Chapter 2 - Secure Software Requirements Flashcards
What quality attributes should secure software have?
Reliability
Resiliency
Recoverability
What is Reliability?
An attribute of secure software. The software functions as it is expected to.
What is Resiliency?
An attribute of secure software. The software doesn’t violate any security policy and can withstand the actions of threat agents and user errors.
What is Recoverability?
The software can restore operations to what the business expects by containing and limiting damage caused by threats that materialize.
What is an RTM?
Requirements Traceability Matrix
What are some internal sources of software requirements?
Policies
Standards
Guidelines
Patterns
Practices
What are some external sources of software requirements?
Regulations
Compliance initiatives
Geographical requirements
Who is ultimately responsible for software risk?
The business owner.
What are confidentiality requirements?
Those that address protection against disclosure of data or information that are personal or sensitive to unauthorized individuals.
What are the two broad data classifications?
Public and non-public
What is another name for public data?
Directory information
What are the most common forms of covert secret writing?
Steganography and digital watermarking.
What is masking?
A weak form of confidentiality protection in which original information is asterisked or Xed out.
What are the three methods for which confidentiality requirements need to be developed?
In transit
In processing
In storage
What are integrity requirements?
Requirements that address reliability assurance and prevention of unauthorized modification.
What do integrity controls assure?
Reliability (the software does what it should), accuracy, completeness, and consistency.
What is even parity?
Addition of a parity bit to data such that there is an even number of 1 bits in the data.
What is odd parity?
Addition of a parity bit to data such that there is an odd number of 1 bits in the data.
What is the strongest form of data integrity?
Hashing.
What are availability requirements?
Those software requirements that ensure protection against destruction of the software system and/or data, thereby assisting in the prevention of DoS to authorized users.
What is MTD?
Maximum Tolerable Downtime
What is RTO?
Recovery Time Objective
RTO is the amount of time by which the system or software needs to be restored back to the expected state of business operations for authorized business users when it goes down.
Where should MTD and RTO be stated?
The SLA (Service Level Agreement)
What is BIA?
Business Impact Analysis.
A qualitative or quantitative analysis of the cost of failure of the software to operate. This can include loss of credibility, confidence, or brand reputation.
What is a single point of failure?
Having no redundancy capabilities
What is replication?
Master/slave or primary/secondary scheme in which there is one master or primary node and updates are propagated to the slave or secondary nodes either actively or passively.
What is active/active replication?
Active/active replication implies that updates are made to both the master and slave systems at the same time.
What is active/passive replication?
The updates are made to the master node first, and the changes are then pushed to the replicas.
What is authentication?
Validating an entity’s claim. Typically identity claims or credentials are validated against a trusted source.
What are the most common forms of authentication?
Anonymous
Basic
Digest
Integrated
Client certificates
Forms
Tokens
Smart cards
Biometrics
What is anonymous authentication?
No prompting for credentials. Implies unlinkability (no way to link a user or system to their actions). Generally avoid unless there’s a reason to have it.
What is Basic Authentication?
HTTP BasicAuth. Credentials are transmitted in Base64. Avoid, because it is easily decoded.
What is Digest Authentication?
Challenge/response. Does not send credentials in clear text, but sends a hash of the original credential. Can’t be easily spoofed.