Chapter 8: Software Development Security (Domain 8) 395
- A. Macro viruses are most commonly found in office productivity documents, such as Microsoft Word documents that end in the .doc or .docx extension. (Strictly, VBA macros are carried by the legacy binary .doc format and by the macro-enabled .docm format; the plain .docx container cannot hold a VBA project, which is why Office distinguishes the two extensions.) They are not commonly found in executable files with the .com or .exe extensions.
- C. The degree of a database table is the number of attributes (columns) in the table; the number of rows is its cardinality. Victor’s table has six attributes: the employee’s user ID, home telephone, office telephone, mobile telephone, office location, and job title.
- C. The string shown in the logs is characteristic of a directory traversal attack, in which the attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be served to a web user, such as the password file. The series of “double dots” is indicative of a directory traversal attack because “..” is the string used to reference the directory one level up in a hierarchy. Attackers also submit encoded variants such as %2e%2e%2f, so log searches and input filters should match on the decoded path rather than on the literal “../”.
- C. Design reviews should take place after the development of functional and control specifications but before the creation of code. The code review, unit testing, and functional testing all take place after the creation of code and, therefore, after the design review.
- C. Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software. It is designed to catch unanticipated consequences of a new code version before it is introduced into a production environment.
- D. Assurance, when it comes to software, is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner. It is a term typically used in military and defense environments.
- C. The change control process is responsible for providing an organized framework within which multiple developers can create and test a solution prior to rolling it out in a production environment. Request control provides a framework for handling user requests. Release control manages the deployment of code into production. Configuration control ensures that changes to software versions are made in accordance with the change and configuration management policies.
- D. Aggregation is a security issue that arises when a collection of facts has a higher classification than any of those facts standing alone. An inference problem occurs when an attacker can combine pieces of less sensitive information to derive information of greater sensitivity. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.
- A. The two major classifications of covert channels are timing and storage. A covert timing channel conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner. A covert storage channel conveys information by writing data to a common storage area where another process can read it. There is no such thing as a covert firewall channel. Memory is a form of storage, so a memory-based covert channel falls into the covert storage channel category.
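Added example for the macro virus answer above (this is editor-supplied illustration code, not material from the study guide). It checks an Office Open XML container for the vbaProject.bin part that macro-enabled files carry, ignoring the file extension, so a .docm renamed to .docx is still flagged. The sample containers are constructed in memory and are not real Word files; the `classify` policy is an assumption for the demo.

```python
import io
import zipfile


def has_vba_project(data: bytes) -> bool:
    """Report whether an Office Open XML container (.docx/.docm/.xlsx/.xlsm/.pptm, ...)
    carries a VBA macro project.

    Macro-enabled OOXML files embed a vbaProject.bin part inside the zip container;
    a plain .docx cannot. The extension is deliberately ignored: the check keys on
    the container's contents, which is what actually matters to the macro engine.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML zip: either the legacy binary .doc (an OLE2 compound file, whose
        # macros need an OLE parser such as oletools) or not an Office document at all.
        return False


def make_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style container for the demo; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA project part
    return buf.getvalue()


def classify(filename: str, data: bytes) -> str:
    """Hypothetical upload/mail-gateway policy: flag content that contradicts the extension."""
    macro = has_vba_project(data)
    ext = filename.rsplit(".", 1)[-1].lower()
    if macro and ext in ("docx", "xlsx", "pptx"):
        return "macro-enabled content with a macro-free extension: suspicious"
    return "macro-enabled" if macro else "no VBA project"


if __name__ == "__main__":
    print(classify("report.docm", make_sample(True)))
    print(classify("report.docx", make_sample(True)))
    print(classify("report.docx", make_sample(False)))
```

The legacy .doc format is not a zip at all, so this check returns False for it; inspecting macros there requires an OLE2 parser.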
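Added example for the directory traversal answer above (editor-supplied, not from the study guide). The first half scans constructed web-server log lines for traversal sequences after percent-decoding the request target, so encoded forms are caught and a harmless "..". inside a filename is not. The second half shows the vulnerable join-and-serve pattern next to a hardened resolver that canonicalises the path and checks it is still under the intended root. Log lines, paths and the root directory are all constructed for the demo.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /static/css/site.css HTTP/1.1" 200 1024
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 2371
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /download?file=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /download?file=report..2023.pdf HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
# A traversal indicator is a ".." that is not part of a longer filename token
# (so "report..2023.pdf" does not match) and is followed by a separator or the end.
TRAVERSAL_RE = re.compile(r'(?<![A-Za-z0-9._-])\.\.(?=[\\/]|$)')


def find_traversal_requests(log_text):
    """Return (client_ip, decoded_path) for each request containing a traversal sequence.

    The target is percent-decoded twice before matching so that %2e%2e%2f and
    double-encoded forms are detected as well as the literal "../".
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        decoded = unquote(unquote(m.group("path")))
        if TRAVERSAL_RE.search(decoded):
            hits.append((ip, decoded))
    return hits


def naive_resolve(root, user_path):
    """The vulnerable pattern: trust the supplied name and join it onto the root."""
    return os.path.normpath(os.path.join(root, user_path))


def resolve_under_root(root, user_path):
    """Resolve user_path beneath root, returning None if it escapes.

    Textually stripping ".." is not enough (encoded and mixed forms slip past);
    canonicalise, then require the root to be the common prefix. commonpath is
    used instead of startswith so that "/srv/www/files2" is not mistaken for
    something under "/srv/www/files".
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path.lstrip("/\\")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    for ip, path in find_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", path)
    print("naive   :", naive_resolve("/srv/www/files", "../../../../etc/passwd"))
    print("hardened:", resolve_under_root("/srv/www/files", "../../../../etc/passwd"))
```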
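Added example for the aggregation/inference answer above (editor-supplied, not from the study guide). Against a constructed salary table where the analyst may only run statistical queries, a narrow predicate turns an "average" into one person's exact salary; a minimum query-set size blocks that, and a pair of overlapping queries (the classic tracker attack) gets around the minimum-size rule again. The data, the `MIN_QUERY_SET` value and the predicates are assumptions for the demo; the predicates are trusted constants here because the point is inference, not SQL injection.

```python
import sqlite3

# Constructed sample data (not from the original page). Each row is individually
# sensitive; the analyst is only permitted aggregate (statistical) queries.
EMPLOYEES = [
    ("alice", "Engineering", "Engineer", 120000),
    ("bob",   "Engineering", "Engineer", 125000),
    ("carol", "Engineering", "Engineer", 118000),
    ("dave",  "Security",    "Analyst",  105000),
    ("erin",  "Security",    "Analyst",  110000),
    ("frank", "Security",    "CISO",     210000),
]

MIN_QUERY_SET = 3  # hypothetical policy: refuse statistics over fewer than 3 rows


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, title TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def stat_query(conn, where, enforce_min_size=False):
    """Run COUNT/SUM over rows matching `where`, optionally applying the minimum-set rule.

    `where` is a trusted constant in this demo; a real statistical interface would
    validate or parameterise the analyst's predicate before embedding it.
    """
    count, total = conn.execute(
        f"SELECT COUNT(*), SUM(salary) FROM employees WHERE {where}"
    ).fetchone()
    if enforce_min_size and count < MIN_QUERY_SET:
        raise PermissionError(f"query set too small ({count} < {MIN_QUERY_SET})")
    return count, total


def direct_inference(conn):
    """Isolate one person with a narrow predicate: the 'average' is their exact salary."""
    count, total = stat_query(conn, "title = 'CISO'")
    return total // count if count else None


def guarded_direct_inference(conn):
    """Same query with the minimum-set rule on; returns None when the rule blocks it."""
    try:
        count, total = stat_query(conn, "title = 'CISO'", enforce_min_size=True)
    except PermissionError:
        return None
    return total // count


def tracker_inference(conn):
    """Defeat the minimum-set rule: both queries cover >= MIN_QUERY_SET rows, but
    their difference is the single excluded individual's salary."""
    n_all, s_all = stat_query(conn, "dept IN ('Security', 'Engineering')", True)
    n_rest, s_rest = stat_query(conn, "dept IN ('Security', 'Engineering') AND title <> 'CISO'", True)
    if n_all - n_rest != 1:
        raise ValueError("tracker did not isolate exactly one row")
    return s_all - s_rest


if __name__ == "__main__":
    db = open_db()
    print("direct   :", direct_inference(db))
    print("guarded  :", guarded_direct_inference(db))
    print("tracker  :", tracker_inference(db))
```

The tracker result is why query-set-size limits alone do not solve the inference problem; defences such as query overlap limits, cell suppression or noise addition address the differencing step itself.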
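Added example for the covert channel answer above (editor-supplied, not from the study guide). It models both classes: a timing channel in which the sender encodes each bit in the delay before its next otherwise-innocuous event and the receiver thresholds the observed gaps, and a storage channel in which a marker file in a shared directory carries one bit per agreed slot. The gap lengths, jitter and marker name are assumptions; timing noise is generated from a fixed seed so the run is reproducible.

```python
import os
import random
import tempfile

SHORT_GAP = 0.010  # seconds before the next event for a 0 bit (assumed)
LONG_GAP = 0.050   # seconds before the next event for a 1 bit (assumed)
THRESHOLD = (SHORT_GAP + LONG_GAP) / 2


def to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits):
    """List of bits -> bytes, dropping any trailing partial byte."""
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def timing_channel_send(data, t0=0.0, jitter=0.004, seed=1):
    """Covert timing channel, sender side.

    Returns the timestamps of the events an observer would see; each bit is the
    length of the gap that precedes the next event. Jitter stands in for scheduler
    and network noise and must stay below half the gap difference for the receiver
    to decode without error.
    """
    rng = random.Random(seed)
    stamps = [t0]
    for bit in to_bits(data):
        gap = LONG_GAP if bit else SHORT_GAP
        stamps.append(stamps[-1] + gap + rng.uniform(-jitter, jitter))
    return stamps


def timing_channel_receive(stamps):
    """Covert timing channel, receiver side: threshold the inter-event gaps."""
    bits = [1 if (b - a) > THRESHOLD else 0 for a, b in zip(stamps, stamps[1:])]
    return from_bits(bits)


class StorageChannel:
    """Covert storage channel: a marker file in a directory both processes can reach.
    Presence means 1, absence means 0; the sender sets it, the receiver samples it."""

    def __init__(self, shared_dir):
        self.marker = os.path.join(shared_dir, ".cache-lock")  # innocuous-looking name

    def set_bit(self, bit):
        if bit:
            open(self.marker, "a").close()
        elif os.path.exists(self.marker):
            os.remove(self.marker)

    def get_bit(self):
        return 1 if os.path.exists(self.marker) else 0


def storage_channel_transfer(data, shared_dir):
    """Run sender and receiver in lock-step, one slot per bit; return what was received."""
    chan = StorageChannel(shared_dir)
    received = []
    for bit in to_bits(data):
        chan.set_bit(bit)                 # sender's action in this slot
        received.append(chan.get_bit())   # receiver's sample in this slot
    chan.set_bit(0)                       # leave no marker behind
    return from_bits(received)


def storage_channel_roundtrip(data):
    """Convenience wrapper that supplies a throwaway shared directory."""
    with tempfile.TemporaryDirectory() as shared:
        return storage_channel_transfer(data, shared)


if __name__ == "__main__":
    print(timing_channel_receive(timing_channel_send(b"secret")))
    print(storage_channel_roundtrip(b"key"))
```

Both channels move data through resources that a policy never labelled as communication paths (a shared directory, the timing of requests), which is what makes them covert; a defender looks for the bimodal gap distribution in the first case and for unexplained create/delete churn in the second.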