Chapter 6 - Software Acceptance Flashcards
What is V&V
Validation and Verification
What is C&A
Certification and Accreditation
What is Software Acceptance?
Software acceptance is the process of officially or formally accepting new or modified software components that, when integrated, form the information system.
What are the objectives of software acceptance?
- Verification that the software meets specified functional and assurance requirements
- Verification that the software is operationally complete and secure as expected
- Obtaining the approvals from the system owner
- Transference of responsibility from the development team or company (vendor) to the system owner, support staff, and operations personnel if the software is deployed internally
What are the guiding principles of software ready for release?
- Be secure by design, default, and deployment (Howard and LeBlanc, 2003)
- Complement existing defense in depth protection
- Run with least privilege
- Be irreversible and tamper-proof
- Isolate and protect administrative functionality and security management interfaces (SMIs)
- Have nontechnical protection mechanisms in place
What is SD3?
Shorthand for “Secure in Design, Default, and Deployment”. The mantra for defense-in-depth.
Why are EULA’s considered ineffective?
They are deterrent controls, not preventive.
How can you prevent reverse engineering?
Code obfuscation and anti-tampering techniques. Deterrent controls like EULAs, the DMCA, etc., offer more than nothing, but the book calls them ineffective.
What is RCE?
Reverse Code Engineering, aka reverse engineering code.
Why is formal software acceptance important?
It’s the final checkpoint for discovering the existence of missed and unforeseen security vulnerabilities and for validating the presence of security controls that will address known threats.
What items should be considered before accepting software built in-house?
Completion: Are all functional and security requirements completed?
Change management: Is there a process in place to handle change requests?
Approval to deploy/release: Have all required authorities signed off?
Risk acceptance and exception policy: Is residual risk acceptance tracked if it's not within the threshold?
Documentation: Is all necessary documentation in place?
What is a RTM?
Requirements Traceability Matrix
What is the purpose of software completion criteria?
Ensuring that the functional and security requirements captured during the requirements gathering phase have been fully met.
What security related milestones should be considered as completion criteria?
- Generation of the requirements traceability matrix (RTM) that includes security requirements besides functional requirements in the requirement phase
- Completion of the threat model during the design phase
- Review and sign-off on the security architecture at the end of the design phase
- Review of code for security vulnerabilities after the development phase
- Completion of security testing at the end of the application testing phase
- Completion of documentation before the deployment phase commences
All security-related milestones should include?
An actual deliverable (e.g., an RTM, threat model, security architecture design, code review report, or security test report) that can be tracked.
What should a threat model include?
Documented threat lists and associated controls.
What should the architecture review sign off include?
The various components of the security profile and the principles of secure design.
What larger process is change management part of?
Configuration management
What is a PMO?
Program Management Office
What is a CCB?
Configuration/Change Board.
What should be verified as part of the software acceptance process?
- Change requests are evaluated for impact on the overall security of the software.
- The asset management database is updated with the new/updated software information.
- The change is requested formally, and evaluated and approved by appropriate signatory authorities.
Who should accept risk?
The business owner, not an IT official.
What elements should a risk acceptance template use?
Risk, actions, issues, decisions.
What is an AO?
Authorizing Official
What are the options to address risk?
Accept, Transfer, Mitigate, Avoid
How might you avoid risk?
Stop using the affected software.
How might you transfer risk?
Insurance
How might you accept risk?
This is simply a decision, but one that should be documented.
What should members of the exception review board include?
Experts from different teams, such as business, software development, legal, privacy, and security.
What is the most overlooked portion of the SDLC?
Documentation
What documentation needs to be verified as complete?
- RTM
- Threat model
- Risk Acceptance Document
- Exception Policy Document
- Change requests
- Approvals
- BCP or DRP
- Incident Response Plan
- Installation Guide
- User Training Guide/Manual
What is TCO?
Total Cost of Ownership, which includes the cost of support and maintenance and the investment of time and resources necessary to incorporate security when it is deployed within your organization’s computing ecosystem.
What protection mechanisms can be used if you are outsourcing software development?
- Contractual obligations
- Require the vendor to integrate security into their SDLC
- Code verification (code review)
What should be in an RFP to ensure secure software?
- Explicitly stated security requirements
- RFPs should be time-bound
- Evaluation criteria should be predefined and explicitly stated
- Respondents should demonstrate an understanding of the requirements, a solution, the experience of their personnel, valid references, resources, cost, and schedule considerations.
What is the strongest form of Intellectual Property protection?
Patents
What are the requirements for a patent?
It must be of practical use
It must be novel, with at least one new characteristic that is nonexistent in the domain of existing knowledge (technical field).
It must demonstrate an inventive step
It must be compliant with the law and deemed as acceptable in a court of law
What is a trademark?
Trademarks are distinctive signs that can be used to identify the maker uniquely from others who produce a similar product.
How long can trademarks last?
Indefinitely, but they have to be renewed.
What is a trade secret?
Any confidential business information that provides a company with a competitive advantage.
The information must not be generally known, readily accessible, or reasonably ascertainable.
It must have commercial value that is lost or reduced should the information be disclosed.
It must be protected by the holder of the information (e.g., through confidentiality agreements).
What must be done for trade secret protection to attach to software?
Just being in object code is not enough (cite?).
Requires developer NDAs and protection against reverse engineering.
What is “verification”?
As part of the V&V process, verification ensures that the software performs as it is required and designed to do.
What is “validation”?
Validation is the process of evaluating software during and/or at the end of the development process to determine whether it satisfies specified requirements.
What mechanisms should V&V look for?
Security protection mechanisms to ensure confidentiality, integrity of data and system, availability, authentication, authorization, auditing, secure session management, proper exception handling, and configuration management.
What are EALs?
Common Criteria Evaluation Assurance Levels.
What must a formal review include?
Design and code review.
What is the Fagan process?
A highly structured process with several steps to determine defects in development results, such as specifications, design, and code.
What kinds of tests are performed during V&V?
Error detection and acceptance.
What is IV&V?
Independent Verification and Validation
Why is it bad to rely on tools to perform V&V?
False positives and false negatives. Tools don't completely emulate human experience and decision-making capability.
What standard provides guidance for bodies providing audit and certification of an information security management system (ISMS) and is primarily intended to support software accreditation?
ISO/IEC 27006:2007
Security certification should include evaluation of the following at a minimum:
- User rights, privileges, and profile management
- Sensitivity of data and application and appropriate controls
- Configurations of system, facility, and locations
- Interconnectivity and dependencies
- Operational security mode
What documents are considered part of the Risk Acceptance documentation?
Disaster Recovery and Business Continuity Plans
Exception policy and sign-off