C706 Secure Software Design Study Guide Rated A+.docx

Typology: Exams

2023/2024

Available from 06/12/2024

samuel-waweru-2, 346 documents
Confidentiality - Information is not made available or disclosed to unauthorized individuals, entities, or processes. Ensures unauthorized persons are not able to read private and sensitive data. It is achieved through cryptography.

Integrity - Ensures unauthorized persons or channels are not able to modify the data. It is accomplished through the use of a message digest or digital signatures.

Availability - The computing systems used to store and process information, the security controls used to protect information, and the communication channels used to access information must be functioning correctly. Ensures the system remains operational even in the event of a failure or an attack. It is achieved by providing redundancy or fault tolerance for a failure of a system and its components.

Ensure Confidentiality - Public Key Infrastructure (PKI) and Cryptography/Encryption

Ensure Availability - Offsite backup and Redundancy

Ensure Integrity - Hashing, Message Digest (MD5), non-repudiation and digital signatures

Software Architect - Moves analysis to implementation and analyzes the requirements and use cases as activities to perform as part of the development process; can also develop class diagrams.

Security Practitioner Roles - Release Manager, Architect, Developer, Business Analyst/Project Manager

Release Manager - Deployment

Architect - Design

Developer - Coding

Business Analyst/Project Manager - Requirements Gathering

Red Team - Teams of people familiar with the infrastructure of the company and the languages of the software being developed. Their mission is to kill the system as the developers build it.

Static Analysis - A method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure and can help to ensure that the code adheres to industry standards. It is also referred to as code review.

MD5 Hash - A widely used hash function producing a 128-bit hash value. Initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.

SHA-256 (Secure Hash Algorithm) - One of a number of cryptographic hash functions. A cryptographic hash is like a signature for a text or a data file. Generates an almost-unique, fixed-size 32-byte (32 x 8 bits) hash. A hash is a one-way function: it cannot be decrypted.

Advanced Encryption Standard (AES) - A symmetric encryption algorithm. The algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. Designed to be efficient in both hardware and software, it supports a block length of 128 bits and key lengths of 128, 192, and 256 bits.

Algorithms used to verify integrity - MD5 Hash, SHA-

Algorithm used to verify confidentiality - Advanced Encryption Standard (AES)

Stochastic - Unintentional or accidental

Safety-relevant faults - Stochastic (i.e., unintentional or accidental)

Security-relevant faults - "Sponsored," i.e., intentionally created and activated through conscious and intentional human agency.

Fuzz Testing - Used to see if the system has solid exception handling for the input it receives. It is the use of malformed or random input into a system in order to intentionally produce failure. This is a very easy process of feeding garbage to the system when it expects formatted input, and it is always a good idea to feed as much garbage as possible to an input field.

Three (3) Tier - Removes the business logic from the client end of the system. It generally places the business logic on a separate server from the client. The data access portion of the system resides separately from both the client and the business logic platform.

T-MAP - Defines a set of threat-relevant attributes for each layer or node. These can be classified as probability-relevant, size-of-loss-relevant, or descriptive. These are primarily derived from the Common Vulnerability Scoring System (CVSS). USC's Threat Modeling based on Attacking Path analysis is a risk management approach that quantifies total severity weights of relevant attacking paths for COTS-based

Kiviat Diagram - Provides a visual comparison of multiple attributes and can visualize and report the information on a single artifact based on monitored information.

Identify the Assets - A threat model process that allows the company to identify the parts that need to be protected from unauthorized users.

Agile Model - Describes a set of principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams. It promotes adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change. Supports the definition and continuing evolution of many software development methods, avoids life cycle activities, and focuses on build-a-little, test-a-little and field-a-little. It also supports informal communication and incremental design.

Types of Vulnerability Mapping - Activity Diagram, Kiviat Diagram, Identify the Assets, Agile Model, V1, V2, V

Agile attributes - Cyclical process. Supports quick prototyping and limits the time spent thinking about the problem as a whole.

Waterfall attributes - Similar to the iterative model; its main components are planning, development and deployment.

Crystal Clear attributes - Can be applied to teams of up to 6 or 8 co-located developers working on systems that are not life-critical. This family of methodologies focuses on efficiency and habitability as components of project safety. Focuses on people, not processes or artifacts. Roles may be filled by the same people, including a project manager and a business expert.

Waterfall attributes - A sequential (non-iterative / limited interaction) design process, used in software development, in which progress is seen as flowing down through the phases of conception, initiation, analysis, design, construction, testing, production/implementation and maintenance. All the requirements will be specified in the first step; it uses a document-driven approach (large amount of documentation) and has specific and identifiable stages. It also provides a resource to entry-level developers with limited exposure.

