Information and Software Security

Last updated 3:36 PM on 11/4/25
55 Terms

5. What does the model train example illustrate in Domain Driven Design (DDD)?
   That a model is a simplification of reality that focuses on essential aspects.

6. What is a context map used for in DDD?
   To identify dependencies between different parts (bounded contexts) of the system.

7. What is a security requirement?
   A representation of the expected security level of the system in relation to threats.

8. What are abuse or misuse cases used for?
   To identify potential attacks by thinking like an attacker.

9. What are attack trees used for?
   To identify possible attacks and infer security requirements.

10. What is the main purpose of penetration testing?
    Simulating attacks to identify security weaknesses.

11. What is a limitation of penetration testing?
    Fixing discovered weaknesses late in development can be very costly.

12. How does software security penetration testing differ from system penetration testing?
    It focuses on finding vulnerabilities in the software itself.

13. What is the main difference between functional and risk-based security testing?
    Functional testing tests security features

14. How can risk-based testing be integrated with the SDLC?
    Its results can be used as input for penetration testing and code review.

15. What is the goal of Security Operations (SecOps)?
    To ensure the system is secure and resistant to attacks in production.

16. What is a common pitfall in software security?
    Focusing too much on penetration testing late in the development cycle.

17. Why is top management support important for software security success?
    Because security requires resources that leadership must prioritize and allocate.

18. What is the OWASP Top 10?
    A list of the ten most common security weaknesses in web applications.

19. What is OWASP ASVS?
    A guide for developers to build secure web applications.

20. What is the main difference between BSIMM and OpenSAMM?
    BSIMM is descriptive (observations)

21. Why must security champions stay motivated?
    They lose interest if they don’t see the value of their work.

22. What is an SBOM (Software Bill of Materials)?
    A detailed list of all components and dependencies in a software project.

23. What is the main purpose of Dependency-Track?
    To continuously monitor software components for vulnerabilities.

24. What is Schneier’s Law?
    Anyone can create an encryption algorithm they themselves cannot crack.

25. What is the purpose of Software Composition Analysis (SCA)?
    To identify and manage third-party or open-source components in software.

26. What is the goal of SCA and SBOM together?
    To improve transparency and visibility in the software supply chain.

27. What is the avalanche effect in hashing?
    A small change in the input produces a completely different output.

28. What is the primary security flaw in HTTP Basic Authentication?
    Passwords are transmitted as plaintext.

29. What does the principle of Default Deny mean?
    Only explicitly allowed access is permitted.

30. In which phase of the Secure Software Development Lifecycle (SSDL) are SAST and DAST used?
    During the Development phase.

31. What is the main weakness of the Caesar Cipher?
    The keyspace is limited to the number of alphabet letters.

32. How often should an organization think about security?
    Continuously.

33. What are the three main SBOM formats?
    SPDX

34. What are Mikko Hyppönen’s recommendations for ransomware?
    Don’t pay the ransom; Make backups.

35. What are Howell’s steps to developing security champions?
    Recruit and select champions; Coach for skill development; Guide for career development.

36. What should a risk-based testing plan include?
    Prioritization based on risk

37. What should be in a security incident contingency plan?
    Contact info for key personnel

38. What are the BSIMM framework domains?
    Governance

39. Which statements about Microsoft SDL are correct?
    Originally waterfall-focused; included security training; result of Bill Gates’ Trustworthy Computing memo.

40. Which statements about security in Agile development are correct?
    Agile is no excuse for skipping security; static analysis tools improve quality; Protection Poker estimates security workload.

41. Which actions improve software supply chain security?
    Establish SBOM; Implement Security Champions; Use SCA to manage dependencies.

42. What are correct security principles?
    Least privilege; Defense in depth.

43. What are true statements about SAST?
    Analyzes source code without running it; finds vulnerabilities; can produce false positives; gives quick feedback.

44. What does Privacy by Design mean?
    Privacy considerations are built into system design and development from the start.

45. What does the GDPR principle of data minimisation mean?
    Only collect and process personal data necessary for a specific purpose.

46. Which standard must NoMetronome follow when handling credit card data?
    PCI DSS (Payment Card Industry Data Security Standard).

47. What are the main elements of the NoMetronome system DFD?
    Users

48. What does STRIDE stand for?
    Spoofing

49. How do you start a STRIDE threat modelling exercise?
    Create a DFD

50. Example of an attack tree (NoMetronome)?
    Root: Steal credit card info → Access payment DB (SQL Injection

51. What is the significance of the Secure Software Development Lifecycle (SSDL)?
    It integrates security throughout development

52. What is the principle of Defense in Depth?
    Use multiple layers of protection so if one fails

53. How are cryptographic hash functions used for security?
    To ensure data integrity and to securely store passwords using salted hashes (e.g.

54. Why are default credentials dangerous?
    They allow attackers to gain unauthorized access if not changed; mitigation: disable or force password change.