Types of Security Requirements

Question 1

Core Security Requirements

Answer 1

Confidentiality, Integrity, Availability, Authentication, Authorization, Accountability

Question 2

General Security Requirements

Answer 2

Session Management, Error/Exceptions Management, Configuration Parameters Management

Question 3

Operational Security Requirements

Answer 3

Deployment environment, Archiving, Anti-piracy

Question 4

Other Security Requirements

Answer 4

Sequencing & Timing, International, Procurement

Question 5

Confidentiality Requirements

Answer 5

address protection against the unauthorized discplosure of data or information that are private/sensitive

Question 6

Data classification

Answer 6

public (directory), non-public

Question 7

Confidentiality controls

Answer 7

secret writing (i.e. overt and covert), and masking

Question 8

Secret writing goal

Answer 8

to prevent the disclosure of the information deemed secret, includes overt cryptographic mechanism (encryption and hashing) or covert (steganography, digital watermarking - e.g. hinding)

Question 9

Describe covert

Answer 9

steganography is invisible writing (camuflaging - military spionage), digital watermarking is embedded information in audio, video or pictures - used for copyright, deterring and preventing unauthorized copying of media.

Question 10

Masking

Answer 10

This is primarily used to protect against shoulder surfing attacks, which are characterized by someone looking over another’s shoulder and observing sensitive information (e.g. hiding password when typing, last 4 creditcard numbers).

Question 11

non-public data state

Answer 11

In transit (transmitted), In processing (held in computer memory or media for processing), Storage (at rest)

Question 12

time bound confidentiality

Answer 12

some information may require protection only for a certain period of time (e.g. during merge or acquisition)

Question 13

Integrity requirements

Answer 13

address two primary areas of software security (reliability and protection/prevention) against unauthorized modifications

Question 14

Integrity refers to

Answer 14

system integrity and data integrity

Question 15

data integrity

Answer 15

information and programs can be changed only in a specified and authorized manner by authorized personnel.

Question 16

Example system integrity violation

Answer 16

SQL Injection that makes the software act or respond in a manner not originally designed.

Question 17

Integrity security controls

Answer 17

input validation, CRC and hashing

Question 18

Input validatoin check

Answer 18

provides a high degree of protection against injection flaws and provides both system and data integrity.

Question 19

CRC

Answer 19

useful in the detection of errors or changes made to data when it is transmitted.

Question 20

Hashing

Answer 20

mainly used for integrity assurance, it can also provide confidentiality assurance

Question 21

Availability requirements

Answer 21

ensure the protection against destruction of the software system and/or data, thereby assisting in the prevention against DoS to authorized users.

Question 22

MTD

Answer 22

Maximum Tolerable Downtime - measure of the maximum amount of time that the software can be in a state of not providing expected service

Question 23

RTO

Answer 23

Recovery Time Objective - amount of time by which the system or software needs to be restored back to the expected state of business operations for authorized business users

Question 24

RPO

Answer 24

the maximum allowed data or productivity loss when the system becomes disrupted or down

Question 25

BIA

Answer 25

Bussiness Impact Analysis - determine the adverse impact that the unavailability of software will have on business operations

Question 26

Authentication requirements

Answer 26

verify and assure the legitimacy and validity of the identity (a person, a process, a hardware device) that is presenting entity claims for verification.

Question 27

authentication credentials

Answer 27

different factors or a combination of factors that include knowledge, ownership or characteristics.

Question 28

authentication forms

Answer 28

anonymous, basic, digest, integrated, client certificates, forms, token, smart cards, biometrics

Question 29

basic authentication

Answer 29

HTTP - client browser prompting the user to supply their credentials.

Question 30

digest authentication

Answer 30

challenge/response mechanism - send a message digest (hash value) and compare the hash values of what was previously established

Question 31

integrated authentication

Answer 31

NT challenge/response authentication, implemented in standalone authentication mechanism or in conjunction with Keberos authentication.

Question 32

client certification-based authentication

Answer 32

validate the identify of the certificate holder. the current standard for digital certificates is ITU X.509

Question 33

forms authentication

Answer 33

users to supply username and password for authentication purposes - it is advisable to first cryptographically protect the data being transmitted in addition to implementation transport layer security (TLS) such as SSL or network layer security such as IPSec

Question 34

OTP

Answer 34

One Time (dynamic) passwords (OTP) provide the maximum strength of authentication security and OTP tokens (also known as key fobs) require two factors, knowledge (something you know) and ownership (something you have).

Question 35

FIPS 201

Answer 35

Personal Identity Verification standard provides guidance that the enrollment data in systems implementing biometric based authentication needs to be changed periodically

Question 36

Biometric - Type I error

Answer 36

False Rejection error where a valid and legitimate enrollee is denied (rejected) access

Question 37

Biometric - Type II error

Answer 37

False Acceptance error where an imposter is granted (accepted) access.

