WGU C706 Secure Software Design Study Guide
2022
1.Confidentiality: Information is not made available or disclosed to
unauthorized individuals, entities, or processes. Ensures unauthorized
persons are not able to read private and sensitive data. It is achieved
through cryptography.
2.Integrity: Ensures unauthorized persons or channels are not able to
modify the data. It is accomplished through the use of a message
digest or digital signatures.
3.Availability: The computing systems used to store and process
information, the security controls used to protect information, and the
communication channels used to access information must be
functioning correctly. Ensures system remains operational even in the
event of a failure or an attack. It is achieved by providing redundancy
or fault tolerance for a failure of a system and its components.
4.Ensure Confidentiality: Public Key Infrastructure (PKI) and
Cryptography/En- cryption
5.Ensure Availability: Offsite back-up and Redundancy
6.Ensure Integrity: Hashing, Message Digest (MD5), non repudiation
and digital signatures
7.Software Architect: Moves analysis to implementation and analyzes
the re- quirements and use cases as activities to perform as part of
the development process; can also develop class diagrams.
8.Security Practitioner Roles: Release Manager,
Architect, Developer, Business Analyst/Project
Manager
9.Release Manager: Deployment
10.Architect: Design
11.Developer: Coding
12.Business Analyst/Project Manager: Requirements Gathering
13.Red Team: Teams of people familiar with the infrastructure of the
company and the languages of the software being developed. Their
mission is to kill the system as the developers build it.
14.Static Analysis: A method of computer program debugging that is
done by examining the code without executing the program. The
process provides an understanding of the code structure, and can help
to ensure that the code adheres to industry standards. It’s also
referred as code review.
15.MD5 Hash: A widely used hash function producing a 128-bit hash
value. Initially designed to be used as a cryptographic hash function,
it has been found
to suffer from extensive vulnerabilities. It can still be used as a
checksum to verify data integrity, but only against unintentional
corruption.
16.SHA-256 (Secure Hash Algorithm): One of a number of cryptographic
hash functions. A cryptographic hash is like a signature for a text or a
data file. Generates an almost-unique, fixed size 32-byte
(32 X 8) hash. Hash is a one-way function – it cannot be decrypted.
17.Advanced Encryption Standard (AES): A symmetric encryption
algorithm. The algorithm was developed by two Belgian
cryptographers Joan Daemen and Vincent Rijmen. Designed to be
efficient in both hardware and software, and supports a block length
of 128 bits and key lengths of 128, 192, and 256 bits.
18.Algorithms used to verify integrity: MD5 Hash, SHA-256
19.Algorithm used to verify confidentiality: Advanced Encryption
Standard (AES)
20.Stochastic: unintentional or accidental
21.safety-relevant faults: stochastic (i.e., unintentional or accidental)
22.security-relevant faults: “Sponsored,” i.e., intentionally created and
activated through conscious and intentional human agency.
23.Fuzz Testing: Used to see if the system has solid exception handling
to the input it receives. Is the use of malformed or random input into a
system in order to intentionally produce failure. This is a very easy
process of feeding garbage to the system when it expects a formatted
Confidentiality
Information is not made available or disclosed to unauthorized individuals, entities, or processes. Ensures unauthorized persons are not able to read private and sensitive data. It is achieved through cryptography.
Integrity
Ensures unauthorized persons or channels are not able to modify the data. It is accomplished through the use of a message digest or digital signatures.
Availability
The computing systems used to store and process information, the security controls used to protect information, and the communication channels used to access information must be functioning correctly. Ensures system remains operational even in the event of a failure or an attack. It is achieved by providing redundancy or fault tolerance for a failure of a system and its components.
Ensure Confidentiality
Public Key Infrastructure (PKI) and Cryptography/Encryption
Ensure Availability
Offsite back-up and Redundancy
Ensure Integrity
Hashing, Message Digest (MD5), non repudiation and digital signatures
Software Architect
Moves analysis to implementation and analyzes the requirements and use cases as activities to perform as part of the development process; can also develop class diagrams.
