Secure Software Design SET 2

11 Terms

1

What is OpenSAMM?

OpenSAMM (Software Assurance Maturity Model) is an open-source framework designed to help organizations evaluate, formulate, and implement software security strategies. Its goal is to provide structured guidance for incrementally improving software security practices.

In short, OpenSAMM is a practical and adaptable tool organizations use to continuously measure and improve their software security maturity.

2

What are the four main business functions of OpenSAMM?

Governance, Design, Implementation, Verification

3

What are the security practices of the Governance function of OpenSAMM?

Strategy & Metrics

Policy & Compliance

Education & Guidance

4

What are the security practices of the Design function of OpenSAMM?

Threat Assessment

Security Requirements

Security Architecture

5

What are the security practices of the Implementation function of OpenSAMM?

Secure Build

Secure Deployment

Defect Management

6

What are the security practices of the Verification function of OpenSAMM?

Architecture Assessment

Security Testing

Incident Management

7

Benefits of OpenSAMM:

Flexible: Adaptable to any organization's size, complexity, and goals.

Incremental: Supports phased improvement, avoiding overwhelming changes.

Actionable: Provides concrete recommendations and clear maturity levels.

Strategic: Aligns software security with business objectives.

8

What is Fuzz Testing (Fuzzing)?

Purpose: Discover unexpected or exploitable behaviors by injecting random, malformed, or unexpected inputs.

Usage: Ideal for identifying boundary conditions, buffer overflows, and input validation weaknesses.

9

What is Static Analysis testing?

Purpose: Analyze source code or binaries without executing the program.

Usage: Detects coding errors, vulnerabilities (e.g., SQL injection, buffer overflow), and insecure patterns early in development.

10

What is Dynamic Analysis testing?

Purpose: Analyze code by observing the runtime behavior of the software.

Usage: Identifies vulnerabilities only visible during execution (e.g., race conditions, memory leaks, runtime security flaws).

11

What are Manual Code Reviews?

Purpose: Human-led inspection of code to identify security flaws missed by automated tools.

Usage: Essential for spotting complex logical flaws, design errors, and subtle security issues that automation alone might overlook.