Section 1 Software Security and SDLC Flashcards
Software Security vs Application Security
Software Security - building security into software through an SDL within the SDLC, whereas Application Security is about protecting the software and the systems on which it runs after release
3 Most Important Goals of SDL
CIA Model
Definition of SDL
Security Development Lifecycle Man
Secure Development Process composed of security best practices based on comparative research on Microsoft’s SDL and alternative models developed since 2004
Two primary goals of SDL (Security Development Lifecycle)
Reduce the number of security vulnerabilities and privacy problems
Reduce the severity of vulnerabilities that remain
T or F: Static Code Analysis can point out design flaws in code
False - it uses taint analysis to look for unfiltered or unsanitized input in source code
T or F: Secure Code is Quality Code
False, and the corollary is also false. You must know how to write quality code before you can write secure code
What is a methodical approach for assessing and documenting the weaknesses and security risks associated with an application?
Threat Modeling
What is the name for the exit and entry points of an application?
Attack Surface
What are the 8 typical phases of the SDLC?
Planning
Requirements
Design
Implementation
Testing
Deployment
Maintenance
End of Life
Name 5 software development models
Code and Fix
Waterfall
Agile
Iterative
Spiral
Advantages and Disadvantages of Code and Fix
Little or no overhead (no modeling)
Dangerous - can’t measure quality or risks
For temporary projects
Which model is synchronous and step by step?
Waterfall
Advantage
Simple and Easy to understand and manage in clearly defined phases
Disadvantage
Very rigid model, so it is a challenge to produce software
Hard to produce software
Requirements are well documented and clear and fixed
T or F: Agile is not fully a model but is made up more of values and principles
True
Values
Individuals and Interactions
Customer Collaboration
Working Software
Response
Principles
Satisfy the Customer
Welcome Changing Requirements
Frequently deliver working software
Business folks and developers work together daily
Build projects around motivated individuals
Face to face communication
Working software is the measure of progress
Everyone maintains a constant pace
Attention to excellence and good design
Simplicity
Self-organizing teams
Reflection - at intervals
What is the model that is performed over multiple builds?
Iterative
This model is best when you have:
Clear Requirements
Some enhancements may evolve.
Time to market constraints
New Technology
Resources aren’t available
Features/Goals
Pros
Progress can be measured
Less costly for changes
Testing and debugging are easy
Easier to manage risks
Good for large projects
Cons
More resources might be required
Not suitable for change
More management attention
Not good for small projects
Which model combines Waterfall with Iterative?
Spiral
4 phases
Good for budget constraints
Medium to high risk projects
Long term commitment
Customer unsure of requirements
Complex requirements
Expecting significant changes
Pros
Allows for add-ons and change requests
Requirements are captured accurately
Development is divided into small parts
Cons
Management is more complex
End of project won't be known early
Process is complex
Name the two most popular software security models?
BSIMM - Building Security in Maturity Model - real world data and broken down into 12 categories
OWASP Open SAMM - flexible and prescriptive model and uses scorecards
What is the one standard that rolls up previous ones, encompasses IT security holistically, and covers everything from physical security to compliance?
ISO 27001
This has allowed organizations to consolidate multiple security efforts under one standard.
What is the ISO standard that has similarly consolidated software security standards and frameworks, like ISO 27001 did for IT security?
ISO 27034
Risk based framework
What is the name of the non-profit that is dedicated to increasing trust in information and communications technology and services through the advancement of software assurance methods?
Software Assurance Forum for Excellence in Code (SAFECode)
Which US department, in conjunction with Carnegie Mellon's Software Engineering Institute, developed a Software Assurance Program?
Department of Homeland Security (DHS)
SwA - seeks to reduce software vulnerabilities, minimize exploitation, and address ways to improve routine development and deployment of trustworthy software projects.
Where did the Common Weakness Enumeration come from?
Joint effort of DHS with the NSA, managed by MITRE.
What specific resources does NIST provide for secure software models?
Software Assurance Metrics and Tool Evaluation (SAMATE) - dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques
NIST 800-64 - Security Considerations in the System Development Life Cycle - assist Federal government agencies in integrating essential Information Technology
National Vulnerability Database - using the Security Content Automation Protocol
What is the list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems?
Common Computer Vulnerabilities and Exposures (CVE)
CVE Feeds the NVD
CVE is sponsored by the US Department of Homeland Security
MITRE maintains CVE
What are the vulnerability identifiers for a commercially operated database used for security advisories called?
Bugtraq
What is the list of top security vulnerabilities with step by step instructions?
SANS institute Top Cyber Security Risks
What are the 3 primary types of tools that are essential to the SDL?
Fuzzing - black box testing on compiled code that sends random, invalid, or unexpected data to a program and observes the results that come back.
Static Analysis - automated tools that go through uncompiled (source) code. Also known as static application security testing (SAST)
Dynamic Analysis - analysis of compiled programs in a runtime environment; finds security flaws while the programs are running. Able to find false negatives. Also known as dynamic application security testing (DAST)
Are the principle of least privilege and protecting users' privacy key parts of the SDL?
Yes
What can be an invaluable resource for assessing the effectiveness of an organization's software security program?
Metrics
In Agile, what are the small increments that require minimal planning called?
Timeboxes - 1 to 4 weeks with multiple iterations