Section 1 Software Security and SDLC Flashcards
Software Security vs Application Security
Software Security - building security into software through an SDL within the SDLC; Application Security is about protecting the software and the systems on which it runs after release
3 Most Important Goals of SDL
CIA Model
Definition of SDL
Security Development Lifecycle Man
Secure Development Process composed of security best practices based on comparative research on Microsoft’s SDL and alternative models developed since 2004
Two primary goals of SDL (Security Development Lifecycle)
Reduce the number of security vulnerabilities and privacy problems
Reduce the severity of vulnerabilities that remain
T or F Static Code Analysis can point out design flaws in code
False - it uses taint analysis to look for unfiltered or unsanitized input in source code
T or F Secure Code is Quality Code
False, and the corollary is also false. You must know how to write quality code before you can write secure code
What is a methodical approach for assessing and documenting the weaknesses and security risks associated with an application?
Threat Modeling
What is the name for the exit and entry points of an application
Attack Surface
What are the typical 8 Phases of SDLC
Planning
Requirements
Design
Implementation
Testing
Deployment
Maintenance
End of Life
Name 5 software development models
Code and Fix
Waterfall
Agile
Iterative
Spiral
Advantages and Disadvantages of Code and Fix
Little or no overhead (no modeling)
Dangerous - can’t measure quality or risks
For temporary projects
Which model is synchronous and step by step
Waterfall
Advantage
Simple and Easy to understand and manage in clearly defined phases
Disadvantage
Very rigid model, so it is challenging to produce software
Hard to produce software
Requirements must be well documented, clear and fixed
T or F Agile is not fully a model but more made up of values and principles
True
Values
Individuals and Interactions
Customer Collaboration
Working Software
Responding to Change
Principles
Satisfy the Customer
Welcome Changing Requirements
Frequently deliver working software
Business people and developers work together daily
Build projects around motivated individuals
Face to face communication
Working software measures progress
Everyone maintains a constant pace
Attention to excellence and good design
Simplicity
Self-organizing teams
Reflection - at intervals
What is the model that is performed over multiple builds
Iterative
This model is best when you have
Clear Requirements
Some enhancements may evolve.
Time to Market Constraints
New Technology
Resources aren’t available
Features/Goals
Pros
Progress can be measured
Less costly for changes
Testing and debugging is easy
Easier to manage risks
good for large projects
Cons
More resources might be required
Not suitable for change
More management attention
Not good for small projects
Which model combines Waterfall with Iterative
Spiral
4 phases
good for budget constraints
medium to high risk projects
long term commitment
Customer unsure of requirements
complex requirements
Expecting significant changes
Pros
Allows for add-ons and change requests
requirements are captured accurately
development is divided in small parts
Cons
Management is more complex
end of project won't be known early
Process is complex
Name the two most popular software security models
BSIMM - Building Security in Maturity Model - real world data and broken down into 12 categories
OWASP Open SAMM - flexible and prescriptive model and uses scorecards
What is the one standard that rolls up previous ones, encompasses IT security holistically, and covers everything from physical security to compliance
ISO 27001
This has allowed organizations to consolidate multiple security efforts under one standard.
What is the ISO standard that has also consolidated software security standards and frameworks, similar to ISO 27001
ISO 27034
Risk based framework
What is the name of the non-profit that is dedicated to increasing trust in information and communications technology and services through the advancement of software assurance methods
Software Assurance Forum for Excellence in Code (SAFECode)
Which department in the US, in conjunction with Carnegie Mellon's Software Engineering Institute, developed a Software Assurance Program
Department of Homeland Security (DHS)
SwA - seeks to reduce software vulnerabilities, minimize exploitation, and address ways to improve the routine development and deployment of trustworthy software projects.
Where did the Common Weakness Enumeration come from
Joint effort of DHS with the NSA, managed by MITRE.
