C706 - SECURE SOFTWARE DESIGN STUDY GUIDE
2 NEW VERSIONS 2024 100% CORRECT
Confidentiality - CORRECT ANSWER✔✔data is only available to the people intended
to access it
Integrity - CORRECT ANSWER✔✔data & system resources are only changed in
appropriate ways by appropriate people
Availability - CORRECT ANSWER✔✔Systems are ready when needed and perform
acceptably
Authentication - CORRECT ANSWER✔✔Identity of users is established
Authorization - CORRECT ANSWER✔✔Users are explicitly allowed or denied access
to resources
Nonrepudiation - CORRECT ANSWER✔✔Users can't perform an action and later deny
performing it
Primary dataflow - CORRECT ANSWER✔✔Functional security requirement involving
receiving, processing, storing, transmitting, and delivering in report form
Logging - CORRECT ANSWER✔✔Nonfunctional security requirement to capture
information correctly and a way to store the information to help support later audits
Sensitivity - CORRECT ANSWER✔✔Quality of information which could cause harm or
damage if disclosed
Discretion - CORRECT ANSWER✔✔Act of decision where an operator can influence
or control disclosure to minimize harm or damage
Criticality - CORRECT ANSWER✔✔level to which information is mission critical
Concealment - CORRECT ANSWER✔✔act of hiding or preventing disclosure
Secrecy - CORRECT ANSWER✔✔keeping something a secret or preventing the
disclosure of information
Privacy - CORRECT ANSWER✔✔keeping information confidential that is personally
identifiable or might cause harm, embarrassment, or disgrace if revealed
Security Through Obscurity - CORRECT ANSWER✔✔attempting to gain protection
through hiding, silence, or secrecy
Injection vulnerabilities - CORRECT ANSWER✔✔allow an attacker to supply some
type of code to the web application as input and trick the web server into executing the
code or supplying it to another server to execute
Code Injection Attack - CORRECT ANSWER✔✔attacker attempts to insert attacker-
written code into the legitimate code created by a web app developer
Fuzz testing - CORRECT ANSWER✔✔Supplies invalid input to software (randomly
generated or specially crafted) to attempt to trigger known software vulnerabilities
Two types: Mutation (Dumb) and Generational (Intelligent)
Waterfall Model/Iterative Waterfall Model - CORRECT ANSWER✔✔views the systems
development lifecycle as a series of 7 sequential activities.
Iterative Waterfall allows development to return to the previous phase to correct defects,
known as the feedback loop characteristic
Spiral Model - CORRECT ANSWER✔✔Metamodel that allows for multiple iterations of
a waterfall-style process where the waterfall process is applied to the development of
each prototype
Agile Development - CORRECT ANSWER✔✔Approach that places an emphasis on
the needs of the customer and quickly developing new functionality that meets those
needs in an iterative fashion
Agile Manifesto - CORRECT ANSWER✔✔Document stating the core philosophy of the
Agile approach, including 12 principles
Values:
-Individuals and interactions
-Working software
-Customer collaboration
-Responding to change
Methodologies of Agile approach - CORRECT ANSWER✔✔Scrum, Kanban, Rapid
Application Development (RAD), Agile Unified Process (AUP), Dynamic Systems
Development Model (DSDM), Extreme Programming (XP)
Software Assurance Maturity Model (SAMM) - CORRECT ANSWER✔✔Open-source
product maintained by OWASP. Provides a framework for integrating security activities
into the software development and maintenance process & offers organizations the
ability to assess maturity.
Five business processes: governance, design, implementation, verification, operations
Governance (SAMM) - CORRECT ANSWER✔✔activities an organization undertakes
to manage its software development process.
Includes: strategy, metrics, policy, compliance, education, guidance
Design (SAMM) - CORRECT ANSWER✔✔process to define software requirements
and create software
Includes: threat modeling, threat assessment, security requirements, security
architecture
Implementation (SAMM) - CORRECT ANSWER✔✔building and deploying software
components and managing flaws in those components
Includes: secure build, secure deployment, defect management
Verification (SAMM) - CORRECT ANSWER✔✔activities to confirm that code meets
business and security requirements
Includes: architecture assessment, requirements-driven testing, secure testing
Operations (SAMM) - CORRECT ANSWER✔✔actions to maintain security throughout
the software lifecycle after code is released
Includes: incident management, environment management, operational management
IDEAL model - CORRECT ANSWER✔✔Five phase model:
-Initiating
-Diagnosing
-Establishing
-Acting
-Learning
Software Capability Maturity Model (SW-CMM/CMM) - CORRECT ANSWER✔✔model
that describes the principles and practices underlying software process maturity; the
quality of software depends on the quality of its development process.
5 Stages: Initial, Repeatable, Defined, Managed, Optimizing
Level 1: Initial (CMM) - CORRECT ANSWER✔✔little or no defined software
development process; people charging ahead in a disorganized fashion
Level 2: Repeatable (CMM) - CORRECT ANSWER✔✔basic lifecycle management
processes introduced. Reuse of code in an organized fashion and repeatable results
expected from similar projects
Level 3: Defined (CMM) - CORRECT ANSWER✔✔software developers operate
according to a set of formal, documented software development processes; all projects
take place within constraints of new standardized management model
Level 4: Managed (CMM) - CORRECT ANSWER✔✔Quantitative measures used to
gain a detailed understanding of the development process
Level 5: Optimizing (CMM) - CORRECT ANSWER✔✔Process of continuous
improvement occurs; sophisticated software development processes in place to ensure
feedback from one phase reaches the previous phase to improve future results
Privacy Impact Assessment (PIA) - CORRECT ANSWER✔✔evaluates issues and
privacy impact rating related to the privacy of personally identifiable information in the
software; part of the Security Assessment (A1) phase of SDL
Input validation - CORRECT ANSWER✔✔verifies that the values provided by a user
match the programmer's expectation before allowing further processing; may also check
for unusual characters which may indicate an attack or transform input to remove risky
character sequences & replace them with safe values (escaping input)
Inheritance - CORRECT ANSWER✔✔methods from a class (parent or superclass) are
inherited by another subclass (child) or object
Delegation - CORRECT ANSWER✔✔forwarding of a request by an object to another
object or delegate; occurs when an object does not have a method to handle the
message
Polymorphism - CORRECT ANSWER✔✔characteristic of an object that allows it to
respond with different behaviors to the same message or method because of changes
in external conditions
Cohesion - CORRECT ANSWER✔✔the strength of the relationship between the
purposes of methods in the same class
-high cohesion: all methods have similar purposes (preferred)
-low cohesion: methods do not have similar purposes (system is not well designed)
Coupling - CORRECT ANSWER✔✔level of interaction between objects
-lower coupling: less interaction, better software design, objects more independent and
easier to troubleshoot/update
Software Security Champion (SSC) - CORRECT ANSWER✔✔individual with 3-5 years
of software dev experience; passion/background in software security; time to be trained
in software security/centralized software security team tools, plans, and processes; able
to develop and deconstruct software while "thinking like a hacker" regarding all possible
paths or exploits (attack planes); the technical ability to be trained as a junior software
security architect to assist with architecture security analysis/threat modeling