Section 4 - Software Testing

Question 1

What is the tool that is used to verify security in the code during the final Phase of SDL (A5)

Answer 1

Vulnerability Scanning

cost effective and should be run at various times through the SDL

Question 2

Is Code-Assisted Penetration Testing White or black box

Answer 2

White Box

This does require indpepndence

Question 3

What are the 4 phase process of penetration testing

Answer 3

Assess
Identify
Evaluate and Plan
Deploy

Question 4

What are the main activities during A5

Answer 4

Policy Compliance Analysis
Open-Source Licensing review
Final Security Review
Final Privacy Rule

Question 5

What is the 4-step process of the Final Security Review in A5

Answer 5

Assess Resource Availability
Identify Feature Eligibility
Evaluation and Plan for Remediation
Release and Ship

Question 6

What last step before shipping is typically verified concurrently with final security review

Answer 6

Final Privacy Review

Know Privacy Impact Rating
P1 High Privacy Risk - stores or transfers PII

P2 - One time user initiated sole transfer of data

P3 - no behaviors of privacy concerns

Question 7

What are the key success factors before you Ship (A5)

Answer 7

Final Review of Compliance requirements

Vulnerability Scanning
Penetration Testing
Final Open Source licenses review
Final Security Review
Final Privacy Review
Customer Engagement Framework

Question 8

Final Deliverable of Ship Phase

Answer 8

Updated Compliance Analysis
Security Testing Report
Remediation Reports
Open-Source Licensing review report
Final Security/Privacy Report
Details on Customer Engagement

Question 9

What is the difference between Application and Software security

Answer 9

software security is about building secure software. Application security is about protecting software and the systems it runs on

Question 10

Where should the software security group sit within an organization

Answer 10

A group of its own within engineering/software development with dotted-line relationship to CSO/CISO

Preference is to report to the software quality group

Question 11

Typical SDL Phases

Answer 11

A1 Concept
A2 Planning
A3 Design & Development
A4 Readiness
A5 Release & Launch

Question 12

What is “technical debt”

Answer 12

money and resources to remediate legacy systems and code

Question 13

What are the key success factors and deliverables Post Release

Answer 13

External Vulnerability disclosure response
Post Release Certs
Third Party Reviews
Strategy/proces for legacy code, M&A, EOL

Question 14

What are the top 4 Software Dev Environments that you will deploy your SDL

Answer 14

Agile - Iterative
DevOps - combining two disciplines with continuous integration (CI/CD)
Cloud - Mostly PaaS - REST and API’s
Digital Enterprise

Question 15

What is the framework developed by OWASP and how is it tailored.

Answer 15

OpenSAMM (Software Assurance Maturity Model)

Roadmap and well defined model
96 page description of each core activity and corresponding security process

Designed with flexibility in mind and can be used by all size organizations

Governance
Construction
Verification
Deployment

Each of these core activities have 12 practices that determine overall maturity

Scoring based on
0 - starting point and unfulfilled
1 - Initial understand and add hoc
2 - Increase efficient and/or effective
3 - comprehensive mastery

Question 16

What are the 3 Governance Core Practices in OWASP OpenSAMM

Answer 16

Strategy and Metrics
Policy and Compliance
Education and Guidance

Question 17

What are the 3 Construction Core Practices in OWASP OpenSAMM

Answer 17

Threat Assessment
Security Requirements
Secure Architecture

Question 18

What are the 3 Verification Core Practices in OWASP OpenSAMM

Answer 18

Design Review
Code Review
Security Testing

Question 19

What are the 3 Deployment Core Practices in OWASP OpenSAMM

Answer 19

Vulnerability Management
Environment Hardening
Operational Enablement

Question 20

What is one of the main uses of OpenSAMM

Answer 20

Help organizations build software security assurance programs

Question 21

Which maturity model has a Software Security Group

Answer 21

BSIMM

12 practices divided in 4 categories

Governance
Intelligence
SSDL touchpoints
Deployment

Question 22

Which maturity model is focused on security education and mentoring vs policing for security errors

Answer 22

BSIMM vs OpenSAMM

Question 23

When should threat modeling take place in SDL

Answer 23

Design and Architectural phase

Question 24

What is a seven step recipe for conducting threat modeling and application risk analysis

Answer 24

SANs Insitute Cyber Defense

Question 25

What is a method/technique for brainstorming threats from advesearies

Answer 25

STRIDE

Risk analysis would be DREAD

Question 26

What global knowledge base of tactics and teqniques can be used to save time protecting IT assets

Answer 26

MITRE ATT&CK and D3FEND

D3FEND is a knowledge base framework providing defensive techniques