What specific resources does NIST provide for secure software models
Software Assurance Metrics and Tool Evaluation (SAMATE) - dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques
NIST 800-64 - Security Considerations in the System Development Life Cycle - assist Federal government agencies in integrating essential Information Technology
National Vulnerability Database - using the Security Content Automation Protocol
What is the list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems
Common Computer Vulnerabilities and Exposures (CVE)
CVE Feeds the NVD
CVE is sponsored by the US Department of Homeland Security
MITRE maintains CVE
What are the vulnerability identifiers for a commercially operated database used for security advisories called
Bugtraq
What is the list of top security vulnerabilities with step by step instructions
SANS institute Top Cyber Security Risks
What are the 3 primary types of tools that are essential to the SDL
Fuzzing - black box testing on compiled code, sending random, invalid or unexpected data to a program and observing what results come back.
Static Analysis - automated tools that go through uncompiled code. Also known as static application security testing (SAST)
Dynamic Analysis - analysis of compiled programs in a runtime environment; finds security flaws while the program is running. Able to find false negatives. Also known as DAST
Are the principle of least privilege and protecting users' privacy key parts of the SDL
Yes
What can be an invaluable resource for assessing the effectiveness of an organization's software security program
Metrics
In Agile what are the small increments that require minimal planning called
Timeboxes - 1 to 4 weeks with multiple iterations
In Agile what is the iterative and incremental software development method for managing software projects and product or application development called
Scrum
Takes an empirical approach accepting that problems cannot be fully understood or defined and focuses on maximizing rapid delivery by timeboxing each sprint
What are the outlines in Code Review
Scope and Budget Constraints
Categorize vulnerabilities - OWASP Top 10
Recommendations based on findings - find false positives
Name the Types of Code Reviews
Static vs Dynamic code review
Manual peer review
User acceptance Testing (UAT) - Beta
Fuzz Testing
Fault Injection - directly inserts faults
Mutation Testing - small modifications to the program
Stress/Load Testing
Security regression - do changes cause issues
Formal Method - mathematical model
Name the Reverse Engineering Techniques
Decomposing Code
Obfuscating Code
Reverse Engineering Labs
What replaced SOAP/XML
REST and HTTPS
What features come with Security Assertion Markup Language
Single Sign on (SSO)
Assertions - contains validation
Binding Communications over Network Protocol - typically HTTP
Are Snowflake Systems good?
No. Each one is different, and that is not manageable.
Who introduced the Waterfall Model
Winston Royce
What is the modified version of waterfall model that is non-linear
V-Model
Paul Brook
Verification on one side and validation on other side
similar advantages and disadvantages as Waterfall
What are the Agile Manifesto Core Values
Individuals over process and tools
Working software over documentation
Customer collaboration over contract negotiation
Responding to change vs following a plan
What are the 3 groups of Agile Manifesto principles
Regular Delivery of Software
Team Communication
Excellence in Design
What are the principles in Regular Delivery of Software
Highest priority is to satisfy the customer through early and continuous delivery of valuable software
Deliver working software frequently, with a preference for the shorter cycle
Working software is the primary measure of progress
Agile process promotes sustainable development.
Agile Principles in Team Communication
Business people and developers must work together daily throughout the project
The most efficient and effective method of conveying information to and within a development team is face to face
The best architecture, requirements and designs emerge from self-organizing teams
Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done
At regular intervals the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly
Name the Principles of Excellence in Design
Continuous attention to technical excellence and good design enhances agility
Simplicity, the art of maximizing the amount of work not done, is essential
Agile processes harness change for the customer's competitive advantage
Name the Agile Methodologies
Scrum - lightweight Management
Extreme Programming (XP) - disciplined approach
Crystal - most lightweight.
Dynamic Systems Development method (DSDM)
Feature Driven Design (FDD)
Lean Software Development
Kanban
What are the roles in Agile Team
Software development team members first, and members of a department second
Product and Domain experts
Team member with cross functional skills
Leadership role - e.g. Scrum Master
Agile coach or mentor
T or F Agile is faster and cheaper than waterfall
False
It is more flexible and customer centric.
