Domain 8: Software Development Security Flashcards


created 4 months ago by DPasik
updated 4 months ago by DPasik
Subjects:
cissp
1

Software Development Life Cycle (SDLC)

Initiation & Planning

  • Define requirements
  • Create project plan and estimate costs
  • Identify risks
  • Obtain management approval

Acquisition & Development

  • Perform analysis & design
  • Include controls for risks
  • Conduct programming & testing
  • Prepare documentation

Deployment

  • Execute QA & security testing
  • Conduct user acceptance testing
  • Complete certification & accreditation
  • Roll out to production

Operation & Maintenance

  • Implement change management
  • Maintain configuration management
  • Ensure backups are in place

Decommissioning

  • Retire the system
  • Dispose of data securely

2

Certification

  • Tests system features and safeguards
  • Ensures system meets organizational requirements
  • Applies to in-house or COTS systems

3

Accreditation

  • Management approval to deploy system
  • May include conditions or limitations
  • Acts as a "seal of approval"

4

Certification & Accreditation =

Assessment/Evaluation & Authorization

5

SSDLC (Secure SDLC)

  • Builds security into each phase of SDLC
  • Proactive approach to secure systems
  • Leads to better, safer applications

6

Waterfall Method

  • Linear, sequential development
  • Each phase must be completed before the next begins

7

Spiral Method

  • Iterative development with risk analysis
  • Cycle:
    1. Requirements
    2. Risk Analysis
    3. Prototype
    4. Validation
    5. Repeat with refined requirements

8

Agile Principles

  1. Deliver working software frequently
  2. Welcome changes, even late
  3. Daily cooperation between business & devs
  4. Focus on technical excellence
  5. Emphasize teamwork

9

Scaled Agile Framework (SAFe)

  • Designed for large organizations
  • Enables coordination across multiple teams
  • Supports collaboration and effective product delivery

10

Scrum (Agile Method)

  • Popular Agile development framework

Scrum Roles:

  1. Product Owner – Visionary, often the customer
  2. Scrum Master / Team Coach – Facilitator/manager
  3. Scrum Team – Developers

11

RAD (Rapid Application Development)

  • Emphasizes rapid prototyping
  • Uses iterative delivery

12

Lean

  • Focuses on minimizing waste
  • Maximizes productivity
  • Similar to Agile

13

Iterative vs. Non-Iterative Models

  • Iterative: Spiral, Agile, Scrum, RAD, Lean
    → Multiple rounds of development
  • Non-Iterative: Waterfall
    → Each phase is discrete and finalized

14

DevOps

  • Combines Development, Operations, and QA
  • Based on Lean and Agile principles
  • Goal: Shorten development cycle and enable continuous delivery

15

DevSecOps / SecDevOps

  • Integrates security into every phase of DevOps
  • Maintains focus on security best practices

16

SCA (Software Component Analysis)

  • Analyzes custom-built apps for embedded open-source components
  • Checks for:
    • Version updates
    • Vulnerabilities
    • Licensing requirements
  • Used in IT and software engineering

17

Software Bill of Materials (SBOM)

  • A complete list of components, libraries, and modules in a software product
  • Helps detect malicious implants or unauthorized files

18

Hierarchical Database

  • Organizes data in a tree-like structure
  • Examples:
    • Windows Registry
    • Microsoft Active Directory

19

NoSQL Databases

  • Examples: MongoDB, DynamoDB
  • Stores unstructured data (e.g., documents)
  • Uses key-value pairs
  • Commonly used to index the internet

20

Relational Databases

  • Examples: MS SQL Server, Oracle
  • Structured using tables with columns and rows

Table Terminology

  • Columns = Fields / Attributes (the number of columns is the table's degree)
  • Rows = Records / Tuples

Primary Key Rules (Entity Integrity)

  1. Must be unique
  2. Cannot be empty

Foreign Key Rules (Referential Integrity)

  • Must match a primary key in another table
  • Ensures linked records between tables

21

Database Shadowing

  • Hidden copy of DB, delayed updates
  • Used for high availability
  • Can rebuild using transaction logs
  • Not accessible by users

22

Remote Journaling

  • Copies transactions to backup site
  • Used for disaster recovery
  • Transactions can be replayed to restore DB

23

Database Replication

  • Frequent copying of DB between servers
  • Ensures data consistency across locations
  • Supports shared access to current data

24

Data Warehousing

  • Large databases storing high volumes of data
  • Aggregates data from multiple sources
  • Used for specialized analysis techniques

25

Data Mining

  • Technique to search through data warehouses
  • Identifies correlated information and patterns

26

Database Query Languages

DDL (Data Definition Language)

