Software Development Lifecycle (SDLC) Security Phases and Assessments, Exams of Software Engineering

The phases of the software development lifecycle (sdlc) with a focus on security. It covers key aspects such as security assessments, threat modeling, and various security-related frameworks and standards like iso/iec 27034, safecode, and nist publications. The document also includes information on functional and non-functional requirements, change management, and threat risk modeling processes, providing a comprehensive overview of integrating security into the sdlc. It is useful for understanding how to build secure applications by embedding security within the development processes. It also includes questions and answers about the topic.

Typology: Exams

2024/2025

Available from 09/19/2025

davian-Willis
davian-Willis 🇺🇸

4.7

(3)

4.4K documents

1 / 27

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
SDLCvRoadvmapvPhasesv-vcorrectvanswer-
1.)v*Phasevzero*v(projectvinception)vorvPlanningv=vlegalvrequirementsvandvcompanyv
policies
2.)v*Systemvrequirements*v=videntifyvthreatsvandvvulnerabilities
3.)v*Systemvdesign*v=vsecurityvmeasures/controlsvneeded
4.)v*Development*v(implementation/
coding)v=vcodevscanningvvalidatevsecurityvfeatures/peervreview
5.)v*Test*v=vdynamicvanalysisvfullvsystemvtestingvtovmeasurevresultsvagainstvplan
6.)v*Deployment*v=voperationsvreadyvtovinstallvandvlaunchvapplication
7.)v*Maintenance*
SDLv=vSecurityvDevelopmentvLifecyclevPhasesv-vcorrectvanswer-
A1v=vSecurityvAssessment
A2v=vArchitecture
A3v=vDesignv&vDevelopment
A4v=vShip
A5v=vPost-ReleasevSupportv(PRSA)
Phasesvofv"ApplicationvDevelopment"v-vcorrectvanswer-
1.)v*Requirementsvgatheringvandvanalysis*v=vmapvoutvnon-
functionalvrequirementsv(mapvsecurityvandvprivacyvneeds)
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b

Partial preview of the text

Download Software Development Lifecycle (SDLC) Security Phases and Assessments and more Exams Software Engineering in PDF only on Docsity!

SDLCvRoadvmapvPhasesv-vcorrectvanswer- 1.)vPhasevzerov(projectvinception)vorvPlanningv=vlegalvrequirementsvandvcompanyv policies 2.)vSystemvrequirementsv=videntifyvthreatsvandvvulnerabilities 3.)vSystemvdesignv=vsecurityvmeasures/controlsvneeded 4.)vDevelopmentv(implementation/ coding)v=vcodevscanningvvalidatevsecurityvfeatures/peervreview 5.)vTestv=vdynamicvanalysisvfullvsystemvtestingvtovmeasurevresultsvagainstvplan 6.)vDeploymentv=voperationsvreadyvtovinstallvandvlaunchvapplication 7.)vMaintenance SDLv=vSecurityvDevelopmentvLifecyclevPhasesv-vcorrectvanswer- A1v=vSecurityvAssessment A2v=vArchitecture A3v=vDesignv&vDevelopment A4v=vShip A5v=vPost-ReleasevSupportv(PRSA) Phasesvofv"ApplicationvDevelopment"v-vcorrectvanswer- 1.)vRequirementsvgatheringvandvanalysisv=vmapvoutvnon- functionalvrequirementsv(mapvsecurityvandvprivacyvneeds)

2.)vSystemsvdesignvandvdetailvdesignsv=vthreatvmodelingvandvdesignvreviews 3.)vSoftwarevcodingvandvreviews 4.)vTestingvsteps 5.)vDeploymentvstep NFR=Non-FunctionalvRequirements ThevNFRsvarevthenvmappedvagainstvthesevcriticalvsecurityvandvresiliencevgoals:v- vcorrectvanswer-1.)vConfidentialityvandvprivacy 2.)vIntegrity 3.)vAvailability 4.)vNonrepudiation 5.)vAuditing TechnicalvThreatvModeling:v-vcorrectvanswer- 1.vFunctionalvdecompositionv=vDFDsvandvdefiningvtrustvboundaries 2.vCategorizingvthreatsv=vtypesvofvthreatsvandvtheirvimpact 3.vRankingvthreatsv 4.vMitigationvplanning CMMv=vCapabilityvMaturityvModelingv-vcorrectvanswer-1.)vInitialv(chaosv- vnovorganization) 2.)vRepeatablev(disciplinedvprocess) 3.)vDefinedv(standard,vconsistentvprocess) 4.)vManagedv(predictablevprocess) 5.)vOptimizingv(Continuouslyvimprovingvprocess) PITACv-vcorrectvanswer-President'svInformationvTechnologyvAdvisoryvCommittee TwCv-vcorrectvanswer- TrustworthyvComputingv>>vThevteamvatvMicrosoftvthatvdevelopedvthevSDLC SAMMv-vcorrectvanswer-SoftwarevAssurancevMaturityvModelv(OWASP)v- vtailorsvsecurityvtovriskvforvspecificvorganization ISO/IECv 27034 v-vcorrectvanswer-EmbedsvsecurityvwithinvSDLC standardvprovidesvguidancevtovhelpvorganizationsvembedvsecurityvwithinvtheirvproce sses,vincludingvapplicationvlifecyclevprocesses,vthatvhelpvtovsecurevapplicationsvrunn ingvinvthevenvironment. SAFECodev-vcorrectvanswer- ThevSoftwarevAssurancevForumvforvExcellencevinvCodev(SAFECode)visvavnonprofitv organizationvdedicatedvtovincreasingvtrustvinvinformationvandvcommunicationsvtechn

