Chapter 8: Software Development Security (Domain 8) 397
- B. Web application firewalls (WAFs) sit in front of web applications and watch for potentially malicious web attacks, including cross-site scripting. They then block that traffic from reaching the web application. An intrusion detection system (IDS) may detect the attack but is unable to take action to prevent it. DLP and VPN solutions are unable to detect web application attacks.
- C. Input validation verifies that user-supplied input does not violate security conditions and is the most effective defense against cross-site scripting attacks. Bounds checking is a form of input validation, but it is used to ensure that numeric input falls within an acceptable range and is not applicable against cross-site scripting attacks. Peer review and OS patching are both good security practices but are unlikely to be effective against a cross-site scripting attack.
- C. Durability requires that once a transaction is committed to the database it must be preserved. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Isolation requires that transactions operate separately from each other.
- A. Pass-around reviews are often done via email or using a central code review system, allowing developers to review code asynchronously. Pair programming requires two programmers to work together, with one writing code and the other reviewing and tracking progress. Team reviews are typically done in a group, and Fagan inspection is a formal review process that would involve both the developer and a team to review the code using a formal process.
- B. Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.
- C. User acceptance testing (UAT) is typically the last phase of the testing process. It verifies that the solution developed meets user requirements and validates it against use cases. Unit testing, integration testing, and system testing are all conducted earlier in the process leading up to UAT.
- D. Functional requirements specify the inputs, behavior, and outputs of software. Derived requirements are requirements developed from other requirement definitions. Structural and behavioral requirements focus on the overall structure of a system and the behaviors it displays.
- C. The Open Web Application Security Project (OWASP) is widely considered the most authoritative source on web application security issues. It publishes the OWASP Top Ten list, which publicizes the most critical web application security issues.
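The input validation answer above contrasts allowlist validation of user-supplied text with bounds checking of numeric input. The following Python is an added example, not code from the practice test, that shows both controls side by side: the allowlist rejects a script payload in a comment field, while the bounds check only ever reasons about numeric range. The field names and sample inputs are constructed for illustration.

```python
import html
import re

# Constructed sample inputs (not from the original page).
SAMPLE_COMMENT = "<script>alert(1)</script>"
SAMPLE_AGE = "250"

# Allowlist for a free-text comment field: letters, digits, spaces and a small
# set of punctuation, 1 to 200 characters. Anything outside the allowlist is
# rejected. This is the input-validation control the answer key describes.
COMMENT_ALLOWLIST = re.compile(r"^[A-Za-z0-9 .,!?'\-]{1,200}$")


def validate_comment(value: str) -> bool:
    """Return True only if the comment is made up of allowlisted characters."""
    return COMMENT_ALLOWLIST.fullmatch(value) is not None


def validate_age(value: str, low: int = 0, high: int = 120) -> bool:
    """Bounds check: the value must parse as an integer within [low, high].

    Note that this control says nothing about markup; it rejects a script
    payload only because the payload is not a number at all.
    """
    try:
        n = int(value)
    except ValueError:
        return False
    return low <= n <= high


def render_comment(value: str) -> str:
    """Output encoding as a second layer (defense in depth).

    HTML metacharacters are escaped before the value is placed in a page, so
    even a value that slipped past validation is rendered as text, not markup.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("comment accepted:", validate_comment(SAMPLE_COMMENT))   # False
    print("age accepted:", validate_age(SAMPLE_AGE))               # False
    print("encoded:", render_comment(SAMPLE_COMMENT))
```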