D487 - Secure Software Design

D487 - Secure Software Design 5.0 (2 reviews) Students also studied Terms in this set (67) Western Governors UniversityD 487 Save

D487 STUDYY

70 terms pawlowskithomas Preview

WGU D487 PRE-ASSESSMENT: SEC...

60 terms Shaun_Krause Preview

D487: Secure Software Design Ques...

58 terms chadl97Preview

D487 -

190 term cha Practice questions for this set Learn1 / 7Study using Learn the mechanism used to step through logical conditions in the code SDLC Phase 1planning - a vision and next steps are created SDLC Phase 2requirements - necessary software requirements are determined SDLC Phase 3design - requirements are prepared for the technical design Choose an answer 1Static Analysis2Cyclomatic Complexity Analysis 3Threat Analysis4Control Flow Analysis Don't know?

SDLC Phase 4implementation - the resources involved in the application from a known resource are determined SDLC Phase 5testing - software is tested to verify its functions through a known environment SDLC Phase 6deployment - security is pushed out SDLC Phase 7maintenance - ongoing security monitoring is implemented SDLC Phase 8end of life - the proper steps for removing software completely are considered BSIMMa study of real-world software security that allows you to develop your software security over time OWASP SAMMflexible framework for building security into a software development organization Static Analysisthe analysis of computer software that is performed without executing programs Dynamic Analysisthe analysis of computer software that is performed when executing programs on a real or virtual processor in real time Fuzz Testingautomated or semi-automated testing that provides invalid, unexpected, or random data to the computer software program Waterfall Developmentsoftware development methodology that breaks down development activities into linear sequential phases; each phase depends on the deliverables of the previous one and corresponds to a specialization of tasks Waterfall Phases (typical)plan -> build -> test -> review -> deploy Iterative Waterfall Developmenteach phase of a project is broken down into its own waterfall phases Agile Developmentsoftware development methodology that delivers functionality in rapid iterations called timeboxes, requiring limited planning but frequent communication Scrumframework for Agile that prescribes for teams to break work into goals to be completed within sprints Scrum Master (Scrum Role)responsible for ensuring a Scrum team is operating as effectively as possible by keeping the team on track, planning and leading meetings, and working out any obstacles the team might face Product Owner (Scrum Role)ensures the Scrum team aligns with overall product goals by managing the product backlog by ordering work by priority, setting the product vision for the team, and communicating with external stakeholders to translate their needs to the team Development Team (Scrum Role)professionals who do the hands-on work of completing the tasks in a Scrum sprint by lending their expertise to program, design, or improve products

Lean Developmentsoftware development methodology that focuses on further isolating risk to the level of an individual feature V-Modela variation of the waterfall model, where the stage is turned back upwards after the coding phase Extreme Programming (XP)an Agile methodology that is intended to improve software quality and responsiveness Software Security Architectensures that the stakeholder security requirements necessary to protect the organization's mission and business processes are adequately addressed Software Security Championan expert on promoting security awareness, best practices, and simplifying software security Software Security Evangelistan expert to promote awareness of products to the wider software community Functional Requirementsdescribe what the system will do and its core purpose Non-Functional Requirementsdescribe any constraints or restrictions on a design but do not impact the core purpose of the system Privacy Impact Assessmentprocess that evaluates issues and privacy impact rating in relation to the privacy of PII in the software Product Risk Profilehelps to determine the actual cost of the product from different perspectives Requirement Traceability Matrixa table that lists all of the security requirements DREAD modeldamage, reproducibility, exploitability, affected users, discoverability PASTAthe process for attack simulation and threat analysis; gives a software security team a repeatable framework for identifying threats STRIDEclassifies threats into categories: spoofing, tampering, repudiation, information disclosed, denial of service, and elevation of privilege Application Decompositiondetermining the fundamental functions of an app Trikea unified conceptual framework for security auditing Alpha Level Testingtesting done by the developers themselves Beta Level Testingtesting done by those not familiar with the actual development of the system Black Box Testingtests from an external perspective with no prior knowledge of the software Gray Box Testinganalyzes the source code for the software to help design the test cases

White Box Testingtests from an internal perspective with full knowledge of the software Abstract Syntax Tree (AST)the basis for software metrics and issues to be generated at a later stage Control Flow Analysisthe mechanism used to step through logical conditions in the code Data Flow Analysisthe mechanism used to trace data from the points of input to the points of output SonarQubeopen-source platform for static code analysis that can detect bugs, code smells, vulnerabilities, and hotspots in over 25 programming languages Spideridentifies inputs and supplies those to the scanning components of the security tool PSIRTthe team that receives, investigates, and reports security vulnerabilities Phase A1Security Assessment - the project team identifies the product risks and creates a project outline for security milestones Phase A2Architecture - examines security from perspective of business risks Phase A3Design and Development - analyze and test software to determine security and privacy issues as you make informed decisions moving forward with your software Phase A4Design and Development - build onto the proper process of security testing and continue to analyze necessities at the security level Phase A5Ship - verifies that the product complies with security policies Policy Compliance Analysisdone in A5 - final review of security and compliance requirements Open-Source Licensing Reviewdone in A5 - final review of open-source software used in the stack Final Security Reviewdone in A5 - final review of compliance against all security requirements identified during the SDL cycle - passed, passed with exceptions, not passed and requires escalation Final Privacy Reviewdone in A5 - final review of compliance against all privacy requirements identified during the SDL cycle Customer Engagement Frameworkdefines the process for sharing security-related information with customers PRSA1External Vulnerability Disclosure Response - stakeholders are clearly identified and a RACI matrix should be created PRSA2Third-Party Security Reviews - security assessment performed by groups other than internal testing teams