M&Av=vMonitoringv&vAssessment ChangevManagementv-vcorrectvanswer- 1.)vRequestvControl:vuservrequestvmods,vmanagersvdovcost/ benefitvanalysis,vdevsvprioritizevtasks 2.)vChangevControl:vdevsvre- createvthevsituationvencounteredvbyvavuservandvanalyzevchangesvtovfix 3.)vReleasevControl:vapprovalvrequiredvviavreleasevcontrolvprocedures 4.)vConfigurationvIdentification:vdocumentvthevconfiguration 5.)vConfigurationvControl:vcontrolsvchangesvinvversionsvviavcontrolvprocess 6.)vConfigurationvStatusvAccounting:vformalizedvproceduresvtrackvallvchanges 7.)vConfigurationvAudit:vperiodicvconfigvaudit WaterfallvModelv-vcorrectvanswer-1.)vSystemvRequirements 2.)vSoftwarevRequirements 3.)vPreliminaryvDesign 4.)vDetailedvDesign 5.)vCodevandvDebug 6.)vTesting 7.)vOperationsvandvMaintenance LeanvdevelopmentvcanvbevsummarizedvbyvsevenvprinciplesvbasedvonvLeanvmanufa cturingvprinciplevconcepts:v-vcorrectvanswer-(1)veliminatevwaste, (2)vamplifyvlearning, (3)vdecidevasvlatevasvpossible, (4)vdelivervasvfastvasvpossible, (5)vempowervthevteam, (6)vbuildvintegrityvin,vand (7)vseevthevwhole. Functionalvrequirementsv-vcorrectvanswer- Functionalvrequirementsvdescribevwhatvanvapplicationvmustvdovtovservevavbusinessv need.vForvexample,vanvapplicationvmustvbevablevtovallowvavconsumervtovcompletevth eirvtransactionvonvthevsitevusingvavcreditvcard. Nonfunctionalvrequirementsv(NFRs)v-vcorrectvanswer- Nonfunctionalvrequirementsv(NFRs)vaddressvhowvwellvthevfunctionalvrequirementsva revmet,vorvtovputvitvanothervway,vtheyvconstrainvthevfunctionalvrequirementsvtovspeci fiedvoperatingvranges.vNonfunctionalvrequirementsvaddressvareasvsuchvasvcapacityv planning,vuptime,vresponsevtimes,vmaintainability,vandvportabilityv(web,vmobile,vetc.).

