Section 1 Software Security and SDLC Flashcards

1
Q

Software Security vs Application Security

A

Software Security - building security into software through an SDL within the SDLC, whereas Application Security is about protecting the software and the systems it runs on after release

2
Q

3 Most Important Goals of SDL

A

CIA Model

3
Q

Definition of SDL
Security Development Lifecycle Man

A

Secure Development Process composed of security best practices based on comparative research on Microsoft’s SDL and alternative models developed since 2004

4
Q

Two primary goals of SDL (Security Development Lifecycle)

A

Reduce the number of security vulnerabilities and privacy problems

Reduce the severity of vulnerabilities that remain

5
Q

T or F Static Code Analysis can point out design flaws in code

A

False - it uses taint analysis to look for unfiltered or unsanitized input in source code

6
Q

T or F Secure Code is Quality Code

A

False, and the corollary is also false. You must know how to write quality code before you can write secure code

7
Q

What is a methodical approach for assessing and documenting the weaknesses of security risks associated with an application?

A

Threat Modeling

8
Q

What is the name for the exit and entry points of an application

A

Attack Surface

9
Q

What are the typical 8 Phases of SDLC

A

Planning
Requirements
Design
Implementation
Testing
Deployment
Maintenance
End of Life

10
Q

Name 5 software development models

A

Code and Fix
Waterfall
Agile
Iterative
Spiral

11
Q

Advantage and Disadvantages of Code and Fix

A

Little or no overhead (no modeling)
Dangerous - can’t measure quality or risks

For temporary projects

12
Q

Which model is synchronous and step by step

A

Waterfall

Advantage
Simple and Easy to understand and manage in clearly defined phases

Disadvantage
Very rigid model, so it is challenging to produce software
Requirements are well documented, clear and fixed

13
Q

T or F Agile is not fully a model but more made up of values and principles

A

True
Values
Individuals and Interactions
Customer Collaboration
Working Software
Responding to change

Principles
Satisfy the Customer
Welcome Changing Requirements
Frequently deliver working software
Business folks and developers work together daily
Build projects around motivated individuals
Face to face communication
Working software measures progress
Everyone maintains a constant pace
Attention to excellence and good design
Simplicity
Self-organizing teams
Reflection - at intervals

14
Q

What is the model that is performed over multiple builds

A

Iterative
This model is best when you have:
Clear requirements
Some enhancements that may evolve
Time-to-market constraints
New technology
Resources that aren't available
Features/Goals

Pros
Progress can be measured
Less costly for changes
Testing and debugging are easy
Easier to manage risks
good for large projects

Cons
More resources might be required
Not suitable for change
More management attention
Not good for small projects

15
Q

Which model combines Waterfall with Iterative

A

Spiral
4 phases
Good for budget constraints
medium to high risk projects
long term commitment
Customer unsure of requirements
complex requirements
Expecting significant changes

Pros
Allows for add-ons and change requests
requirements are captured accurately
development is divided in small parts

Cons
Management is more complex
End of project won't be known early
Process is complex

16
Q

Name the two most popular software security models

A

BSIMM - Building Security in Maturity Model - real world data and broken down into 12 categories
OWASP Open SAMM - flexible and prescriptive model and uses scorecards

17
Q

What is the one standard that rolls up previous ones and encompasses IT security holistically, covering everything from physical security to compliance

A

ISO 27001

This has allowed organizations to consolidate multiple security efforts under one standard.

18
Q

What is the ISO standard that has similarly consolidated software security standards and frameworks, as ISO 27001 did for IT security

A

ISO 27034
Risk based framework

19
Q

What is the name of the non-profit that is dedicated to increasing trust in information and communications technology and services through the advancement of software assurance methods

A

Software Assurance Forum for Excellence in Code (SAFECode)

20
Q

Which US department, in conjunction with Carnegie Mellon's Software Engineering Institute, developed a Software Assurance Program

A

Department of Homeland Security (DHS)

SwA - seeks to reduce software vulnerabilities, minimize exploitation, and address ways to improve the routine development and deployment of trustworthy software products.

21
Q

Where did the Common Weakness Enumeration come from

A

Joint effort of DHS with the NSA, managed by MITRE.