Embrace Change
What is an agile software development methodology intended to improve software quality and responsiveness to changing customer requirements
Extreme Programming (XP)
SCRUM
What are the 4 Basic Programming activities of XP
Writing the application code
Testing the System - unit testing
Listening to your customers and users
Designing your systems to reduce coupling so you limit interdependencies
What are the 5 values of XP
Communication is essential to any project
Build for Simplicity
Learning from Feedback
Having Courage
Having Respect for the team and project
What are XP 3 main principles
Feedback loop is critical (unit testing)
Assuming Simplicity - rejects waterfall ideas; the client has more control
Embracing Change - unlike waterfall
What are the 4 Groups of Practices
Fine-scale feedback
Continuous Process
Shared Understanding
Programmer Welfare
What are the 4 practices within Fine scale Feedback?
Pair Programming - developers
Planning game - once per iteration
Test-driven development
Whole team
What are the 3 practices of continuous process
Continuous integration
Refactoring or design improvement
small releases
4 Practices for Shared Understanding
Coding Standards
Collective code ownership
Simple design
System metaphor - consistent story
What is the one practice for Programmer Welfare
Sustainable pace - 40 hour work week and no OT
What are the 5 sections of XP Rules
Planning
Managing
Designing
Coding
Testing
What are the Rules for Planning section
User stories are written
Release planning
Make frequent small releases
Project divided into iterations
Iteration planning starts each iteration
What are the Rules for Managing section
Give the team an open work space
Set a sustainable pace
A stand-up meeting starts each day
The project velocity is measured
Move people around - cross training
Fix XP when it breaks
What are Rules for Designing section
Simplicity
Choose a system metaphor
Use Class Responsibilities and Collaboration (CRC) cards
Create spike solutions to reduce risk when developers do not know answers
No Functionality is added early
Refactoring whenever possible - small transformations
What are the rules for the Coding Section
Customer is always available - part of team
Code written to agreed standards
Code the unit test first - before coding
Production code is pair (two programmers) programmed
Only one pair integrates code at a time
Integrate and commit code often - within hours
Use a dedicated integration machine - a physical token for releasing code
Use collective ownership
What are the rules for Testing
Unit testing is the cornerstone
All code must pass all unit tests
When a bug is found tests are created
Acceptance tests are run often and the score is published - black box tests
What is the lightweight agile project framework
Scrum
Flexible and holistic; the team works to reach a common goal
Name comes from rugby
Which method uses Sprints
Scrum
3 Areas
Roles
Ceremonies
Artifacts
What are the 3 main Scrum Roles
Product Owner - key stakeholder typically. Maintains product backlog
Scrum Master - coach and enforces values and practices. Process owner
Scrum team - cross-disciplinary team of 5-9 people
What are the 4 Scrum Ceremonies
Scrum Planning Meeting
Sprint Review - what was accomplished - demo typically
Sprint Retrospective - lessons learned
Daily Scrum - held in the morning; the team stands in a circle (virtual now).
What are the 3 Scrum artifacts
Product Backlog - prioritized feature list; bugs and features are treated the same
Sprint Backlog - stories picked from the product backlog, with estimates of task hours (e.g. in Jira)
Burn down chart - tracks progress over time
Describe XP vs Scrum
Scrum does not integrate any engineering practices; it is less complicated
What is the heart of the Scrum process?
Sprint
2-4 weeks
Timeboxed to that time frame
Prioritizes user stories in that sprint
Daily Standup meeting
Is Scrum a framework or Methodology
Technically a framework
Framework provides general guidelines
Methodology is more prescriptive
What unique values does Scrum have separate from Agile
Commitment and Team Accountability
Focus on priorities for that sprint
Openness - collaboration.
Respect - high regard for ourselves, others and the resources entrusted to us
Courage - the daring and endurance to do our best
How should you store your application user credentials in your application database?
Store Credentials using salted hashes
What happens during dynamic code review
Programmers monitor system memory, functional behavior, response times and overall performance