By the end of this course you will be able to
- Build security in as an emerging property at every SDLC phase rather than adding it later (shift-left principle).
- Compare development methodologies (waterfall, V-shaped, iterative, spiral, Agile, RAD, MPM, DevOps, DevSecOps) and recommend the one best suited to a given context.
- Assess development process maturity using maturity models (SW-CMM) and plan their continuous improvement.
- Distinguish and apply software security assessment techniques: SAST, DAST, IAST, RASP, regression testing and IV&V.
- Master programming concepts relevant to security: OOP (inheritance, encapsulation, polymorphism, polyinstantiation), source/object/intermediate code, strong data typing.
- Assess and manage the risks of acquired software: COTS, open-source software, software libraries, citizen programmers and code reuse.
- Secure databases: models, the ACID test, and controls against aggregation, inference, query/bypass attacks via polyinstantiation and view-based access controls.
- Apply secure coding rules (input validation, defensive programming, blocked/allowed lists) to prevent buffer overflow, injection and TOCTOU.
- Identify and classify threats to mobile code, the web (XML, REST, API) and malware families (virus, worm, ransomware, APT, living off the land).
- Conduct data-centric threat modeling and advise management on how much security to build in by design.
Prerequisites : A general grasp of security concepts (CIA triad, defense in depth, least privilege) from Domain 1 is recommended. The secure architecture and protection mechanisms (TCB, reference monitor, covert channels) from Domain 3, along with the cryptography and data protection principles from Domain 2, greatly help understanding. No programming experience is required: this domain targets the security professional who advises and assesses, not the software engineer who codes. Basic familiarity with development vocabulary (compilation, source code, databases, web APIs) is enough.
Suggested path
This path unfolds across 4 sessions of roughly 3 to 4 hours each, about 13 hours total. Work through the modules in order: each session closes its checkpoints before moving on. Always redo the end-of-module checkpoints - they cement the exam traps. Once all 9 modules are done, run the full quiz (150+ questions) as a final review to validate the whole domain.
-
Session 1 - SDLC, methodologies and maturity
MODULE 1 · MODULE 2 · MODULE 3
Build security into the SDLC (shift-left), compare waterfall, Agile, spiral, DevOps/DevSecOps, and place processes on a maturity model (SW-CMM).
-
Session 2 - Development ecosystems and effectiveness
MODULE 4 · MODULE 5
Secure development ecosystems (IDE, CI/CD, software libraries, source code) and assess security effectiveness via SAST, DAST, IAST, RASP and IV&V.
-
Session 3 - Acquired software and secure coding
MODULE 6 · MODULE 7
Assess the impact of acquired software (COTS, open-source, code reuse, citizen programmers) and apply secure coding guidelines (input validation, defensive programming).
-
Session 4 - Databases, web, malware and SDS
MODULE 8 · MODULE 9
Secure databases (ACID, aggregation, inference, polyinstantiation), master mobile code, the web (XML, REST, API), the malware landscape and software-defined security (SDS).
Security in the SDLC: foundations
Prerequisites : None. Entry point of the domain.
The security of a software system is neither a module bolted on at the end nor a product you buy: it is an emergent property that must be present at every step of planning, development, and operation. This module lays the foundations of Domain 8. We first see WHERE vulnerabilities live (the ring model and the OSI stack), how to find them (threat modeling, STRIDE), and the particular threat surface introduced by the web's mobile code. We then place software in its environment and its three temporal perspectives, and dismantle the false dilemma of "fast and cheap versus slow but secure": the cost of a fix explodes the longer it is delayed. Most exploitable vulnerabilities are self-inflicted - errors in requirements, design, and code left undetected at test time. Fixing them early is the security professional's highest-leverage opportunity.
1.1 Where vulnerabilities live: ring model and OSI stack
Domain 3 introduced the ring model to show how layers of function stack up to produce the systems and information architectures organizations depend on. Hardware carries its own software, firmware, burned into ROM. Operating systems drive families of hardware through device drivers, without the OS having to handle low-level details. That is exactly the logic of OSI Layers 1 and 2: they encapsulate hardware details and expose to higher layers the functions they need. Layer by layer, the system builds up to Layer 7, where the user and their applications consume services rendered by software running on many different systems.
The key point for the exam: each layer depends on lower layers for its encapsulated security controls, but it also INHERITS their vulnerabilities. If an exploitable error exists in a lower layer (firmware, driver, network stack), every layer above inherits it, knowingly or not. Conversely, the inner (or lower) layers of the ring or stack must be protected from the consequences of attacks targeting vulnerabilities above them. Security is therefore never the business of a single layer: it is vertical defense in depth.
Software exists at every level of the ring, and that software often depends on configuration files, scripts, and initialization (default) values. A typical application program may comprise tens of thousands of files of executable code, parameter data, scripts, and other data. Each of these files is a potential risk surface: vulnerability hides not only in code, but also in the configuration and data that drive that code.
- Each layer depends on lower layers for its controls AND inherits their vulnerabilities.
- Lower layers must also be protected from attacks coming from upper layers.
- Software exists at every level of the ring: firmware, drivers, OS, applications.
- A typical app = tens of thousands of files (executable, config, scripts, data).
- Risk lives not only in code, but also in configuration and data.
1.2 Threat modeling and STRIDE
Threat modeling, as defined by OWASP, is the security process by which potential threats - or the absence of safeguards - are identified, categorized, and analyzed. Concretely, you create abstractions of the system to spot the boundaries (perimeters) between subsystems and between the system and its external environment. Software, hardware, data, and people are all crossing points of those boundaries. Threat modeling means looking at an environment, system, or application from the attacker's viewpoint and determining the vulnerabilities they might exploit.
The most widespread model is STRIDE, a mnemonic for six threat categories: Spoofing (impersonating an identity), Tampering (modifying something on disk, network, data, or code), Repudiation (denying having performed an action), Information disclosure (exposing information to someone unauthorized), Denial of service (exhausting or degrading a service), and Elevation of privilege (gaining privileges without authorization). With STRIDE, the professional decomposes the system into relevant components, analyzes each component's susceptibility to those threats, then identifies mitigations. Other models pursue the same ends: PASTA, LINDDUN (privacy-oriented), and Trike.
The threat surface is the total of crossing points for a given boundary: TCP/IP ports, login services, query fields on a web page, attachment points for removable media. Each crossing is an opportunity to apply a control technique within an overall risk mitigation strategy. Data-centric threat modeling (NIST SP 800-154, 2016) shifts the focus from the system to the data: it models the authorized movement, locations, execution, and input/output of data, which maps directly to protecting data in transit, at rest, and in use.
Classic exam trap: threat modeling serves to IDENTIFY, CATEGORIZE, and ANALYZE threats. It is NOT mitigation. Mitigation is the step that follows, not a step of threat modeling itself. Confusing the two is a frequent multiple-choice error.
- Threat modeling = identify + categorize + analyze threats (OWASP).
- STRIDE = Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- You look at the system from the attacker's viewpoint; you decompose into components.
- Other models: PASTA, LINDDUN (privacy), Trike. Threat surface = sum of crossing points.
- NIST SP 800-154 = data-centric: protect data in transit, at rest, in use.
1.3 Mobile code and executable content
Web applications expand the threat surface by extending our systems' architecture with mobile code, also called executable content. Mobile code is a file (or set of files) sent by one system to one or more client systems; once opened by software already installed on the client, it controls the execution of the client's software or is directly executed by the client's CPU. The historical distinction is sharp: traditional client-server architectures kept code in place (different functions on clients and servers) while only data moved. Web architectures, by contrast, DEPEND on mobile code to work.
Each time a browser connects to a server, the server downloads onto the user's machine files containing the control logic and data needed to render the page, provides input fields, validates those inputs, and sends data back to the server. Mobile code comes in many types: the most common are JavaScript, Java Archive (JAR files), XML files, and API requests. The HTML files of the page itself and CSS style sheets are also executable content. Apps, applets, widgets, add-ons, and browser add-ins are further examples. Bots are an emerging class: they use limited machine learning capabilities to assist user requests, automate workflows, or validate input quality.
Nearly every action through a web app opens both the client's threat surface AND the server's: the mobile code sent by the server must cross the client's threat surface to be rendered, but data entered in fields and returned by a submit or post - which can itself be mobile code - crosses the server's threat surface. Remember: nearly all species of malware are mobile code, or executable content, or exploit the built-in systems and architectural features that make mobile code possible. Mobile code is therefore not one risk among many: it is the very mechanism most web attacks hijack.
- Mobile code = executable content sent to and run by the client.
- Classic client-server: code stays in place, only data moves.
- The web DEPENDS on mobile code: every page downloads logic + data.
- Types: JavaScript, JAR, XML, API, HTML, CSS, applets, widgets, add-ons, bots.
- A web app opens both client AND server surfaces; nearly all malware IS mobile code.
1.4 The software environment and the three temporal perspectives
The software environment, broadly understood, gathers all the elements, activities, information, people, and systems that affect how software is created, used, modified, and ultimately disposed of. This environment may be limited to an organization that is the sole creator and user of its software, or span an entire market for COTS (commercial off-the-shelf) software. It includes anyone who can read or reverse-engineer the code, its users, and even those affected by the software without using it directly. It often encompasses legal, regulatory, and external factors. Telling example: during the COVID-19 pandemic, patients could access telemedicine only once the software environment for medical insurance billing had been modified to allow it. The software environment is thus complex and reaches far beyond code alone.
The life cycle model adds another source of complexity: three different temporal perspectives. First, design and development: this is where the most self-inflicted vulnerabilities are created, which may go undetected at test and assessment. The threat surface here is smaller and easier to control than at any other stage. This phase can last days, months, or years.
Second, runtime during operational use: both the individual moments of use by each user, and the days, months, or years a given version is made available. This is when the threat surface is MAXIMAL and risk control is hardest for developers, maintainers, and security teams. Third, after one version is replaced or retired by another: the system expands with each new version and each local adaptation. Discovery of a vulnerability in any version still in service can endanger the latest edition as well as earlier ones. This overlapping-support phase often spans years. Exam takeaway: the threat surface is not constant - it is minimal at design, maximal at runtime, and persists as long as older versions remain deployed.
- The software environment includes code, people, law, COTS market, reverse engineers.
- Three temporal perspectives: design/dev, runtime, after retirement.
- Design/dev: most vulnerabilities created, but threat surface minimal and controllable.
- Runtime: MAXIMAL threat surface, hardest risk control.
- After retirement: a vulnerability in an old version can threaten the latest edition.
1.5 The time/quality trade-off and the cost of late changes
For decades, organizations believed in a dilemma: get software fast and cheap but sacrificing critical functions like security, or later, more robust and secure, but at far higher cost. The birth of the internet reflects this choice and the implicit belief that no middle ground existed. It is a false dilemma: most exploitable vulnerabilities are self-inflicted, created as errors in requirements, design, and code, and left undetected by errors in testing, verification, and assessment - then left for an attacker to find and exploit. Many organizations have avoided this false dilemma by choosing approaches that satisfy business needs with reliable, resilient, and secure software.
The economic reason is the rising cost of late change. When an error is found and fixed in the phase where it was introduced, its cost is the baseline: "1x." Found one phase later, the cost rises; found in operations or maintenance, it explodes - not only because of rework, but because it then impacts business and mission objectives. The curve runs from 1x to near-exponential growth. Jumping straight from idea to code (construction-only) looks cheapest but is not: the more deliberate, front-loaded analysis of security, reliability, and safety is well worth the effort.
Much of these defects come from data. Classic errors persist: poor handling of loops and conditionals, wrong data types, misuse of one module's data/code by another, poor handling of special cases and exceptions, incomplete parameter sets between modules. The central problem: input data out of range, incomplete, or in range but incorrect causes abnormal behavior. Hence the phrase "garbage in, garbage out" - running an activity with no effective control of data quality.
NIST Draft SP 800-154 - Guide to Data-Centric System Threat Modeling (2016) establishes data-centric threat modeling as a methodology: it focuses on the authorized movement, locations, execution, and input/output of data, which maps to protecting data in transit, at rest, and in use. It reminds us that poorly controlled input can expose other data, allow arbitrary code execution, corrupt storage, or terminate the application; and that misuse of system utilities to read or extract data can be a step in exfiltration. Key principle for the exam: protecting the INFORMATION in the system is the end; protecting software, hardware, people, and premises are only the means.
- False dilemma: you can be reliable, resilient AND secure; most vulnerabilities are self-inflicted.
- Fix cost: 1x at origin, exponential growth the longer you wait.
- In operations/maintenance, cost explodes because it hits business/mission objectives.
- "Garbage in, garbage out": without input quality control, outputs are wrong; classic data errors.
- Protecting information is the END; protecting software/hardware/people/premises are MEANS.
Case studies
All or part? A young professional's dilemma
Context : A young security professional, mentored by a seasoned colleague, Jens, is finding his footing in his organization's software development program. He discovers a heterogeneous estate: in-house applications, COTS, applets, bots, and no clear view of what should be redeveloped or replaced to reach the desired security posture. Two questions nag him, which he puts to Jens.
Question : First question: should ALL of the organization's software be secured, or only a part deemed critical? Second question: why do business needs so often seem to ignore security risk?
Show analysis and answer
On the first question, the right answer is: all (option A). Because each layer inherits the vulnerabilities of lower layers and nearly all malware exploits the mobile code present everywhere, an unsecured software element - even a minor one - can become the crossing point by which an attacker reaches the rest. You cannot declare a component "non-critical" until you have modeled its place in the overall threat surface. Securing "a part" leaves boundaries open.
On the second question, the right answer (option D) rests on three forces: cost, speed to market, and competitive pressure. Business needs identify new software capabilities to create or maintain a competitive advantage; delivering fast and at lowest cost often trumps risk analysis, reproducing the false dilemma "fast and cheap versus secure." The security professional's role here is to inform these trade-offs, not endure them: showing that the cost of a late fix explodes justifies investing in security early.
Takeaway : All software must be secured, because vulnerability inheritance and the ubiquity of mobile code make any component potentially exploitable. And if the business seems to ignore risk, it is rarely negligence: cost, speed to market, and competitive pressure weigh in - hence the value of a professional able to quantify the rising cost of late change.
- Secure ALL software: no component can be isolated from the overall threat surface.
- Business needs ignore risk because of cost, speed to market, and competitive pressure.
- The security professional advises trade-offs by quantifying the cost of late change.
Protecting information is the end, not the software
Trap: believing the goal is to protect software, hardware, people, or premises. Those are MEANS. The end, the real object of security, is the INFORMATION the system processes. We protect code, machines, staff, and sites because they serve to protect information - never the reverse. On the exam, if an option frames protecting software or hardware as the purpose, be wary: the correct answer almost always points back to protecting information.
Data in transit vs at rest vs in use
Trap: confusing the three data states. In transit = data moving over a network or between components (protect with transport encryption, TLS). At rest = data stored (disk, database, backup; protect with storage encryption and access control). In use = data being processed in memory by a process (the hardest to protect; enclaves, memory isolation). Data-centric threat modeling (NIST SP 800-154) reasons precisely about these three states. An exam question about "data being computed" targets in use, not at rest.
Threat modeling is NOT mitigation
Official quiz trap: threat modeling means to IDENTIFY, CATEGORIZE, and ANALYZE threats (and the absence of safeguards). Mitigation - deciding and putting countermeasures in place - is NOT a step of threat modeling; it comes afterward, based on the model. When a question asks "which of these is NOT a step of threat modeling?", the answer is Mitigation. Identify, categorize, and analyze, yes; mitigate, no.
Checkpoint — Checkpoint
-
Which of these is NOT a step of threat modeling?
- A Identify the threats
- B Categorize the threats
- C Analyze the threats
- D Mitigate the threats
Answer & rationale
Answer : D — Mitigate the threats
Mitigation is not a step of threat modeling. Threat modeling identifies, categorizes, and analyzes threats (and the absence of safeguards) - options A, B, C. Mitigation comes afterward, based on the model, and is a distinct risk-response activity.
-
In the ring model aligned with the OSI stack, which statement is correct about an upper layer (e.g., application)?
- A It is isolated from lower-layer defects and cannot inherit them.
- B It depends on lower layers for its controls but also inherits their vulnerabilities.
- C It contains no software, only user data.
- D It protects the lower layers without ever needing protection itself.
Answer & rationale
Answer : B — It depends on lower layers for its controls but also inherits their vulnerabilities.
Each layer depends on lower layers for its encapsulated controls AND inherits their vulnerabilities (B). A is wrong: vulnerability inheritance is precisely the key point. C is wrong: software exists at every ring level. D is wrong: lower layers must also be protected from attacks coming from upper layers.
-
Why do web architectures open both the client and the server threat surfaces?
- A Because code stays in place on the server and only data moves.
- B Because the mobile code sent by the server crosses the client's surface, and submitted data crosses the server's surface.
- C Because browsers never execute code and merely display text.
- D Because bots entirely replace the server.
Answer & rationale
Answer : B — Because the mobile code sent by the server crosses the client's surface, and submitted data crosses the server's surface.
The web DEPENDS on mobile code: the server sends the client control logic and data that must cross the client's threat surface to be rendered, while entered data sent back (which may be mobile code) crosses the server's threat surface (B). A describes traditional client-server, not the web. C is wrong: browsers execute mobile code (JavaScript, etc.). D is wrong and off-topic.
-
A security defect introduced during requirements is only found in the operations phase. What does the cost-of-change model predict?
- A The fix cost stays at 1x regardless of the discovery phase.
- B The cost drops because the system is now stable in production.
- C The cost rises sharply, to a near-exponential value, because it also hits business objectives.
- D The cost depends only on the number of code lines changed.
Answer & rationale
Answer : C — The cost rises sharply, to a near-exponential value, because it also hits business objectives.
The later a defect is found, the more its fix costs: 1x at the origin phase, near-exponential growth in operations/maintenance, because it forces rework and hits business and mission objectives (C). A and B contradict the curve. D ignores the business impact, which is precisely what makes the operational cost explode.
Key takeaways
- Vulnerabilities live at every layer of the ring model and OSI stack; any upper layer inherits the defects of lower layers.
- Threat modeling identifies, categorizes, and analyzes threats (STRIDE, PASTA, LINDDUN, Trike); it does NOT include mitigation.
- Mobile code (JavaScript, JAR, XML, applets, widgets, bots) makes the web work and opens both client AND server surfaces.
- The software environment has three temporal perspectives: design/dev (minimal surface), runtime (maximal surface), after retirement (overlapping support).
- A fix's cost grows from 1x to exponential; protecting information is the end, software/hardware/people/premises are the means.
Development methodologies
Prerequisites : Module 1.
A development methodology is the managed set of activities that translates end users' functional needs into a software system. This module walks through the classic waterfall SDLC and its phases, the SLC versus SDLC distinction, then the iterative and lean models (RAD, spiral, prototyping, Agile, DevOps, DevSecOps) along with the IPT and IPPD cross-disciplinary approaches. The recurring theme is constant: security must be integrated from start to finish, and the best security is the one designed into the system, not bolted on afterward. You will also learn to choose a method suited to the organizational/industry context and to the trade-off between competitive window and risk.
2.1 The classic waterfall SDLC: SLC vs SDLC and its phases
The classic software development life cycle (SDLC), born in the 1950s and institutionalized in government acquisition standards such as the Department of Defense's MIL-STD-2167, is the waterfall model. When people say 'the SDLC' without qualification, they almost always mean this waterfall model. It is a serial, phased approach where each phase is completed and documented before the next begins; the transition between phases is marked by a formal decision event, often a milestone or approval, with identification, status accounting and managed resolution of remaining open items. Each unresolved item represents a risk to the program.
The generally accepted waterfall phases are: project initiation and planning; functional requirements definition; system design specifications; development and implementation; documentation and common program controls; testing and evaluation control (certification and accreditation); transition to production. As the word 'development' implies, the SDLC ends at implementation (placing into production). The system life cycle (SLC) covers the entire life of the system and adds two phases beyond that: operations and maintenance support (after installation), then decommissioning/disposal and system replacement.
Exam trap: do not confuse SLC and SDLC. The SDLC ends at placing into production; operations & maintenance and decommissioning belong to the SLC, not the SDLC. Another trap: in a strict waterfall, the later an error is found, the more its fix cost explodes - the maximum impact occurs in the operations & maintenance phase. This justifies the front-loaded analysis and testing effort of waterfall for high-reliability systems (nuclear, space, aviation).
- 'The SDLC' = the classic waterfall model by default.
- The SDLC ends at production; the SLC continues with O&M and decommissioning.
- Each phase is completed and documented before the next, with a decision milestone.
- The later an error is found, the costlier it is; maximum impact in O&M.
- Waterfall suits high-reliability systems thanks to its front-loaded analysis.
2.2 Security at every phase of the SDLC
Security is not a phase: it runs in parallel with every phase of the methodology. In project initiation and planning, the project justification is endorsed by management (objectives, scope, cost, schedule); understanding the security requirements begins here, and security activities proceed in parallel. In functional requirements definition, you formalize functional AND nonfunctional requirements (security, reliability, safety) with all stakeholders (owners, compliance, privacy). Beware: waterfall struggles with nonfunctional requirements and emerging properties, which can only be assessed by analysis - ignoring them is a reasoning fallacy. In system design specifications, you design the architecture, outputs and interfaces; data flows (input, data flow, output) and security features are built into the design. In development and implementation, code is written (from scratch, approved libraries, snippets); you need coding standards, validated libraries, strict code reuse rules, and above all time allocated to code review before moving on.
The acceptance phase is a formal, structured handover to the customer, measured against the agreed requirements specification baseline. Several independent teams may step in: IV&V (independent verification and validation) examines, tests and analyzes the system at the customer's direction, focusing on selected requirements or critical elements; SV&V (selected/specialized verification and validation) specifically targets security, reliability, safety or other emerging properties; OT&E (operational testing and evaluation) evaluates the system as the operations team will actually use it, with concepts and procedures provided by the customer. Risk caveat: the further these independent teams stray from contractual requirements, the more the issues found are costly surprises to fix.
Transition to production does not belong to traditional waterfall (performed by the customer organization): security accreditation, user training/awareness, installation, data conversions, sometimes parallel operations. Operation and maintenance (an SLC phase): monitoring, continuity, redundancy, defect correction, testing backup/recovery procedures, and periodic recertification - especially upon significant changes (data classification, physical environment, new hardware/OS/software, new external interfaces). Decommissioning: withdrawal from service and proper disposal of hardware and software. Trap: a maintenance change must never disable or weaken a required existing security control.
- Security runs in parallel with every phase, not as a separate block.
- Functional requirements: also capture nonfunctional and emerging properties.
- Acceptance: IV&V (general), SV&V (targeted security/safety), OT&E (real usage).
- Transition to production and O&M do not belong to the traditional SDLC.
- A maintenance change must never weaken a required existing control.
2.3 Iterative and other models: from structured programming to cleanroom
Strict waterfall proved too rigid: on multi-year programs (FAA, DoD's WWMCCS) the real world moved on before test entry and the requirements baseline was no longer valid. Iterative development answers this by allowing successive refinements of requirements, design and code, provided a change control mechanism and a controlled scope. Security risk: in a changing environment it is hard to guarantee that security provisions remain valid - if anything changes, security requirements may need to change too. The Spiral method is a nested version of waterfall: each phase is run as a waterfall, but four substages based on the Deming PDCA cycle (Plan, Do, Check, Act) are added to it. The key novelty: a risk assessment review (the Check) at each phase, with cost/schedule revision and a continue/cancel decision point each turn.
