Section 1 Software Security and SDLC

Question 1

Software Security vs Application Security

Answer 1

Software - building security into software through SDL in an SDLC where Application Security is about protecting the software and the systems on which it runs after release

Question 2

3 Most Important Goals of SDL

Answer 2

CIA Model

Question 3

Definition of SDL
Security Development Lifecycle Man

Answer 3

Secure Development Process composed of security best practices based on comparative research on Microsoft’s SDL and alternative models developed since 2004

Question 4

Two primary goals of SDL (Security Development Lifecyle)

Answer 4

Reduce the number of security vulnerabilities and privacy problems

Reduce the severity of vulnerabilities that remain

Question 5

T or F Static Code Analysis can point out design flaws in code

Answer 5

False -using Taint analysis to look for unfiltered or Un sanitized input in source code

Question 6

T or F Secure Code is Quality Code

Answer 6

False and the corollary is also false. You must know to write quality code before you can write secure code

Question 7

What is a methodical approach for assessing and documenting the weaknesses of security risks associated with an application?

Answer 7

Threat Modeling

Question 8

What is the name for the exit and entry points of an application

Answer 8

Attack Surface

Question 9

What are the typical 8 Phases of SDLC

Answer 9

Planning
Requirements
Design
Implementation
Testing
Deployment
Maintenance
End of Life

Question 10

Name 5 software development models

Answer 10

Code and Fix
Waterfalls
Agile
Iterative
Spiral

Question 11

Advantage and Disadvantages of Code and Fix

Answer 11

Little or no overhead (no modeling)
Dangerous - can’t measure quality or risks

For temporary projects

Question 12

Which model is synchronous and step by step

Answer 12

Waterfall

Advantage
Simple and Easy to understand and manage in clearly defined phases

Disadvantage
Very rigid model so challenge to produce software

Hard to produce software
Requirements are well documented and clear and fixed

Question 13

T or F Agile is not fully a model but more made up of values and principles

Answer 13

True
Values
Individuals and Interactions
Customer Collaboration
Working Software
Response

Principles
Satisfy the Customer
Welcome Changing Requirements
Frequently deliver working software
Business Folks and Deliver work daily
Build projects around motivated individuals
Face to face communication
Working software measure progress
Everyone maintains a constant pace
Attention to excellence and good design
Simplicity
Self-organizing teams
Reflection - at intervals

Question 14

What is the model that is performed over multiple builds

Answer 14

Iterative
this model is best for when you have
Clear Requirements
Some enhancements may evolve.
Time to Market Contstrains
New Technology
Resources aren’t available
Features/Goals

Pros
Progress can be measured
Less costly for changes
Testing and debugging is easy
Easier to manage risks
good for large projects

Cons
More resources might be required
Not suitable for change
More management attention
Not good for small projects

Question 15

Which model combines waterfall with Interative

Answer 15

Spiral
4 phases
good for budget contstraints
medium to high risk projects
long term commitment
Customer unsure of requirements
complex requirements
Expecting significant changes

Pros
Allows for add-ons and change requests
requirements are captured accurately
development is divided in small parts

Cons
Management is more complex
end of project wont be known early
Process is complex

Question 16

Name the two most popular software security models

Answer 16

BSIMM - Building Security in Maturity Model - real world data and broken down into 12 categories
OWASP Open SAMM - flexible and prescriptive model and uses scorecards

Question 17

What is the on standards that rolls previous ones and encompasses IT security holistically and encompasses everything from physical security to compliance

Answer 17

ISO 27001

this has allowed organizations to consolidate multiple security efforts under on standard.

Question 18

What is the ISO standard that has also consolidated of software security standards frameworks similar to ISO 27001

Answer 18

ISO 27034
Risk based framework

Question 19

What is the name of the non-profit that is dedicated to increasing trust in information and communications technologe and services through the advancement of software assurance methods

Answer 19

Software Assurance Forum for Excellence in Code (SAFECode)

Question 20

Which department in the US in conjuction with Carnegie Mellon’s Software Engineering Institute developed a Software Assurance Programs

Answer 20

Department of Homeland Security (DHS)

SwA - seeks to reduce software vulnerabilities, minimize exploitation, and address way to improve routine development and deployment of trustworthy software projects.

Question 21

Where did the Common Weakness Enumeration come from

Answer 21

Joint effort of DHS with the NSA and managed my MITRE.

