Secure Software Design - C706

______________illustrates the flow of activities through the SDL.

Architect ⇒ Design ⇒ Code ⇒Test

Identify security code review objectives perform preliminary scan review code for security issues review for security issues unique to the architecture

Code Review 4 steps

Inflexible Do business their way Unknown functionality no visiibility into source code cost licensing maintenance

Disadvantages of 3rd party software

Configuration Identification: During the configuration identification process, administrators document the configuration of covered software products throughout the organization. Configuration Control: The configuration control process ensures that changes to software versions are made in accordance with the change control and configuration management policies. Updates can be made only from authorized distributions in accordance with those policies. Configuration Status Accounting: Formalized procedures are used to keep track of all authorized changes that take place. Configuration Audit: A periodic configuration audit should be conducted to ensure that the actual production environment is consistent with the accounting records and that no unauthorized configuration changes have taken place.

In addition to the change management process, security administrators should be aware of the importance of configuration management. This process is used to control the version(s) of software used throughout an organization and formally track and control changes to the software configuration. It has four main components:

What represents an example of a vendor customization?

Reports Access controls Privacy regulations Interoperability with other systems

Tools that look for a fixed set of patterns or rules in the code in a manner similar to virus-checking programs

Static analysis tools

______________is the analysis of computer software that is performed without actually executing programs. It is predominantly used to perform analysis on a version of the source code; however, this kind of analysis may also be done on some form of the object code

Static program analysis

RiskDREAD=(DAMAGE+REPRODUCIBILITY+EXPLOITABILITY+AFFECTEDUSERS+DISCOVERABILITY)/59

The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories

_______________provides guidance to help organizations embed security within their processes, including application lifecycle processes, that help to secure applications running in the environment. It is a risk-based framework to continuously improve security through process integration and improvements in managing applications. It takes a process approach by design.

The ISO/IEC 27034 standard

______________ is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods.

The NIST SAMATE (Software Assurance Metrics and Tool Evaluation) project

Before you can begin developing__________you will need to evaluate what regulatory legislation or policies are applicable to the software you are developing. In some models this is called the data sensitivity assessment.

a privacy impact assessment (PIA),

Generally speaking, if there is no architectural change, then ______________can be bypassed. This assumes that the existing architecture went through security assessment and threat modeling.

architectural analysis and threat modeling

The role of an audit is to provide assurance to management of the effectiveness of the security program and __________

compliance with regulations.

Three primary tools are basic to the SDL, which are categorized as ____________

fuzzing, static, and dynamic analysis tools.

Request Control: The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks. Change Control: The change control process is used by developers to re-create the situation encountered by the user and analyze the appropriate changes to remedy the situation. It also provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment. Change control includes conforming to quality control restrictions, developing tools for update or change deployment, properly documenting any coded changes, and restricting the effects of new code to minimize diminishment of security. Release Control: Once the changes are finalized, they must be approved for release through the release control procedure. An essential step of the release control process is to double-check and ensure that any code inserted as a programming aid during the change process (such as debugging code and/or back doors) is removed before releasing the new software to production. Release control should also include acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.

he change management process has three basic components:

The _______is that once software has been through a SDL, you can re-use the software code any way you want. This presumption is false because any architectural changes that have occurred after release of a software product will likely introduce new attack vectors in the previously secure code. For this reason, software code must be put through the SDL process again when there is a new use of the software or an architectural change to the code post-release.

misconception

The goal of threat modeling is to gain an understanding of the __________by decomposing it and understanding how it interacts with external entities.

software application

................These attacks can be either ________,where the attacker grants himself privileges,

vertical

Plaintext passwords/weak passwords in configuration files Default accounts on the stack (Apache, Tomcat, operating systems) Sensitive information in log files Input validation (XSS, SQLi) Parameter tampering for Web applications Insecure services used by the software team (e.g., Telnet) Security configurations for various services (e.g., NFS)

. Below are a few examples of issues that QA security testing should look for:

12) __________covers all projects that have meaningful security and privacy risks and is analyzed in each phase and updated to cover new threats and practices. Specifically, activities and standards in the policy have been refreshed in each SDL phase and have incorporated lessons learned from root-cause analysis of security incidents, adapted to the changing threat environment, and will have resulted in tools and technique improvements.

