Chapter 1 - Secure Software Concepts Flashcards

1
Q

What is the iron triangle?

A

Schedule, Scope, and Cost.

2
Q

What are the core security concepts?

A

Confidentiality, Integrity, Availability.

3
Q

What is authentication?

A

The security concept that answers the question “Are you who you claim to be?”

4
Q

What is nonrepudiation?

A

Deniability of actions taken by either a user or software on behalf of a user.

5
Q

What is a clipping level?

A

A predetermined, baseline level of allowable errors, such as user errors.

6
Q

What is economy of mechanism?

A

Keep it simple. Complexity -> greater vulnerabilities.

7
Q

What is complete mediation?

A

A security principle that ensures that authority is not circumvented in subsequent requests of an object by a subject by checking for authorization (rights and privileges) upon every request for the object.

8
Q

Least Common Mechanisms

A

The security principle of least common mechanisms disallows the sharing of mechanisms that are common to more than one user or process if the users and processes are at different levels of privilege

9
Q

What is a vulnerability?

A

A weakness or flaw that could be accidentally triggered or intentionally exploited by an attacker, resulting in the breach or breakdown of the security policy.

10
Q

What is a threat?

A

A threat is merely the possibility of an unwanted, unintended, or harmful event occurring.

11
Q

What is a threat agent?

A

Anyone or anything that has the potential to make a threat materialize is known as the threat source or threat agent.

12
Q

What is an attack?

A

When the threat agent actively and intentionally causes a threat to happen, it is referred to as an “attack” and the threat agents are commonly referred to as “attackers.”

13
Q

How do you quantify risk?

A

Risk is conventionally expressed as the product of the probability of a threat source/agent taking advantage of a vulnerability and the corresponding impact.

15
Q

What is SLE?

A

It is calculated as the product of the value of the asset (usually expressed monetarily) and the exposure factor, which is expressed as a percentage of asset loss when a threat is materialized.

SLE = ASSET VALUE ($) × EXPOSURE FACTOR (%)

16
Q

What is exposure factor?

A

Percentage of asset loss when a threat is materialized.

17
Q

What is ARO?

A

The ARO is an expression of the number of incidents from a particular threat that can be expected in a year.

18
Q

What is ALE?

A

ALE is an indicator of the magnitude of risk in a year. ALE is the product of SLE × ARO.

19
Q

When should you accept risk?

A

When the cost of mitigating the risk exceeds the risk of accepting it.

20
Q

What are the 4 risk management options?

A

Avoid
Transfer
Mitigate
Accept

21
Q

What is crossover error rate?

A

The point at which the false rejection rate equals the false acceptance rate.

22
Q

What should a security policy specify?

A

What needs to be protected and the repercussions of noncompliance. Goals and objectives.

23
Q

What are the benefits of adopting a coding standard?

A

Consistency in style, improved code readability, and maintainability are some of the nonsecurity related benefits one gets when they follow a coding standard.

24
Q

What is instrumentation?

A

Instrumentation is the inline commenting of code that is used to describe the operations undertaken by a code section.

25
Q

What are the 12 PCI-DSS foundational requirements?

A

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmissions of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

26
Q

What is NIST SP 800-64?

A

Security Considerations in the System Development Life Cycle.

27
Q

What is NIST 800-12?

A

Introduction to Computer Security

28
Q

What are the categories of information system security controls?

A

Management, operational, and technology.

29
Q

What is NIST 800-14?

A

Generally Accepted Principles and Practices for Securing IT Systems

30
Q

What is NIST 800-30?

A

Risk Management Guide for IT

31
Q

What is NIST 800-100?

A

Information Security Handbook: A Guide for Managers

32
Q

What is ISO/IEC 27000:2009?

A

Information Security Management System (ISMS) Overview and Vocabulary

34
Q

What is ISO/IEC 27001:2005?

A

Information Security Management Systems

35
Q

What is ISO/IEC 27002:2005?

A

Code of Practice for Information Security Management

36
Q

What is ISO/IEC 27005:2008?

A

Information Security Risk Management

37
Q

What is ISO/IEC 27006:2007?

A

Requirements for Bodies Providing Audit and Certification of Information Security Management Systems

38
Q

What is ISO/IEC 15408?

A

Evaluating Criteria for IT Security (Common Criteria)

39
Q

What are EALs?

A

Evaluation Assurance Levels

40
Q

What are SFRs?

A

In the Common Criteria, they are Security Functional Requirements.

41
Q

What are SARs?

A

In the Common Criteria, Security Assurance Requirements.

42
Q

What is a PP?

A

Protection Profile in the Common Criteria.

Used to create a set of reusable, generalized security requirements.

43
Q

What is CC EAL 1?

A

Functionally tested

44
Q

What is CC EAL 2?

A

Structurally tested

45
Q

What is CC EAL 3?