discoveryvmeetingv-vcorrectvanswer- ThevdiscoveryvmeetingvisvessentiallyvanvSDLvkick- offvmeetingvwherevthevkeyvSDLCvstakeholdersvgetvonvthevsamevpagevatvthevbeginni ngvofvthevprocessvsovthatvsecurityvisvbuiltvinvrathervthanvboltedvonvpost-release. ThevSDLvprojectvplanv-vcorrectvanswer- ThevSDLvprojectvplanvshouldvoutlinevsecurityvmilestonesvbasedvonvthevinformation vgainedvduringvthevdiscoveryvphasevandvintegratevthemvintovthevoverallvSDLCvsched ulevtovallowvpropervplanningvasvchangesvoccur.vAsvinvthevdiscoveryvphase,vactivities vmayvbevmorevinvtermsvofvdecisionsvtranslatedvintovmilestonesvthatvwillvbevfollowedv byvsecurityvactivities. KeyvSuccessvFactorsvforvSDLvA SecurityvAssessmentv-vcorrectvanswer- 1.)vAccuracyvofvplannedvSDLvactivitiesv=vallvSDLvactivitiesvarevaccuratelyvidentified 2.)vProductvriskvprofilev=v$$$$$ $vmanagementvunderstandsvthevtruevcostvofvdevelopingvthevproduct 3.)vAccuracyvofvthreatvprofilev=vmitigatingvstepsvandvcountermeasuresvarevinvplace 4.)vCoveragevofvrelevantvregulations,vcertifications,vandvcompliancevframeworks 5.)vCoveragevofvsecurityvobjectivesvneededvforvsoftwarev=v"mustvhave"vsecurityvobje ctivesvarevmet DeliverablesvforvPhasevA SecurityvAssessmentv-vcorrectvanswer- 1.)vProductvriskvprofilev=vestimatevactualvcostvofvthevproduct 2.)vSDLvprojectvoutlinev(milestonesvandvmapping)v=vmapvSDLvtovdevelopmentvsche dule 3.)vApplicablevlawsvandvregulationsvobtainvformalvsign-offvfromvstakeholders 4.)vThreatvprofilevguidevSDLvactivitiesvtovmitigatevthreats Certificationvrequirementsv=vlistvrequirementsvforvproductvandvopsvcertifications 5.)vListvofv3rdvpartyvsoftwarev=videntifyvdependencevonvthirdvpartyvsoftware 6.)vMetricsvtemplatev=vestablishvcadencevforvregularvreportingvtovexecs softwarevsecurityvpolicyv-vcorrectvanswer- Thevpurposevofvavsoftwarevsecurityvpolicyvisvtovdefinevwhatvneedsvtovbevprotectedv andvhowvitvwillvbevprotected,vincludingvreviewingvandvincorporatingvpoliciesvfromvou tsidevthevSDLvthatvmayvimpactvthevdevelopmentvprocess.

STRIDEv-vthreatvmodelv-vcorrectvanswer- ThevfirstvstepvinvSTRIDEvisvtovdecomposevyourvsystemvintovrelevantvcomponents,vth envanalyzeveachvcomponentvforvsusceptibilityvtovthevthreats,vandvfinally,vmitigatevthe vthreats -Spoofing -Tampering -Repudiation -InformationvDisclosure -DenialvofvService -EscalationvofvPrivilege DREADv(quantifyvthreat)v-vthreatvmodelv-vcorrectvanswer- Risk=Probability×DamagevPotential WebvApplicationvSecurityvFrameworkv=vApplicationvSecurityvFramev(ASF)vcategorie s:v-vcorrectvanswer-1.)vInputvvalidation 2.)vAuthentication 3.)vAuthorization 4.)vConfigurationvManagement 5.)vSensitivevData 6.)vSessionvManagement 7.)vCryptography 8.)vExceptionvManagement 9.)vAuditingvandvLogging GREv=vGenericvRiskvModelvwhichvconsidersvlikelihoodv-vcorrectvanswer- Riskv=vLikelihoodvxvImpact Trikev-vcorrectvanswer- Trikevisvavunifiedvconceptualvframeworkvforvsecurityvauditingvfromvavriskvmanageme ntvperspectivevthroughvthevgenerationvofvthreatvmodelsvinvavreliable,vrepeatablevman ner.vTrikevdiffersvinvthatvitvusesvavrisk- basedvapproachvwithvdistinctvimplementation,vthreat,vandvriskvmodels,vinsteadvofvusi ngvthevSTRIDE/ DREADvaggregatedvthreatvmodelv(attacks,vthreats,vandvweaknesses). highvlevelsvofvautomationvpossible PASTAv(ProcessvforvAttackvSimulationvandvThreatvAnalysis)v-vcorrectvanswer- PASTAvisvavseven- stepvprocessvthatvisvapplicablevtovmostvapplicationvdevelopmentvmethodologiesvand visvplatform-agnostic. 1.)vDefinevobjectives 2.)vDefinevtechnicalvscope 3.)vApplicationvdecomposition 4.)vThreatvAnalysis