22
Q

What specific areas does NIST provide for secure software models

A

Software Assurance Metrics and Tool Evaluation (SAMATE) - dedicated to improving software assurance by developing methods to enable software tool evaluations and measuring the effectiveness of tools and techniques

NIST 800-64 - Security Considerations in the System Development Life Cycle - assist Federal government agencies in integrating essential Information Technology

National Vulnerability Database - using the Security Content Automation Protocol

23
Q

What is the list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems

A

Common Computer Vulnerabilities and Exposures (CVE)

CVE Feeds the NVD
CVE is sponsored by the US Department of Homeland Security
MITRE maintains CVE

24
Q

What are the vulnerability identifiers for a commercially operated database used for security advisories called

A

Bugtraq

25
Q

What is the list of top security vulnerabilities with step by step instructions

A

SANS institute Top Cyber Security Risks

26
Q

What are the 3 primary types of tools that are essential to the SDL

A

Fuzzing - black box testing on compiled code, sending random, invalid or unexpected data to a program and seeing what results come back.

Static Analysis - automated tools that go through uncompiled code. Also known as static application security testing (SAST)

Dynamic Analysis - analysis of compiled programs in a run-time environment; finds security flaws while the program is running. Able to find false negatives. Also known as DAST

27
Q

Are the principle of least privilege and protecting users' privacy key parts of the SDL

A

Yes

28
Q

What can be an invaluable resource for assessing the effectiveness of an organization's software security program

A

Metrics

29
Q

In Agile what are the small increments that require minimal planning called

A

Timeboxes - 1 to 4 weeks with multiple iterations

30
Q

In Agile what is the iterative and incremental software development method for managing software projects and product or application development called

A

Scrum
Takes an empirical approach, accepting that problems cannot be fully understood or defined, and focuses on maximizing rapid delivery by timeboxing each sprint

31
Q

What are the outlines in Code Review

A

Scope and Budget Constraints
Categorize vulnerabilities - OWASP Top 10
Recommendations based on findings - find false positives

32
Q

Name the Types of Code Reviews

A

Static vs Dynamic code review
Manual peer review
User acceptance Testing (UAT) - Beta
Fuzz Testing
Fault Injection - directly inserts faults
Mutation Testing - small mods to program
Stress/Load Testing
Security regression - do changes cause issues
Formal Method - mathematical model

33
Q

Name the Reverse Engineering Techniques

A

Decomposing Code
Obfuscating Code
Reverse Engineering Labs

34
Q

What replaced SOAP/XML

A

REST and HTTPS

35
Q

What features come with Security Assertion Markup Language

A

Single Sign on (SSO)
Assertions - contains validation
Binding Communications over Network Protocol - typically HTTP

35
Q

Are Snowflake Systems good?

A

No. each one is different and that is not manageable.

35
Q

Who introduced the Waterfall Model

A

Winston Royce

35
Q

What is the modified version of waterfall model that is non-linear

A

V-Model
Paul Brook
Verification on one side and validation on other side
similar advantages and disadvantages as Waterfall

36
Q

What are the Agile Manifesto Core Values

A

Individuals over process and tools
Working software over documentation
Customer collaboration over contract negotiation
Responding to change vs following a plan

37
Q

What are the 3 groups of Agile Manifesto principles

A

Regular Delivery of Software
Team Communication
Excellence in Design

38
Q

What are the principles in Regular Delivery of Software

A

Highest priority is to satisfy the customer through early and continuous delivery of valuable software

Deliver working software frequently, with a preference for shorter cycles

Working software is the primary measure of progress

Agile process promotes sustainable development.

39
Q

Agile Principles in Team Communication

A

Business People and Development must work daily throughout the project

The most efficient and effective method of conveying information to and within a development team is face to face

The best architectures, requirements and designs emerge from self-organizing teams

Build projects around motivated individuals. Give them the environment and support they need and trust them to get the job done

At regular intervals the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly

40
Q

Name the Principles of Excellence in Design

A

Continuous attention to technical excellence and good design enhances agility

Simplicity, the art of maximizing the amount of work not done, is essential

Agile processes harness change for the customer's competitive advantage

41
Q

Name the Agile Methodologies

A

Scrum - lightweight Management

Extreme Programming (XP) - disciplined approach

Crystal - most lightweight.

Dynamic Systems Development Method (DSDM)

Feature Driven Design (FDD)

Lean Software Development

Kanban

42
Q

What are the roles in Agile Team

A

Software development teams first and members of department second

Product and Domain experts

Team member with cross functional skills

Leadership role - Scrum Master, for example

Agile coach or mentor

43
Q

T or F Agile is faster and cheaper than waterfall

A

False

It is more flexible and customer centric.

