Secure Software Design: Key Concepts and SDLC Phases, Exams of Nursing

Key concepts in secure software design, including the software development life cycle (SDLC) phases, various software development methodologies (Waterfall, Agile, Scrum), and security roles. It also covers threat modeling techniques (DREAD, PASTA, STRIDE), testing types (black box, white box), and security assessment phases. This resource is useful for understanding the fundamentals of building security into software development processes. It provides a structured overview of essential terms and practices in the field of secure software design, making it a valuable reference for students and professionals alike. The document also touches on governance, construction, verification, and deployment within the context of software security.

Typology: Exams

2024/2025

Available from 09/19/2025

davian-Willis
D487 - SECURE SOFTWARE DESIGN TEST WITH COMPLETE SOLUTIONS

  1. SDLC Phase 1: planning - a vision and next steps are created
  2. SDLC Phase 2: requirements - necessary software requirements are determined
  3. SDLC Phase 3: design - requirements are prepared for the technical design
  4. SDLC Phase 4: implementation - the resources involved in the application from a known resource are determined
  5. SDLC Phase 5: testing - software is tested to verify its functions through a known environment
  6. SDLC Phase 6: deployment - security is pushed out
  7. SDLC Phase 7: maintenance - ongoing security monitoring is implemented

  1. Waterfall Development: software development methodology that breaks down development activities into linear sequential phases; each phase depends on the deliverables of the previous one and corresponds to a specialization of tasks
  2. Waterfall Phases (typical): plan -> build -> test -> review -> deploy
  3. Iterative Waterfall Development: each phase of a project is broken down into its own waterfall phases
  4. Agile Development: software development methodology that delivers functionality in rapid iterations called timeboxes, requiring limited planning but frequent communication
  5. Scrum: framework for Agile that prescribes for teams to break work into goals to be completed within sprints
  6. Scrum Master (Scrum Role): responsible for ensuring a Scrum team is operating as effectively as possible by keeping the team on track, planning and leading meetings, and working out any obstacles the team might face

  1. Product Owner (Scrum Role): ensures the Scrum team aligns with overall product goals by managing the product backlog by ordering work by priority, setting the product vision for the team, and communicating with external stakeholders to translate their needs to the team

  1. Software Security Evangelist: an expert to promote awareness of products to the wider software community
  2. Functional Requirements: describe what the system will do and its core purpose
  3. Non-Functional Requirements: describe any constraints or restrictions on a design but do not impact the core purpose of the system
  4. Privacy Impact Assessment: process that evaluates issues and privacy impact rating in relation to the privacy of PII in the software
  5. Product Risk Profile: helps to determine the actual cost of the product from different perspectives
  6. Requirement Traceability Matrix: a table that lists all of the security requirements
  7. DREAD model: damage, reproducibility, exploitability, affected users, discoverability

  1. PASTA: the process for attack simulation and threat analysis; gives a software security team a repeatable framework for identifying threats
  2. STRIDE: classifies threats into categories: spoofing, tampering, repudiation, information disclosed, denial of service, and elevation of privilege
  3. Application Decomposition: determining the fundamental functions of an app
  4. Trike: a unified conceptual framework for security auditing
  5. Alpha Level Testing: testing done by the developers themselves
  6. Beta Level Testing: testing done by those not familiar with the actual development of the system
  7. Black Box Testing: tests from an external perspective with no prior knowledge of the software

components of the security tool

  1. PSIRT: the team that receives, investigates, and reports security vulnerabilities
  2. Phase A1: Security Assessment - the project team identifies the product risks and creates a project outline for security milestones
  3. Phase A2: Architecture - examines security from the perspective of business risks
  4. Phase A3: Design and Development - analyze and test software to determine security and privacy issues as you make informed decisions moving forward with your software
  5. Phase A4: Design and Development - build onto the proper process of security testing and continue to analyze necessities at the security level
  6. Phase A5: Ship - verifies that the product complies with security policies

  1. Policy Compliance Analysis: done in A5 - final review of security and compliance requirements
  2. Open-Source Licensing Review: done in A5 - final review of open-source software used in the stack
  3. Final Security Review: done in A5 - final review of compliance against all security requirements identified during the SDL cycle - passed, passed with exceptions, not passed and requires escalation
  4. Final Privacy Review: done in A5 - final review of compliance against all privacy requirements identified during the SDL cycle
  5. Customer Engagement Framework: defines the process for sharing security-related information with customers
  6. PRSA1: External Vulnerability Disclosure Response - stakeholders are clearly identified and a RACI matrix should be created
  7. PRSA2: Third-Party Security Reviews - security assessment

  1. PRSA3: Post-Release Certifications - certifications from external parties to demonstrate the security posture of products or services
  2. PRSA4 & PRSA5: Security Strategy for Legacy Code, M&A, and EOL Plans - strategy to mitigate security risk from legacy code and M&As
  3. Governance (OpenSAMM function): centered on how organizations manage overall software development activities
  4. Construction (OpenSAMM function): centered around how organizations define goals and create software within development projects
  5. Verification (OpenSAMM function): centered around how an organization checks and tests artifacts produced through software development
  6. Deployment (OpenSAMM function): centered around how an organization releases software

  1. BSIMM Categories: governance, intelligence, software security development life cycle touchpoints, and deployment