Waterfall Methodology Security concerns -
  Requirement Analysis: Define security features
  Design: Misuse cases and vulnerability mapping
  Construction and Implementation: Secure coding practices
  Testing: Penetration assessment
  Installation: Final security review
  Operation or Maintenance: Periodic security review and updates

Digital Signature - A mathematical scheme for demonstrating the authenticity of a message or document. Gives a recipient reason to believe that the message was created by a known sender, that the sender cannot deny having sent the message (authentication and non-repudiation), and that the message was not altered in transit (integrity). It can also be used as proof of approval by an authorized user.

Redundancy - The existence of data that is additional to the actual data and permits correction of errors in stored or transmitted data. The additional data can be simply a complete copy of the actual data, or only select pieces of data that allow detection of errors and reconstruction of lost or damaged data up to a certain level. This makes sure that all data will always be available, the data will not be lost, and it will be stored at another location for failover reasons.

Hashing - The process of using an algorithm for verifying the integrity or authenticity of a computer file. This can be done by comparing two files bit-by-bit, but that requires two copies of the same file and may miss systematic corruptions which might occur to both files. A more popular approach is to also store checksums (message digests) of files for later comparison.

Software Assurance - Ensures that the processes, procedures, and products used to produce and sustain the software conform to all requirements and standards specified to govern those processes, procedures, and products. This can also be used to make sure that any web application meets the requirements of what it was designed to do and is accessible to all who are authorized, whether in the office or at a remote location.

Sandboxing, isolating trusted processes, and proper handling of errors and exceptions - Help secure a system in a high-risk environment where the system is prone to attack.

DoS or DDoS - A common web server attack in which unsolicited TCP requests overwhelm the web server's resources and make it unavailable.

SQL SELECT query command - Can allow an attacker to access tables within that particular database without requiring elevated and/or administrator permissions, jeopardizing the structure and relevance of the data that the database contains.

Scrub all input of malicious code - One method of disallowing a SQL injection attack when handling user fields in a web form that reads from or writes to a database.

Characterize the system, view the system as an adversary - The two steps of the data flow approach to threat modeling.

Accessing ports that are not secured and/or locked down, the exploitation of default passwords - The two attacks that can affect both the operating system and databases.

Tampering with Data - Users can potentially change data delivered to them, return it, and thereby potentially manipulate client-side validation, GET and POST results, cookies, HTTP headers, and so forth. The application should not send data to the user, such as interest rates or periods, which is obtainable only from within the application itself. The application should also carefully check data received from the user and validate that it is sane and applicable before storing or using it.

Repudiation - Users may dispute transactions if there is insufficient auditing or record keeping of their activity. For example, if a user says, "But I didn't transfer any money to this external account!", and you cannot track his/her activities through the application, then it is extremely likely that the transaction will have to be written off as a loss. Therefore, consider whether the application requires controls such as web access logs, audit trails at each tier, or the same user context from top to bottom. Preferably, the application should run with the user's privileges, not more, but this may not be possible with many off-the-shelf application frameworks.

Information Disclosure - Users are wary of submitting private details to a system. If it is possible for an attacker to publicly reveal user data, whether anonymously or as an authorized user, there will be an immediate loss of confidence and a substantial period of reputation loss. Applications must include strong controls to prevent user ID tampering and abuse, particularly if they use a single context to run the entire application. Consider whether the web browser may leak information. Some web browsers may ignore the no-caching directives in HTTP headers or handle them incorrectly. Every secure application has a responsibility to minimize the amount of information stored by the web browser, just in case it leaks or leaves information behind. In implementing persistent values, the use of hidden fields is insecure by nature. Such storage should not be relied on to secure sensitive information or to provide adequate personal privacy safeguards.

Denial of Service - The use of expensive resources such as large files, complex calculations, heavy-duty searches, or long queries should be reserved for authenticated and authorized users. For applications that do not have this luxury, every facet of the application should be engineered to perform as little work as possible, to use fast and few database queries, and to avoid exposing large files or unique links per user, in order to prevent simple attacks.

Elevation of Privilege - If an application provides distinct user and administrative roles, then it is vital to ensure that the user cannot move to a higher role. Not displaying administrative role links is insufficient. All actions should be gated through an authorization matrix, to ensure that only the permitted roles can access administrative functionality.

DREAD categories - Damage, Reproducibility, Exploitability/Vulnerability, Affected users, Discoverability

DREAD - Part of a system for risk-assessing computer security threats previously used at Microsoft and currently used by OpenStack and many other corporations. It provides a mnemonic for risk rating security threats using five categories.

