Section 2: Software Requirements and Risks

Question 1

What is the first phase of Security Development Lifecycle (SDL)

Answer 1

This phase (A1) is called a security assessment phase

Identifies the product risk profile and the needed SDL activities

Question 2

What is the part of the kickoff that address the overlooked data privacy requirements

Answer 2

Privacy Impact Assessment

before developing a PIA you will need to evaluate what regulatory, legislative, or policies are applicable

Question 3

What are the 4 C’s of Privacy Design

Answer 3

Comprehension
Consciousness
Control
Consent

Question 4

What are the Security Assessment (A1) key success factors and metrics

Answer 4

as the first phase of the SDL it is discovery in nature

Question 5

What is the deliverables for A1

Answer 5

Here is the list of key deliverables.

Question 6

What should be measured in every phase of the SDL

Answer 6

Metrics such as:
Time in weeks when software security teams was looped in
Percent of stakeholder participation in SDL activities
Percent of security measures met

Question 7

What are the Document Security Requirements

Answer 7

RTM - Requirements Traceability Matrix
Formal acceptance of risk by Management

Question 8

what is the key tenant of the Zachman Framework

Answer 8

Understand Business mission and goals first and go top down

Question 9

Other Top down planning models

Answer 9

TOGAF
SABSA Model - security focus vs business focus

Question 10

What type of tests we can use to test a transactional database

Answer 10

ACID Test
One result at a time - Atomicity
Consistency with application
one record change at time - Isolation
Transaction needs to be committed - Durability

Question 11

What are the 3 Compliance Requirements

Answer 11

Legal - Privacy, Secrecy, IP, Uptime, Accuracy

Regulatory - enforced by agencies (Fed, local, state)

Industry Standards - PCI-DSS and PA-DSS, OWASP,

Question 12

What is the most complex and difficult part of the SDL

Answer 12

Threat Model and Architectural Security Analysis

Question 13

What is the purpose of the software security policy

Answer 13

Define what needs to be protected and how.

Question 14

What are the 5 steps of Threat Modeling

Answer 14

Identify security objectives
Survey the application
Decompose it
Identify Threats
Identify Vulnerabilities

Question 15

For Threat Modeling what do you use to break down your product architecture and is the first step?

Answer 15

Data Flow Diagrams

Question 16

What are STRIDE Threat Categories

Answer 16

Spoofing of identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege

this is a methodology of threat categorization and was popularized by Microsoft

Question 17

What is a DREAD an acronym for?

Answer 17

Components:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

Purpose: The DREAD model provides a systematic way to evaluate and prioritize risks based on these five factors. Each factor is scored, and the cumulative score helps in determining the severity of a particular risk.

Question 18

The use of __________ is a traditional approach to threat assessment and can help you identify additional potential threats

Answer 18

Attack Trees and attack patterns

Question 19

What is the Risk Model used by Microsoft for assessing vulnerabilities

Answer 19

DREAD
Damage
Reproducibility
Exploitability
Affected users
Discoverability

Question 20

Name another Thread Modeling Methodology similar to STRIDE and DREAD

Answer 20

Trike
main difference is that it is a risk-based approach with a distinct implementation

It allows for a high level of automation
methodology as well as of a too
targeted towards auditing teams
asset-centric

Question 21

What is a newer application threat modeling methodology that is seven step process and aligns with both business objective with technical requirements but also takes into account compliance requirements and

Answer 21

PASTA
Seven step process and platform agnostic

The threat-modeling tool called ThreatModeler supports this methodology

Targeted towards medium to large orgnizaitons, mature companies with security knowledge

Outcome is geared towards management

Question 22

What is the industry standard for assessing the severity of computer system security vulnerabilities

Answer 22

Common Vulnerability Scoring System (CVSS)

typically used by an internal software security group to respond to a security researcher or other source that has notified you that your software has a vulnerability

Question 23

What is a complex risk methodology that originated from Carnegie Mellon University

Answer 23

OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation

Risk Analysis framework
Targeted towards large organizations
Largest and most complex
that is why OCTAVE-S was developed
OCTAVE Allegro - focus on information assets
Asset-Centrix approach
Not a pure threat modeling since riks are mitigated
Does not focus on technical risks

Question 24

What is the key success factors for this second phase of the SDL

Answer 24

Question 25

What are the 3 approaches to Threat Modeling

Answer 25

Asset-Centric
Attacker-Centric
Application-Centric

Question 26

What is another name of Asset-Centric approach

Answer 26

Risk-Centric
If you dont know what to protect how can you protect it.

Question 27

Advantages and disadvantages of Asset-Centrix

Answer 27

Advantages
Centered around assets
Focused towards business ipact
Well suited for risk assessment and auditor (PASTA, TRIKE)
Natural Fit

Disadvantages
Not centered around the application
mapping assets to threats is difficult

Question 28

What are the advantages and disadvantages of Attacker-Centrix

Answer 28

Advantages
Makes threat and attacks visible
Movie-plot threat brainstorming is fun
good for Penetration Testing

Disadvantages
Easy to miss technical threats
can be unrealistic
most biased one
Attacker thinking required
most teams do not have the level of security professional

Question 29

What are the advantages and disadvantages of Application-Centrix

Answer 29

Advantages
Provides a common understanding of the application
spread of knowledge

Disadvantages
Documentation is necessary
Difficult to see ‘own’ vulnerability
Threats may sound abstract

Question 30

PASTA Advantages vs Disadvantages of

Answer 30

Advantages
Great for business integration
Mature, well described
Lots of documentation
Tooling available

