Section 2: Software Requirements and Risks

Question 1

What is the first phase of Security Development Lifecycle (SDL)

Answer 1

This phase (A1) is called a security assessment phase

Identifies the product risk profile and the needed SDL activities

Question 2

What is the part of the kickoff that address the overlooked data privacy requirements

Answer 2

Privacy Impact Assessment

before developing a PIA you will need to evaluate what regulatory, legislative, or policies are applicable

Question 3

What are the 4 C’s of Privacy Design

Answer 3

Comprehension
Consciousness
Control
Consent

Question 4

What are the Security Assessment (A1) key success factors and metrics

Answer 4

as the first phase of the SDL it is discovery in nature

Question 5

What is the deliverables for A1

Answer 5

Here is the list of key deliverables.

Question 6

What should be measured in every phase of the SDL

Answer 6

Metrics such as:
Time in weeks when software security teams was looped in
Percent of stakeholder participation in SDL activities
Percent of security measures met

Question 7

What are the Document Security Requirements

Answer 7

RTM - Requirements Traceability Matrix
Formal acceptance of risk by Management

Question 8

what is the key tenant of the Zachman Framework

Answer 8

Understand Business mission and goals first and go top down

Question 9

Other Top down planning models

Answer 9

TOGAF
SABSA Model - security focus vs business focus

Question 10

What type of tests we can use to test a transactional database

Answer 10

ACID Test
One result at a time - Atomicity
Consistency with application
one record change at time - Isolation
Transaction needs to be committed - Durability

Question 11

What are the 3 Compliance Requirements

Answer 11

Legal - Privacy, Secrecy, IP, Uptime, Accuracy

Regulatory - enforced by agencies (Fed, local, state)

Industry Standards - PCI-DSS and PA-DSS, OWASP,

Question 12

What is the most complex and difficult part of the SDL

Answer 12

Threat Model and Architectural Security Analysis

Question 13

What is the purpose of the software security policy

Answer 13

Define what needs to be protected and how.

Question 14

What are the 5 steps of Threat Modeling

Answer 14

Identify security objectives
Survey the application
Decompose it
Identify Threats
Identify Vulnerabilities

Question 15

For Threat Modeling what do you use to break down your product architecture and is the first step?

Answer 15

Data Flow Diagrams

Question 16

What are STRIDE Threat Categories

Answer 16

Spoofing of identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege

this is a methodology of threat categorization and was popularized by Microsoft

Question 17

What is a DREAD an acronym for?

Answer 17

Components:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

Purpose: The DREAD model provides a systematic way to evaluate and prioritize risks based on these five factors. Each factor is scored, and the cumulative score helps in determining the severity of a particular risk.

Question 18

The use of __________ is a traditional approach to threat assessment and can help you identify additional potential threats

Answer 18

Attack Trees and attack patterns

Question 19

What is the Risk Model used by Microsoft for assessing vulnerabilities

Answer 19

DREAD
Damage
Reproducibility
Exploitability
Affected users
Discoverability

Question 20

Name another Thread Modeling Methodology similar to STRIDE and DREAD

Answer 20

Trike
main difference is that it is a risk-based approach with a distinct implementation

It allows for a high level of automation
methodology as well as of a too
targeted towards auditing teams
asset-centric

Question 21

What is a newer application threat modeling methodology that is seven step process and aligns with both business objective with technical requirements but also takes into account compliance requirements and

Answer 21

PASTA
Seven step process and platform agnostic

The threat-modeling tool called ThreatModeler supports this methodology

Targeted towards medium to large orgnizaitons, mature companies with security knowledge

Outcome is geared towards management

Question 22

What is the industry standard for assessing the severity of computer system security vulnerabilities

Answer 22

Common Vulnerability Scoring System (CVSS)

typically used by an internal software security group to respond to a security researcher or other source that has notified you that your software has a vulnerability

Question 23

What is a complex risk methodology that originated from Carnegie Mellon University

Answer 23

OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation

Risk Analysis framework
Targeted towards large organizations
Largest and most complex
that is why OCTAVE-S was developed
OCTAVE Allegro - focus on information assets
Asset-Centrix approach
Not a pure threat modeling since riks are mitigated
Does not focus on technical risks

Question 24

What is the key success factors for this second phase of the SDL

Answer 24

Question 25

What are the 3 approaches to Threat Modeling

Answer 25

Asset-Centric Attacker-Centric Application-Centric

Question 26

What is another name of Asset-Centric approach

Answer 26

Risk-Centric If you dont know what to protect how can you protect it.

Question 27

Advantages and disadvantages of Asset-Centrix

Answer 27

Advantages Centered around assets Focused towards business ipact Well suited for risk assessment and auditor (PASTA, TRIKE) Natural Fit Disadvantages Not centered around the application mapping assets to threats is difficult

Question 28

What are the advantages and disadvantages of Attacker-Centrix

Answer 28

Advantages Makes threat and attacks visible Movie-plot threat brainstorming is fun good for Penetration Testing Disadvantages Easy to miss technical threats can be unrealistic most biased one Attacker thinking required most teams do not have the level of security professional

Question 29

What are the advantages and disadvantages of Application-Centrix

Answer 29

Advantages Provides a common understanding of the application spread of knowledge Disadvantages Documentation is necessary Difficult to see 'own' vulnerability Threats may sound abstract

