Chapter 8: Software Development Security (Domain 8) 393
Chapter 8: Software Development Security (Domain 8)
- B. Coupling is a description of the level of interaction between objects. Cohesion is the
strength of the relationship between the purposes of methods within the same class. When
you are developing an object-oriented model, it is desirable to have high cohesion and low
coupling. - D. Botnets are used for a wide variety of malicious purposes, including scanning the
network for vulnerable systems, conducting brute-force attacks against other systems, and
sending out spam messages. - C. Code review takes place after code has been developed, which occurs after the design
phase of the system’s development lifecycle (SDLC). Code review may use a combination
of manual and automated techniques, or rely solely on one or the other. It should be a
peer-driven process that includes developers who did not write the code. Developers
should expect to complete the review of around 300 lines per hour, on average. - D. A social engineering attack may trick a user into revealing their password to the
attacker. Other attacks that depend on guessing passwords, such as brute-force attacks,
rainbow table attacks, and dictionary attacks, are unlikely to be successful in light of the
organization’s strong password policy. - C. One of the responsibilities of the release control process is ensuring that the process
includes acceptance testing that confirms that any alterations to end-user work tasks are
understood and functional prior to code release. The request control, change control, and
configuration control processes do not include acceptance testing. - B. Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in
a user’s browser by attempting to force the submission of authenticated requests to third-
party sites. Session hijacking attacks attempt to steal previously authenticated sessions
but do not force the browser to submit requests. SQL injection directly attacks a database
through a web application. Cross-site scripting uses reflected input to trick a user’s
browser into executing untrusted code from a trusted site. - A. The SDLC consists of seven phases, in the following order: conceptual definition,
functional requirements determination, control specifications development, design review,
code review, system test review, and maintenance and change management. - D. The error message shown in the figure is the infamous “Blue Screen of Death” that
occurs when a Windows system experiences a dangerous failure and enters a fail secure
state. If the system had “failed open,” it would have continued operation. The error
described is a memory fault that is likely recoverable by rebooting the system. There is no
indication that the system has run out of usable memory. - D. Software threat modeling is designed to reduce the number of security-related design and
coding flaws as well as the severity of other flaws. The developer or evaluator of software
has no control over the threat environment, because it is external to the organization.