Question 38

CER

Answer 38

Crossover Error Rate - used in evaluating different biometric devices and technologies (more accurate means low CER)

Question 39

Authorization requirements

Answer 39

confirm that an authenticated entity (human, process, hardware) has the needed rights and privileges to access and perform actions on a requested resource

Question 40

Subjects

Answer 40

entities (human user, system process) that are requesting access

Question 41

Objects

Answer 41

items that subject will act upon.

Question 42

Actions

Answer 42

CRUD - Create, Read, Update or Delete data

Question 43

DAC

Answer 43

Discretionary Access Control - restricting access to objects based on the identity of subjects and/or groups to which they belong

Question 44

NDAC

Answer 44

Non-Discretionary Access Control - it is unavoidably imposed on all subjects

Question 45

MAC

Answer 45

Mandatory Access Control - access to objects is restricted to subjects based on the sensitivity (represented by a label) of the information contained in the objects. All objects shall have a sensitive label. it is based on multilevel security requirements.

Question 46

RBAC

Answer 46

Role-Based Access Control - Roles are defined by job function which can be used for authorization decisions. Roles define the trust levels of entities to perform desired operations. Access that is granted to subjects is based on roles. The resource is directly mapped to the role.

Question 47

Resource-BAC

Answer 47

Resource-Based Access Control - useful in architectures that are distributed and
multi-tiered including service oriented architectures (users are unknown)

Question 48

RBAC Separation of duties

Answer 48

no individual can be assigned to two roles that are mutually exclusive in their permissions to perform operations.

Question 49

RBAC benefit

Answer 49

Simplified subjects and objects access rights administration, Ability to represent the organizational structure, Force enterprise compliance with control policies more easily and effectively.

Question 50

Impersonation and Delegation Model

Answer 50

Resource-BAC: Allowing a secondary entity to act on one’s behalf is the principle of delegation. Kerberos uses the delegation and impersonation model where the user upon successful authentication is granted a Kerberos ticket and the ticket is delegated the privileges and rights (sets of permission) to invoke services downstream.

Question 51

Trusted Subsystem Model

Answer 51

Resource-BAC: access request decisions are granted based on the identity of a resource that is trusted instead of user identities.

Question 52

Accountability Requirements

Answer 52

assist in building a historical record of user actions. Auditing requirements not only help with forensic investigations as a detective control but can also be used for troubleshooting errors and exceptions.

Question 53

General Requirements, Session Management Requirements

Answer 53

ensure that once a session is established, it remains in a state that it will not compromise the security of the software.

Question 54

Session management requirements

Answer 54

assure that sessions are not vulnerable to brute force attacks, predictability or Man-in-the-middle hijacking attempts

Question 55

General Requirements, Errors & Exception Management Requirements

Answer 55

ensure that errors and exceptions are explicitly addressed.

Question 56

Errors & exceptions

Answer 56

potential sources of information disclosure, verbose error messages and unhandled exception reports can result in divulging internal application architecture, design and configuration information

Question 57

improper error or exception management

Answer 57

using laconic error messages and structured exception handling are examples of good security design features that can thwart security threats posed.

Question 58

General Requirements, Configuration Parameters Management Requirements

Answer 58

makeup the software needs protection against hackers - these parameters and code usually need to be initialized before the software can run.

Question 59

Operational Requirements

Answer 59

requirements that impact the most efficient operations of the software itself such as Deployment environment, archiving, anti-privay.

Question 60

Other requirements

Answer 60

Sequencing & Timing, International, Procurement

Question 61

Operational Requirements identify

Answer 61

the needed capabilities and dependencies of the software as it serves the business with their intended functionality (CONOPS is a start point).

Question 62

Deployment Environment Requirements

Answer 62

identify and capture pertinent requirements about the environment such as ports and protocols are available, deployed in an Internet, Extranet or intranet environment, software need to support single sign-on (SSO)
authentication, …

Question 63

Deployment Environment Requirements Importance

Answer 63

Identifying and capturing constraints, restrictions and requirements of the environment in which the software is expected to operate alleviate deployment challenges later

Question 64

Archiving Requirements

Answer 64

maintained either as a means for business continuity or as a need to comply with a regulatory requirement or organizational policy.

Question 65

Archiving information

Answer 65

determine location, duration and format. Some questions: where data will be stored, how much space, ensure media is not re-writable, how fast to retrieve, …

Question 66

Anti-Piracy Requirements

Answer 66

Code obfuscation, code signing, anti-tampering, licensing and IP protection mechanisms should be included as part of the requirements documentation especially

Question 67

Sequencing and Timing Requirements

Answer 67

it concerns to design flaws in software that can lead to what is commonly known as race conditions or Time of Check/Time of Use (TOC/TOU) attacks. E.g. undesirable sequence of events, infinite loops and Multiple unsynchronized threads executing simultaneously for a process

Question 68

International Requirements

Answer 68

(i) Legal requirements are those requirements that we need to pay attention to so that we are not in violation of any regulations;
(ii) Technological requirements for instance Character encoding and display direction are two important international software requirements that need to be determined (e.g. unicode, UTF-32).

Question 69

Procurement Requirements

Answer 69

when procure the software instead of building
it in-house, it is important to include software security requirements in legal protection mechanisms such as contracts and SLAs.