Domain 8: Software Development Security
One of the responsibilities of the release control process is ensuring that the process
includes acceptance testing that confirms that any alterations to end-user work tasks are
understood and functional prior to code release. The request control, change control, and
configuration control processes do not include acceptance testing.
The SDLC consists of seven phases, in the following order:
i) conceptual definition
ii) functional requirements determination
iii) control specifications development
iv) design review
v) code review
vi) system test review and
vii) maintenance and change management
Assurance is the level of confidence that software is free from vulnerabilities, either
intentionally designed into the software or accidentally inserted at any time during its
lifecycle, and that the software functions in the intended manner. It is a term typically
used in military and defense environments.
Change Control is responsible for providing an organized framework within which multiple
developers can create and test a solution prior to rolling it out in a production environment.
Request control provides a framework for user requests.
Release control manages the deployment of code into production.
Configuration control ensures that changes to software versions are made in accordance with
the change and configuration management policies.
Aggregation is a security issue that arises when a collection of facts has a higher
classification than the classification of any of those facts standing alone. An inference
problem occurs when an attacker can pull together pieces of less sensitive information and
use them to derive information of greater sensitivity. Multilevel security is a system
control that allows the simultaneous processing of information at different classification
levels.
The two major classifications of covert channels are timing and storage. A covert
timing channel conveys information by altering the performance of a system component or
modifying a resource’s timing in a predictable manner. A covert storage channel conveys
information by writing data to a common storage area where another process can read
it.
A multipartite virus is a fast-moving virus that uses file infectors or boot infectors to
attack the boot sector and executable files simultaneously. Most viruses either affect the
boot sector, the system or the program files. Polymorphic viruses mutate each time they
infect a system by making adjustments to their code that assist them in evading signature
detection mechanisms. Encrypted viruses also mutate from infection to infection but do so
by encrypting themselves with different keys on each device.
Durability requires that once a transaction is committed to the database it must be
preserved. Atomicity ensures that if any part of a database transaction fails, the entire
transaction must be rolled back as if it never occurred. Consistency ensures that all
transactions are consistent with the logical rules of the database, such as having a primary
key. Isolation requires that transactions operate separately from each other.
Functional requirements specify the inputs, behavior, and outputs of software. Derived
requirements are requirements developed from other requirement definitions. Structural
and behavioral requirements focus on the overall structure of a system and the behaviors it
displays.
PERT charts use nodes to represent milestones or deliverables and then show the
estimated time to move between milestones. Gantt charts use a different format with a
row for each task and lines showing the expected duration of the task.
Regression testing: Testing method that is used to verify that previously tested
software performs the same way after changes are made.
Integration testing: Testing method used to validate how software modules
work together.
Unit testing: Testing method that focuses on modules or smaller sections of code
for testing.
System testing: Testing on a complete integrated product.
Expert systems have two components: a knowledge bank that contains the collected
wisdom of human experts and an inference engine that allows the expert systems to
draw conclusions about new situations based on the information contained within the
knowledge bank.
In a gray box test, the tester evaluates the software from a user perspective but has
access to the source code as the test is conducted. White box tests also have access to the
source code but perform testing from a developer’s perspective. Black box tests work from
a user’s perspective but do not have access to source code.
Polyinstantiation allows the storage of multiple different pieces of information
in a database at different classification levels to prevent attackers from inferring
anything about the absence of information.
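The following added example (not part of the original notes) shows polyinstantiation in SQLite: with the classification level in the primary key, a low-cleared write is accepted and reads back as a cover story, while a single-instance table rejects the write and so reveals that a hidden row exists. The table, column names, level numbering and sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}

def build_db(polyinstantiated):
    """Create the cargo table with or without the level in the primary key."""
    key = "(ship, level)" if polyinstantiated else "(ship)"
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE cargo (ship TEXT NOT NULL, level INTEGER NOT NULL, "
        f"cargo TEXT NOT NULL, PRIMARY KEY {key})"
    )
    # The real, highly classified value is stored first.
    db.execute("INSERT INTO cargo VALUES ('Aurora', ?, 'missile parts')",
               (LEVELS["TOP SECRET"],))
    return db

def write_cargo(db, ship, clearance, cargo):
    """Insert a row at the writer's own level; report whether it was accepted."""
    try:
        db.execute("INSERT INTO cargo VALUES (?, ?, ?)",
                   (ship, LEVELS[clearance], cargo))
        return True
    except sqlite3.IntegrityError:
        # Key collision with a row the writer cannot see: the rejection
        # itself tells the writer that a higher-classified row exists.
        return False

def read_cargo(db, ship, clearance):
    """Return the highest-classified value the reader is cleared to see."""
    row = db.execute(
        "SELECT cargo FROM cargo WHERE ship = ? AND level <= ? "
        "ORDER BY level DESC LIMIT 1",
        (ship, LEVELS[clearance]),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    for poly in (False, True):
        db = build_db(poly)
        accepted = write_cargo(db, "Aurora", "UNCLASSIFIED", "grain")
        print("polyinstantiated:", poly, "| low write accepted:", accepted,
              "| low read:", read_cargo(db, "Aurora", "UNCLASSIFIED"),
              "| high read:", read_cargo(db, "Aurora", "TOP SECRET"))
```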
Neural networks attempt to use complex computational techniques to model the
behavior of the human mind. Knowledge banks are a component of expert systems, which
are designed to capture and reapply human knowledge. Decision support systems are
designed to provide advice to those carrying out standard procedures and are often driven
by expert systems.
Rapid Application Development, or RAD, focuses on fast development and the ability
to quickly adjust to changing requirements. RAD uses four phases: requirements planning,
user design, construction, and cutover.