CH9 SSDLC

Question 1

Software is hard to get right
Lines of code per updating linux kernel version is increasing
Increase in:

Answer 1

Code size
Code complexity
Number of products
Product versions
Used technologies (languages, frameworks, libs)
Usually software companies avoid deleting code, for backwards compatibility. They instead add new patches to the code, for stability all while ensuring this compatibility
Javascript has many trivial bugs

Question 2

All software has bugs

Answer 2

By transivity, all software has some vulnerability

Question 3

SAP’s two-staged security expert model

Answer 3

• central security team, defines the security global processes such as the SAP Secure Development Lifecycle (SSDLC)
• local security champions in each development area or team supporting the devs, architects and product owners implementing said SSDLC

Question 4

Main Steps in SAP SDLC

Answer 4

Preparation
Training
Development
Security Testing
Transition
Utilization

Question 5

Preparation SAP SDLC

Answer 5

Identifying application specific risks, third party components

Question 6

Development

Answer 6

Security Measures Plan describing all planned activity to mitigate security risks identified in preparation

Security testing execution with documented results

Question 7

Transition

Answer 7

Security Validation acting like the first customer executing a security analysis and security test of the product

contains
architectural analysis
code reviews
penetration testing

Question 8

Utilization

Answer 8

Security response team handles communication with customers and external researchers with respect to reported vulnerabilities

covers own code and 3rd party components

Question 9

Secure Development LifeCycle adapted for cloud and agile software development approaches

Answer 9

Cyclic progression of:
Risk identification
Plan Security Measures
BUILD
Secure Development
Security Testing
Security Validation
RELEASE
Security Response

Tackles in sprints