CISSP Official Practice Tests by Mike Chapple, David Seidl


Chapter 8: Software Development Security (Domain 8) 403


threats (APTs) that does not exploit vulnerabilities identified in security bulletins. While
malware authors once almost exclusively targeted Windows systems, malware now exists
for all major platforms.


  1. B. In the waterfall model, the software development process follows five sequential steps
    that are, in order: Requirements, Design, Coding, Testing, and Maintenance.

  2. A. Atomicity ensures that database transactions execute either completely or not at all.
    Consistency ensures that all transactions must begin operating in an environment that is
    consistent with all of the database’s rules. The isolation principle requires that transactions
    operate separately from each other. Durability ensures that database transactions, once
    committed, are permanent.

  3. D. Input validation ensures that the data provided to a program as input matches the
    expected parameters. Limit checks are a special form of input validation that ensure
    that the value remains within an expected range, but there was no range specified in this
    scenario. Fail open and fail secure are options when planning for possible system failures.

  4. The terms match to their definitions as follows:

    1. Session hijacking: C. An exploitation method that often involves cookies or keys to
      gain unauthorized access to a computer or service.

    2. Cross-site scripting: A. An attack that injects a malicious script into otherwise
      trusted websites.

    3. Cross-site request forgery: D. An attack that forces a user to execute unwanted
      actions in a website or application they are currently logged in to.

    4. SQL injection: B. An attack that is designed to execute commands against a database
      via an insecure web application.



  5. D. Penetration tests of web-based systems may detect any possible web application
    security flaw, including cross-site request forgery (XSRF), cross-site scripting (XSS), and
    SQL injection vulnerabilities.

  6. C. The DevOps approach to technology management seeks to integrate software
    development, operations, and quality assurance in a seamless approach that builds
    collaboration between the three disciplines.

  7. B. Nessus is a vulnerability testing tool designed for use by security professionals but also
    available to attackers. nmap may also assist attackers, but it only shows open ports and has
    limited capability to identify vulnerabilities. ipconfig displays network configuration
    information about a system, whereas traceroute identifies the network path between two systems.

  8. D. Dirty reads occur when one transaction reads a value from a database that was written
    by another transaction that did not commit. Lost updates occur when one transaction
    writes a value to the database that overwrites a value needed by transactions that have
    earlier precedence, causing those transactions to read an incorrect value. Incorrect
    summaries occur when one transaction is using an aggregate function to summarize data
    stored in a database while a second transaction is making modifications to the database,
    causing the summary to include incorrect information. SQL injection is a web application
    security flaw, not a database concurrency problem.