5.)vVulnerabilityvandvweaknessvanalysis 6.)vAttackvmodeling 7.)vRiskvandvimpactvanalysis CommonvVulnerabilityvScoringvSystemv(CVSS)v-vcorrectvanswer- ThevNationalvInfrastructurevAdvisoryvCouncilv(NIAC)vcommissionedvCVSSvtovsuppor tvthevglobalvVulnerabilityvDisclosurevFramework.vCVSSvisvcurrentlyvmaintainedvbyvth evForumvofvIncidentvResponsevandvSecurityvTeamsv(FIRST).vThevCVSSvmodelvisvd esignedvtovprovidevendvusersvwithvanvoverallvcompositevscorevrepresentingvthevsev erityvandvriskvofvavvulnerability.vItvshouldvbevnotedvthatvthevCVSSvisvnotvavthreatvm odelingvmethodologyvandvisvnotvusedvtovfindvorvreducevthevattackvsurfacevorvtovhel pvspecifyvrisksvwithinvavpiecevofvcode.vItvis,vrather,vavriskvscoringvsystemvandvitvad dsvcomplexitiesvthatvdon'tvexistvinvSTRIDEvandvDREAD.vItvisvusedvtovcalculatevrisk svthatvarevidentifiedvpost-productvreleasevinvadditionvtovenvironmentalvfactors. OCTAVEv(OperationallyvCriticalvThreat,vAsset,vandvVulnerabilityvEvaluation)v- vcorrectvanswer- ItvisvavveryvcomplexvriskvmethodologyvapproachvoriginatingvfromvCarnegievMellonvU niversity'svSoftwarevEngineeringvInstitutev(SEI)vinvcollaborationvwithvthevSEIvComput ervEmergencyvResponsevTeamv(CERT).vOCTAVEvfocusesvonvorganizationalvrisk,v notvtechnicalvrisk.vAsvwithvCVSSvscoring,vOCTAVEvdoesvnotvincludevthreatvriskvmo delingvandvisvusedvprimarilyvtovenumeratevrisk. AS/NZSvISOv31000:2009v-vcorrectvanswer-ThevAustralian/ NewvZealandvStandardvAS/ NZSv4360,vfirstvissuedvinv 1999 vandvrevisedvinv2004,vwasvthevworld'svfirstvformalvsta ndardvforvdocumentingvandvmanagingvriskvandvisvstillvonevofvthevfewvformalvstandar dsvforvmanagingvit.vISOv31000:2009vprovidesvprinciplesvandvgenericvguidelines.vItv isvnotvspecificvtovanyvindustryvorvsector. ThreatvxvProbabilityvxvBusinessvImpactv=vRisk mixedvsourcev-vcorrectvanswer- Therevhasvbeenvanvincreasingvtrendvinvthevsoftwarevindustryvovervthevlastvfewvyears vtovdrawvonvthevstrengthsvofvbothvopen- sourcevandvproprietaryvsoftwarevtovdelivervthevhighestvvaluevatvthevlowestvcost.vThev blendvofvbothvisvcalledvmixedvsourcevandvisvbecomingvavdominantvpracticevinvindustr y. analysisvphasev-vcorrectvanswer- ThevanalysisvphasevdeterminesvhowvPIIvwillvbevhandledvtovensurevthatvitvconformsvt ovapplicablevlegal,vregulatory,vandvpolicyvrequirementsvregardingvprivacy;vwhatvthevr isksvandveffectsvofvcollecting,vmaintaining,vandvdisseminatingvprivacyvinformationvinvi dentifiablevformsvinvthevsoftwarevandvoverallvsystemvbeingvdevelopedvorvonevthatvitv potentiallyvinterfacesvwithvinvavcloudvorvSaaSvenvironment;vandvexaminesvandvevalu atesvprotectionsvandvalternativevprocessesvforvhandlingvinformationvtovmitigatevpote ntialvprivacyvrisks

Property- basedv(whitevbox)v>>vvalidatesvimplementationvfunctionalityvsatisfiesvspecifications Sourcevcodevfaultvinjectionv(whitevbox,vgrayvbox)v>>vtestsvallvcodevpathsvincludingve rrorvhandling Dynamicvcodevanalysisv(grayvbox) Binaryvfaultvinjectionv(grayvbox,vblackvbox)v>>vruntimevanalysisvexecutingvcodevandv injectionvfaults Fuzzvtestingv(blackvbox)v>>vrandomvinputs Binaryvcodevanalysisv(blackvbox)v>>vanalyzevmachinevcodevtovoutlinevbehaviors,vco ntrolvandvdatavflows,vcallvtrees,vandvexternalvfunctionvcalls Bytevcodevanalysisv(blackvbox)v>>vusedvlikevsourcevcodevanalyzers,vbutvdetectvvuln svinvbytevcode Blackvboxvdebuggingv(blackvbox)v>>vdebuggervforvlowvlevelvlanguagesvsuchvasvCvor vASMv=vmonitorvstart,vstop,vbreakpoints,vandvmodifyvvalues Vulnerabilityvscanningv(blackvbox)v>>vcommercialvorvopenvsourcevscanningvtools Penetrationvtestingv(blackvbox)v>>vsecurityvevaluatorsvattemptsvtovcircumventvsecuri tyvfeatures PrivacyvImplementationvAssessmentv-vcorrectvanswer- P1v=vHighvPrivacyvRiskv=vthinkvPII P2v=vModeratevPrivacyvRiskv=vthinkvonevtimevdatavtransfer P3v=vLowvPrivacyvRiskv=vthinkvnovriskvbecausevtherevisvNOvPIIvorvdatavtransfer KeyvSuccessvFactors: A3v=vDesignvandvDevelopmentv-vcorrectvanswer- 1.)vComprehensivevsecurityvtestvplanv=vmappingvtypesvofvsecurityvtestingvrequiredv atvdifferentvstagesvofvSDLC 2.)vEffectivevthreatvmodelingv=vIdentifyingvthreatsvtovthevsoftware 3.)vDesignvsecurityvanalysisv=vAnalysisvofvthreatsvtovvariousvsoftwarevcomponents 4.)vPrivacyvimplementationvassessmentv=veffortvrequiredvforvimplementationvofvpriv acy-relatedvcontrolsvbasedvonvassessment

