Software Development and Testing Flashcards
Supply chain risk management in the development and testing phase involves
The validation of conformance to requirements, code review, access control of code repositories, assuring the integrity of the build tools and environment, and testing for secure code.
Conformance to stated security requirements must be validated and verified; this can be accomplished using
Regression tests, penetration tests, and certification & accreditation (C&A) activities.
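As an added example (not part of the original flashcards), here is what a security regression test for one stated requirement looks like in practice. The requirement, the handler and the test cases are assumptions made for illustration: a download handler must only serve files beneath a document root, a traversal defect was fixed there once, and the suite keeps failing the build if that fix is ever undone.

```python
"""Security regression test for a stated security requirement (added example)."""
import posixpath

# Assumed requirement (not from the flashcards): the download handler must
# only serve files beneath DOCUMENT_ROOT. The traversal bug here was fixed
# once; this suite keeps the build red if anyone regresses it.
DOCUMENT_ROOT = "/srv/app/public"


def resolve_download_path(root, requested):
    """Map a user-supplied path to a file under root, or raise ValueError."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    # join() discards root when `requested` is absolute, and normpath()
    # collapses "..", so a single commonpath check catches both escapes.
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("requested path escapes the document root")
    return candidate


# (requested path, expected resolved path, or None if it must be rejected)
REGRESSION_CASES = [
    ("index.html", "/srv/app/public/index.html"),
    ("docs/../index.html", "/srv/app/public/index.html"),
    ("../../../etc/passwd", None),
    ("/etc/passwd", None),
    ("docs/..\x00/etc/passwd", None),
    ("..", None),
]


def run_security_regression_suite():
    """Return {requested_path: passed}. Any False is a failed requirement."""
    results = {}
    for requested, expected in REGRESSION_CASES:
        try:
            got = resolve_download_path(DOCUMENT_ROOT, requested)
            results[requested] = (got == expected)
        except ValueError:
            results[requested] = (expected is None)
    return results


if __name__ == "__main__":
    for case, passed in run_security_regression_suite().items():
        print("PASS" if passed else "FAIL", repr(case))
```

The point of keeping the rejected inputs in the suite is that a later "simplification" of the handler (for example dropping the normalisation step) is caught by the build rather than by a penetration test months later.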
Security code review
It validates and verifies the integrity of the software code, components, and configurations in a software supply chain.
How is malicious code and logic detected? This includes malware such as embedded backdoors, logic bombs, and Trojan horses implanted in the code.
Through security code review covering the code, its components, and its configurations.
Some recommended strategies for effective security code reviews are:
Perform a code review on changed or modified code before approving it to be checked back into the version control system; perform a code review on exercised code paths; partner with the supplier's development team members; document the detected vulnerable code issues and malicious code threats in an issue tracking database.
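The two cards above (detecting implanted backdoors and logic bombs, and reviewing only the changed code before it is checked in) can be combined into one small triage tool. The following is an added example, not code from the flashcards or from any real project: it parses a unified diff, scans only the added lines, and emits issue-tracker style records. The diff, the file names and the indicator patterns are all constructed for illustration; the patterns are heuristics to point a human reviewer at suspicious lines, not proof of malice.

```python
"""Review only the changed code in a diff for malicious-code indicators (added example)."""
import re

# Constructed sample diff (not from any real project): a hardcoded login
# bypass, a date-triggered destructive action and an obfuscated payload.
SAMPLE_DIFF = """\
diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -10,3 +10,8 @@ def login(user, password):
     if not user:
         return False
+    # maintenance access
+    if user == "support" and password == "Tr0ub4dor&3":
+        return True
+    if datetime.date.today() > datetime.date(2025, 1, 1):
+        os.remove("/var/lib/app/ledger.db")
     return check_hash(user, password)
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -3,2 +3,3 @@ import base64
 def load_plugin(name):
-    return importlib.import_module(name)
+    blob = PLUGINS.get(name, "")
+    return exec(base64.b64decode(blob))
"""

# Indicator patterns (assumed heuristics, not an authoritative list).
INDICATORS = {
    "hardcoded credential (possible backdoor)": re.compile(r'password\s*==\s*["\']'),
    "date/time trigger (possible logic bomb)": re.compile(r'\b(today|now)\(\)\s*[<>]'),
    "dynamic code execution": re.compile(r'\b(eval|exec)\s*\('),
    "base64-decoded payload (obfuscation)": re.compile(r'b64decode\s*\('),
    "destructive file operation": re.compile(r'\b(os\.remove|os\.unlink|shutil\.rmtree)\s*\('),
}

HUNK_RE = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')


def added_lines(diff_text):
    """Yield (file, new_line_number, code) for every line the diff adds."""
    current_file, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("diff "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # first line number in the new file
            continue
        if current_file is None:
            continue
        if raw.startswith("+"):
            yield current_file, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):
            pass  # removed line: consumes no new-file line number
        else:
            new_line += 1  # unchanged context line


def review_changed_code(diff_text):
    """Scan only the added lines; return records ready for an issue tracker."""
    findings = []
    for path, line_no, code in added_lines(diff_text):
        for title, pattern in INDICATORS.items():
            if pattern.search(code):
                findings.append({"file": path, "line": line_no,
                                 "indicator": title, "code": code.strip()})
    return findings


if __name__ == "__main__":
    for f in review_changed_code(SAMPLE_DIFF):
        print(f"{f['file']}:{f['line']}  {f['indicator']}  |  {f['code']}")
```

Restricting the scan to added lines keeps the review focused on what the change introduces, which is the card's "review the changed code before it is checked in"; the context lines are still parsed because they are needed to keep the new-file line numbers right for the tracker record.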
How is the code repository protected?
In addition to physical security and disaster recovery controls: hardening of the repository servers to mitigate remote theft and tampering, least privilege configuration of those servers, and access control lists (ACLs) on the repositories.
Static Source Code Analyzers
Examine the source code to find weaknesses that can lead to exploitable vulnerabilities. E.g. bugScout, Clang Static Analyzer, CodeCenter, CodeSecure, Coverity SAVE, FindBugs, FindSecurityBugs, Rational AppScan Source Edition, Rough Auditing Tool for Security (RATS), Source Code Analyzer (Fortify), HP QAInspect
Static Byte Code Scanners
Detect vulnerabilities in the compiled byte code (e.g. Java or .NET) rather than in the source. E.g. FindBugs, FxCop, Gendarme, and Moonwalker.
Static Binary Code Scanners
Detect vulnerabilities through disassembly and pattern recognition of the compiled binary. Advantages: (I) the source code is not needed and (II) vulnerabilities introduced by the compiler (for example a security check or a clearing of secrets optimized away) can be detected, which source analysis cannot see. E.g. IDA Pro, SecurityReview (Veracode), and Microsoft's CAT.NET.
Dynamic Vulnerability Scanning Tools
Scan networks and software applications for exploitable weaknesses at runtime, i.e. when the software is operational. E.g. Nessus, Core Impact, NeXpose, QualysGuard, GFI LanGuard, and SAINT.
Web application vulnerability scanners
Tools used to automatically scan for and detect web application vulnerabilities such as injection flaws, scripting issues, session mismanagement, cookie poisoning and theft, request forgeries, framework vulnerabilities, weak cryptographic functions, hidden form field manipulation, fail-open authentication, and information disclosure threats. E.g. BurpSuite, w3af, Nikto, Paros proxy, AppScan, HP WebInspect, Samurai Web Testing Framework (Samurai WTF).
Malware Detection and Combat Tools
They are used to discover the presence of malicious software (malware) or malicious code (malcode), such as computer viruses, worms, Trojan horses, spyware, adware, logic bombs, and backdoors, in code, scripts, or content, and to remove them. E.g. Microsoft Baseline Security Analyzer (MBSA), Sysinternals Process Explorer (Microsoft), Trend Micro's HijackThis, Microsoft's Malicious Software Removal Tool (MSRT), SUPERAntiSpyware, Malwarebytes Anti-Malware (MBAM).
Security Compliance Validation Tools
They are used to determine how well a prescribed security plan complies with regulatory or privacy mandates. E.g. PCI DSS Self-Assessment Questionnaire (SAQ).
Which controls should be in place to manage software supply chain risks during the acceptance phase of the acquisition lifecycle?
Anti-tampering resistance controls, and authenticity and anti-counterfeiting controls.
What are Anti-Tampering Resistance and Controls?
When software is published and disseminated in a supply chain, it is important to make sure that it cannot be tampered with, and that if it is tampered with, the tampering is detected and can be reversed.
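As an added example (not part of the flashcards), the following shows the two halves of that card in code: detecting tampering with a published release, and reversing it. The publisher hashes every artifact into a manifest and signs the manifest; the consumer verifies the signature first, then every file. The release contents are constructed, and the HMAC with a shared key is an assumption that stands in for a real code-signing (asymmetric) signature so that the example runs offline with the standard library only.

```python
"""Anti-tampering check for a published software release (added example)."""
import hashlib
import hmac
import json

# Assumption: a shared key stands in for the publisher's code-signing key so
# the example runs offline; a real release uses an asymmetric signature.
SIGNING_KEY = b"example-publisher-key-not-for-production"


def _canonical(digests):
    # Stable serialisation so the signature covers exactly one byte string.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files):
    """Publisher side: hash every artifact and sign the list of hashes."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    signature = hmac.new(SIGNING_KEY, _canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "signature": signature}


def verify_manifest_signature(manifest):
    expected = hmac.new(SIGNING_KEY, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["signature"])


def find_tampered(files, manifest):
    """Consumer side: check the signature, then every artifact.

    Returns the names of files that are modified, missing, or not listed in
    the manifest (an added payload is tampering too).
    """
    if not verify_manifest_signature(manifest):
        raise ValueError("manifest signature invalid: refuse to accept release")
    tampered = []
    for name, expected_digest in manifest["files"].items():
        data = files.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected_digest:
            tampered.append(name)
    tampered.extend(sorted(set(files) - set(manifest["files"])))
    return tampered


def restore(files, manifest, trusted_copy):
    """Reverse tampering: replace affected files from an escrowed, verified copy
    and drop files the manifest never listed."""
    repaired = dict(files)
    for name in find_tampered(files, manifest):
        if name in trusted_copy:
            repaired[name] = trusted_copy[name]
        else:
            repaired.pop(name, None)
    return repaired


# Constructed scenario (not a real release): the attacker modifies app.py,
# drops an extra binary, and rewrites the manifest's hash for app.py but
# cannot re-sign the manifest.
RELEASE = {"app.py": b"print('hello')\n", "config.yaml": b"debug: false\n"}
MANIFEST = build_manifest(RELEASE)
TAMPERED = {**RELEASE, "app.py": b"print('hello'); import os\n", "helper.so": b"\x7fELF..."}
FORGED_MANIFEST = {
    "files": {**MANIFEST["files"], "app.py": hashlib.sha256(TAMPERED["app.py"]).hexdigest()},
    "signature": MANIFEST["signature"],
}


def signature_rejects_forgery():
    """True when a manifest edited without the key is refused outright."""
    try:
        find_tampered(TAMPERED, FORGED_MANIFEST)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("tampered:", find_tampered(TAMPERED, MANIFEST))
    print("after restore:", find_tampered(restore(TAMPERED, MANIFEST, RELEASE), MANIFEST))
    print("forged manifest rejected:", signature_rejects_forgery())
```

Note the ordering: the signature is checked before any file hash is trusted, because a manifest the attacker can rewrite would simply be updated to match the tampered files. Reversibility depends on having a known-good copy (here `trusted_copy`) held outside the distribution channel.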