WGU D487 Secure Software Design Assessment 2024-2025
Mohammad_Uddin20 (Teacher), created 24/02/25

Overview of Secure Software Design

Security Development Lifecycle (SDL)
• The SDL is a framework that integrates security into the software development process, ensuring that security is considered at every phase.
• Key phases include: Requirements, Design, Implementation, Verification, and Release.
• Each phase has specific deliverables that contribute to the overall security posture of the software.
• The SDL emphasizes the importance of privacy compliance and security testing throughout the development lifecycle.
• Organizations must adapt their SDL to address emerging threats and vulnerabilities effectively.

Key Deliverables in SDL
• Privacy Compliance Report: Details the progress of personal information requirements and compliance with regulations.
• Updated Threat Modeling Artifacts: Contain technical reports on newly identified vulnerabilities, essential for risk assessment.
• Security Test Execution Report: Summarizes the results of security tests conducted during the verification phase.

Vulnerability Management and Remediation

Identifying Vulnerabilities
• Vulnerabilities can be discovered through various means, including penetration testing, code reviews, and functional testing.
• Common vulnerabilities include buffer overflows, cross-site scripting (XSS), and improper input validation.
• Organizations must maintain an updated inventory of third-party libraries to mitigate risks associated with external dependencies.

Remediation Strategies
• Parameterization of Queries: Essential for preventing SQL injection attacks by ensuring that user inputs are treated as data, not executable code.
• Input Validation: Critical for ensuring that only expected data types and formats are accepted, reducing the risk of malicious uploads.
• Strong Hashing Functions: Organizations should enforce the use of strong, salted hashing functions for storing passwords to enhance security.

Testing and Quality Assurance

Types of Software Testing
• Functional Testing: Validates that the software functions according to specified requirements, including security features.
• Regression Testing: Ensures that new code changes do not adversely affect existing functionality, including security controls.
• Integration Testing: Tests the interaction between different software modules to identify security issues that may arise from their integration.

Handling Exceptions and Errors
• Proper exception handling is crucial to prevent unauthorized access to sensitive areas of the application.
• Organizations should ensure that user privileges are restored after exceptions to maintain security integrity.
• Error messages should be scrubbed of sensitive information to prevent information leakage.

Incident Response and Post-Release Activities

Incident Response Process
• The Product Security Incident Response Team (PSIRT) plays a vital role in addressing reported vulnerabilities.
• Upon confirming a vulnerability, the next step is to identify resources and schedule a fix promptly.
• Communication with stakeholders, including customers, is essential to maintain trust and transparency.

Post-Release Security Strategies
• Security Strategy for M&A Products: Ensures that acquired products comply with organizational security policies.
• External Vulnerability Disclosure Response Process: Outlines how to handle vulnerabilities reported by external entities, including a RACI matrix for stakeholder involvement.
• Post-Release Certifications: Validate that the software meets security standards after deployment.

Overview of Software Security Development Life Cycle (SDL)

Key Phases of SDL
• The SDL consists of several key phases, including requirements gathering, design, implementation, verification, and release.
• Each phase has specific security activities that must be performed to ensure the software is secure before release.
• The phases are iterative, especially in agile methodologies, allowing for continuous improvement and adaptation of security practices.

Importance of Security Reviews
• Security reviews are critical checkpoints in the SDL to ensure that all identified vulnerabilities are addressed before product release.
• The final security review assesses whether all security issues have been resolved and whether the software meets SDL requirements.
• The possible outcomes of the security review are 'Passed', 'Passed with exceptions', and 'Not passed', which dictate the next steps for the development team.

Security Requirements and Compliance

Types of Security Requirements
• Every-sprint requirements: Ongoing requirements that must be validated in each sprint, such as input validation.
• One-time requirements: Requirements specific to a particular release that do not recur in future sprints.
• Bucket requirements: Requirements that can be addressed at any time during the development process, such as performing RPC fuzz testing.

Policy Compliance Analysis
• This activity involves reviewing new security requirements based on identified threats or changes in organizational guidelines.
• It ensures that the software complies with internal policies and external regulations before release.
• The analysis helps in identifying gaps in security practices and aligning them with best practices.

Implementing Security Controls
• Security controls are measures taken to mitigate risks and protect information systems.
• Examples include digital signatures for data integrity, audit trails for accountability, and access control measures.
• Security controls must be audited and updated regularly to adapt to new threats.
• Case Study: The implementation of digital signatures in software development to prevent data tampering.
• Example: Using service accounts with limited privileges to enhance security in application configurations.

Threat Modeling and Security Practices

Threat Modeling Steps
• Threat modeling involves identifying potential threats, vulnerabilities, and security requirements for a software product.