5.)vPolicyvcompliancevreviewv(updates)v=vupdatesvforvpolicyvcompliancevasvrelated vtovphasev 3 Deliverables A3v=vDesignvandvDevelopmentv-vcorrectvanswer- 1.)vUpdatedvthreatvmodelingvartifactsv=vdatavflowvdiagrams,velements,vthreatvlistin g 2.)vDesignvsecurityvreviewv=vmodificationsvtovdesignvofvsoftwarevcomponentsvbase dvonvsecurityvassessments 3.)vSecurityvtestvplansv=vplanvtovmitigate,vaccept,vorvtoleratevrisk 4.)vUpdatedvpolicyvcompliancevanalysisv=vanalysisvofvadherencevtovcompanyvpolici es 5.)vPrivacyvimplementationvassessmentvresultsv=vrecommendationsvfromvprivacyva ssessment Completevmediationv-vcorrectvanswer- Whereveveryvrequestvbyvavsubjectvtovaccessvanvobjectvinvavcomputervsystemvmustv undergovavvalidvandveffectivevauthorizationvprocedure Openvdesignv-vcorrectvanswer- Anvaccessvcontrolvsystemvdesignvevaluatedvandvtestedvbyvavlargevnumbervofvexpert svprovidingvavmorevsecurevauthenticationvmethodvthanvonevthatvhasvnotvbeenvwidely vassessed Psychologicalvacceptabilityv-vcorrectvanswer- Thisvrefersvtovtheveasevofvusevandvintuitivenessvofvthevuservinterfacevthatvcontrolsva ndvinteractsvwithvthevaccessvcontrolvmechanism A3vpolicyvcompliancevanalysisv-vcorrectvanswer- A3vpolicyvcompliancevanalysisvisvavcontinuationvofvthevA2vpolicyvcompliancevreview. vDuringvthisvphase,vanyvpolicyvthatvexistsvoutsidevthevdomainvofvthevSDLvpolicyvisvre viewed.vThesevmightvincludevpoliciesvfromvoutsidevthevdevelopmentvorganizationvth atvsetvsecurityvandvprivacyvrequirementsvandvguidelinesvtovbevadheredvtovwhenvdev elopingvsoftwarevorvapplications. SDLv=vA4v-vcorrectvanswer-SDLv=vA4v=vDesignvandvDevelopment vAllvpriorvprocessesvarevreviewedvagain! vAllvpriorvprocessesvarevreviewedvagain!v-vcorrectvanswer- Duringvthisvphase,vanyvpolicyvthatvexistsvoutsidevthevdomainvofvthevSDLvpolicyvisvre viewedv(orvreviewedvagain).vThisvmayvincludevpoliciesvfromvoutsidevthevdevelopmen tvorganizationvthatvcarryvsecurityvandvprivacyvrequirementsvandvguidelinesvtovbevadh eredvtovwhenvdevelopingvsoftwarevorvapplicationsvanywherevwithinvthevorganization.

