



















This document covers the phases of the software development lifecycle (SDLC) with a focus on security. It addresses key aspects such as security assessments, threat modeling, and security-related frameworks and standards such as ISO/IEC 27034, SAFECode, and NIST publications. It also includes material on functional and non-functional requirements, change management, and threat risk modeling processes, giving an overview of how security is integrated into the SDLC. It is useful for understanding how to build secure applications by embedding security within the development process, and it includes questions and answers about the topic.
Typology: Exams




















SDLC Road map Phases - correct answer-
1.) Phase zero (project inception) or Planning = legal requirements and company policies
2.) System requirements = identify threats and vulnerabilities
3.) System design = security measures/controls needed
4.) Development (implementation/coding) = code scanning, validate security features, peer review
5.) Test = dynamic analysis, full system testing to measure results against plan
6.) Deployment = operations ready to install and launch application
7.) Maintenance

SDL = Security Development Lifecycle Phases - correct answer-
A1 = Security Assessment
A2 = Architecture
A3 = Design & Development
A4 = Ship
A5 = Post-Release Support (PRSA)

Phases of "Application Development" - correct answer-
1.) Requirements gathering and analysis = map out non-functional requirements (map security and privacy needs)
2.) Systems design and detail designs = threat modeling and design reviews
3.) Software coding and reviews
4.) Testing steps
5.) Deployment step

NFR = Non-Functional Requirements

The NFRs are then mapped against these critical security and resilience goals: - correct answer-
1.) Confidentiality and privacy
2.) Integrity
3.) Availability
4.) Nonrepudiation
5.) Auditing

Technical Threat Modeling: - correct answer-
1. Functional decomposition = DFDs and defining trust boundaries
2. Categorizing threats = types of threats and their impact
3. Ranking threats
4. Mitigation planning

CMM = Capability Maturity Modeling - correct answer-
1.) Initial (chaos - no organization)
2.) Repeatable (disciplined process)
3.) Defined (standard, consistent process)
4.) Managed (predictable process)
5.) Optimizing (continuously improving process)

PITAC - correct answer- President's Information Technology Advisory Committee

TwC - correct answer- Trustworthy Computing >> The team at Microsoft that developed the SDLC

SAMM - correct answer- Software Assurance Maturity Model (OWASP) - tailors security to risk for a specific organization

ISO/IEC 27034 - correct answer- Embeds security within the SDLC. The standard provides guidance to help organizations embed security within their processes, including application lifecycle processes, that help to secure applications running in the environment.

SAFECode - correct answer- The Software Assurance Forum for Excellence in Code (SAFECode) is a nonprofit organization dedicated to increasing trust in information and communications techn
M&A = Monitoring & Assessment

Change Management - correct answer-
1.) Request Control: user requests mods, managers do cost/benefit analysis, devs prioritize tasks
2.) Change Control: devs re-create the situation encountered by a user and analyze changes to fix
3.) Release Control: approval required via release control procedures
4.) Configuration Identification: document the configuration
5.) Configuration Control: controls changes in versions via control process
6.) Configuration Status Accounting: formalized procedures track all changes
7.) Configuration Audit: periodic config audit

Waterfall Model - correct answer-
1.) System Requirements
2.) Software Requirements
3.) Preliminary Design
4.) Detailed Design
5.) Code and Debug
6.) Testing
7.) Operations and Maintenance

Lean development can be summarized by seven principles based on Lean manufacturing principle concepts: - correct answer-
(1) eliminate waste,
(2) amplify learning,
(3) decide as late as possible,
(4) deliver as fast as possible,
(5) empower the team,
(6) build integrity in, and
(7) see the whole.

Functional requirements - correct answer- Functional requirements describe what an application must do to serve a business need. For example, an application must be able to allow a consumer to complete their transaction on the site using a credit card.

Nonfunctional requirements (NFRs) - correct answer- Nonfunctional requirements (NFRs) address how well the functional requirements are met, or to put it another way, they constrain the functional requirements to specified operating ranges. Nonfunctional requirements address areas such as capacity planning, uptime, response times, maintainability, and portability (web, mobile, etc.).
discovery meeting - correct answer- The discovery meeting is essentially an SDL kick-off meeting where the key SDLC stakeholders get on the same page at the beginning of the process so that security is built in rather than bolted on post-release.

