This study guide provides a comprehensive overview of software security concepts, methodologies, and best practices. It covers key topics such as the Building Security In Maturity Model (BSIMM), the Software Assurance Maturity Model (SAMM), and various security testing techniques. The guide also covers important security standards such as ISO/IEC 27001 and ISO/IEC 27034, and looks at agile development methodologies such as Scrum and their impact on software security. It includes a glossary of terms and answers to common questions related to software security.
Building Security In Maturity Model (BSIMM) - Answer A study of real-world software security initiatives, organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time.
SAMM - Answer Offers a roadmap and a well-defined maturity model for secure software development and deployment, along with useful tools for self-assessment and planning.
Core OpenSAMM activities - Answer Governance, Construction, Verification, Deployment
Static analysis - Answer The source code of an application is reviewed manually or with automatic tools without running the code.
Dynamic analysis - Answer Analysis and testing of a program occurs while it is being executed or run.
Fuzzing - Answer Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error-handling issues, and improper input validation.
OWASP ZAP - Answer Open-source web application security scanner; can be used as a proxy to manipulate traffic running through it (even HTTPS).
ISO/IEC 27001 - Answer Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system.
ISO/IEC 17799 - Answer ISO/IEC is a joint committee that develops and maintains standards in the IT industry. ISO/IEC 17799 is an international code of practice for information security management. This section defines confidentiality, integrity and availability controls.
ISO/IEC 27034 - Answer A standard that provides guidance to help organizations embed security within the processes that help secure applications running in their environment, including application lifecycle processes.
Software security champion - Answer A developer with an interest in security who helps amplify the security message at the team level.
Waterfall methodology - Answer A sequential, activity-based process in which each phase of the SDLC is performed in order, from planning through implementation and maintenance.
Agile Development - Answer A software development methodology that delivers functionality in rapid iterations, measured in weeks, requiring frequent communication, development, testing, and delivery.
Scrum - Answer An agile project management framework that helps teams structure and manage their work through a set of values, principles, and practices.
Daily scrum - Answer A daily time-boxed event of 15 minutes or less for the Development Team to re-plan the next day of development work during a Sprint. Updates are reflected in the Sprint Backlog.
Sprint review - Answer A meeting that occurs after each sprint to show the product or process to stakeholders for approval and to receive feedback.
Sprint retrospective - Answer An opportunity for the Scrum Team to inspect itself and create a plan for improvements to be enacted during the next Sprint.
Sprint planning - Answer A collaborative event in Scrum in which the Scrum team plans the work for the current sprint.
Threat Modeling Steps - Answer Identify security objectives
STRIDE - Answer Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
White-box - Answer A test in which the tester has in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications.
Gray-box - Answer A testing technique in which the tester has limited knowledge of the internal workings of the software.
Black-box - Answer A testing technique in which the internal workings of the software are not known to the tester.
Fail-safe - Answer A design feature or practice that, in the event of a specific type of failure, inherently responds in a way that causes minimal or no harm to other equipment, to the environment, or to people.
Privacy compliance report - Answer Provides progress against the privacy requirements given in earlier stages and assesses any changes in order to identify and add any new requirements.
SDLC - Answer Software Development Life Cycle. A software development process; many different models are available.
Bucket - Answer A data type that groups objects together.
Static - Answer Going over the source code.
Dynamic - Answer While the code is compiled and becomes object code.
Fuzzers - Answer Random data, brute force; Peach tool.
Static tool - Answer HP analysis
HP WebInspect - Answer Dynamic tool
QA Inspect - Answer Dynamic tool
IBM AppScan - Answer Dynamic tool
Veracode - Answer Dynamic tool
WhiteHat - Answer Dynamic tool
Sentinel Source - Answer Dynamic tool
CVSS - Answer How serious the threat is, from the vendor.
NVD - Answer National Vulnerability Database. Provides a CVSS score for known vulnerabilities.
CVE - Answer Common Vulnerabilities and Exposures. Provides identifiers for threats so you can be alerted if one is present on your system.
SDL - Answer Security assessment, architecture, design and development, ship, post-release support.
Functional - Answer Meets a business need.
Non-functional - Answer Security, privacy and compliance.
Post-release support - Answer Change management process; PSIRT (post-release incident response team), especially for zero-days; CVSS; public disclosures.
What are the major phases of the SDLC - Answer Planning, analysis, design, development, testing, implementation, and maintenance.