Several 'lean' models speed up production. RAD (Rapid Application Development) is a refined form of prototyping with strict time limits per phase and efficient tools; risk: decisions made too fast leading to poor design. Prototyping builds a simplified version of the application, has it reviewed, folds in feedback, and iterates until the owner is satisfied. The Modified Prototype Model (MPM) is a refined form ideal for the web: basic functionality deployed fast, maintenance chained right after, the application evolving with the organization rather than frozen. The Reuse model builds the application from already-tested existing components (ideal in OO); it is arguably the most widespread approach yet often the most poorly managed. Component-based development assembles standardized building blocks already tested for security (largely replaced by OOP).
Other methods round out the picture. Structured programming (1970s, before OOP): heavy use of reused subroutines and block structures, discipline, reviews/approvals at each phase - still-sound principles but rarely used as-is. JAD (Joint Analysis Development): facilitation techniques involving all stakeholders at each critical phase. The Exploratory model: requirements built with available resources and many assumptions - security must be prioritized because structure is lacking. CASE (Computer-Aided Software Engineering): automation via formal languages at each step with a database linking phases (Space Shuttle Mission Control) - fell out of use. Cleanroom bets on defect prevention rather than defect removal: write the code correctly the first time, quality through design - the same logic as 'security baked in'. Extreme Programming (XP): values of simplicity, communication, feedback; developers always working in pairs; small fully-integrated releases; owners and security involved in defining needs ahead of developers.
Exam trap: Spiral = nested waterfall with PDCA and a risk review at each phase (not to be confused with a plain iterative model). Cleanroom = defect PREVENTION (not removal/correction).
- Iterative: successive refinements + change control; risk that security goes stale.
- Spiral = nested waterfall with PDCA and a risk review at each phase.
- RAD/Prototyping/MPM = speed, risk of poor design if decisions are too fast.
- Cleanroom = defect prevention (right the first time), not defect removal.
- XP = pair programming, small releases, security involved upstream.
2.4 Agile, Scrum and DevOps
Agile development answers teams and needs that grow and evolve: it favors small team environments, collaborative iterative learning, building, testing and deploying operational capabilities. Its patterns - Scrum, sprint, or SAFe - manage change and produce working, reliable, verifiable functions. A sprint is a short, time-boxed cycle producing a deliverable increment. Agile can handle security considerations well, provided the agile team works effectively with information security experts. Recall from module 1: Agile delivers more working software, faster, but is rightly criticized for not delivering better quality or more secure software by default.
DevOps combines 'development' and 'operations' (and typically quality assurance). Built on lean/agile principles, it has business owners, dev, ops and QA collaborate to deliver software continuously, so the business can react quickly to market opportunities and customer feedback. Google, IBM, Amazon and Microsoft all have implementations driving their core business. DevOps rests on four common principles: develop and test against 'production-like' systems (capture realistic behaviors before production readiness); deploy with repeatable, reliable processes (automation is essential: continuous, automated, frequent deployment and testing, which lowers deployment failure risk); monitor and validate operational quality (move monitoring forward early in the cycle, with meaningful metrics captured at each deployment); amplify feedback loops (create channels so all stakeholders can access and act on feedback).
Exam trap: DevOps is not DevSecOps. DevOps prioritizes the rapid delivery of new versions above all else; security, safety and resilience are often deprioritized and delegated to other processes. It is precisely this gap that DevSecOps fixes (see next lesson).
- Agile: Scrum/sprint/SAFe; fast and working, but not more secure by default.
- DevOps = dev + ops + QA collaborating for continuous delivery.
- 4 DevOps principles: prod-like, repeatable/reliable deploys, quality monitoring, amplify feedback.
- Automation is essential for repeatable and reliable deployments.
- DevOps prioritizes speed; security is often delegated to other processes.
2.5 DevSecOps and shift-left
While DevOps was becoming popular, organizations facing stricter security and safety requirements pushed a different approach. The term SecOps was coined to take the lessons of the classic waterfall and integrate security activities into every step of the process. Where DevOps prioritized rapid delivery at the expense of security, SecOps delivers more secure code by handling security requirements at every stage - at the cost of more time. DevSecOps merges these two models: it moves the security requirements leverage to the left of the timeline (the shift-left), giving each cycle turn earlier opportunities to address and deliver priority security needs into production.
Shift-left is the central idea: rather than auditing security after development (post-hoc), security activities - threat modeling, scanning, testing, monitoring - are moved into the upstream design and requirements phases. Comparing the DevOps diagram with the DevSecOps diagram shows the explicit inclusion of security concerns, activities and professionals throughout the pipeline. Key aspect: the development team (which should include security members) is responsible for security testing and for resolving security issues found during development and testing. Many organizations continually adapt DevSecOps principles to their culture, co-adapting culture and processes to become more security-oriented.
Exam trap (official Q8): DevOps = fast delivery, security delegated to other processes; DevSecOps = security integrated at every step via shift-left. If the question contrasts 'fast but security outsourced' with 'security integrated early and everywhere', the 'integrated at every step' answer is DevSecOps.
- DevSecOps merges DevOps and SecOps by moving security to the left.
- Shift-left = security from design and requirements, not post-hoc.
- The dev team (with security members) owns security testing and resolution.
- DevSecOps explicitly includes security and professionals across the pipeline.
- Official Q8: 'security integrated at every step' = DevSecOps, not DevOps.
2.6 Cross-disciplinary approaches: IPT and IPPD
In the 1980s, many organizations implemented waterfall wrongly: separate teams per phase, with no one but the project management team having an overall view. After costly failures, it became clear that involving the right knowledge, experience and perspectives end to end is a better way to develop complex systems. Two cross-disciplinary approaches are commonly used: the Integrated Product Team (IPT) and Integrated Product and Process Development (IPPD).
An IPT is a team of stakeholders with varied skills working together to achieve a defined process or product. It draws from many disciplines across the organization and the business/mission area to engage diverse viewpoints consistently throughout the system life cycle. Its members provide enough representation from all stakeholders - owners, management, developers, designers, contractors, security professionals - to ensure effective collaboration achieving the required result. The core idea is stakeholder engagement and viewpoint diversity throughout development.
IPPD recognizes that, in many complex projects, the right choices of management methodology, manufacturing approach and test/verification strategy cannot be made while the project is still being thought through; high-risk technologies or unproven algorithms may need exploration via demonstrators before clear requirements can be specified. It is a management technique combining essential acquisition activities through skilled teams to optimize the design, manufacturing and supportability processes, from concept through post-production support. IPPD facilitates multi-skilled members working together via the IPT concept: representatives from all functional disciplines - engineering, manufacturing, management, finance, procurement, legal, security - brought together with a team leader to identify and resolve issues and make sound, timely decisions. Trap: IPPD optimizes both the product AND the processes (design, manufacturing, support), whereas IPT primarily aims for stakeholder diversity; IPPD relies on IPT as its building block.
- IPT and IPPD answer the failures of phase-siloed waterfall teams.
- IPT = cross-disciplinary stakeholder team, viewpoint diversity end to end.
- IPPD = management technique optimizing both product AND processes.
- IPPD relies on the IPT concept as its building block.
- Security is one of the disciplines represented on the team.
2.7 Choosing a methodology: end-to-end security and risk trade-off
There is no universally superior methodology. The choice must be based on the organization's requirements: some models suit long, complex projects better, others short ones. An application may require specific activities to succeed, and the organization may need to meet standards or processes imposed by its industry or government. It is often wise to combine several models to properly develop requirements in a cost-effective way. Manual key point: it is not that a formalized SDLC must be used, but rather that the entire development process must involve security. The number and nature of the phases are not of primary importance.
The universal rule, valid across all models: security must be included from the start and maintained to the end - not only of the development process, but to the end of the system's full life cycle. The best security is always the one designed into the system, not added afterward.
Industries frequently change their minds about their most urgent development needs: sometimes new functionality several times a day, sometimes emphasis on security, safety or auditability. The methodology choice may be driven by management's perception of a competitive-advantage window or, conversely, of an accentuated risk/liability window - more than by other principles. The security professional must keep a sensitivity to these nonstop shifts in emphasis. Exam trap: the question 'when to involve security?' has the answer 'immediately, from the start' - never after initiation, coding or defining test criteria.
- No method is universally best; choose based on requirements.
- Combining several models is often the cost-effective choice.
- What matters is not a formal SDLC but that the process involves security.
- Security from start to end of the full life cycle; designed in, not bolted on.
- The choice is often driven by the competitive window vs risk/liability trade-off.
Case studies
Jens's project-initiation security checklist
Context : Jens has created an initial checklist to identify the most important considerations so HelloWorld can address its security requirements from the project initiation phase. The list includes: information of exceptional value or sensitivity needing special protection? proprietary functionality or intellectual property (IP) to safeguard and separate from the processed data? low-value data but higher-value output? an identified owner who has determined the information's value? special legal, regulatory or compliance requirements? classifications/categorizations per the asset classification system? exposure of sensitive information during operation? special controls on output displays/reports? data processed/stored/transmitted over public or untrusted networks? physically controlled areas required? interconnected systems considered secure? impact on the organization's operations and culture? business continuity needs? the system reviewed through the Business Impact Analysis (BIA) lens? The list is only a starting point, and the team asks for your input.
Question : How would you respond to Jens? Is the checklist complete, and what additional question(s) would you add regarding the organization's security requirements?
Show analysis and answer
Jens's checklist is a good starting point: it covers information value/sensitivity, IP, ownership assignment, legal/regulatory framing, classification, exposure on public networks, physical areas, interconnections, and anchoring in the BIA. But an initiation checklist remains a sample; it can be enriched. Relevant additional questions: what privacy and personal-data protection requirements apply (GDPR, etc.) and does the system process personal data? what level of authentication assurance and access control will be required? what are the data retention and secure-destruction constraints? will the system interact with third parties/suppliers and what is their security posture (supply chain)? what logging, audit and traceability requirements apply for compliance? The key is that these questions be raised at initiation, in parallel with project activities, because understanding the security requirements begins here - and adding them later costs far more.
Takeaway : An initiation checklist is never exhaustive: it is a tool to surface security requirements early. Ask the security questions at initiation, in parallel with the project, rather than discovering them after coding.
- Understanding security requirements begins at initiation.
- The checklist covers value/IP/owner/legal/classification/networks/BIA.
- Always enrich it: privacy, access control, retention, supply chain, audit.
- Security activities run in parallel with each phase, not after.
MLZ Systems's Waxbill UAV: which methodology?
Context : Schneider-Antman, the project manager, advises MLZ Systems on the methodology to adopt for developing the flight software of their new Waxbill UAV (drone). MLZ has long experience with waterfall on its high-reliability embedded programs. Management is hesitant: should they stay with waterfall, or switch to a faster approach (Agile/DevOps) to meet a tight competitive window against a rival?
Question : What are the strengths and weaknesses of waterfall for the Waxbill? What alternatives should be considered, and what do you recommend?
Show analysis and answer
Waterfall strengths for a UAV: the front-loaded, analysis- and test-intensive approach suits high-reliability flight systems where safety is critical; each phase is completed and tested before the next, leaving time to address nonfunctional requirements (safety, reliability) and to organize a rigorous acceptance (IV&V, SV&V, OT&E). Weaknesses: rigidity in the face of requirement changes; late and costly error detection; difficulty coping with nonfunctional/emerging properties; risk that a competitive window closes before delivery. Alternatives: Spiral adds a PDCA risk review at each phase and a continue/cancel decision point, useful for a risky system; an iterative model with change control allows requirement refinement; Agile/DevOps would deliver faster but not more secure by default, which is risky for flight software. Recommendation: for a UAV where safety dominates, keep a waterfall or spiral backbone rather than switching abruptly. Above all, using the method the team already masters reduces risk; changing method midstream adds complexity and risk. If speed is mandated, integrate security via a disciplined DevSecOps rather than pure DevOps.
Takeaway : Using the method the team masters reduces risk; switching methodology adds complexity and risk. For a safety-critical system, favor waterfall/spiral and, if speed is mandated, DevSecOps rather than pure DevOps.
- Front-loaded waterfall suits high-reliability/safety-critical systems.
- Its weaknesses: rigidity, late detection, competitive window.
- Spiral/iterative as more flexible alternatives with risk management.
- Using the team's mastered method reduces risk; switching increases it.
DevOps vs DevSecOps
DevOps aims for rapid, continuous delivery; security is often deprioritized and delegated to other processes. DevSecOps integrates security at every step via shift-left, moving security requirements upstream in the cycle. If the prompt contrasts 'fast but security elsewhere' with 'security integrated early and everywhere', the latter describes DevSecOps (official Q8).
Waterfall vs V-shaped vs Iterative vs Agile
Waterfall = serial phases, each completed AND tested before moving to the next (Q3). V-shaped pairs each development phase with a mirrored test phase. Iterative allows successive refinements of requirements/design/code via change control. Agile delivers in small collaborative increments (Scrum/sprint) while embracing change. The waterfall tell in a question: 'each phase is finished before the next'.
Spiral = nested waterfall with PDCA and risk review
Spiral is not a plain iterative model: it is a nested version of waterfall where each phase is run as a waterfall, augmented with four PDCA substages (Plan, Do, Check, Act). Its distinguishing trait is the risk assessment review (the Check) at each phase, with cost/schedule revision and a continue/cancel decision point. If a question mentions 'risk review and PDCA each turn', it is Spiral.
Checkpoint — Checkpoint
-
When should security be involved in the software development life cycle?
- A Once all business needs are planned and approved, after project initiation.
- B After core coding, the security team assesses gaps and risks.
- C Immediately from the start, to integrate security into design and implementation.
- D After the development team sets the testing criteria.
Answer & rationale
Answer : C — Immediately from the start, to integrate security into design and implementation.
C is correct: security must be involved immediately from the start to be built into design and implementation. Adding security later is costly and difficult (knock-on effect, new testing phase). A, B and D all place security too late - after initiation, after coding or after defining test criteria - contradicting the 'security designed in, not added later' principle.
-
Which characteristic identifies the waterfall model?
- A Each phase is completed and tested before the next one begins.
- B Each development phase is paired with a mirrored test phase.
- C Requirements are continuously refined via change control.
- D Software is delivered in successive small collaborative increments.
Answer & rationale
Answer : A — Each phase is completed and tested before the next one begins.
A is correct: waterfall is a serial, phased approach where each phase is completed (and tested) before the next, bounded by a decision milestone. B describes V-shaped. C describes iterative. D describes Agile. The waterfall hallmark is fully finishing one phase before moving to the next.
-
Which statement correctly distinguishes DevOps from DevSecOps?
- A DevOps integrates security at every step; DevSecOps prioritizes speed.
- B DevOps prioritizes rapid delivery and delegates security; DevSecOps integrates security at every step (shift-left).
- C DevOps and DevSecOps are identical, only the name differs.
- D DevSecOps removes the monitoring phase present in DevOps.
Answer & rationale
Answer : B — DevOps prioritizes rapid delivery and delegates security; DevSecOps integrates security at every step (shift-left).
B is correct: DevOps favors the rapid delivery of new versions and deprioritizes/delegates security to other processes, while DevSecOps integrates security activities at every step by moving the leverage left (shift-left). A reverses the two. C is false: the difference is substantial, not cosmetic. D is false: DevSecOps keeps monitoring and adds security to it.
-
What distinguishes the Spiral method from classic waterfall?
- A It removes all testing phases to save time.
- B It is a nested waterfall adding PDCA substages and a risk review at each phase.
- C It forbids any iteration and freezes requirements from the start.
- D It delivers software several times a day like Agile.
Answer & rationale
Answer : B — It is a nested waterfall adding PDCA substages and a risk review at each phase.
B is correct: Spiral is a nested version of waterfall where each phase is run as a waterfall, augmented with four substages based on the Deming PDCA cycle (Plan, Do, Check, Act), with a risk assessment review and a continue/cancel decision point at each phase. A is false (Spiral adds risk analysis, it does not remove testing). C describes strict waterfall. D describes DevOps/Agile.
Key takeaways
- 'The SDLC' means classic waterfall; it ends at production, the SLC continues with O&M and decommissioning.
- Security runs in parallel with every phase; IV&V/SV&V/OT&E structure acceptance.
- Spiral = nested waterfall + PDCA + risk review; Cleanroom = defect prevention.
- DevOps = speed, security delegated; DevSecOps = security at every step via shift-left.
- IPT = cross-disciplinary stakeholder team; IPPD optimizes product AND processes and relies on IPT.
- Method choice depends on requirements and the competitive-window vs risk trade-off; security must be designed in, from start to end.
Maturity models & governance
Prerequisites : Modules 1-2.
A maturity model is a formalized way to measure the reliability, repeatability, and quality of a set of business processes. It distills decades of quality management lessons drawn from many industries. Applied to secure software development, it lets an organization understand its current processes, assess improvement opportunities, and set quantified targets with a plan and schedule. This module covers the SEI's Capability Maturity Model for Software (SW-CMM) and its five levels, then the security-focused models: OWASP SAMM and BSIMM, distinguishing the prescriptive from the descriptive approach.
3.1 The SW-CMM and its five levels
The Capability Maturity Model for Software (SW-CMM) was released by the Software Engineering Institute (SEI) in 1991. Although software development has evolved greatly since, the model stays useful: it lets an organization measure its current development capability and formulate an improvement plan. The CMM centers on quality management processes and describes an evolutionary path from chaotic, unstructured processes toward mature, disciplined, optimized ones. Each step along the way should yield better, faster, cheaper software, where 'better' covers any quality measure leadership chooses to focus on, including security and safety characteristics.
The five levels follow a strict order. Level 1 Initial: good practices can be repeated but stay ad hoc, chaotic; success depends on individuals. Level 2 Repeatable: best practices are repeatable and rapidly transferred across organization groups, because they are defined to cross project boundaries; this is the basic project management level. Level 3 Defined: standard processes are formalized, all new development follows strict, standardized, well-understood and proactive processes. Level 4 Managed: quantitative, measurable objectives are set for tasks, numerical measures are calculated and maintained as a baseline, reducing deviations from objectives. Level 5 Optimizing: practices are continuously improved and optimized, feedback from one phase positively impacts the others; this is the continuous improvement focus.
Exam trap: do not swap Defined (level 3, standardized and documented processes) and Managed (level 4, quantitative measures). Remember the 'chaotic to optimized' progression and the distinguishing pair Managed = you measure, Optimizing = you continuously improve.
- SW-CMM: SEI, 1991, five levels, chaotic to optimized.
- Order: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimizing.
- Level 1 Initial = ad hoc, success depends on individuals.
- Level 4 Managed = quantitative measures; Level 5 Optimizing = continuous improvement.
- Do not swap Defined (3) and Managed (4).
3.2 SAMM, BSIMM, and CMMI
The Software Assurance Maturity Model (SAMM) is run by OWASP. Developed in the late 2000s, it is an open framework that helps an organization of any size formulate and implement a software security strategy. An organization uses it to evaluate its existing software security practices or to build a security program in successive iterations. SAMM rests on four core functions: Governance, Construction, Verification, and Operation. These functions span a wide range of activities: product management, requirements gathering, architecture and design, quality assurance, deployment, and production operations. Each function breaks down into several security practices, and each practice is split into three maturity levels, from the lowest (unfulfilled practice) to the highest (comprehensive mastery of the practice).
BSIMM (Building Security In Maturity Model) plays a complementary but different role. It is a descriptive, observational model: it describes what real firms actually do regarding software security, measuring activities observed in the field. SAMM, by contrast, is prescriptive: it recommends what an organization should do to improve. The trap is confusing the two logics: SAMM says 'here is how to improve yourself', BSIMM says 'here is what others do'. You often compare your BSIMM score to an industry benchmark; you follow your SAMM journey as a roadmap.
Finally, CMMI (Capability Maturity Model Integration) is the generic successor of the SW-CMM. Where SW-CMM specifically targeted software development, CMMI generalizes and integrates the maturity approach across other domains (services, management, acquisition). For the exam, remember the lineage SW-CMM (1991, software) then CMMI (broader integrated model), and the SAMM/BSIMM distinction rather than CMMI internals.
- SAMM: OWASP, open framework, late 2000s.
- SAMM = 4 core functions: Governance, Construction, Verification, Operation.
- Each SAMM practice has 3 maturity levels (unfulfilled to mastery).
- BSIMM = descriptive (observes real firms); SAMM = prescriptive.
- CMMI = generic, integrated successor of SW-CMM.
Case studies
At what CMM level is this team?
Context : An organization assesses its secure development maturity. One team regularly ships quality code: it applies sound review and testing practices and gets good results. But these practices are documented nowhere, are not formalized as standard processes, and depend entirely on a few experienced individuals. When those people are away, quality collapses. No quantitative measures are collected.
Question : At what SW-CMM level is this team, and why not a higher level?
Show analysis and answer
The team is at Level 1 Initial. The decisive marker is that success depends on individuals and practices stay ad hoc, undocumented, and non-transferable. Good results are not enough to move up: what matters is the nature of the process, not the one-off quality of the deliverable. The team is not at Level 2 Repeatable because its practices are not defined to be transferred across groups and projects; they do not survive the experts' absence. It is not at Level 3 Defined because nothing is formalized or standardized, nor at Level 4 Managed because no quantitative measure is set as a baseline. To reach Level 2, the organization must define and document these practices so they cross project boundaries independently of individuals.
Takeaway : Maturity is judged on the process, not on a single deliverable's quality. Practices that depend on individuals and are undocumented stay Level 1 Initial, even when results are good.
- Ad hoc, undocumented, person-dependent practices = Level 1 Initial.
- Moving to Level 2 Repeatable requires defined, transferable processes.
- Deliverable quality does not determine the maturity level.
The order of CMM levels (do not swap Defined and Managed)
The exact order is: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimizing. The classic exam trap is swapping Defined and Managed, or thinking measurement comes before standardization. Settle it cleanly: Defined (level 3) means standardized, formalized processes; Managed (level 4) means quantitative measures and numerical objectives; Optimizing (level 5) means continuous improvement. Another Level 1 Initial cue: 'ad hoc, chaotic, depends on individuals'.
SAMM (prescriptive) vs BSIMM (descriptive)
SAMM (OWASP) is prescriptive: an open framework recommending what an organization should do to build and improve application security, structured in four core functions (Governance, Construction, Verification, Operation). BSIMM is descriptive: it is based on observing real firms and describes what they actually do, serving as a benchmark. If the question mentions an 'observational' model or 'comparison to what peers do', it is BSIMM. If it mentions a 'roadmap' or a 'framework to formulate a strategy', it is SAMM.
Checkpoint — Checkpoint
-
An organization has set quantitative measurable objectives for its development tasks, calculates and maintains these measures as a baseline, and reduces deviations from objectives. At what SW-CMM level is it?
- A Level 3 Defined
- B Level 4 Managed
- C Level 5 Optimizing
- D Level 2 Repeatable
Answer & rationale
Answer : B — Level 4 Managed
Quantitative measures set as a baseline characterize Level 4 Managed. Defined (3) is process formalization/standardization without numerical measurement. Optimizing (5) adds continuous improvement on top of measurement. Repeatable (2) concerns only repeatability and transfer of practices.
