Chapter 1 - Secure Software Concepts

Question 1

What is the iron triangle?

Answer 1

Schedule, Scope, and Cost.

Question 2

What are the core security concepts?

Answer 2

Confidentiality, Integrity, Availability.

Question 3

What is authentication?

Answer 3

The security concept that answers the question “Are you who you claim to be.”

Question 4

What is nonrepudiation?

Answer 4

Deniability of actions taken by either a user or software on behalf of a user.

Question 5

What is a clipping level?

Answer 5

A predetermined, baseline level of allowable errors, such as user errors.

Question 6

What is economy of mechanism?

Answer 6

Keep it simple. Complexity -> greater vulnerabilities.

Question 7

What is complete mediation?

Answer 7

A security principle that ensures that authority is not circumvented in subsequent requests of an object by a subject by checking for authorization (rights and privileges) upon every request for the object.

Question 8

Least Common Mechanisms

Answer 8

The security principle of least common mechanisms disallows the sharing of mechanisms that are common to more than one user or process if the users and processes are at different levels of privilege

Question 9

What is a vulnerability?

Answer 9

A weakness or flaw that could be accidently triggered or intentionally exploited by an attacker, resulting in the breach or breakdown of the security polic

Question 10

What is a threat?

Answer 10

A threat is merely the possibility of an unwanted, unintended, or harmful event occurring.

Question 11

What is a threat agent?

Answer 11

Anyone or anything that has the potential to make a threat materialize is known as the threat source or threat agent.

Question 12

What is an attacK?

Answer 12

When the threat agent actively and intentionally causes a threat to happen, it is referred to as an “attack” and the threat agents are commonly referred to as “attackers.”

Question 13

How do you quantify risk?

Answer 13

Risk is conventionally expressed as the product of the probability of a threat source/agent taking advantage of a vulnerability and the corresponding impact.

Question 14

What is SLE?

Answer 14

It is calculated as the product of the value of the asset (usually expressed monetarily) and the exposure factor, which is expressed as a percentage of asset loss when a threat is materialized.

Question 15

What is SLE?

Answer 15

It is calculated as the product of the value of the asset (usually expressed monetarily) and the exposure factor, which is expressed as a percentage of asset loss when a threat is materialized.

SLE = ASSET VALUE ($) × EXPOSURE FACTOR (%)

Question 16

What is exposure factor?

Answer 16

percentage of asset loss when a threat is materialized.

Question 17

What is ARO?

Answer 17

The ARO is an expression of the number of incidents from a particular threat that can be expected in a year.

Question 18

What is ALE?

Answer 18

ALE is an indicator of the magnitude of risk in a year. ALE is a product of SLE × ARO

Question 19

When should you accept risk?

Answer 19

When the cost of mitigating the risk exceeds the risk of accepting it.

Question 20

What are the 4 risk management options?

Answer 20

Avoid
Transfer
Mitigate
Accept

Question 21

What is crossover error rate?

Answer 21

The point at which the false rejection rate equals the false acceptance rate.

Question 22

What should a security policy specify?

Answer 22

What needs to be protected and the repercussions of noncompliance. Goals and objectives.

Question 23

What are the benefits of adopting a coding standard?

Answer 23

Consistency in style, improved code readability, and maintainability are some of the nonsecurity related benefits one gets when they follow a coding standard.

Question 24

What is instrumentation?

Answer 24

Instrumentation is the inline commenting of code that is used to describe the operations undertaken by a code section.

Question 25

What are the 12 PCI-DSS foundational requirements?

Answer 25

1: Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data
4. Encrypt transmissions of candholder data across open, public networks.
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict acces to cardholder data by business need to know.
8> Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
12 Maintain a policy that addresses information security

Question 26

What is NIST SP 800-64?

Answer 26

Security considerations in the System Development LifeCycle.

Question 27

What is NIST 800-12?

Answer 27

Introduction to Computer Security

Question 28

What are the categories of information system security controls?

Answer 28

Management, operational, and technology.

Question 29

What is NIST 800-14?

Answer 29

Generally Accepted Principles and Practices for Securing IT Systems

Question 30

What is NIST 800-30?

Answer 30

Risk Management Guide for IT

Question 31

What is NIST 800-100?

