomb/Code Bomb: Run when a specific event happens
Buffer Overflow: Memory buffer exhaustion
Backdoor: Malicious code installed at the back end with the help of a front end user
Covert Channel: Unauthorized information gathering
Botnet: Zombie code used to compromise thousands of systems
Trojan: Malicious code that outwardly looks or behaves as harmless or necessary code
Cross-site request forgery (CSRF / XSRF): Browser site trust is exploited by trying to submit authenticated requests forcefully to third-party sites.
Cross-site scripting (XSS): Uses inputs to trick a user's browser into executing untrusted code from a trusted site
Session Hijacking: Attempts to obtain previously authenticated sessions without forcing browser requests submission
SQL Injection: Directly attacks a database through a web app
Hotfix / Update / Security fix: Updates to operating systems and applications
Service Pack: Collection of patches for a complete operating system

Data Warehousing and Data Mining
Data Warehousing: Combine data from multiple sources.
Data Mining: Arrange the data into a format easier to make business decisions based on the content.

Database Threats
Aggregation: The act of combining information from various sources.
Inference: Process of information piecing
Access Control
• Content Dependent Access Control: access is based on the sensitivity of the data
• Context Dependent Access Control: access via location, time of day, and previous access history.
Access Control Mechanisms
• Database Views: set of data a user or group can see
• Database Locks: prevent simultaneous access
• Polyinstantiation: prevent data interference violations in databases

A•C•I•D
Atomicity: Database rolls back if all operations are not completed; transactions must be completed or not completed at all
Consistency: Preserve integrity by maintaining consistent transactions
Isolation: Transaction is kept separate from other transactions until complete
Durability: Committed transaction cannot be rolled back

Traditional SDLC
Steps: Analysis, High-level design, Detail Design, Construction, testing, Implementation
Phases
• Initiation: Feasibility, cost analysis, risk analysis, Management approval, basic security controls
• Functional analysis and planning: Requirement definition, review proposed security controls
• System design specifications: detailed design specs, Examine security controls
• Software development: Coding. Unit testing Prototyping, Verification, Validation
• Acceptance testing and implementation: security testing, data validation

Object-oriented technology (OOT) - Terminology
Objects contain both data and the instructions that work on the data.
Encapsulation: Data stores as objects
Message: Informs an object to perform an action.
Method: Performs an action on an object in response to a message.
Behavior: Results shown by an object in response to a message. Defined by its methods, which are the functions and subroutines defined within the object class.
Class: Set of methods which defines the behavior of objects
Object: An instance of a class containing methods
Inheritance: Subclass accesses methods of a superclass
Multiple Inheritance: Inherits characteristics from more than one parent class
Polyinstantiation: Two or more rows in the same relational database table appear to have identical primary key elements but contain different data
Abstraction: Object users do not need to know the information about how the object works
Process isolation: Allocation of separate memory spaces for process's instructions and data by the operating system.

Trusted Computer Base (TCB)
The set of all hardware, firmware, and/or software components that are critical to its security. Any compromises here are critical to system security.
Input/output operations: May need to interact with higher rings of protection - such communications must be monitored
Execution domain switching: Applications that invoke applications or services in other domains
Memory protection: Monitoring of memory references to verify confidentiality and integrity in storage
Process activation: Monitor registers, process status information, and file access lists for vulnerabilities

Security Assessment & Testing Terms
Penetration Testing: A process of identifying and determining the true nature of system vulnerabilities
Patch management system: Manages the deployment of patches to prevent known attack vectors
Open system: System with published APIs - third parties can use system
Closed system: Proprietary system - no third-party involvement
Open-source: Source code can be viewed, edited and distributed free or with attribution or fees
API Keys: Used to access API. Highly sensitive - same as passwords

Change Management Process
Request Control: Develop organizational framework where users can request modifications, conduct cost/benefit analysis by management, and task prioritization by developers
Change Control: Develop organizational framework where developers can create and test a solution before implementation in a production environment.
Release Control: Change approval before release

Configuration Management Process
Software Version Control (SVC): A methodology for storing and tracking changes to software
Configuration Identification: The labelling of software and hardware configurations with unique identifiers
Configuration Control: Verify modifications to software versions comply with the change control and configuration management policies.
Configuration Audit: Ensure that the production environment is consistent with the accounting records

Capability Maturity Model
Reactive
1. Initiating – informal processes
2. Repeatable – project management processes
Proactive
3. Defined – engineering processes, project planning, quality assurance, configuration management practices
4. Managed – product and process improvement
5. Optimizing – continuous process improvement

Project Management Tools
Gantt chart: Type of bar chart that illustrates the relationship between projects and schedules over time.
Program Evaluation Review Technique (PERT): Project-scheduling tool used to measure the capacity of a software product in development, which is used to calculate risk.

Phases of object-oriented design
OORA (Requirements Analysis): Define classes of objects and interactions
OOA (Analysis): Identify classes and objects which are common to any applications in a domain - process of discovery
OOD (Design): Objects are instances of classes
OOP (Programming): Introduce objects and methods
ORBs (Object Request Brokers): Work as middleware locators and distributors for the objects
CORBA (Common object request): Architecture and standards that use ORBs to allow different systems and software on a system to interface with each other
Cohesion: Work independently without help from other programs
• High cohesion – No integration or interaction with other modules
• Low cohesion – Have interaction with other modules
• Coupling - Level of interaction between objects

Virus Types
Boot sector: Boot record infectors, gain the most privileged access and can be the most damaging
System infector: Infects executable system files, BIOS and system commands
UEFI: Infects a system's factory installed UEFI (firmware)
Companion: Virus stored in a specific location other than in the main system folder. Example NOTEPAD.EXE
Stealth: Any modifications to files or boot sector are hidden by the virus
Multipart: Infects both boot sector and executable files
Self-garbling: Attempts to hide from anti-virus by changing the encoding of its own code, a.k.a. 'garbling'
Polymorphic: The virus modifies the "garble" pattern as it spreads
Resident: Loads as and when a program loads to the memory
Master boot record / sector (MBR): Infects the bootable section of the system

Anti-Virus Types
Signature based: Not able to detect new malware a.k.a. Zero-day attacks
Heuristic based: Static analysis without relying on signatures

Protection Rings
Layer 0: Operating system kernel
Layer 1: Parts of the operating system other than the kernel
Layer 2: I/O drivers and utilities
Layer 3: Applications and programs
