Topic 1 Flashcards
What does Confidentiality assure?
Assures that only authorized individuals are able to view information.
What does Availability assure?
Assures that the data or the systems, are available for the authorized user when required.
What does Integrity assure?
Assures that only authorized individuals are able to change information.
List the two CIA extensions
Non-repudiation (assures that a party cannot later deny having sent or received a communication) and Authenticity (assures the identity of the communicating party).
Define vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Define threat
Any circumstance or event with the potential to adversely impact organizational operations and assets, or individuals, through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
What is Application Security?
Measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
List the Secure Design Considerations
**Least Privilege**
– Allow each user/process the minimum privileges needed to do its work.
**Separation of Duties**
– Assign different people as programmer and code reviewer.
**Defense in Depth**
– Design software that does not fail completely when one security mechanism is broken: layer redundant controls so that a single bypass is not enough.
**Fail Secure**
– Design your program to recover or terminate safely upon any form of failure, defaulting to deny rather than allow.
**Psychological Acceptability**
– Security protection mechanisms should be easy to use, or users will work around them.
Example of a Secure Design Process
Threat Modelling: systematically identify and rate the threats most likely to affect your system, so that mitigations can be prioritised by risk.
Threat Modeling Steps
- Defining security requirements
- Creating an application diagram
- Identify the threats (e.g. with STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)
- Mitigating threats
- Validating that the threats have been mitigated
List some of the Common Software Vulnerabilities
– Buffer overflows
– Unvalidated input
– Race conditions
– Access-control problems
– Weaknesses in authentication, authorization, or cryptographic implementations
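The race-condition entry above is the classic check-then-act (TOCTOU) bug. The following is an added example, not code from the original flashcards: a constructed scenario on a POSIX filesystem where the attacker has planted a dangling symlink under the name the program will use, which is exactly the state the program sees when the attacker wins the race window. `write_report_unsafe` checks for existence and then opens, so the write is redirected through the symlink; `write_report_safe` creates atomically with `O_CREAT|O_EXCL`, so there is no window. Function names, file names and the temp-directory layout are assumptions made for the demo.

```python
import os
import tempfile


def write_report_unsafe(path: str, data: str) -> None:
    """Check-then-act (TOCTOU): the existence check and the open() are two
    separate syscalls. os.path.exists() follows symlinks and returns False for
    a dangling one, so an attacker who plants <path> -> <victim> in the window
    between the check and the open makes open() create and write <victim>."""
    if os.path.exists(path):                 # time of check
        raise FileExistsError(path)
    with open(path, "w") as f:               # time of use: follows the symlink
        f.write(data)


def write_report_safe(path: str, data: str) -> None:
    """Atomic create: O_CREAT|O_EXCL makes the kernel fail if anything already
    occupies the name, a symlink included, so there is no window to race.
    O_NOFOLLOW is added where the platform defines it, and mode 0o600 applies
    least privilege to the new file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario (assumption: POSIX filesystem with symlinks): the
    attacker's dangling symlink is planted before the call, which is the state
    the victim program sees when the attacker wins the race."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")   # file the attacker wants written
        link = os.path.join(d, "report.txt")     # name the victim program uses
        os.symlink(victim, link)                 # dangling: victim.txt does not exist yet
        write_report_unsafe(link, "attacker-chosen content")
        results["unsafe_wrote_victim"] = os.path.isfile(victim)
        with open(victim) as f:
            results["victim_content"] = f.read()

        victim2 = os.path.join(d, "victim2.txt")
        link2 = os.path.join(d, "report2.txt")
        os.symlink(victim2, link2)
        try:
            write_report_safe(link2, "attacker-chosen content")
            results["safe_refused"] = False
        except OSError:                          # EEXIST: the name is already taken by the symlink
            results["safe_refused"] = True
        results["safe_wrote_victim"] = os.path.exists(victim2)
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is not a faster check but the removal of the check: the kernel's `O_EXCL` decision and the creation happen in one operation, which is the same reason `mkstemp` replaced `mktemp`.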
List some examples of Defensive Coding Practices
- Attack Surface Evaluation and Reduction
- Input Validation
- Canonicalization
- Use of Recommended Cryptographic Algorithms
- Exception Management
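Input Validation, Canonicalization and Exception Management from this list, the Unvalidated input entry in the vulnerability list, and the Fail Secure design consideration all meet in one common bug: path traversal in a file-serving routine. The following is an added example, not code from the original flashcards. `read_document_unsafe` trusts the caller's name; `read_document_safe` allow-lists the name, canonicalizes both the root and the target with `Path.resolve` before comparing them, and turns every failure into the same denial. The document layout, file contents and function names are constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Allow-list for document names: letters, digits, '_', '.', '-' and '/'.
# '..' still matches on purpose: the canonical-path check below must catch it.
NAME_RE = re.compile(r"[A-Za-z0-9_.\-/]{1,255}")


def read_document_unsafe(root: str, name: str) -> bytes:
    """Uses the caller-supplied name as-is: '../secret.txt' walks out of root
    and a symlink inside root reads whatever it points at."""
    with open(os.path.join(root, name), "rb") as f:
        return f.read()


def read_document_safe(root: str, name: str) -> bytes:
    """Validate the input, canonicalize the path, check containment, and
    fail secure: every error becomes the same denial."""
    try:
        # Input validation: reject shapes a document name never has (NUL, spaces, ...).
        if not NAME_RE.fullmatch(name):
            raise ValueError("name fails allow-list")
        # Canonicalization: resolve symlinks and '..' on both sides before
        # comparing; strict=True also rejects names that do not exist.
        base = Path(root).resolve(strict=True)
        target = (base / name).resolve(strict=True)
        # Containment check on canonical paths, never on the raw string.
        if base not in target.parents:
            raise PermissionError("canonical path is outside root")
        return target.read_bytes()
    except Exception:
        # Fail secure (exception management): bad input, missing file,
        # symlink escape and I/O errors all collapse into one denial that
        # leaks nothing about why.
        raise PermissionError("access denied") from None


def demo() -> dict:
    """Constructed layout in a temp dir (assumption: POSIX symlinks):
    docs/readme.txt (public), secret.txt outside docs, and
    docs/link.txt -> secret.txt (a misplaced or attacker-planted symlink)."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        root = os.path.join(d, "docs")
        os.mkdir(root)
        Path(root, "readme.txt").write_bytes(b"public")
        secret = Path(d, "secret.txt")
        secret.write_bytes(b"TOP SECRET")
        os.symlink(secret, os.path.join(root, "link.txt"))
        out["unsafe_traversal"] = read_document_unsafe(root, "../secret.txt")
        out["unsafe_symlink"] = read_document_unsafe(root, "link.txt")
        out["safe_normal"] = read_document_safe(root, "readme.txt")
        for case, name in (("safe_traversal", "../secret.txt"),
                           ("safe_symlink", "link.txt"),
                           ("safe_nul", "readme.txt\0"),
                           ("safe_missing", "nope.txt")):
            try:
                read_document_safe(root, name)
                out[case] = "ALLOWED"
            except PermissionError:
                out[case] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

Note the order: validate the raw input first, then canonicalize, then authorize on the canonical form. Comparing the raw string against the root (a `startswith` check) is the usual mistake, because `..` segments and symlinks only show their true target after resolution.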
Secure Software Processes (during Implementation)
**Version Control**
– Tracks every change to the code base with its author and history; in lock-based (pessimistic) systems, code checked out by one person cannot be changed by anyone else until it has been checked in.
**Code Analysis**
– Inspecting code for exploitable weaknesses
– Static Code Analysis: inspection without code execution (e.g. Fortify)
– Dynamic Code Analysis: inspection during code execution (e.g. BoundsChecker)
**Code/Peer Review**
– Inspecting for insecure code and inefficient code
List Secure Software Testing
- Threat modeling
- Automated tools
- Manual source code analysis and review
- Brute force testing (e.g. fuzzing)
- Penetration testing
Microsoft SDL Practices
- Provide Training
- Define Security Requirements
- Define Metrics and Compliance Reporting
- Perform Threat Modeling
- Establish Design Requirements
- Define and Use Cryptography Standards
- Manage the Security Risk of Using Third-Party Components
- Use Approved Tools
- Perform Static Analysis Security Testing (SAST)
- Perform Dynamic Analysis Security Testing (DAST)
- Perform Penetration Testing
- Establish a Standard Incident Response Process