Answer 31

Information Security Handbook: A Guide for Managers

Question 32

What is ISO/IEC 27000:2009

Answer 32

Information Security Management System (ISMS) Overview and Vocabulary

Question 33

What is ISO/IEC 27000:2009

Answer 33

Information Security Management System (ISMS) Overview and Vocabulary

Question 34

What is ISO/IEC 27001:2005

Answer 34

Information Security Management Systems

Question 35

What is ISO/IEC 27002:2005

Answer 35

Code of Practice for Information Security Management

Question 36

What is ISO/IEC 27005:2008

Answer 36

Information Security Risk Management

Question 37

What is ISO/IEC 27006:2007

Answer 37

Requirements for Bodies Providing Audit and Certification of Information Security Management Systems

Question 38

What is ISO/IEC 15408

Answer 38

Evaluating Criteria for IT Security (Common Criteria)

Question 39

What are EALs?

Answer 39

Evaluation Assuarnce Levels

Question 40

What are SFRs?

Answer 40

In the Common Criteral, they are Security Functional Requirements.

Question 41

What are SARs?

Answer 41

In Common Criterial, Security Assurance Requirements.

Question 42

What is a PP?

Answer 42

Protection Profile in the Common Critera.

Used to create a set of reusable, generalized security requirements.

Question 43

What is CC EAL 1?

Answer 43

Functionally tested

Question 44

What is CC EAL 2?

Answer 44

Structurally tested

Question 45

What is CC EAL 3?

Answer 45

Methodically tested and checked

Question 46

What is CC EAL 4?

Answer 46

Methodically designed, tested, and reviewed

Question 47

What is CC EAL 5?

Answer 47

Semiformally designed and tested

Question 48

What is CC EAL 6?

Answer 48

Semiformally verified design and tested

Question 49

What is CC EAL 7?

Answer 49

Formally verified design and tested

Question 50

What is IOS/IEC 21827:2008

Answer 50

System Security Engineering Capability Maturity Model® (SSE-CMM)

Question 51

What is ISO/IEC 9216?

Answer 51

Software Engineering Product Quality

Question 52

What are the six quality characteristics specified by ISO/IEC 9216?

Answer 52

functionality, reliability, usability, efficiency, maintainability, and portability

Question 53

What does FIPS 140-2 specify?

Answer 53

Security Requirement for Cryptographic Modules

Question 54

What does FIPS 197 specify?

Answer 54

Advanced Encryption Standard

Question 55

What does FIPS 201 specify?

Answer 55

Personal Identity Verification (PIV) of Federal Employees and Contractors

Question 56

What is AES?

Answer 56

The AES algorithm is a symmetric block cipher that can be used to encrypt (convert humanly intelligible plaintext to unintelligible form called cipher text) and decrypt (convert cipher text to plaintext).

Question 57

What are the OWASP top 10?

Answer 57

1. Injection
2. Cross site scripting
   3 Broken authentication and session management
   4 Insecure direct object references
   5 Cross-site request forgery
3. Security misconfiguration
4. Failure to restrict URL access
5. Unvalidated redirects and forwards
6. insecure cryptographic storage
7. insufficient transport layer protection

Question 58

What is OCTAVE?

Answer 58

Operationally Critical Threat, Asset, and Vulnerability Evaluation

Question 59

Who devleoped OCTAVE?

Answer 59

Carnegie Mellon

Question 60

What are the phases of Octave?

Answer 60

1. Build asset-based threat profiles
2. Identify infrasturcture vulnerabilities
3. Develop security strategy and plans

Question 61

What is STRIDE?

Answer 61

a threat modeling methodology (Howard & LeBlanc, 2003) that is performed in the design phase of software development in which threats are grouped into the following six broad categories

Question 62

What are the 6 categories of threats in STRIDE?

Answer 62

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege

Question 63

What is DREAD?

Answer 63

A risk calculation or rating methodology

Question 64

What are the five dimensions of DREAD?

Answer 64

Damage Potential
Reproducability
Exploitability
Affected users
Discoverability

Question 65

What is OSSTMM

Answer 65

Open Source Security Testing Methodology Manual

Question 66

What is OSSTMM

Answer 66

Open Source Security Testing Methodology Manual

Question 67

What is a STAR? What produces it?

