Section 4 - Software Testing Flashcards
What is the tool that is used to verify security in the code during the final phase of the SDL (A5)?
Vulnerability Scanning
Cost-effective and should be run at various times throughout the SDL
Is Code-Assisted Penetration Testing white box or black box?
White Box
This does require independence
What is the 4-phase process of penetration testing?
Assess
Identify
Evaluate and Plan
Deploy
What are the main activities during A5?
Policy Compliance Analysis
Open-Source Licensing review
Final Security Review
Final Privacy Rule
What is the 4-step process of the Final Security Review in A5?
Assess Resource Availability
Identify Feature Eligibility
Evaluation and Plan for Remediation
Release and Ship
What last step before shipping is typically verified concurrently with the Final Security Review?
Final Privacy Review
Know Privacy Impact Rating
P1 - High Privacy Risk: stores or transfers PII
P2 - One-time, user-initiated sole transfer of data
P3 - No behaviors of privacy concern
What are the key success factors before you Ship (A5)?
Final Review of Compliance requirements
Vulnerability Scanning
Penetration Testing
Final Open Source licenses review
Final Security Review
Final Privacy Review
Customer Engagement Framework
Final Deliverable of Ship Phase
Updated Compliance Analysis
Security Testing Report
Remediation Reports
Open-Source Licensing review report
Final Security/Privacy Report
Details on Customer Engagement
What is the difference between Application and Software security?
Software security is about building secure software. Application security is about protecting software and the systems it runs on.
Where should the software security group sit within an organization?
A group of its own within engineering/software development with dotted-line relationship to CSO/CISO
Preference is to report to the software quality group
Typical SDL Phases
A1 Concept
A2 Planning
A3 Design & Development
A4 Readiness
A5 Release & Launch
What is “technical debt”?
Money and resources needed to remediate legacy systems and code
What are the key success factors and deliverables Post Release?
External Vulnerability disclosure response
Post Release Certs
Third Party Reviews
Strategy/process for legacy code, M&A, EOL
What are the top 4 software development environments in which you will deploy your SDL?
Agile - Iterative
DevOps - combining two disciplines with continuous integration (CI/CD)
Cloud - Mostly PaaS - REST and APIs
Digital Enterprise
What is the framework developed by OWASP and how is it tailored?
OpenSAMM (Software Assurance Maturity Model)
Roadmap and well-defined model
96-page description of each core activity and corresponding security process
Designed with flexibility in mind and can be used by organizations of all sizes
Governance
Construction
Verification
Deployment
Each of these core activities has 12 practices that determine overall maturity
Scoring is based on:
0 - Starting point and unfulfilled
1 - Initial understanding and ad hoc
2 - Increased efficiency and/or effectiveness
3 - Comprehensive mastery