Agile and Software Assurance Test Prep: Questions and Answers, Exams of Human Resource Management

A compilation of questions and answers related to agile methodologies and software assurance. It covers key concepts such as agile principles, Extreme Programming (XP), Scrum, and software assurance techniques such as threat modeling and risk assessment. The material is presented in a concise flashcard format, making it useful for test preparation and quick review. It also includes information on vulnerability assessment, security concerns in the different software development phases, and various testing methodologies. Suitable for students and professionals in software development and cybersecurity.

Typology: Exams

2024/2025

Available from 09/08/2025

ariana-grande-whitney
C706 Test Prep Questions and Answers with Verified Solutions

AGILE ✔✔1. Short releases
2. Delayed design
3. Involve users along the way
4. Minimal documentation
5. Informal/frequent documentation
6. Constant change

Why AGILE? ✔✔1. shorten development cycles
2. adaptability
3. more efficient; less duplication

AGILE Methodologies ✔✔1. Extreme Programming (XP)
2. Crystal
3. Unified Process
4. Scrum
5. Open Source

Extreme Programming (XP) Core Values ✔✔1. Frequent communication between team and customer

2. Simplicity in design and code
3. Small iterations
4. Continuous unit testing
5. Courage

Extreme Programming (XP) Key Pieces ✔✔1. Pair programmers
2. Coding standards
3. Sustainable pace = 40hrs. / week
4. Collective ownership

Extreme Programming (XP) Planning ✔✔Business = Scope, priorities, release scope/date
Techies = Estimates, consequences, process
*Done with story cards

Crystal Creator ✔✔Alistair Cockburn

XP Creator ✔✔Kent Beck

Crystal Project Basics ✔✔1. Project size = # of devs
2. Criticality = $ from malfunction

Scrum Framework ✔✔Must have:
1. Team roles
2. Events
3. Artifacts
4. Rules

Scrum Methods ✔✔Iterative using sprints (1 month or less dev effort)

Scrum Roles ✔✔1. Product owner: voice of customer
2. Dev team: 3-10 devs
3. Scrum Master: dev coach, keeps them on track

Scrum Events ✔✔1. Sprint planning meeting: product owner and devs decide what is in the sprint
2. Daily Scrum: short 15 min mtg. daily to track progress
3. Sprint review: inspect products and backlog
4. Sprint retrospective: lessons learned on the last day of the sprint

Scrum Artifacts ✔✔1. Product backlog
2. Sprint backlog
3. Increment: the current project of all sprints
4. Burn down chart: log in current sprint backlog

SOAR ✔✔State of the Art Report. Assurance of security as a property in software. A snapshot of the software security assurance discipline.

CNSS - Software Assurance ✔✔Level of confidence that software is free from vulnerabilities and functions in the intended manner

DoD - Software Assurance ✔✔The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software

NASA - Software Assurance ✔✔The planned and systematic set of activities that ensure that software processes and products conform to requirements, standards, and procedures.

MITRE's Plover ✔✔Preliminary List of Vulnerability Examples for Researchers

AVDL ✔✔Application Vulnerability Description Language

OVAL ✔✔Works with CVE using XML and SQL. A language that a tool can use to query CVE to look for vulnerabilities

SV Formula ✔✔BCWP-BCWS

CV Formula ✔✔BCWP-ACWP

Waterfall ✔✔1. sequential - non-iterative
2. All requirements in 1st step
3. Document driven (lots of docs)
4. Specific identifiable stages
5. entry level developers with limited exposure

Waterfall Phases ✔✔1. Conception
2. Initiation
3. Analysis
4. Design
5. Construction
6. Testing
7. Production/Implementation
8. Maintenance

Waterfall Methodology Security Concerns ✔✔1. Requirement Analysis: Define security concerns
2. Design: Misuse cases and vulnerability mapping
3. Construction and Implementation: Secure coding practice
4. Testing: Penetration Assessment
5. Installation: Final security review
6. Operation or Maintenance: Periodic security review and updates

Non-repudiation ✔✔Sender cannot deny having sent the message

Software Assurance ✔✔Ensure processes, procedures, and products used to produce and sustain software conform to all requirements and standards.

Sandboxing ✔✔Isolating trusted processes and proper handling of errors and exceptions

Task Refinement ✔✔Specific security activities must be identified when integrating security requirements into a work breakdown structure

Release Manager ✔✔Conducts the code review process as one part of the software development process. Can also be assigned the task of deploying the finished product after project completion

T-MAP ✔✔Threat Modeling based on Attacking Path analysis. Risk based approach.

Tester Role ✔✔Responsibility to prepare a document plan that will verify that a system's code performs the proper actions that it was designed to do.

STRIDE ✔✔Classification scheme for characterizing/measuring known threats/vulnerabilities according to the kinds of exploit that are used (or motivation of the attacker). - End Result

STRIDE (S) ✔✔Spoofing Identity

STRIDE (T) ✔✔Tampering with Data

STRIDE (R) ✔✔Repudiation

STRIDE (I) ✔✔Information Disclosure

STRIDE (D) ✔✔Denial of Service

STRIDE (E) ✔✔Elevation of Privilege

DREAD ✔✔Risk assessing security threats. Using a number system like 1-10 to rank.

DREAD (D) ✔✔Damage - how bad would an attack be? Ranks the extent of harm that occurs if a vulnerability is exploited.

DREAD (R) ✔✔Reproducibility - how easy is it to reproduce the attack? Ranks how often an attempt at exploiting a vulnerability really works.

DREAD (E) ✔✔Exploitability/Vulnerability - how much work is it to launch the attack? Measures the effort required to launch the attack.

DREAD (A) ✔✔Affected users - how many people will be impacted? Measures the number of installed instances of the system affected by an exploit.

DREAD (D-2) ✔✔Discoverability - how easy is it to discover the threat? States the likelihood that a vulnerability will be found by security researchers or hackers.

Threat Model ✔✔Diagram and description that tells a story of how an attacker could exploit the vulnerability.

Sequence Diagram ✔✔Detailed breakdown of the communication that will occur between actors and system objects or components.

T-Map Specifics ✔✔Defines a set of threat-relevant attributes for each layer or node. These attributes can be classified as either probability-relevant, size-of-loss relevant, or descriptive. These class attributes are primarily derived from the Common Vulnerability Scoring System (CVSS).