Question 22

What specific areas do NIST provide for secure software models

Answer 22

Software Assurance Metrics and Tool Evaluation (SAMATE) - dedicated to improving software assurance by developmenting methods to enable software tool evaluations, measuring the effectiveness of tools and techniques

NIST 800-64 - Security Considerations in the System Development Life Cycle - assist Federal government agencies in integrating essential Information Technology

National Vulnerability Database - using the Security Content Automation Protocol

Question 23

What is the list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems

Answer 23

Common Computer Vulnerabilities and Exposures (CVE)

CVE Feeds the NVD
CVE is sponsored by US Department of of Homeland Security
MITRE maintains CVE

Question 24

What are the vulnerability identifiers for a commercially operated database used for security advisories called

Answer 24

Bugtraq

Question 25

What is the list of top security vulnerabilities with step by step instructions

Answer 25

SANS institute Top Cyber Security Risks

Question 26

What are the 3 primary types of tools that are essential to the SDL

Answer 26

Fuzzing - black box testing on compiled code sending random, invalid or unexpected data to a program and see what results come back.

Static Analysis - automation tools that goes through uncompiled code. Also known as static application security testing (SAST)

Dynamic Analysis - analysis of compiled programs in a run time environment. find security flaws while running programs Able to find false negatives. Also known as DAST

Question 27

Is the principal of least privilege and protecting users privacy key parts of the SDL

Answer 27

Yes

Question 28

What can be an invaluable resource for assessing the effectiveness of of an organization’s software security program

Answer 28

Metrics

Question 29

In Agile what are the small increments that require minimal planning called

Answer 29

Timeboxes - 1 to 4 weeks with multiple iterations

Question 30

In Agile what is the iterative and incremental software development method for managing software projects and product or application development called

Answer 30

Scrum
Takes an empirical approach accepting that problems cannot be fully understood or defined and focuses on maximizing rapid delivery by timeboxing each sprint

Question 31

What are the outlines in Code Review

Answer 31

Scope and Budget Constraints
Categorize vulnerabilities - OWASP Top 10
Recommendations based on findings - find false positives

Question 32

Name the Types of Code Reviews

Answer 32

Static vs Dynamic code review
Manual peer review
User acceptance Testing (UAT) - Beta
Fuzz Testing
Fault Injection - directly inserts faults
Mutation Testing - small mods to program
Stress/Load Testing
Security regression - do changes cause issues
Formal Method - mathematical model

Question 33

Name the Reverse Engineering Techniques

Answer 33

Decomposing Code
Obfuscating Code
Reverse Engineering Labs

Question 34

What replaced SOAP/XML

Answer 34

REST and HTTPS

Question 35

What features come with Security Assertion Markup Language

Answer 35

Single Sign on (SSO)
Assertions - contains validation
Binding Communications over Network Protocol - typically HTTP

Question 35

Are Snowflake Systems good?

Answer 35

No. each one is different and that is not manageable.

Question 35

Who introduced the Waterfall Model

Answer 35

Winston Royce

Question 35

What is the modified version of waterfall model that is non-linear

Answer 35

V-Model
Paul Brook
Verification on one side and validation on other side
similar advantages and disadvantages as Waterfall

Question 36

What are the Agile Manifesto Core Values

Answer 36

Individuals over process and tools
Working software over documentation
Customer collaboration over contract negotiation
Responding to change vs following a plan

Question 37

What are the 3 groups of Agile Manifesto principles

Answer 37

Regular Delivery of Software
Team Communicaiton
Excellence in Design

Question 38

What are the principles in Regular Delivery of Software

Answer 38

Highest priority is to satisfy the customer through early and continuous delivery of valuable software

Deliver working software frequently from a preference to shorter cycle

Working software is the primary measure of progress

Agile process promotes sustainable development.

Question 39

Agile Principles in Team Communication

Answer 39

Business People and Development must work daily throughout the project

The most efficient effective method of conveying information to and with a development team is face to face

The best architecutre requirements and designs emerge from self-organizing teams

Build projects around motivated individuals. Give them the environment and support they need and trust to get job done

at regular intervals the team reflects on how to become more effective then tunes and adjusts it behavior accordingly

Question 40

Name the Principles of Excellence in Design

Answer 40

Continuous attention to technical excellence and good design enhances agility

Simplicity, that are to maximizing the amount of work not done is essential

Agile process harness change for customers competitive advantage

Question 41

Name the Agile Methodologies

Answer 41

Scrum - lightweight Management

Extreme Programming (XP) - disciplined approach

Crystal - most lightweight.

