تأمين تطوير الشبكات خيارات

One of the definition for security requirements for software development is to :

� Identify and document all security requirements for organization-developed software to meet, and maintain the requirements over time.

� Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed.

� Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other.

To implement supporting toolchains, we need to:

� Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other.

� Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed.

� Follow recommended security practices to deploy, operate, and maintain tools and toolchains.

� Ensure that policies cover the entire software life cycle, including notifying users of the impending end of software support and the date of software end-of-life.

To use criteria for software security checks, you have to:

� Separate and protect each environment involved in software development.

� Minimize direct human access to toolchain systems

� implement processes, mechanisms, etc. To gather and safeguard the necessary information in support of the criteria.

Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. Have access.

� Protect all forms of code from unauthorized access and tampering

Provide a Mechanism for Verifying Software Release Integrity.

� Archive and Protect Each Software Release.

Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release. This one of the:

� Protect all forms of code from unauthorized access and tampering

� Provide a Mechanism for Verifying Software Release Integrity.

� Archive and Protect Each Software Release.

Keep your reused software relatively up-to-date. If your reused components go very far out-of-date, then it may be very difficult to replace a vulnerable version with a fixed version.

True

False

Organizations should produce well-secured software with minimal security vulnerabilities in its releases.

� Prepare the Organization (PO).

� Protect the Software (PS).

� Produce Well-Secured Software (PW).

� Respond to Vulnerabilities (RV).

Use forms of risk modeling – such as threat modeling, attack modeling, or attack surface mapping – to help assess the security risk for the software.

� Design Software to Meet Security Requirements and Mitigate Security Risks.

� Review the Software Design to Verify Compliance with Security Requirements and Risk Information.

� Verify Third-Party Software Complies with Security Requirements.

� Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality.

Review the software design to confirm that it addresses applicable security requirements is an example of:

� Design Software to Meet Security Requirements and Mitigate Security Risks.

� Review the Software Design to Verify Compliance with Security Requirements and Risk Information.

� Verify Third-Party Software Complies with Security Requirements.

� Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality.

Acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, opensource, and other third-party developers for use by the organization’s software.

� Design Software to Meet Security Requirements and Mitigate Security Risks.

� Review the Software Design to Verify Compliance with Security Requirements and Risk Information.

� Verify Third-Party Software Complies with Security Requirements.

� Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality.

To create a secure code, you need to:

� Avoid using unsafe functions and calls.

� Validate all inputs, and validate and properly encode all outputs.

� Reuse any code.

� Avoid criteria for how to use a safe code.

To follow all secure coding practices that are appropriate to the development languages and environment to meet the organization’s requirements, you need to:

� Avoid using unsafe functions and calls.

� Validate all inputs, and validate and properly encode all outputs.

� Do not use forms of risk modeling.

� Record the response to some risks.

Determine which compiler, interpreter, and build tool features should be used and how each should be configured, then implement and use the approved configurations.

� Create Source Code by Adhering to Secure Coding Practices.

Configure the Compilation, Interpreter, and Build Processes to Improve Executable Security.

� Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements.

� Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements.

Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.

� Choose testing methods based on the stage of the software.

Identify and Confirm Vulnerabilities on an Ongoing Basis.

� Assess, Prioritize, and Remediate Vulnerabilities.

� Analyze Vulnerabilities to Identify Their Root Causes.

Review, analyze, and/or test the software’s code to identify or confirm the presence of previously undetected vulnerabilities is one of the:

� Identify and Confirm Vulnerabilities on an Ongoing Basis.

� Assess, Prioritize, and Remediate Vulnerabilities.

� Analyze Vulnerabilities to Identify Their Root Causes.

Plan and implement risk responses for vulnerabilities is one of the:

� Identify and Confirm Vulnerabilities on an Ongoing Basis.

� Assess, Prioritize, and Remediate Vulnerabilities.

� Analyze Vulnerabilities to Identify Their Root Causes.

Analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently is one of the:

� Identify and Confirm Vulnerabilities on an Ongoing Basis.

� Assess, Prioritize, and Remediate Vulnerabilities.

� Analyze Vulnerabilities to Identify Their Root Causes.

Every day there is news about computer systems being broken into, often via various vulnerabilities in the software. Insecure software may:

� Release private/secret information (“lose confidentiality”)

� Lose or corrupt information ( “lose integrity”)

� Lose service (“lose availability”).

� Secure some information.

By secure softwarewe mean software:

� that is much easier for attackers to exploit,

� that limits damage if an exploitation is successful, and

� where vulnerabilities can be fixed and exploitations partially recovered from relatively quickly.

� Easy to hack.

It is the right to have some control over how your personal information is collected and used.

� Confidentiality.

� Integrity.

� Acceptability.

� Privacy.

Privacy Requirements:

� Considering how to ensure your software provides adequate privacy if it collects information about individuals.

� Collect only relevant and necessary information that is relevant and necessary to carry out an agency function.

� Prove someone did something.

� Who is allowed to do what?

Determine what you will do about the risk. You have several options for each risk.

� Risk planning.

� Risk identification.

� Risk analysis.

� Risk handling.

Determine how the risks have changed over time. Over time, you should “burn down” your risks.

� Risk planning.

� Risk Monitoring.

� Risk analysis.

� Risk handling.

Every time a program gets a request, at least from a source the program cannot completely trust (it is outside the trust boundary), the program must check the request.

� Fail-safe defaults.

� Separation of privilege (e.g., use two-factor authentication).

� Least common mechanism.

� Complete mediation.

The system, in particular the part that security depends on, should be as simple and small as possible.

� Fail-safe defaults.

Fals• Separation of privilege (e.g., use two-factor authentication).e

� Economy of mechanism.

� Complete mediation.

Access to objects should depend on more than one condition, so that breaking one condition does not break everything

� Fail-safe defaults.

� Fail-safe defaults & separation of privilege.

� Economy of mechanism.

� Complete mediation.

Secure software development framework (SSDF) consists of four pillars:

� Prepare the Organization (PO).

� Protect the Software (PS).

� Produce Well-Secured Software (PW).

� Respond to Vulnerabilities (RV).

تأمين تطوير الشبكات خيارات

More Quizzes