Security Practitioner Roles
Release Manager,
Architect, Developer, Business Analyst/Project Manager
Release Manager
Deployment
Architect
Design
Developer
Coding
Business Analyst/Project Manager
Requirements Gathering
Red Team
Teams of people familiar with the infrastructure of the company and the languages of the software being developed. Their mission is to kill the system as the developers build it.
Static Analysis
A method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure, and can help to ensure that the code adheres to industry standards. It’s also referred as code review.
MD5 Hash
A widely used hash function producing a 128-bit hash value. Initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.
SHA-256 (Secure Hash Algorithm)
One of a number of cryptographic hash functions. A cryptographic hash is like a signature for a text or a data file. Generates an almost-unique, fixed size 32-byte
(32 X 8) hash. Hash is a one-way function – it cannot be decrypted.
Advanced Encryption Standard (AES)
A symmetric encryption algorithm. The algorithm was developed by two Belgian cryptographers Joan Daemen and Vincent Rijmen. Designed to be efficient in both hardware and software, and supports a block length of 128 bits and key lengths of 128, 192, and 256 bits.
Algorithms used to verify integrity
MD5 Hash, SHA-256
Algorithm used to verify confidentiality
Advanced Encryption Standard (AES)
Stochastic
unintentional or accidental
safety-relevant faults
stochastic (i.e., unintentional or accidental)
security-relevant faults
“Sponsored,” i.e., intentionally created and activated through conscious and intentional human agency.
Fuzz Testing
Used to see if the system has solid exception handling to the input it receives. Is the use of malformed or random input into a system in order to intentionally produce failure. This is a very easy process of feeding garbage to the system when it expects a formatted input, and it is always a good idea to feed as much garbage as possible to an input field.
Three (3) Tier
Removes the business logic from the client end of the system. It generally places the business logic on a separate server from the client. The data access portion of the system resides separately from both the client and the business logic platform.
T-MAP
Defines a set of threat-relevant attributes for each layer or node. These can be classified as probability-relevant, size-of-loss relevant, or descriptive. These are primarily derived from Common Vulnerability Scoring System (CVSS). USC’s Threat Modeling based on Attacking Path analysis is a risk management approach that quantifies total severity weights of relevant attacking paths for COTS-based systems. Its strengths lie in its ability to maintain sensitivity to an organization’s business value priorities and IT environment, to prioritize and estimate security investment effectiveness and evaluate performance, and to communicate executive-friendly vulnerability details as threat profiles to help evaluate cost efficiency.
Trike
An open source conceptual framework, methodology, and tool set designed to auto-generate repeatable threat models. Its methodology enables the risk analyst to accurately and completely describe the security characteristics of the system, from high-level architecture to low-level implementation of details. It also requires building a defensive model of the subject system.
SDL Threat Modeling Tool
This free tool builds on Microsoft Visio and provides a tool for constructing graphic representations for the system without requiring expertise in security and also has the capability of graphically representing a software system and identifying vulnerabilities.
Vulnerability Mapping
Used to determine the most likely locations within the system in development where an attacker will strike. This is done on the design phase of the SDLC.
V3
The highest level of vulnerability. This is a very likely target for an attacker, such as free text input in a form. These are the highest priory for a security plan for the system and these should all be mitigated and accounted for by established control systems in development.
V2
A moderate level vulnerability. These are possible but not probable targets. These will include inter-process communications on the server or traffic within the trust boundary of the system. Eavesdropping is the most significant risk in this situation. These vulnerabilities should always be mitigated in the system, but in a trade off analysis, strict control may not be necessary as long as a procedure is in place to fail safely and protect any private or confidential data.
V1
The lowest priority level of vulnerability. These are unlikely venues of attack with little risk if they are exploited. Failing safely is the most important concern at this level, because the data associated with this vulnerability has no value, and the process involved is not mission critical, such as a transmission failure in an HTML header coming from the system; the highest risk is that the customer will
not properly see the page and it would have to be reloaded. These vulnerabilities can be largely ignored, but they should be noted in the system specification in case functionality is altered by a later system update or interaction because this may allow them to become more significant.
