Guidelines for Software Acceptance

Question 1

Software acceptance is

Answer 1

the life cycle process of officially or formally accepting new or modified software components, which when integrated form the information system.

Question 2

Acceptance criteria must be predefined with respect to the following categories:

Answer 2

Functionality, Performance, Quality, Safety, Privacy, and Security

Question 3

Objectives of software acceptance include

Answer 3

Verification that the software meets specified functional and assurance requirements; Verification that the software is operationally complete and secure
as expected; Obtaining the approvals from the system owner; Transference of responsibility from the development team or company (vendor) to the system owner, support staff, and operations personnel if the software is deployed internally.

Question 4

Software accepted for deployment or release

must

Answer 4

be secure by design, default and deployment; complement existing defense in depth protection; run with least privilege; be irreversible and tamper-proof; isolate and protect administrative functionality and security management interfaces; and have non-technical protection mechanisms in place.

Question 5

SD3

Answer 5

secure by design, default and deployment

Question 6

EULA

Answer 6

End User Licensing Agreements - You shall not modify, translate, reverse engineer, decompile or disassemble
the Software.

Question 7

DMCA

Answer 7

Digital Millennium Copyright Act

Question 8

Reverse engineering protection is increased by

Answer 8

code obfuscation and anti-tampering techniques, which must be verified in the software before being accepted for release.

Question 9

Benefits of Accepting Software Formally

Answer 9

Final checkpoint to discover the existence of missed and unforeseen security vulnerabilities and to validate the presence of security controls that will address
known threats; ensure that the software publisher or acquirer are protected.

Question 10

Some of the major items to consider before accepting software that is built in-house for deployment/release are

Answer 10

Completion Criteria; Change Management; Approval to Deploy / Release; Risk Acceptance and Exception Policy; Documentation.

Question 11

Security related milestones include, but are not limited to the following:

Answer 11

Generation of the of the requirements traceability matrix; completion of the threat model during the design phase; review and sign-off on the security architecture at the end of the design phase; review of code for security vulnerabilities after the development
phases; completion of security testing at the end of the application testing phase; and completion of documentation before the deployment phase
commences.

Question 12

As part of the software acceptance process, the following must be verified as part of change management:

Answer 12

change requests are evaluated for impact on the overall security of the software; the asset management database is updated with the new/updated software information; and the change is requested formally, and evaluated and approved by appropriate signatory authorities.

Question 13

Risk must be accepted by whom

Answer 13

The business owner and not by officials in the IT department.

Question 14

RAID

Answer 14

Risk, Actions, Issues and Decisions

Question 15

Risk transference can be achieved by

Answer 15

Transferring the risk to someone else, e.g., an insurance company.

Question 16

Risk avoidance can be achieved by

Answer 16

Discontinuing the use of the software.

Question 17

When you cannot mitigate, transfer or avoid the risk,

the best option is to accept the risk with

Answer 17

A documented exception to policy; it must be allowed, if and only if there exists contingency plans with explicit dates specified to address the risk.

Question 18

Some of the primary objectives for documentation are

Answer 18

To make the software deployment process easy and repeatable, and to ensure that operations are not disrupted and the impact upon changes to the software is understood.

Question 19

Documents that need to be verified as complete for Software Acceptance

Answer 19

RTM; Threat Model; Risk Acceptance Document; Exception Policy Document; Change Requests; Approvals; BCP or DRP; Incident Response Plan (IRP); Installation Guide; User Training Guide/Manual.

Question 20

BCP

Answer 20

Business Continuity Plan (BCP)

Question 21

DRP

Answer 21

Disaster Recovery Plan (DRP)

Question 22

The major objective of the software V&V process is

Answer 22

To ensure that the software is reliable and that no unintended behavior is observed or can be forced.

Question 23

Verification and Validation activities

Answer 23

Reviews (Design and Code) and Testing (Error detection, Acceptance, Independent Third Party).

Question 24

The formal review process includes

Answer 24

The presentation of the materials to a review panel or board for approval before proceeding to the next phase of the life cycle.

Question 25

Fagan inspection process

Answer 25

It is a highly structured process with several steps that are to be followed to determine defects in development results, such as specifications, design and code.

Question 26

Error detection tests include

Answer 26

Unit and component level testing.

Question 27

In addition to validation tests to ensure that the software satisfies the specified requirements, verification testing must be performed to ascertain the following at a minimum:

Answer 27

Proper handling of input validation using fuzzing, proper output responses and filtration, proper error handling mechanisms, secure state transitions and management, proper handling of load and tests, resilience of interfaces, temporal (race conditions) assurance checks, spatial (locality of reference) assurance and memory management checks, and secure software recovery upon failures.

Question 28

Acceptance tests are used to

Answer 28

Demonstrate if the software is ready for its intended use or not.

Question 29

The impact upon integration of the different software components for the system can be determined by

Answer 29

Regression and/or simulation testing.

Question 30

Regression testing is performed to

Answer 30

Ensure that the software is backward compatible and that the software does not introduce any new risks to the computing environment.

Question 31

Independent third party testing of software functionality and assurance is the process in which

Answer 31

The software is reviewed, verified and validated by someone other than the developer of the software.

Question 32

Certification

Answer 32

A set of procedures that assess the suitability of software to operate in a computing environment, by evaluating both the technical and non-technical controls based on predefined criteria(e.g., Common Criteria).

Question 33

At the minimum, security certification will include assurance evaluation of the following:

Answer 33

User rights, privileges and profile management; Sensitivity of data and application and appropriate controls; Configurations of system, facility and locations; Interconnectivity and dependencies, and Operational security mode.

Question 34

Accreditation is

Answer 34

management’s formal acceptance of the system after an understanding of the risks to that system rating in the computing environment.

Question 35

Software must not be accepted as ready for release unless

Answer 35

it is certified and accredited.

Question 36

To meet the goals of software assurance, when accepting software, the acquisition phase MUST include processes to [Q2]

Answer 36

assess the presence and effectiveness of protection mechanisms.

Question 37

The process of evaluating software to determine whether the products of a given development phase satisfies the conditions imposed at the start of the phase is referred to as

Answer 37

Verification

Question 38

When there are known vulnerabilities in legacy software and there is not much you can do to mitigate the vulnerabilities, it is recommended that [Q8]

Answer 38

the business accepts the risk with a documented exception to the security policy.

Question 39

The exception to policy process must ensure

Answer 39

There is a contingency plan in place to address the risk by either replacing the software with a new version or discontinuing its use (risk avoidance).