The SDL project plan - correct answer- The SDL project plan should outline security milestones based on the information gained during the discovery phase and integrate them into the overall SDLC schedule to allow proper planning as changes occur. As in the discovery phase, activities may be more in terms of decisions translated into milestones that will be followed by security activities.

Key Success Factors for SDL A Security Assessment - correct answer-
1.) Accuracy of planned SDL activities = all SDL activities are accurately identified
2.) Product risk profile = $$$$$$ management understands the true cost of developing the product
3.) Accuracy of threat profile = mitigating steps and countermeasures are in place
4.) Coverage of relevant regulations, certifications, and compliance frameworks
5.) Coverage of security objectives needed for software = "must have" security objectives are met

Deliverables for Phase A Security Assessment - correct answer-
1.) Product risk profile = estimate actual cost of the product
2.) SDL project outline (milestones and mapping) = map SDL to development schedule
3.) Applicable laws and regulations = obtain formal sign-off from stakeholders
4.) Threat profile = guide SDL activities to mitigate threats
Certification requirements = list requirements for product and ops certifications
5.) List of 3rd party software = identify dependence on third party software
6.) Metrics template = establish cadence for regular reporting to execs

software security policy - correct answer- The purpose of a software security policy is to define what needs to be protected and how it will be protected, including reviewing and incorporating policies from outside the SDL that may impact the development process.
STRIDE - threat model - correct answer- The first step in STRIDE is to decompose your system into relevant components, then analyze each component for susceptibility to the threats, and finally, mitigate the threats
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Escalation of Privilege

DREAD (quantify threat) - threat model - correct answer- Risk = Probability × Damage Potential

Web Application Security Framework = Application Security Frame (ASF) categories: - correct answer-
1.) Input validation
2.) Authentication
3.) Authorization
4.) Configuration Management
5.) Sensitive Data
6.) Session Management
7.) Cryptography
8.) Exception Management
9.) Auditing and Logging

GRE = Generic Risk Model which considers likelihood - correct answer- Risk = Likelihood x Impact

Trike - correct answer- Trike is a unified conceptual framework for security auditing from a risk management perspective through the generation of threat models in a reliable, repeatable manner. Trike differs in that it uses a risk-based approach with distinct implementation, threat, and risk models, instead of using the STRIDE/DREAD aggregated threat model (attacks, threats, and weaknesses).
high levels of automation possible

PASTA (Process for Attack Simulation and Threat Analysis) - correct answer- PASTA is a seven-step process that is applicable to most application development methodologies and is platform-agnostic.
1.) Define objectives
2.) Define technical scope
3.) Application decomposition
4.) Threat Analysis
5.) Vulnerability and weakness analysis
6.) Attack modeling
7.) Risk and impact analysis

Common Vulnerability Scoring System (CVSS) - correct answer- The National Infrastructure Advisory Council (NIAC) commissioned CVSS to support the global Vulnerability Disclosure Framework. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST). The CVSS model is designed to provide end users with an overall composite score representing the severity and risk of a vulnerability. It should be noted that the CVSS is not a threat modeling methodology and is not used to find or reduce the attack surface or to help specify risks within a piece of code. It is, rather, a risk scoring system and it adds complexities that don't exist in STRIDE and DREAD. It is used to calculate risks that are identified post-product release in addition to environmental factors.

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) - correct answer- It is a very complex risk methodology approach originating from Carnegie Mellon University's Software Engineering Institute (SEI) in collaboration with the SEI Computer Emergency Response Team (CERT). OCTAVE focuses on organizational risk, not technical risk. As with CVSS scoring, OCTAVE does not include threat risk modeling and is used primarily to enumerate risk.