12) SDL policy compliance

Assess resource availability. In this step, the resources that will be required and available in order to conduct the final security review are identified. The ability to enforce the quality gates required before the software can be released is also assessed. Minimum acceptable levels of security as it relates to quality are established through quality gates. Having the quality gates early in the SDLC process so that security risks are understood early in the SDL process helps ensure that vulnerabilities are identified and fixed early, which will avoid unnecessary work and delays later in the process. The SDL and development team must show compliance with the quality gates as part of the final security review. If security has truly been built into the SDLC process as a result of the SDL, the time required to complete the final security review will be minimal; if not, more time and resources will be required, which might delay the ability to release and ship on time. Identify feature eligibility. During this step, security tasks that are eligible for work in the final security review are identified. Feature eligibility should have been done earlier in the SDL process, to avoid unfinished security work in the final security review. Scrutiny should have also been given to areas or sub-teams where vulnerabilities have not been reported yet during the SDL process but that historically have a history of vulnerabilities with high scores that could bring a surprise task to the teams during the final security review. Evaluate and plan for remediation. During this step, the stakeholders responsible for the tasks identified in the previous step are notified, and scheduling for the final security review is set. Release and ship. The product security review is completed after all SDL requirements, such as fuzzing, vulnerability scans, secure coding policies review, and other current security practices, as well as any exceptions to quality gates or vulnerabilities, have been formally reviewed and approved. Functional regression will have typically taken place during the final security review as well. Regression testing is used to discover new software vulnerabilities or regressions from what was already discovered, hence the term regression. These regressions can be a result of changes in the existing functional and nonfunctional areas of the software or the system after changes have been made. In short, regression testing assesses whether a change in one part of the software has resulted in a change in other parts of the software or system it interacts with.

4 step final security review process

__________is a format to express functional and nonfunctional requirements for applications (recall the types of functional and nonfunctional requirements as defined in Lesson 3). A user story documents what a specific type of user wants to do with an application and under what conditions. It is written as a testable statement. One example of a user story for a functional requirement might be, "As a user, I would like to authenticate myself to the application so I can view and edit my own profile."

A user story

During _________ any policy that exists outside the domain of the SDL policy is reviewed (or reviewed again). This may include policies from outside the development organization that carry security and privacy requirements and guidelines to be adhered to when developing software or applications anywhere within the organization.

A4

Advantages of Dynamic Code Analysis Limited scope of what can be foundApplication must be footprinted to find the test area.That can cause areas to be missed.You can only test what you have found. No access to actual instructions being executedThe tool is exercising the application.Pattern matching on requests and responses. Requires only a running system to perform a test No requirement to have access to source code or binary code No need to understand how to write software or execute buildsTools tend to be more "fire and forget." Tests a specific operational deploymentCan find infrastructure, configuration, and patch errors that static analysis tools will miss. Identifies vulnerabilities in a runtime environment Automated tools provide flexibility on what to scan for. Allows for analysis of applications without access to the actual code Identifies vulnerabilities that might have been false negatives in the static code analysis Permits validation of static code analysis findings Can be conducted on any application9,10 Limitations of Dynamic Code Analysis Automated tools provide a false sense of security that everything is being addressed. Automated tools produce false positives and false negatives. Automated tools are only as good as the rules they are using to scan with. As for static analysis, there are not enough trained personnel to thoroughly conduct dynamic code analysis. It is more difficult to trace the vulnerability back to the exact location in the code, taking longer to fix the problem.11,12

