D487 STUDY (Western Governors University, D487 Secure Software Design)
Terms in this set (70)
Building Security In Maturity Model (BSIMM): A study of real-world software security initiatives, organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time.
SAMM: Offers a roadmap and a well-defined maturity model for secure software development and deployment, along with useful tools for self-assessment and planning.
Core OpenSAMM activities: Governance, Construction, Verification, Deployment.
Static analysis: Source code of an application is reviewed manually or with automatic tools without running the code.
Dynamic analysis: Analysis and testing of a program occurs while it is being executed or run.
Fuzzing: Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation.
OWASP ZAP: Open-source web application security scanner; can be used as a proxy to manipulate traffic running through it (even HTTPS).
ISO/IEC 27001: Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system.
ISO/IEC 17799: ISO/IEC is a joint committee that develops and maintains standards in the IT industry. ISO/IEC 17799 is an international code of practice for information security management. This section defines confidentiality, integrity and availability controls.
ISO/IEC 27034: A standard that provides guidance to help organizations embed security within their processes that help secure applications running in the environment, including application lifecycle processes.
Software security champion: A developer with an interest in security who helps amplify the security message at the team level.
Waterfall methodology: A sequential, activity-based process in which each phase in the SDLC is performed in order, from planning through implementation and maintenance.
Agile development: A software development methodology that delivers functionality in rapid iterations, measured in weeks, requiring frequent communication, development, testing, and delivery.
Scrum: An agile project management framework that helps teams structure and manage their work through a set of values, principles, and practices.
Daily scrum: Daily time-boxed event of 15 minutes or less for the Development Team to re-plan the next day of development work during a Sprint. Updates are reflected in the Sprint Backlog.
Sprint review: A meeting that occurs after each sprint to show the product or process to stakeholders for approval and to receive feedback.
Sprint retrospective: An opportunity for the Scrum Team to inspect itself and create a plan for improvements to be enacted during the next Sprint.
Sprint planning: A collaborative event in Scrum in which the Scrum team plans the work for the current sprint.
Threat modeling steps: Identify security objectives; survey the application; decompose it; identify threats; identify vulnerabilities.
Scrum master: A person who ensures that the team is productive, facilitates the daily Scrum, enables close cooperation across all roles and functions, and removes barriers that prevent the team from being effective.
Communication security: New standard for managing traffic and sessions.
DREAD: D - Damage potential; R - Reproducibility; E - Exploitability; A - Affected users; D - Discoverability.
Throttling: A technique that ensures that the flow of data being sent into a target can be digested at an acceptable rate.
Data classification requirement: Credit cards, PII, PHI.
Process of Attack Simulation and Threat Analysis (PASTA): Define the objectives; define the technical scope; decompose the application; analyze the threats; vulnerability analysis; attack analysis; risk and impact analysis.
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
White-box: A test where the tester has in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications.
Gray-box: A testing technique in which the tester has limited knowledge of the internal workings of the software.
Black-box: A testing technique in which the internal workings of the software are not known to the tester.
Fail-safe: A design feature or practice that, in the event of a specific type of failure, inherently responds in a way that will cause minimal or no harm to other equipment, to the environment or to people.
Privacy compliance report: Provides progress against privacy requirements established in earlier stages and assesses any changes to identify and add any new requirements.
SDLC: Software Development Life Cycle. A software development process; many different models are available.
Bucket: A data type that groups objects together.
Static: Going over the source code.
Dynamic: While the code is compiled and becomes object code.
Fuzzers: Random data brute force; Peach tool.
Static tool: HP analysis.
HP WebInspect: Dynamic tool.
QA Inspect: Dynamic tool.
IBM AppScan: Dynamic tool.
Veracode: Dynamic tool.
WhiteHat: Dynamic tool.
Sentinel Source: Dynamic tool.
CVSS: How serious the threat is, from the vendor.
NVD: National Vulnerability Database. Provides a CVSS score for known vulnerabilities.
CVE: Common Vulnerabilities and Exposures. Provides identifiers for threats so you can be alerted if one is on your system.
SDL: Security assessment, architecture, design and development, ship, post-release support.
Functional: Meets business need.
Non-functional: Security, privacy and compliance.