4.)vSecurityvtestingvreportsv=vfindingsvfromvdifferentvtypesvofvsecurityvtesting 5.)vRemediationvsupportv=vprovidevstatusvonvsecurityvposturevofvproducts A4vPolicyvCompliancevAnalysisv-vcorrectvanswer- Duringvthisvphase,vanyvpolicyvthatvexistsvoutsidevthevdomainvofvthevSDLvpolicyvisvre viewedv(orvreviewedvagain);vthisvmayvincludevpoliciesvfromvoutsidevthevdevelopment vorganization Manualvsecurityvcodevreviewv-vcorrectvanswer-Typicallyvdonevasvavline-by- linevinspectionvofvthevsoftwarevtovdeterminevanyvsecurityvvulnerabilitiesvinvthevsoftwa revproduct Arevflawsvvulnerabilities?v-vcorrectvanswer- Thevbasicvdesignvofvavproductvmayvcontainvflaws,vandvitvshouldvbevnotedvthatvsomev codingverrors,valthoughvtheyvmayvaffectvproductvreliability,varevnotvactualvvulnerabiliti es.vRemembervthatvthevultimatevgoalvofvsecurityvcodevreviewsvisvtovfindvcodevvulner abilitiesvthatvarevaccessiblevbyvanvattackervandvthatvmayvallowvthevattackervtovbypas svavsecurityvboundary. SDLCvRoadvmapvPhasesv-vcorrectvanswer- 1.)vPhasevzerov(projectvinception)vorvPlanningv=vlegalvrequirementsvandvcompanyvp olicies Avcirclevofvlifevcontainsvspokesvwhichvbecomesvavplantvwithvbulletsvonvit 2.)vSystemvrequirementsv=videntifyvthreatsvandvvulnerabilities Bulletsvfallvoffvandvbecomevdinnervmintsvwhichvthenvgathervintovthevshapevofvavpers on 3.)vSystemvdesignv=vsecurityvmeasures/controlsvneeded DinnervmintsvbecomevJoannavGaines 4.)vDevelopmentv(implementation/ coding)v=vcodevscanningvvalidatevsecurityvfeatures/peervreview Joannavdevelopsvlargevbreasts 5.)vTestv=vdynamicvanalysisvfullvsystemvtestingvtovmeasurevresultsvagainstvplan Avdoctorvcomesvupvandvtestsvthevsizevofvhervboobsvandvthevmilk 6.)vDeploymentv=voperationsvreadyvtovinstallvandvlaunchvapplication Hervboobsvdeploy/releasevmilk 7.)vMaintenance TimvfromvGadsdenvcomesvupvandvcommentsvonvhowvhevwouldvlikevtovmaintainvtho se SDLv-vcorrectvanswer-SDLv AvshipvinvavdockvwithvSDLvonvthevSails

A1v=vSecurityvAssessment Blueprintvghostvimagevonvthevdock A2v=vArchitecture Architectvcomesvupvwearingvoldvworldvgarb A3v=vDesignv&vDevelopmentv JoannavGainesvwalksvupvonvthevothervsidevandvbeginsvgrowingvboobies A4v=vShipv Thevshipvisvhighlightedvinvthevdockv-vlikevinvAssassinsvcreed A5v=vPost-ReleasevSupportv(PRSA) Avpostvgrowsvupvonvthevdockvlikevavlargevwoodenvtelephonevpole Phasesvofv"ApplicationvDevelopment"v-vcorrectvanswer- Phasesvofv"ApplicationvDevelopment" Anviconv(rectanglevbox)vofvanvapplicationvbeginsvtovdevelopvbreasts 1.)vRequirementsvgatheringvandvanalysis Thevbreastsvshootvoutvmintsvwhichvarevgatheredvupvbyvanvanalvcyst 2.)vSystemsvdesignvandvdetailvdesigns JoannavGainesvstopsvonvthevanalvcyst 3.)vSoftwarevcodingvandvreviews Joannavthenvbecomesv1svandv0svlikevinvthevmatrix 4.)vTestingvSteps Thevmatrixvcodevbecomesvavmanvwithvlargevballsvwhovturnsvhisvheadvtovthevsidevto vcough 5.)vDeploymentvStep Thevmatrixvcodevthenvorganismsvdeployingvcodevaroundvthevworld TechnicalvThreatvModelingv-vcorrectvanswer-TechnicalvThreatvModeling Avskullvandvcrossvbonesvwithvavpocketvprotectorvandvglasses 1.vFunctionalvdecompositionv=vDFDsvandvdefiningvtrustvboundaries Thevskullvandvcrossvbonesvdissolves 2.vCategorizingvthreatsv=vtypesvofvthreatsvandvtheirvimpact Avcatvcomesvbyvandvlicksvatvthevpuddlevofvdecomposedvthreatsvandvstartsvtovcauter izevitself 3.vRankingvthreats Thevcatvthenvbecomesvavgeneralvcatvwithvavuniformvandvrank 4.vMitigationvplanning Avgatevshutsvonvthevcatvandvthevcatvbecomesvavplant LeanvDevelopmentvPrinciplesv-vcorrectvanswer-LeanvDevelopmentvPrinciples