Activity Diagram
Capable of expressing resolution efforts to malformed input and potential attacks in a way other documentation at the system level cannot. The caveat is that these do not contain class calls and references; they only provide a visualization of the process logic.
Kiviat Diagram
Provides a visual comparison of multiple attributes and can visualize and report the information on a single artifact based on monitored information.
Identify the Assets
A threat model process that allows the company to identify the part that needs to be protected from unauthorized users.
Agile Model
Describes a set of principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams. It promotes adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change. Supports the definition and continuing evolution of many software development methods, avoids life cycle activities, focuses on built-a- little, test-a-little and field-a-little. It also supports informal communication and Incremental design.
Types of Vulnerability Mapping
Activity Diagram, Kiviat Diagram, Identify the Assets, Agile Model, V1, V2, V3
Agile attributes
Cyclical Process. Supports quick prototyping and limits the time spent thinking about the problem as a whole.
Waterfall attributes
Similar to interactive model and main components are planning, development and deployment.
Chrystal Clear attributes
Can be applied to teams of up to 6 or 8 co-located developers working on systems that are not life-critical. This family of methodologies focuses on efficiency and habitability as components of project safety. Focuses on people, not processes or artifacts. Roles may be filed by the same people, including a project manager and a business expert.
Waterfall attributes
A sequential (non-iterative / Limited Interaction) design process, used in software development, in which progress is seen as flowing down through the phases of conception, initiation, analysis, design, construction, testing, production/implementation and maintenance. All the requirements will be specified in the first step, uses a document driven approach (large amount of documentation) and has specific and identifiable stages. It also provides a resource to entry level developers with limited exposure.
Waterfall Methodology Security concerns
Requirement Analysis: Define Security Features
Design: Misuse cases and vulnerability mapping
Construction and Implementation: Secure Coding practices
Testing: Penetration Assessment
Installation: Final Security Review
Operation or Maintenance: Periodic security review and updates
Digital Signature
A mathematical scheme for demonstrating the authenticity of a message or document. Gives a recipient reason to believe that the message was created by a known sender, that the sender cannot deny having sent the message (authentication and non-repudiation), and that the message was not altered in transit (integrity). It also can be used as proof of approval by an authorized user.
Redundancy
The existence of data that is additional to the actual data and permits correction of errors in stored or transmitted data. The additional data can be simply a complete copy of the actual data, or only select pieces of data that allow detection of errors and reconstruction of lost or damaged data up to a certain level. This will make sure that all data will always be available, the data will not be lost and it will be stored at a another location for failover reasons.
Hashing:
The process of using an algorithm for verifying the integrity or authenticity of a computer file. This can be done by comparing two files bit-by-bit, but requires two copies of the same file, and may miss systematic corruptions which might occur to both files. A more popular approach is to also store checksums (message digests) of files for later comparison.
Software Assurance
Ensures that the processes, procedures, and products used to produce and sustain the software conform to all requirements and standards specified to govern those processes, procedures, and products. This can be also used to make sure that any web application meets the requirements of what it was designed to do and accessible to all that are authorized whether in the office or at a remote location.
Sandboxing, isolating trusted processes, and proper handling of errors and exceptions
Help secure a system in a high risk environment where the system is prone to attack.
DOS or DDOS
A common web server attack in which unsolicited TCP requests overwhelm the web servers’ resources and make it unavailable.
SQL SELECT query command
Can allow an attacker to access tables within that particular database without requiring elevated and/or administrator permissions and jeopardizing the structure and relevance of the data that the database contains.
Scrub all input of malicious code
One method of disallowing a SQL injection attack when handling user fields in a web from that reads or write to a database.
Characterize the system, view the system as an adversary
The two steps of the threat model that data flow approaches.
accessing ports that are not secured and/or locked down, the exploitation of default passwords
The two attacks that can affect both the operating system and databases.