AS/NZS ISO 31000:2009 - correct answer- The Australian/New Zealand Standard AS/NZS 4360, first issued in 1999 and revised in 2004, was the world's first formal standard for documenting and managing risk and is still one of the few formal standards for managing it. ISO 31000:2009 provides principles and generic guidelines. It is not specific to any industry or sector.
Threat x Probability x Business Impact = Risk

mixed source - correct answer- There has been an increasing trend in the software industry over the last few years to draw on the strengths of both open-source and proprietary software to deliver the highest value at the lowest cost. The blend of both is called mixed source and is becoming a dominant practice in industry.

analysis phase - correct answer- The analysis phase determines how PII will be handled to ensure that it conforms to applicable legal, regulatory, and policy requirements regarding privacy; what the risks and effects of collecting, maintaining, and disseminating privacy information in identifiable forms in the software and overall system being developed or one that it potentially interfaces with in a cloud or SaaS environment; and examines and evaluates protections and alternative processes for handling information to mitigate potential privacy risks
Property-based (white box) >> validates that implementation functionality satisfies specifications
Source code fault injection (white box, gray box) >> tests all code paths including error handling
Dynamic code analysis (gray box)
Binary fault injection (gray box, black box) >> runtime analysis executing code and injecting faults
Fuzz testing (black box) >> random inputs
Binary code analysis (black box) >> analyze machine code to outline behaviors, control and data flows, call trees, and external function calls
Byte code analysis (black box) >> used like source code analyzers, but detect vulns in byte code
Black box debugging (black box) >> debugger for low level languages such as C or ASM = monitor start, stop, breakpoints, and modify values
Vulnerability scanning (black box) >> commercial or open source scanning tools
Penetration testing (black box) >> security evaluators attempt to circumvent security features

Privacy Implementation Assessment - correct answer-
P1 = High Privacy Risk = think PII
P2 = Moderate Privacy Risk = think one time data transfer
P3 = Low Privacy Risk = think no risk because there is NO PII or data transfer

Key Success Factors: A3 = Design and Development - correct answer-
1.) Comprehensive security test plan = mapping types of security testing required at different stages of SDLC
2.) Effective threat modeling = identifying threats to the software
3.) Design security analysis = analysis of threats to various software components
4.) Privacy implementation assessment = effort required for implementation of privacy-related controls based on assessment
5.) Policy compliance review (updates) = updates for policy compliance as related to phase 3

Deliverables A3 = Design and Development - correct answer-
1.) Updated threat modeling artifacts = data flow diagrams, elements, threat listing
2.) Design security review = modifications to design of software components based on security assessments
3.) Security test plans = plan to mitigate, accept, or tolerate risk
4.) Updated policy compliance analysis = analysis of adherence to company policies
5.) Privacy implementation assessment results = recommendations from privacy assessment

Complete mediation - correct answer- Where every request by a subject to access an object in a computer system must undergo a valid and effective authorization procedure

Open design - correct answer- An access control system design evaluated and tested by a large number of experts providing a more secure authentication method than one that has not been widely assessed

Psychological acceptability - correct answer- This refers to the ease of use and intuitiveness of the user interface that controls and interacts with the access control mechanism

A3 policy compliance analysis - correct answer- A3 policy compliance analysis is a continuation of the A2 policy compliance review. During this phase, any policy that exists outside the domain of the SDL policy is reviewed. These might include policies from outside the development organization that set security and privacy requirements and guidelines to be adhered to when developing software or applications.

SDL = A4 - correct answer- SDL = A4 = Design and Development

All prior processes are reviewed again! - correct answer- During this phase, any policy that exists outside the domain of the SDL policy is reviewed (or reviewed again). This may include policies from outside the development organization that carry security and privacy requirements and guidelines to be adhered to when developing software or applications anywhere within the organization.
4.) Security testing reports = findings from different types of security testing
5.) Remediation support = provide status on security posture of products

A4 Policy Compliance Analysis - correct answer- During this phase, any policy that exists outside the domain of the SDL policy is reviewed (or reviewed again); this may include policies from outside the development organization

Manual security code review - correct answer- Typically done as a line-by-line inspection of the software to determine any security vulnerabilities in the software product

Are flaws vulnerabilities? - correct answer- The basic design of a product may contain flaws, and it should be noted that some coding errors, although they may affect product reliability, are not actual vulnerabilities. Remember that the ultimate goal of security code reviews is to find code vulnerabilities that are accessible by an attacker and that may allow the attacker to bypass a security boundary.
Lean Development Principles - correct answer-
1.) Break down architecture (DFDs)
2.) Map all threats to vulnerabilities
3.) Rank Threats
4.) Define mitigations/countermeasures
5.) Fix the vulnerabilities

Vulnerability Scan Process - correct answer-
1.) Scan
2.) Report
3.) Remediate or Compensating Controls
4.) Confirm
5.) Report
Then start at scan again....

