Mod 3

Question 1

Define DevOps

Answer 1

a collaborative effort to improve the qualtiy and velocity of the service lifecycle

Question 2

The speed at which teams work across the life cycle is?

Answer 2

Velocity

Question 3

What are the responsibilities of Developers?

Answer 3

Plan
Code
Build
Test

Question 4

What are the responsibilities of Operations?

Answer 4

Release
Deploy
Operate
Monitor

Question 5

Describe the mindsets of Dev and Ops

Answer 5

Devs - want change
Ops - want stability

Question 6

What are the 3 pillars DevOps rely on to achieve success?

Answer 6

Culture,
Automation,
Measurement

Question 7

What are the 3 priorities for developing a DevOps culture?

Answer 7

Collaborative,
Transparent,
Change Oriented

Question 8

Between Dev and Ops, who’s more focused on the earlier phases of the lifecycle?

Answer 8

Dev

Question 9

Between Dev and Ops, who’s more focused on the later phases of the lifecycle?

Answer 9

Ops

Question 10

Development success is measaured by…

Answer 10

rate of change,
lines of code,
number of commits,
…

Question 11

Operations success is measured by…

Answer 11

service uptime & performance

Question 12

Between Dev and Ops, who is responsible for service delivery?

Answer 12

Both

Question 13

What’s the key difference between DevOps and DevSecOps

Answer 13

DevSecOps says to build security in, not to leave security as an after-the fact stage

Question 14

Define cyber security

Answer 14

the prcatice of defending and protecting data from malicious attacks

Question 15

The 4 types of security that typically fall under cyber security are:

Answer 15

Network security
Application security
Information security
Operational security

Question 16

Application security focuses on…

Answer 16

keeping sofware and devices free of threats.

Question 17

Information security focuses on…

Answer 17

protecting the integrity and privacy of data in storage and transit.

Question 18

Operational security focues on…

Answer 18

training end users on operating the system, as well as handling and protecting data assets.

Question 19

Define network security

Answer 19

the process of taking preventative measures to protect the underlying networking infrastrucutre from unauthorized access and/or abuse

Question 20

What is the goal of network security?

Answer 20

to protect data from point to point

Question 21

Define application security

Answer 21

the process of making apps more secure by enhancing their security

Question 22

Define information security

Answer 22

protecting data and information at rest and in transit

Question 23

Define operational security

Answer 23

protecting the system being used in operation

Question 24

List 4 cyber security concepts

Answer 24

Defense in Depth
Strong Authentication
Device Hardening
Reducing Attack Surface

Question 25

Name a method that improves communication and deployment of sofware between Dev and Ops.

Answer 25

Continuous Integration and Continuous Deployment (CI/CD)

Question 26

The security concept that "adds layered security" is...

Answer 26

defense in depth.

Question 27

In other forms of software engineering, shutting down a system to avoid failure is a good idea. Why is it not a good idea during a security attack?

Answer 27

shutting down the system may be the goal of the attack as a shut down or reboot can give the attacker total control of a system

Question 28

Name the 9 different types of security requirements from notes

Answer 28

Identification reqs Authentication & Authorization reqs Immunity reqs Integrity reqs Intrusion Detection reqs Non-repudiation reqs Privacy reqs Security Auditing reqs System Maintenance Security reqs

Question 29

Instances of threats to a system are known as...

Answer 29

misuse cases

Question 30

Who are the two agents in a misuse case?

Answer 30

Actor and Attacker

Question 31

Type of threat where the attacker gains access to an asset

Answer 31

Interception threat

Question 32

Type of threat where the attacker makes part of a system unavailable

Answer 32

Interruption threat

Question 33

Type of threat where a system asset is tampered with

Answer 33

Modification threat

Question 34

Type of threat where false information is added to a system

Answer 34

Fabrication threat

Question 35

What separates a security user story from a regular user story?

Answer 35

In most cases user stories are malleable, discardable, and pertains only to the application at hand. Security user stories are not like this. Security user stories should not be modified. They should not be discarded. They can be re-used.

Question 36

What's the hardest part of DevOps?

Answer 36

creating a shared culture between Dev and Ops

Question 37

Data that travels over a network of some kind that must be secured is known as...

Answer 37

data in transit

Question 38

Describe Defense in Depth

Answer 38

multiple layers of security controls

Question 39

Describe Device Hardening

Answer 39

reduce internal and external attack vectors

Question 40

What's the benefit of String Authentication?

Answer 40

degrades the adversary's ability to maneuver on information networks

Question 41

Software Security Requirements are difficult to capture because compared to other forms of software systems engineering, an attacker...

Answer 41

has knowlege of system weaknesses, can probe controls over time to discover vulnerabilities, can conceal the cause of a system failure, may actually want you to shut the system down

Question 42

DevOps Qualification: Documentation correct is related to what type of task?

Answer 42

Installation

Question 43

DevOps Qualification: Installs on target environment(s) is related to what type of task?

Answer 43

Installation

Question 44

DevOps Qualification: Functions according to operation specs in selected environments is related to what type of task?

Answer 44

Operational

Question 45

DevOps Qualification: Performs consistently for day-to-day routine is related to what type of task?

Answer 45

Performance

Question 46

What type of threat is a brute-force password guessing program?

Answer 46

Fabrication threat

Question 47

What type of threat is a denial of service attack?

Answer 47

Interruption threat

Question 48

What type of threat is a trojan horse attack (alterning a common operating system tool to produce an attack)?

Answer 48

Modification threat

Question 49

What type of threat is a phising attack?

Answer 49

Fabrication threat

Question 50

Best practices for employing user stories for security include:

Answer 50

emplying themes to group cross-cutting stories, keeping track of security debt, write stories in the affirmative, create or reuse libraries of common security user stories

Question 51

What's not a goal of the Information Security Forum (ISF)?

Answer 51

helping to write ISO standards