Acquisition and Implementation
Control domain for the analysis and design phase of the SDLC.
Monitoring, Delivery and Support
The control domain for the sustainment phase of the SDLC.
Coding
Takes place in the construction phase of the SDLC.
Task Refinement
Specific security activities must be identified when integrating security requirements into a work breakdown structure for the new software development effort.
Release Manager
Conducts the code review process as one of the parts or processes of the software development. Can also deploy the finished product to the various environments at project completion.
Business Analyst
Has the SDLC role to identify the requirements of an application (example: Web Application), must be able to identify who will be impacted by such an application. Once the application is developed in a test environment, must insure that the user acceptance testing is completed and to standards.
Tester Role
Has the responsibility to prepare a document plan that will verify that a systems code performs the proper actions that it was designed to do.
SQL Injection
A technique, used to attack data-driven applications, in which nefarious statements are inserted into an entry field for execution. This can be done from any form or place that allows the attacker to enter any type of information which is somewhat connected to a database.
Beta version
The focus is reducing impacts to users, often incorporating usability testing and expectation of functionality. This software is often useful for demonstrations and previews within an organization and to prospective customers.
STRIDE categories
Spoofing Identity,
Tampering with Data, Repudiation,
Information Disclosure, Denial of Service, Elevation of Privilege
STRIDE
A classification scheme for characterizing/measuring known threats/vulnerabilities according to the kinds of exploit that are used (or motivation of the attacker). It also focuses on the end results of possible attacks rather than on the identification of each specific attack.
Spoofing Identity
A key risk for applications that have many users but provide a single execution context at the application and database level. In particular, users should not be able to become any other user or assume the attributes of another user.
Tampering with Data
Users can potentially change data delivered to them, return it, and thereby potentially manipulate client-side validation, GET and POST results, cookies, HTTP headers, and so forth. The application should not send data to the user, such as interest rates or periods, which are obtainable only from within the application itself. The application should also carefully check data received from the user and validate that it is sane and applicable before storing or using it.
Repudiation
Users may dispute transactions if there is insufficient auditing or record keeping of their activity. For example, if a user says, “But I didn’t transfer any money to this external account!”, and you cannot track his/her activities through the application, then it is extremely likely that the transaction will have to be written off as a loss. Therefore, consider if the application requires controls such as web access logs, audit trails at each tier, or the same user context from top to bottom. Preferably, the application should run with the user’s privileges, not more, but this may not be possible with many off-the-shelf application frameworks.
Information Disclosure
Users are wary of submitting private details to a system. If it is possible for an attacker to publicly reveal user data whether anonymously or as an authorized user, there will be an immediate loss of confidence and a substantial period of reputation loss. Applications must include strong controls to prevent user ID tampering and abuse, particularly if they use a single context to run the entire application.
Consider if the web browser may leak information. Some web browsers may ignore the no caching directives in HTTP headers or handle them incorrectly. Every secure application has a responsibility to minimize the amount of information stored by the web browser, just in case it leaks or leaves information behind.
In implementing persistent values, the use of hidden fields is insecure by nature. Such storage should not be relied on to secure sensitive information or to provide adequate personal privacy safeguards.
Denial of Service
The use of expensive resources such as large files, complex calculations, heavy-duty searches, or long queries should be reserved for authenticated and authorized users.
For applications that do not have this luxury, every facet of the application should be engineered to perform as little work as possible, to use fast and few database queries, to avoid exposing large files or unique links per user, in order to prevent simple attacks.
Elevation of Privilege
If an application provides distinct user and administrative roles, then it is vital to ensure that the user cannot move to a higher role. Not displaying administrative role links is insufficient. All actions should be gated through an authorization matrix, to ensure that only the permitted roles can access administrative functionality.
DREAD categories
Damage, Reproducibility, Exploitability/Vulnerability, Affected users, Discoverability
DREAD
Part of a system for risk-assessing computer security threats previously used at Microsoft and currently used by OpenStack and many other corporations. It provides a mnemonic for risk rating security threats using five categories.