Answer 67

A Security Test Audit Report. OSSTMM

Question 68

What is FHM?

Answer 68

The Flaw Hypothesis Method (FHM) is as the name suggests a vulnerability prediction and analysis method that uses comprehensive penetration testing to test the strength of the security of the software.

Question 69

What are the phases of FHM?

Answer 69

Phase 1: Hypothesizing potential flaws in software
Phase 2: Confirmation of flaws by conducting actual simulation penetration tests and desk checking tests.
Phase 3:Generalization of confirmed flaws to uncover other possibilities of weaknesses in the software.
Phase 4: Addressing the discovered flaws in the software to mitigate risk

Question 70

What are the phases of FHM?

Answer 70

Phase 1: Hypothesizing potential flaws in software
Phase 2: Confirmation of flaws by conducting actual simulation penetration tests and desk checking tests.
Phase 3:Generalization of confirmed flaws to uncover other possibilities of weaknesses in the software.
Phase 4: Addressing the discovered flaws in the software to mitigate risk

Question 71

What is Six Sigma

Answer 71

A methodology that measures quality with a target of no more than 3.4 defects per million opportunities.

Question 72

What are the key submethodologies in Six Sigma?

Answer 72

DMAIC (define, measure, analyze, improve, and control), which is used for incremental improvement of existing processes that are below Six Sigma quality.

DMADV (define, measure, analyze, design, and verify), which is used to develop new processes for Six Sigma products and services.

Question 73

What is CMMI

Answer 73

Capability Maturity Model Integration

Question 74

What is SCAMPI?

Answer 74

STandard CMMI Appraisal Method for Process Improvement

Question 75

What are the 5 CMMI levels

Answer 75

Initial (Level 1): Processes are ad hoc, poorly controlled, reactive, and highly unpredictable.

Repeatable (Level 2): Also reactive in nature, the processes are grouped at the project level and are characterized as being repeatable and managed by basic project management tracking of cost and schedule.

Defined (Level 3): Level 2 maturity level deals with processes at the project level, but in this level, the maturity of the organizational processes is established and improved continuously. Processes are characterized, well understood, and proactive in nature.

Managed Quantitatively (Level 4): In this level, the premise for maturity is that what cannot be measured cannot be managed and so the processes are measured against appropriate metrics and controlled.

Optimizing (Level 5): In this level, the focus is on continuous process improvements through innovative technologies and incremental improvements.

Question 76

What is the Zachman Framework?

Answer 76

a 6 × 6 matrix that factors in six reification transformations (strategist, owner, designer, builder, implementer, and workers) along the rows and six communication interrogatives (what, how, where, who, when, and why) as columns.

Question 77

Describe SABSA.

Answer 77

Sherwood Applied Business Security Architecture

a framework for developing risk-based enterprise security architectures and for delivering security solutions that support business initiatives.

based on the premise that security requirements are determined from the analysis of the business requirements.

Has layers:
View/Security Architecture Level

Business/Contextual

Architect/Conceptual

Designer/Logical

Builder/Physical

Tradesman/Component

Facilities manager/Operational

Question 78

Describe SABSA.

Answer 78

Sherwood Applied Business Security Architecture

a framework for developing risk-based enterprise security architectures and for delivering security solutions that support business initiatives.

based on the premise that security requirements are determined from the analysis of the business requirements.

Has layers:
View/Security Architecture Level

Business/Contextual

Architect/Conceptual

Designer/Logical

Builder/Physical

Tradesman/Component

Facilities manager/Operational

Question 79

What is SOX?

Answer 79

Sarbanes–Oxley (SOX) Act

enacted in 2002 to improve quality and transparency in financial reporting and independent audits and accounting services for public companies.

Question 80

BASEL II

Answer 80

European Financial Regulatory Act that was originally developed to protect against financial operations risks and fraud.

Question 81

Gramm–Leach–Bliley Act (GLBA)

Answer 81

a financial privacy act that aims to protect consumers’ personal financial information (PFI) contained in financial institutions.

Question 82

HIPAA

Answer 82

Health Insurance Portability and Accountability Act

Question 83

Data Protection Act

Answer 83

declares that personal data protection is a fundamental human right and requires that personal data that are no longer necessary for the purposes they were collected in the first place must either be deleted or modified so that they no longer can identify the individual that the data were originally collected from.

