Secure Lifecycle Flashcards
1
Q
SDLC phases
A
- Requirement Analysis
- Design
- Implementation
- Testing
- Evolution
- Repeat
2
Q
SDLC: Requirement analysis
A
- Define scope of project and security/privacy boundaries
- Define security specification, identify assets, assess environment, and specify use/abuse cases
-> Threat modeling
-> Security requirements
-> Third party dependencies
3
Q
SDLC: Design
A
- The classic design phase focuses on functionality requirements
-> here we make security concerns an integral part of the analysis - Continuously update threat model as requirements change
- Security design review
- Design documentation
4
Q
SDLC: Implementation
A
- During implementation, the design may be slightly refined and the security documents must be updated accordingly along with continuous reviews and analysis
-> Code reviews
-> Static analysis
-> Vulnerability scanning
-> Unit tests
-> Accountability (version control)
-> Coding standards
-> Continuous integration
5
Q
SDLC: Testing
A
- Completed components are rigorously tested before they are finally integrated into the prototype
-> Fuzzing
-> Dynamic analysis
-> Third party penetration testing
6
Q
SDLC: Release
A
- Before release of the final prototype, verify the base assumptions from the initial requirement analysis and design
-> Security review
-> Privacy review
-> Review all licensing agreements
7
Q
SDLC: Maintenance
A
- After shipping software, continuously maintain security properties
-> Track third-party software
-> Provide vulnerability disclosure contacts
-> Regression testing
-> Deploy updates securely
