Overview of Software Security

Description and Tags

Flashcards reviewing key concepts related to software security, its importance, terminology, risk management, and integrating security into the Software Development Lifecycle.

16 Terms

1. What is software security?

Engineering software so that it continues to function correctly under malicious attack.

2. Why is software security important?

Most software systems today are insecure and contain numerous flaws and bugs that attackers exploit.

3. What are defects in software security?

Implementation vulnerabilities and design vulnerabilities.

4. What is the difference between bugs and flaws?

Bugs are implementation-level errors, while flaws are problems at a deeper design level.

5. What is a risk in the context of software security?

The probability that a flaw or bug will impact the purpose of the software, calculated as risk = probability x impact.

6. What are the three pillars of software security?

Risk management, touchpoints, and knowledge.

7. What are common reasons for insecure software?

Lack of education in secure methods, lack of integration with the OS, lack of testing, and poor development environments.

8. What activities are included in the Risk Management Framework (RMF)?

Understanding business context, identifying risks, prioritizing risks, and implementing risk mitigation strategies.

9. What is the purpose of architectural risk analysis?

To track risk over time and link system-level concerns to probability and impact measures.

10. What is an abuse case in software security?

Determining what the software can't and won't do, anticipating abnormal behaviors.

11. What should security requirements satisfy?

They must be explicitly defined, consider assumptions about system behavior, and meet defined security goals.

12. What is the role of security operations in software security?

To integrate software security with network security operations by understanding software behavior to prevent successful attacks.

13. What is the goal of integrating security into each phase of the Software Development Lifecycle (SDLC)?

To ensure that security considerations are embedded from planning to maintenance.

14. What are key practices during the implementation phase of the SDLC?

Educating developers on secure coding practices and implementing regular security-focused code reviews.

15. What should be done during the maintenance phase of software security?

Keep software and dependencies updated and develop an incident response plan.

16. What are the goals of risk-based security testing?

To test areas of code where an attack is likely to succeed and to identify and rank risks based on a risk-based approach.