Advantages and disadvantages of Dynamic Code analysis

Access to the actual instructions the software will be executingNo need to guess or interpret behaviorFull access to all of the software's possible behaviors Can find exact location of weaknesses in the code Can be conducted by trained software assurance developers who fully understand the code Allows quick turnaround for fixes Relatively fast if automated tools are used Automated tools can scan the entire code base. Automated tools can provide mitigation recommendations, reducing research time. Permits weaknesses to be found earlier in the development lifecycle, reducing the cost to fix5,6 Limitations of Static Code Analysis Requires access to source code or at least binary code and typically needs access to enough software artifacts to execute a build Typically requires proficiency in running software builds Will not find issues related to operational deployment environments Time-consuming if conducted manually Automated tools do not support all programming languages. Automated tools produce false positives and false negatives. There are not enough trained personnel to thoroughly conduct static code analysis. Automated tools can provide a false sense of security that everything is being addressed. Automated tools are only as good as the rules they are using to scan with. Does not find vulnerabilities introduced in the runtime environment7,8

Advantages and limitations of Static Code

_____________ has two roles, as an SSC in training and as an evangelist for the overall software product security program promulgated policy, including enforcing the policy and evangelizing the overall SDL process.

An SSE (software security evangelist)

Protecting the software and the systems on which it runs after release, after dev is complete

Application security

Ways to mitigate STRIDE Spoofing identity

Appropriate authentication Protect secret data Don't store secret

Ways to mitigate STRIDE Tampering with data

Appropriate authorization Hashes MACs Digital signatures Tamper-resistant protocols

__________________________do not have working software until very late in the cycle, assume they know everything upfront, minimize changes through a change control board (i.e., assume that change is bad and can be controlled), put most responsibility on the project manager (PM), optimize conformance to schedule and budget, generally use weak controls, and allow realization of value only upon completion. They are driven by a PM-centric approach under the belief that if the processes in the plan are followed, then everything will work as planned.

Aspects of Waterfall include the following:

Ensures that the user is who he or she claims to be and that the data come from the appropriate place

Authentication

Ensures that the user has the appropriate role and privilege to view data

Authorization

Ways to mitigate STRIDE Info disclosure:

Authorization Privacy-enhanced protocols Encryption Protect secrets Don't store secrets

_________This is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time. It is a set of best practices that Cigital developed by analyzing real-world data from nine leading software security initiatives and creating a framework based on common areas of success. There are 12 practices organized into four domains. These practices are used to organize the 109 BSIMM activities (BSIMM 4 has a total of 111 activities).

BSIMM ( short for Building Security In Maturity Model.)

Three core elements of security

Confidentiality, integrity, and availability (the C.I.A. model

_____________ enables us to harden software, systems, services and devices and lock them down thus reducing risk to the environment. Components of configuration management include hardening standards and guidelines, reviewing application dependencies on services, looking at user and administrator interfaces, security change management and so on. Questions are along the following lines:

Configuration management

_________________The focus of this on how data moves through the software solution and what happens to the data as it moves, giving us a better understanding of how the software works and its underlying architecture by providing a visual representation of how the software processes data.

Data flow diagram:

Key tasks during the discovery meeting include the following:

Develop an initial project outline for security milestones, which will be integrated into the development project schedule and will allow proper planning as changes occur. Identify the sources for the security requirements, such as relevant laws, regulations, standards, and customer requirements. Identify any required certification and/or accreditation requirements and the resources required for them. Identify any third-party or open-source software that will be required. Identify the common security controls that will be used for the software being developed, including those that will be needed if the software is to be used in a SaaS/cloud environment or as part of a larger solution using multiple software products. Identify and define the required security reporting metrics in both tactical and strategic (business) terms. Develop an initial framework of key security milestones, including time frames or development triggers that will signal a security step is approaching. Define the security responsibilities of the core software security team, the software security champions, developers, privacy team, and any other stakeholders required to support security during the SDL/SDLC process. Identify and document the software security design, architecture, and security coding practices to be used.

has the ability to detect dependencies that are not detectable using static analysis—for example, dynamic dependencies using reflection dependency injection, etc. allows the collection of temporal information. allows the possibility of dealing with runtime values. allows the identification of vulnerabilities in a runtime environment. allows the use of automated tools to provide flexibility on what to scan for. allows the analysis of applications for which you do not have access to the actual code. allows identifying vulnerabilities that might be false negatives in the static code analysis. permits validating static code analysis findings. can be conducted on any applicatio

Dynamic analysis is based on system execution (binary code), often using instrumentation. The advantages of dynamic analysis are that it:

___________ is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time. The objective is to find security errors in a program while it is running, rather than by repeatedly examining the code offline.

