We have now reached the last article of this series, covering the final domain, Software Development Security. You can expect many questions based on the concepts of this domain.

The objective of this domain is to test candidates’ knowledge of the secure software development life cycle and software acquisition strategy. Let’s start with the important points in this domain.

  • Understand SDLC phases in detail
    • Project Initiation and Planning
    • Functional Requirements
    • Design Specifications
    • Development and Implementation
    • Testing
    • Documentation
  • Accreditation Types: Understand the following accreditation types:
    • Provisional: Granted only for a limited time period, with action required to implement the required changes.
    • Full: The final accreditation given; it does not require further changes.
  • Understand the difference between the various software development models, grouped under two heads:
    • Non-Iterative Models: Waterfall Model, Spiral Model, Cleanroom
    • Iterative Models: Rapid Application Development (RAD), Modified Prototype Model (MPM), and Joint Analysis Development (JAD).
  • Understand the following points for database and data warehouse environments:
    • The database model should provide:
      • Transaction persistence
      • Fault tolerance
      • Recovery
      • Security
    • Understand the difference between the following database models:
      • Hierarchical: Stores the data in a series of records which have values attached
      • Network: Stores the data in the form of network records and links them
      • Relational: Data is structured in a series of tables where columns represent the variables and rows represent instances of data.
      • Object Oriented: A collection of public and private data items and a set of instructions that can be executed on the data.
    • Understand the two integrity rules of the relational model:
      • Entity Integrity Model: Each tuple must have a unique, non-null primary key value
      • Referential Integrity Model: For any foreign key value, the referenced relation must have a tuple with the same value for its primary key.
    • Online Transaction Processing (OLTP): Designed to record all the transactions of an organization. It should be noted that concurrency and atomicity are the security concerns for OLTP.
    • Understand the ACID properties:
      • Atomicity: Ensures that all parts of a transaction are either all committed or all rolled back
      • Consistency: Ensures that the database is transformed from one valid state to another valid state
      • Isolation: Ensures that transaction results are invisible to other transactions until the transaction is complete
      • Durability: Results of completed transactions are permanent.
    • Understand the Data Control Commands:
      • COMMIT: Saves the work done in the transaction
      • SAVEPOINT: Marks a point in the transaction to which it can be rolled back.
      • ROLLBACK: Restores the database to the state as of the last COMMIT
  • Time of Check (TOC) Attack: This type of attack occurs when some control changes between the time the system security functions check the contents of variables and the time the variables are actually used during operations. TOC attacks are prevented by software locking.
  • Race condition: Occurs when two processes compete to obtain a single resource.
  • It is important to understand the difference between a race condition and a TOC attack: a TOC attack happens as a result of inserting malicious instructions between two processes during their execution, whereas in a race condition the attacker forces the processes to execute out of sequence.
  • Certification process: The technical evaluation or assessment of the security compliance of information systems. Certification is followed by accreditation or authorization.
  • Code Signing Limitations:
    • Code signing does not guarantee that the code is 100 percent secure.
    • It is not DRM (digital rights management).
  • Understand the Software Assurance Phases
    • Planning
    • Contracting
    • Monitoring and Acceptance
    • Follow-On
  • Understand the following points on Software Protection Mechanisms
    • Reference Monitor: Runs inside the kernel and performs security access checks on objects.
    • Kernel: Enforces the security policy
    • Processor Access Modes: User Mode and Kernel Mode
  • Understand the difference between following malware types:
    • Worms, Hoaxes, Trojans, Botnet, Logic Bombs, Spyware, Adware.
  • Understand the following types of viruses:
    • Multipartite Virus: Indicates a virus that is able to infect both boot sectors and program files.
    • File Infectors: Infect object files in multiple ways (appending, overwriting, etc.)
    • System Infectors: Infect system files.
    • Script Virus: A standalone virus that is executed by an interpreter.
  • Strengths and Weaknesses of Source Code Analysis Tools:
    • Strengths
      • Good scalability
      • Come packaged with rules, signatures, etc.
      • Good error descriptions, possible fixes, etc.
    • Weaknesses
      • Not good for all types of security vulnerabilities
      • False positive counts are always on the higher side.
      • Not good at finding configuration flaws
      • Depend hugely on compiled code.
  • Understand the covert channel and its types: A communication channel that allows two processes to communicate only by violating the security policy.
    • Covert Storage Channel: Involves the (direct or indirect) reading of a storage location by processes
    • Covert Timing Channel: The timing with which processes acquire resources can be used to send signals.
  • Understand the OOP concepts: encapsulation, inheritance, polymorphism, etc.
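As an added example (my own, not code from the article), the relational integrity rules, the atomicity and durability properties, and the COMMIT / SAVEPOINT / ROLLBACK commands from the database points above, exercised against an in-memory SQLite database. The two-table schema, the seeded rows and the function names are constructed for this illustration.

```python
import sqlite3

# Constructed schema for the example: a department table and an employee table.
# PRIMARY KEY gives entity integrity (a unique, non-null key per tuple);
# REFERENCES gives referential integrity (a foreign key must match an existing primary key).
SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)
);
"""


def new_db():
    """Open an in-memory database with one seeded department (constructed sample data).

    isolation_level=None means the sqlite3 module issues no implicit BEGIN, so the
    transaction control statements below are exactly the ones that run.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    # SQLite does not enforce foreign keys unless asked; without this pragma the
    # referential integrity rule would silently go unchecked.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department VALUES (10, 'Security')")
    return conn


def rejects_duplicate_key(conn):
    """Entity integrity: return True if a second row with the same primary key is refused."""
    try:
        conn.execute("INSERT INTO department VALUES (10, 'Duplicate')")
        return False
    except sqlite3.IntegrityError:
        return True


def rejects_dangling_foreign_key(conn):
    """Referential integrity: return True if a foreign key with no matching primary key is refused."""
    try:
        conn.execute("INSERT INTO employee VALUES (1, 'Alice', 99)")  # no department 99 exists
        return False
    except sqlite3.IntegrityError:
        return True


def atomic_batch(conn, second_dept):
    """Insert two employees as one unit of work and return the row count afterwards.

    Atomicity: if the second insert fails (second_dept does not exist), ROLLBACK
    undoes the first insert as well, so the count is 0 rather than 1.
    """
    conn.execute("BEGIN")
    try:
        conn.execute("INSERT INTO employee VALUES (1, 'Alice', 10)")
        conn.execute("INSERT INTO employee VALUES (2, 'Bob', ?)", (second_dept,))
        conn.execute("COMMIT")
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")  # restores the state as of the last COMMIT
    return conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]


def savepoint_partial_undo(conn):
    """Use SAVEPOINT to undo only part of a transaction; return the committed names."""
    conn.execute("BEGIN")
    conn.execute("INSERT INTO employee VALUES (1, 'Alice', 10)")
    conn.execute("SAVEPOINT before_bob")      # point the transaction can be rolled back to
    conn.execute("INSERT INTO employee VALUES (2, 'Bob', 10)")
    conn.execute("ROLLBACK TO before_bob")    # Bob's insert is undone, Alice's is kept
    conn.execute("COMMIT")                    # durability: Alice's row is now permanent
    return [row[0] for row in conn.execute("SELECT name FROM employee ORDER BY emp_id")]


if __name__ == "__main__":
    conn = new_db()
    print("duplicate key refused:          ", rejects_duplicate_key(conn))
    print("dangling foreign key refused:   ", rejects_dangling_foreign_key(conn))
    print("rows after failed batch:        ", atomic_batch(new_db(), 99))
    print("rows after good batch:          ", atomic_batch(new_db(), 10))
    print("names after savepoint rollback: ", savepoint_partial_undo(new_db()))
```

The PRAGMA line is the practical point: a database engine may support an integrity rule without enforcing it by default, so a review of a schema is not complete until the enforcement setting itself has been checked.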
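Also added here, and not part of the original article: the TOC attack and race condition entries above as a small Python program. The Account class, the balances and the thread setup are constructed for the illustration. Two threads withdraw from one balance; in the unlocked version the check and the use are separate steps, so both threads pass the balance check before either debits, while the locked version applies the software locking the article names so that check and use become one indivisible step.

```python
import threading


class Account:
    """Constructed example: a balance shared by several threads (the single resource)."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_toctou(self, amount, gate):
        """Vulnerable pattern: the check and the use are two separate steps.

        gate is a threading.Barrier that makes the race reproducible: every thread
        is held between its check and its use, which is what the scheduler can do
        at any moment in real code. Assumes every caller passes the check, which
        holds whenever the starting balance is at least `amount`.
        """
        if self.balance >= amount:      # time of check
            gate.wait(timeout=5)        # the window between check and use
            self.balance -= amount      # time of use: the checked value may be stale now
            return True
        return False

    def withdraw_locked(self, amount):
        """Software locking: check and use happen under one lock, as a single step."""
        with self._lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def run_withdrawals(start_balance, amount, workers, locked):
    """Run `workers` concurrent withdrawals; return (final balance, number that succeeded)."""
    acct = Account(start_balance)
    gate = threading.Barrier(workers)
    outcomes = []

    def worker():
        if locked:
            outcomes.append(acct.withdraw_locked(amount))
        else:
            outcomes.append(acct.withdraw_toctou(amount, gate))

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(outcomes)


if __name__ == "__main__":
    # Two withdrawals of 100 from a balance of 100: only one should ever succeed.
    print("unlocked:", run_withdrawals(100, 100, 2, locked=False))  # both pass the check, balance -100
    print("locked:  ", run_withdrawals(100, 100, 2, locked=True))   # one succeeds, balance 0
```

The fix is not the lock object by itself but what it encloses: the comparison and the update must sit inside the same critical section, otherwise the check is still stale by the time the value is used.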

That’s all the points for this domain, and this concludes the CISSP series. I will write one more article, which will have 50 questions where you can test what you have learned.