WGU C706 SECURE SOFTWARE DESIGN STUDY GUIDE, VERY WELL EXPLAINED.

  • 16 May 2022
  • 10
  • 2021/2022
  • Exam
  • Questions and answers
C706 Secure Software Design Study Guide

CIA Triad:

Confidentiality: In information security, confidentiality "is the property that information is not made available or
disclosed to unauthorized individuals, entities, or processes."

Integrity: In information security, data integrity means maintaining and assuring the accuracy and completeness of data
over its entire life-cycle. This means that data cannot be modified in an unauthorized or undetected manner. This can
also be used to validate databases to make sure none of the data is corrupt or modified in an unauthorized manner.

Availability: For any information system to serve its purpose, the information must be available when it is needed. This
means that the computing systems used to store and process the information, the security controls used to protect it, and
the communication channels used to access it must be functioning correctly.

Secure Software Design Feature:

Confidentiality: Public Key Infrastructure (PKI) and Cryptography/Encryption
Availability: Offsite back-up and Redundancy
Integrity: Hashing, Message Digest (MD5), non-repudiation and digital signatures

Software Architect: The software architect moves analysis to implementation and analyzes the requirements and use
cases as activities to perform as part of the development process. That person can also develop class diagrams.

Security Practitioner Roles:

Release Manager: Deployment
Architect: Design
Developer: Coding
Business Analyst/Project Manager: Requirements Gathering

Red Team: These are teams of people familiar with the infrastructure of the company and the languages of the software
being developed. Their mission is to kill the system as the developers build it.

Static Analysis: Static analysis, also called static code analysis, is a method of computer program debugging that is done
by examining the code without executing the program. The process provides an understanding of the code structure, and
can help to ensure that the code adheres to industry standards. It is also referred to as code review.

MD5 Hash: The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was
initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It
can still be used as a checksum to verify data integrity, but only against unintentional corruption. (Integrity)

SHA-256: The SHA (Secure Hash Algorithm) is one of a number of cryptographic hash functions. A cryptographic hash
is like a signature for a text or a data file. The SHA-256 algorithm generates an almost-unique, fixed-size 256-bit (32-byte)
hash. A hash is a one-way function – it cannot be decrypted back. (Integrity)

Advanced Encryption Standard (AES): AES (acronym of Advanced Encryption Standard) is a symmetric encryption
algorithm. The algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. AES was
designed to be efficient in both hardware and software, and supports a block length of 128 bits and key lengths of 128,
192, and 256 bits. (Confidentiality)

Stochastic: The analogy between safety and security is particularly close. The main difference is that safety-relevant
faults are stochastic (i.e., unintentional or accidental), whereas security-relevant faults are “sponsored,” i.e., intentionally
created and activated through conscious and intentional human agency.

Fuzz Testing: Fuzz testing is the use of malformed or random input into a system in order to intentionally produce
failure. It is used to see if the system has solid exception handling for the input it receives. This is a very easy process
of feeding garbage to the system when it expects a formatted input, and it is always a good idea to feed as much garbage
as possible to an input field.

Three (3) Tier: The 3 tier architecture model removes the business logic from the client end of the system. It generally
places the business logic on a separate server from the client. The data access portion of the system resides on a 3rd tier,
which is separate from both the client and the business logic platform.

T-MAP: USC’s Threat Modeling based on Attacking Path analysis (T-MAP) is a risk management approach that
quantifies total severity weights of relevant attacking paths for COTS-based systems. T-MAP’s strengths lie in its ability
to maintain sensitivity to an organization’s business value priorities and Information Technology (IT) environment, to
prioritize and estimate security investment effectiveness and evaluate performance, and to communicate executive-
friendly vulnerability details as threat profiles to help evaluate cost efficiency.

Trike: Trike is an open source conceptual framework, methodology, and toolset designed to autogenerate repeatable
threat models. Its methodology enables the risk analyst to accurately and completely describe the security characteristics
of the system, from high-level architecture to low-level implementation of details. It also requires building a defensive
model of the subject system.

SDL Threat Modeling Tool: This free tool assists in the creation of threat models. It builds on Microsoft Visio and
provides a tool for constructing graphic representation of threat models for the system without requiring expertise in
security and also has the capability of graphically representing a software system and identifying vulnerabilities.

Vulnerability Mapping:

The overall goal of performing vulnerability mapping is to determine the most likely locations within the system in
development where an attacker will strike. This is done in the design phase of the SDLC.

V3: This is the highest level of vulnerability. This is a very likely target for an attacker, such as free text input in a form.
These are the highest priority for a security plan for the system and these should all be mitigated and accounted for by
established control systems in development.

V2: This is the moderate level of vulnerability. These are possible but not probable targets. These will include interprocess
communications on the server or traffic within the trust boundary of the system. Eavesdropping is the most significant risk
in this situation. V2 level vulnerabilities should always be mitigated in the system, but in a trade-off analysis, strict control
may not be necessary as long as a procedure is in place to fail safely and protect any private or confidential data.

V1: This is the lowest priority level of vulnerability. These are unlikely venues of attack with little risk if they are
exploited. Failing safely is the most important concern at this level, because the data associated with this vulnerability has
no value, and the process involved is not mission critical. An example of this level of vulnerability would be a
transmission failure in a common HTML header coming from the system; the highest risk here is that the customer will
