Chapter 6 - Software Acceptance

Question 1

What is V&V

Answer 1

Validation and Verification

Question 2

What is C&A

Answer 2

Certification and Accrediation

Question 3

What is Software Acceptance?

Answer 3

Software acceptance is the process of officially or formally accepting new or modified software components that, when integrated, form the information system.

Question 4

What are the objectives of software acceptance?

Answer 4

• Verification that the software meets specified functional and assurance requirements
• Verification that the software is operationally complete and secure as expected
• Obtaining the approvals from the system owner
• Transference of responsibility from the development team or company (vendor) to the system owner, support staff, and operations personnel if the software is deployed internally

Question 5

What are the guiding principles of software ready for release?

Answer 5

• Be secure by design, default, and deployment (Howard and LeBlanc, 2003)
• Complement existing defense in depth protection
• Run with least privilege
• Be irreversible and tamper-proof
• Isolate and protect administrative functionality and security management interfaces (SMIs)
• Have nontechnical protection mechanisms in place

Question 6

What is SD3?

Answer 6

Shorthand for “Secure in Design, Default, and Deployment”. The mantra for defense-in-depth.

Question 7

Why are EULA’s considered ineffective?

Answer 7

They are deterrent controls, not preventive.

Question 8

How can you prevent reverse engineering?

Answer 8

Code obfuscation and anti-tampering techniques. Previentive controls like EULAs, DMCA, etc, offer more than nothing, but the book calls them ineffective.

Question 9

What is RCE?

Answer 9

Reverse Code Enginering, aka reverse engineering code.

Question 10

Why is formal software acceptance important?

Answer 10

It’s the final checkpoint for discovering the existence of missed and unforeseen security vulnerabilities and for validating the presence of security controls that will address known threats.

Question 11

What items should be considered before accepting sftware built in-house?

Answer 11

Completion: Are all functional and security requirements completed?

Change management: Is there a process in place to handle change requests?

Approval to deploy/release: Have all required authorities signed off

Risk acceptance and exception policy: Is residual risk acceptance tracked if it’s not within the threshold

Documentation: Is all necessary documentation in place?

Question 12

What is a RTM?

Answer 12

Requirements Traceability Matrix

Question 13

What is a RTM?

Answer 13

Requirements Traceability Matrix

Question 14

What is the purpose of software completion criteria?

Answer 14

Ensuring that the functional and security requirements captured during the requirements gathering phase have been fully met.

Question 15

What security related milestones should be considered as completion criteria?

Answer 15

• Generation of the requirements traceability matrix (RTM) that includes security requirements besides functional requirements in the requirement phase
• Completion of the threat model during the design phase
• Review and sign-off on the security architecture at the end of the design phase
• Review of code for security vulnerabilities after the development phase
• Completion of security testing at the end of the application testing phase
• Completion of documentation before the deployment phase commences

Question 16

All security-related milestones should include?

Answer 16

An actual deliverable, like a RTM, threat model, security architecture design, code review report, security test report) that can be tracked.

Question 17

What should a threat model include?

Answer 17

documented threat lists and associated controls

Question 18

What should the architecture review sign off include?

Answer 18

the various components of the security profile and principles of secure design

Question 19

What larger process is change management part of?

Answer 19

Configuration management

Question 20

What is a PMO?

Answer 20

Program Managment Office

Question 21

What is a CCB

Answer 21

Configuration/Change Board.

Question 22

What should be verified as part of the software acceptance process?

Answer 22

• Change requests are evaluated for impact on the overall security of the software.
• The asset management database is updated with the new/updated software information.
• The change is requested formally, and evaluated and approved by appropriate signatory authorities.

Question 23

Who should accept risk?

Answer 23

The business owner, not an IT official.

Question 24

What elements should a risk acceptance tempalte use?

Answer 24

Risk, actions, issues, decisions.

Question 25

What is an AO?

Answer 25

Authorizing Official

Question 26

What are the options to address risk?

Answer 26

Accept, Transfer, Mitigate, Avoid

Question 27

How might you avoid risk?

Answer 27

Stop using the affected software.

