Building Security In Maturity Model (BSIMM)
A study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time

SAMM
Offers a roadmap and a well-defined maturity model for secure software development and deployment, along with useful tools for self-assessment and planning
Core OpenSAMM activities
Governance, Construction, Verification, Deployment
Static analysis
Source code of an application is reviewed manually or with automatic tools without running the code

Dynamic analysis
Analysis and testing of a program occurs while it is being executed or run

Fuzzing
Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation
OWASP ZAP
Open-source web application security scanner; can be used as a proxy to manipulate traffic running through it (even HTTPS)
ISO/IEC 27001
Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system
ISO/IEC 17799
ISO/IEC is a joint committee that develops and maintains standards in the IT industry. ISO/IEC 17799 is an international code of practice for information security management. This section defines confidentiality, integrity and availability controls.
ISO/IEC 27034
A standard that provides guidance to help organizations embed security within their processes that help secure applications running in the environment, including application lifecycle processes
Software security champion
A developer with an interest in security who helps amplify the security message at the team level
Waterfall methodology
A sequential, activity-based process in which each phase of the SDLC is performed in order, from planning through implementation and maintenance
Agile development
A software development methodology that delivers functionality in rapid iterations, measured in weeks, requiring frequent communication, development, testing, and delivery

Scrum