Embrace Change

44
Q

What is an agile software development methodology intended to improve software quality and responsiveness to changing customer requirements

A

Extreme Programming (XP)

SCRUM

45
Q

What are the 4 Basic Programming activities of XP

A

Writing the application code

Testing the System - unit testing

Listening to your customers and users

Designing your systems to reduce coupling so you limit interdependencies

46
Q

What are the 5 values of XP

A

Communication is essential to any project

Build for Simplicity

Learning from Feedback

Having Courage

Having Respect for the team and project

47
Q

What are XP 3 main principles

A

Feedback loop is critical (unit testing)

Assuming Simplicity - rejects waterfall ideas; the client has more control

Embracing Change - unlike waterfall

48
Q

What are the 4 Groups of Practices

A

Fine-scale feedback
Continuous Process
Shared Understanding
Programmer Welfare

49
Q

What are the 4 practices within Fine scale Feedback?

A

Pair Programming - developers
Planning game - once per iteration
Test-driven development
Whole team

50
Q

What are the 3 practices of continuous process

A

Continuous integration
Refactoring or design improvement
small releases

51
Q

4 Practices for Shared Understanding

A

Coding Standards
Collective code ownership
Simple design
System metaphor - consistent story

52
Q

What is the one practice for Programmer Welfare

A

Sustainable pace - 40 hour work week and no OT

53
Q

What are the 5 sections of XP Rules

A

Planning
Managing
Designing
Coding
Testing

54
Q

What are the Rules for Planning section

A

User stories are written
Release planning
Make frequent small releases
Project divided into iterations
Iteration planning starts each iteration

55
Q

What are the Rules for Managing section

A

Give the team an open work space
Set a sustainable pace
A stand-up meeting starts each day
The project velocity is measured
Move people around - cross training
Fix XP when it breaks

56
Q

What are Rules for Designing section

A

Simplicity
Choose a system metaphor
Use Class, Responsibilities and Collaboration (CRC) cards
Create spike solutions to reduce risk when developers do not know the answers
No Functionality is added early
Refactoring whenever possible - small transformations

57
Q

What are the rules for the Coding Section

A

Customer is always available - part of team

Code written to agreed standards
Code the unit test first - before coding
Production code is pair (two programmers) programmed
Only one pair integrates code at a time
Integrate and commit code often - within hours
Use a dedicated integration machine - a physical token for releasing code
Use collective ownership

58
Q

What are the rules for Testing

A

Unit testing is the cornerstone
All code must pass all unit tests
When a bug is found tests are created
Acceptance tests are run often and the score is published - black box tests

59
Q

What is the lightweight agile project framework

A

Scrum
flexible - holistic - team to reach a common goal
name from Rugby

60
Q

Which method uses Sprints

A

Scrum
3 Areas
Roles
Ceremonies
Artifacts

61
Q

What are the 3 main Scrum Roles

A

Product Owner - key stakeholder typically. Maintains product backlog
Scrum Master - coach and enforces values and practices. Process owner
Scrum team - cross disciplined team 5-9 people

62
Q

What are the 4 Scrum Ceremonies

A

Scrum Planning Meeting
Sprint Review - what was accomplished - demo typically
Sprint Retrospective - lessons learned
Daily Scrum - held in the morning; the team now stands in a virtual circle.

63
Q

What are the 3 Scrum artifacts

A

Product Backlog - prioritized feature list; bugs and features are treated the same
Sprint Backlog - stories picked from the backlog, with estimates of task hours - Jira
Burn down chart - tracks progress over time

64
Q

Describe XP vs Scrum

A

Scrum does not integrate any engineering practices; it is less complicated

65
Q

What is the heart of the Scrum process?

A

Sprint
2-4 weeks
time boxed in that time frame
Prioritizes user stories in that sprint
Daily Standup meeting

66
Q

Is Scrum a framework or Methodology

A

Technically a framework
Framework provides general guidelines
Methodology is more prescriptive

67
Q

What unique values does Scrum have separate from Agile

A

Commitment and Team Accountability
Focus on priorities for that sprint
Openness - collaboration.
Respect - high regard for ourselves, others and the resources entrusted to us
Courage - daring and endurance to do our best

68
Q

How should you store your application user credentials in your application database?

A

Store Credentials using salted hashes

69
Q

What happens during dynamic code review

A

Programmers monitor system memory, functional behavior, response times and overall performance