1.)vBreakvdownvarchitecturev(DFDs) Shevkillsvanvarchitect 2.)vMapvallvthreatsvtovvulnerabilities Thevbodyvofvthevarchitectvspreadsvintovavmap 3.)vRankvThreats CindyvCrawfordvthenvbecomesvavgeneralvwithvrankvandvmedals 4.)vDefinevmitigations/countermeasures AvlargevscalevofvjusticevfallsvonvCindyvCrawfordvcontainingvrulersvandvbeanvcounter s 5.)vFixvthevvulnerabilities FixvFelixvshowsvupvandvasksvifvhevcanvhelp VulnerabilityvScanvProcessv-vcorrectvanswer-1.)vScan 2.)vReport 3.)vRemediatevorvCompensatingvControls 4.)vConfirm 5.)vReport Thenvstartvatvscanvagain.... Whatvarevthev 4 vphasesvofvpenvtesting?v-vcorrectvanswer-1.)vAssess 2.)vIdentify 3.)vEvaluatevandvPlan 4.)vDeploy FinalvProductvSecurityvReviewv 4 vstepvprocess?v-vcorrectvanswer- 1.)vAssessvresourcevavailability 2.)vIdentifyvfeatureveligibility 3.)vEvaluatevandvplanvforvremediation 4.)vReleasevandvship A1vBestvPracticesv-vcorrectvanswer-Softwarevsecurityvteamvisvloopedvinvearly Softwarevsecurityvteamvhostsvavdiscoveryvmeeting SoftwarevsecurityvteamvcreatesvanvSDLvprojectvplanv(statesvwhatvfurthervworkvwillvb evdone) PrivacyvImpactvAssessmentv(PIA)vplanvinitiated A2vBestvPracticesv-vcorrectvanswer-A2vPolicyvcompliancevanalysis

SDLvpolicyvassessmentvandvscoping Threatvmodelingv/varchitecturevsecurityvanalysis Openvsourcevsectionv(ifvneeded) Privacyvinformationvgatheringvandvanalysis A3vBestvPracticesv-vcorrectvanswer-A3vPolicyvcompliancevanalysis Securityvtestvplanvexecution StaticvAnalysis Threatvmodelvupdating Designvsecurityvanalysisvandvreview PrivacyvImplementationvAssessment A4vBestvPracticesv-vcorrectvanswer-A4vPolicyvcompliancevanalysis Securityvtestvcasevexecution StaticvAnalysis Dynamicvanalysis Fuzzvtesting Manualvcodevreview Privacyvvalidationvandvremediation A5vBestvPracticesv-vcorrectvanswer-A5vPolicyvcompliancevanalysis Finalvsecurityvreview Vulnerabilityvscan Penetrationvtesting Openvsourcevlicensingvreview Finalvsecurityvreview Finalvprivacyvreview

Questionv 19 v:vAllvofvthevfollowingvarevcountermeasuresvforvsessionvmanagementvatt acks,vEXCEPT: AvEncryptvcookiesvthatvincludevinformationvaboutvthevstatevofvthevconnection. BvImplementvpre-vandvpost-validationvcontrols. CvImplementvrandomizedvsessionvIDs. DvImplementvtimevstampsvorvtime-basedvvalidation.v-vcorrectvanswer- AnswervBvisvcorrect.Youvshouldvnotvimplementvpre-vandvpost- validationvcontrolsvasvavcountermeasurevforvsessionvmanagementvattacks.vPre- vandvpost- validationvcontrolsvarevcountermeasuresvtovusevinvparametervvalidationvattacks. Countermeasuresvforvsessionvmanagementvattacksvincludevthevfollowing:

  • vImplementvrandomizedvsessionvIDs.
  • vImplementvtimevstampsvorvtime-basedvvalidation.
  • vEncryptvcookiesvthatvincludevinformationvaboutvthevstatevofvthevconnection. Questionv 21 v:vWhichvstatementvcorrectlyvdefinesvthevobject- orientedvdatabasevmodel? AvThevrelationshipvbetweenvdatavelementsvisvinvthevformvofvavlogicalvtree. BvItvisvavhybridvbetweenvrelationalvandvobject-basedvdatabases. CvItvlogicallyvinterconnectsvremotelyvlocatedvdatabases. DvItvcanvstorevdatavthatvincludesvmultimediavclips,vimages,vvideo,vandvgraphics.v- vcorrectvanswer-AnswervDvisvcorrect. Anvobject- orientedvdatabasevisvusedvtovstorevmultiplevtypesvofvdata,vsuchvasvimages,vaudio,vvi deo,vandvdocuments.vThevdatavelementsvandvthevdifferentvcomponentsvarevreferredv tovasvobjects.vThesevobjectsvarevusedvtovcreatevdynamicvdatavcomponents.vInvanvo bject- orientedvdatabase,vthevobjectsvcanvbevdynamicallyvcreatedvaccordingvtovthevrequire mentsvandvthevinstructionsvexecuted.vThevobject- orientedvmodelvprovidesveasevofvreusingvcode,vanalyses,vandvreducedvmaintenance . Thevdistributedvdatabasevmodelvimpliesvmultiplevdatabasesvthatvarevsituatedvatvrem otevlocationsvandvarevlogicallyvconnected.vInvavdistributedvdatabasevmodel,vdatabas esvarevlogicallyvconnectedvtoveachvothervtovensurevthatvthevtransitionvfromvonevdata basevtovanothervisvtransparentvtovthevusers.vThevlogicallyvconnectedvdatabasesvapp earvasvavsinglevdatabasevtovthevusers.vThevdistributedvdatabasevmodelvallowsvdiffer entvdatabasesvsituatedvatvremotevlocationsvtovbevmanagedvindividuallyvbyvdifferentv databasevadministrators.vThisvdatabasevmodelvprovidesvscalabilityvfeatures,vsuchvas vloadvbalancingvandvfaultvtolerance.

