Section 2: Software Requirements and Risks Flashcards

1
Q

What is the first phase of the Security Development Lifecycle (SDL)?

A

This phase (A1) is called a security assessment phase

Identifies the product risk profile and the needed SDL activities

2
Q

What is the part of the kickoff that addresses the often-overlooked data privacy requirements?

A

Privacy Impact Assessment

Before developing a PIA you will need to evaluate which regulatory, legislative, or policy requirements are applicable.

3
Q

What are the 4 C's of Privacy Design?

A

Comprehension
Consciousness
Control
Consent

4
Q

What are the Security Assessment (A1) key success factors and metrics?

A

As the first phase of the SDL, it is discovery in nature.

5
Q

What are the deliverables for A1?

A

Here is the list of key deliverables.

6
Q

What should be measured in every phase of the SDL?

A

Metrics such as:
Time in weeks until the software security team was looped in
Percent of stakeholder participation in SDL activities
Percent of security measures met

7
Q

What are the documented security requirements?

A

RTM - Requirements Traceability Matrix
Formal acceptance of risk by management

8
Q

What is the key tenet of the Zachman Framework?

A

Understand the business mission and goals first, then work top-down.

9
Q

What are other top-down planning models?

A

TOGAF
SABSA Model - security focus vs. business focus

10
Q

What type of test can we use to test a transactional database?

A

ACID test
One result at a time - Atomicity
Consistency with the application - Consistency
One record change at a time - Isolation
Transaction needs to be committed - Durability

11
Q

What are the 3 compliance requirements?

A

Legal - privacy, secrecy, IP, uptime, accuracy

Regulatory - enforced by agencies (federal, state, local)

Industry standards - PCI-DSS and PA-DSS, OWASP

12
Q

What is the most complex and difficult part of the SDL?

A

Threat Model and Architectural Security Analysis

13
Q

What is the purpose of the software security policy?

A

Define what needs to be protected and how.

14
Q

What are the 5 steps of threat modeling?

A

Identify security objectives
Survey the application
Decompose the application
Identify threats
Identify vulnerabilities

15
Q

In threat modeling, what do you use to break down your product architecture as the first step?

A

Data Flow Diagrams

16
Q

What are the STRIDE threat categories?

A

Spoofing of identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege

This is a threat categorization methodology that was popularized by Microsoft.

17
Q

What is DREAD an acronym for?

A

Components:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

Purpose: The DREAD model provides a systematic way to evaluate and prioritize risks based on these five factors. Each factor is scored, and the cumulative score helps in determining the severity of a particular risk.

18
Q

The use of __________ is a traditional approach to threat assessment and can help you identify additional potential threats.

A

Attack Trees and attack patterns

19
Q

What is the risk model used by Microsoft for assessing vulnerabilities?

A

DREAD
Damage
Reproducibility
Exploitability
Affected users
Discoverability

20
Q

Name another threat modeling methodology similar to STRIDE and DREAD.

A

Trike
The main difference is that it is a risk-based approach with a distinct implementation.

It allows for a high level of automation
It is a methodology as well as a tool
Targeted towards auditing teams
Asset-centric

21
Q

What is a newer application threat modeling methodology that is a seven-step process, aligns business objectives with technical requirements, and also takes into account compliance requirements and

A

PASTA
Seven-step process and platform agnostic

The threat-modeling tool called ThreatModeler supports this methodology.

Targeted towards medium to large organizations: mature companies with security knowledge

The outcome is geared towards management.

22
Q

What is the industry standard for assessing the severity of computer system security vulnerabilities?

A

Common Vulnerability Scoring System (CVSS)

Typically used by an internal software security group to respond to a security researcher or other source that has notified you that your software has a vulnerability.

23
Q

What is a complex risk methodology that originated from Carnegie Mellon University?

A

OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation

Risk analysis framework
Targeted towards large organizations
The largest and most complex, which is why OCTAVE-S was developed
OCTAVE Allegro - focuses on information assets
Asset-centric approach
Not pure threat modeling, since risks are mitigated
Does not focus on technical risks

24
Q

What are the key success factors for the second phase of the SDL?

A
25
Q

What are the 3 approaches to threat modeling?

A

Asset-Centric
Attacker-Centric
Application-Centric

26
Q

What is another name for the Asset-Centric approach?

A

Risk-Centric
If you don't know what to protect, how can you protect it?

27
Q

What are the advantages and disadvantages of Asset-Centric threat modeling?

A

Advantages
Centered around assets
Focused towards business impact
Well suited for risk assessment and auditors (PASTA, Trike)
Natural fit

Disadvantages
Not centered around the application
Mapping assets to threats is difficult

28
Q

What are the advantages and disadvantages of Attacker-Centric threat modeling?

A

Advantages
Makes threats and attacks visible
Movie-plot threat brainstorming is fun
Good for penetration testing

Disadvantages
Easy to miss technical threats
Can be unrealistic
The most biased approach
Attacker thinking is required
Most teams do not have that level of security professional

29
Q

What are the advantages and disadvantages of Application-Centric threat modeling?

A

Advantages
Provides a common understanding of the application
Spreads knowledge

Disadvantages
Documentation is necessary
Difficult to see your 'own' vulnerabilities
Threats may sound abstract

30
Q

What are the advantages and disadvantages of PASTA?

A

Advantages
Great for business integration
Mature and well described
Lots of documentation
Tooling available

Disadvantages
Specialized input is necessary
Time consuming
Each step generates output
A lot of intermediate models
Output depends on dynamic input

31
Q

What are the details of Microsoft Threat Modeling?