-
What are the four core functions of OWASP SAMM?
- A Plan, Do, Check, Act
- B Governance, Construction, Verification, Operation
- C Initial, Repeatable, Defined, Managed
- D Identify, Protect, Detect, Respond
Answer & rationale
Answer : B — Governance, Construction, Verification, Operation
SAMM is built on four core functions: Governance, Construction, Verification, Operation, each broken into practices over three maturity levels. Plan/Do/Check/Act is the Deming cycle. Initial/Repeatable/Defined/Managed are SW-CMM levels. Identify/Protect/Detect/Respond evokes NIST CSF functions.
-
A CISO wants to compare their organization's security level to what other firms in the sector actually do, based on observed activities. Which model is descriptive and suited to this comparison?
- A SAMM, because it is prescriptive
- B BSIMM, because it is descriptive and observational
- C SW-CMM, because it has five levels
- D CMMI, because it is generic
Answer & rationale
Answer : B — BSIMM, because it is descriptive and observational
BSIMM is descriptive and observational: it measures what real firms do, making it an industry benchmark. SAMM is prescriptive (it tells you what to do), so it is unsuited to an observational comparison. SW-CMM measures generic process maturity but is not a cross-firm security benchmark. CMMI is the integrated successor of SW-CMM, not an observational peer model.
Key takeaways
- A maturity model measures and structures process improvement, from chaotic to optimized.
- SW-CMM (SEI, 1991): 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimizing.
- Managed = quantitative measures; Optimizing = continuous improvement; do not swap Defined and Managed.
- Undocumented, person-dependent practices stay Level 1 Initial.
- SAMM (OWASP) prescriptive, 4 core functions; BSIMM descriptive and observational; CMMI generic successor of SW-CMM.
Software development ecosystems
Prerequisites : Modules 1-3.
The development ecosystem covers everything around writing code: languages and the translation chain, libraries and reuse, tools and IDEs, runtime environments, application security testing, database controls, and configuration management. Most organizations rely heavily on third-party components (libraries, frameworks): a time-saver but a source of risk when you inherit others' mistakes. This module covers the security implications of managing development, deployment, and support: maturity of tool sets, risks and benefits of code repositories, value of IDEs, SAST/DAST/IAST/RASP tools, environment separation, OS/hardware support (TCB, reference monitor, security kernel), DBMS controls, and configuration management with CI/CD.
4.1 Languages, translation, libraries, and IDEs
A program written in a source language must be translated into machine-executable instructions. We distinguish compiled languages (fully translated to machine code before execution by a compiler) from interpreted languages (translated line by line at execution time by an interpreter). Between the two, some platforms produce intermediate code: Java source is compiled to bytecode, then run by the virtual machine. The useful level cue for the exam is the generation scale: Assembly (a low-level language, processed by an assembler) is closest to the machine, where one statement maps to a single processor instruction; higher-level languages (compiled or interpreted) translate one statement into several machine instructions.
A software library is a repository of prewritten code: classes, procedures, scripts, and other programming elements the developer calls rather than rewriting. A library hierarchy exists: OS and hardware libraries (vendor-supplied, with digitally signed updates), programming language libraries (supplied by the IDE or tool sets), development frameworks (such as .NET), in-house, project-specific, or customer-specific libraries (proven code harvested from internal projects), and third-party open-source libraries. The latter range from reputable sources to code of uncertain pedigree (blogs, forums) that must be inspected for back doors, Trojans, or logic bombs before any reuse. Software reuse trades risk for time: reusing too quickly without inspection introduces an exploitable vulnerability; over-inspecting cancels the time saved. Junior programmers sometimes spend more time searching for a reusable snippet than writing good code themselves.
Programming tools (debuggers, build tools, source code editors, static code analysis tools, revision control, unit testing) are often bundled in an IDE (Integrated Development Environment). An IDE combines many tools in one environment: it typically includes a source code editor, build automation tools, and a debugger, and may offer a class browser, object browser, and class hierarchy diagram for object-oriented development. Source code analysis tools look for security flaws in source code (and sometimes compiled code); it is best to use them during the first development phases to fix errors close to where they are introduced. Finally, the sandbox protects execution of mobile code: it limits memory and CPU and isolates suspect code. In the Java model, the Java security manager enforces the sandbox limits; sandbox applets can perform only a set of safe operations, while privileged applets (signed by a certificate the user accepts) can run outside the sandbox with extended access to the client.
- Compiled = translated before execution; interpreted = line by line at runtime.
- Intermediate code: Java source to bytecode run by the JVM.
- Assembly = lowest-level language, one statement = one machine instruction.
- Libraries: OS/hardware, language, frameworks, in-house, third-party open-source.
- Software reuse: inspect uncertain sources (back doors, Trojans, logic bombs) first.
- IDE = source code editor + build automation + debugger (+ class browser in OO).
- Sandbox applets = safe operations; signed privileged applets = outside sandbox.
4.2 Application security testing: SAST, DAST, IAST, RASP
Several application security analysis approaches coexist and complement one another. SAST (Static Application Security Testing) analyzes source code without executing it: it looks for common programming errors, compliance with guidelines and templates, and error sources visible in the source. Because it does not run the code, calling it 'security testing' is a slight misnomer; however, it is easy to deploy, scales well, runs early in the writing cycle, and even helps with refactoring. DAST (Dynamic Application Security Testing) does the opposite: it executes the unit, module, or whole application and injects a variety of tests to drive the code beyond its limits. This is the fuzz testing approach, which runs tens of thousands of test cases against the application, where manual testing covered only a few.
IAST (Interactive Application Security Testing) is a hybrid approach: it brings testing to web and mobile apps, where SAST and DAST struggle. IAST works with agents embedded in the software under test, letting the engine inspect the application's logic down into the library routines it calls, checking they are used correctly. Its limitation is coverage of serverless applications using non-HTTP interfaces. RASP (Runtime Application Security Protection) is more of a protection tool: its agents and instrumentation in the code can terminate execution if a potential security violation is detected during testing.
These tools share common limits: many vulnerabilities (authentication problems, access control issues, insecure use of cryptography) are hard to find automatically; false positive rates are high (useful for fine-tuning the tools); configuration issues often escape analysis because they are not represented in code; and code that cannot be compiled is hard to analyze. The exam trap is the SAST/DAST pair: SAST is static, reads source code, sits early in the cycle (shift-left); DAST is dynamic, tests the running application via fuzz testing.
- SAST = static, source code, no execution, early in the cycle.
- DAST = dynamic, running application, fuzz testing (thousands of cases).
- IAST = hybrid, embedded agents, inspects down to library routines.
- RASP = runtime protection, can terminate execution on violation.
- Limits: authentication/access control/crypto and config hard to detect, high false positives.
4.3 Separation and control of environments
Software development relies on three key environments: the development environment (where analysts and programmers write, compile, and initially test the application), the quality assurance environment (QA, where users and the quality team run functional tests, ideally on a configuration simulating production as closely as possible), and the production environment. Other environments exist (test, staging), but the security stake is the same: control how each environment accesses the application and data, then keep the environments separate and isolated. People working in one environment must be restricted to it: it is generally accepted that a developer should never have access to production. Blended environments combine one or more of these individual environments and are the hardest to control, hence risky.
Classic protection measures are physical isolation of each environment, physical or temporal separation of data, access control lists, content-dependent access controls, role-based constraints, accountability, and separation of duties. Virtualization generalizes this isolation: virtual environments are defined containing the right mix of virtual machines (with OSs, application platforms, and supports) for each configuration tested. All of this is simply applying least privilege to the security of the development process, the first necessary step toward more secure software.
To run a program you need a runtime system: the set of hardware and software components that lets an application run, whatever the language. Every language has a runtime system, whether compiled, interpreted, or invoked via API. The JRE (Java Runtime Environment) is the example: it comprises the JVM (Java virtual machine), the platform core classes, and the supporting libraries needed to run a Java program. The runtime system is also the gateway by which the program interacts with the runtime environment, which holds the state values accessible during execution. Finally, code repository security is an asset to protect like any other: a combination of logical and physical access controls, plus protection of the integrity and availability of the content. Offshoring development complicates this protection, since the code and environment may escape the enterprise's direct inspection.
- Three environments: development, QA, production, kept separate.
- QA must simulate production as closely as possible for functional tests.
- Blended environment = hardest to control, hence risky.
- Separation = least privilege; the developer never accesses production.
- JRE = JVM + core classes + supporting libraries to run Java.
- Code repository = asset protected by logical and physical controls.
4.4 Safer deployment: TCB, reference monitor, security kernel
The deployment phase offers security levers through the right choice of hardware, OS, and configuration. At the core of this security is the Trusted Computing Base (TCB): the set of hardware, software, and firmware components of an architecture responsible for supporting the security policy and object isolation. When designed and coded properly, all the system's security features form the TCB. It can contain trusted paths (secure communication channels between the user or program and the TCB, which the TCB protects from any compromise) and trusted shells (whatever happens in the shell stays confined to that channel).
The reference monitor is the element that enforces security between subjects (users) and objects (data or resources). It is an abstract machine that mediates, or controls, all access subjects have to objects, ensuring any subject trying to access an object holds the appropriate rights. The reference monitor is a concept; its concrete implementation is the security kernel. The security kernel is made of all the TCB components (software, hardware, firmware) and implements the reference monitor mechanism and the security policy. In a layered architecture, the kernel sits at the lowest, most primitive level: it is the small portion of the OS through which all references to information and all authorization changes must pass.
To be implemented correctly, the security kernel must meet three fundamental requirements: completeness (all access to information must go through the kernel), isolation (the kernel must be protected from any unauthorized access), and verifiability (the kernel must be proven to meet its design specifications). To measure confidence in the TCB's security capabilities, evaluation criteria are used, such as TCSEC (Trusted Computer System Evaluation Criteria) and the current Common Criteria. Above this core come cryptographic approaches: PKI (public key infrastructure) and digital signatures, certificate and key management, HSMs (hardware security modules) for robust key storage, and integration with access control and identity management. A negative rule applies: never let developers or administrators build their own cryptographic solutions. Policies must also cover shadow IT and BYOx (bring your own everything), often driven by citizen developers.
- TCB = all HW/SW/firmware components supporting the security policy.
- Reference monitor = abstract concept mediating subject-to-object access.
- Security kernel = concrete implementation of the reference monitor, lowest level.
- Kernel: three requirements = completeness, isolation, verifiability.
- Evaluation criteria: TCSEC and Common Criteria measure assurance.
- Crypto: PKI, signatures, certificates, HSM; do not roll your own crypto.
- Include shadow IT and BYOx in security policies.
4.5 DBMS controls as software security
The DBMS (database management system) provides security controls to prevent unauthorized access and improper modifications by authorized users, based on identification, authentication, authorization, and accountability. The first mechanism is lock control: the DBMS controls who can read and write data by placing locks on rows or objects. When two processes try to access the same resource simultaneously and that resource cannot handle more than one request without breaking integrity, a deadlock may occur: the system cannot release the resource to either transaction and refuses both. To avoid it, the DBMS gives a write lock to one transaction (for example on the last seat of a flight) and queues the other. Locks can be granular: by table, row, record, or even field.
Other DBMS access controls complement locks. View-based access control logically divides the database: a trusted front end assigns each user type a view that hides unauthorized sensitive data, with possible granularity on rows and columns. Grant and revoke manages permissions: a user with grant authority can grant permissions to others; without the grant option, they cannot pass that authority on. The notable security feature is the revoke's cascade effect: revoking a user's rights also revokes all rights that user had granted. Metadata also acts as a gatekeeper: the data dictionary is a central repository of information about the enterprise's databases (sensitivity, classification); it does not directly control access but informs risk management.
OLTP (Online Transaction Processing) handles a high volume of real-time transactions against databases, with many concurrent users (airline reservations, finance, retail). It relies on the DBMS's concurrency and atomicity requirements (the ACID test: atomicity, consistency, isolation, durability). OLTP acts as a monitoring system: it detects a process abort, restarts it, and backs out a transaction if needed. Two important security features: the transaction log records a transaction's information before processing, then marks it processed; on failure, the transaction is recovered and reapplied via the log. Checkpoint restart uses the logs to restart the machine by replaying to the last checkpoint (last known good transaction), all following transactions being reapplied before reopening data access.
- Lock control: only one user writes a datum at a time (table/row/field granularity).
- Deadlock: two processes block on the same indivisible resource.
- View-based access control: trusted front end hides sensitive data.
- Grant/revoke: without the grant option, no passing on; revoke = cascade effect.
- Data dictionary = central metadata (sensitivity, classification), not a direct access control.
- OLTP = real-time transactions, ACID; transaction log and checkpoint restart for recovery.
4.6 Configuration management, change management, and CI/CD
Configuration management (CM) means monitoring and managing changes to a program or its documentation. Its goal is to guarantee the integrity of the code, its availability, and use of the correct version of every component (code, design documents, documentation, control files). CM reviews every change through four activities: identifying (identify the changes), controlling (each change goes through documentation reviewed and approved by an authorized person, the change management or RFC, request for change), accounting (record and report the configuration throughout the procedures), and auditing (verify the change and ensure it does not affect the security policy). A CM plan defines the configuration items under CM, their naming, how they enter and leave the controlled set, how an item may change, and how CM tools enforce these rules. In a project, CM limits changes to the scope; failing CM leads to scope creep, where requirements change continuously and the project never finishes.
Software Configuration Management (SCM) applies these principles to source code: version control, branching, and merging that let several teams work without conflicts, plus stable builds. It is the right tool when an organization manages its versions poorly, unlike a plain document management system that offers neither branching nor merging.
Continuous Integration (CI) and Continuous Delivery (CD) automate and coordinate the pipeline processes, from writing code to running the finished software in production. The pipeline chains: coding a software unit, unit test, build and integration of units into subsystems, then into a complete application, followed by more testing, and finally deployment of the build package. The exam trap distinguishes the two: CI integrates and tests code frequently in the repository; CD deploys to production. Done well with strong security-team involvement, CI/CD are major building blocks of a DevSecOps approach, making change management more seamless, auditable, and enforceable. Two security challenges: the CI/CD chain itself must pass a security assessment, and it can feed the pressure to deliver faster at the expense of security. Finally, control granularity must address both program and user: if a user cannot access object X but has a program that can, the security mechanisms are bypassed (low granular system). The answer is least privilege, separation of duties, and reasonable access limits.
- CM = identify, control (approved RFC), account, audit changes.
- CM plan defines configuration items, naming, change rules.
- Poor CM = scope creep (drifting requirements).
- SCM = version control, branching, merging for source code.
- CI = integrates and tests frequently in the repository; CD = deploys to production.
- CI/CD = DevSecOps building blocks; the chain itself must be security-assessed.
- Granularity: address program AND user, otherwise controls are bypassed.
Case studies
HelloWorld: getting code versions under control
Context : HelloWorld is growing and manages its code versions poorly: frequent conflicts and inconsistencies when merging changes from several teams, difficulty tracking changes and maintaining stable releases for clients. Leadership proposes four options: (1) implement a Software Configuration Management (SCM) system, (2) use a centralized Document Management System (DMS) to track all developer changes, (3) rely on manual processes and shared network folders for version control, (4) outsource version control and merging to a specialized third-party provider.
Question : Which approach should Jens adopt to improve version control, merge code efficiently, and maintain stable releases, and how should he respond to each proposal?
Show analysis and answer
The recommended option is the SCM system (option 1). Configuration management systems are specifically designed to manage and track changes in development projects: they provide version control, essential for handling multiple versions and maintaining stable builds, and ease merging code from different teams while reducing conflicts and errors. The centralized DMS (option 2) is insufficient: it helps organize documentation but lacks the advanced source code management features, namely branching, merging, and version control. Manual processes with shared folders (option 3) are inefficient and error prone for a growing company: they handle neither version control, nor accurate change tracking, nor multi-team merging. Outsourcing to a third party (option 4) may bring specialized expertise but stays impractical for ongoing development: it introduces dependency on an external actor over a core development process, with risks of lost control, collaboration, and late updates.
Takeaway : For version control, branching, and multi-team merging, an SCM system is the right tool. A DMS, manual processes, or outsourcing do not provide the necessary source code management controls and introduce control or dependency risks.
- An SCM system handles version control, branching, merging, and stable builds.
- A centralized DMS lacks branching/merging: insufficient for code.
- Manual processes and shared folders: inefficient and error prone.
- Outsourcing a core development process creates dependency and loss of control.
SAST (static) vs DAST (dynamic)
SAST is static: it analyzes source code without running it, looks for programming errors and compliance with guidelines, and sits early in the writing cycle (shift-left), making it easy to deploy and scalable. DAST is dynamic: it executes the application and injects tests to drive it beyond its limits, via fuzz testing (tens of thousands of cases). If the question mentions 'source code', 'without execution', or 'early in the cycle', it is SAST. If it mentions 'running application', 'fuzz testing', or 'test injection', it is DAST. Also do not confuse them with IAST (hybrid, embedded agents, web and mobile) and RASP (runtime protection that can terminate execution on violation).
CI (integration) vs CD (deployment)
Continuous Integration (CI) and Continuous Delivery (CD) do not name the same step. CI integrates and tests code frequently in the repository: developers push their code often, and it is automatically built and tested to catch integration conflicts early. CD takes over downstream: it deploys the code to production (or keeps it deployable at any time). The classic trap (official quiz Q9) is assigning production deployment to CI: no, deployment is CD. Remember: CI = integrate and test in the repo, CD = deploy to production. The CI/CD pipeline coordinates and automates the whole chain, from writing code to finished software in operation.
The lowest-level language = Assembly
The language closest to the machine is Assembly (a low-level, second-generation language), processed by an assembler: one statement maps to a single processor instruction. This is the key to settling the trap (official quiz Q5): in higher-level languages, both compiled (fully translated before execution) and interpreted (translated line by line at runtime), one statement translates into several machine instructions. If the question asks for the 'lowest-level' language or the one where 'one statement = one instruction', the answer is Assembly, not a compiled or interpreted language. Also do not confuse it with intermediate code (Java bytecode), which is neither pure source nor pure machine code.
Checkpoint — Checkpoint
-
Which of the following can be stored within a software repository?
- A Prewritten code
- B Scripts
- C Procedures
- D All of the above
Answer & rationale
Answer : D — All of the above
A software repository acts as a central code store: a developer adds a library to gain functionality or automate a process without rewriting everything. It contains prewritten code, scripts, procedures, but also classes and other programming elements. No single option is complete, so the answer is 'all of the above'.
-
A team frequently pushes code into the repository, where it is automatically built and tested to catch conflicts early, but deployment to production is a separate practice. What are these two practices respectively called?
- A CD for integration, CI for deployment
- B CI for integration and testing, CD for production deployment
- C SAST for integration, DAST for deployment
- D SCM for integration, RFC for deployment
Answer & rationale
Answer : B — CI for integration and testing, CD for production deployment
Continuous Integration (CI) integrates and tests code frequently in the repository; Continuous Delivery (CD) deploys to production. Option 1 swaps the two. SAST/DAST are security testing techniques, not the CI/CD pipeline. SCM is the software configuration management system and RFC a request for change, unrelated to this split.
-
Which language is closest to the machine, where one statement maps to a single processor instruction?
- A A high-level compiled language
- B An interpreted language
- C Assembly
- D Java bytecode (intermediate code)
Answer & rationale
Answer : C — Assembly
Assembly is the lowest-level language: one statement equals a single machine instruction. In higher-level compiled or interpreted languages, one statement translates into several instructions. Java bytecode is intermediate code run by the JVM, not the lowest level written by the developer.
-
An organization wants to scan its source code for programming errors, without running the application, as early as possible in the development cycle. Which approach fits?
- A DAST, because it runs the application via fuzz testing
- B SAST, because it analyzes source code without executing it
- C RASP, because it terminates execution on violation
- D IAST, because it covers non-HTTP serverless applications
Answer & rationale
Answer : B — SAST, because it analyzes source code without executing it
SAST (Static Application Security Testing) analyzes source code without execution and runs early in the cycle (shift-left), matching the need exactly. DAST is dynamic and runs the application (fuzz testing). RASP is runtime protection, not static source-code analysis. IAST is hybrid and in fact struggles with non-HTTP serverless applications.
Key takeaways
- Compiled vs interpreted vs intermediate code (bytecode); Assembly = lowest-level language, one statement = one instruction.
- Software reuse trades risk for time: inspect third-party sources before any reuse; the IDE bundles editor, build automation, and debugger.
- SAST (static, source code, early) vs DAST (dynamic, execution, fuzz); IAST hybrid; RASP protects at runtime.
- Keep development/QA/production separate; blended = risky; the developer never accesses production.
- TCB = HW/SW/firmware of the security policy; reference monitor (concept) implemented by the security kernel (completeness, isolation, verifiability).
- DBMS controls: locks, deadlock, view-based access control, grant/revoke (cascade), data dictionary, OLTP (transaction log, checkpoint restart).
- CM = identify/control/account/audit; SCM for code; CI integrates/tests in the repo, CD deploys to production.
Effectiveness of software security
Prerequisites : Modules 1-4.
Building secure software is not enough: you must prove it is secure and that it stays secure. This module covers the effectiveness of software security (objective 8.3), that is the ongoing assessment of security controls across the life cycle. It opens with the permanent trade-off between assurance and cost, time, and resources, then with comparing risk to business needs through the four steps discover, evaluate, agree, document. It stresses the maxim 'if you can't measure it, you can't manage it': without robust configuration management (CM), assessment loses its anchor. It then covers auditing and logging of changes backed by uniquely identifiable configuration items (CIs), software assurance as both process AND result, the functional vs nonfunctional requirements distinction, and the four families of software risk assessment. It dives into certification and accreditation (Security Authorization), then testing: acceptance, regression, security assessment, and test data best practices. The Equifax / Apache Struts case shows concretely the cost of failing to apply a critical patch.
5.1 Balancing assurance, cost, and business needs
Assessing the effectiveness of software security is, first of all, applied risk management. Every step, from the birth of an idea to the system's retirement, aims at attaining sufficient confidence: the software is secure enough, safe enough, and fast enough for users' needs, and stays within budget and schedule. Because systems are increasingly distributed and rely on shared open protocols, interfaces, and open-source code, the trade-off between breach risk and the complexity, difficulty, and cost of building more securely grows harder every day.
The security professional is only an advisor: security does not dictate what the business does, it lets the business operate safely. To compare risk to business needs, the organization follows four steps. Discover: consult stakeholders (interviews, questionnaires, working groups) about what they do and the tools they use; this phase often must be repeated to get consistent answers. Evaluate: assess those answers, because leaders rarely articulate clearly what they do and the answers are often wrong. Agree: form assumptions to reconcile the views; if all parties agree, produce the business plans. Document: record the process and plan, which become the working model.
Exam pitfall: this four-step process does not consider risk - it reflects what the business says it needs. Once the decision is made and implemented, it falls to the security team (apart from the security architect) to make the plan secure. To steer all this, the principle 'if you can't measure it, you can't manage it' demands robust configuration management (CM) and configuration control (CC) processes: without measurement, there is no security management.