A

Methodically tested and checked

46
Q

What is CC EAL 4?

A

Methodically designed, tested, and reviewed

47
Q

What is CC EAL 5?

A

Semiformally designed and tested

48
Q

What is CC EAL 6?

A

Semiformally verified design and tested

49
Q

What is CC EAL 7?

A

Formally verified design and tested

50
Q

What is ISO/IEC 21827:2008?

A

System Security Engineering Capability Maturity Model® (SSE-CMM)

51
Q

What is ISO/IEC 9216?

A

Software Engineering Product Quality

52
Q

What are the six quality characteristics specified by ISO/IEC 9216?

A

functionality, reliability, usability, efficiency, maintainability, and portability

53
Q

What does FIPS 140-2 specify?

A

Security Requirement for Cryptographic Modules

54
Q

What does FIPS 197 specify?

A

Advanced Encryption Standard

55
Q

What does FIPS 201 specify?

A

Personal Identity Verification (PIV) of Federal Employees and Contractors

56
Q

What is AES?

A

The AES algorithm is a symmetric block cipher that can be used to encrypt (convert humanly intelligible plaintext to unintelligible form called cipher text) and decrypt (convert cipher text to plaintext).

57
Q

What are the OWASP top 10?

A
  1. Injection
  2. Cross-site scripting
  3. Broken authentication and session management
  4. Insecure direct object references
  5. Cross-site request forgery
  6. Security misconfiguration
  7. Failure to restrict URL access
  8. Unvalidated redirects and forwards
  9. Insecure cryptographic storage
  10. Insufficient transport layer protection
58
Q

What is OCTAVE?

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation

59
Q

Who developed OCTAVE?

A

Carnegie Mellon

60
Q

What are the phases of Octave?

A
  1. Build asset-based threat profiles
  2. Identify infrastructure vulnerabilities
  3. Develop security strategy and plans
61
Q

What is STRIDE?

A

A threat modeling methodology (Howard & LeBlanc, 2003) that is performed in the design phase of software development, in which threats are grouped into six broad categories.

62
Q

What are the 6 categories of threats in STRIDE?

A
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
63
Q

What is DREAD?

A

A risk calculation or rating methodology

64
Q

What are the five dimensions of DREAD?

A
Damage Potential
Reproducibility
Exploitability
Affected users
Discoverability
65
Q

What is OSSTMM?

A

Open Source Security Testing Methodology Manual

67
Q

What is a STAR? What produces it?

A

A Security Test Audit Report. OSSTMM

68
Q

What is FHM?

A

The Flaw Hypothesis Method (FHM) is, as the name suggests, a vulnerability prediction and analysis method that uses comprehensive penetration testing to test the strength of the security of the software.

69
Q

What are the phases of FHM?

A

Phase 1: Hypothesizing potential flaws in software
Phase 2: Confirmation of flaws by conducting actual simulation penetration tests and desk checking tests.
Phase 3: Generalization of confirmed flaws to uncover other possible weaknesses in the software.
Phase 4: Addressing the discovered flaws in the software to mitigate risk

71
Q

What is Six Sigma?

A

A methodology that measures quality with a target of no more than 3.4 defects per million opportunities.

72
Q

What are the key submethodologies in Six Sigma?

A

DMAIC (define, measure, analyze, improve, and control), which is used for incremental improvement of existing processes that are below Six Sigma quality.

DMADV (define, measure, analyze, design, and verify), which is used to develop new processes for Six Sigma products and services.

73
Q

What is CMMI?

A

Capability Maturity Model Integration

74
Q

What is SCAMPI?

A

Standard CMMI Appraisal Method for Process Improvement

75
Q

What are the 5 CMMI levels?

A

Initial (Level 1): Processes are ad hoc, poorly controlled, reactive, and highly unpredictable.

Repeatable (Level 2): Also reactive in nature, the processes are grouped at the project level and are characterized as being repeatable and managed by basic project management tracking of cost and schedule.

Defined (Level 3): Level 2 maturity level deals with processes at the project level, but in this level, the maturity of the organizational processes is established and improved continuously. Processes are characterized, well understood, and proactive in nature.

Managed Quantitatively (Level 4): In this level, the premise for maturity is that what cannot be measured cannot be managed and so the processes are measured against appropriate metrics and controlled.

Optimizing (Level 5): In this level, the focus is on continuous process improvements through innovative technologies and incremental improvements.

76
Q

What is the Zachman Framework?

A

A 6 × 6 matrix that factors in six reification transformations (strategist, owner, designer, builder, implementer, and workers) along the rows and six communication interrogatives (what, how, where, who, when, and why) as columns.

77
Q

Describe SABSA.

A

Sherwood Applied Business Security Architecture

A framework for developing risk-based enterprise security architectures and for delivering security solutions that support business initiatives.

