Software Security Study Guide: Building Security In Maturity Model (BSIMM) and SAMM, Exams of Network security

This study guide provides a comprehensive overview of software security concepts, methodologies, and best practices. It covers key topics such as the Building Security In Maturity Model (BSIMM), the Software Assurance Maturity Model (SAMM), and various security testing techniques. The guide also explores important security standards such as ISO/IEC 27001 and ISO/IEC 27034, and covers agile development methodologies such as Scrum and their impact on software security. It includes a glossary of terms and answers to common questions related to software security.

Typology: Exams

2023/2024

Available from 01/24/2025

Test-Solver
D487 STUDY GUIDE FULLY SOLVED 2024

Building Security In Maturity Model (BSIMM) - Answer A study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time
SAMM - Answer offers a roadmap and a well-defined maturity model for secure software development and deployment, along with useful tools for self-assessment and planning.
Core OpenSAMM activities - Answer Governance, Construction, Verification, Deployment
static analysis - Answer Source code of an application is reviewed manually or with automatic tools without running the code
dynamic analysis - Answer Analysis and testing of a program occurs while it is being executed or run
Fuzzing - Answer Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation
OWASP ZAP - Answer Open-source web application security scanner; can be used as a proxy to manipulate traffic running through it (even HTTPS)
ISO/IEC 27001 - Answer Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system


ISO/IEC 17799 - Answer ISO/IEC is a joint committee that develops and maintains standards in the IT industry. ISO/IEC 17799 is an international code of practice for information security management. This section defines confidentiality, integrity and availability controls.
ISO/IEC 27034 - Answer A standard that provides guidance to help organizations embed security within their processes that help secure applications running in the environment, including application lifecycle processes
Software security champion - Answer a developer with an interest in security who helps amplify the security message at the team level
waterfall methodology - Answer a sequential, activity-based process in which each phase in the SDLC is performed sequentially from planning through implementation and maintenance
Agile Development - Answer A software development methodology that delivers functionality in rapid iterations, measured in weeks, requiring frequent communication, development, testing, and delivery.
Scrum - Answer an agile project management framework that helps teams structure and manage their work through a set of values, principles, and practices
Daily scrum - Answer daily time-boxed event of 15 minutes, or less, for the Development Team to re-plan the next day of development work during a Sprint. Updates are reflected in the Sprint Backlog.
Sprint review - Answer A meeting that occurs after each sprint to show the product or process to stakeholders for approval and to receive feedback.
Sprint retrospective - Answer an opportunity for the Scrum Team to inspect itself and create a plan for improvements to be enacted during the next Sprint.
Sprint planning - Answer A collaborative event in Scrum in which the Scrum team plans the work for the current sprint.
Threat Modeling Steps - Answer Identify security objectives

STRIDE - Answer Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
White-box - Answer A test where the tester has an in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications.
Gray-box - Answer a testing technique in which the tester has limited knowledge of the internal workings of the software.
Black-box - Answer a testing technique in which the internal workings of the software are not known to the tester.
Fail-safe - Answer a design feature or practice that, in the event of a specific type of failure, inherently responds in a way that will cause minimal or no harm to other equipment, to the environment or to people
Privacy compliance report - Answer provide progress against privacy requirements provided in earlier stages and assess any changes to identify & add any new requirements
SDLC - Answer Software Development Life Cycle. A software development process. Many different models are available.
bucket - Answer a data type that groups objects together
Static - Answer going over the source code
dynamic - Answer while the code is compiled and becomes object code

fuzzers - Answer random data brute force; Peach tool
static tool - Answer hp analysis
HP WebInspect - Answer dynamic tool
qa inspect - Answer dynamic tool
IBM AppScan - Answer dynamic tool
Veracode - Answer dynamic tool
WhiteHat - Answer dynamic tool
Sentinel Source - Answer dynamic tool
CVSS - Answer how serious the threat is from the vendor
NVD - Answer National Vulnerability Database. Provides a CVSS score for known vulnerabilities
CVE - Answer Common Vulnerabilities and Exposures. Provides identifiers for threats so you can be alerted if it's on your system
SDL - Answer security assessment, architecture, design and development, ship, post release support
functional - Answer meets business need
non functional - Answer security, privacy and compliance

post release support - Answer change management process, PSIRT (post release incident response team), especially zero day, CVSS, public disclosures.
What are the major phases of the SDLC - Answer planning, analysis, design, development, testing, implementation, and maintenance

  1. What should a Privacy Impact Assessment include? - Answer A privacy impact assessment (PIA) is an analysis of how personally identifiable information (PII) is handled to ensure compliance with appropriate regulations, determine the privacy risks associated with information systems or activities, and evaluate ways to reduce the privacy risks.
  2. How does a programmer use Data Flow Diagrams in developing software? - Answer data flow diagramming provides structure before coding begins and is one of the most helpful application architecture diagrams.
  3. Agile Development: allows developers to better visualize requirements as they build on existing wor
  4. What is a Software Security Champion - Answer a developer with an interest in security who helps amplify the security message at the team level.
  5. change management processes - Answer request, impact analysis, approve/deny, implement, review
  6. code review process - Answer two or more independent security people look over the code for bugs
  7. threat levels are determined by two things - Answer likelihood and impact