- Effectiveness assessment is applied risk management across the whole life cycle.
- The four business-needs steps: discover, evaluate, agree, document.
- This process does not consider risk: it describes what the business thinks it needs.
- Security advises, it does not dictate; making the plan secure falls to the security team.
- 'If you can't measure it, you can't manage it' justifies the need for robust CM/CC.
5.2 Auditing and logging of changes
Change management and change control must first decide at what level of granularity the system elements are defined, enumerated, managed, and controlled. This establishes the set of configuration items (CIs) formally subjected to CM decision-making and to CC enforcement and audit. The whole process depends on the system's other security processes to rigorously prevent tampering with the contents of a CI.
A software CI must be uniquely identifiable, and that identifier is linked to the version control processes used during integration and delivery. Enumerating the system must reveal the precise CIs and their version identification. Without this specificity and granularity, enumeration loses its ability to produce audit-worthy findings: you cannot claim a system matches its baseline if you do not know exactly which versioned elements compose it.
Change control traditionally relies on change logs, fed by file-system and application logs kept by the OSs, by CM/CC system agents, or other means. Audits then step through these change logs to verify that the result of all logged changes matches the enumerated baseline of the current system. Exam pitfall: an audit does not merely observe that changes happened, it verifies that they bring the system back to the expected authorized state (the baseline). This is how you assess security effectiveness through auditing and logging - the answer to the 8.3 profile scenario.
- CM first defines granularity, fixing the set of managed CIs.
- A software CI must be uniquely identifiable and linked to version control.
- Without precise identification/versioning, no audit-worthy findings.
- CC relies on change logs (OS, CM/CC agents, applications).
- Audit verifies that logged changes match the enumerated baseline.
5.3 Software assurance: process, result, and assessment types
Software assurance (or software quality assurance) establishes that a system: performs all intended and required functions; performs no unintended or unauthorized functions; is free from security vulnerabilities, exploitable or not; and is protected against insertion of errors in design, code, form, function, and data at any time in the life cycle. It is both a process - the planned, systematic set of activities to gather data about the software, evaluate it, and determine its overall quality - AND a result: the confidence stakeholders can have in the software's ability to fulfill their needs securely. This confidence is comparable to a warranty of fitness.
Many security needs are poorly evaluated by software quality assurance because analysts treat them as nonfunctional requirements. Functional requirements are the specific things the system must do (correctly process a purchase transaction): code is written to accomplish them. Nonfunctional requirements are characteristics of overall form or attributes of behavior that result from the design; most security requirements have been considered nonfunctional - no specific code is written because there is no 'function' to carry out. Security is also an emerging property: it stems from the whole design rather than an isolated module. Effective processes are organized around workflows (tasks, triggers, reporting) and metrics based on use cases, which are security-performance benchmarks in known situations.
There are four types of software risk assessment to know. Certification and accreditation: upfront analysis of needs, requirements, and design, with acceptance testing against the baseline; costly, it is falling out of favor. Risk management frameworks: NIST, ISO, and other formalized frameworks covering the whole risk decision cycle. Software process CMMs: SEI models characterizing business processes end-to-end by their reliability, repeatability, and achievement of quality metrics. Software quality assurance (software assurance): like C&A, it establishes how well the software meets its requirements without exposing the organization to undue risk. The common thread is a due-diligence question: what confidence can we have that the software is safe, secure, and fit for use?
- Software assurance = process (gather/evaluate/qualify) AND result (confidence, warranty of fitness).
- Functional = specific coded task; nonfunctional = overall characteristic like security.
- Security is often nonfunctional and an emerging property of the whole design.
- Workflows and use-case-based metrics measure effectiveness.
- Four types: C&A, risk management frameworks (NIST/ISO), software process CMMs (SEI), software quality assurance.
5.4 Certification and Accreditation (Security Authorization)
Certification and accreditation, sometimes called Security Authorization, separates two distinct decisions. Certification is the formal process of evaluating the security capabilities of the software or system against a predetermined set of security standards or policies; it can also examine how well the system meets its security-related functional requirements. In other words, certification is the comprehensive technical security analysis of the system, whose result contains an analysis of technical and nontechnical security capabilities and countermeasures and the extent to which the system meets the requirements.
Accreditation is the formal management decision regarding the results of certification, used as authorization to move into production. It usually requires a designated accrediting authority (DAA) to review and approve, authorizing the system in production for a specific period. Exam pitfall: certification = technical analysis (the 'what' and 'how' of security); accreditation = management decision/authorization (the business 'go'). Management may accredit a system that failed certification, or refuse to accredit a system certified as compliant - the final decision is managerial, not technical.
There are two types of accreditation. Provisional accreditation applies for a specific period and lists the changes required to reach full accreditation. Full accreditation implies that no changes are required for the decision. For valuable testing, the application must be tested in an environment that simulates production as closely as possible, testing security capabilities and simulating security problems that may arise - this is the first phase of the C&A process. Usage: mostly government environments (and their customer agencies), which have strict C&A and authorization-to-operate requirements; most commercial organizations see no benefit against the administrative burden.
- Certification = technical analysis; accreditation = management decision.
- Accreditation requires a DAA and authorizes production for a period.
- Management may accredit an uncertified system or refuse a certified one.
- Provisional = temporary with required changes; full = no change required.
- Mostly government use; too heavy for most commercial organizations.
5.5 Testing, verification, and security assessment
Testing uses a system (or its components) in a scripted, controlled way to verify that a set of inputs and initial conditions produces the required results. It occurs at many steps to verify correct design, correct implementation, and fitness for use, including security characteristics. Acceptance testing (originally 'functional testing') is a formal test conducted by the customer's end-user teams to decide whether to accept the system: it answers 'can we use it for our business needs?'. It differs from unit tests, written and run by the developers themselves, which answer 'does it behave according to functional requirements?'. Each test (a case) yields a pass or fail; accepting a system with known discrepancies and a resolution plan is common.
Regression testing verifies that a change or addition has not negatively affected existing functionality: catching bugs accidentally reintroduced in a new build and ensuring already-eradicated bugs stay eradicated. Security regression testing verifies that a new set of modifications has not re-exposed the system to previously known exploitable vulnerabilities - sometimes a security patch undoes the mitigations of a previous update. Security assessment testing, including ethical penetration testing, applies throughout the operational life span; it evaluates the system's present state and actual use, which has often evolved beyond the original requirements, and inspects that designed-in security controls still work against current threats.
Test data best practices are exam classics. Never use production data (privacy, need-to-know); if unavoidable, the data owner must sign off and strict usage controls are negotiated. Include data at the edges of acceptable ranges, in between, and beyond what is expected, with fuzz testing (random, not 'expected' data). Also test with known good data to verify expected behavior. Do bounds checking of field size, time, and date to prevent buffer overflows. Sanitize test data so sensitive data is not exposed to unauthorized testers. Review data before and after each test, and always maintain clear segregation between test and production environments.
Tests are also classified by how much internal knowledge the tester has. Black-box testing assumes no knowledge of internal code and exercises the system from the outside (close to DAST and external pentest). White-box testing has full access to source code and design (close to SAST and code review). Grey-box testing combines both: partial knowledge (for example accounts or schemas) to focus the tests. Choosing the right mix by risk and criticality strengthens coverage.
- Acceptance testing = customer/end-user, business needs; unit test = developers, requirements.
- Regression testing: do not reintroduce bugs or reopen known vulnerabilities.
- Security assessment testing (ethical pen test) spans the whole operational life.
- Never use production data; if unavoidable, data owner sign-off + usage controls.
- Fuzz testing, bounds checking, sanitization, test/prod segregation are key rules.
- Black-box (no code, cf. DAST), white-box (with code, cf. SAST), grey-box (partial knowledge).
Case studies
Jens: assessing effectiveness via auditing and logging
Context : Jens is asked to explain how to assess the effectiveness of software security at HelloWorld Inc. by relying on auditing and logging of changes, and to lay out methods for risk analysis and mitigation.
Question : How can Jens assess the effectiveness of software security via auditing and logging of changes?
Show analysis and answer
Jens must first have CM fix the granularity of elements, defining the set of managed configuration items (CIs). Each software CI must be uniquely identifiable and linked to version control, so enumeration reveals the precise CIs and their versions. Change control then feeds change logs (OS, CM/CC agents, applications). Jens has the audit step through these logs to verify that the result of all changes matches the current system's enumerated baseline. Where changes do not return the system to the expected authorized state, there is a discrepancy to triage. These findings feed risk analysis and steer mitigation. The traceability also provides a paper trail that can reveal otherwise unnoticed intrusions or tampering.
Takeaway : Without uniquely identifiable, versioned CIs, auditing yields no actionable findings: change identity and traceability are the foundation of any effectiveness assessment.
- CM fixes granularity and the set of CIs.
- Audit compares logged changes to the enumerated baseline.
- Triaged discrepancies feed risk mitigation.
Equifax and Apache Struts (CVE-2017-5638)
Context : Apache Struts 1, an open-source MVC framework developed in May 2000 by Craig McClanahan, extends the Java API by separating the model (which talks to the database) from the view (the HTML page). On March 10, 2017, the U.S. NVD published CVE-2017-5638, a critical vulnerability in the Jakarta multipart parser allowing remote arbitrary code execution. The framework fix was released on March 6, 2017, but within days attackers were trying to exploit the flaw. In May 2017, two months after the patch, a web vulnerability in Struts led to the Equifax breach, exposing the sensitive data of 143 million U.S. citizens: names, Social Security numbers, birth dates, addresses, driver's license and credit card numbers, as well as UK and Canadian residents.
Question : Why did Equifax not apply the patch even though it was available?
Show analysis and answer
The patch was too complex and labor-intensive to deploy. Hundreds of applications depended on Struts; fixing the vulnerability would have required rebuilding those applications and extensively retesting them with the new patch, a costly operation that did not seem worthwhile. This is exactly the assurance-versus-cost/time/resources trade-off, badly resolved: the real risk (RCE over ultra-sensitive data) was underestimated against the immediate cost. Without a precise inventory of the CIs depending on Struts nor automated regression testing, the effort looked disproportionate, and the two-month window was enough for attackers.
Takeaway : Patch management of third-party dependencies is a top-tier supply chain risk: one unpatched open-source dependency can wipe out the assurance of an entire system. Effective CI inventory and regression testing make patching a critical dependency tractable rather than prohibitive.
- CVE-2017-5638: RCE via Struts' Jakarta multipart parser.
- Patch released March 6, 2017; Equifax breach in May 2017 (143M citizens).
- Perceived patch cost outweighed real risk - a bad trade-off.
- CI inventory and regression testing make dependency patching tractable.
Acceptance testing vs regression testing
Do not confuse them. Acceptance testing is run by the customer / end-users to decide whether to accept the system: it answers 'can we use it for our business needs?'. Regression testing verifies that a change or addition has not broken existing functionality or reopened an already-fixed bug or vulnerability. Memo: acceptance = fitness for business needs (customer-oriented); regression = no regression of the existing (change-oriented). Unit tests, by contrast, are run by developers and answer 'does it behave according to functional requirements?'.
Certification vs accreditation
Do not confuse them. Certification is the comprehensive technical analysis: evaluating the system's security capabilities against predetermined standards. Accreditation is the formal management decision on the certification results, the authorization to go to production issued by a DAA. Memo: certification = technical (the 'what/how'); accreditation = managerial (the 'go'). Exam consequence: management may accredit a system that failed certification, or refuse a system certified as compliant - the final decision is managerial.
Functional vs nonfunctional requirements
Do not confuse them. A functional requirement is a specific task the system must perform (process a transaction): code is written to carry it out and it is directly traceable and testable. A nonfunctional requirement is an overall characteristic or attribute of behavior (security, performance) resulting from the design; there is no dedicated 'function', so it is evaluated by analysis rather than a function test. Memo: functional = what the system does (coded, traceable); nonfunctional = how it is, including security, often an emerging property.
Checkpoint — Checkpoint
-
What is the main goal of assessing the effectiveness of software security?
- A Continuously evaluate and improve the software's security measures
- B Replace configuration management with one-off audits
- C Guarantee the total absence of functional bugs
- D Transfer security responsibility to developers
Answer & rationale
Answer : A — Continuously evaluate and improve the software's security measures
The goal is to evaluate and improve security measures across the life cycle (applied, ongoing risk management). B is wrong: assessment relies on CM, it does not replace it. C confuses security with functional quality, and no system is guaranteed bug-free. D is wrong: security advises and assesses, it does not offload onto developers.
-
Which technique analyzes source code without executing it?
- A Static analysis (SAST)
- B Dynamic analysis (DAST)
- C Fuzz testing
- D Acceptance testing
Answer & rationale
Answer : A — Static analysis (SAST)
Static analysis (SAST) examines source code without running it. B (DAST) evaluates runtime behavior. C (fuzz testing) injects random data into a running system. D (acceptance testing) is run by the customer to decide acceptance, and it executes.
-
What is the purpose of dynamic analysis (DAST)?
- A Evaluate the software's behavior at runtime
- B Inspect source code line by line at rest
- C Decide the authorization to move to production
- D Define the granularity of configuration items
Answer & rationale
Answer : A — Evaluate the software's behavior at runtime
Dynamic analysis evaluates software behavior while it runs. B describes static analysis (code at rest). C describes accreditation (a management decision). D belongs to configuration management, not a code-analysis technique.
-
In Security Authorization, who makes the decision to authorize production use?
- A Management via accreditation (often a DAA)
- B The technical team via certification
- C Developers via unit tests
- D The data owner via data sanitization
Answer & rationale
Answer : A — Management via accreditation (often a DAA)
Accreditation is the formal management decision that authorizes production, usually by a designated accrediting authority (DAA). B is wrong: certification is the technical analysis, not the authorization decision. C is about unit testing of functions. D is about protecting test data, unrelated to authorization.
Key takeaways
- Assessing effectiveness = applied, ongoing risk management; without measurement (CM), no management.
- Business needs are built via discover, evaluate, agree, document - without considering risk, which security adds afterward.
- Uniquely identifiable, versioned CIs let auditing produce findings against the baseline.
- Software assurance = process AND result; security is often nonfunctional and an emerging property.
- Certification (technical) and accreditation (management) are distinct; the final decision is managerial.
- Acceptance (customer), regression (no-regression), and security assessment (ongoing pen test) cover different needs.
- Never use production data in test; fuzz testing, bounds checking, sanitization, and test/prod segregation are the rule.
- Equifax / Struts: an unapplied dependency patch is a major supply chain risk.
Security of acquired software
Prerequisites : Modules 1-5.
Most of the software an organization depends on is not written by its own developers: COTS, open source, third-party development, managed services and cloud. Software assurance therefore does not stop at the internal dev team's door; it must extend to everything that is bought, leased or inherited. This module covers objective 8.4: acquisition through third-party development and its four-phase process, assessment of open source and orphaned systems, merger-and-acquisition concerns, due diligence on commodity systems and COTS, and the shared responsibility of managed and cloud services. We add modern supply-chain practices (SCA, SBOM) that extend this reasoning.
6.1 Acquisition via third-party development: the four phases
When an organization contracts a third party to develop a system, customize existing software or tailor a commercial platform, the acquisition process becomes the lever to enforce software assurance. Security must be designed in from the start: the best security is always engineered into the application, not bolted on afterward. The contract's nature (open-ended or fixed) reflects the uncertainty in development, test and acceptance test; a fully fixed contracting baseline is often overly optimistic because few software projects ship on time, within budget and with all requirements met.
Software assurance during acquisition follows four phases. (1) Planning: identify the need, do sizing/scoping, run risk assessments, compete alternative implementations, estimate ROI against the internal hurdle rate (a project not exceeding this minimum return needs an overriding reason to be approved), then write the software requirements into the Statement of Work (SOW) and an acquisition strategy with bidder screening criteria. (2) Contracting: issue the solicitation or Request for Proposal (RFP) with the SOW and terms and conditions (acceptance conditions, prequalification, certifications), evaluate proposals, then negotiate and award the contract. (3) Monitoring, acceptance and deployment: set the work schedule, apply change management / configuration control, and review and accept deliverables - assurance case deliverables must prove compliance with the contract's risk mitigation strategies. (4) Ongoing use and support: sustainment (risk management, assurance case management, change management) then disposal or decommissioning.
Exam trap: a vendor claiming a high CMM is not automatically secure. Most CMMs do not explicitly address safety and security; a supplier with mature process capability may still fail to exercise practices critical to software assurance. The security professional must verify that software assurance is genuinely built into the supplier's process capabilities, matching the organization's risk mitigation needs.
When the organization depends on bespoke software whose source code it does not own, a software escrow protects continuity: a trusted third party (escrow agent) holds the source code and documentation, and releases it to the customer under predefined contractual conditions, typically vendor bankruptcy, end of support or a serious breach. It is a key supply-chain control to negotiate during the contracting phase, alongside the SOW and the assurance case.
- Four phases: Planning, Contracting, Monitoring/Acceptance/Deployment, Ongoing use & support.
- SOW = requirements in the contract; RFP = solicitation sent to suppliers.
- ROI compared to the internal hurdle rate to decide on a project.
- Security must be designed in from the start.
- A high CMM does not guarantee software assurance: verify explicitly.
- Software escrow: a third party holds source code, released to the customer if the vendor goes bankrupt or drops support.
6.2 Open source and orphaned systems
Open-source software is source code made available to everyone, usually developed by and for the community under varied licenses to drive adoption. Advocates believe openness improves security, expressed in Linus's law: with enough eyeballs on the code, all bugs become shallow. The idea is that review by other developers quickly finds and fixes vulnerabilities. Critics counter that nothing guarantees every flaw will be found, no matter how many reviewers; releasing the code does not remove vulnerabilities, and automatically assuming reliability creates a false sense of security. Dishonest programmers may find flaws without disclosing them, sometimes to exploit them or blackmail the vendor.
The debate is unsettled, but one principle holds: security by obscurity does not work. Hiding a technology does not protect it for long. Whether a program ships as source or only as an executable, observation, reverse engineering, disassembly, trial and error and random chance can reveal vulnerabilities. Open source is therefore neither inherently safer nor inherently more dangerous: it requires its own assessment.
A special case is orphaned software. An organization sometimes gets stuck with elements the original manufacturer no longer supports and for which no effective third-party support exists. In 2019 and 2020, UK doctors' offices had to stay on Windows XP because replacing XP-dependent clinical devices was beyond budget. Exam trap: do not confuse legacy with orphaned. A legacy system is still supported (in-house or by a third party) and remains, within reason, remediable. A technological orphan is generally unsupportable; it must be replaced or abandoned. Even without source code or documentation, assessment is still worthwhile: CVE data reveals potential vulnerabilities that can sometimes be mitigated by other means. Ultimately, refactoring the entire business process that depends on the orphaned technology is often the best bet.
- Linus's law: many eyes = shallow bugs; but open source does not guarantee zero vulnerabilities.
- Security by obscurity does not work: reverse engineering and chance find flaws.
- Legacy = still supported, remediable; orphaned = unsupportable, replace/abandon.
- Example: UK doctors' offices stuck on Windows XP (orphaned).
- Without source code, CVE still enables assessment; refactor the business process as a last resort.
6.3 Mergers and acquisitions: inherited risks
In a merger or acquisition (M&A), the new owner inherits both the good and the questionable assets of the absorbed organization: information systems, IT infrastructure, data and people. Security assessment of the combined architectures is hard. Organizational culture differences translate into different documentation expectations and standards, which can make incompatible or incomplete the configuration management and baseline identification, the asset inventories (enumeration of systems, software licenses, revision levels) and the risk inventories with their control strategies.
The riskiest unknown is often invisible: the acquired organization may carry an undocumented legacy of data breaches, intrusions, malware and compromised identities/access-control information. Tacit knowledge of these risks may already have walked out the door with employees who left before the takeover. The Marriott case (2016-2020) illustrates this trap: by absorbing the operations and IT infrastructure of other hotel chains, the company inherited pre-existing exposures.
Exam trap: security is rarely a priority in an M&A. The acquiring organization faces intense cost-control pressure to absorb and make the new business profitable, and has little appetite for allocating resources to a thorough security assessment of properties under consideration. The security professional must anticipate: require security due diligence before signing, and treat inherited identities and incompatible CM as first-order risks, not as a post-merger detail.
- An M&A inherits questionable assets: undocumented breaches, malware, compromised identities.
- CM, asset and risk inventories often incompatible or incomplete.
- Tacit knowledge of risks leaves with departing employees.
- Example: Marriott 2016-2020.
- Security is rarely a post-acquisition priority: require due diligence before signing.
6.4 Commodity systems and COTS: due diligence
The vast majority of software in use within an organization are commercial products sold or licensed as commodities: these are COTS (commercial-off-the-shelf), firmware or embedded products - motherboard or controller firmware, OSs, standalone applications, productivity suites, application platforms. The organization is just one of thousands of customers and almost never has the capital to influence the developer to meet its specific security needs. Being one-size-fits-all by nature, COTS security is often too generic, or simply nonexistent.
The security professional is not helpless, though: the choice of product, and even of reseller, can and should be influenced by security considerations. Exploit CVE data - for the target product but also for other products from the same vendor. Research the vendor's reputation: responsiveness to vulnerability reports, speed of issuing updates, and use of signed update packages to distribute them. The same due care that keeps the system safe in operation should serve as due diligence before endorsing the decision to buy, lease or license it.
Exam trap (CYU 8.4): is COTS more dangerous than bespoke software written in-house? The expected answer is yes: its one-size-fits-all nature increases the potential for security faults, because security there is generic or absent. It can be considered, but only after a thorough risk assessment. Do not fall for the reverse reasoning ("COTS has necessarily gone through rigorous testing"), which is false.
- COTS = standard commercial product; security often generic or nonexistent (one-size-fits-all).
- You rarely influence the developer: due diligence happens at selection time.
- Due diligence: CVE of the product AND the vendor, reputation, signed updates.
- CYU 8.4: yes, COTS is more dangerous than bespoke (answer A).
- Trap: believing COTS necessarily went through rigorous testing (false).
6.5 Managed services and cloud: shared responsibility
Managed services let an organization focus on its core business, free up internal IT resources and obtain capabilities that would otherwise have required internal teams. Providers are third parties called managed service providers (MSPs). Possibilities are many: an ERP (enterprise resource planning) system is one example; a provider specialized in security monitoring and incident response is a managed security service provider (MSSP).
Cloud services deliver capabilities on demand over the internet, sparing the customer from acquiring and maintaining the infrastructure. As-a-service offerings include Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). In all these models, security and compliance are a shared responsibility between provider and customer: the higher toward SaaS, the more the provider owns the stack (hardware, runtime, application); the lower toward IaaS, the more the customer keeps responsibility (OS, middleware, data, configuration). Benefits are efficiency, cost reduction, flexibility and on-demand scalability; the most notable for the business is the shift from capital expenditure (CapEx) to operational expenditure (OpEx).
Exam trap: shared responsibility does not mean the provider owns all security. In IaaS, the customer remains responsible for the operating system, the data and the configuration; a misconfigured storage bucket is the customer's fault, not the provider's. Know where the responsibility line sits for each SaaS / PaaS / IaaS model.
- MSP = managed services; MSSP = managed security (monitoring, IR); ERP = example.
- Cloud: SaaS, PaaS, IaaS; key business benefit = CapEx to OpEx.
