Exam (elaborations)
Secure Software Design Questions And Answers
- Course
- Institution
Secure Software Design Questions And Answers
[Show more]
Content preview
Secure Software Design Questions AndAnswers
SDL - ANSWER- Security Development Life Cycle
SDLC - ANSWER- Software Development Life Cycle
Software Security - ANSWER- Building security into the software through a SDL
(Security Development Life Cycle) in an SDLC (Software Development Life Cycle)
Application Security - ANSWER- Protecting the software and the systems on which it
runs after release
Three core elements of security - ANSWER- Confidentiality, integrity, and availability
(the C.I.A. model)
PITAC - ANSWER- President's Information Technology Advisory Committee
Quality and security - ANSWER- In terms of coding defects, the product not only has to
work right, it also has to be secure
Trustworthy Computing (TwC) - ANSWER- The team which formed the concepts that
led to the Microsoft Security Development Lifecycle
Static analysis tools - ANSWER- Tools that look for a fixed set of patterns or rules in the
code in a manner similar to virus-checking programs
Authorization - ANSWER- Ensures that the user has the appropriate role and privilege
to view data
Authentication - ANSWER- Ensures that the user is who he or she claims to be and that
the data come from the appropriate place
Threat modeling - ANSWER- To understand the potential security threats to the system,
determine risk, and establish appropriate mitigations. Applies principles such as least
privilege and defense-in-depth; requires human expertise and not tools to accomplish
Attack surface - ANSWER- The entry points and exit points of an application that may
be accessible to an attacker
- ANSWER- The majority of attacks against software take advantage of, or exploit,
some vulnerability or weakness in that software; for this reason, "attack" is often used
interchangeably with "exploit," though the Build Security In Attack Pattern Glossary
,makes a clear distinction between the two terms, with attack referring to the action
against the targeted software and exploit referring to the mechanism (e.g., a technique
or malicious code) by which that action is carried out.
- ANSWER- Availability: Ensuring timely and reliable access to and use of information.
- ANSWER- Confidentiality: Preserving authorized restrictions on information access
and disclosure, including means for protecting personal privacy and proprietary
information.
- ANSWER- Integrity: Guarding against improper information modification or
destruction, and includes ensuring information non-repudiation and authenticity.
- ANSWER- Authorization and authentication are the two properties that support
confidentiality in that authorization ensures that users have the appropriate role and
privilege to view data, and authentication ensures that users are who they claim to be
and that the data come from the appropriate place.
- ANSWER- Developers must take the time to code cleanly, and eradicate every
possible security flaw before the code goes into production.
- ANSWER- The idea behind threat modeling is simply to understand the potential
security threats to the system, determine risk, and establish appropriate mitigations.
When it is performed correctly, threat modeling occurs early in the project life cycle and
can be used to find security design issues before code is committed.
- ANSWER- You cannot have quality without security or security without quality. These
two attributes complement each other, and both enhance overall software product
integrity and market value.
Techniques used in penetrating valid channels of authentication - ANSWER- Cross-Site
Scripting (XSS), Structured Query Language (SQL) injection, buffer overflow
exploitation
The most well-known SDL model - ANSWER- Trustworthy Computing Security
Development Lifecycle (SDL)
Other popular SDL models - ANSWER- Cigital Software Security Touchpoints model,
OWASP SDL, Cisco Secure Development Lifecycle (CSDL)
SDL Optimization Model - ANSWER- Enables development managers and IT
policymakers to assess the state of the security in development
Two very popular software security maturity models that have been developed and
continue to mature at a rapid rate - ANSWER- Cigital BSIMM, OWASP Open SAMM
, Building Security In Maturity Model (BSIMM) - ANSWER- A study of real-world software
security initiatives organized so that you can determine where you stand with your
software security initiative and how to evolve your efforts over time
OWASP Software Assurance Maturity Model (SAMM) - ANSWER- A flexible and
prescriptive framework for building security into a software development organization
ISO/IEC - ANSWER- International Standards Organization (ISO) / International
Electrotechnical Commission (IEC)
ISO/IEC 27034-1:2011 - ANSWER- A standard for application security which offers a
concise, internationally recognized way to get transparency into a vendor/supplier's
software security management process
ISMS - ANSWER- Information Security Management System
ISO/IEC 27001 - ANSWER- A standard that specifies a management system intended
to bring information security under formal management control
ISO/IEC 27034 - ANSWER- A standard that provides guidance to help organizations
embed security within their processes that help secure applications running in the
environment, including application lifecycle processes
SAFECode - ANSWER- A global, industry-led effort to identify and promote best
practices for developing and delivering more secure and reliable software, hardware,
and services
NCSD - ANSWER- Department of Homeland Security National Cyber Security Division
Software Assurance Program - ANSWER- The SwA Program seeks to reduce software
vulnerabilities, minimize exploitation, and address ways to improve the routine
development and deployment of trustworthy software products
NIST - ANSWER- National Institute of Standards and Technology
NSA - ANSWER- National Security Agency
SWE - ANSWER- Common Weakness Enumeration
Software Assurance Metrics And Tool Evaluation (SAMATE) - ANSWER- The project
dedicated to improving software assurance by developing methods to enable software
tool evaluations, measuring the effectiveness of tools and techniques, and identifying
gaps in tools and methods
NIST Special Publication (SP) 800-64, Security Considerations in the System
Development Life Cycle - ANSWER- Developed to assist federal government agencies
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller Divinehub. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $9.99. You're not tied to anything after your purchase.
Can Stuvia be trusted?
4.6 stars on Google & Trustpilot (+1000 reviews)
81989 documents were sold in the last 30 days
Founded in 2010, the go-to place to buy study notes for 14 years now