Secure Software Design: SDLC, BSIMM, and OWASP SAMM Overview, Exams of Software Engineering

A concise overview of secure software design principles, methodologies, and frameworks. It covers key aspects of the software development life cycle (sdlc) with a focus on security considerations at each phase. Additionally, it introduces the building security in maturity model (bsimm) and the owasp software assurance maturity model (samm) as tools for enhancing software security practices. The document also touches on various testing techniques, threat modeling approaches, and roles involved in ensuring software security throughout the development process. It is useful for students and professionals seeking to understand the fundamentals of secure software design and its practical applications.

Typology: Exams

2025/2026

Available from 12/17/2025

mindshaper
mindshaper šŸ‡ŗšŸ‡ø

1.3K documents

1 / 5

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
1
/
5
D487 - Secure Software Design
1.
SDLC
Phase
1:
planning
-
a
vision
and
next
steps
are
created
2.
SDLC
Phase
2:
requirements - necessary software requirements are determined
3.
SDLC
Phase
3:
design - requirements are prepared for the technical design
4.
SDLC
Phase
4:
implementation
-
the
resources
involved
in
the
application
from
a
known
resource
are
determined
5.
SDLC
Phase
5:
testing
-
software
is
tested
to
verify
its
functions
through
a
known
environment
6.
SDLC
Phase
6:
deployment
-
security
is
pushed
out
7.
SDLC
Phase
7:
maintenance
-
ongoing
security
monitoring
is
implemented
8.
SDLC
Phase
8:
end
of
life
-
the
proper
steps
for
removing
software
completely
are
considered
9.
BSIMM:
a study of real-world software security that allows you to develop your software security over time
10.
OWASP
SAMM:
flexible
framework
for
building
security
into
a
software
development
organization
11.
Static
Analysis:
the
analysis
of
computer
software
that
is
performed
without
executing
programs
12.
Dynamic
Analysis:
the
analysis
of
computer
software
that
is
performed
when
executing
programs
on
a
real
or
virtual
processor
in
real
time
13.
Fuzz
Testing:
automated or semi-automated testing that provides invalid, unexpected, or random data to the
computer software program
14.
Waterfall
Development:
software development methodology that breaks down development activities
into linear sequential phases; each phase
depends on the deliverables of the previous one and corresponds to a specialization of tasks
15.
Waterfall
Phases
(typical):
plan
->
build
->
test
->
review
->
deploy
pf3
pf4
pf5

Partial preview of the text

Download Secure Software Design: SDLC, BSIMM, and OWASP SAMM Overview and more Exams Software Engineering in PDF only on Docsity!

1 /

D487 - Secure Software Design

1. SDLC Phase 1: planning - a vision and next steps are created

2. SDLC Phase 2: requirements - necessary software requirements are determined

3. SDLC Phase 3: design - requirements are prepared for the technical design

4. SDLC Phase 4: implementation - the resources involved in the application from a known resource are

determined

5. SDLC Phase 5: testing - software is tested to verify its functions through a known environment

6. SDLC Phase 6: deployment - security is pushed out

7. SDLC Phase 7: maintenance - ongoing security monitoring is implemented

8. SDLC Phase 8: end of life - the proper steps for removing software completely are considered

9. BSIMM: a study of real-world software security that allows you to develop your software security over time

10. OWASP SAMM: flexible framework for building security into a software development organization

11. Static Analysis: the analysis of computer software that is performed without executing programs

12. Dynamic Analysis: the analysis of computer software that is performed when executing programs on a real

or virtual processor in real time

13. Fuzz Testing: automated or semi-automated testing that provides invalid, unexpected, or random data to the computer software program

14. Waterfall Development: software development methodology that breaks down development activities into linear sequential phases; each phase

depends on the deliverables of the previous one and corresponds to a specialization of tasks

15. Waterfall Phases (typical): plan -> build -> test -> review -> deploy

2 /

16. Iterative Waterfall Development: each phase of a project is broken down into its own waterfall

phases

17. Agile Development: software development methodology that delivers functionality in rapid iterations called timeboxes, requiring limited planning

but frequent communication

18. Scrum: framework for Agile that prescribes for teams to break work into goals to be completed within sprints

19. Scrum Master (Scrum Role): responsible for ensuring a Scrum team is operating as ettectively as

possible by keeping the team on track, planning and leading meetings, and working out any obstacles the team might face

20. Product Owner (Scrum Role): ensures the Scrum team aligns with overall product goals by managing

the product backlog by ordering work by priority, setting the product vision for the team, and communicating with external stakeholders to translate their needs to the team

21. Development Team (Scrum Role): professionals who do the hands-on work of completing the tasks in a Scrum sprint by lending their

expertise to program, design, or improve products

22. Lean Development: software development methodology that focuses on further isolating risk to the level of an individual feature

23. V-Model: a variation of the waterfall model, where the stage is turned back upwards after the coding phase

24. Extreme Programming (XP): an Agile methodology that is intended to improve software quality and

responsiveness

25. Software Security Architect: ensures that the stakeholder security requirements necessary to protect the organization's mission and business

processes are adequately addressed

26. Software Security Champion: an expert on promoting security awareness, best practices, and sim- plifying software security

27. Software Security Evangelist: an expert to promote awareness of products to the wider software community

28. Functional Requirements: describe what the system will do and its core purpose

4 /

46. SonarQube: open-source platform for static code analysis that can detect bugs, code smells, vulnerabilities,

and hotspots in over 25 programming languages

47. Spider: identifies inputs and supplies those to the scanning components of the security tool

48. PSIRT: the team that receives, investigates, and reports security vulnerabilities

49. Phase A1: Security Assessment - the project team identifies the product risks and creates a project outline for

security milestones

50. Phase A2: Architecture - examines security from perspective of business risks

51. Phase A3: Design and Development - analyze and test software to determine security and privacy issues as you

make informed decisions moving forward with your software

52. Phase A4: Design and Development - build onto the proper process of security testing and continue to analyze necessities at the security level

53. Phase A5: Ship - verifies that the product complies with security policies

54. Policy Compliance Analysis: done in A5 - final review of security and compliance requirements

55. Open-Source Licensing Review: done in A5 - final review of open-source software used in the stack

56. Final Security Review: done in A5 - final review of compliance against all security requirements identified

during the SDL cycle - passed, passed with exceptions, not passed and requires escalation

57. Final Privacy Review: done in A5 - final review of compliance against all privacy requirements identified during the SDL cycle

58. Customer Engagement Framework: defines the process for sharing security-related information with customers

59. PRSA1: External Vulnerability Disclosure Response - stakeholders are clearly identified and a RACI matrix should be created

60. PRSA2: Third-Party Security Reviews - security assessment performed by groups other than internal testing teams

61. PRSA3: Post-Release Certifications - certifications from external parties to demonstrate the security posture of products or services

5 /

62. PRSA4 & PRSA5: Security Strategy for Legacy Code, M&A, and EOL Plans - strategy to mitigate security risk from legacy code and M&As

63. Governance (OpenSAMM function): centered on how organizations manage overall software development activities

64. Construction (OpenSAMM function): centered around how organizations define goals and create software within development projects

65. Verification (OpenSAMM function): centered around how an organization checks and tests arti- facts produced through software

development

66. Deployment (OpenSAMM function): centered around how an organization releases software

67. BSIMM Categories: governance, intelligence, software security development life cycle touchpoints, and

deployment