BSIMM
Building Security In Maturity Model. Descriptive model built from observed real-world software security initiatives; used to benchmark an organization's program against its peers.
SAMM
Software Assurance Maturity Model (OWASP). Prescriptive framework: defines the practices and maturity levels an organization should work toward.
Key Distinction
BSIMM is descriptive (what organizations actually do) vs SAMM is prescriptive (what you should do).
Governance
Strategy, compliance, training programs.
Intelligence
Attack models, security features, standards research.
SSDL Touchpoints
Hands-on security activities such as code review and testing.
Deployment
Penetration testing, software environment, configuration management and vulnerability management.
STRIDE
Threat modeling framework.
Spoofing
Identity impersonation attacks.
Tampering
Unauthorized data modification.
Repudiation
An actor denies having performed an action; countered with audit logging and non-repudiable evidence such as digital signatures.
Information Disclosure
Unauthorized data access.
Denial of Service
Service availability attacks.
Elevation of Privilege
Unauthorized access escalation.
DREAD
Risk scoring model. Damage, Reproducibility, Exploitability, Affected users, Discoverability
Ternary Scale
High=3, Medium=2, Low=1.
Damage
Potential impact severity.
Reproducibility
How easily an attack can be repeated.
Exploitability
Effort and skill needed to carry out the attack; an attack that is easier to execute scores higher.
Affected users
Scope and number of impacted users.
Discoverability
How easy a vulnerability is to find.
Total Score Interpretation
13-15 points = High Risk, 8-12 points = Medium Risk, 5-7 points = Low Risk.
PASTA
Process for Attack Simulation and Threat Analysis.
Seven-Stage Methodology
Define Objectives, Define Technical Scope, Application Decomposition, Threat Analysis, Vulnerability and Weakness Analysis, Attack Modeling, Risk and Impact Analysis.
Microsoft Threat Modeling
Four-Step Process: Diagram, Identify, Mitigate, Validate.
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation.
Three Phases of OCTAVE
Phase 1: Build asset-based threat profiles, Phase 2: Identify infrastructure vulnerabilities, Phase 3: Develop security strategy and plans.
TRIKE
Risk-based threat modeling methodology: derives acceptable risk levels per asset from a requirements model, then models threats against them.
SDL Phases
Includes A1: Security Assessment, A2: Architecture, A3: Design and Development, A4: Design and Development (readiness), A5: Ship.
Static Analysis
Code examination without execution
Dynamic Analysis
Testing while program executes
White-box Testing
Full access to source code/docs
Gray-box Testing
Limited internal knowledge
Black-box Testing
External perspective only
Functional Testing
Validates application requirements compliance
Unit Testing
Individual component testing
Integration Testing
Component interaction testing
Regression Testing
Ensures changes don't break existing functionality
Security Testing Tools
Tools used for security testing
SonarQube
Static code analysis (SAST)
OWASP ZAP
Dynamic application security testing (DAST)
Burp Suite
Web application security testing
Every-sprint Requirements
Applied continuously (input validation, authentication)
Bucket Requirements
Triggered by specific technologies (RPC fuzz testing)
One-time Requirements
Implemented once per project (initial architecture)
Final Security Review Requirements
Pre-release validation activities
SDL Project Outline
Security milestones integrated with development schedule
Policy Compliance Analysis
Verification of adherence to organizational security rules
Threat Modeling Artifacts
Updated data-flow diagrams and threat lists reflecting newly identified threats and their mitigations
Security Strategy for M&A
Framework for integrating acquired products
Final Security Review Outcomes
Passed; passed with exceptions (open issues tracked and fixed in a later release); or not passed, with escalation for an executive decision
Principle of Least Privilege
Users get minimum necessary access
Role-Based Access Control (RBAC)
Access based on user roles
Separation of Duties
Multiple people required for critical tasks
Defense in Depth
Multiple layers of protection
Input Validation
Verify user input meets expected criteria (type, size, range)
Output Encoding
Prevent XSS by encoding special characters (<, >, ", ', &)
Parameterized Queries
Prevent SQL injection by separating code from data
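The three cards above (input validation, output encoding, parameterized queries) are easiest to see side by side in code. The following is an added example, not part of the original deck: a constructed in-memory SQLite user table, a lookup built by string concatenation next to its parameterized form, an allow-list username check (the 3-32 character `[A-Za-z0-9_]` policy is an assumption), and HTML output encoding of a user-supplied name.

```python
"""Added example (not from the original deck): input validation, SQL
parameterization and output encoding on a constructed user lookup."""
import html
import re
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Assumed validation policy: usernames are 3-32 chars of [A-Za-z0-9_].
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db():
    """Build an in-memory table holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: attacker-controlled text becomes SQL code."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Placeholder binding: the driver passes name as data, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def validate_username(name):
    """Allow-list check; reject anything outside the expected shape."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def render_greeting(name):
    """Output encoding for an HTML body context: <, >, ", ', & are escaped."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run the classic tautology payload through both lookups."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        # The concatenated query becomes ... WHERE name = 'x' OR '1'='1'
        # and returns every row.
        "vulnerable": lookup_vulnerable(conn, payload),
        # The bound parameter is compared literally and matches nothing.
        "parameterized": lookup_parameterized(conn, payload),
        # A legitimate name still works through the safe path.
        "legit": lookup_parameterized(conn, "alice"),
        # Validation would have rejected the payload before it reached SQL.
        "validation_rejects": USERNAME_RE.fullmatch(payload) is None,
        "encoded": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Validation and parameterization are complementary, not alternatives: the allow-list rejects malformed input early, while placeholder binding keeps the query safe even for fields (such as free-text comments) where a strict allow-list is impossible. Encoding is applied at output time, per context; the `html.escape` call here is right for an HTML body and would not be sufficient inside a JavaScript string or a URL.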
Cryptographic Practices
Use vetted, standard algorithms and libraries (AES, RSA, SHA-256); never design or implement your own primitives
System Configuration
Maintain latest approved versions of all components
Default Account Management
Disable/remove default credentials immediately
Communication Security
Encrypt all data in transit with TLS (1.2 or later); SSL and early TLS versions are deprecated
Weak Passwords
Classic rule: enforce complexity (8+ chars, upper, number, special). Note that NIST SP 800-63B instead favors length (8-character minimum, allow much longer), screening against breached-password lists, and MFA over composition rules
Session Management
Proper timeouts and session handling
Weak Hashing
Use strong, salted hashing (bcrypt, Argon2, scrypt)
Default Configurations
Change all default settings and credentials
Key Management
Proper encryption key storage and rotation
PSIRT workflow
Fix development comes before customer notification.
ISO 27001
Information Security Management Systems standard.
CVE
Common Vulnerabilities and Exposures naming system.
OWASP
Open Worldwide Application Security Project (formerly Open Web Application Security Project).
SDL
Security Development Lifecycle.
SAST
Static Application Security Testing.
DAST
Dynamic Application Security Testing.
XSS
Cross-Site Scripting.
CSRF
Cross-Site Request Forgery.
RBAC
Role-Based Access Control.
MFA
Multi-Factor Authentication.
TLS
Transport Layer Security.
AES
Advanced Encryption Standard.
CI/CD
Continuous Integration/Continuous Deployment.
DevSecOps
Development, Security, and Operations integration.
RACI
Responsible, Accountable, Consulted, Informed matrix.
Threat Modeling
Systematic threat identification process.
Penetration Testing
Simulated cyber attack testing.
Vulnerability Assessment
Security weakness identification.
Code Review
Source code security examination.
Least Privilege
Minimum necessary access principle.
Fail Safe
Fail securely: on error or exception the system denies access by default rather than granting it.
Zero Trust
Never trust, always verify model.
Threat Modeling
A2: initial threat model; A3: updated artifacts. Approaches: STRIDE vs PASTA vs DREAD.
Policy Compliance Analysis
A2: initial analysis; A3: updates; A4: compliance review; A5: final analysis.
Security Testing
A3: test planning; A4: test execution; A5: final testing.
Privacy Activities
A3: implementation assessment; A4: validation and remediation; A5: final review.
Risk Mitigation
A2: risk mitigation plan; A3: test plans to mitigate risk.
Software Security Architect
Design secure frameworks. Creates secure coding practices, methodologies.
Security Champion
Advocate/promote. Promotes security within development teams.
Scrum Master
Facilitate process. Removes impediments, facilitates ceremonies.
Software Developer
Implement features. Writes code, attends ceremonies.
SDLC
SDLC = Software Development Lifecycle