DREAD - Damage - How bad would an attack be? Ranks the extent of harm that occurs if a vulnerability is exploited.

DREAD - Reproducibility - How easy is it to recreate the attack? Ranks how often an attempt at exploiting a vulnerability really works.

DREAD - Exploitability/Vulnerability - How much work is it to launch the attack? Measures the effort required to launch the attack.

DREAD - Affected users - How many people will be impacted? Measures the number of installed instances of the system affected by an exploit.

DREAD - Discoverability - How easy is it to uncover the threat? States the likelihood that a vulnerability will be found by security researchers or hackers.

DREAD threat assessment - Each category is given a rating on probability and damage potential, for example 3 for high, 2 for medium, 1 for low and 0 for none (rating scales running from 0 to 10 are also common). The sum of all ratings for a given exploit can be used to prioritize among different exploits.

Threat Model - A diagram and description that tells a story of how an attacker could exploit the vulnerability. This is not a step-by-step process, but a narrative approach to the attack that should help guide the mitigation techniques that need to be put in place to protect the system. It defines the security of an application and reduces the number of vulnerabilities. It has the two steps of identifying and prioritizing vulnerabilities.

Sequence Diagram - A detailed breakdown of the communication that will occur between actors and system objects or components. Bridges the gap between the business analysis and the development analysis; this can be considered a business or development description of system functionality.

SDLC Management Control Domains - Planning / Organization, Acquisition / Implementation, Delivery and Support, Monitoring

Planning / Organization - Project Definition, User Requirements Definition and System Requirements Definition

Acquisition / Implementation - User Requirements Definition, System Requirements Definition, Analysis and Design, and System Build / Prototype / Pilot

Earned Value Management: SV - Schedule Variance

Earned Value Management: CV - Cost Variance

SV equation - BCWP - BCWS

CV equation - BCWP - ACWP

Earned Value Management: ACWP - Actual Cost of Work Performed

Steps in the Work Breakdown Structure (WBS) -
  1. Examine the set of required external deliverables.
  2. Identify and list the steps and tasks needed to produce the required deliverables, including any tasks for additional intermediate deliverables needed to complete the final deliverable.
  3. Sequence the identified tasks required to produce the deliverable.
  4. Estimate the effort required to perform each task.
  5. Estimate the productivity of the resources that will be applied to the tasks.
  6. Compute the time needed for each task by dividing the task effort estimates by the resource productivity estimates.
  7. Lay out the time needed for each task and "label" each task with its task name and the assigned resources; this layout of sequences of tasks with their associated time and resources essentially forms the initial schedule.

Capability Maturity Model Integration (CMMI) levels: ML5 - Organizational innovation and deployment, Causal analysis and resolution, Overall testing to achieve efficiencies

Capability Maturity Model Integration (CMMI) levels: ML4 - Organizational process performance, Quantitative project management

Capability Maturity Model Integration (CMMI) levels: ML3 - Requirements development, Technical solution, Product integration, Verification, Validation, Organizational process focus, Organizational process definition, Organizational training, Integrated project management, Risk management, Integrated teaming, Integrated supplier management, Decision analysis and resolution, Organizational environment for integration

Capability Maturity Model Integration (CMMI) levels: ML2 - Requirements management, Project planning, Project monitoring and control, Supplier agreement management, Measurement and analysis, Process and product quality assurance, Configuration management

NONE - Capability Maturity Model Integration (CMMI) levels: ML

The Process areas of CMMI: Project Management -
  1. Project Planning
  2. Project Monitoring and Control
  3. Supplier Agreement Management
  4. Integrated Project Management
  5. Risk Management
  6. Integrated Teaming
  7. Integrated Supplier Management
  8. Quantitative Project Management

The Process areas of CMMI: Engineering -
  1. Requirements Development
  2. Requirements Management
  3. Technical Solution
  4. Product Integration
  5. Verification
  6. Validation

The Process areas of CMMI: Support -
  1. Configuration Management
  2. Process and Product Quality Assurance
  3. Measurement and Analysis
  4. Organizational Environment for Integration
  5. Decision Analysis and Resolution
  6. Causal Analysis and Resolution

The Process areas of CMMI: Process Management -
  1. Organizational Process Focus
  2. Organizational Process Definition
  3. Organizational Training
  4. Organizational Process Performance
  5. Organizational Innovation and Deployment

Rational Unified Process (RUP) - A software development methodology from Rational. Based on UML, it organizes the development of software into four phases, each consisting of one or more executable iterations of the software at that stage of development. It is also an iterative and incremental model that utilizes the divide

Quality Assurance - Refers to all activities designed to measure and improve a product, including the whole process, training, preparation of the team, and activities associated with customer feedback.