Section 4 - Software Testing Flashcards

1
Q

What is the tool that is used to verify security in the code during the final phase of the SDL (A5)?

A

Vulnerability Scanning

Cost-effective, and it should be run at various times throughout the SDL, not only in A5

2
Q

Is code-assisted penetration testing white box or black box?

A

White Box

This still requires independence (the testers must be independent of the development team)

3
Q

What is the four-phase process of penetration testing?

A

Assess
Identify
Evaluate and Plan
Deploy

4
Q

What are the main activities during A5?

A

Policy Compliance Analysis
Open-Source Licensing Review
Final Security Review
Final Privacy Review

5
Q

What is the four-step process of the Final Security Review in A5?

A

Assess Resource Availability
Identify Feature Eligibility
Evaluate and Plan for Remediation
Release and Ship

6
Q

What last step before shipping is typically verified concurrently with the Final Security Review?

A

Final Privacy Review

Know the Privacy Impact Ratings:
P1 High Privacy Risk - the feature stores or transfers PII

P2 Moderate Privacy Risk - a one-time, user-initiated, anonymous transfer of data

P3 Low Privacy Risk - no behaviors of privacy concern

7
Q

What are the key success factors before you ship (A5)?

A

Final Review of Compliance Requirements

Vulnerability Scanning
Penetration Testing
Final Open-Source Licensing Review
Final Security Review
Final Privacy Review
Customer Engagement Framework

8
Q

What are the final deliverables of the Ship phase (A5)?

A

Updated Compliance Analysis
Security Testing Report
Remediation Reports
Open-Source Licensing Review Report
Final Security/Privacy Report
Details on Customer Engagement

9
Q

What is the difference between application security and software security?

A

Software security is about building secure software: security is designed and built in during development. Application security is about protecting software and the systems it runs on after the software has been built.

10
Q

Where should the software security group sit within an organization?

A

As a group of its own within engineering/software development, with a dotted-line relationship to the CSO/CISO

Alternative preference: reporting to the software quality group

11
Q

What are the typical SDL phases?

A

A1 Concept
A2 Planning
A3 Design & Development
A4 Readiness
A5 Release & Launch

12
Q

What is "technical debt"?

A

The money and resources required to remediate legacy systems and code

13
Q

What are the key success factors and deliverables post-release?

A

External Vulnerability Disclosure Response
Post-Release Certifications
Third-Party Reviews
Strategy/Process for Legacy Code, M&A, and End of Life (EOL)

14
Q

What are the top four software development environments in which you will deploy your SDL?

A

Agile - iterative development
DevOps - combining development and operations, with continuous integration/continuous delivery (CI/CD)
Cloud - mostly PaaS; REST and APIs
Digital Enterprise

15
Q

What is the software assurance framework developed by OWASP, and how is it tailored?

A

OpenSAMM (Software Assurance Maturity Model)

A roadmap and well-defined model
A 96-page description of each core activity and its corresponding security processes

Designed with flexibility in mind; can be used by organizations of all sizes

Four core business functions:
Governance
Construction
Verification
Deployment

Each of these four core functions has three security practices (12 practices in total), and the practice scores together determine overall maturity

Each practice is scored on a 0-3 scale:
0 - starting point, unfulfilled
1 - initial understanding and ad hoc provision
2 - increased efficiency and/or effectiveness
3 - comprehensive mastery at scale

16
Q

What are the 3 Governance core practices in OWASP OpenSAMM?

A

Strategy and Metrics
Policy and Compliance
Education and Guidance

17
Q

What are the 3 Construction core practices in OWASP OpenSAMM?

A

Threat Assessment
Security Requirements
Secure Architecture

18
Q

What are the 3 Verification core practices in OWASP OpenSAMM?

A

Design Review
Code Review
Security Testing

19
Q

What are the 3 Deployment core practices in OWASP OpenSAMM?

A

Vulnerability Management
Environment Hardening
Operational Enablement

20
Q

What is one of the main uses of OpenSAMM?

A

Helping organizations build software security assurance programs

21
Q

Which maturity model has a Software Security Group (SSG)?

A

BSIMM (Building Security In Maturity Model)

12 practices divided into 4 domains:

Governance
Intelligence
SSDL Touchpoints
Deployment

22
Q

Which maturity model is focused on security education and mentoring rather than policing for security errors?

A

BSIMM, as contrasted with OpenSAMM

23
Q

When should threat modeling take place in the SDL?

A

During the design and architecture phase

24
Q

What is a seven-step recipe for conducting threat modeling and application risk analysis?

A

SANS Institute Cyber Defense

25
Q

What is a method/technique for brainstorming threats from adversaries?

A

STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)

Risk ranking of the identified threats would be DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)

26
Q

What global knowledge base of adversary tactics and techniques can be used to save time protecting IT assets?

A

MITRE ATT&CK and D3FEND

ATT&CK catalogs adversary tactics and techniques; D3FEND is the companion knowledge base of defensive techniques (countermeasures)
