

Definitions and explanations of key security concepts related to software development and security. It covers concepts such as accountability, auditing, authentication, authorization, availability, confidentiality, data anonymization, defense-in-depth, disposition, economy of mechanism, fail safe, integrity, least common mechanism, least privilege, leveraging existing components, non-repudiation, open design, psychological acceptability, separation of duties, and more. These concepts are essential for understanding and implementing secure software development practices.
Typology: Exams
Accountability - Correct Answer A security concept that ensures every action can be traced back to the subject that performed it, so that the subject cannot later deny it. It protects against repudiation threats and depends on reliable authentication and auditing.
Auditing - Correct Answer A security concept that addresses the logging of transactions so that at a later time a history of transactions can be built, if needed. It answers the question, "Who (subject) did what (action) when (timestamp) and where (object)?"
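Auditing and accountability both rest on a record that answers "who did what, when, and to what". The following is an added example written for this glossary, not code from the original page; it builds an append-only audit trail in which each record carries the four fields above and is chained to its predecessor by a SHA-256 digest, so that editing or deleting an earlier record is detectable when the chain is verified. The subjects, objects and timestamps are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditLog:
    """Append-only audit trail. Each record answers who (subject) did what
    (action) when (timestamp) and where (object), plus the outcome, and is
    linked to the previous record by a digest (tamper-evident, not tamper-proof)."""

    GENESIS = "0" * 64  # "previous digest" of the very first record

    def __init__(self):
        self.records = []

    def record(self, subject, action, obj, outcome, when=None):
        """Append one audit record and return it."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.records[-1]["digest"] if self.records else self.GENESIS
        entry = {
            "subject": subject,      # who
            "action": action,        # did what
            "object": obj,           # where / to what
            "timestamp": when,       # when
            "outcome": outcome,      # success / denied, useful for detection
            "prev": prev,            # chain link to the previous record
        }
        entry["digest"] = self._digest(entry)
        self.records.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        # Digest covers every field except the digest itself; sorted keys give
        # a canonical serialization so verification is deterministic.
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = self.GENESIS
        for i, entry in enumerate(self.records):
            if entry["prev"] != prev or self._digest(entry) != entry["digest"]:
                return i
            prev = entry["digest"]
        return -1

    def history(self, subject=None, obj=None):
        """Rebuild the history of a subject and/or an object from the trail."""
        return [
            e for e in self.records
            if (subject is None or e["subject"] == subject)
            and (obj is None or e["object"] == obj)
        ]


def build_sample_log():
    """Constructed sample trail: three actions against one payroll file."""
    log = AuditLog()
    log.record("alice", "read", "/payroll/2024.csv", "success", "2024-03-01T09:00:00+00:00")
    log.record("bob", "delete", "/payroll/2024.csv", "denied", "2024-03-01T09:05:00+00:00")
    log.record("alice", "update", "/payroll/2024.csv", "success", "2024-03-01T09:10:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() == -1)
    for e in log.history(obj="/payroll/2024.csv"):
        print(e["timestamp"], e["subject"], e["action"], e["object"], e["outcome"])
    log.records[1]["outcome"] = "success"      # an attacker rewrites history
    print("first tampered record:", log.verify())
```

The chain only proves that the trail was not altered after the fact if the latest digest is periodically anchored somewhere the attacker cannot write (a separate log collector, a signed checkpoint); an attacker who can rewrite the whole file can simply recompute the chain.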
Authentication - Correct Answer A security concept that verifies and validates identity information that is supplied. It answers the question "Are you who you claim to be?"
Authorization - Correct Answer A security concept that has to do with the checking of a subject's rights and privileges before granting access to the objects that the subject requests.
Availability - Correct Answer A security concept that assures protection against destruction of the data or system or denial of service. It addresses the accessibility of the software and/or the data it handles.
Complete mediation - Correct Answer A security design principle that states that every time a subject requests access to an object, the request needs to be checked to ensure that the subject has the authority to access the object. Authorization decisions must not be cached and reused across requests, since a permission that was revoked after the cached decision would still be honored.
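The difference between authorization decided once and authorization re-checked on every access is easiest to see in code. The block below is an added example for this glossary (the authorization and complete mediation entries), not code from the original page; it contrasts a session that snapshots a user's rights at login with one that consults the live policy on each request, and shows what happens when a right is revoked in between. The subject and object names are constructed.

```python
class Policy:
    """Mutable access-control policy: subject -> set of (action, object)."""

    def __init__(self):
        self.grants = {}

    def grant(self, subject, action, obj):
        self.grants.setdefault(subject, set()).add((action, obj))

    def revoke(self, subject, action, obj):
        self.grants.get(subject, set()).discard((action, obj))

    def allows(self, subject, action, obj):
        """Authorization check: does the subject currently hold this right?"""
        return (action, obj) in self.grants.get(subject, set())


class CachedSession:
    """Anti-pattern: rights are copied once at login and reused for every
    request, so revocation has no effect until the user logs in again."""

    def __init__(self, policy, subject):
        self.subject = subject
        self.snapshot = set(policy.grants.get(subject, set()))

    def access(self, action, obj):
        return (action, obj) in self.snapshot


class MediatedSession:
    """Complete mediation: every access goes through the live policy check."""

    def __init__(self, policy, subject):
        self.policy = policy
        self.subject = subject

    def access(self, action, obj):
        return self.policy.allows(self.subject, action, obj)


def demonstrate():
    """Return ((cached, mediated) before revocation, (cached, mediated) after)."""
    policy = Policy()
    policy.grant("alice", "read", "report.pdf")   # constructed sample grant

    cached = CachedSession(policy, "alice")
    mediated = MediatedSession(policy, "alice")
    before = (cached.access("read", "report.pdf"), mediated.access("read", "report.pdf"))

    policy.revoke("alice", "read", "report.pdf")  # e.g. alice leaves the project
    after = (cached.access("read", "report.pdf"), mediated.access("read", "report.pdf"))
    return before, after


if __name__ == "__main__":
    before, after = demonstrate()
    print("before revocation (cached, mediated):", before)
    print("after revocation  (cached, mediated):", after)
```

Real systems do cache for performance; the practical compromise is a short, bounded cache lifetime plus explicit invalidation on revocation, so that the window in which a revoked right is still honored is known and small.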
Confidentiality - Correct Answer A security concept that assures the protection of data against unauthorized disclosure. It ensures the secrecy and privacy of data.
Data anonymization - Correct Answer The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data. It is distinct from pseudonymization, which replaces identifiers with tokens that can be mapped back to the individual; anonymized data cannot be re-linked to a person.
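Removing the obvious identifiers is not enough on its own: combinations of remaining attributes (age, postal code, diagnosis) can still single out one person. The block below is an added example for this glossary, not code from the original page; it drops direct identifiers, generalizes the quasi-identifiers, aggregates the rest into counts, and suppresses any group smaller than a threshold k. The patient records are constructed sample data and the field names are assumptions.

```python
from collections import Counter

# Fields that identify a person on their own; dropped outright. Hashing them
# would only pseudonymize: a hashed e-mail is still reversible by dictionary.
DIRECT_IDENTIFIERS = {"name", "email", "ssn"}


def generalize_age(age):
    """Bucket an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def generalize_zip(zip_code):
    """Keep only the first three digits of a postal code, e.g. '94110' -> '941**'."""
    return zip_code[:3] + "**"


def anonymize(records, k=3):
    """Return aggregated counts per (age band, zip prefix, diagnosis), omitting
    any group with fewer than k members. Input rows are never returned."""
    groups = Counter()
    for row in records:
        assert not (DIRECT_IDENTIFIERS & set(row)) or True  # identifiers are simply not read
        key = (generalize_age(row["age"]), generalize_zip(row["zip"]), row["diagnosis"])
        groups[key] += 1
    # Suppression: a group of one or two would let an attacker who knows a
    # person's age and area learn their diagnosis from the published table.
    return {key: n for key, n in groups.items() if n >= k}


# Constructed sample input (not real people).
SAMPLE_RECORDS = [
    {"name": "Alice Ng", "email": "alice@example.com", "age": 34, "zip": "94110", "diagnosis": "flu"},
    {"name": "Bob Li", "email": "bob@example.com", "age": 31, "zip": "94117", "diagnosis": "flu"},
    {"name": "Cara Ruiz", "email": "cara@example.com", "age": 38, "zip": "94103", "diagnosis": "flu"},
    {"name": "Dan Oz", "email": "dan@example.com", "age": 36, "zip": "94122", "diagnosis": "flu"},
    {"name": "Eve Park", "email": "eve@example.com", "age": 67, "zip": "02139", "diagnosis": "rare disorder"},
]


if __name__ == "__main__":
    for key, n in anonymize(SAMPLE_RECORDS, k=3).items():
        print(key, n)
```

With k=3 the single 60-69 / 021** / "rare disorder" row disappears from the output; with k=1 it would be published and, for anyone who knows one elderly resident of that area, would reveal a diagnosis.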
Defense-in-Depth - Correct Answer A security design principle that ensures that no single point of complete compromise exists by implementing multiple layers of risk mitigation controls. Also known as layered defense.
Disposition - Correct Answer The secure disposal of software and the data the software processes, transmits, and stores.
Economy of mechanism - Correct Answer A security design principle that states that the design should be kept as simple and small as possible, because the likelihood of vulnerabilities increases with the complexity of the software design and complex mechanisms are harder to review and test.
Fail safe - Correct Answer A security design principle that ensures that when the software fails, the confidentiality, integrity, and availability of the software is still maintained along with rapid recovery. In practice this means defaulting to a denying, secure state on any error rather than an open one (an exception in an access check must not be treated as a successful check). Also known as Fail Secure.
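A common way software fails open is an access check whose error path returns "allowed". The block below is an added example for this glossary, not code from the original page; it shows a permission lookup backed by a policy store that can become unreachable, a check that fails open, and the fail-secure version that denies and records the failure so the availability loss is visible instead of silently turning into a confidentiality loss. The subjects and the policy store are constructed.

```python
class PolicyBackendDown(Exception):
    """Raised when the policy store cannot be consulted."""


def lookup_permission(store, subject, action):
    """Consult the policy store; `store is None` simulates an outage."""
    if store is None:
        raise PolicyBackendDown("policy store unreachable")
    return action in store.get(subject, set())


def fail_open_check(store, subject, action):
    """Anti-pattern: an unexpected error is treated like a passed check.
    During any outage every subject may perform every action."""
    try:
        return lookup_permission(store, subject, action)
    except Exception:
        return True


def fail_secure_check(store, subject, action, audit):
    """Fail safe / fail secure: deny on any failure and record why, so the
    system degrades to 'unavailable' rather than to 'unprotected'."""
    try:
        return lookup_permission(store, subject, action)
    except PolicyBackendDown as exc:
        audit.append(f"DENY {subject}:{action} ({exc})")
        return False


# Constructed sample policy: only alice may read.
SAMPLE_STORE = {"alice": {"read"}}


if __name__ == "__main__":
    audit = []
    print("normal operation:", fail_secure_check(SAMPLE_STORE, "alice", "read", audit))
    print("outage, fail-open:", fail_open_check(None, "mallory", "delete"))
    print("outage, fail-secure:", fail_secure_check(None, "mallory", "delete", audit))
    print("audit:", audit)
```

The fail-secure variant catches only the exception class it expects; a broad `except Exception` that swallows everything can hide programming errors in the check itself, which is how the fail-open bug usually gets written in the first place.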
Integrity - Correct Answer A security concept that assures protection against unauthorized alterations (or modifications).
Least common mechanism - Correct Answer A security design principle that states that when the software is architected, the mechanisms that are common (shared) between two different users or processes must be minimized.
Least privilege - Correct Answer A security design principle in which a user or process is explicitly given only the necessary and minimum level of access rights (privileges) for a specified amount of time, in order to complete an operation.
Leveraging existing components - Correct Answer A security design principle that ensures that the attack surface is not increased and no newer vulnerabilities are introduced because existing components of code/functionality are reused (leveraged) when architecting software.
Non-repudiation - Correct Answer A security concept that addresses the deniability of actions taken by the software or the user. It ensures that the actions taken by the software on behalf of the user (intentionally or unintentionally) cannot be refuted or denied.
Open design - Correct Answer A security design principle that states that the security of the software/system should not depend on the secrecy of its design or implementation, but be open for review; only the keys and credentials need to remain secret (Kerckhoffs's principle).
Psychological acceptability - Correct Answer A security design principle that states that controls should be easy to use and should not make the protected resource noticeably harder to reach than it would be without the control; a control that users find burdensome will be bypassed or disabled. It reflects the willingness of users to accept a particular control.
Separation of duties - Correct Answer A security design principle that ensures that no one person or process can complete a sensitive operation in its entirety; for example, the identity that requests a payment must not be the one that approves it. It is also referred to as the compartmentalization principle.
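Separation of duties is enforced in code by tying each step of an operation to a distinct identity and rejecting a step whose actor already performed an earlier one. The block below is an added example for this glossary, not code from the original page; it implements a two-person rule for a payment workflow (request, approve, execute) and rejects self-approval. The user names and amounts are constructed sample data.

```python
class SeparationOfDutiesError(Exception):
    """Raised when one identity tries to perform two steps of the same operation."""


class PaymentWorkflow:
    """Request -> approve -> execute, each step by a different identity.
    Identities are compared as stable user IDs, not display names."""

    def __init__(self):
        self.payments = {}

    def request(self, payment_id, requester, amount):
        self.payments[payment_id] = {
            "amount": amount, "requester": requester,
            "approver": None, "state": "pending",
        }

    def approve(self, payment_id, approver):
        p = self.payments[payment_id]
        if p["state"] != "pending":
            raise ValueError(f"payment {payment_id} is {p['state']}, not pending")
        if approver == p["requester"]:
            raise SeparationOfDutiesError("requester may not approve their own payment")
        p["approver"] = approver
        p["state"] = "approved"

    def execute(self, payment_id, executor):
        p = self.payments[payment_id]
        if p["state"] != "approved":
            raise ValueError(f"payment {payment_id} is {p['state']}, not approved")
        if executor in (p["requester"], p["approver"]):
            raise SeparationOfDutiesError("executor must differ from requester and approver")
        p["state"] = "executed"
        return p["amount"]


def demo():
    """Constructed scenario. Returns (self_approval_blocked, self_execute_blocked, paid_amount)."""
    wf = PaymentWorkflow()
    wf.request("inv-1001", requester="alice", amount=5000)

    try:
        wf.approve("inv-1001", approver="alice")       # alice tries to approve herself
        self_approval_blocked = False
    except SeparationOfDutiesError:
        self_approval_blocked = True

    wf.approve("inv-1001", approver="bob")             # a second person approves

    try:
        wf.execute("inv-1001", executor="bob")         # approver tries to also pay it out
        self_execute_blocked = False
    except SeparationOfDutiesError:
        self_execute_blocked = True

    paid = wf.execute("inv-1001", executor="carol")    # third identity releases funds
    return self_approval_blocked, self_execute_blocked, paid


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the identities behind it: if one person holds two accounts, or an administrator can create a second user at will, the rule is satisfied on paper and defeated in practice, so the identity provider and the account-creation path must be part of the same control.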