  • Defines DB structure/schema
  • Used for:
    • Creating tables
    • Modifying columns
    • Deleting DB objects

DML (Data Manipulation Language)

  • Manages table records
  • Used for:
    • Adding
    • Updating
    • Deleting records

DCL (Data Control Language)

  • Manages user access permissions
  • Assigns privileges to users

TCL (Transaction Control Language)

  • Controls DB transactions
  • Used for:
    • Applying changes
    • Rolling back changes

DQL (Data Query Language)

  • Retrieves data using SELECT command

27

Deadlocking (Deadly Embrace)

  • Occurs when two users/processes lock resources and wait on each other
  • Example:
    • User #1 locks Record A, waits for B
    • User #2 locks Record B, waits for A
  • Results in a stalemate

28

Inference

  • Combines non-sensitive info to deduce sensitive info
  • Relies on human deduction
  • Produces an educated guess

29

Aggregation

  • Combines lower-classified data to derive higher-classified info
  • Key traits:
    1. Uses machine processing
    2. Involves classification levels
    3. Produces a definite value

30

ACID Test (Transaction Integrity)

Atomicity

  • All changes take effect or none do

Consistency

  • Maintains internal and external consistency

Isolation

  • Ensures concurrent operations don’t interfere

Durability

  • Completed transactions are permanent

31

Metadata

  • Descriptive data about other data
  • Example: File metadata includes creation date, file type, access permissions

32

Machine Languages

1GL – Machine Languages

  • Binary code
  • Hardware-specific

2GL – Assembly Languages

  • Human-readable machine code
  • Uses assemblers
  • Still hardware-specific

3GL – High-Level Languages

  • Machine-independent
  • Examples: C, C++, Python, Java
  • Uses compilers/interpreters

4GL – Very High-Level Languages

  • Application-specific
  • Examples: SQL, macros

5GL – Fifth Generation Languages

  • Based on AI problem solving
  • May use neural networks
  • Cutting-edge technology

33

Object-Oriented Programming (OOP)

Objects contain:

  • Procedures (methods): Perform actions
  • Data (attributes): Store information

34

OOP Concepts

Inheritance

  • Objects can derive data/functions from other objects

Polymorphism

  • Objects can take on many forms

35

Class

  • A collection of methods defining object behavior
  • Acts as a template or "master" object

36

Instance

  • An object created from a class
  • Uses the class’s methods and structure

37

Encapsulation

  • Also called Data Hiding in OOP
  • Only includes necessary data for an object
  • Hides irrelevant or sensitive data

38

Polyinstantiation

  • A form of encapsulation used in databases
  • Creates multiple versions of data for different classification levels
  • Prevents inference attacks
  • Allows same primary key across versions

39

Open System

  • Has a published API
  • Allows third-party integration

40

Closed System

  • Proprietary
  • No third-party support or access

41

Open Source

  • Source code is viewable and distributable
  • May be free or fee-based

42

Input Validation

  • Sanitizes incoming data to ensure safety
  • Must be done on the back-end
  • WAFs can help protect public-facing services

43

Edit Controls

  • Front-end routines to check input validity
  • Prevents accidental errors during data entry

44

Bounds Checking

  • A form of Input Validation
  • Ensures a variable stays within a specific range
  • Example: If asking for age, only allow values between 18–150

45

Application Attacks

Memory Buffer Overflow

  • Too much data sent → memory overflow → crash or remote code execution
  • Mitigation: Input Validation

Cross-Site Scripting (XSS)

  • Malicious code injected into websites → runs in users' browsers
  • Mitigation: Input Validation

Cross-Site Request Forgery (CSRF/XSRF)

  • Session hijacking via fake requests that appear legitimate

SQL Injection (SQLi)

  • Malicious SQL commands entered via input fields
  • Example: '; shutdown with nowait; --
  • Mitigation: Sanitize input on back-end

SQLi Clues

  • Keywords: SELECT, UPDATE, DROP
  • Logic tricks: 1=1;--
  • Dangerous commands: shutdown with nowait;--

46

OWASP Top 10 – 2017

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

47

OWASP Top 10 – 2021

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable & Outdated Components
  7. Identification & Authentication Failures
  8. Software & Data Integrity Failures
  9. Security Logging & Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

48

Virus

  • Malicious code that replicates by attaching to programs/files
  • Requires human interaction to spread (e.g., email, USB)

49

Examples of Viruses

Macro Virus

  • Targets macros in productivity software (Word, Excel, etc.)