Dynamic Systems Development method (DSDM)

Feature Drive Design (FDD)

Lean Software Development

Kanban

Question 42

What are the roles in Agile Team

Answer 42

Software development teams first and members of department second

Product and Domain experts

Team member with cross functional skills

Leadership role - scrum master for eg

Agile coach or mentor

Question 43

T or F Agile is faster and cheaper than waterfall

Answer 43

False

it is more flexible and customer centric. ‘

Embrace Change

Question 44

What is an agile software methodology for developing to improve software quality and responsiveness to changing customer Requirements

Answer 44

Extreme Programming (XP)

SCRUM

Question 45

What are the 4 Basic Programming activities of XP

Answer 45

Writing the application code

Testing the System - unit testing

Listening to your customers and users

Designing your systems to reduce to coupling so you limit interdepencencies

Question 46

What are the 5 values of XP

Answer 46

Communications is essential to any project

Build for Simplicity

Learning from Feedback

Having Courage -

Having Respect for the team and project

Question 47

What are XP 3 main principles

Answer 47

Feedback loop is critical (unit testing)

Assuming Simplicity - rejects waterfall ideas. client has more control

Embracing Change - unlike waterfall

Question 48

What are the 4 Groups of Practices

Answer 48

Fine-scale feedback
Continuous Process
Shared Understanding
Programmer Welfare

Question 49

What are the 4 practices within Fine scale Feedback?

Answer 49

Pair Programming - developers
Planning game - once per iteration
Test-driven development
Whole team

Question 50

What are the 3 practices of continuous process

Answer 50

Continuous integration
Refactoring or design improvement
small releases

Question 51

4 Practices for Shared Undersanding

Answer 51

Coding Standards
Collective code ownership
Simple design
System metaphor - consistent story

Question 52

What is the one practice for Programmers Welfare

Answer 52

Sustainable pace - 40 hour work week and no OT

Question 53

What are the 5 sections of XP Rules

Answer 53

Planning
Managing
Designing
Coding
Testing

Question 54

What are the Rules for Planning section

Answer 54

User stories are written
Release planning
Make frequent small releases
Project divided into iterations
Iteration planning starts each iteration

Question 55

What are the Rules for Managing section

Answer 55

Give the team an open work space
Set a sustainable pace
A stand-up meeting starts each day
The project velocity is measured
Move people around - cross training
Fix XP when it break

Question 56

What are Rules for Designing section

Answer 56

Simplicity
Choose a system metaphor
Used Class Responsibilities and Collaboration cards (CRC)
Create spike solutions to reduce risk when developers do not know answers
No Functionality is added early
Refactoring whenever possible - small transformations

Question 57

What are the rules for the Coding Section

Answer 57

Customer is always available - part of team

Code written to agreed standards
Code the unit test first - before coding
Production code is pair (two programmers) programmed
Only one pair integrates code at a time
Integrated and committing code often - hours
Use a dedicated integration machine - physical token to releasing code
Use collective ownership

Question 58

What are the rules for Testing

Answer 58

Unit testing is the cornerstone
All code must pass all unit tests
When a bug is found tests are created
Acceptance tests are run often and the score is published - black box tests

Question 59

What is the lightweight agile project framework

Answer 59

Scrum
flexible - holistic - team to reach a common goal
name from Rugby

Question 60

Which method uses Sprints

Answer 60

Scrum
3 Areas
Roles
Ceremonies
Artifacts

Question 61

What are the 3 main Scrum Roles

Answer 61

Product Owner - key stakeholder typically. Maintains product backlog
Scrum Master - coach and enforces values and practices. Process owner
Scrum team - cross disciplined team 5-9 people

Question 62

What are the 4 Scrum Ceremenoies

Answer 62

Scrum Planning Meeting
Sprint Review - what was accomplished - demo typically
Sprint Retrospective - lessons learned
Daily Scrum - morning and stands in a virtual circle now.

Question 63

What are the 3 Scrum artifacts

Answer 63

Product Backlog - Prioritized feature list. bug and feature are the same
Sprint Backlog - stories picked from backlog, Estimate of task hours - Jira
Burn down chart - tracks progress over time

Question 64

Describe XP vs Scrum

Answer 64

Scrum does not integrate any engineering practices. less complicated

Question 65

What is the heart of the scrum proces?

Answer 65

Sprint
2-4 weeks
time boxed in that time frame
Prioritizes user stories in that sprint
Daily Standup meeting

Question 66

Is Scrum a framework or Methodology

Answer 66

Technically a framework
Framework provides general guidelines
Methodology is more prescriptive

Question 67

What unique values does Scrum have separate from Agile

Answer 67

Commitment and Team Accountability
Focus on priorities for that sprint
Openness - collaboration.
Respect - high regard to ourselves and, others and resources entrusted to us
Courage - daring and endurance to our best

Question 68

How should you store your application user credentials in your application database?

Answer 68

Store Credentials using salted hashes

Question 69

What happens during dynamic code review

Answer 69

Programmers monitor system memory, functional behavior, response times and overall performance