W4.1 - 7 Software Security Touchpoints P3

What is the primary focus of Risk-Based Security Testing?

Goes beyond traditional functional testing to combine standard security testing with risk-driven approaches based on attack patterns, risk analysis, and abuse cases using an attacker's mindset

What are the two main artifacts tested in Risk-Based Security Testing?

• Unit level testing
• System level testing

What approaches does Risk-Based Security Testing combine?

• White hat methodology (defensive perspective)
• Black hat methodology (offensive perspective)

How does Security Testing differ from Penetration Testing in timing?

• Security Testing: Can be performed at unit level during development
• Penetration Testing: Performed in operational environments when software is completed and installed

How does Security Testing differ from Penetration Testing in approach direction?

• Security Testing: Uses inside-out approach focusing on internal vulnerabilities
• Penetration Testing: Uses outside-in approach focusing on external attack vectors

What should both Security Testing and Penetration Testing incorporate?

• Risk analysis findings
• Abuse cases
• Functional security requirements

What are the two main strategies for effective security testing?

• Functional Security Testing: Tests security mechanisms for proper implementation
• Adversarial Security Testing: Simulates attacker approaches using risk-based methods

Who can perform Functional Security Testing?

Standard testing organizations using traditional approaches and methodologies

Who should perform Risk-Based Security Testing?

Security professionals with specialized expertise and experience in attack patterns and adversarial thinking

What is the focus of Component Level security testing?

• Begin at feature/unit level
• Mitigate risks to component assets within contextual assumptions
• Test both unauthorized misuse and access to target assets

What is the focus of System Level security testing?

• Identify intra-component failures
• Assess security risks inherent at design level
• Use data flow diagrams and inter-component documentation from risk analysis

What are the main types of malicious input attackers use?

• Register settings
• Environment variables
• File contents
• Network configuration
• Command-line arguments

What tools do attackers commonly use for input-based attacks?

• Fault injection tools
• Grammar generators
• Re-players for attack automation

What elements beyond input should security testing consider?

• Data structures and components
• APIs and program state
• Sockets, pipes, and communication channels
• Files and system registries
• Remote procedure calls (RPCs)

What are Program State vulnerabilities in time-based attacks?

• State preservation issues in stateless protocols like HTTP
• Hidden variable manipulation in URLs
• Object serialization/deserialization attacks

What are concurrency issues in time-based attacks?

• Multiple process interactions
• Shared data structure vulnerabilities
• Time-of-check time-of-use (TOCTOU) race conditions
• Multithreaded system vulnerabilities

What is the definition of Abuse Cases?

Systematic ways to think like an attacker by considering misuse cases or attack patterns that go beyond normal features and contemplate negative or unexpected events

What is the main artifact for Abuse Cases?

Requirements and use cases documentation

What does Abuse Cases explicitly cover?

• What should be protected
• From whom it should be protected
• For how long protection is needed

What is the core problem with traditional software development regarding security?

Most software design focuses exclusively on features and functions using completely functional views, leaving systems vulnerable to unexpected or abnormal behavior

What key questions should attackers ask according to abuse case methodology?

• What do I want? (Attacker goals)
• How can I accomplish my goal? (Attack vectors)

What critical security questions should defenders ask?

• What assumptions are implicit in our system?
• What could make our assumptions false?
• What attack patterns might attackers employ?

What is the primary methodology for creating abuse cases?

Informed brainstorming that relies heavily on experience and expertise in security

Where is abuse always possible according to abuse case principles?

Abuse is always possible wherever legitimate use is possible, making all user interaction points potential attack vectors

What is the primary objective of abuse cases?

Decide and document a priori how software should react to illegitimate use

Who should develop abuse cases?

• Requirements specialists
• Security analysts working as a team

What inputs are required for abuse case development?

• Set of requirements
• Standard use cases
• List of attack patterns

What does Microsoft's STRIDE model stand for?

• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

What is the definition of a threat in security context?

A threat is an actor or agent who carries out an attack, not vulnerabilities or risks themselves

What are anti-requirements?

The things that you don't want your system to do, providing insight into how attackers can abuse your system

What are the steps for creating an attack model?

• Start with requirements and threat lists
• Cycle through known attacks systematically
• Evaluate applicability to your specific system
• Select relevant attack patterns for abuse case development

What determines the effectiveness of abuse cases?

• Team experience with actual software exploits
• Knowledge of real-world computer security attacks
• Understanding of current attack trends and methodologies

What is the main artifact for Security Requirements?

Requirements documentation with security explicitly worked into the requirements level

What does Security Requirements cover?

• Functional security mechanisms
• Emergent security characteristics

What are examples of functional security requirements?

• Authentication mechanisms
• Authorization controls
• Encryption specifications
• Audit logging requirements
• Input validation specifications

What are examples of emergent security characteristics?

• System resilience properties
• Security performance requirements
• Availability specifications
• Integrity maintenance requirements

What should Service Level Agreements (SLAs) include for vendor accountability?

• Proper implementation of security features
• Verification that known security flaws are absent
• Passing third-party validation and verification security tests
• Use of source code analysis tools

What is the main artifact for Security Operations?

Fielded system in production environments

What does Security Operations focus on?

• Monitoring system usage in operational environments
• Combining network-centric and software-specific operations

What does Security Operations provide to the development process?

• Real-world attack pattern identification
• Security control effectiveness measurement
• Vulnerability discovery in production
• Input for future risk analysis and abuse case development

What is the purpose of External Analysis?

• Independent assessment of security measures
• Fresh perspectives on potential vulnerabilities
• Validation of internal security efforts
• Expert review from specialized security professionals

Why does External Analysis matter?

• Provides objectivity that internal teams may lack
• Brings specialized security expertise
• Offers fresh perspective from outsiders
• Validates effectiveness of security measures

What characterizes the gap between security and development teams?

• Software developers lack security domain knowledge
• Security professionals lack understanding of software development
• Security professionals rarely involved directly in major development projects

How does the touchpoints framework bridge the security-development gap?

• Provides concrete activities both groups can understand
• Creates shared vocabulary and processes
• Establishes clear integration points in development lifecycle

What does SAST stand for and what does it do?

Static Application Security Testing - analyzes source code or bytecode from the inside out to find issues and flaws

What does DAST stand for and what does it do?

Dynamic Application Security Testing - tests a running application's exposed interfaces looking for vulnerabilities and flaws

What does IAST stand for and what does it do?

Interactive Application Security Testing - leverages information from inside the running application including runtime requests, data flow, and control flow to find vulnerabilities accurately

What does RASP stand for and what does it do?

Runtime Application Security Protection - a security tool plugged into an application or runtime environment to protect even if perimeter defenses are breached

What makes the seven touchpoints framework successful?

• Provides manageable number of simple, well-defined activities
• Integrates throughout the software development lifecycle
• Offers practical applicability across different development methodologies

What are the key takeaways from the touchpoints framework?

• Security must be integrated throughout development lifecycle
• Requires both white hat and black hat thinking
• Must be grounded in actual risk analysis and attack patterns
• Needs both development and security expertise working togethe