Section 2: Software Requirements and Risks Flashcards
What is the first phase of the Security Development Lifecycle (SDL)?
This phase (A1) is called the Security Assessment phase
It identifies the product's risk profile and the SDL activities that will be needed
What part of the kickoff addresses the often-overlooked data privacy requirements?
Privacy Impact Assessment (PIA)
Before developing a PIA you need to evaluate which regulatory, legislative, or policy requirements apply
What are the 4 C’s of Privacy Design
Comprehension
Consciousness
Control
Consent
What are the Security Assessment (A1) key success factors and metrics?
As the first phase of the SDL, it is discovery in nature
What are the deliverables for A1?
Here is the list of key deliverables.
What should be measured in every phase of the SDL?
Metrics such as:
Time (in weeks) until the software security team was looped in
Percent of stakeholder participation in SDL activities
Percent of security measures met
What are the Document Security Requirements?
RTM - Requirements Traceability Matrix
Formal acceptance of risk by management
What is the key tenet of the Zachman Framework?
Understand the business mission and goals first, then work top down
Other top-down planning models:
TOGAF
SABSA Model - security focused, as opposed to the business focus of TOGAF
What properties do we test for in a transactional database?
The ACID properties
Atomicity - a transaction either completes entirely or has no effect at all (all or nothing)
Consistency - every transaction moves the database from one valid state to another, so constraints always hold
Isolation - concurrent transactions do not see each other's partial changes, as if they ran one at a time
Durability - once a transaction is committed it survives crashes and power loss
What are the 3 categories of compliance requirements?
Legal - privacy, secrecy, IP, uptime, accuracy
Regulatory - enforced by agencies (federal, state, local)
Industry standards - PCI DSS and PA-DSS, OWASP
What is the most complex and difficult part of the SDL
Threat Model and Architectural Security Analysis
What is the purpose of the software security policy
Define what needs to be protected and how.
What are the 5 steps of Threat Modeling
Identify security objectives
Survey the application
Decompose it
Identify Threats
Identify Vulnerabilities
In threat modeling, what do you use to break down your product architecture, and what is the first step?
Data Flow Diagrams (DFDs)
What are STRIDE Threat Categories
Spoofing of identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
This is a threat categorization methodology, popularized by Microsoft
What is DREAD an acronym for?
Components:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
Purpose: The DREAD model provides a systematic way to evaluate and prioritize risks based on these five factors. Each factor is scored, and the cumulative score helps in determining the severity of a particular risk.
The use of __________ is a traditional approach to threat assessment and can help you identify additional potential threats
Attack Trees and attack patterns
What is the Risk Model used by Microsoft for assessing vulnerabilities
DREAD
Damage
Reproducibility
Exploitability
Affected users
Discoverability
Name another threat modeling methodology similar to STRIDE and DREAD
Trike
The main difference is that it is a risk-based approach with a distinct implementation
It allows for a high level of automation
It is a methodology as well as a tool
Targeted towards auditing teams
Asset-centric
What is a newer application threat modeling methodology that is a seven-step process, aligns business objectives with technical requirements, and also takes compliance requirements into account?
PASTA (Process for Attack Simulation and Threat Analysis)
Seven-step process and platform agnostic
The threat-modeling tool ThreatModeler supports this methodology
Targeted towards medium to large organizations, mature companies with security knowledge
The outcome is geared towards management
What is the industry standard for assessing the severity of computer system security vulnerabilities?
Common Vulnerability Scoring System (CVSS)
Typically used by an internal software security group when responding to a security researcher or other source who has notified you of a vulnerability in your software
What is a complex risk methodology that originated at Carnegie Mellon University?
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Risk analysis framework
Targeted towards large organizations
Largest and most complex, which is why OCTAVE-S (for smaller organizations) was developed
OCTAVE Allegro - focuses on information assets
Asset-centric approach
Not pure threat modeling, since it also covers risk mitigation
Does not focus on technical risks
What are the key success factors for this second phase of the SDL?
What are the 3 approaches to Threat Modeling
Asset-Centric
Attacker-Centric
Application-Centric
What is another name for the asset-centric approach?
Risk-centric
If you don't know what to protect, how can you protect it?
Advantages and disadvantages of asset-centric
Advantages
Centered around assets
Focused on business impact
Well suited for risk assessment and auditors (PASTA, Trike)
Natural fit
Disadvantages
Not centered around the application
Mapping assets to threats is difficult
What are the advantages and disadvantages of attacker-centric?
Advantages
Makes threats and attacks visible
Movie-plot threat brainstorming is fun
Good for penetration testing
Disadvantages
Easy to miss technical threats
Can be unrealistic
The most biased approach
Requires attacker thinking
Most teams do not have that level of security professional
What are the advantages and disadvantages of application-centric?
Advantages
Provides a common understanding of the application
Spreads knowledge
Disadvantages
Documentation is necessary
Difficult to see one's 'own' vulnerabilities
Threats may sound abstract
PASTA advantages vs disadvantages
Advantages
Great for business integration
Mature, well described
Lots of documentation
Tooling available
Disadvantages
Specialized input necessary
Time consuming
Each step generates output, so there are a lot of intermediate models
Output depends on dynamic input
Microsoft Threat Modeling details
Threat modeling framework
Often incorrectly called STRIDE; STRIDE is only its threat classification
Developer driven
Application-centric
Simple and lightweight
Practical approach
Plain language
Widely adopted
Advantages and disadvantages of Microsoft Threat Modeling
Advantages
Easy to pickup
easily integrated into SDLC
very flexible
Disadvantages
More practical than academic
STRIDE classification is redundant
Does not factor in business risks
Advantages and disadvantages of OCTAVE
Advantages
Improves risk-aware corporate culture
Creates an organization-wide risk overview
In-depth
Flexible
Disadvantages
Large and complex
Lots of paperwork
Requires "investment"
Advantages and disadvantages of Trike
Advantages
Automatically generates threats
Consistent results
Built-in tool
Disadvantages
Does not scale
No longer maintained (last update 2012)
What is the simplest threat modeling methodology?
VAST (Visual, Agile, and Simple Threat) modeling
Two threat model types
Targeted towards agile companies
Advantages
Very flexible
Scalable
Process flow diagrams are easier to work with than DFDs
Disadvantages
Not an open methodology
No public documentation or guidance
True or false: code reviews are always good
False
They are an amplifier: poor culture, personalities, etc. can make them harmful
What is an alternative to STRIDE?
DESIST
Dispute
Elevation of Privilege
Spoofing
Information Disclosure
Service Denial
Tampering
Within STRIDE, what are the two variants?
STRIDE per element (external entity, process, data store, data flow)
STRIDE per interaction
Focuses on the interactions between elements: follow each data flow and look at where elements meet
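The per-element variant and the DREAD scoring described earlier are mechanical enough to script. The block below is an added example, not part of the original flashcards or of any Microsoft tool: it applies the STRIDE-per-element table to a constructed data-flow diagram, then ranks the resulting threats with DREAD. The DFD, the element names, the DREAD ratings and the severity thresholds are all assumptions made for the demo.

```python
"""Added example, not from the original flashcards: STRIDE-per-element
enumeration over a small data-flow diagram, then DREAD scoring to rank the
threats. The DFD, element names, ratings and thresholds are constructed."""
from dataclasses import dataclass

# STRIDE-per-element table from the Microsoft SDL: which threat categories
# apply to which DFD element type. Repudiation applies to a data store only
# when it holds logs or audit records.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Constructed severity buckets for a 5..50 DREAD total (thresholds are an assumption)
SEVERITY_BUCKETS = ((40, "High"), (25, "Medium"), (0, "Low"))


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # one of the STRIDE_PER_ELEMENT keys
    holds_logs: bool = False


def enumerate_threats(elements):
    """Apply the per-element table: one (element, category) pair per applicable letter."""
    threats = []
    for el in elements:
        letters = STRIDE_PER_ELEMENT[el.kind]
        if el.kind == "data_store" and el.holds_logs:
            letters += "R"
        threats.extend((el.name, STRIDE_NAMES[c]) for c in letters)
    return threats


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD total: five factors rated 1..10 each, summed to a 5..50 score."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= f <= 10 for f in factors):
        raise ValueError("each DREAD factor must be rated 1..10")
    return sum(factors)


def severity(score):
    for floor, label in SEVERITY_BUCKETS:
        if score >= floor:
            return label
    return "Low"


def rank_threats(threats, ratings):
    """Score the threats that have a DREAD rating and sort highest first.
    ratings maps (element, category) -> (D, R, E, A, D); unrated threats are
    left out so the reviewer can see what still needs a rating."""
    ranked = []
    for key in threats:
        if key in ratings:
            s = dread_score(*ratings[key])
            ranked.append((s, severity(s), key[0], key[1]))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


# Constructed DFD for a login feature
SAMPLE_DFD = [
    Element("Browser", "external_entity"),
    Element("Login request", "data_flow"),
    Element("Auth service", "process"),
    Element("User DB", "data_store", holds_logs=True),
]
# Constructed DREAD ratings for three of the enumerated threats
SAMPLE_RATINGS = {
    ("Auth service", "Spoofing"): (9, 9, 8, 9, 7),
    ("User DB", "Information disclosure"): (10, 6, 5, 10, 4),
    ("Login request", "Tampering"): (5, 5, 5, 6, 3),
}

if __name__ == "__main__":
    for score, label, element, category in rank_threats(enumerate_threats(SAMPLE_DFD), SAMPLE_RATINGS):
        print(f"{score:2d} {label:6s} {element}: {category}")
```

Running it lists 15 candidate threats for the four elements (the data store picks up Repudiation only because it holds logs) and ranks the three rated ones 42/High, 35/Medium, 24/Low. Unrated threats are deliberately not scored as zero: a missing rating should surface as work left to do, not as a low-risk item.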
What are the deliverables of the Architecture phase (A2) of the SDL?
What is a pull request?
A request to merge your code into a branch.
Typically a review tool built around Git is used (such as GitHub or GitLab)
The person submitting a PR is the reviewee; if you leave comments you are a reviewer
What is a popular SAST tool that can be plugged into an IDE?
SonarLint
SonarQube - the server-side platform that SonarLint can connect to
How small should my pull requests be?
Around 500 lines of code, but decide on the limit with your team
What is the OIR rule?
Observe - "this function seems too long"
Impact - "it makes it hard for me to understand"
Request - "I suggest extracting it"
What is the difference between exceptions and errors?
Exceptions
Logic flaws
Endless loops
Unresolved conditions
Errors
Code mistakes
Syntax
Format of data
What are some non-functional tests?
Operating environment
Training
Support
Infrastructure and procedures
Reliability, performance, and scalability
Name common testing methodologies
OSSTMM - Open Source Security Testing Methodology Manual
ISO/IEC 27034 - application security, achieved through processes integrated into the SDLC
CMMI - assesses the maturity of processes; owned by ISACA
What does a primary key that cannot be null provide?
Entity integrity
No duplicates or nulls
What makes up referential integrity?
Foreign keys
A valid referential link
Sometimes these checks are turned off
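The ACID card earlier and the entity/referential integrity cards just above can be exercised against a real database. The block below is an added example, not from the original flashcards, using Python's built-in sqlite3: a transfer that fails any constraint is rolled back as a whole (atomicity, consistency), a NULL or duplicate primary key is rejected (entity integrity), and a transfer to a non-existent account is caught only when foreign keys are enforced, which illustrates the "sometimes turned off" caveat. The schema, account ids and balances are constructed; isolation and durability are not exercised here.

```python
"""Added example, not from the original flashcards: exercising atomicity,
entity integrity and referential integrity with Python's built-in sqlite3.
The schema, account ids and balances are constructed for the demo."""
import sqlite3


def open_db(enforce_fk=True):
    conn = sqlite3.connect(":memory:")
    # SQLite caveat: foreign keys are NOT enforced unless this pragma is on,
    # which is exactly the "sometimes those are turned off" case.
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript("""
        -- SQLite caveat: a non-INTEGER PRIMARY KEY may hold NULL unless
        -- NOT NULL is declared explicitly, so entity integrity needs both.
        CREATE TABLE accounts(
            id      TEXT PRIMARY KEY NOT NULL,
            owner   TEXT NOT NULL UNIQUE,
            balance INTEGER NOT NULL CHECK (balance >= 0)
        );
        CREATE TABLE transfers(
            id     INTEGER PRIMARY KEY,
            src    TEXT NOT NULL REFERENCES accounts(id),
            dst    TEXT NOT NULL REFERENCES accounts(id),
            amount INTEGER NOT NULL CHECK (amount > 0)
        );
        INSERT INTO accounts VALUES ('acc-1', 'alice', 100), ('acc-2', 'bob', 20);
    """)
    return conn


def balance(conn, acct_id):
    row = conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct_id,)).fetchone()
    return None if row is None else row[0]


def transfer(conn, src, dst, amount):
    """Move money between accounts in one transaction. Returns True on commit.
    Any constraint violation raises IntegrityError inside the 'with' block,
    which rolls back every statement of the transaction (atomicity) and
    leaves the balances as they were (consistency)."""
    try:
        with conn:
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            # If dst does not exist the UPDATE above silently touches 0 rows;
            # only the foreign key on transfers.dst catches the lost money.
            conn.execute("INSERT INTO transfers(src, dst, amount) VALUES (?, ?, ?)", (src, dst, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def insert_account(conn, acct_id, owner, initial_balance):
    """Entity integrity: a NULL or duplicate primary key is rejected."""
    try:
        with conn:
            conn.execute("INSERT INTO accounts VALUES (?, ?, ?)", (acct_id, owner, initial_balance))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = open_db()
    print(transfer(db, "acc-1", "acc-2", 30), balance(db, "acc-1"), balance(db, "acc-2"))  # True 70 50
    print(transfer(db, "acc-1", "acc-2", 500), balance(db, "acc-1"))                        # False 70
    print(transfer(db, "acc-1", "no-such-account", 10), balance(db, "acc-1"))               # False 70
    unsafe = open_db(enforce_fk=False)
    print(transfer(unsafe, "acc-1", "no-such-account", 10), balance(unsafe, "acc-1"))       # True 90
```

The last call is the one to remember: with foreign keys off, the debit commits, the credit hits nothing, and 10 units simply vanish without any error. Check the enforcement setting of whatever engine you test against before trusting a referential integrity test that "passed".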
What are the steps of Executing the Test Plan
Documentation
Verification
Validation
Who manages CVSS and CVE?
FIRST.org (CVSS) and MITRE (CVE)
What is the need for scripting in OWASP ZAP?
Custom weaknesses - specific to an app
Complicated authentication - beyond a plain form
Reusable security testing
Custom payloads
Automatic tampering
Which scripting languages are built into ZAP?
JavaScript
Zest - visual language
Python and Ruby via add-ons
What types of scripts are built into ZAP?
Stand-alone scripts - triggered manually
Targeted scripts - run manually against specific requests
Proxy scripts - triggered on every request and response passing through the proxy
HTTP Sender scripts - run on all requests ZAP sends, including scanner traffic
Active scan rules - send malicious payloads
Passive scan rules - inspect traffic without sending anything, e.g. detecting sensitive information
Input vector scripts - define where active scan payloads are injected
What are the add-on script types in ZAP?
Fuzzer HTTP Processor
Fuzzer WebSocket Processor
Payload Generator - generates malicious inputs
Payload Processor - transforms the inputs produced by the fuzzer
What is the scripting language built by the Mozilla security team?
Zest
Security and automation specific language
Written graphically; the JSON is auto-generated
What are the 3 important components of app scanning?
Spider - gathers inputs by following hyperlinks and submitting forms
Passive scanner - during spidering, passively analyzes HTTP requests and responses for insecure configuration, cookies, etc.
Active scanner - modifies HTTP requests with potentially harmful inputs and hammers the web app, e.g. SQL injection
Which 4 authentication schemes does ZAP support?
Manual authentication
HTTP/NTLM - Windows AD/LDAP
Form-based - most common
Script-based - JSON, OpenID
What is the vulnerability based on predictable IDs and broken access control?
Insecure Direct Object Reference (IDOR)
What is a set of tests that run quickly to check whether application areas are free of well-known software vulnerabilities?
Security regression testing
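An IDOR is clearest with the vulnerable lookup next to its fix. The block below is an added example, not from the original flashcards: a document handler that trusts the id from the request, the same handler with an ownership check, and an indirect-reference map as the second common mitigation. The document store, user names and ids are constructed; the `enumerate_ids` helper plays the attacker walking the id space.

```python
"""Added example, not from the original flashcards: an Insecure Direct Object
Reference in a document lookup, with the vulnerable handler beside a hardened
one and an indirect-reference map as a second mitigation. The document store,
users and ids are constructed."""
import secrets

# Constructed store with sequential, guessable ids (the "predictable IDs")
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's tax return"},
    2: {"owner": "bob", "body": "bob's medical record"},
    3: {"owner": "alice", "body": "alice's contract"},
}


class NotFound(Exception):
    pass


def get_document_vulnerable(current_user, doc_id):
    """Fetches by the id straight from the request and never checks ownership:
    any logged-in user can read any document by changing the number."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc["body"]


def get_document_hardened(current_user, doc_id):
    """Same lookup, but authorization is checked on the object itself.
    A foreign document and a missing one produce the same error, so an
    attacker cannot map the id space by telling 403 apart from 404."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        raise NotFound(doc_id)
    return doc["body"]


class IndirectReferenceMap:
    """Per-user opaque handles: the client only ever sees random tokens,
    and each token resolves only for the user it was issued to."""

    def __init__(self):
        self._handles = {}   # (user, token) -> real id

    def issue(self, user, doc_id):
        token = secrets.token_urlsafe(16)
        self._handles[(user, token)] = doc_id
        return token

    def resolve(self, user, token):
        try:
            return self._handles[(user, token)]
        except KeyError:
            raise NotFound(token) from None


def enumerate_ids(fetch, user, id_range):
    """Simulates an attacker walking the id space; returns the ids that leaked."""
    leaked = []
    for doc_id in id_range:
        try:
            fetch(user, doc_id)
            leaked.append(doc_id)
        except NotFound:
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_document_vulnerable, "bob", range(1, 10)))  # [1, 2, 3]
    print("hardened:  ", enumerate_ids(get_document_hardened, "bob", range(1, 10)))    # [2]
```

Note that the hardened handler still uses predictable ids; unpredictable ids alone are not a fix, because a leaked or shared link would still bypass authorization. The ownership check is the control, and the indirect map is defence in depth on top of it.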
How many languages does SonarQube support?
27 (the number varies by version and edition)
Continuous inspection is essential
What does SonarQube find?
Bugs
Code smells
Vulnerabilities
Security hotspots
SonarQube component details
Language sensors (per-language analyzers)
Sonar scanner - runs the analysis and sends the report to the server, which stores results in the DB for analytics
SonarQube server - processes the reports
Presents the artifacts in the UI
Prevents vulnerabilities from entering the codebase