D487 STUDY GUIDE
Building Security In Maturity Model (BSIMM) - Answers :A study of real-world software
security initiatives organized so that you can determine where you stand with your
software security initiative and how to evolve your efforts over time
SAMM - Answers :offers a roadmap and a well-defined maturity model for secure
software development and deployment, along with useful tools for self-assessment and
planning.
Core OpenSAMM activities - Answers :Governance
Construction
Verification
Deployment
static analysis - Answers :Source code of an application is reviewed manually or with
automatic tools without running the code
dynamic analysis - Answers :Analysis and testing of a program occurs while it is being
executed or run
Fuzzing - Answers :Injection of randomized data into a software program in an attempt
to find system failures, memory leaks, error handling issues, and improper input
validation
OWASP ZAP - Answers :-Open-source web application security scanner
-Can be used as a proxy to manipulate traffic running through it (even https)
ISO/IEC 27001 - Answers :Specifies requirements for establishing, implementing,
operating, monitoring, reviewing, maintaining and improving a documented information
security management system
ISO/IEC 17799 - Answers :ISO/EIC is a joint committee that develops and maintains
standards in the IT industry. is an international code of practice for information security
management. This section defines confidentiality, integrity and availability controls.
ISO/IEC 27034 - Answers :A standard that provides guidance to help organizations
embed security within their processes that help secure applications running in the
environment, including application lifecycle processes
Software security champion - Answers :a developer with an interest in security who
helps amplify the security message at the team level
, waterfall methodology - Answers :a sequential, activity-based process in which each
phase in the SDLC is performed sequentially from planning through implementation and
maintenance
Agile Development - Answers :A software development methodology that delivers
functionality in rapid iterations, measured in weeks, requiring frequent communication,
development, testing, and delivery.
Scrum - Answers :an agile project management framework that helps teams structure
and manage their work through a set of values, principles, and practices
Daily scrum - Answers :daily time-boxed event of 15 minutes, or less, for the
Development Team to re-plan the next day of development work during a Sprint.
Updates are reflected in the Sprint Backlog.
Sprint review - Answers :A meeting that occurs after each sprint to show the product or
process to stakeholders for approval and to receive feedback.
Sprint retrospective - Answers :an opportunity for the Scrum Team to inspect itself and
create a plan for improvements to be enacted during the next Sprint.
Sprint planning - Answers :A collaborative event in Scrum in which the Scrum team
plans the work for the current sprint.
Threat Modeling Steps - Answers :Identify security objectives
Survey the application
Decompose it
Identify threats
Identify Vulnerabilities
Scrum master - Answers :A person who ensures that the team is productive, facilitates
the daily Scrum, enables close cooperation across all roles and functions, and removes
barriers that prevent the team from being effective
Communication security - Answers :New standard for managing traffic and sessions
DREAD - Answers :D - Damage potential
R - Reproducibility
E - Exploitability
A - Affected users
D - Discoverability
Throttling - Answers :a technique that ensures that the flow of data being sent into a
target can be digested at an acceptable rate
Data classification requirement - Answers :credit cards, pii, phi
Building Security In Maturity Model (BSIMM) - Answers :A study of real-world software
security initiatives organized so that you can determine where you stand with your
software security initiative and how to evolve your efforts over time
SAMM - Answers :offers a roadmap and a well-defined maturity model for secure
software development and deployment, along with useful tools for self-assessment and
planning.
Core OpenSAMM activities - Answers :Governance
Construction
Verification
Deployment
static analysis - Answers :Source code of an application is reviewed manually or with
automatic tools without running the code
dynamic analysis - Answers :Analysis and testing of a program occurs while it is being
executed or run
Fuzzing - Answers :Injection of randomized data into a software program in an attempt
to find system failures, memory leaks, error handling issues, and improper input
validation
OWASP ZAP - Answers :-Open-source web application security scanner
-Can be used as a proxy to manipulate traffic running through it (even https)
ISO/IEC 27001 - Answers :Specifies requirements for establishing, implementing,
operating, monitoring, reviewing, maintaining and improving a documented information
security management system
ISO/IEC 17799 - Answers :ISO/EIC is a joint committee that develops and maintains
standards in the IT industry. is an international code of practice for information security
management. This section defines confidentiality, integrity and availability controls.
ISO/IEC 27034 - Answers :A standard that provides guidance to help organizations
embed security within their processes that help secure applications running in the
environment, including application lifecycle processes
Software security champion - Answers :a developer with an interest in security who
helps amplify the security message at the team level
, waterfall methodology - Answers :a sequential, activity-based process in which each
phase in the SDLC is performed sequentially from planning through implementation and
maintenance
Agile Development - Answers :A software development methodology that delivers
functionality in rapid iterations, measured in weeks, requiring frequent communication,
development, testing, and delivery.
Scrum - Answers :an agile project management framework that helps teams structure
and manage their work through a set of values, principles, and practices
Daily scrum - Answers :daily time-boxed event of 15 minutes, or less, for the
Development Team to re-plan the next day of development work during a Sprint.
Updates are reflected in the Sprint Backlog.
Sprint review - Answers :A meeting that occurs after each sprint to show the product or
process to stakeholders for approval and to receive feedback.
Sprint retrospective - Answers :an opportunity for the Scrum Team to inspect itself and
create a plan for improvements to be enacted during the next Sprint.
Sprint planning - Answers :A collaborative event in Scrum in which the Scrum team
plans the work for the current sprint.
Threat Modeling Steps - Answers :Identify security objectives
Survey the application
Decompose it
Identify threats
Identify Vulnerabilities
Scrum master - Answers :A person who ensures that the team is productive, facilitates
the daily Scrum, enables close cooperation across all roles and functions, and removes
barriers that prevent the team from being effective
Communication security - Answers :New standard for managing traffic and sessions
DREAD - Answers :D - Damage potential
R - Reproducibility
E - Exploitability
A - Affected users
D - Discoverability
Throttling - Answers :a technique that ensures that the flow of data being sent into a
target can be digested at an acceptable rate
Data classification requirement - Answers :credit cards, pii, phi