Dynamic program analysis

Security Strategy Architecture Assessment Threat Model Design Review Test Plan

Explanation: Here are the architecture task flow for new project or a redesign:

__________ These tests include mandatory requirements to validate the security of the software and associated system(s) being tested, which must be conducted regardless of whether security issues or vulnerabilities are detected or tuning is required.

Exploratory tests. Exploratory testing

________emphasizes the personal freedom and responsibility of the individual tester to continually optimize the quality of his or her work by treating test-related learning, test design, test execution, and test result interpretation as mutually supportive activities that run in parallel throughout the project.1 The tester actively controls the design of the tests, and those tests are performed while testing to design new and better tests.

Exploratory tests. Exploratory testing

What requires communication cadence with customers that should be formalized and published so that everyone in the company is aware of it and can invoke it if needed?

External vulnerability disclosure response process

The __________ goal of the security code review process is to improve the overall security of the product and to provide output that can be used by the development team to make changes or mitigations that will achieve improved software product security.

Final

___________ describe what an application must do to serve a business need. For example, an application must be able to allow a consumer to complete their transaction on the site using a credit card.

Functional requirements

__________________which can be automated or semi-automated, which provides invalid, unexpected, or random data to the inputs of a computer software program. In other words, it finds implementation bugs or security flaws by using malformed/semi-malformed data injection in an automated fashion.

Fuzz testing or fuzzing is a black-box software testing technique

The __________ standard defines application security as a process that an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them.

ISO 27034

_____________ is responsible for responding to software product security incidents involving external discoveries of post-release software product security vulnerabilities. As part of this role, the team manages the investigation of publicly discovered security vulnerabilities of their company's software products and the systems they interact with.

In relation to software security, a Product Security Incident Response Team (PSIRT)

__________________ :This approach carries less risk than a traditional Waterfall approach but is more risky and less efficient than the Agile approach. In the iterative Waterfall method, the overall project is divided into various phases, each executed using the traditional Waterfall method. Dividing larger projects into smaller identifiable phases results in a smaller scope of work for each phase, and the end deliverable of each phase can be reviewed and improved if necessary before moving to the next phase. Overall risk is thus reduced

Iterative Waterfall Development

Although_______is similar to Scrum in that it focuses on features rather than groups of features, it takes this idea one step further in that, in its simplest form, you select, plan, develop, test, and deploy one feature before you select, plan, develop, test, and deploy the next feature. The objective is to further isolate risk to the level of an individual feature.

Lean

______________ address how well the functional requirements are met, or to put it another way, they constrain the functional requirements to specified operating ranges.

Nonfunctional requirements (NFRs)

The SDL team and privacy lead must review the Microsoft SDL Privacy Questionnaire or its equivalent to determine whether a privacy disclosure is required. If the privacy lead determines that a privacy disclosure is waived or covered, then there is no need to meet this requirement. The privacy lead will give final approval for release of the privacy disclosure statement.

P1:

_______The feature, product, or service stores or transfers personally identifiable information (PII), changes settings or file type associations, or installs software.

P1: High Privacy Risk.

The privacy lead will determine if a privacy design review is being requested, provide a confirmation that the software architectural design is compliant with privacy standards applicable to this software product, or determine if an exception request is needed. The privacy lead typically works with the SDL and developer lead and legal advisor as appropriate to complete the privacy disclosure before public release of the product and ensure the privacy disclosure is posted appropriately for web-centric products.

P2:

__________he sole behavior that affects privacy in the feature, product, or service is a one-time, user-initiated, anonymous data transfer (for example, the user clicks on a link and the software goes out to a website).

P2: Moderate Privacy Risk. T

No changes affecting privacy requirements compliance have been identified, and no additional reviews or approvals are needed and the final privacy review is complete. If not, then the SDL team and privacy lead will provide a list of required changes

P3:

____________No behaviors exist within the feature, product, or service that affect privacy. No anonymous or personal data is transferred, no PII is stored on the machine, no settings are changed on the user's behalf, and no software is installed.22

P3: Low Privacy Risk.

The _______created at this phase is only a preliminary version for initial system specifications and requirements, and is designed to guide developers in assessing privacy through the early stages of development. For simplicity, we have included only the privacy design principles requirements analysis and part of the initial PIA analysis.

PIA

__________ is a white-box security analysis of a software system to simulate the actions of a hacker, with the objective of uncovering potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses.

Pen testing

During this phase, any policy that exists outside the domain of the SDL policy is reviewed and might include policies from outside the development organization that set security and privacy requirements and guidelines to be adhered to when developing software or applications. What is this phase?

Policy compliance analysis

__________ is an important component of the SDL process and should be considered a system design principle of significant importance in all phases of the SDLC. A failure to protect it will lead to an erosion of trust.

Privacy

Q5: What is responsible for guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity?

Q5: Integrity

Q6: Which concept in the software life cycle understands the potential security threats to the system, determines risk, and establishes appropriate mitigations?

Q6: Threat modeling

Q7: The idea behind is simply to understand the potential security threats to the system, determine risk, and establish appropriate mitigations. When it is performed correctly, it occurs early in the project life cycle and can be used to find security design issues before code is committed.

Q7: threat modeling

_Q8: ____________is about building secure software: designing software to be secure; making sure that software is secure; and educating software developers, architects, and users about how to build security in.

Q8: software security

Q9: __________, as the name suggests, is really aimed at developing secure software, not necessarily quality software

Q9: SDL methodology

Question 4 : What is responsible for preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information?

Question 4 Confidentiality

_______________ is an iterative and incremental Agile software development method for managing software projects and product or application development. Scrum adopts an empirical approach, accepting that the problem cannot be fully understood or defined and focusing instead on maximizing the team's ability to deliver quickly and to respond to emerging requirements. This is accomplished through the use of co-located, self-organizing teams in which all disciplines can be represented. In contrast to traditional planned or predictive methodologies, this concept facilitates the ability to handle churn resulting from customers that change the requirements during project development. The basic unit of development for Scrum is called a "sprint," and a sprint can last from one week to one month.

Scrum (see Figure 2.13)

____________________ Specific roles and responsibilities include: Enforce the SDL: Assist the centralized software security group in assuring the security tenants of confidentiality, integrity, availability, and privacy are adhered to in the SDL as part of the Company X SDLC. Review: Assist the centralized software security team software security architects in conducting architecture security analysis, reviews, and threat modeling. Tools Expert: Be the representative centralized software security team software security tool expert (e.g., static and dynamic, including fuzzing) within each development team, product group, and/or business unit. Collocate: Be the eyes, ears, and advocate of the centralized software security team within each development team, product group, and business unit. Attend Meetings: Participate in monthly phone meetings and, as budgets permit, twice-a-year face-to-face meetings, as members of a global Company X team of software security champions.

Software security champions

There are many benefits to using static analysis tools. The most important reasons include the following.

Static analysis tools can scale. They can review a great deal of code very quickly, something humans cannot do very well. Static analysis tools don't get tired. A static analysis tool running for four straight hours at 2:00 a.m. is just as effective as if it runs during business hours. You can't say the same thing about human reviewers. Static analysis tools help developers learn about security vulnerabilities. In many cases you can use these tools and educational resources from the vendor to educate your development teams about software security.

Break down your product architecture using data flow diagrams Use STRIDE threat categories to identify what threats are applicable to each element of the data flow diagram. Map all threats with relevant vulnerabilities as applicable in the context of the usage scenario. Rank threats. Assign a risk rating to each threat and vulnerability to understand the impact; this will help define the priority for fixing. Use DREAD or other methodologies. Define the mitigation plan/countermeasures for each of the vulnerabilities identified. Fix the vulnerabilities that are not acceptable to the business in order of priority as decided in the preceding step

The 6 key steps involved in threat modeling are

_________________ is based on both iterative and incremental development methods. Requirements and solutions evolve through collaboration among self-organizing, cross-functional teams, and a solution resulting from every iteration is reviewed and refined regularly throughout the process. The Agile method is a time-boxed iterative approach that facilitates a rapid and flexible response to change, which in turn encourages evolutionary development and delivery while promoting adaptive planning, development, teamwork, collaboration, and process adaptability throughout the lifecycle of the project. Tasks are broken into small increments that require minimal planning. These iterations have short time frames called "time boxes" that can last from one to four weeks.

The Agile approach

____________will design, plan, and implement secure coding practices and security testing methodology; ensure that practices meet software certification processes; drive the security testing of the products; test and evaluate security-related tools; and manage third-party vendors to meet those responsibilities above.

The Architect

______________is a list of information security vulnerabilities and exposures that aims to provide common names for publicly-known problems. This makes it easier to share data across separate vulnerability capabilities with a common enumeration.

The MITRE Corporation Common Computer Vulnerabilities and Exposures (CVE)

________________is a team solely dedicated to conducting security M&A assessments, third-party reviews, post-release certifications, internal reviews for new product combinations of cloud deployments, and review for legacy software that is still in use or about to be re-used.

The Product Security Incident Response Team (PSIRT)

___________ should outline security milestones based on the information gained during the discovery phase and integrate them into the overall SDLC schedule to allow proper planning as changes occur. As in the discovery phase, activities may be more in terms of decisions translated into milestones that will be followed by security activities.

The SDL project plan

_____________ is a nonprofit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services.

The Software Assurance Forum for Excellence in Code (SAFECode)

___________ determines how PII will be handled to ensure that it conforms to applicable legal, regulatory, and policy requirements regarding privacy; what the risks and effects of collecting, maintaining, and disseminating privacy information in identifiable forms in the software and overall system being developed or one that it potentially interfaces with in a cloud or SaaS environment; and examines and evaluates protections and alternative processes for handling information to mitigate potential privacy risks.

The analysis phase

__________ meeting is essentially an SDL kick-off meeting where the key SDLC stakeholders get on the same page at the beginning of the process so that security is built in rather than bolted on post-release.

The discovery

Define test scripts. Scripts are very detailed, logical steps of instructions that tell a person or tool what to do during the testing. Functional testing scripts are step-by-step instructions that depict a specific scenario or situation that the use case will encounter as well as the expected results. Secure testing scripts are scripts created specifically to test the security of the application. The basis for these scripts comes from the threat models that were generated during the design phase. Misuse cases define what needs to be protected (assets) and what types of attacks can gain access to those assets. Secure test scripts define the acts of carrying out those attacks. Define the user community. Defining the user community helps testers identify acceptable levels of failures and risk. Identify the showstoppers. Defining the must-haves and the "what-if-available" scenarios should be in the use case. If not, a revisit to the requirements might be necessary so that these specifications can be documented. Identify internal resources. Internal resources come from the company's organization, including developers, analysts, software tools, and sometimes project managers. Identify external resources. External resources are tools or people who are hired on a temporary basis to come into a project, test the application, and report findings. External resources are best suited for security testing because they typically come highly trained in secure programming techniques and they are far removed from the code and any internal politics. If external resources are needed, the test plan needs to answer the following questions: (1) What are they going to test? (2) To whom will they report? and (3) With whom will they be working?2

The following are common steps that can be used to implement a test plan regardless of the strategy, framework, or standard being used:

Does it work as expected? Test the corner and edge cases to prove that these are handled appropriately and do not disturb the expected functionality. Test abuse cases; for inputs, these will be fuzzing tests.

The functional test suite is a direct descendant of the architecture and design. Each security requirement must be thoroughly proved to have been designed and then built. Each feature, security or otherwise, must be thoroughly tested to prove that it works as designed. Describing a set of functional tests is beyond the scope of this lesson. However, we will suggest that using several approaches builds a reliable proof.

Identify security objectives. Survey the application. Decompose it. Identify threats. Identify vulnerabilities.

The threat risk modeling process has five steps, enumerated below and shown graphically in Figure 4.2. They are:

Previous2 of 2Next Question :What consists of multiple security assessments from independent parties?

Third-party security reviews

___________may require the business to change its processes to work with the software's intended design. There may also be a risk of added unknown functionality.