Avobject-relationalvdatabasevisvavhybridvbetweenvanvobject- orientedvbasedvdatabasevandvavrelationalvdatabase,vandvinheritsvpropertiesvfromvbot h.vAnvobject- relationalvdatabasevallowsvdevelopersvtovintegratevthevdatabasevwithvtheirvownvcust omvdatavtypesvandvmethods. Invavhierarchicalvdatabase,vthevdatavisvorganizedvinvavlogicalvtreevstructurevrathervth anvbyvusingvrowsvandvcolumns.vRecordsvandvfieldsvarevrelatedvtoveachvothervinvavp arent- childvtreevstructure.vAvhierarchicalvdatabasevtreevstructurevcanvhavevbranchesvandvl eavesvwherevleavesvarevthevdatavfieldsvandvthevdatavisvaccessedvthroughvwell- definedvaccessvpathsvbyvusingvrecordvgroupsvthatvactvasvbranches.vAvhierarchicalvd atabasevisvusedvwherevonevtovmanyvrelationshipsvexist. Questionv 24 v:vHowvdoesvanvActiveXvcomponentvenforcevsecurity? AvbyvusingvAuthenticode Bvbyvusingvmacrovlanguages Cvbyvusingvobjectvcodes Dvbyvusingvsandboxesv-vcorrectvanswer-Explanation:vAnswervAvisvcorrect. AuthenticodevisvusedvbyvthevActiveXvtechnologyvofvMicrosoftvtovenforcevsecurity.vAc tiveXvrefersvtovavsetvofvcontrolsvthatvusersvcanvdownloadvinvthevformvofvavplug- invtovenhancevavfeaturevofvanvapplication.vThevprimaryvdifferencevbetweenvJavavapp letsvandvActiveXvcontrolsvisvthatvthevActiveXvcontrolsvarevdownloadedvsubjectvtovacc eptancevbyvavuser.vThevActiveXvtrustvcertificatevalsovstatesvthevsourcevofvthevplug- invsignaturesvofvthevActiveXvmodules. Javavappletsvusevsandboxesvtovenforcevsecurity.vAvsandboxvisvavsecurityvschemevth atvpreventsvJavavappletsvfromvaccessingvunauthorizedvareasvonvavuser'svcomputer.v WhenvavuservaccessesvavWebvpagevthroughvavbrowser,vclassvfilesvforvanvappletvare vdownloadedvautomatically,vevenvfromvuntrustedvsources.vTovcountervthisvpossiblevt hreat,vJavavprovidesvavcustomizablevsandboxvandvenforcesvthevexecutionvofvthevap plicationvwithinvthevsandbox.vThisvpreventsvJavavappletsvfromvaccessingvunauthoriz edvareasvonvavuser'svcomputervorvsystemvresourcesvoutsidevthevsandbox.vSandboxv protectionsvincludevpreventingvreadingvandvwritingvtovavlocalvdisk,vprohibitingvthevcre ationvofvavnewvprocess,vpreventingvthevestablishmentvofvavnetworkvconnectionvtovav newvhost,vandvpreventingvthevloadingvofvavnewvdynamicvlibraryvandvdirectlyvcallingva vnativevmethod.vThevsandboxvsecurityvfeaturesvarevdesignedvintovthevJavavVirtualvM achinev(JVM).vThesevfeaturesvarevimplementedvthroughvarrayvboundsvchecking,vstr ucturedvmemoryvaccess,vtype- safevreferencevcastvchecking,vcheckingvforvnullvreferences,vandvautomaticvgarbagev collection.vThesevchecksvarevdesignedvtovlimitvmemoryvaccessesvtovsafe,vstructured voperations. Avhostilevappletvisvanvactivevcontentvmodulevusedvtovexploitvsystemvresources.vHost ilevappletsvcodedvinvJavavcanvposevavsecurityvthreatvtovcomputervsystemsvifvthevexe cutablesvare