Based on the premise that security requirements are determined from the analysis of the business requirements.

Has layers:
View/Security Architecture Level

Business/Contextual

Architect/Conceptual

Designer/Logical

Builder/Physical

Tradesman/Component

Facilities manager/Operational

79
Q

What is SOX?

A

Sarbanes–Oxley (SOX) Act

Enacted in 2002 to improve quality and transparency in financial reporting and independent audits and accounting services for public companies.

80
Q

BASEL II

A

European Financial Regulatory Act that was originally developed to protect against financial operations risks and fraud.

81
Q

Gramm–Leach–Bliley Act (GLBA)

A

A financial privacy act that aims to protect consumers’ personal financial information (PFI) held by financial institutions.

82
Q

HIPAA

A

Health Insurance Portability and Accountability Act

83
Q

Data Protection Act

A

Declares that personal data protection is a fundamental human right and requires that personal data that are no longer necessary for the purposes for which they were originally collected must either be deleted or modified so that they can no longer identify the individual from whom the data were originally collected.

84
Q

Computer Misuse Act

A

Computer misuse such as hacking, unauthorized access, unauthorized modification of contents, and disruptive activities like the introduction of viruses are designated as criminal offenses.

85
Q

California State Bill 1386

A

SB 1386 requires that personal information be destroyed when it is no longer needed by the collecting entity.

86
Q

What kind of model is Bell-LaPadula?

A

Confidentiality

87
Q

List the Confidentiality Models.

A

Bell-LaPadula

88
Q

What kind of model is Biba?

A

Integrity

89
Q

What kind of model is Clark and Wilson?

A

Integrity

90
Q

What kind of model is Brewer and Nash?

A

Access Control

93
Q

What is BLP primarily concerned with?

A

The Bell-LaPadula model is primarily concerned with disclosure.

94
Q

What is the simple security property?

A

If you have read capability, you can read data at your level of secrecy or lower, but not higher. AKA, “no read up”.

95
Q

What is the star (*) security property?

A

If you have write capability, you can write data at your level of secrecy or higher, but not lower. “No write down”.

96
Q

What is the strong star security property?

A

If you have both read and write capability, you can only read and write at your level of secrecy.

97
Q

What is the Biba model primarily concerned with?

A

Modification or alteration of data.

98
Q

What other model is Biba considered equivalent to as far as integrity goes?

A

Bell-LaPadula

99
Q

What is the invocation property?

A

It’s the difference between Biba and Bell-LaPadula. Subjects can’t send messages to objects with higher integrity.

100
Q

Describe the Clark and Wilson Model.

A

A security model that uses access triples, which require that a subject may only modify an object through a trusted program or application.

101
Q

Describe the Brewer and Nash Model.

A

Chinese Wall.

Individuals may access data as long as there is no conflict of interest. If you access data for client A, who competes with client B, you may not access client B’s data.

102
Q

What operates in Ring 0?

A

The OS/kernel.

103
Q

What operates in Ring 1?

A

I/O utilities

104
Q

What operates in Ring 2?

A

Drivers

105
Q

What operates in Ring 3?

A

User applications

106
Q

What is the “security kernel”?

A

The hardware, firmware, and software elements of a TCB.

107
Q

What are the 4 basic functions of the TCB?

A
  1. Process activation
  2. Execution domain switching
  3. Memory protection
  4. Input/output operations
108
Q

What is the reference monitor?

A

The reference monitor is an abstract concept that enforces or mediates access relationships between subjects and objects.

109
Q

What is a subject?

A

Subjects are active entities that request a resource.

110
Q

What is an object?

A

Objects are passive entities and examples of this include a file, a program, data, or hardware.

111
Q

What attributes should the reference monitor have?

A

Tamper proof
Always invoked (can’t be circumvented)
Verifiable

112
Q

What is a rootkit?

A

Authors Hoglund and Butler in their book, Rootkits, define a rootkit as “a set (kit) of programs and code that allows an attacker to maintain a permanent or consistent undetectable access to ‘root,’ the most powerful user on a computer.”

113
Q

What is the TPM?

A

Trusted Platform Module.

The TPM is a specification used in personal computers and other systems to ensure protection against disclosure of sensitive or private information, as well as the implementation of the specification itself. The implementation of the specification, currently in version 1.2, is a microcontroller commonly referred to as the TPM chip, usually affixed to the motherboard (hardware) itself.

114
Q

What does the TPM chip do?

A

A TPM chip can be used to uniquely identify a hardware device and provide hardware-based device authentication. It can be complementary to smartcards and biometrics and in that sense facilitates strong multifactor authentication and enables true machine and user authentication by requiring the presentation of authorization data before disclosing sensitive or private information.

115
Q

What is the “cold boot attack?”

A

See Chapter 7.