- Shared responsibility: the split depends on the model (SaaS most on the provider).
- In IaaS the customer keeps OS, data and configuration.
- Trap: a misconfiguration (open bucket) remains the customer's responsibility.
6.6 Supply chain: SCA and SBOM
The objective-8.4 reasoning - we depend on software we do not write - extends into modern software supply chain risk management. An application is no longer a monolithic block: it aggregates dozens or hundreds of third-party and open-source components (libraries, frameworks, containers). Each brings its own vulnerabilities and its own licenses. Managing this risk requires knowing precisely what you ship.
Software Composition Analysis (SCA) is the tooling that automatically scans a project's dependencies to identify third-party components, correlate them with known vulnerabilities (CVE) and flag license issues. It extends the CVE logic of COTS due diligence, but applied to the product's internal components rather than the whole purchased product. The Software Bill of Materials (SBOM) is the formal, machine-readable inventory of all those components and their versions - a software nomenclature. Its purpose: when a major vulnerability hits a widespread library, the organization can query its SBOMs to know within minutes which products are affected, instead of auditing code blindly.
Exam trap: do not confuse SCA with SAST. SAST (static application security testing) analyzes your own source code for defects; SCA analyzes the third-party components you reuse. SBOM is not a scanning tool but an ingredient list; that transparency is what makes supply-chain incident response fast and reliable.
- SCA scans third-party dependencies and correlates them with CVE and licenses.
- SBOM = machine-readable software nomenclature of components and versions.
- SBOM purpose: quickly identify products affected by a component vulnerability.
- Do not confuse SCA (third-party components) with SAST (your own code).
Case studies
HelloWorld: all acquired software, same level of risk?
Context : Although HelloWorld builds custom information-management systems, the company must also acquire and use software from various sources: COTS, open source, third-party development and managed services (SaaS, IaaS, PaaS). During a presentation, the CEO challenges Jens.
Question : Do all these forms of software present the same level of risk, and how should Jens assess their security impact and verify alignment with HelloWorld's standards?
Show analysis and answer
No, not necessarily: different risks have different effects. All risks must be considered, but the security professional should prioritize the most harmful. A flaw in financial software is far worse than a flaw in an email client: possibly the same likelihood, but incomparable impact. Jens should therefore map each acquired source to the criticality of the function it carries, then apply a proportionate assessment: CVE data and vendor reputation for COTS, independent assessment and monitoring for open source, software-assurance requirements in the SOW for third-party, and clarifying the shared-responsibility boundary for SaaS/PaaS/IaaS services. The through-line is a thorough risk assessment paired with software assurance measures, not uniform treatment.
Takeaway : Not all acquired software is equal in risk: prioritize by impact (criticality of the function), not by source. Tailor the assessment to the acquisition model.
- Varied risks = varied effects; prioritize the most harmful.
- Flaw in financial software > flaw in email client.
- A thorough risk assessment drives alignment with standards.
COTS vs bespoke: which is more dangerous?
Context : During an architecture review, the team debates whether using COTS exposes the company more than bespoke development done in-house.
Question : Is COTS more dangerous than bespoke software written in-house? A. Yes, COTS increases the potential of security faults. B. No, COTS typically has gone through rigorous security testing. C. No, and assuming otherwise is costly to enterprises seeking efficiencies. D. Yes, COTS can never be safe.
Show analysis and answer
The correct answer is A. The one-size-fits-all nature of COTS often makes security too generic or nonexistent, which increases the potential of faults. It can be considered, but only after a thorough risk assessment. B is wrong: nothing guarantees rigorous testing. D is too absolute: COTS is not doomed to insecurity, it requires due diligence. C reverses reality: the increased risk is real, not a costly belief.
Takeaway : COTS more dangerous than bespoke: yes (answer A), because of one-size-fits-all - but manageable through due diligence and risk assessment.
- Answer A: COTS increases the potential of faults.
- Cause: one-size-fits-all, generic or absent security.
- Due diligence (CVE, reputation, signed updates) compensates.
Legacy vs orphaned (technological orphan)
Do not confuse the two. A legacy system is old but still supported (in-house or by a third party) and remains, within reason, remediable. An orphaned system, or technological orphan, is no longer supported by anyone and is generally unsupportable: eventually it must be replaced or abandoned, or the entire dependent business process refactored. Example: UK doctors' offices stuck on Windows XP. Even when orphaned, CVE data can still be exploited to mitigate.
Linus's law vs the reality of open source
Linus's law ("many eyes" make bugs shallow) argues for openness, and it is true that security by obscurity does not work. But the exam expects the nuance: releasing the code does not guarantee all vulnerabilities will be found, and the automatic assumption of reliability creates a false sense of security. Open source is neither inherently safer nor more dangerous than proprietary: it requires its own assessment.
COTS vs bespoke (CYU 8.4)
Classic trap question: is COTS more dangerous than in-house bespoke? Answer A - yes. One-size-fits-all makes security generic or nonexistent, hence increased fault potential. Do not pick the option claiming COTS necessarily underwent rigorous testing (false), nor the absolutist "never safe" option: the risk is real but manageable through due diligence (CVE, vendor reputation, signed updates) after risk assessment.
Checkpoint — Checkpoint
-
Is COTS more dangerous than bespoke software developed in-house?
- A Yes, COTS increases the potential of security faults.
- B No, COTS typically has gone through rigorous security testing.
- C No, and assuming so is costly to enterprises seeking efficiencies.
- D Yes, COTS can never be safe.
Answer & rationale
Answer : A — Yes, COTS increases the potential of security faults.
A is correct: the one-size-fits-all nature of COTS often makes security too generic or nonexistent, increasing fault potential (CYU 8.4). B is false, no rigorous testing is guaranteed. C reverses the real risk. D is too absolute: COTS stays manageable through due diligence.
-
What are, in order, the four phases of software acquisition via third-party development?
- A Planning; Contracting; Monitoring, acceptance and deployment; Ongoing use and support.
- B Contracting; Planning; Deployment; Disposal.
- C RFP; SOW; ROI; Sustainment.
- D Design; Build; Test; Maintain.
Answer & rationale
Answer : A — Planning; Contracting; Monitoring, acceptance and deployment; Ongoing use and support.
A is correct and follows the manual's order. B swaps Planning and Contracting and truncates the end. C confuses artifacts (RFP, SOW, ROI) with phases. D describes a generic development cycle, not the acquisition process.
-
In the cloud model, who is responsible for the operating system and data configuration in IaaS?
- A The customer, who keeps responsibility for the OS, data and configuration.
- B The provider, who owns all security as in SaaS.
- C Nobody: responsibility disappears in the cloud.
- D An MSSP mandatorily appointed by the provider.
Answer & rationale
Answer : A — The customer, who keeps responsibility for the OS, data and configuration.
A is correct: shared responsibility leaves the IaaS customer the OS, data and configuration (a misconfigured bucket is the customer's fault). B confuses IaaS with SaaS. C is false, responsibility is shared, not voided. D invents a nonexistent obligation.
-
What is the main purpose of a Software Bill of Materials (SBOM)?
- A Machine-readably inventory components and versions to quickly identify products affected by a vulnerability.
- B Statically analyze your own source code for defects.
- C Replace risk assessment during an M&A.
- D Guarantee that open-source software is vulnerability-free.
Answer & rationale
Answer : A — Machine-readably inventory components and versions to quickly identify products affected by a vulnerability.
A is correct: the SBOM is the inventory of components and versions; when a flaw hits a widespread library, you query SBOMs to know within minutes which products are affected. B describes SAST. C is false, an SBOM does not replace a risk assessment. D contradicts the fact that no inventory removes vulnerabilities.
Key takeaways
- Third-party acquisition follows four phases (Planning, Contracting, Monitoring/Acceptance/Deployment, Ongoing use & support); the SOW carries requirements, the RFP solicits suppliers, ROI is compared to the hurdle rate.
- A high CMM does not prove software assurance: verify it explicitly.
- Linus's law argues for open source and security by obscurity does not work, but openness does not guarantee zero vulnerabilities.
- Legacy = still supported/remediable; orphaned = unsupportable, to replace or abandon (UK Windows XP).
- An M&A inherits hidden risks (incompatible CM, undocumented breaches, compromised identities); Marriott case 2016-2020.
- COTS is more dangerous than bespoke (one-size-fits-all) but manageable through due diligence (CVE, reputation, signed updates).
- Cloud SaaS/PaaS/IaaS: shared responsibility and CapEx to OpEx shift; SCA and SBOM manage supply-chain risk.
Secure coding: weaknesses and attacks
Prerequisites : Modules 1-6.
Software vulnerabilities are self-induced: by those who design, those who program, those who deploy and those who use the software. To effectively support their organization's security posture, the security professional does not need to become a software engineer, but does need a working knowledge of the fundamentals: how software is built, translated and deployed, and how each of those layers opens exploitable vulnerabilities. This module covers the first part of objective 8.5: from source code to executable code and arbitrary-code-execution attacks; procedural vs object-oriented and language generations; OO concepts (encapsulation, inheritance, polymorphism, polyinstantiation) and distributed OO systems (CORBA, ORB, RMI, EJB, DCOM); the trust spectrum of code providers and mobile code; common exploitable errors (buffer overflow, malformed input, SQL injection, XSS); covert channels and memory/object reuse; and time-based attack vectors (social engineering, TOCTOU, race conditions, between-the-lines, trapdoors).
7.1 From source code to executable code
The development process translates users' ideas into a set of instructions and data that a computer executes. This translation stacks several layers, each moving away from the users' "business speak" toward the binary digits manipulated by hardware. Four forms of code structure this descent. Source code is a set of statements written in human-readable form (words, numbers, operators, punctuation) following the syntax (structure) and semantics (meaning) of a given language; many correct, complete source programs can implement the same design. Executable code, also called object code, is the binary representation of the machine instruction set the CPU and target hardware execute directly.
Intermediate code sits between human-readable source code and the binary values loadable into memory. Its main use is machine independence or portability: since CPUs have different instruction sets, specialized software (a runtime engine) is required for each CPU type. Java P-Code (bytecode) and Microsoft's Common Intermediate Language (CIL) are the two canonical examples. Arbitrary code, by contrast, is not a form of language: saying a vulnerability enables "arbitrary code execution" only means the attacker can fool the CPU into executing a different instruction set than the designers intended.
Translation tools are grouped by what they produce (Figure 8.13). Assemblers translate one statement into one machine instruction and produce files of executable code (.exe); benefits: source-code protection, repeatable execution, direct hardware view, fast execution. Compilers translate one statement into many instructions, also producing .exe; business-logic-oriented view, moderate speed. Interpreters translate one statement into many intermediate opcodes as real-time streams, translated at runtime (Java runtime system); key benefit: increased portability across architectures and statement-level debug/traceback. Exam trap: most exploitable vulnerabilities are introduced at the source-code level (errors translating design into the language), rarely by the tools themselves - even though malware-infested versions of these tools do exist.
- Source = readable; object/executable = CPU binary; intermediate = portable; arbitrary = unintended instructions.
- Intermediate code (Java P-Code, CIL) gives machine independence via a runtime engine.
- Arbitrary code execution = fooling the CPU into running a different instruction set.
- Assembler = 1 to 1; compiler = 1 to many; interpreter = 1 to intermediate opcodes at runtime.
- Most vulnerabilities arise at the source-code level, rarely from the tools.
7.2 Making machines execute instructions
In the early days of programming, developers coded the object (machine or binary) program directly, writing opcodes in binary and loading those strings into memory for execution. Assembly language made this easier: there is a direct correspondence between assembly mnemonics and specific opcodes (MOV for move, CMP for compare, DEC for decrement, ADD), but the files are formatted in a relatively readable way rather than as strings of hexadecimal or binary numbers. Assembly is called low-level because one line (one statement) translates, in almost all cases, into a single machine instruction, and it is specific to a given CPU.
High-level languages raise the level of abstraction: their source code is more comprehensible to people. A skilled programmer expresses complex operations concisely, and if they follow standard coding frameworks, the code stays legible and therefore maintainable. Figure 8.14 summarizes the paths from human idea to machine execution. Compiled languages (FORTRAN, Modula) require two steps: write the readable source code, then compile it into object code (sometimes via linkers and utilities); the source cannot be run directly. Interpreted languages shorten the cycle: the interpreter translates source into machine language at the moment of execution.
The trade-off is clear. A compiled program is native for the CPU, runs directly from object code and therefore runs far faster; some compilers also optimize the code. An interpreted program pays in performance because translation is redone each run, but gains portability: as long as an interpreter exists for the target platform, the application runs on varied machines (scripting languages are the example). Exam trap: do not confuse "compiled = fast but platform-bound" with "interpreted = portable but slower"; the exam regularly tests this speed/portability opposition.
- Assembly = low-level, 1 statement = 1 instruction, bound to a specific CPU.
- Compiled: 2 steps (source then object code), not directly runnable, but fast.
- Interpreted: runtime translation each run, slower but portable.
- Scripting languages = examples of portability through interpretation.
- Trap: speed (compiled) vs portability (interpreted) opposition.
7.3 Procedural vs object-oriented and language generations
Two ways of thinking about work structure programming. Procedural thinking reasons in sequences of steps (with conditional branches, loops, sequence controls): procedural programming emphasizes the logical flow of steps. A procedure is a set of software performing a specific function, requiring specific inputs and producing defined outputs (including error signals), and can call other procedures. Object-oriented thinking reasons in named packages of ideas, steps, data and logic: each package need not know the inside of others. Object-oriented programming (OOP) defines an object as a set of software offering methods, internal to the object, that external code can request be performed. Both approaches encourage code reuse, adding/changing functionality, refactoring, data modeling, data quality standards and security practices (preapproved libraries).
Languages are also classified by level of abstraction (closeness to the binary) and by data type enforcement: a language's ability to prevent operations on incompatible types. You cannot add "3" to a person's name; adding 3 to a date requires deciding whether it means days, months or years. Strong typing therefore protects the programmer from type errors. Add data protection / data hiding (preventing one unit from reading or altering another's private data) and code protection / logic hiding (preventing reading or altering another unit's source, intermediate or executable code).
Language generations frame the history. 1GL: machine language, opcodes, object code executed directly by the CPU - rare today, except malware reverse engineering and binary payload crafting. 2GL: assembly language, symbols abbreviating instructions, direct hardware interaction (kernels, device drivers) - also valuable to attackers. 3GL: HOLs using meaningful words (COBOL, FORTRAN, BASIC, Java, C). 4GL: report generators, application generators, drag-and-drop "codeless" platforms, scripting languages. 5GL: natural language interfaces, logic or constraint-based languages, sometimes leaning on AI (NLP, machine learning), largely obsolete by the 1990s. Exam trap: remember the mapping 1GL machine, 2GL assembly, 3GL HOL, 4GL generators/codeless, 5GL natural language, and that each generation introduces security and reliability controls absent from the prior one.
Two design-quality metrics shape how code is split into modules or objects: coupling measures the degree of dependency between modules, and cohesion measures how strongly the elements of one module serve a single responsibility. The design goal is low coupling (independent modules, changeable in isolation) and high cohesion (each module does one thing well). Code with high coupling and low cohesion is fragile: a change ripples everywhere, safe reuse becomes impossible and the attack surface grows. Encapsulation directly promotes low coupling and high cohesion.
- Procedural = step sequence; OOP = objects with methods, interest is in objects not actions.
- Strong typing (data type enforcement) blocks operations on incompatible types.
- Data hiding protects private data; logic/code hiding protects code.
- 1GL machine, 2GL assembly, 3GL HOL (COBOL, Java, C), 4GL generators/codeless, 5GL natural language.
- Each generation adds security/reliability controls absent from the prior one.
- Sound design: low coupling + high cohesion; encapsulation directly supports both.
7.4 Object-oriented concepts and distributed OO systems
OOP flips the perspective: the interest is in the objects to manipulate rather than the logic that manipulates them. An object is a block of statements offering methods to work on data; it encapsulates both the data and the processing instructions, and can be reused in any program that needs it (Java, Python, C++, C#, Ruby, Smalltalk). Four characteristics dominate. Encapsulation: a class defines only the data it is concerned with, and an instance cannot accidentally access other data - this is data hiding. Inheritance: define subclasses sharing some or all of the super class's characteristics; if security is well implemented in the high class, subclasses inherit it. Polymorphism: an object can "take many forms" based on use, so a change does not ripple into every application - but beware, secure methods can be lost through polymorphism, to assess carefully.
Polyinstantiation is the OO characteristic most useful to security. It creates a new version of an object under the same identifier/key, so different user processes hold their own local copy; it lets different versions of the same resource exist at different classification levels. It thereby prevents lower-level users or processes from knowing a higher level exists. This is precisely what prevents inference: inference is a user's ability to deduce more sensitive information by observing authorized information. Polyinstantiation counters inference attacks against databases by letting several versions coexist at distinct classifications.
Distributed OO systems split the application into logical components spread across machines, which communicate and call each other on demand, with code downloaded from remote machines transparently. Examples: CORBA, Java RMI, EJB (a Sun model providing a CORBA-like environment via APIs and relying on RMI), and DCOM. To standardize locating, initiating and sending requests to objects, the Object Management Group (OMG) created the Object Request Broker (ORB), the central piece of CORBA (Figure 8.15). The ORB sits between client and server, independent of processor or language; security-wise, it handles all requests and can enforce policies. The CORBA security service covers four policy types: access control, data protection, non-repudiation, auditing. Exam trap: associate ORB with CORBA/OMG, and remember polyinstantiation is the answer to the keyword "inference".
- Encapsulation = data hiding; inheritance = inheriting characteristics and security.
- Polymorphism = many forms; watch for loss of secure methods.
- Polyinstantiation = versions at different classification levels: PREVENTS inference.
- ORB (created by OMG) is the central piece of CORBA, CPU/language-independent.
- Distributed OO: CORBA, RMI, EJB (on RMI), DCOM; CORBA security = access control, data protection, non-repudiation, auditing.
7.5 Who writes your source code? The trust spectrum
Asking "who writes your source code?" is the same as asking how you assure the security and integrity of your software supply chain. Providers fall on a decreasing trust spectrum. At the top, major hardware and systems vendors generally have robust, trustworthy processes ensuring product integrity and security. Next come applications software providers, sometimes large companies serving millions, whose secure updates and support add to trustworthiness. Third-party developers produce custom software or tailor a commercial product, but should be engaged only if there is agreement on how to provide and assess security. In-house developers work within a formalized quality assurance, configuration management and security assessment framework, offering as much control and accountability as the organization chooses to invest.
Subsequent layers become less and less secure. Open-source providers offer variable, sometimes nonexistent post-download support, and not always through verifiable means like signed downloads (also shareware or freeware). Citizen programmers - members of the organization who codify their knowledge into scripts or 4GL programs, often from examples found online and lightly modified - operate almost always beyond the reach of software quality, configuration management or security assessment processes, with little regard for security. At the very bottom, mobile code is the least inherently trustworthy form: the receiving system's owners have no visibility or influence over its development.
Mobile code (also called executable content, mobile agents, downloadable code, active capsules) moves the code itself, not just data, often without the user's explicit action or consent. Exam distinction: mobile agents migrate host to host at times and places of their own choosing, with high autonomy, hence hard to counter if malicious; applets are downloaded following a user action then executed start to finish on their machine (ActiveX, Java applets, in-browser scripts). Since the code will ultimately run locally, two controls limit risk: running the code in a restricted environment where it cannot do harm (sandbox), and using cryptographic authentication (certificates and signatures) to authenticate where the code comes from. The sandbox limits access to system resources (file system, CPU, network).
- Decreasing trust: major vendors > application vendors > third-party > in-house > open-source > citizen programmers > mobile code.
- Mobile code moves the code, not the data, often without user consent.
- Mobile agent = autonomous, migrates on its own; applet = downloaded on action, run locally.
- Two mobile-code controls: sandbox (restrict resources) and cryptographic signature (authenticate source).
- Citizen programming = outside governance, significant risk.
7.6 Buffer overflow and exploitable input errors
A buffer is a contiguous storage area used to transfer data from one device, program or process to another. A buffer overflow condition exists when that buffer receives more data than it was designed to hold: too much text in a dialog box, an over-long URL, an oversized network packet. The application then overflows the memory allocated to the buffer and writes the excess into system memory, which may be reserved for instruction processing. If the attack is done cleverly, the excess contains machine-language instructions: at the next execution step, the attacker's code runs (Figure 8.16). Often sloppy code lets a loop write beyond the buffer's declared 16 bytes; the vulnerability exists if the source can push more than 16 bytes without the software noticing, writing the 17th byte outside the buffer. The desired result is to put the attack instructions into memory and have them execute - this is arbitrary code execution, typically used to elevate privileges.
A buffer overflow is technically a form of malformed input. Safe software must do two things: accept input only if it passes a series of well-defined constraint checks (else reject it), and never misbehave, fail abnormally or allow arbitrary code execution when input does not meet all constraints. Malformed input attacks provide inconsistent data to induce a malfunction: a banking app may accept a maximum withdrawal of £10,000, but attempting to enter £11,000 must never crash it. Defensive programming translates the business logic about acceptable and harmful input into code that processes the good and safely blocks injections. Subtlety: a blocked URL expressed in ASCII rather than Unicode may slip past the firewall while the browser converts it without difficulty.
Controls against incomplete parameter checking go beyond testing each parameter in isolation: the receiving software must test the full set of values for consistency, validity and completeness (a false invoice attack may use a nonexistent but format-valid customer ID). Buffer overflows are prevented at several levels: enforce bounds checking (forbid access beyond the buffer), use a strong-typing language isolating code from data, and properly detect/intercept errors (even a divide-by-zero can open an exploit). Two injection attacks stem from the same flaw: SQL injection, where syntactic structures fool filters into seeing the query as a comment rather than an instruction, returning more information than intended; and cross-site scripting (XSS), where a site accepting user input (a blog) fails to detect that the input is active scripting later run on other users.
- Buffer overflow: too much data exceeds the buffer and overwrites instruction memory.
- Attack goal: put code in memory and run it = arbitrary code execution (privilege elevation).
- Buffer overflow = form of malformed input; defense = constraint checks + do not crash.
- Countermeasures: bounds checking, strong typing (isolates code/data), error handling, defensive programming.
- SQL injection (fooled filter) and XSS (active scripting) stem from failed input validation.
7.7 Covert channels and memory reuse
A covert channel (or covert path) is a communication channel between two or more processes that transfers information in violation of a security policy or requirement. It often uses transmission means not considered communications, making it undetectable or unblocked by routine security methods. It is created two ways: wittingly, by the cooperative, deliberate design of the two processes to create and manage the channel; or unwittingly, by a hostile process exploiting hitherto unrecognized information exposures of the target system. By facilitating the surreptitious passing of information, covert channels serve to exfiltrate sensitive data but also as a command-and-control mechanism in an advanced persistent threat (APT) attack.
Two types contrast. The covert storage channel (CSC) involves the direct or indirect use (read/write) of a storage location by one process and use of the same location by another: memory locations, shared disk sectors, cache, or unused bits in network-traffic headers. The CSC may violate policy directly (if the hostile process runs at a lower security level) or indirectly (a link in an exfiltration pipeline). The covert timing channel (CTC) alters the timing of a resource's behavior to pass information to an observing process, like modulating information onto a pulse train; example: stretching the response time to a handshake to just short of the timeout to signal. CTCs are often hard to detect. Every covert channel relies on a shared resource: identify them in design by spotting shared resources open to abuse, then decide which to mitigate (redesign, stricter access controls).
