Chapter 13: Software Development Security Flashcards

1
Q

Software Development Life Cycle (SDLC)

A

The process of building software from conception to deployment

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

The Steps of the SDLC

A

Inception
Requirements Gathering
System Design
Development
Testing
Deployment

Training is not a part of the cycle but should be used to ensure that employees at all steps are properly security minded

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Requirements gathering

A

Accounts for regulations and standards that must be complied with. Accounts for adherence to organizational desires and policies. Is the point at which you should be considering the CIA triad, auditing requirements, nonrepudiation, and the like.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

System Design

A

This is the stage at which threat modeling should be employed to detect both design related and implementation related vulnerabilities. The process consists of the following:

Functional Decomposition: uses data flow diagrams to evaluate what attack surface (attackable points) is available and to outline what is moving across untrusted components where and when in the data flow process

Categorizing Threats

Ranking Threats

Mitigation Planning

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Development (Coding)

A

Security steps built in to this phase include:

Static analysis: using automated tools to look for issues

Peer review: developers putting additional sets of human eyes onto code as its being written

Unit testing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Testing

A

Requires using all of the security cases, use cases, etc, to build realistic testing scenarios to flush out issues. This could involve pen testers, dynamic analysis (automatic exploit checking).

Sometimes results in a loop of test-fail-fix-test

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Deployment

A

Final security reviews, and finalizing of plans to deal with inevitable bugs and security updates

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

OpenSAMM

A

Framework to help ensure security processes become a part of the SDLC. Scalable down to individual projects or up to entire organizations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly