SDLC
Fuzz Testing Tools
Codenomicon and Peach Fuzzing Tool
12 Categories
How many categories is BSIMM broken into?
A4 Design & Development (2)
-Policy Compliance Analysis -Security test case execution -Static analysis -Dynamic analysis -Fuzz testing -Manual code review -Privacy validation and remediation
Generic Risk Model
Risk = Likelihood x Impact
Fuzzing (Fuzz Testing)
What is a black-box software testing technique, which can be automated or semiautomated, that provides invalid, unexpected, or random data to the inputs of a computer software program?
OWASP Software Assurance Maturity Model (SAMM)
What is a flexible and prescriptive framework for building security into a software development organization allowing for self-assessment of security assurance programs and then the use of roadmaps to improve that is aligned with the specific organization's risks?
Information security Exposure
What is a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network?
Information Security Vulnerability
What is a mistake in software that can be used directly by a hacker to gain access to a system or network?
NIST SAMATE (Software Assurance Metrics And Tool Evaluation)
What is a project dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods?
ISO/IEC 27034 - Standard for Application Security
What is a standard that offers a concise, internationally recognized way to get transparency into a vendor/supplier's software security management process?
Cigital BSIMM (Building Security in Maturity Model)
What is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve efforts over time?
Agile Method
What is a time-boxed iterative approach that facilitates a rapid and flexible response to change, which in turn encourages evolutionary development and delivery while promoting adaptive planning, development, teamwork, collaboration, and process adaptability throughout the lifecycle?
Bugtraq
What is an electronic security mailing list that provides information on security vulnerabilities as well as security bulletins and announcements from vendors?
ISO/IEC 27001
What is an information security management system (ISMS) standard that specifies a management system intended to bring information security under formal management control? It is the leading standard for ISMS.
National Vulnerability Database (NVD)
What is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP)?
Dynamic Analysis (Testing)
What is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time?
Static Analysis (Testing)
What is the analysis of computer software that is performed without actually executing programs? It is predominantly used to analyze source code.
Software Security Architects
What position handles product security escalations, trains development team members, provides internal/external customer responses, and solves complex software application issues in SaaS and cloud environments? They have 5-10 years of experience in development and coding.
Software Security Champions
What position has these responsibilities: -Enforce the SDL -Review/assist SSA in analysis, reviews and modeling -Tools expert (static, dynamic, fuzzing) -Collocate -Attend meetings, and also typically has a minimum of 3-5 years of experience in software development?
Least Privilege
What principle requires that in a particular abstraction layer of a computing environment, every module must be able to access only the information and resources that are necessary for its legitimate purpose?
Software Security Evangelist
What role acts as an SSC in training and as an advocate for the overall software product security program, promulgating policy, enforcing policy, and evangelizing the overall SDL process?
MITRE Corporation Common Computer Vulnerabilities and Exposures (CVE)
What is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems?
CERT (Computer Emergency Response Team)
Who provides timely alerts on security vulnerabilities as well as a weekly summarized bulletin on vulnerabilities?
DREAD Categories (5)
(Damage+Reproducibility+Exploitability/Vulnerability+Affected users+Discoverability)/5
SAST Products/Tools
-Coverity -HP Fortify Static Code Analyzer -IBM Security AppScan Source -klocwork -Parasoft -Veracode
PASTA Methodology (7)
-Define Objectives -Define Technical Scope -Application Decomposition -Threat Analysis -Vulnerability and Weakness Analysis -Attack Modeling -Risk and Impact Analysis
PRSA Post-Review Support
-External vulnerability disclosure response -3rd party reviews -Post-release certification -Internal review for new product combinations or cloud deployment -Security architectural reviews and tool-based assessment of current, legacy and M&A products and solutions
DAST Products/Tools
-HP Webinspect -HP QAinspect -IBM Security AppScan Enterprise -Veracode -Whitehat Sentinel Source
Application Security Frame Categories (9)
-Input and Data Validation -Authentication -Authorization -Configuration Management -Sensitive Data -Session Management -Cryptography -Exception Management -Auditing and Logging
A2 Architecture
-Policy Compliance Analysis -SDL Policy assessment and scoping -Threat modeling/architecture security analysis -Open source selection (if needed) -Privacy information gathering and analysis
A3 Design & Development (1)
-Policy Compliance Analysis -Security Test plan composition -Static Analysis -Threat model updating -Design security analysis and review -Privacy implementation assessment
A5 Ship
-Policy compliance analysis -Vulnerability scan -Penetration testing -Open source licensing review -Final security review -Final privacy review
A1 Security Assessment
-Software Security Team is looped in early -Software Security Team hosts a discovery meeting -Software Security Team creates an SDL project plan -Privacy Impact Assessment (PIA) plan initiated
Lean Development Principles
1) Eliminate waste 2) Amplify learning 3) Decide as late as possible 4) Deliver as fast as possible 5) Empower the team 6) Build integrity in 7) See the whole
Software Assurance Forum for Excellence in Code (SAFECode)
A nonprofit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. A global industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services.
SDL Activities and Best Practices MODEL
A1 - Security Assessment A2 - Architecture A3&A4 - Design and Development A5 - Ship PRSA - Post-Release Support