DREAD – Damage
How bad would an attack be? Ranks the extent of harm that occurs if a vulnerability is exploited.
DREAD – Reproducibility
How easy is it to recreate the attack? Ranks how often an attempt at exploiting a vulnerability really works
DREAD – Exploitability/Vulnerability
How much work is it to launch the attack? Measures the effort required to launch the attack.
DREAD – Affected users
how many people will be impacted? Measures the number of installed instances of the system affected by an exploit.
DREAD – Discoverability
How easy is it to uncover the threat? States the likelihood that a vulnerability will be found by security researchers or hackers.
DREAD threat assessment
Each category is given a rating on probability and damage potential. For example, 3 for high, 2 for medium, 1 for low and 0 for none. (Rating scales running from 0 to 10 are common) The sum of all ratings for a given exploit can be used to prioritize among different exploits.
Threat Model
A diagram and description that tells a story of how an attacker could exploit the vulnerability. This is not a step by step process, but a narrative approach to the attack that should help guide the mitigation techniques that need to be put in place to protect the system. It defines the security of an application and reduces the number of vulnerabilities. It has the 2 steps of identifying and prioritizing vulnerabilities.
Sequence Diagram
A detailed breakdown of the communication that will occur between actors and system objects or components. Bridges the gap between the business analysis and the development analysis; this can be considered a business or development description of system functionality.
SDLC Management Control Domains
Planning / Organization,
Acquisition / Implementation, Delivery and Support,
Monitoring
Planning / Organization
Project Definition, User Requirements Definition and Systems Requirement Definition
Acquisition / Implementation
User Requirements Definition, System Requirement Definition, Analysis and Design and System Build / Prototype / Pilot
Delivery and Support
Analysis and Design, System Build / Prototype / Pilot, Implementation and Training and Sustainment
Monitoring
User Requirements Definition, Systems Requirements Definition, Analysis and Design, System Build / Prototype / Pilot, Implementation and Training and Sustainment
Planning/ Organization
Name the domain(s) for Project Definition
Name the domain(s) for User Requirements Definition
Planning/Organization, Acquisition/Implementation, Monitoring
Name the domain(s) for System Requirements Definition
Planning/Organization, Acquisition/Implementation, Monitoring
Name the domain(s) for Analysis and Design
Acquisition/Implementation, Delivery/Support, Monitoring
Name the domain(s) for System Build/Prototype/Pilot
Acquisition/Implementation, Delivery/Support, Monitoring
Name the domain(s) for Implementation and Training
Delivery/Support, Monitoring
Name the domain(s) for Sustainment
Delivery/Support, Monitoring
Name the SDLC Phases
Project Definition, User Requirements Definition, System Requirements Definition, Analysis and Design, System Build/Prototype/Pilot, Implementation and Training, Sustainment
Requirements Analysis
A phase of the SDLC that defines security functions that an application should satisfy. The designated employee can also speak with several stakeholders to determine the expected end state of the application.
Testing Phase
Security should be involved in all phases of the SDLC, but exploitation of vulnerabilities to identify weaknesses should be done in this phase.
Incident Response Plan
An organized approach to addressing and managing the aftermath of a security breach or compromise on a system or software. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. This will take place at the operation phase of the SDLC.
Earned Value Management:
BCWS
Budget Cost Work Scheduled
Earned Value Management:
BCWP
Budget Cost of Work Performed
Earned Value Management: SV
Scheduled Variance
Earned Value Management: CV
Cost Variance
SV equation
BCWP – BCWS
CV equation
BCWP – ACWP
Earned Value Management: ACWP
Actual Cost of Work Performed
Steps in the Work Breakdown Structure (WBS):
1) Examine the set of required external deliverables.
2) Identify and list the steps and tasks needed to produce the required deliverables, including any tasks for additional intermediate deliverables needed to complete the final deliverable.
3) Sequence the identified tasks required to produce the deliverable.
4) Estimate the effort required to perform each task.