Memory or object reuse poses a related risk. Memory management allocates, de-allocates then reallocates sections to different processes (RAM, cache, disk). If residual information remains when a section is reassigned, the next process can read and reuse that data: this is a memory leak, a typical CSC example (most often unwitting). It applies to any resource where data can be stored: main memory, file storage, hardware buffers, and especially the paging/swap file, often left unprotected and rich in sensitive information. Data remanence controls limit or even eliminate this risk: from hardware/firmware up through applications, every element must ensure its memory resources' content is randomized, zeroed or otherwise overwritten before being allocated to another process. Exam trap: a memory leak and an unprotected page/swap file are CSC examples, not CTC.
- Covert channel = transfer violating a policy, often invisible to routine controls; used for exfiltration and APT C2.
- Witting = deliberately designed; unwitting = exploited by chance.
- CSC = shared storage (memory, disk, header bits); CTC = timing modulation.
- Memory leak and unprotected swap = CSC examples (unwitting).
- Data remanence: randomize, zero or overwrite memory before reallocating it.
7.8 Time-based attack vectors: TOCTOU, race conditions, backdoors
Attacks against distributed systems often rely on two complementary levers. Social engineering emotionally manipulates a victim (deception, intimidation, pulling rank, exploiting guilt or the desire to help) to obtain information or access and bypass controls; it paves the way for more sophisticated technical attacks. End-user training and awareness are the first and best line of defense, beyond email phishing alone.
Time of Check vs Time of Use (TOCTOU) exploits a change in control information between when security functions check a variable and when that variable is used. Example: an employee logged in that morning is fired, the account disabled, but since they did not log off, the session keeps its privileges - hence the importance of deprovisioning. In Figure 8.17, Process 1 validates credentials to open file A (unsecure) and Process 2 accesses the file; the attacker redirects Process 2 to a secure file (payroll) after authorization but before execution. Countermeasure: software locking (a lock on the file/resource) prevents file substitution during access validation.
A race condition exists when two tasks each depend on the other's completion for their input, and must run in the right order (Process 1 then Process 2). If an attacker disrupts that order, they manipulate the combined result: for example, forcing authorization to run before authentication would grant access without authenticating identity. The fix is to enforce atomic operations and not split critical tasks. The difference is subtle but crucial: in a race condition, the attacker controls the outcome by forcing two processes to run out of sequence; in a TOCTOU, the attacker inserts themselves between two executing processes to redirect the second. The between-the-lines attack is a different family: the attacker exploits tapped telecommunication lines (piggybacking on an active line) to inject false data - not to be confused with a backdoor, a race condition or a buffer overflow. Finally, trapdoor, backdoor and maintenance hook name a hidden means of transferring control left in the code, offering unintended entry that bypasses authentication.
- Social engineering manipulates the victim and paves the way for technical attacks; awareness = best defense.
- TOCTOU: control information changes between check and use; fix = software locking.
- Race condition: execution order forced out of sequence; fix = atomic operations.
- Distinction: race condition = wrong order; TOCTOU = insertion between two processes to redirect the second.
- Between-the-lines = tapped telecom line + false data; trapdoor/backdoor/maintenance hook = hidden entry.
Case studies
Copying input into a 16-byte array
Context : A developer reviews a C module written by a colleague. The code copies user input (typed into a form field) directly into a local array declared at 16 bytes, using a copy loop, without ever checking the input size before writing it. The upstream field enforces no server-side length limit. The developer wonders what vulnerability this code introduces and how to fix it properly.
Question : What is the vulnerability, by what mechanism can it be exploited, and which secure-coding countermeasures should be applied?
Show analysis and answer
The vulnerability is a buffer overflow. The 16-byte array is a buffer; because the loop writes without bounds checking, a 17-byte-or-longer input overflows the allocated area and writes the 17th byte and beyond onto adjacent memory - potentially memory reserved for instruction processing. Exploitation mechanism: an attacker pushes an oversized input whose excess contains machine-language instructions; at the next execution step, the CPU runs that injected code. This is arbitrary code execution, typically used to elevate privileges. Technically it is also a form of malformed input, since the software accepts input that meets no length constraint.
The fix acts at several levels. First, bounds checking: forbid any write beyond the 16 bytes (copy at most 15 useful bytes + terminator, or reject the over-long input) - in C, replace an unbounded copy with a length-bounded copy and explicitly test the size. Then strong typing / data type enforcement and isolation of code from data, ideally via a language or framework that separates them. Finally defensive programming: validate the input against well-defined constraint checks, cleanly reject what fails, and never crash nor allow arbitrary execution on noncompliant input. Validation must be server-side, since client-side length control is bypassable.
Takeaway : A buffer written without bounds checking is a buffer overflow waiting to happen: the excess can overwrite instruction memory and lead to arbitrary code execution. The fix combines bounds checking, strong typing/code-data isolation and defensive programming, validated server-side.
- An array written without checking input size is an exploitable buffer overflow.
- The excess can hold machine instructions run at the next step = arbitrary code execution (privilege elevation).
- A buffer overflow is technically a form of malformed input.
- Countermeasures: bounds checking, strong typing + code/data isolation, defensive programming, server-side validation.
Source vs object vs intermediate vs arbitrary code
Four terms the official quiz (Q4) contrasts. Source code = human-readable, follows a language's syntax and semantics. Object code (= executable code) = binary representation executed directly by the CPU. Intermediate code = portable form between source and binary, run via a runtime engine for machine independence (Java P-Code/bytecode, Microsoft CIL). Arbitrary code is NOT a language: it is the trickery-induced execution of instructions not intended by the designers ("arbitrary code execution"). Do not treat arbitrary code as a 4th language form: it is an attack outcome, not a compilation step.
TOCTOU vs race condition
Two timing attacks the exam likes to conflate. In a TOCTOU (Time of Check vs Time of Use), the attacker inserts BETWEEN check and use: control information changes between the check and the use, and the attacker redirects the second process (e.g., to a payroll file). Fix: software locking. In a race condition, the attacker forces an incorrect ORDER between two processes that should run in sequence (e.g., authorization before authentication). Fix: atomic operations. Memo: TOCTOU = insertion between check and use; race condition = order inversion.
Between-the-lines attack
Target of quiz Q7. The between-the-lines attack exploits tapped telecommunication lines (piggybacking on an active line) to inject false data into the session. Do not confuse it with: a backdoor (hidden entry left in code), a race condition (forced execution order), or a buffer overflow (buffer overrun). The discriminating keyword is the idea of an intercepted telecom line + data injection into the stream.
The OO concept that prevents inference
Targeted by quiz Q6. Among encapsulation, inheritance, polymorphism and polyinstantiation, only polyinstantiation prevents inference. It creates a new version of an object under the same identifier/key, letting different versions of the same information exist at different classification levels - preventing a lower level from deducing a higher level exists. Reminder: inference = deducing sensitive information by observing authorized information. Do not answer "encapsulation" (that is data hiding) nor "polymorphism" (multiple forms): the keyword inference calls for polyinstantiation.
Checkpoint — Checkpoint
-
Which statement correctly distinguishes source code from object code?
- A Source code is human-readable; object code is the binary representation executed directly by the CPU
- B Source code is binary; object code is human-readable
- C Both are portable forms run by a runtime engine
- D Object code means unintended instructions executed by trickery
Answer & rationale
Answer : A — Source code is human-readable; object code is the binary representation executed directly by the CPU
Source code follows syntax and semantics and is human-readable; object (= executable) code is the binary representation executed directly by the CPU. B inverts them. C describes intermediate code (portable, runtime engine). D describes arbitrary code execution, not object code.
-
Which object-oriented concept helps prevent inference?
- A Polyinstantiation
- B Encapsulation
- C Inheritance
- D Polymorphism
Answer & rationale
Answer : A — Polyinstantiation
Polyinstantiation creates versions of an object at different classification levels under the same identifier, preventing a lower level from deducing a higher one exists: that is what prevents inference. Encapsulation is data hiding; inheritance passes characteristics to subclasses; polymorphism allows many forms - none addresses inference.
-
An attacker taps active telecommunication lines and injects false data into the session. Which attack is this?
- A Between-the-lines attack
- B Buffer overflow
- C Race condition
- D Backdoor
Answer & rationale
Answer : A — Between-the-lines attack
The between-the-lines attack exploits tapped telecom lines to inject false data into an active session. A buffer overflow overruns a memory buffer; a race condition forces an incorrect execution order; a backdoor is a hidden entry left in code - none matches line tapping + injection.
-
When a vulnerability lets an attacker fool a CPU into executing an alternate, unintended instruction set, this is called:
- A Arbitrary code execution
- B Intermediate code generation
- C Strong typing enforcement
- D Polyinstantiation
Answer & rationale
Answer : A — Arbitrary code execution
Arbitrary code execution precisely means fooling the CPU into running a different instruction set than the designers intended (often via memory overwrite from a buffer overflow). Intermediate code is a portable form; strong typing is a type control; polyinstantiation is an OO concept - none is this attack outcome.
-
Which sentence correctly distinguishes a TOCTOU from a race condition?
- A TOCTOU: the attacker inserts between check and use to redirect the second process; race condition: the attacker forces an incorrect execution order
- B TOCTOU: the attacker forces an incorrect execution order; race condition: the attacker overflows a buffer
- C Both refer to code injection via a buffer overflow
- D TOCTOU is fixed by atomic operations; race condition by cryptographic signature
Answer & rationale
Answer : A — TOCTOU: the attacker inserts between check and use to redirect the second process; race condition: the attacker forces an incorrect execution order
In a TOCTOU, the attacker inserts between check and use (control information changes) and redirects the second process; fix: software locking. In a race condition, they force two processes to run out of sequence; fix: atomic operations. B inverts the definitions; C confuses with buffer overflow; D pairs the wrong fixes.
Key takeaways
- Source = readable, object/executable = CPU binary, intermediate = portable (runtime engine), arbitrary = unintended instructions run by trickery.
- Assembler (1 to 1), compiler (1 to many), interpreter (opcodes at runtime, portability); vulnerabilities mostly at the source-code level.
- OO: encapsulation = data hiding, inheritance, polymorphism, and polyinstantiation which PREVENTS inference; ORB is the central piece of CORBA/OMG.
- Decreasing provider trust down to mobile code; mobile-code controls = sandbox + cryptographic signature.
- Buffer overflow = overrun overwriting instruction memory toward arbitrary code execution; fix: bounds checking, strong typing, defensive programming.
- Covert channels (CSC storage, CTC timing; witting/unwitting) and data remanence (randomize/zero/overwrite); TOCTOU (between check and use) vs race condition (forced order), and between-the-lines (telecom line + false data).
Databases and concepts
Prerequisites : Modules 1-7.
Databases concentrate an organization's most valuable information, which makes them a prime target. This module covers database and data warehouse threats (with the central aggregation/inference trap), DBMS architecture, the major database models (hierarchical, network, graph, relational, object-oriented), the ACID test, interface and connection technologies (SQL, XML, ODBC, JDBC, OLE DB, ADO, the 3-tier approach) and advanced analytics (metadata, OLAP, data mining, KDD, knowledge management). The security thread: polyinstantiation as the countermeasure to inference.
8.1 Threats to databases and data warehouses
Databases and data warehouses expose a rich attack surface. The flagship threat is the aggregation / inference pair. Aggregation means combining nonsensitive data from separate sources to produce sensitive information: a user assembles two unclassified fragments and obtains a classified whole they are not entitled to, because the sensitivity of the combination exceeds that of the parts. Inference goes further: it is the ability to deduce more sensitive information than you should be allowed. Being able to aggregate often opens the door to inference.
The other threats: bypass attacks circumvent front-end controls (DBMS and query engine) by routes other than the interface or CLI; compromise of database views, when a user reaches restricted views or modifies one (a view limits what is seen, not the operations allowed); alternative but not equivalent access routes, since the layered model offers several paths to the same data (view, direct query, direct file access) not all equally protected; data contamination through malformed inputs at the field, record, transaction or file level.
Deadlocking (the 'deadly embrace') occurs when two concurrent processes each hold a lock on an object and wait for the other's lock; the system aborts one transaction (ideally the cheapest to roll back) to break the situation. Then come DoS (a query or table scan that saturates tables), improper modification (an integrity issue), interception of data in transit during remote access, query attacks (tools or malformed SQL to bypass the trusted front end and its views), direct physical/logical server access, TOCTOU (code changes the data between query approval and display) and web-based attacks (static or dynamic pages exposing sensitive data via 'show code'). Trap: aggregation and inference are the terms the exam expects here, do not confuse them with plain unauthorized access.
- Aggregation = combine nonsensitive into sensitive; inference = deduce the forbidden from it.
- A view limits what is seen, not the operations performed on it.
- A deadlock is resolved by aborting the transaction cheapest to roll back.
- Alternative access routes (view, direct query, file) are not all protected.
- Database TOCTOU: data changes between query approval and display.
8.2 The database and data warehouse environment
A database is a repository of organized, valuable information. Historically, organizations managed files, which were hard to maintain and prone to errors and inconsistencies. Database architectures answered this, with the DBMS (Database Management System) at their heart: a suite of applications that manages databases and their environment. The heart of the DBMS is the database engine, the core application that performs the CRUD functions (create, read, update, delete) and makes data available for display or export while preserving confidentiality, integrity and availability.
The database itself is a large, structured collection of persistent, related data tables. From the OS perspective it is a set of file spaces managed by the DBMS, not meaningfully readable as a normal file by other applications. The full environment may include VMs, middleware between applications and the engine, utilities and, increasingly, a web front end. Each added component raises complexity and security requirements: you secure an architecture by securing each of its components.
As organizations multiplied databases, they consolidated data into data warehouses to give analytics, trending and reporting a richer context. A data lake is a large collection of data not yet put into the common format of a warehouse; a data farm is where predictive analytics generates data between known or observed points. The whole set of internet-interconnected sources is loosely called big data. Trap: data lake = raw data not commonly structured; data warehouse = integrated, structured data for analysis.
- The database engine performs CRUD at the heart of the DBMS.
- A data warehouse integrates data from several databases for analytics.
- Data lake = raw, not commonly structured; data farm = data generated by predictive analytics.
- You secure an architecture by securing each of its components.
- To the OS, a database is a set of files not usefully readable outside the DBMS.
8.3 Hierarchical, network and graph models
A database model describes the relationships between data entities and provides the organizing framework. Every model must meet minimum requirements: transaction persistence (the post-transaction state is durable), fault tolerance and recovery via rollback (cleanly backing out incomplete or invalid transactions) and shadowing (reapplying transactions to a prior version, using transaction logging), sharing among multiple concurrent users without harming integrity, and security controls (confidentiality, integrity, availability, access controls, view definitions). Do not confuse: a database model describes the organization/structure/architecture the DBMS offers, while a data model describes the data types specific to an organization (a 'customer' data model lists name, address, etc.).
The hierarchical model is the oldest (1950s-60s). It stores data in records carrying field values, groups instances of the same record into a record type, and links them through parent-child relationships in a tree structure. Powerful and adaptable for organizing dissimilar data, but hard to extend when new business functions appear.
The network model (also called CODASYL, 1959, which led to COBOL) represents data as a network of records and sets joined by linked lists. Record types are the equivalent of tables in the relational model, and set types express the relationship between two record types. More performant than hierarchical for some functions, but less flexible than relational. Today it has two strong uses: high-performance/high-volume parallel storage (clouds, search engines) and graph databases. The graph model represents nodes (objects) and labeled arcs describing the nature of the connection; Neo4J is used in insider threat detection, anti-money-laundering and COVID-19 contact tracing. Trap: 'network' does not mean a computer network but a network of links between records.
- Hierarchical = parent-child tree, the oldest and least extensible.
- Network = CODASYL, a network of links (not a computer network), basis of graph databases.
- Graph = nodes and labeled arcs (Neo4J: insider threat, anti-money-laundering).
- Rollback backs out the incomplete; shadowing reapplies to a prior version via logging.
- Database model = DBMS structure; data model = the organization's data types.
8.4 The relational model, object-oriented and the ACID test
The relational model structures data in two-dimensional tables (or relations): columns represent the variables, rows hold data instances, organized using normal forms that let tables be linked together. It offers three elements: data structures (tables/relations), integrity rules on allowable values, and manipulation agents providing the relational mathematical basis. Vocabulary to master: each table is a set (an unordered collection); each row is a tuple (record) holding attributes (fields), one per column; one attribute is designated the primary key, others can also be keys. A tuple is found by matching values or via the primary index; filtering produces a subset; a join links two or more tables via specified attributes. Relational has become dominant in DBMSs.
The object-oriented (OO) model stores data as objects, collections of public and private elements together with the operations (methods) executable on them. Because the object carries its own operations, any call to data potentially has the full range of functions available, hence a strong security requirement. The OO model does not necessarily need a high-level language like SQL since the functions are contained within the objects, avoiding the language overhead. The natural evolution, the object-relational model, is a hybrid combining the advantages of relational and OO and offering a migration path.
Models are often evaluated via the ACID test: Atomicity (a transaction is all-or-nothing, indivisible), Consistency (the transaction honors integrity constraints and leaves the database consistent), Isolation (concurrent transactions stay invisible to each other until they complete) and Durability (committed effects are permanent). Central trap: Isolation = invisibility until completion, not to be confused with Atomicity (all-or-nothing), Consistency (integrity constraints) or Durability (permanence).
- Relational = tables/tuples/attributes; one attribute is the primary key; relational is dominant.
- A join links two or more tables via specified attributes.
- The OO model carries methods in objects and does not necessarily need SQL.
- Object-relational = relational + OO hybrid with a migration path.
- ACID: Isolation = transactions invisible to others until completion (do not confuse).
8.5 Interface languages and database connections
Interface languages (often called query languages) let users, administrators and applications request services from the DBMS. The connection must always go through authentication and authorization. SQL, created at IBM in the early 1970s for relational systems, remains the lingua franca of databases. It establishes three concepts: schemas (the database structure, including access controls), tables (columns and rows) and views (down-selections of rows/columns created dynamically per user, implementing security policies and access granularity such as separation of duties or data classification). SQL breaks into three sublanguages: DDL (Data Definition Language) to create databases, tables, views and keys, reserved for administrators; DML (Data Manipulation Language) to query, insert, delete and update data; DCL (Data Control Language) to establish and control access to data. Since DCL carries the security-control aspect, the security professional should pay attention to it.
Markup languages are not programming languages: they express how data should be formatted. HTML describes a page's layout. XML, the most recognized after HTML, provides data storage and transport over networks and interfaces web pages (front end) with databases (back end); it is an example of mobile code and is often used to define metadata. Embedded XML must be inspected and framed by trustworthy frameworks.
To connect applications to databases: ODBC (Open Database Connectivity, from Microsoft) is the dominant means of standardized access; it translates application commands into those of the target database system, allowing a change of DBMS with little modification, but because it operates as a system entity it is vulnerable (plaintext credentials, cleartext data, sometimes inadequate access verification, aggregation across sources). JDBC (Java Database Connectivity, from Sun) connects Java programs to databases, directly or via ODBC. OLE DB, based on COM (Component Object Model), links data across various DBMSs and runs as client or server middleware. ADO (ActiveX Data Objects, from Microsoft) is a high-level interface that simplifies OLE DB use (a front-end client or a middle-tier business object), criticized for its unrestricted system access, mitigated by sandboxing in recent browsers. Finally, the tiered approach (3-tier: presentation, business logic, data) strengthens security because the user does not touch the data directly but goes through the business logic layer; the risk is losing the database's security features in the translation by the middle layer. Trap: ODBC does not rely on HTTP, unlike REST APIs.
- DDL creates (admins), DML queries/modifies, DCL controls access (security focus).
- Views are dynamic and enforce separation of duties and data classification.
- XML interfaces the web front end with the database back end and defines metadata (mobile code).
- ODBC = dominant standardized, non-HTTP access; credentials/data often in clear.
- 3-tier protects because the user goes through business logic, not directly to the data.
8.6 Internet access, analytics and knowledge discovery
Metadata is information that describes other information, literally 'data about the data'. It provides a systematic way to describe resources and improves search precision. It reveals unseen relationships between data, lets previously unrelated data be correlated and gives the keys to a data warehouse's critical data. Since the warehouse is generally at the highest classification level while its users are not, non-public data must be removed from the metadata: you abstract the correlations without exposing the underlying data. Warehouse data is exploited via OLAP, data mining or KDD.
OLAP (Online Analytical Processing) lets the analyst formulate queries then define further ones based on the results, roaming through the data before presenting information to management. Data mining runs queries against the warehouse to reveal hidden relationships, patterns, correlations and trends using mathematical and statistical techniques. Risks: privacy harm when mining individual data, and data contamination when collection/transformation/loading errors produce inaccurate relationships. Positive aspect: mining audit logs to spot abnormal events. Knowledge management efficiently manages an enterprise's information and resources to produce business intelligence, often relying on the data warehouse and now on AI.
KDD (Knowledge Discovery in Databases) is a mathematical, statistical and visualization method to identify valid, useful patterns and derive meaningful information, usually obtained through AI techniques rather than standard queries. Its approaches include the probabilistic model (graphs, uncertainty), the statistical approach (rule discovery, of which OLAP is an example), classification (grouping by similarity, removing redundancy) and deviation and trend analysis (filtering, e.g. an IDS). As an inference countermeasure, polyinstantiation creates multiple versions of a record at different classification levels, preventing the deduction of sensitive information. KDD security controls: protect the knowledge base as any database, routinely verify outputs match expected outcomes from inputs, route rule changes through change control, rerun queries if an output looks suspicious, fold risk into decisions and establish a baseline of expected performance. Trap: KDD = visualization and pattern identification for decisions; data mining = extraction of hidden relationships.
- Metadata = data about the data; strip the non-public before exposure.
- OLAP = iterative queries; data mining = hidden patterns; KDD = AI visualization/patterns.
- Polyinstantiation = multiple versions per classification level, countermeasure to inference.
- Data mining can contaminate data and threaten privacy.
- KDD controls: protect the knowledge base, rule change control, baseline, reverification.
Case studies
The VIP patient deduced by aggregation
Context : An analyst at a hospital is only authorized to consult nonclassified aggregated data. By cross-referencing two datasets available to them - the operating-room schedule (slots, rooms, procedure types) and the staff attendance list - they manage to isolate a procedure and, step by step, deduce the identity of a VIP patient admitted discreetly. None of the sources was sensitive individually, but their combination became so.
Question : This is aggregation leading to inference. Which mechanism best prevents this deduction of sensitive information: polyinstantiation, view-based access control or aggregation control?
Show analysis and answer
View-based access control restricts what the analyst sees, but here they legitimately see data that is already nonclassified: views do not block correlation between two authorized sources. Controlling aggregation (limiting the number or combination of cross queries) helps but is hard to calibrate and does not erase already deducible information. Polyinstantiation is the exam's intended countermeasure to inference: by maintaining multiple versions of the same record at different classification levels, a low-level user sees a consistent but non-revealing 'cover story' version while the true data stays at a higher level. The analyst can then no longer infer the VIP patient because the datasets they cross do not point to the real sensitive data.