What are the 4 phases of pen testing? - correct answer-
1.) Assess
2.) Identify
3.) Evaluate and Plan
4.) Deploy

Final Product Security Review 4 step process? - correct answer-
1.) Assess resource availability
2.) Identify feature eligibility
3.) Evaluate and plan for remediation
4.) Release and ship

A1 Best Practices - correct answer-
Software security team is looped in early
Software security team hosts a discovery meeting
Software security team creates an SDL project plan (states what further work will be done)
Privacy Impact Assessment (PIA) plan initiated

A2 Best Practices - correct answer-
A2 Policy compliance analysis
SDL policy assessment and scoping
Threat modeling / architecture security analysis
Open source section (if needed)
Privacy information gathering and analysis

A3 Best Practices - correct answer-
A3 Policy compliance analysis
Security test plan execution
Static Analysis
Threat model updating
Design security analysis and review
Privacy Implementation Assessment

A4 Best Practices - correct answer-
A4 Policy compliance analysis
Security test case execution
Static Analysis
Dynamic analysis
Fuzz testing
Manual code review
Privacy validation and remediation

A5 Best Practices - correct answer-
A5 Policy compliance analysis
Final security review
Vulnerability scan
Penetration testing
Open source licensing review
Final security review
Final privacy review
Question 19: All of the following are countermeasures for session management attacks, EXCEPT:
A Encrypt cookies that include information about the state of the connection.
B Implement pre- and post-validation controls.
C Implement randomized session IDs.
D Implement time stamps or time-based validation. - correct answer- Answer B is correct. You should not implement pre- and post-validation controls as a countermeasure for session management attacks. Pre- and post-validation controls are countermeasures to use in parameter validation attacks. Countermeasures for session management attacks include the following:
An object-relational database is a hybrid between an object-oriented based database and a relational database, and inherits properties from both. An object-relational database allows developers to integrate the database with their own custom data types and methods.

In a hierarchical database, the data is organized in a logical tree structure rather than by using rows and columns. Records and fields are related to each other in a parent-child tree structure. A hierarchical database tree structure can have branches and leaves where leaves are the data fields and the data is accessed through well-defined access paths by using record groups that act as branches. A hierarchical database is used where one to many relationships exist.

Question 24: How does an ActiveX component enforce security?
A by using Authenticode
B by using macro languages
C by using object codes
D by using sandboxes - correct answer- Explanation: Answer A is correct. Authenticode is used by the ActiveX technology of Microsoft to enforce security. ActiveX refers to a set of controls that users can download in the form of a plug-in to enhance a feature of an application. The primary difference between Java applets and ActiveX controls is that the ActiveX controls are downloaded subject to acceptance by a user. The ActiveX trust certificate also states the source of the plug-in signatures of the ActiveX modules.
Java applets use sandboxes to enforce security. A sandbox is a security scheme that prevents Java applets from accessing unauthorized areas on a user's computer. When a user accesses a Web page through a browser, class files for an applet are downloaded automatically, even from untrusted sources. To counter this possible threat, Java provides a customizable sandbox and enforces the execution of the application within the sandbox. This prevents Java applets from accessing unauthorized areas on a user's computer or system resources outside the sandbox. Sandbox protections include preventing reading and writing to a local disk, prohibiting the creation of a new process, preventing the establishment of a network connection to a new host, and preventing the loading of a new dynamic library and directly calling a native method. The sandbox security features are designed into the Java Virtual Machine (JVM). These features are implemented through array bounds checking, structured memory access, type-safe reference cast checking, checking for null references, and automatic garbage collection. These checks are designed to limit memory accesses to safe, structured operations.

A hostile applet is an active content module used to exploit system resources. Hostile applets coded in Java can pose a security threat to computer systems if the executables are