5) Estimate the productivity of the resources that will be applied to the tasks.
6) Compute the time needed for each task by dividing the task effort estimates by the resource productivity estimates.
7) Lay out the time needed for each task and “label” each task with its task name and the assigned resources; this layout of sequences of tasks with their associated time and resources essentially forms the initial schedule.
Capability Maturity Model Integration (CMMI) levels: ML5
Organizational innovations and deployment,
Casual analysis and resolution,
Overall testing to achieve efficiencies
Capability Maturity Model Integration (CMMI) levels: ML4
Organizational process performance,
Quantitative project management
Capability Maturity Model Integration (CMMI) levels: ML3
Requirements development,
Technical solution,
Product integration,
Verification,
Validation,
Organizational process focus,
Organizational process definition,
Organizational training,
Integrated project management,
Risk Management,
Integrated teaming,
Integrated supplier management,
Decision analysis and resolution,
Organizational environment for integration
Capability Maturity Model Integration (CMMI) levels: ML2
Requirements management,
Project planning,
Project monitoring and control,
Supplier agreement management,
Measurement and analysis,
Process and product quality assurance,
Configuration management
NONE
Capability Maturity Model Integration (CMMI) levels: ML1
The Processes areas of CMMI: Project Management
1) Project Planning
2) Project Monitoring and control
3) Supplier agreement management
4) Integrated project management
5) Risk Management
6) Integrated teaming
7) Integrated supplier management
8) Quantitative project management
The Processes areas of CMMI: Engineering
1) Requirements development
2) Requirements Management
3) Technical Solution
4) Product Integration
5) Verification
6) Validation
The Processes areas of CMMI: Support
1) Configuration Management
2) Process and product quality assurance
3) Measurement and Analysis
4) Organizational environment for integration
5) Decision analysis and resolution
6) Casual analysis and resolution
The Processes areas of CMMI: Process Management
1) Organizational process focus
2) Organizational process definition
3) Organizational Training
4) Organizational process performance
5) Organizational innovation and deployment
Rational Unified Process (RUP)
A software development methodology from Rational. Based on UML, it organizes the development of software into four phases, each consisting of one or more executable iterations of the software at that stage of development. It’s also an interactive and incremental model that utilizes the divide and conquer methodology to decompose a complex problem into smaller parts. It’s also heavy with formal, established framework.
Extreme Programming (XP)
Based on four core values of communication, simplicity, feedback, and courage. It also includes fundamental principles of incremental change, embracing change and quality of work.
Scrum
A disciplined method that can be combined with other techniques.
Warm Site
Might be a designated building with servers, computers, and the needed office space, but with no active connections or running servers.
Data Encryption Standard (DES)
The formal United States national standard crypto-system for securing information; it’s an example of a Feistel cipher using a 56-bit key. It’s now considered breakable.
3-DES
The formal United States national standard crypto-system for securing information; it’s an example of a Feistel cipher using three separate 56-bit keys.
Secure Software Assurance (SSA)
Use of established quality assurance practices and fault tolerance techniques; Ability of software to operate dependably, despite the presence of sponsored faults and security as a part of the software specified in the beginning of the software development process.
White Box Testing
Source code fault injection, direct code analysis and property based testing.
Black Box Testing
Fuzz testing, byte code, assembler code and binary code scanning.
Unintentional disclosure
Occurs when your software prints too much information in response to queries or when it prints to public error logs. Internal data can often be the target of the attacker, so what you share via output in development or in production needs to be considered as a possible source of compromise.
Man in the Middle Attack (MitM, MiM attack, MitMA)
In cryptography and computer security, this is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
Attack surface in relation to threat: Network
Sniffing
Attack surface in relation to threat: Operating System
Rootkit
Attack surface in relation to threat: Programming Language
Buffer Overflow
Attack surface in relation to threat: Database Application
Injection
Quality Assurance
Refers to all activities designed to measure and improve a product , including the whole process, training, preparation of the team, and activities associated with customer feedback.