Question 30

PASTA Advantages vs Disadvantages of

Answer 30

Advantages Great for business integration Mature, well described Lots of documentation Tooling available Disadvantages Specialized input necessary Time consuming each step generates output a lot of intermediate models output depends on dynamic input

Question 31

Microsoft Threat Modeling Details

Answer 31

Threat modeling framework incorrectly named STRIDE - classification Developer Driven Application-Centric simple and lightweight practical approach plain language widely adopted

Question 32

Advantages and disadvantages of Microsoft Threat Modeling

Answer 32

Advantages Easy to pickup easily integrated into SDLC very flexible Disadvantages More practical than academic STRIDE classification is redundant Does not factor in business risks

Question 33

Advantages and disadvantages of OCTAVE

Answer 33

Advantages Improve risk-aware corporate culture Creates orginization wide risk overview in-depth flexible Disadvantages Large and complex Lots of paperwork Requires "investment"

Question 34

Advantages and disadvantages of Trike

Answer 34

Advantages automatically generates threat consistent results built-in tool Disadvantages Does not scale not maintained anymore - 2012

Question 35

What is the simplest Threat Modeling

Answer 35

Visual Simple Threat Modeling Two threat model types Targeted towards agile companies Advantages very flexible scalable Process flow DFD are easier Disadvantages Not an open methodology no documentation or guidance

Question 36

T or F code reviews are always good

Answer 36

False they are an amplifier and poor culture, personalities, etc can make it bad

Question 37

What is the alternative to STRIDE

Answer 37

DESIST Dispute Elevation of Privilege Spoofing Information Disclosure Service Denial Tampering

Question 38

Within STRIDE what are the two variants

Answer 38

STRIDE per Element (external entity, process, data store, data flow) STRIDE per Interaction focus to interaction with elements. Follow data flow and where they meet

Question 39

What are the deliverables of the Architecture Phase (A2) of the SDL

Answer 39

Question 40

What is a Pull Request

Answer 40

Request to merge your code into a branch. tyypically a review tool is uses such as GIT The person submitting a PR request is a reviewee. If you leave comments you are a reviewer

Question 41

What is a popular SAST tool that can be a plug in for IDE

Answer 41

SonarLint SonarQube -

Question 42

How small should my pull requests be

Answer 42

500 lines of code but decide with your team

Question 43

What is the OIR Rule

Answer 43

Observe - this function seems too long Impact - makes it hard for me to understand Request - I suggest to extract

Question 44

What is the difference between exceptions and errors

Answer 44

Exceptions Logic flawas endless loops unresolved Errors code mistakes syntax format of data

Question 45

What are some non-functional tests

Answer 45

operating envrionment training support infrastructure and procedures Reliability, performance, and scalability

Question 46

Name common Testing Methodologies

Answer 46

OSSTMM - Open Source Security Testing Methodology Manual ISO 27034 Objective - use process via SDLC CMMI - Test maturity of processes. ISACA

Question 47

What does having a record with a primary key that cannot have a null record

Answer 47

That provides entity integrity no dupes or null

Question 48

What makes up Referential keys

Answer 48

foreign keys valid referential link some times those are turned off

Question 49

What are the steps of Executing the Test Plan

Answer 49

Documentation Verification Validation

Question 50

Who manages CVSS, CVE

Answer 50

First.org and MITRE

Question 51

What is the need for scripting in OWASP ZAP

Answer 51

Custom Weakness - specific to an app Complicated AuthN - beyond plain form Reusable Security Testing Custom Payloads Automatic Tampering

Question 52

What languages built in ZAP

Answer 52

JavaScript ZEST - visual language Python and Ruby as add-on

Question 53

What type of scripts are built in ZAP

Answer 53

Stand Alone Scripts - triggered manually Targeted Scrips - manual against specifc requests Proxy Script - triggered every time HTTP Sender Scripts -all requests Active Scan Rules - send malicious Passive Scan Rules - detecting sensitive information Input Vector Scripts -

Question 54

What are the Add-on script types in ZAP

Answer 54

Fuzzer HTTP Processor Fuzzer WebSocket Processor Payload Generator - malicious input Payload Process - inputs based on fuzzer

Question 55

What is the scripting language built by Mozilla Team

Answer 55

ZEST Security and Automation specific language Written Graphically, JSON autogenerated

Question 56

What are the 3 important components of App Scanning

Answer 56

Spider - gather inputs through hyperlink navigation and submitting forms Passive Scanner -during spider activity it passively analyze HTTP requests and responses- insecure configuration, cookies Active Scanner - modify HTTP requests with potential harmful inputs. hammers web app - SQL Injection

Question 57

What 4 schemes of authentication does ZAP support

Answer 57

Manual Authentication HTTP/NTLM - Windows AD/LDAP Form Based - most common Script Based - JSON, OPENID

Question 58

What is the vulnerability that is based on Predictable ID's and Broken Access Control

Answer 58

Insecure Direct Object References Vulnerability

Question 59

What is a bunch of tests that run quickly to assess whether application areas are free from well known software vulnerabilities

Answer 59

Security Regression Testing

Question 60

How many languages does sonarqube support

Answer 60

27 Continuous inspection is essential

Question 61

What does sonarqube find

Answer 61

Bubs Code Smells Vulnerabilities Hot spots

Question 62

SonarQube Components details

Answer 62

Language sensor Sonar scanner - to DB for Analytics SonarQube Server performs analysis Present artifacts in UI Prevents vulnerabilities form entering codebase