Takeaway : When aggregation leads to inference, the countermeasure the exam expects is polyinstantiation, not just view or aggregation control.
- Aggregating nonsensitive sources can produce sensitive information.
- Inference deduces the forbidden from the aggregate.
- Polyinstantiation is the reference countermeasure to inference.
Aggregation vs inference vs polyinstantiation
Central trap of the domain. Aggregation is the act of combining nonsensitive facts from separate sources to obtain sensitive information (the whole is worth more than the sum of its parts). Inference is the ability to deduce or infer information one is not entitled to, often enabled by aggregation. Polyinstantiation is not a threat but the countermeasure: it maintains multiple versions of a record at different classification levels so a low-level user cannot infer the sensitive data. Remember: aggregation = combine, inference = deduce, polyinstantiation = the defense.
ACID: Isolation is not Atomicity
Frequent exam question. Isolation guarantees that concurrent transactions stay invisible to each other until they complete: no transaction sees another's intermediate results. Do not confuse it with Atomicity (the transaction is all-or-nothing, indivisible), Consistency (the transaction honors integrity constraints and leaves the database consistent) or Durability (committed effects are permanent, even after a failure). If the stem mentions invisibility until the transaction ends, the answer is Isolation.
KDD vs data mining
Data mining runs queries against a data warehouse to extract hidden relationships, patterns and correlations using mathematical and statistical techniques. KDD (Knowledge Discovery in Databases) takes that data and uses mathematical, statistical and especially visualization methods, usually via AI, to identify valid patterns and turn them into understandable, actionable information. Exam cue: if the stem mentions visualization to identify patterns, the answer is KDD; if it is the raw extraction of relationships, it is data mining.
Checkpoint — Checkpoint
-
Which data warehouse analysis technique relies on mathematical, statistical and visualization methods to identify valid, useful patterns?
- A Knowledge Discovery in Databases (KDD)
- B Online Analytical Processing (OLAP)
- C Data contamination
- D Object Linking and Embedding (OLE DB)
Answer & rationale
Answer : A — Knowledge Discovery in Databases (KDD)
KDD is defined precisely as a mathematical, statistical and visualization method to identify valid, useful patterns, usually via AI. OLAP is a statistical iterative-querying approach (one example among techniques), not the visualization method intended. Data contamination is a threat (integrity errors), not an analysis technique. OLE DB is a COM-based connection technology, unrelated.
-
A low-level user could infer classified information from data they legitimately consult. Which mechanism is the reference countermeasure to inference?
- A Polyinstantiation
- B Deadlock detection
- C Rollback recovery
- D Data farming
Answer & rationale
Answer : A — Polyinstantiation
Polyinstantiation maintains multiple versions of a record at different classification levels, so a low-level user sees a non-revealing version and cannot infer the sensitive data. Deadlock detection resolves crossed locks, unrelated to inference. Rollback recovery backs out invalid transactions (recovery), not inference. Data farming generates data via predictive analytics, not a confidentiality control.
-
In the ACID test, which property guarantees that concurrent transactions stay invisible to each other until they complete?
- A Isolation
- B Atomicity
- C Consistency
- D Durability
Answer & rationale
Answer : A — Isolation
Isolation ensures a transaction does not see another's intermediate results until it completes. Atomicity guarantees all-or-nothing (an indivisible transaction). Consistency guarantees that integrity constraints are honored and the state is consistent. Durability guarantees the permanence of committed effects, even after a failure. Invisibility until completion points to Isolation.
-
What is the difference between aggregation and inference?
- A Aggregation = combining nonsensitive data to create sensitive data; inference = deducing unauthorized information
- B Aggregation = deducing the forbidden; inference = combining nonsensitive data
- C Both mean the same thing: a direct unauthorized access
- D Aggregation = encrypting data; inference = decrypting it
Answer & rationale
Answer : A — Aggregation = combining nonsensitive data to create sensitive data; inference = deducing unauthorized information
Aggregation combines nonsensitive fragments from separate sources to produce sensitive information; inference deduces more sensitive information than allowed, often enabled by aggregation. Option 2 swaps the definitions. Option 3 confuses it with plain unauthorized access. Option 4 describes encryption, unrelated.
-
In the relational model, what do you call a row of a table and the attribute that uniquely identifies that row?
- A A row is a tuple; the unique identifier is the primary key
- B A row is a schema; the unique identifier is the join
- C A row is a set type; the unique identifier is the foreign key only
- D A row is a view; the unique identifier is the DDL
Answer & rationale
Answer : A — A row is a tuple; the unique identifier is the primary key
In the relational model, each row is a tuple (record) made of attributes, and one of them is designated the primary key to identify the tuple. A schema describes the database structure, not a row. The set type belongs to the network model. A view is a down-selection, and DDL is an SQL creation sublanguage.
Key takeaways
- Aggregation = combine nonsensitive into sensitive; inference = deduce the forbidden from it; polyinstantiation = the countermeasure.
- The DBMS and its database engine (CRUD) orchestrate the database; warehouse, lake, farm and big data widen its scope.
- Five models to distinguish: hierarchical (tree), network (CODASYL), graph (Neo4J), relational (dominant, tuples/attributes/keys), object-oriented (object-relational hybrid).
- ACID: Atomicity (all-or-nothing), Consistency (integrity), Isolation (invisibility until completion), Durability (permanence).
- SQL (DDL/DML/DCL), XML, ODBC/JDBC/OLE DB/ADO and the 3-tier approach connect applications and databases; metadata, OLAP, data mining and KDD draw business intelligence from them.
Web, API, malware and SDS security
Prerequisites : Modules 1-8.
This final module covers the terrain where most attacks actually land today: the application layer exposed on the web. It opens with the web application environment - why a site is inherently vulnerable, the classic design mistakes (reinventing authentication or crypto, hard-coding, poor validation), the frequent attacks (DoS/DDoS, MITM, SQL injection, XSS, CSRF) and the OWASP Top 10 reference framework. It moves to concrete code defenses: input validation, output encoding, session management, secure coding standards (CERT/SEI, OWASP), strong data typing and reuse limited to trusted libraries. Then comes REST API security, its authentication options (Basic+TLS, OAuth 1.0a, OAuth 2) and the systematic use of HMAC SHA-2/SHA-3. It lays out the malware taxonomy (virus, worm, trojan, RAT, logic bomb, spyware, botnet, ransomware), a vocabulary the exam distinguishes finely. It closes with Software-Defined Security (SDS), the paradigm shift toward the cloud, Zero Trust Architecture and microsegmentation. Two real cases - My Pet Food Inc. and the British Airways breach (a 20 million pound ICO fine) - anchor all of this in practice.
9.1 Web application environment and the OWASP Top 10
The web application environment is where an application runs on a server and exposes the interface through which users interact with the organization. Because it is accessible to the whole internet, it becomes a prime target: statistics show most attacks now hit the application layer (the web server itself, in-house scripts, e-commerce front-ends) rather than the underlying platforms. Once the application is compromised, attacking the OS and the rest of the architecture generally becomes possible. A site is easily captured by traversal tools that follow every link to make a local copy: the very transfer of mobile code that serves the legitimate browser also serves the attacker's technical reconnaissance.
Sites suffer from classic design mistakes: trying to reinvent (hand-code) access control and authentication, designing one's own cryptography, hard-coding credentials or sensitive data into pages or scripts, poorly managing access control, and above all coding absent or flawed input validation. Each page, each link, each GET or POST operation is a point of the threat surface an attacker can discover and exploit. The most frequent attacks are: DoS and DDoS, man-in-the-middle (MITM), SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF).
Protection strategies emerge from painful lessons: a security sign-off process for web servers, OS hardening (removing default accounts and configurations, correct permissions, up-to-date patches), vulnerability scans before deployment, IDS/IPS deployment, application proxy firewalls, disabling unnecessary documentation and libraries, securing or removing admin interfaces, access limited to authorized hosts with strong (multifactor) authentication, no hard-coded credentials, account lockout, extended logging, and encryption of all authentication traffic.
The Open Web Application Security Project (OWASP) is the reference resource for secure web development. It provides many projects (Zed Attack Proxy, Web Security Testing Guide, Cheat Sheet Series, Security Knowledge Framework) but the security professional must above all know the OWASP Top 10 web application vulnerabilities and how to mitigate them. Exam trap: OWASP is not a tool, it is a project/community; and the Top 10 is a list of risk categories, not a ranking of products.
- Most attacks target the web application layer, not the platform.
- Classic mistakes: reinventing auth/crypto, hard-coding, missing input validation.
- Frequent attacks: DoS/DDoS, MITM, SQL injection, XSS, CSRF.
- Protection: OS hardening, vulnerability scans, WAF/proxy, IDS/IPS, MFA, no hard-coded credentials.
- OWASP is a project/community; the Top 10 is a list of risk categories to know and mitigate.
9.2 Web code defenses and secure coding standards
Because of the accessibility of web systems, input validation becomes the essential defense: every incoming datum (and output) must be validated. Application proxy firewalls help but must handle known exploits - buffer overflows, authentication issues, scripting, passing commands to the underlying platform (SQL to the database engine), encoding issues (Unicode) and URL encoding/translation. The golden rule: the biggest challenge arises when data passes from anything to anything else - validation must be adequate at that precise moment. To input validation is added output encoding, which neutralizes data before returning it to the browser (the core defense against XSS).
Session management deserves special attention because HTTP is a stateless protocol: the sense of attachment to the server is carried by other technologies (cookies, URL data) that must be protected and validated. If cookies are used, they must always be encrypted. Time validation is part of session management: sequential, calculable or predictable cookies, session numbers or URL data must be disallowed, always using random and unique indicators. As with any application environment, validate all input and output, fail secure (closed), keep the application as simple as possible, use pen testing and secure network design, and apply defense in depth (DiD). Never: cache secure pages, trust data from the client, or automatically trust data from other servers or partners.
Secure coding guidelines & standards encourage developers to follow a set of rules determined by the organization's needs, rather than coding by personal preference or familiarity. Standards exist per language (C, C++, Java, Perl) and come from groups such as the CERT division of the SEI and OWASP. Strong data typing aids safe execution: a type-safe (strongly typed) language inserts logic at compile time preventing the misuse of a data type - arrays staying in bounds, pointers always valid, the impossibility of placing code in a string and then executing it (which prevents injection). Java performs static type checking; in C/C++, memory access through pointers is one of the main sources of vulnerabilities, hence the value of controlling or restricting their use.
Two final practices. First, limit reuse to trusted libraries: reusing a snippet is tempting but risky because the programmer may misunderstand what the code does, or the code may not function correctly - teams must set firm limits on reuse and policies on approved libraries. Second, enforcing standards has two faces: administrative (instruct, motivate, engage the team) and technical (leverage IDE features, configuration management and change tracking systems, and audits of usage if needed). Exam trap: input validation and output encoding are the two fundamental web code defenses - distinguish them, one filters what comes in, the other neutralizes what goes out.
- Input validation and output encoding are the two essential web code defenses.
- HTTP is stateless: session cookies and indicators must be encrypted, random and unpredictable.
- Principles: validate input/output, fail secure (closed), simplicity, defense in depth, never trust the client.
- Secure coding standards: CERT/SEI and OWASP; strong data typing prevents injection (static type checking in Java).
- Limit reuse to trusted libraries; enforce standards both administratively AND technically.
9.3 REST API security and authentication options
APIs (Application Programming Interfaces) are the connectors that let different components communicate - like a messenger carrying information between the applications of a system so it works seamlessly. IoT is the perfect example: when a fitness wristband sends your jogging time to a site, when you unlock a car from an app, when you change your thermostat's temperature from the office, an API works behind the scenes. These APIs must be managed and secured, otherwise wrong messages influenced by attackers may reach the applications. The unifying framework is data governance: a structured, controlled development of APIs that secures all data exchanges from the very beginning of the life cycle.
Websites and web apps come in two forms: stateful (both parties track a shared sequence, like negotiating an HTTPS session) and stateless (no synchronization required, like UDP). Representational State Transfer (REST) is not an architecture but an architectural style for building services on top of the web; it uses simple HTTP to enable interaction via simplified URLs. It is precisely because REST relies on simple HTTP that protecting REST services becomes tricky: it is doable, but it demands rigorous and consistent work across the enterprise.
REST recommendations: employ the same security mechanisms as any web application (if you filter XSS on the front end, do it for your APIs too, ideally with the same tools); do not reinvent your own security solution but use a peer-reviewed framework; do not rely on single key-based authentication (except for a free read-only public API); never transmit unencrypted static keys; and ideally use HMAC (hash-based message authentication code) with SHA-2 or SHA-3, avoiding SHA-1 and MD5 because of their known weaknesses.
Three authentication options for REST APIs. Basic authentication with TLS: the simplest to implement (included in most frameworks) but the least secure; never use it without TLS, otherwise the login/password pair is easily deduced. OAuth 1.0a: the most secure of the three, it uses a cryptographic signature (typically HMAC-SHA1) combining the token secret, a nonce and other info; its great advantage is that the token secret is never sent across the wire, making it the only one of the three usable without TLS (TLS still recommended depending on sensitivity). OAuth 2: the next evolution, it removes signatures - no more cryptographic algorithms to generate them - because all encryption is now handled by TLS, which becomes mandatory. Also consider: KMIP V1.1 and HSMs for key and certificate management, and the OWASP REST Security Cheat Sheet (which recommends session tokens to protect authentication from sniffers). Exam trap: OAuth 1.0a signs (usable without TLS); OAuth 2 no longer signs and requires TLS.
REST is not the only API family: SOAP (Simple Object Access Protocol) is an older, XML-based, strict and strongly typed protocol that carries messages in an XML envelope and includes WS-Security (message-level signing, encryption, tokens). SOAP is stateful and suited to critical transactions or formal contracts (WSDL); REST is lightweight, stateless, relies on HTTP verbs and JSON, and dominates web and mobile. Exam trap: SOAP carries its own message-level security (WS-Security) independent of transport, whereas REST relies on TLS to protect data in transit.
- APIs are the connectors between components (IoT); REST is an architectural style over simple HTTP.
- Recommendations: same mechanisms as the web, do not reinvent, HMAC with SHA-2/SHA-3, avoid SHA-1/MD5.
- Basic auth: simple but weak, never without TLS.
- OAuth 1.0a: HMAC-SHA1 signature, token secret never transmitted, the only option usable without TLS.
- OAuth 2: signatures removed, all encryption rests on TLS, which becomes mandatory.
- SOAP (XML, WS-Security, stateful) vs REST (HTTP/JSON, stateless, secured by TLS).
9.4 Malware taxonomy
Malware compromises a system's integrity, often by attaching to programs or executable files and delivering a payload that erases data, alters it, opens covert channels or exfiltrates information - this is the negative payload. Malware succeeds largely thanks to its social engineering component. At the heart of the taxonomy: the virus, a program written to copy and disperse itself without the user's cooperation; Fred Cohen's definition (1984) describes it as a program that modifies other programs to include a version of itself. Key exam point: a virus requires user action (double-clicking an attachment, launching a program) to infect. Virus types include: file infectors (infect program/object files; system infectors targeting the OS are a subcategory), boot sector infectors (replace the master boot record), macro viruses (via VBA in Word/Excel, infect data files like NORMAL.DOT), script viruses (standalone interpreted .vbs files, e.g. LoveLetter), multipartite (infect several object types or reproduce in several ways, e.g. Nimda), companion viruses (create a copy with another extension, e.g. .COM before a .EXE) and email viruses (exploit mail functions, e.g. Melissa).
The worm reproduces and spreads like a virus but differs fundamentally: it spreads WITHOUT user action, traversing networks of its own accord by exploiting known vulnerabilities. Needing no human involvement, it spreads far faster (worldwide in hours or even minutes). The first notable worm was the Morris Internet Worm of 1988. The trojan (Trojan horse) pretends to do something useful while performing an undocumented malicious action; it does not reproduce. The Remote Access Trojan (RAT) is installed remotely after deployment to give the attacker full control of the target host without alert; it is not viral (does not spread on its own) but can be dropped as a virus payload, and often makes the host a member of a botnet. DDoS zombies are compromised machines in the middle, unaware they are part of a distributed DoS attack.
The logic bomb stays dormant until a specific condition (a date, the state of a database) then activates its negative payload; hard to implant after the fact, it is coded into an application under development or maintenance, involves neither reproduction nor social engineering, and a classic example is the salami scam (siphoning fractions of a cent across many transactions). Spyware and adware sit at the legitimate borderline: initially marketing tools tracking browsing habits, grown intrusive, they are often called PUP/PUA (potentially unwanted programs/applications) to focus on the lack of consent rather than alleged harm. The hoax is a fake virus alert pushing you to forward it to all your contacts (a kind of self-perpetuating spam). Pranks and Easter eggs (hidden functions) are jokes without malicious intent but consume resources and complicate integrity.
The botnet is a network of automated bots acting together toward an often malicious goal; its distributed nature and techniques like fast-flux (rapid rotation of domain names and IP addresses) make it hard to detect and neutralize; bots are usually dropped by trojans. Finally, ransomware encrypts the victim's files and sells the decryption key (often in Bitcoin); a variant, living off the land (a non-malware attack), uses no malware but native system capabilities (such as file system encryption tools) for the same result. Exam trap: virus = user action required and modifies other programs; worm = autonomous spread over the network, no user action.
- Virus: modifies other programs and requires user action; types: file/boot/macro/script/multipartite/companion/email.
- Worm: spreads on its own over the network without user action (Morris Internet Worm, 1988).
- Trojan: pretends to be useful, does not reproduce; RAT: full remote control, non-viral, makes the host a zombie/botnet member.
- Logic bomb: triggered by a condition, no reproduction or social engineering (salami scam).
- Botnet: coordinated bots (fast-flux); ransomware: encrypts files, living off the land variant uses no malware.
9.5 Software-Defined Security (SDS) and Zero Trust
Software-Defined Security (SDS) is a major paradigm shift in how we think about and secure information systems architectures. In simple terms, it is the difference between the client-server model resting on an on-premises server and a fully cloud-based model, with no on-site architecture beyond the internet point of presence and local access points. The client-server model extended to the internet required perimeter thinking, layered defenses (DiD), and it trusted entities moving laterally within a layer. Around 2018, the market cried that defense in depth is dead to signal the need for SDS against sophisticated attackers. The nuance, quickly added: it is not the layers that are the problem, but that traditional DiD has no effective control over lateral movement within a layer, nor any real defense against the insider threat.
For a globe-spanning enterprise (50 sites, 10,000 users, cloud assets, microsegmentation requiring hundreds of firewalls, routers, NIPS/NIDS driven by SIEMs and SOAR), shifting to SDS brings several advantages: it centralizes the control plane for all network segments, reducing overhead while enabling rapid enterprise-wide changes; it favors virtualized security appliances, reducing hardware and vendor dependence; it makes security policies on-demand, agile and adaptable; it can eliminate older converged protocols like MPLS via virtual overlays; and it shifts threat intelligence from reactive to predictive by combining machine and human learning. Properly implemented, SDS also offers a bridgehead to holistic all-source risk management.
It must be stressed that traditional component-level elements have not disappeared: access to Layer 2 internet services and, above all, the fundamental problem of identity management and access control remain. Every user, human or nonhuman, and every device, software entity or process must be subject to the full suite of IAM controls - this is the rock on which SDS must stand before becoming holistic. Several ideas are now established at the core of SDS: identity management is absolutely vital; entities (not just users) must be the level at which identity is defined and tracked; defense must become proactive; systems must be agile; access management must push down to the lowest-level asset; and the Zero Trust Architecture (ZTA) both enables SDS and is required by it. ZTA uses microsegmentation and IAM functions; it is not a mere relabeling of DiD - for instance, highly localized segments are defined per IoT type, with trusted agents acting as brokers between an IoT segment and the rest (warehouse sensors have no reason to access HR or finance systems).
SDS and assessment raise two fundamental, intertwined questions: (1) are the systems the organization depends on operating as required to meet both compliance needs AND the reality of today's threat environment? (2) are the SDS and other security processes we have put in place working correctly? The first belongs to Domain 6; the second is a special case of the third-party security assessment problem - placing all your security capabilities into the virtual hands of an SDS installation requires considerable trust, and that system must be treated as a high-value, mission-critical asset. The choice of an SDS vendor, in-house or as a managed service, must factor in assessment and compliance needs from the start. Exam trap: SDS and ZTA do not mean the perimeter or layers are dead; they fix DiD's blind spot - lateral movement - by putting identity management at the center.
- SDS: shift from the on-premise client-server model to a centralized, virtualized cloud model.
- Defense in depth is dead is nuanced: DiD does not control lateral movement or the insider threat.
- SDS advantages: centralized control plane, virtualized appliances, agile policies, predictive threat intelligence.
- ZTA and microsegmentation rest on identity management of entities (not just users).
- SDS assessment: 2 questions (systems compliant/secure? SDS processes correct?); treat SDS as a mission-critical asset.
Case studies
My Pet Food Inc.: security posture of an online shop
Context : My Pet Food Inc. is an online pet supply store (cats, dogs, birds, reptiles, fish, specializing in raw food). Like most retail sites, it offers a catalog with an online cart. Purchases can be made as a guest or via a registered account; the personal account requires a username linked to personal details (name, phone, credit or debit card) and provides an order history. The HelloWorld team must review the weaknesses of their web applications and prepare solutions.
Question : 1. How might the website be attacked? 2. How might these attacks be mitigated, considering safeguards and countermeasures and the interaction between software, physical and technology?
Show analysis and answer
1. Prepare the organization for all types of attacks using the OWASP Top 10 Web Application Security Risks to identify vectors, and run regular penetration testing to verify protection holds. Possible attacks: Denial of Service (DoS), website defacement, theft of customer information (credit card details), man-in-the-middle (MITM), phishing, SQL injection, cross-site scripting (XSS) and malware insertion. 2. Managing users and sessions is always a starting point: understanding who is connecting, from where and for how long gives insight into potentially malicious activity. An intrusion prevention system (IPS), if correctly configured, can provide additional protection. Add input validation, encryption of sessions and card data, and OWASP-aligned hardening.
Takeaway : An online shop handling cards and CVV must treat the OWASP Top 10 as a living checklist, run regular pen testing, and make session management plus IPS its first line of defense against fraud and exfiltration.
- List attacks via the OWASP Top 10: DoS, defacement, info theft, MITM, phishing, SQLi, XSS, malware.
- Session management (who, from where, how long) is the starting point of detection.
- A well-configured IPS and regular pen testing complete the defense of an e-commerce site.
British Airways: breach, ICO fine and missing input validation
Context : On October 16, 2020, the Information Commissioner's Office (ICO) concluded that British Airways (BA) had failed to take adequate measures to protect its customers' personal data and imposed a 20 million pound fine (the largest at the time); the original fine, before the COVID-19 pandemic, was 184 million pounds (1.5% of 2018 revenue). A failure in security procedures and software led to a breach affecting 429,612 customers and staff: names, addresses, payment card details and CVV numbers exposed. Aggravating: BA never detected the attack and learned of it from a third party. Two theories prevail; the most likely per a former GCHQ researcher: attackers loaded malicious scripts onto BA's legitimate site, capturing information at the point of entry (skimming) - CVVs were collected 'live' at each booking or login.