Question 28

How might you transfer risk?

Answer 28

Insurance

Question 29

How might you accept risk?

Answer 29

This is simply a decision, but one that should be documented.

Question 30

What should members of the exception review board include?

Answer 30

Experts from differnt teams, such as business, software development, legal, privacy, and security.

Question 31

What is the most overlooked portion of the SDLC?

Answer 31

Documentation

Question 32

What documentaiton needs to be verified as complete?

Answer 32

RTM
Threat model
Risk Acceptance Document
Exception Policy Document
Change requests
Approvals
BCP or DRP
Incident Response Plan
Installation Guide
User Training Guide/Manual

Question 33

What is TCO

Answer 33

Total Cost of Ownership, which includes the cost of support and maintenance and the investment of time and resources necessary to incorporate security when it is deployed within your organization’s computing ecosystem.

Question 34

What protection mechanisms can be used if you are outsourcing software development

Answer 34

Contractual oblications
Require the vendor to integrate security into their SDLC
Code verification (code review)

Question 35

What should be in RFP to ensure secure software?

Answer 35

Explicitly stated security requirements
RFPs should be time-bound
Evaluation criteria should be predefined and explicitly stated

Respondents should demonstrate an understanding of the requirements, a solution, experience of their personnel, valid references, resources, cost, and schedule considerations.

Question 36

What is the strongest form of Intellectual Property protection?

Answer 36

Patents

Question 37

What are the requirements for a patent?

Answer 37

It must be of practical use

It must be novel, with at least one new characteristic that is nonexistent in the domain of existing knowledge (technical field).

It must demonstrate an inventive step

It must be compliant with the law and deemed as acceptable in a court of law

Question 38

What is a trademark?

Answer 38

Trademarks are distinctive signs that can be used to identify the maker uniquely from others who produce a similar product.

Question 39

How long can trademarks last?

Answer 39

Indefinitely, but they have to be renewed.

Question 40

What is a trade secret?

Answer 40

Any confidential business information that provides a company with a competitive advantage.

The information must not be generally known, readily accessible, or reasonably ascertainable.

It must have commercial value that is lost or reduced should the information be disclosed.

It must be protected by the holder of the information (e.g., through confidentiality agreements).

Question 41

What must be done for trade secret protection to attach to software?

Answer 41

Just being in object code is not enough (cite?).

Requires developer NDAs and protection against reverse engineering.

Question 42

What is “verification”?

Answer 42

As part of the V&V process, verification ensures that the software performs as it is required and designed to do.

Question 43

What is “validation”?

Answer 43

Validation is the process of evaluating software during and/or at the end of the development process to determine whether it satisfies specified requirements.

Question 44

What mechanisms should V&V look for?

Answer 44

security protection mechanisms to ensure confidentiality, integrity of data and system, availability, authentication, authorization, auditing, secure session management, proper exception handling, and configuration management.

Question 45

What are EALs?

Answer 45

Common Criteria Evaluation Assurance Levels.

Question 46

What must a formal review include?

Answer 46

Design and code review.

Question 47

What is the Fagan process?

Answer 47

a highly structured process with several steps to determine defects in development results, such as specifications, design, and code.

Question 48

What kinds of tests are performed during V&V?

Answer 48

Error detection and acceptance.

Question 49

What is IV&V?

Answer 49

Independent Verification and Validation

Question 50

Why is it bad to rely on tools to perform V&V?

Answer 50

False positives and false negatives. Tools don’t complety emulate human experience and decision-making capability.

Question 51

What standard provides guidance for bodies providing audit and certification of an information security management system (ISMS) and is primarily intended to support software accreditation?

Answer 51

ISO/IEC 27006-2007

Question 52

Security certification should include evalution of the following at a minimum:

Answer 52

• User rights, privileges, and profile management
• Sensitivity of data and application and appropriate controls
• Configurations of system, facility, and locations
• Interconnectivity and dependencies
• Operational security mode

Question 53

What documents are considered part of the Risk Acceptance documentaiton?

Answer 53

Disaster Recovery and Business Continuity Plans

Excepiton policy and Sign Off