Question 84

Computer Misuse Act

Answer 84

Computer misuse such as hacking, unauthorized access, unauthorized modification of contents, and disruptive activities like the introduction of viruses are designated as criminal offenses.

Question 85

California State Bill 1386

Answer 85

SB 1386 requires that personal information be destroyed when it is no longer needed by the collecting entity.

Question 86

What kind of model is Bell-LaPadula?

Answer 86

Confidentiality

Question 87

List the Confidentiality Models.

Answer 87

Bell-LaPadula

Question 88

What kind of model is Biba?

Answer 88

Integrity

Question 89

What kind of model is Clark and Wilson?

Answer 89

Integrity

Question 90

What kind of model is Brewer and Nash

Answer 90

Access Control

Question 91

What kind of model is Clark and Wilson?

Answer 91

Integrity

Question 92

What kind of model is Brewer and Nash?

Answer 92

Access Control

Question 93

What is BLP primarily concerned with?

Answer 93

The Bell-LaPadula model is primarily concerned with disclosure.

Question 94

What is the simple security property?

Answer 94

If you have read capability, you can read data at your level of secrecy or lower, but not higher. AKA, “no read up”.

Question 95

What is the star (*) security property?

Answer 95

If you have write capability, you can write data at your level of secrecy or higher, but not lower. “No write down”.

Question 96

What is the strong star security property?

Answer 96

If you have both read and write capability, you can only read and write at your level of secrecy.

Question 97

What is the Biba model primarily concernedwith?

Answer 97

Modification or alteration of data.

Question 98

What other model is Biba considered equivalent to as far as integrity goes?

Answer 98

Bell-LaPadula

Question 99

What is the invocation property?

Answer 99

It’s the difference between Biba and Bell-LaPadula. Subjects can’t send messages to objects with higher integrity.

Question 100

Describe the Clark and Wilson Model.

Answer 100

A security model that uses access triples, which require that a subject may only modify an object through a trusted program or application.

Question 101

Describe the Brewer and Nash Model.

Answer 101

Chinese Wall.

Individuals may access data as long as there is no conflict of interest. If you access data for client A, who competes with client B, you may not access client B’s data.

Question 102

What operates in Ring 0?

Answer 102

The OS/kernel.

Question 103

What operates in Ring 1?

Answer 103

I/O utilities

Question 104

What operates in Ring 2?

Answer 104

Drivers

Question 105

What operates in Ring 3?

Answer 105

User applications

Question 106

What is the “security kernel”?

Answer 106

That hardware, firmware, and software elements of a TCK.

Question 107

What are the 4 basic functions of the TCB?

Answer 107

1. Process activiation
2. Execution domain switching
3. Memory protection
4. Input/output operations

Question 108

What is the reference monitor?

Answer 108

The reference monitor is an abstract concept that enforces or mediates access relationships between subjects and objects.

Question 109

What is a subject?

Answer 109

Subjects are active entities that request a resource.

Question 110

What is an object?

Answer 110

Objects are passive entities and examples of this include a file, a program, data, or hardware.

Question 111

What attributes should the refence monitor have?

Answer 111

Tamper proof
Always invoked (can’t be circumvented)
Verifiable

Question 112

What is a rootkit?

Answer 112

Authors Hoglund and Butler in their book, Rootkits, define a rootkit as “a set (kit) of programs and code that allows an attacker to maintain a permanent or consistent undetectable access to ‘root,’ the most powerful user on a computer.”

Question 113

What is the TPM?

Answer 113

Trusted Platform Module.

the TPM is a specification used in personal computers and other systems to ensure protection against disclosure of sensitive or private information as well as the implementation of the specification itself. The implementation of the specification, currently in version 1.2, is a microcontroller commonly referred to as the TPM chip usually affixed to the motherboard (hardware) itself.

Question 114

What does the TPM chip do?

Answer 114

A TPM chip can be used to uniquely identify a hardware device and provide hardware-based device authentication. It can be complementary to smartcards and biometrics and in that sense facilitates strong multifactor authentication and enables true machine and user authentication by requiring the presentation of authorization data before disclosing sensitive or private information.

Question 115

What is the “cold boot attack?”

Answer 115

See Chapter 7.