What is Software-Defined Security?
Security controlled and automated through software policies
What is CASE?
Computer-aided software engineering for high-quality development
What is Top-Down Programming?
Start with big picture, break into smaller parts
What is Bottom-Up Programming?
Build systems from smaller components upward
What is Freeware?
Software free to use
What is Shareware?
Software free initially, then requires payment
What is Crippleware?
Software with limited functionality
What is GNU License?
Allows users to run, modify, and share software freely
What is BSD License?
Permissive license with minimal restrictions
What is Apache License?
Allows modification and distribution of software
What is Waterfall Model?
Linear development process with no backtracking
What is Sashimi Model?
Overlapping waterfall phases
What is Agile?
Iterative and flexible development
What is Scrum?
Agile framework using short sprints
What is Extreme Programming (XP)?
Focus on rapid cycles and pair programming
What is Spiral Model?
Risk-driven development process
What is RAD?
Rapid application development
What is Prototyping?
Building early versions of software for feedback
What are SDLC phases?
Investigation, Analysis, Design, Build, Test, Implement
What is Source Code Escrow?
Third party holds source code
What are Code Repositories?
Storage for source code
What is API Security?
Securing communication between applications
What is NIST 800-128?
Configuration management guidance
What is a Configuration Management Plan?
Defines how systems are managed and controlled
What is a Configuration Control Board?
Approves system changes
What is Configuration Item Identification?
Identifying items to manage
What is Configuration Change Control?
Managing updates to baseline
What is Configuration Monitoring?
Ensuring compliance with baseline
What is DevOps?
Collaboration between development and operations
What is DevSecOps?
Integrating security into DevOps
What is a DBMS?
Software that manages databases
What is the Relational Model?
Data stored in tables with keys
What is Referential Integrity?
Foreign keys match primary keys
What is Entity Integrity?
Primary key is unique and not null
What is Semantic Integrity?
Data matches defined data types
What is Database Normalization?
Removing redundancy
What is First Normal Form (1NF)?
Atomic values and primary keys
What is Second Normal Form (2NF)?
Removes partial dependencies
What is Third Normal Form (3NF)?
Removes non-key dependencies
What is a Data Dictionary?
Metadata about database
What is Database Schema?
Structure of database
What is DDL?
Defines database structure
What is DML?
Manipulates data
What is a Hierarchical Database?
Tree-like structure
What is an Object-Oriented Database?
Stores objects instead of data types
What is Coupling?
Degree of dependency between modules
What is Cohesion?
How closely related functions are within a module
What is ORB?
Middleware enabling distributed object communication
What is COM?
Object interaction across environments
What is DCOM?
Networked COM
What is CORBA?
Vendor-neutral distributed object standard
What is OOA?
Object-oriented analysis
What is OOD?
Object-oriented design
What is OOM?
Object-oriented modeling
What does ACID stand for?
Atomicity, Consistency, Isolation, Durability
What is Atomicity?
All-or-nothing transactions
What is Consistency?
Data remains valid before and after transactions
What is Isolation?
Transactions do not interfere
What is Durability?
Data persists after commit
What is Broken Access Control?
Improper enforcement of access rules
What are Cryptographic Failures?
Weak or missing encryption
What is Injection?
Malicious code inserted into queries
What is Insecure Design?
Poor architecture leading to vulnerabilities
What is Security Misconfiguration?
Improper system setup
What are Vulnerable Components?
Outdated or insecure software
What are Authentication Failures?
Weak identity verification
What are Logging Failures?
Lack of monitoring/logging
What is SSRF?
Server-side request forgery
What is CSRF?
Unauthorized actions using user session
What is XSS?
Injecting scripts into web pages
What is a Buffer Overflow?
Writing beyond memory boundaries
What is a Race Condition?
Multiple processes accessing resource simultaneously
What is TOCTOU?
Time-of-check to time-of-use vulnerability
What is CMM?
Capability Maturity Model
What is CMM Level 1?
Initial (ad hoc)
What is CMM Level 2?
Repeatable
What is CMM Level 3?
Defined
What is CMM Level 4?
Managed
What is CMM Level 5?
Optimizing
What is SAMM?
Software assurance maturity model
What is Software Component Analysis?
Identifies vulnerable external components
What are Expert Systems?
Systems that mimic human decision-making