Question : 1. What types of mistakes were made in developing the BA site (input validation, session management, access control) and where? 2. Which best practices would be most important for an organization with a similar site (guest or registered checkout)? 3. Why is testing a frequent point of failure? 4. Which tests would have identified BA's vulnerability? 5. Which would be most important and how to convey it to the business?
Show analysis and answer
1. The primary failure was a lack of input validation, which allowed uploading scripts that redirected users to a spoofed site or collected information directly from BA's real site; session management could also have helped by detecting the connections and data transfer to the attackers. 2. Input validation and output sanitization are key to protecting the organization and customers; without them you expose yourself to post-form tampering, cross-site scripting and cross-site request forgery. Transmitted information must be protected by encrypted sessions AND tracked: if a UK user normally logs in from the UK but a session originates in China, why? If two sessions start simultaneously with the same credentials, which is legitimate? 3. In a world where speed of delivery (push to market) is paramount, testing is perceived as expensive and time-consuming and may be dropped, shortened or reduced. 4. Several tests would have revealed the problem: a vulnerability assessment (if the flaw was known), a website penetration test, a regression test and a misuse case test. 5. All these tests matter: you will never find every flaw, but the more you test, the more you identify - that is the argument to take to the business.
Takeaway : A lack of input validation cost BA a breach of 429,612 people (including CVVs) and a 20 million pound fine, never detected internally. The lesson: input validation and output sanitization, encrypted and tracked sessions, and testing that is not sacrificed to speed of delivery.
- The central mistake was the lack of input validation (and session management), enabling script skimming at the point of entry.
- Best practices: input validation + output sanitization, encrypted and tracked sessions (geolocation, concurrent sessions).
- Testing often fails under push-to-market pressure; vulnerability assessment, pen test, regression and misuse case would have revealed the flaw.
SQL injection vs XSS vs CSRF
Three frequent web attacks the exam makes you recognize from a scenario. SQL injection: the attacker injects SQL syntax into an input field to manipulate the server-side query (e.g. bypass authentication or read a whole table); the target is the database. Cross-site scripting (XSS): the attacker makes a malicious script run in the browser of OTHER users (e.g. a booby-trapped comment that steals visitors' cookies); the target is other victims' browsers. Cross-site request forgery (CSRF): the attacker forces an ALREADY authenticated victim's browser to send an unwanted request (e.g. a trap link triggering a transfer while the victim is logged into their bank); the target is the action performed on the victim's behalf. Mnemonic: SQLi manipulates the query (database), XSS runs script on others (browser), CSRF abuses the authenticated session (forged request). Respective defenses: input validation/parameterized queries (SQLi), output encoding (XSS), anti-CSRF tokens (CSRF).
Virus vs worm
Classic confusion between two self-reproducing malware types. The virus requires user action to infect (double-clicking an attachment, launching a program) and it modifies other programs to include a copy of itself - that is its defining mark (Fred Cohen, 1984). The worm spreads WITHOUT any user action: it traverses networks of its own accord by exploiting known vulnerabilities, hence far faster (worldwide in hours or minutes); the Morris Internet Worm (1988) is the first notable example. To decide in a scenario: if propagation needs someone to open/run something, it is a virus; if it spreads on its own over the network, it is a worm. Note: many modern threats (LoveLetter, Nimda) combine both techniques.
OAuth 1.0a vs OAuth 2
Two versions of OAuth the exam contrasts on cryptography and the need for TLS. OAuth 1.0a relies on a cryptographic signature (typically HMAC-SHA1) combining the token secret, a nonce and other request info; because the token secret is never transmitted across the wire, OAuth 1.0a is the ONLY of the three options (with Basic auth and OAuth 2) that can be safely used WITHOUT TLS - though TLS is still recommended depending on sensitivity. OAuth 2 removes signatures: there is no cryptographic algorithm to manage for signing, because all encryption is delegated to TLS, which becomes MANDATORY. To decide: cryptographic signature present and TLS optional = OAuth 1.0a; no signature and TLS enforced = OAuth 2. Do not confuse either with Basic auth (the simplest but least secure, never without TLS); and remember the HMAC SHA-2/SHA-3 recommendation (avoid SHA-1/MD5).
Checkpoint — Checkpoint
-
An attacker enters the string ' OR '1'='1 in the 'username' field of a login form and gains access without a valid password. Which attack is this?
- A Cross-site scripting (XSS)
- B SQL injection
- C Cross-site request forgery (CSRF)
- D Man-in-the-middle (MITM)
Answer & rationale
Answer : B — SQL injection
SQL injection: the attacker injects SQL syntax into a field to manipulate the server-side query and bypass authentication, targeting the database. It is not XSS (which runs a script in other users' browsers), nor CSRF (which forces a request from an already authenticated victim's browser), nor MITM (interception between two parties). Defense: input validation and parameterized queries.
-
An attacker posts a comment containing <script> on a forum; every visitor who reads the thread has their session cookies stolen. Which attack is this?
- A SQL injection
- B Cross-site request forgery (CSRF)
- C Cross-site scripting (XSS)
- D Logic bomb
Answer & rationale
Answer : C — Cross-site scripting (XSS)
Cross-site scripting (XSS): a stored malicious script runs in OTHER users' browsers, typically to steal their cookies. It is not SQLi (which targets the database via a manipulated query), nor CSRF (which forces an unwanted request from an authenticated session without running a script on the victim), nor a logic bomb (payload triggered by a condition). Defense: output encoding.
-
While a victim is logged into their bank in one tab, they click a trap link in another tab; their browser then sends a money transfer without the victim's knowledge. Which attack is this?
- A Cross-site request forgery (CSRF)
- B Cross-site scripting (XSS)
- C SQL injection
- D Phishing
Answer & rationale
Answer : A — Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF): the attack forces an ALREADY authenticated victim's browser to send an unwanted request (the transfer), exploiting the active session. It is not XSS (no malicious script execution on the victim, but request abuse), nor SQLi (no database query manipulation), nor phishing (which tricks the user into handing over their own credentials). Defense: anti-CSRF tokens.
-
A malicious program spreads through a corporate network by exploiting a known vulnerability, without any user having to open or run anything. What type of malware is this?
- A Virus
- B Worm
- C Trojan
- D Logic bomb
Answer & rationale
Answer : B — Worm
Worm: it spreads on its own over the network by exploiting known vulnerabilities, WITHOUT user action (e.g. Morris Internet Worm, 1988). A virus would require user action and modify other programs; a trojan pretends to be useful and does not reproduce; a logic bomb waits for a condition to trigger its payload, without propagating. The decisive criterion is the absence of user action.
-
Which statement correctly distinguishes OAuth 1.0a from OAuth 2 for REST API security?
- A OAuth 1.0a uses a cryptographic signature and can be used without TLS; OAuth 2 removes signatures and requires TLS
- B OAuth 2 uses a cryptographic signature and can be used without TLS; OAuth 1.0a requires TLS
- C Both require TLS and use an HMAC-SHA1 signature
- D Neither uses encryption; they rely solely on Basic authentication
Answer & rationale
Answer : A — OAuth 1.0a uses a cryptographic signature and can be used without TLS; OAuth 2 removes signatures and requires TLS
OAuth 1.0a uses a cryptographic signature (typically HMAC-SHA1) and, since the token secret is never transmitted, it is the only option usable without TLS (TLS still recommended). OAuth 2 removes signatures and delegates all encryption to TLS, which becomes mandatory. Option B inverts the two versions; C is wrong because only OAuth 1.0a signs and OAuth 1.0a does not require TLS; D is wrong because OAuth is an authorization protocol distinct from Basic auth, and the general recommendation is HMAC SHA-2/SHA-3.
Key takeaways
- Most attacks target the web application layer; the OWASP Top 10 is the reference list of risks to know and mitigate.
- Input validation and output encoding are the two essential defenses; since HTTP is stateless, sessions must be encrypted, random and unpredictable.
- SQLi (manipulates the query, database), XSS (runs script on others, browser) and CSRF (abuses an authenticated session) are recognized from the scenario.
- REST APIs: same mechanisms as the web, HMAC SHA-2/SHA-3; OAuth 1.0a signs (usable without TLS), OAuth 2 removes signatures and requires TLS.
- Malware: virus (user action, modifies programs) vs worm (autonomous network spread); know RAT, logic bomb, botnet, ransomware.
- SDS shifts security to a centralized, virtualized cloud model; ZTA and microsegmentation rest on identity management of entities.
Domain summary
Nearly all of today's attacks target the software layers of distributed, internet-exposed systems. These vulnerabilities are self-induced: they are created as errors in requirements, designs and source code, then missed by flawed testing, verification and assessment, and ultimately found and exploited by attackers. The most frustrating part is that the most damaging flaws (buffer overflow, privilege escalation, missing data validation) have long been well understood, yet they recur because secure frameworks and coding standards go unused.
Data breaches can target simple files (poorly protected credential lists, logs, documents), but thefts of millions of records target databases and data warehouses. The web adds its own surface: mobile code mostly travels as readable source code, and almost all of its vulnerabilities are self-inflicted through programming or page-authoring mistakes. Security must therefore be treated as an essential element from the start and at every step: it is an ingredient, a process and an emerging property of the system and of the processes used throughout the software's life.
Organizations can avoid the false dilemma between fast/slow, cheap/expensive and risky/secure by choosing better approaches: integrating traditionally separate teams (development, QA, operations) into cross-disciplinary efforts; using secure coding guidelines, suitable languages, libraries and tools; recognizing recurring weaknesses at the source code level and instituting controls to limit them, find them early and remediate them (API protection, buffer overflows, privilege escalation, data validation); and relying on CMMs to continually improve security and quality.
Growing complexity sharpens the challenge: modern systems stack hardware platform, CPU microcode, virtual machine, OS, ORB, database and web servers, API libraries and multiple interfaces. This complexity, added for interoperability, makes it far harder to design systems that meet security requirements and to verify they still meet them in operation. Software quality assurance, testing and security assessment enable significant risk reductions, applicable to third-party development, COTS, commodity IT systems and orphaned software.
The central message is invariant: the best security is always designed into the system, never added later. Protective mechanisms and safeguards must be designed and implemented early, not backfit after tests or attacks expose weaknesses. The security professional need not become a software engineer, but must hold a working knowledge of how software is built and deployed in order to advise, assess and enforce the required security posture.
Glossary (Terms & Definitions)
The key Domain 8 terms, to master in English for the exam.
| Term | Definition |
|---|---|
| Acceptance | A formal, structured handover of the finished software system to the customer, involving test, analysis and assessment activities. |
| Accreditation | Formal declaration by a designated accrediting authority that a system is approved to operate at an acceptable level of risk, based on approved safeguards. |
| ACID Test | Data integrity enforced via atomicity, consistency, isolation and durability policies on transactions. |
| Advanced Persistent Threats | An agent or organization conducting a highly sophisticated, multi-step attack against a target over months or years toward a strategic goal. |
| Aggregation | The ability to combine nonsensitive data from separate sources to create sensitive information. |
| Blocked and Allowed Lists | Lists of blocked or allowed identities, URLs, addresses, files or programs used to control their access, use or execution (replacing blacklist/whitelist). |
| Botnets | A network of automated systems or processes (bots) working together, usually maliciously, magnifying attack power and speed. |
| Bots | An emerging class of mobile code using limited machine learning to assist user requests, automate workflows or validate input quality. |
| Buffer Overflow | A source code vulnerability allowing access to memory locations outside the buffer's allocated space, triggered by oversized input. |
| Bypass Attack | An attempt to bypass front-end database application controls to access information. |
| Certification | The comprehensive technical security analysis of a system to ensure it meets all applicable security requirements. |
| Citizen Programmers | Organization members codifying knowledge into software-like forms (macros, scripts) outside quality, CM or security control, posing a risk. |
| Code Protection or Logic Hiding | Prevents one software unit from reading or altering the source, intermediate or executable code of another unit. |
| Code Reuse | Reusing, rather than reinventing, software units already proven correct, complete, safe and secure. |
| Commercial Off-the-Shelf (COTS) | Software provided as finished products not meant for end-user alteration, extensible via scripts, macros and configuration parameters. |
| Common Object Request Broker Architecture (CORBA) | A set of standards enabling interoperability between hardware and software on different networked machines, providing object location and use. |
| Configuration Control | The process of controlling modifications to hardware, firmware, software and documentation to protect the system against improper changes. |
| Configuration Management | A set of activities establishing and maintaining the integrity of IT products by controlling their configurations throughout the life cycle. |
| Continuous Integration and Continuous Delivery (CI/CD) | Workflow automation reducing the need for manual communication and coordination between software development steps. |
| Covert Channel | A communications pathway between processes that transfers information in violation of a security policy, created deliberately or exploited unwittingly. |
| Data Contamination | An attacker's use of malformed inputs (field, record, transaction or file level) to disrupt proper system functioning. |
| Data Lake | A data warehouse incorporating multiple types or streams of unstructured or semi-structured data. |
| Data Mining | An analysis and decision-making technique extracting deeper meaning from many instances and types of data, often from a data warehouse. |
| Data Modeling | A design process identifying all data elements the system must create, store, modify, output and destroy during operational use. |
| Data Protection or Data Hiding | Restricts or prevents one software unit from reading or altering the private data of another unit. |
| Data Type Enforcement | How well a language protects the programmer from operations on dissimilar data types that would yield erroneous results. |
| Data Warehouse | A collection of data sources (internal or external databases) providing a broader information base for analysis, trending and reference. |
| Database Management System (DBMS) | A suite of applications managing databases and their environments; its engine performs CRUD operations securely (CIA). |
| Database Model | The underlying design concepts a DBMS implements, defining the organization, structure and architecture offered to users. |
| Data-Centric Threat Modeling | A methodology focused on the authorized movement, location and use of data (in transit, at rest, in use) to enforce security decisions. |
| Defensive Programming | A design and coding style translating business logic on acceptable and harmful input into code that safely blocks dangerous inputs. |
| DevOps | An approach based on lean and agile principles where business, development, operations and QA collaborate to deliver software continuously. |
| DevSecOps | A merger of phased review (waterfall) with DevOps to build in security, safety and resilience at each turn of the development cycle. |
| Dynamic Application Security Testing (DAST) | Tools that execute the unit, application or system under test to drive it to reveal a potentially exploitable vulnerability. |
| Emerging Properties | A powerful way of viewing system-level behaviors (safety, security) and answering testably how secure a system is. |
| Encapsulation | Enforcing data and code hiding by bundling data and methods; also packaging data within another structure (networking, encryption). |
| Executable Code, Object Code | The binary representation of the machine language instruction set the target CPU and hardware directly execute. |
| Extensible Markup Language (XML) | Extensions to HTML enabling data storage and transport over networks, often linking front-end web pages to back-end databases. |
| Functional Requirements | Describe a finite task or process the system must perform, often directly traceable to specific elements of the final design. |
| Hierarchical Database Model | A database model where elements and records are arranged in parent-child structures such as trees. |
| Independent Verification and Validation (IV&V) | Review, analysis and test by an objective third party confirming requirements are correctly defined (verify) and correctly implemented (validate). |
| Inheritance | A mechanism by which objects that are members of a class inherit specific characteristics of that class (e.g. a folder's read-only attribute). |
| Interactive Application Security Testing (IAST) | Testing that combines SAST and DAST to add behavioral analysis and pinpoint the source of vulnerabilities. |
| Integrated Development Environments (IDEs) | A set of applications, procedures, databases and tools giving programmers what they need to design, code, compile, test and integrate finished software. |
| Integrated Product and Process Development (IPPD) | A management technique simultaneously integrating all acquisition activities via multidisciplinary teams to optimize design and support. |
| Integrated Product Team (IPT) | A team of stakeholders with varied skills working together to achieve a defined process or product. |
| Intermediate Code | A form between human-readable source code and executable binary, mainly providing machine independence or portability (e.g. Java). |
| Knowledge Discovery in Database (KDD) | A mathematical, statistical and visualization method of identifying valid and useful patterns in data. |
| Knowledge Management | The efficient management of an enterprise's information and resources to drive business intelligence and decision-making. |
| Level of Abstraction | How closely a description (code, design) maps to the underlying object's details; lower levels carry finer-grained detail. |
| Living Off the Land | An attack using illicit access to misuse a system's native capabilities without malware, thus evading anti-malware defenses. |
| Logic Bombs | Malware inserted into a program that activates and performs the attacker's functions at a later date or when conditions are met. |
| Malformed Input Attack | Source code errors causing mishandling of out-of-range, contradictory or unauthorized input, possibly leading to arbitrary code execution. |
| Malware | A program inserted into a system, usually covertly, to compromise the confidentiality, integrity or availability of data or the OS. |
| Markup Languages | Nonprogramming languages expressing data formatting; extensible, they can become programmatic (e.g. JavaScript extends HTML). |
| Memory or Object Reuse | Reuse of memory or objects by processes; any data left in the reused object is a data remanence security risk. |
| Metadata | Information describing the format or meaning of other data, providing a systematic way to describe resources and improve retrieval. |
| Mobile Code | File(s) sent by one system to clients that, when opened by installed software, control or are directly executed by the client's CPU. |
| Modified Prototype Model (MPM) | An approach first building a simplified version of the application, iteratively refined via stakeholder feedback until satisfied. |
| Network Database Model | A database model where elements and records are linked arbitrarily (lists, clusters or other network forms). |
| Nonfunctional Requirements | Identify broad characteristics of the whole system (security, safety, privacy, resilience) without aligning to a specific subset of elements. |
| Object | An encapsulation of a set of data and the methods that can manipulate that data. |
| Object-Oriented (OO) Database Model | A model using OOP concepts (classes, instances, objects) to organize and store data and methods; schemas and views structure access. |
| Object-Oriented Programming (OOP) | Defines an object as a software set offering internal methods that external software can request, with specified inputs and outputs. |
| Open-Source Software | Software whose source code and design info are public for inspection, testing and use; licenses often allow modification and refactoring. |
| Polyinstantiation | Creates a new instance of a data item with the same key but different values, protecting distinct security levels of a shared resource. |
| Polymorphism | Lets an object take many forms based on use, so changes to it need not ripple out to every program that uses it. |
| Procedural Programming | Emphasizes the logical sequence of steps; a procedure performs a function, takes inputs, produces outputs, and can call other procedures. |
| Query Attack | Use of query tools to access data normally barred by the trusted front end, including via malformed SQL queries. |
| Ransom Attack | An attack threatening to destroy, deny or release private information assets, often encrypting them until a ransom is paid. |
| Ransomware | Malware used to facilitate a ransom attack. |
| Rapid Application Development (RAD) | A methodology building an application faster by using fewer formal methods and reusing software components. |
| Refactoring | A partial or complete rewrite of software to perform the same functions in a simpler, more efficient or maintainable form. |
| Regression Testing | Testing whether recently approved modifications have changed other approved functions or introduced unauthorized behaviors. |
| Relational Database Model | A model organizing data and records into linked tables to combine records of different structures in the same activity. |
| Representational State Transfer (REST) | A software architectural style synchronizing two applications on different systems by exchanging state information, via HTTP or HTTPS. |
| Runtime Application Security Protection (RASP) | Security agents built into an application by the developer that detect violations and can terminate it or take protective actions. |
| Sandbox | A test environment isolated logically, physically or virtually, used for development, integration, malware screening or a honeynet. |
| Scanners | Software examining suspect files for malware via signature analysis, activity monitoring, heuristics or machine learning. |
| Secure Coding Guidelines and Standards | Best practices that, correctly applied, dramatically reduce the number of exploitable vulnerabilities remaining in the deployed system. |
| Security Assessment | Testing, inspection and analysis determining how far a system meets the required security posture, as built or against real-world threats. |
| Software (Quality) Assurance | Processes determining whether software performs its intended functions, no unwanted ones, and is free of known vulnerabilities and errors. |
| Software Capability Maturity Modeling (SW-CMM) | A management process fostering continuous improvement of an organization's software development, maintenance and use processes. |
| Software Development Life Cycle (SDLC) | A framework and systematic process of steps for building, deploying and supporting software, from planning to decommissioning. |
| Software Libraries | A repository of prewritten code (classes, procedures, scripts) from vendors, trusted third parties, in-house or open-source sources. |
| Source Code | Program statements written in human-readable form following a formal language's syntax and semantics rules. |
| Spiral Method | A process improving waterfall by adding a Plan-Do-Check-Act (PDCA) cycle of substages at each SDLC phase. |
| Spyware and Adware | Monitoring and data-gathering software (PUP/PUA); spyware monitors, adware serves ads; legitimate or unwanted depending on the case. |
| Static Application Security Testing (SAST) | Tools analyzing source code (without executing it) for type errors, bounds violations and unreachable code. |
| Strong Data Typing | A language feature preventing data type mismatch errors by raising compile-time errors that force correction. |
| Threat Surface | The total set of penetrations of a boundary or perimeter surrounding system elements. |
| Time of Check versus Time of Use (TOCTOU) | An attack exploiting the delay between a security check (authentication or authorization) and the actual use of the asset. |
| Trapdoor or Backdoor | A hidden mechanism bypassing access controls, inserted by developers for maintenance or by an attacker for unauthorized access. |
| Trojans | Malware inserting backdoors or trapdoors into other programs or systems, sometimes disguised as a useful or fun application. |
| Trusted Computing Base (TCB) | All the hardware, software and firmware of an architecture specifically responsible for security and the isolation of objects. |
| View-Based Access Controls | A control logically dividing the database into views (records, fields) to hide sensitive data from unauthorized users. |
| Virus | A program designed to copy and spread itself without the user's knowledge, typically modifying other programs to contain a copy of itself. |
| Waterfall Software Development Life Cycle (SDLC) | A classic SDLC model with clear boundaries between phases, each completed and tested before the next begins. |
| Worm | A program copying and spreading itself without the user's knowledge, but without needing to modify other programs to replicate. |
Domain key takeaways
What you must remember
- Development security means integrating security into the SDLC to prevent vulnerabilities and achieve software that is secure by design: the best security is always designed into the system, never added later.
- The SDLC comprises several phases (planning, design, implementation, testing, deployment); what matters is not that a formal SDLC is used, but that the entire development process involves security.
- Secure coding practices such as input validation and error handling prevent common vulnerabilities like buffer overflow and SQL injection.
- Code reviews and testing - static code analysis (SAST) and dynamic testing (DAST) - help identify vulnerabilities early in the cycle.
- Organizations must choose their methodology based on their needs; switching methodologies adds complexity and risk (new staff, new processes).
- Maturity models (SW-CMM) are used to understand current processes, assess improvement opportunities and set targets: it is a measurement strategy.
- There are four main types of software security risk assessment: certification and accreditation, risk management frameworks, CMMs, and software (quality) assurance.
- Four phases shape acquiring software through third parties: planning, contracting, monitoring/acceptance/deployment, and ongoing use and support.
- Secure software does not stay secure if its specifications, designs, source code or build scripts can be tampered with in the pipeline: change management and configuration control are vital.
- Software-defined security (SDS) is a paradigm shift: identity (of every entity, not just users) is central, access management is pushed down to the lowest-level asset, and zero trust architecture (ZTA) both enables and requires SDS.