Third-party software

____________should include testing the entire stack, not just your product. That means performing testing as outlined previously, as well as continuous post-release testing. At a minimum, post-release testing should include annual penetration testing (application and software stack). Any new code released after initial release should follow the SDL requirements outlined previously

Third-party testing

The following metrics should be captured as part of this phase of the SDL: of PRSA

Time in hours to respond to externally disclosed security vulnerabilities Monthly FTE (full-time employee) hours required for external disclosure process Number of security findings (ranked by severity) after product has been released Number of customer-reported security issues per month Number of customer-reported security issues not identified during any SDL activities.

The most well-known SDL model is the __________, a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. This is considered the most mature of the top three models.

Trustworthy Computing Security Development Lifecycle

+++++++++++those with signatures to test against the runtime that supports execution of applications, and scanners that are focused on custom application code.

Vulnerability scanners tend to fall into two categories:

________________is another name for the more traditional approach to software development. This approach is typically higher-risk, more costly, and less efficient than the Agile approach that will be discussed later in this lesson. The Waterfall approach uses requirements that are already known, each stage is signed off before the next commences, and requires extensive documentation because this is the primary communication mechanism throughout the process.

Waterfall development (see Figure 2.11)

The purpose of __________ is to define what needs to be protected and how it will be protected, including reviewing and incorporating policies from outside the SDL that may impact the development process. These might include policies governing software or applications developed or applied anywhere in the organization.

a software security policy

Although there is no substitute for actual source-code review by a human, _________do have their advantages and can be used to save time and resources.

automated tools

Assuming the software security group is separate from the centralized information security group, it is important that the two groups _________on all policies and guidelines related to the development and post-release security support by the organization.

collaborate

bRinging the security team into the development process early is the most ________ way to enable risk identification, planning, and mitigation. Early identification and mitigation of security vulnerabilities and misconfigurations will result in a lower cost of security control implementation and vulnerability mitigation; provide awareness of potential engineering challenges caused by mandatory security controls; and an identification of shared security services and reuse of security strategies and tools to reduce development cost while improving security posture through proven methods and techniques.

cost-effective

...............or _____________, where the attacker uses the same level of privileges he has already been granted, but assumes the identity of another user with similar privileges

horizontal

There has been an increasing trend in the software industry over the last few years to draw on the strengths of both open-source and proprietary software to deliver the highest value at the lowest cost. The blend of both is called __________ and is becoming a dominant practice in industry.

mixed source

One goal of the SDL is to catch defects throughout the process as a _____________ filtering process rather than through a single activity or point in time, thus minimizing the remaining defects that lead to vulnerabilities. Each defect removal activity can be thought of as a filter that removes some percentage of defects that can otherwise lead to vulnerabilities in the software product.

multi-staged

A centralized group composed of __________ seasoned software security architect(s) per main software product group and __________ for each software product within that group in your software engineering development organization will be sufficient to scale.

one, one

One element of security testing is to identify ________ so that security violations and noncompliance with security requirements that could cause the software to fail or be out of compliance with any of software security requirements are avoided.

software weaknesses

The appropriate architects, developers, testers, program managers, and others who understand the software should be asked to contribute to threat models and to review them. Broad input and reviews should be ________ to ensure that the threat models are as comprehensive as possible. It is also important that all stakeholders agree on the threats and risks that are identified. If this is not the case, implementing appropriate countermeasures may prove to be difficult

solicited

Unless __________ of the development organization and the management team support the SDL, it will likely fail. It must be driven by a policy that is signed off on, promulgated, and provides support by the software development management team and ideally by the CEO.

the senior leadership

The focus of ________ should not be simply on the software product itself, but include the context of the business and the user. The implementation priorities can be limited to the software product itself after the threat modeling, analysis, and architectural security risk analysis are completed.

threat modeling

Any architectural or code changes or code/component re-uses should _________ SDL activities, though not all may be needed, depending on the significance of the changes.

trigger

Because of the ___________nature of non-web inputs, finding a single type of tool that is good for each input method is not practical. Development teams may write their own test tool.

varied

The basic design of a product may also contain flaws, so it should be noted that some coding errors, although they may affect product reliability, are not actual __________

vulnerabilities.