Download Secure Software Design: SDLC, BSIMM, and OWASP SAMM Overview and more Exams Software Engineering in PDF only on Docsity!
1 /
D487 - Secure Software Design
1. SDLC Phase 1: planning - a vision and next steps are created
2. SDLC Phase 2: requirements - necessary software requirements are determined
3. SDLC Phase 3: design - requirements are prepared for the technical design
4. SDLC Phase 4: implementation - the resources involved in the application from a known resource are
determined
5. SDLC Phase 5: testing - software is tested to verify its functions through a known environment
6. SDLC Phase 6: deployment - security is pushed out
7. SDLC Phase 7: maintenance - ongoing security monitoring is implemented
8. SDLC Phase 8: end of life - the proper steps for removing software completely are considered
9. BSIMM: a study of real-world software security that allows you to develop your software security over time
10. OWASP SAMM: flexible framework for building security into a software development organization
11. Static Analysis: the analysis of computer software that is performed without executing programs
12. Dynamic Analysis: the analysis of computer software that is performed when executing programs on a real
or virtual processor in real time
13. Fuzz Testing: automated or semi-automated testing that provides invalid, unexpected, or random data to the computer software program
14. Waterfall Development: software development methodology that breaks down development activities into linear sequential phases; each phase
depends on the deliverables of the previous one and corresponds to a specialization of tasks
15. Waterfall Phases (typical): plan -> build -> test -> review -> deploy
2 /
16. Iterative Waterfall Development: each phase of a project is broken down into its own waterfall
phases
17. Agile Development: software development methodology that delivers functionality in rapid iterations called timeboxes, requiring limited planning
but frequent communication
18. Scrum: framework for Agile that prescribes for teams to break work into goals to be completed within sprints
19. Scrum Master (Scrum Role): responsible for ensuring a Scrum team is operating as ettectively as
possible by keeping the team on track, planning and leading meetings, and working out any obstacles the team might face
20. Product Owner (Scrum Role): ensures the Scrum team aligns with overall product goals by managing
the product backlog by ordering work by priority, setting the product vision for the team, and communicating with external stakeholders to translate their needs to the team
21. Development Team (Scrum Role): professionals who do the hands-on work of completing the tasks in a Scrum sprint by lending their
expertise to program, design, or improve products
22. Lean Development: software development methodology that focuses on further isolating risk to the level of an individual feature
23. V-Model: a variation of the waterfall model, where the stage is turned back upwards after the coding phase
24. Extreme Programming (XP): an Agile methodology that is intended to improve software quality and
responsiveness
25. Software Security Architect: ensures that the stakeholder security requirements necessary to protect the organization's mission and business
processes are adequately addressed
26. Software Security Champion: an expert on promoting security awareness, best practices, and sim- plifying software security
27. Software Security Evangelist: an expert to promote awareness of products to the wider software community
28. Functional Requirements: describe what the system will do and its core purpose
4 /
46. SonarQube: open-source platform for static code analysis that can detect bugs, code smells, vulnerabilities,
and hotspots in over 25 programming languages
47. Spider: identifies inputs and supplies those to the scanning components of the security tool
48. PSIRT: the team that receives, investigates, and reports security vulnerabilities
49. Phase A1: Security Assessment - the project team identifies the product risks and creates a project outline for
security milestones
50. Phase A2: Architecture - examines security from perspective of business risks
51. Phase A3: Design and Development - analyze and test software to determine security and privacy issues as you
make informed decisions moving forward with your software
52. Phase A4: Design and Development - build onto the proper process of security testing and continue to analyze necessities at the security level
53. Phase A5: Ship - verifies that the product complies with security policies
54. Policy Compliance Analysis: done in A5 - final review of security and compliance requirements
55. Open-Source Licensing Review: done in A5 - final review of open-source software used in the stack
56. Final Security Review: done in A5 - final review of compliance against all security requirements identified
during the SDL cycle - passed, passed with exceptions, not passed and requires escalation
57. Final Privacy Review: done in A5 - final review of compliance against all privacy requirements identified during the SDL cycle
58. Customer Engagement Framework: defines the process for sharing security-related information with customers
59. PRSA1: External Vulnerability Disclosure Response - stakeholders are clearly identified and a RACI matrix should be created
60. PRSA2: Third-Party Security Reviews - security assessment performed by groups other than internal testing teams
61. PRSA3: Post-Release Certifications - certifications from external parties to demonstrate the security posture of products or services
5 /
62. PRSA4 & PRSA5: Security Strategy for Legacy Code, M&A, and EOL Plans - strategy to mitigate security risk from legacy code and M&As
63. Governance (OpenSAMM function): centered on how organizations manage overall software development activities
64. Construction (OpenSAMM function): centered around how organizations define goals and create software within development projects
65. Verification (OpenSAMM function): centered around how an organization checks and tests arti- facts produced through software
development
66. Deployment (OpenSAMM function): centered around how an organization releases software
67. BSIMM Categories: governance, intelligence, software security development life cycle touchpoints, and
deployment