Boot Sector Virus

  • Overwrites boot sector
  • Loads into RAM before OS starts

Multipartite Virus

  • Uses multiple infection methods
  • Can infect both boot sector and files

Armored Virus

  • Uses obfuscation to hide its code
  • Designed to evade analysis

Retro Virus

  • Attacks or disables antivirus software

Stealth Virus

  • Avoids detection by hiding its presence

Companion Virus

  • Adds a pointer to a host program
  • Pointer runs a separate malicious file

Polymorphic / Metamorphic Virus

  • Constantly changes shape
  • Alters file names, locations, signatures, etc. to avoid detection

50

Worm

  • Self-replicating malware
  • Spreads via network vulnerabilities
  • Doesn’t require user interaction or infected files

51

STUXNET

  • Famous worm targeting Iranian nuclear systems

52

Mobile Code

  • Software sent over a network
  • Executes on the local system

53

Applets

  • Mini-programs sent from server to client
  • Perform specific tasks locally

54

Java Applets

  • Java-based applets
  • Run in a sandbox for isolation

55

ActiveX

  • Microsoft’s version of applets
  • Full system access (less secure than Java applets)

56

Hostile Applet

  • Exploits system resources
  • May monopolize or misuse them

57

Logic Bomb

  • Malicious code triggered by specific time or condition
  • Often inserted by insiders

58

Trojan Horse

  • Malware hidden inside legitimate software
  • User unknowingly installs it

59

RAT (Remote Access Trojan)

  • Opens a backdoor for remote attacker access

60

Rootkit

  • Grants admin-level access to attackers
  • Hides its presence in the system

61

Kernel Rootkit

  • Replaces critical system files
  • Interferes with kernel functions

62

DDoS with Botnets

  • Distributed attack using zombie bots
  • Controlled by a master handler

63

Ransomware / Cryptomalware

  • Encrypts or blocks access to data
  • Demands ransom to restore access or prevent data leak

64

Cryptojacking

  • Uses victim’s computing resources to mine cryptocurrency
  • Done without victim’s knowledge

65

APT (Advanced Persistent Threat)

  • Stealthy, long-term network intrusions
  • Often state-sponsored
  • Goal: Espionage

66

Fileless Malware

  • Runs in RAM only, no files written to disk
  • Uses existing system tools
  • Hard to detect due to lack of signatures

67

Anti-Malware Tools

1. Signature Scanning

  • Detects known threats via signatures
  • Examples: Antivirus, IDS

2. Heuristic Scanning

  • Detects suspicious behavior
  • Useful for new/unknown malware

3. Change Detection Tools

  • Monitors for unauthorized changes
  • Example: Tripwire

68

Covert Channel

  • Secret data transfer that violates security policies

69

Trap-Door / Back-Door

  • Hidden access bypass created during development
  • Also called maintenance hook

70

Sabotage

  • Destructive act, often by insiders
  • Targets systems or data

71

Phlashing

  • Maliciously flashes BIOS with unauthorized version

72

Data Diddling

  • Alters input data to commit fraud
  • Affects databases, documents, programs

73

Session Hijacking

  • Attacker takes over a victim’s session
  • Often by stealing or guessing session-ID

Prevention Tips:

  1. Use randomized IDs
  2. Use high-entropy IDs (mix of characters)
  3. Use time-based tokens that expire

74

Race Condition

  • Occurs when processes must execute in a specific order but that order is not enforced
  • Out-of-order execution leads to errors or delays

75

Memory Leak

  • Program fails to release unused memory
  • Causes performance issues or crashes

76

TOC/TOU (Time Of Check / Time Of Use)

  • TOC: When system checks object state
  • TOU: When system uses the object
  • Delay between check and use can cause bugs

77

Unit Testing

  • Performed by developers
  • Tests individual units of code

78

Acceptance Testing

  • Performed by customers/users
  • Validates system meets requirements

79

Regression Testing

  • Tests new and old features
  • Ensures updates don’t break existing functionality

80

Separation of Duties

  • Also called Segregation of Duties
  • Prevents collusion/fraud by separating roles (e.g., coders vs. testers)

81

Software Assurance Maturity Model (SAMM)

  • Open framework for software security strategy
  • Helps with:
    • Evaluating current practices
    • Building assurance programs
    • Measuring improvements
    • Defining security activities

82

Source-Code Escrow

  • Third-party holds source code
  • Protects client if developer goes out of business

83

Change Management Process

Change Control Steps

  1. Submit formal change request
  2. Analyze request (cost, feasibility, impact, security)
  3. Develop implementation strategy
  4. Obtain management approval
  5. Develop and document the change

Change Management Steps

  6. Test the change
  7. Deploy the change
  8. Review and verify (roll back if needed)
  9. Report results to management

Note:
A Change Management Board (CMB) ensures safety, accountability, and supports separation of duties.