Chapter 1 - Secure Software Concepts Flashcards
What is the iron triangle?
Schedule, Scope, and Cost.
What are the core security concepts?
Confidentiality, Integrity, Availability.
What is authentication?
The security concept that answers the question “Are you who you claim to be?”
What is nonrepudiation?
Deniability of actions taken by either a user or software on behalf of a user.
What is a clipping level?
A predetermined, baseline level of allowable errors, such as user errors.
What is economy of mechanism?
Keep it simple. Complexity leads to greater vulnerabilities.
What is complete mediation?
A security principle that ensures that authority is not circumvented in subsequent requests of an object by a subject by checking for authorization (rights and privileges) upon every request for the object.
What is least common mechanisms?
The security principle of least common mechanisms disallows the sharing of mechanisms that are common to more than one user or process if the users and processes are at different levels of privilege.
What is a vulnerability?
A weakness or flaw that could be accidentally triggered or intentionally exploited by an attacker, resulting in the breach or breakdown of the security policy.
What is a threat?
A threat is merely the possibility of an unwanted, unintended, or harmful event occurring.
What is a threat agent?
Anyone or anything that has the potential to make a threat materialize is known as the threat source or threat agent.
What is an attack?
When the threat agent actively and intentionally causes a threat to happen, it is referred to as an “attack” and the threat agents are commonly referred to as “attackers.”
How do you quantify risk?
Risk is conventionally expressed as the product of the probability of a threat source/agent taking advantage of a vulnerability and the corresponding impact.
What is SLE?
It is calculated as the product of the value of the asset (usually expressed monetarily) and the exposure factor, which is expressed as a percentage of asset loss when a threat is materialized.
SLE = ASSET VALUE ($) × EXPOSURE FACTOR (%)
What is exposure factor?
The percentage of asset loss when a threat is materialized.
What is ARO?
The ARO is an expression of the number of incidents from a particular threat that can be expected in a year.
What is ALE?
ALE is an indicator of the magnitude of risk in a year. ALE is the product of SLE × ARO.
When should you accept risk?
When the cost of mitigating the risk exceeds the risk of accepting it.
What are the 4 risk management options?
Avoid
Transfer
Mitigate
Accept
What is crossover error rate?
The point at which the false rejection rate equals the false acceptance rate.
What should a security policy specify?
What needs to be protected and the repercussions of noncompliance. Goals and objectives.
What are the benefits of adopting a coding standard?
Consistency in style, improved code readability, and maintainability are some of the non-security-related benefits of following a coding standard.
What is instrumentation?
Instrumentation is the inline commenting of code that is used to describe the operations undertaken by a code section.
What are the 12 PCI-DSS foundational requirements?
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmissions of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
What is NIST SP 800-64?
Security Considerations in the System Development Life Cycle.
What is NIST 800-12?
Introduction to Computer Security
What are the categories of information system security controls?
Management, operational, and technology.
What is NIST 800-14?
Generally Accepted Principles and Practices for Securing IT Systems
What is NIST 800-30?
Risk Management Guide for IT
What is NIST 800-100?
Information Security Handbook: A Guide for Managers
What is ISO/IEC 27000:2009?
Information Security Management System (ISMS) Overview and Vocabulary
What is ISO/IEC 27001:2005?
Information Security Management Systems
What is ISO/IEC 27002:2005?
Code of Practice for Information Security Management
What is ISO/IEC 27005:2008?
Information Security Risk Management
What is ISO/IEC 27006:2007?
Requirements for Bodies Providing Audit and Certification of Information Security Management Systems
What is ISO/IEC 15408?
Evaluation Criteria for IT Security (Common Criteria)
What are EALs?
Evaluation Assurance Levels
What are SFRs?
In the Common Criteria, they are Security Functional Requirements.
What are SARs?
In the Common Criteria, Security Assurance Requirements.
What is a PP?
Protection Profile in the Common Criteria.
Used to create a set of reusable, generalized security requirements.
What is CC EAL 1?
Functionally tested
What is CC EAL 2?
Structurally tested
What is CC EAL 3?
Methodically tested and checked
What is CC EAL 4?
Methodically designed, tested, and reviewed