Section 4 - Software Testing Flashcards
What is the tool that is used to verify security in the code during the final phase of the SDL (A5)?
Vulnerability Scanning
Cost-effective and should be run at various times throughout the SDL
Is code-assisted penetration testing white box or black box?
White Box
This does require independence
What is the 4-phase process of penetration testing?
Assess
Identify
Evaluate and Plan
Deploy
What are the main activities during A5?
Policy Compliance Analysis
Open-Source Licensing review
Final Security Review
Final Privacy Review
What is the 4-step process of the Final Security Review in A5?
Assess Resource Availability
Identify Feature Eligibility
Evaluation and Plan for Remediation
Release and Ship
What last step before shipping is typically verified concurrently with the Final Security Review?
Final Privacy Review
Know the Privacy Impact Ratings
P1 - High privacy risk: stores or transfers PII
P2 - One-time, user-initiated sole transfer of data
P3 - No behaviors of privacy concern
What are the key success factors before you ship (A5)?
Final Review of Compliance requirements
Vulnerability Scanning
Penetration Testing
Final Open Source licenses review
Final Security Review
Final Privacy Review
Customer Engagement Framework
Final Deliverable of Ship Phase
Updated Compliance Analysis
Security Testing Report
Remediation Reports
Open-Source Licensing review report
Final Security/Privacy Report
Details on Customer Engagement
What is the difference between application security and software security?
Software security is about building secure software. Application security is about protecting software and the systems it runs on.
Where should the software security group sit within an organization?
A group of its own within engineering/software development, with a dotted-line relationship to the CSO/CISO
The preference is to report to the software quality group
Typical SDL Phases
A1 Concept
A2 Planning
A3 Design & Development
A4 Readiness
A5 Release & Launch
What is “technical debt”?
Money and resources needed to remediate legacy systems and code
What are the key success factors and deliverables post-release?
External Vulnerability disclosure response
Post-release certifications
Third-Party Reviews
Strategy/process for legacy code, M&A, and EOL
What are the top 4 software development environments into which you will deploy your SDL?
Agile - Iterative
DevOps - combining two disciplines with continuous integration/continuous delivery (CI/CD)
Cloud - mostly PaaS, REST and APIs
Digital Enterprise
What is the framework developed by OWASP, and how is it tailored?
OpenSAMM (Software Assurance Maturity Model)
Roadmap and well-defined model
96-page description of each core activity and its corresponding security process
Designed with flexibility in mind and can be used by organizations of all sizes
Governance
Construction
Verification
Deployment
These core activities together have 12 practices that determine overall maturity
Scoring is based on
0 - Starting point, unfulfilled
1 - Initial understanding and ad hoc
2 - Increased efficiency and/or effectiveness
3 - Comprehensive mastery
What are the 3 Governance core practices in OWASP OpenSAMM?
Strategy and Metrics
Policy and Compliance
Education and Guidance
What are the 3 Construction core practices in OWASP OpenSAMM?
Threat Assessment
Security Requirements
Secure Architecture
What are the 3 Verification core practices in OWASP OpenSAMM?
Design Review
Code Review
Security Testing
What are the 3 Deployment core practices in OWASP OpenSAMM?
Vulnerability Management
Environment Hardening
Operational Enablement
What is one of the main uses of OpenSAMM?
Help organizations build software security assurance programs
Which maturity model has a Software Security Group?
BSIMM
12 practices divided into 4 categories
Governance
Intelligence
SSDL touchpoints
Deployment
Which maturity model is focused on security education and mentoring versus policing for security errors?
BSIMM vs OpenSAMM
When should threat modeling take place in the SDL?
Design and architecture phase
What is a seven-step recipe for conducting threat modeling and application risk analysis?
SANS Institute Cyber Defense
What is a method/technique for brainstorming threats from adversaries?
STRIDE
Risk analysis would be DREAD
What global knowledge base of tactics and techniques can be used to save time protecting IT assets?
MITRE ATT&CK and D3FEND
D3FEND is a knowledge base framework providing defensive techniques