Disadvantages
Specialized input necessary
Time consuming
each step generates output
a lot of intermediate models
output depends on dynamic input

Question 31

Microsoft Threat Modeling Details

Answer 31

Threat modeling framework
incorrectly named STRIDE - classification
Developer Driven
Application-Centric
simple and lightweight
practical approach
plain language
widely adopted

Question 32

Advantages and disadvantages of Microsoft Threat Modeling

Answer 32

Advantages
Easy to pickup
easily integrated into SDLC
very flexible

Disadvantages
More practical than academic
STRIDE classification is redundant
Does not factor in business risks

Question 33

Advantages and disadvantages of OCTAVE

Answer 33

Advantages
Improve risk-aware corporate culture
Creates orginization wide risk overview
in-depth
flexible

Disadvantages
Large and complex
Lots of paperwork
Requires “investment”

Question 34

Advantages and disadvantages of Trike

Answer 34

Advantages
automatically generates threat
consistent results
built-in tool

Disadvantages
Does not scale
not maintained anymore - 2012

Question 35

What is the simplest Threat Modeling

Answer 35

Visual Simple Threat Modeling
Two threat model types
Targeted towards agile companies

Advantages
very flexible
scalable
Process flow DFD are easier

Disadvantages
Not an open methodology
no documentation or guidance

Question 36

T or F code reviews are always good

Answer 36

False
they are an amplifier and poor culture, personalities, etc can make it bad

Question 37

What is the alternative to STRIDE

Answer 37

DESIST
Dispute
Elevation of Privilege
Spoofing
Information Disclosure
Service Denial
Tampering

Question 38

Within STRIDE what are the two variants

Answer 38

STRIDE per Element (external entity, process, data store, data flow)

STRIDE per Interaction
focus to interaction with elements. Follow data flow and where they meet

Question 39

What are the deliverables of the Architecture Phase (A2) of the SDL

Answer 39

Question 40

What is a Pull Request

Answer 40

Request to merge your code into a branch.

tyypically a review tool is uses such as GIT

The person submitting a PR request is a reviewee. If you leave comments you are a reviewer

Question 41

What is a popular SAST tool that can be a plug in for IDE

Answer 41

SonarLint
SonarQube -

Question 42

How small should my pull requests be

Answer 42

500 lines of code but decide with your team

Question 43

What is the OIR Rule

Answer 43

Observe - this function seems too long
Impact - makes it hard for me to understand

Request - I suggest to extract

Question 44

What is the difference between exceptions and errors

Answer 44

Exceptions
Logic flawas
endless loops
unresolved

Errors
code mistakes
syntax
format of data

Question 45

What are some non-functional tests

Answer 45

operating envrionment
training
support
infrastructure and procedures

Reliability, performance, and scalability

Question 46

Name common Testing Methodologies

Answer 46

OSSTMM - Open Source Security Testing Methodology Manual

ISO 27034 Objective - use process via SDLC

CMMI - Test maturity of processes. ISACA

Question 47

What does having a record with a primary key that cannot have a null record

Answer 47

That provides entity integrity

no dupes or null

Question 48

What makes up Referential keys

Answer 48

foreign keys
valid referential link

some times those are turned off

Question 49

What are the steps of Executing the Test Plan

Answer 49

Documentation
Verification
Validation

Question 50

Who manages CVSS, CVE

Answer 50

First.org and MITRE

Question 51

What is the need for scripting in OWASP ZAP

Answer 51

Custom Weakness - specific to an app
Complicated AuthN - beyond plain form
Reusable Security Testing
Custom Payloads
Automatic Tampering

Question 52

What languages built in ZAP

Answer 52

JavaScript
ZEST - visual language
Python and Ruby as add-on

Question 53

What type of scripts are built in ZAP

Answer 53

Stand Alone Scripts - triggered manually
Targeted Scrips - manual against specifc requests

Proxy Script - triggered every time
HTTP Sender Scripts -all requests

Active Scan Rules - send malicious
Passive Scan Rules - detecting sensitive information

Input Vector Scripts -

Question 54

What are the Add-on script types in ZAP

Answer 54

Fuzzer HTTP Processor
Fuzzer WebSocket Processor
Payload Generator - malicious input
Payload Process - inputs based on fuzzer

Question 55

What is the scripting language built by Mozilla Team

Answer 55

ZEST
Security and Automation specific language
Written Graphically, JSON autogenerated

Question 56

What are the 3 important components of App Scanning

Answer 56

Spider - gather inputs through hyperlink navigation and submitting forms

Passive Scanner -during spider activity it passively analyze HTTP requests and responses- insecure configuration, cookies

Active Scanner - modify HTTP requests with potential harmful inputs. hammers web app - SQL Injection

Question 57

What 4 schemes of authentication does ZAP support

Answer 57

Manual Authentication
HTTP/NTLM - Windows AD/LDAP
Form Based - most common
Script Based - JSON, OPENID

Question 58

What is the vulnerability that is based on Predictable ID’s and Broken Access Control

Answer 58

Insecure Direct Object References Vulnerability

Question 59

What is a bunch of tests that run quickly to assess whether application areas are free from well known software vulnerabilities

Answer 59

Security Regression Testing

Question 60

How many languages does sonarqube support

Answer 60

27

Continuous inspection is essential

Question 61

What does sonarqube find

Answer 61

Bubs
Code Smells
Vulnerabilities
Hot spots

Question 62

SonarQube Components details

Answer 62

Language sensor
Sonar scanner - to DB for Analytics
SonarQube Server performs analysis
Present artifacts in UI

Prevents vulnerabilities form entering codebase