A

Threat modeling framework
Often incorrectly named STRIDE (STRIDE is the classification)
Developer driven
Application-centric
Simple and lightweight
Practical approach
Plain language
Widely adopted

32
Q

What are the advantages and disadvantages of Microsoft Threat Modeling?

A

Advantages
Easy to pick up
Easily integrated into the SDLC
Very flexible

Disadvantages
More practical than academic
STRIDE classification is redundant
Does not factor in business risks

33
Q

What are the advantages and disadvantages of OCTAVE?

A

Advantages
Improves risk-aware corporate culture
Creates an organization-wide risk overview
In-depth
Flexible

Disadvantages
Large and complex
Lots of paperwork
Requires "investment"

34
Q

What are the advantages and disadvantages of Trike?

A

Advantages
Automatically generates threats
Consistent results
Built-in tool

Disadvantages
Does not scale
Not maintained anymore (2012)

35
Q

What is the simplest threat modeling methodology?

A

Visual, Agile and Simple Threat modeling (VAST)
Two threat model types
Targeted towards agile companies

Advantages
Very flexible
Scalable
Process-flow diagrams are easier than DFDs

Disadvantages
Not an open methodology
No documentation or guidance

36
Q

True or false: code reviews are always good.

A

False
They are an amplifier: poor culture, personalities, etc. can make them bad.

37
Q

What is the alternative to STRIDE?

A

DESIST
Dispute
Elevation of Privilege
Spoofing
Information Disclosure
Service Denial
Tampering

38
Q

Within STRIDE, what are the two variants?

A

STRIDE per Element (external entity, process, data store, data flow)

STRIDE per Interaction
Focuses on the interactions between elements: follow the data flows and where they meet.

39
Q

What are the deliverables of the Architecture phase (A2) of the SDL?

A
40
Q

What is a pull request?

A

A request to merge your code into a branch.

Typically a review tool is used, such as Git.

The person submitting a PR is the reviewee; if you leave comments, you are a reviewer.

41
Q

What is a popular SAST tool that can be used as an IDE plug-in?

A

SonarLint
SonarQube

42
Q

How small should my pull requests be?

A

500 lines of code, but decide with your team.

43
Q

What is the OIR rule?

A

Observe - "this function seems too long"
Impact - "it makes it hard for me to understand"

Request - "I suggest extracting it"

44
Q

What is the difference between exceptions and errors?

A

Exceptions
Logic flaws
Endless loops
Unresolved

Errors
Code mistakes
Syntax
Format of data

45
Q

What are some non-functional tests?

A

Operating environment
Training
Support
Infrastructure and procedures

Reliability, performance, and scalability

46
Q

Name common testing methodologies.

A

OSSTMM - Open Source Security Testing Methodology Manual

ISO 27034 - objective: use process via the SDLC

CMMI - tests the maturity of processes (ISACA)

47
Q

What does having a record with a primary key that cannot be null provide?

A

That provides entity integrity.

No duplicates or nulls

48
Q

What makes up referential keys?

A

Foreign keys
Valid referential link

Sometimes those are turned off.

49
Q

What are the steps of executing the test plan?

A

Documentation
Verification
Validation

50
Q

Who manages CVSS and CVE?

A

FIRST.org and MITRE, respectively

51
Q

Why is scripting needed in OWASP ZAP?

A

Custom weaknesses - specific to an app
Complicated AuthN - beyond a plain form
Reusable security testing
Custom payloads
Automatic tampering

52
Q

What scripting languages are built into ZAP?

A

JavaScript
ZEST - visual language
Python and Ruby as add-ons

53
Q

What types of scripts are built into ZAP?

A

Stand Alone Scripts - triggered manually
Targeted Scripts - run manually against specific requests

Proxy Scripts - triggered every time
HTTP Sender Scripts - all requests

Active Scan Rules - send malicious requests
Passive Scan Rules - detect sensitive information

Input Vector Scripts

54
Q

What are the add-on script types in ZAP?

A

Fuzzer HTTP Processor
Fuzzer WebSocket Processor
Payload Generator - malicious input
Payload Processor - processes inputs based on the fuzzer

55
Q

What is the scripting language built by the Mozilla team?

A

ZEST
Security- and automation-specific language
Written graphically; the JSON is auto-generated

56
Q

What are the 3 important components of app scanning?

A

Spider - gathers inputs through hyperlink navigation and submitting forms

Passive Scanner - during spider activity it passively analyzes HTTP requests and responses for insecure configuration, cookies, etc.

Active Scanner - modifies HTTP requests with potentially harmful inputs; hammers the web app (e.g. SQL injection)

57
Q

What 4 schemes of authentication does ZAP support?

A

Manual Authentication
HTTP/NTLM - Windows AD/LDAP
Form Based - most common
Script Based - JSON, OpenID

58
Q

What is the vulnerability that is based on predictable IDs and broken access control?

A

Insecure Direct Object References Vulnerability

59
Q

What is a set of tests that run quickly to assess whether application areas are free from well-known software vulnerabilities?

A

Security Regression Testing

60
Q

How many languages does SonarQube support?

A

27

Continuous inspection is essential.

61
Q

What does SonarQube find?

A

Bugs
Code smells
Vulnerabilities
Hotspots

62
Q

What are the details of the SonarQube components?

A

Language sensor
Sonar scanner - sends results to the DB for analytics
SonarQube Server - performs the analysis
Presents artifacts in the UI

Prevents vulnerabilities from entering the codebase.