6. SecureSoftwareDevelopement - Control Questions Flashcards
What is the CVE?
○ publicly available database of known vulnerabilities
Why is developing secure software difficult?
○ The table is tilted
■ Developer constraints: time, resource, functionality
■ Attacker constraints: motivation and preparedness
○ Security testing is challenging
■ Functional testing: how the system should work
■ Security testing: how the system should NOT work
○ Weak business motivation
■ Measurement is difficult → no customer enforced competition
○ End-users suffer
■ Developers are not motivated enough
● Outline the stages of Microsoft’s Secure Development Lifecycle!
ábra
● Outline the stages of Microsoft’s Secure Development Lifecycle!
○ Development team: who does the actual development of the product
○ Development Team Security Contact: member of the dev team, security advisor contacts this person with security info
○ Security advisor:
■ point of contact between the devs and sec team (if there is one)
■ holds SDL kick-off meeting
■ hold design and threat-model reviews with the dev team
■ analyzes security related bugs
■ addresses security and privacy questions/ideas
○ Security Leadership Team: regular communication about security and privacy bug counts, updates, security status in general
● What is a bug tracking system?
What is required for successful bug tracking?
○ Database about bugs
○ Include security/privacy related info as well!
○ Required fields: ábra
● What does the design principle “economy of mechanism” say?
○ The more complex the SW, the greater chance of bugs
○ Smaller code base is easier to maintain
● What does the design principle “fail-safe defaults” say?
○ White-listing approach
■ Initially: access is denied
■ If access is requested, check that it is permitted
○ Result: false negative
■ Access is denied, when it should have been permitted
● What does the design principle “complete mediation” say?
○ Check every access to every object
● What does the design principle “separation of privilege” say?
○ Multiple conditions should be met before granting permissions
■ Systems are more robust and flexible
● Single check may fail or be subverted
○ Prerequisite: compartmentalization
■ Break the system down into smaller components
■ Each component can check a condition
● What does the design principle “least privilege” say?
○ Programs should run with the minimum amount of privilige that is necessary to accomplish the task
○ Limits the damage from accidents and errors
● What does the design principle “open design” say?
○ Don’t depend on the secrecy of the design
○ That is security by obscurity
● What does the design principle “least common mechanism” say?
○ Minimize the amount of mechanism
■ Common to more than one user, and
■ Depended on by all users
○ Sharing is a channel to information transmission
● What does the design principle “psychological acceptability” say?
○ If users do not accept it, they will bypass it
○ Consider the human in the loop!
○ Interaction with the system should be easy and intuitive
○ Resource access should remain easy
● What is the attack surface of the software?
○ Consider the attack surface of the software!
■ All paths for data/commands into and out of the application
■ Code that protects these paths
■ All valuable data used in the application
■ Code that protects these data
● Your software detects that the input is corrupted. What should the software do?
○ Input: filtering and validation
■ – Terminate on suspicious input, don’t try to fix it !
■ – Whitelist strategy