W3.1 - 7 Software Security Touchpoints P1

What is the primary focus of Software Security Touchpoints

A system-wide activity that spans from design to testing and feedback throughout the entire SDLC

What are the two types of activities in Software Security Touchpoints

• White Hat activities: constructive security measures
• Black Hat activities: destructive testing to identify vulnerabilities

What is the main goal of Secure SDLC

To add security-related activities to existing development processes rather than replacing them

Name the three prominent Secure SDLC models

• Microsoft Security Development Lifecycle (MS SDL)
• OWASP CLASP (Comprehensive Lightweight Application Security Process)
• NIST 800-64

What is the key economic principle for applying security

Early application of security is economically superior because fixing security issues becomes exponentially more expensive as software progresses through development phases

What are the four factors affecting touchpoint effectiveness

• Economics
• Available software artifacts
• Tool availability
• Cultural changes

What transformation must organizations make regarding security strategy

Change from reactive security strategies (fixing problems after they occur) to proactive secure development (preventing problems during development)

List all seven Software Security Touchpoints

• Code Review
• Architectural Risk Analysis
• Penetration Testing
• Risk-based Security Testing
• Abuse Cases
• Security Requirements
• Security Operations

What is the primary artifact and focus of Code Review touchpoint

• Artifact: Source code
• Focus: Detecting implementation bugs using static analysis tools

What is the key difference between programming bugs and security bugs

• Programming bugs: caught by compilers with immediate feedback
• Security bugs: may remain dormant for years and have potentially much higher costs

What are the main characteristics of Manual Peer Code Review

• Tedious and error-prone
• Requires experts with attacker mindset
• Can identify subtle logical flaws
• Provides context and domain knowledge

What are the advantages of Static Analysis Tools

• Identify common coding problems systematically
• Faster than manual review for large codebases
• Consistent application of security rules
• Can process millions of lines efficiently

What is the optimal review volume according to best practices

Review fewer than 200-400 lines at a time to optimize vulnerability detection at 70-90% effectiveness

What is the recommended inspection rate for code review

Less than 300-500 lines of code per hour because faster is not better for detecting vulnerabilities

What is the maximum time limit for code review sessions

No more than 60-90 minutes at a time because efficiency drops significantly after one hour of intense work

Why should developers annotate their code

• Encourages self-reflection and double-checking
• Reduces number of vulnerabilities before review
• Improves code documentation

What types of metrics should be established for code review

• External metrics: reduced support calls and security incidents
• Internal metrics: inspection rate defect rate and defect density

What is the most important cultural rule for peer code reviews

Peer code reviews should never be used for performance evaluation to maintain a positive culture

What percentage of code should be reviewed according to best practices

At least 20-33% of code should be reviewed to maintain effectiveness and encourage good coding habits

How do static analysis tools work

• Look for fixed sets of patterns or rules
• Use syntactic matches lexical analysis and flow analysis
• Examine control flow call chains and data flow

What are false negatives and false positives in static analysis

• False negatives: real vulnerabilities that tools miss
• False positives: reported issues that aren't actual vulnerabilities

What is the difference between sound and unsound static analysis tools

• Sound tools: given assumptions produce no false negatives
• Unsound tools: may miss some vulnerabilities but are more practical (most commercial tools)

What are the advantages of source code analysis over binary code analysis

• Easy to identify flaw locations
• CPU independent
• Language dependent but fixes can be applied directly
• Usually first-party internal analysis

What are the advantages of binary code analysis over source code analysis

• Language independent
• Environment independent
• Can analyze third-party components
• CPU dependent but works with compiled code

Why are manual reviews still necessary despite automated tools

• Find defects that tools miss
• Provide broader scope beyond just code
• Give context to tool reports
• Validate tool findings
• Provide intangible benefits like mentoring

What is the primary artifact and focus of Architectural Risk Analysis

• Artifact: design and specification documents
• Focus: identifying design flaws that account for 50% of security problems

Why can't design flaws be identified by code review

Design flaws require higher-level understanding of software architecture and cannot be detected by examining individual code implementations

What is the difference between Risk Analysis and Risk Management

• Risk Analysis: identifying and ranking risks at specific SDLC stages
• Risk Management: comprehensive activity spanning multiple analyses tracking risks and strategic mitigation

What is the fundamental risk equation

Risk equals Probability multiplied by Impact

What are Project Risks in software development

Risks that threaten the project plan including:
• Resource problems
• Schedule issues
• Stakeholder problems
• Technical risks affecting quality and schedule

What are Business Risks in software development

Risks that threaten software viability including:
• Market misalignment
• Business evolution
• Marketing challenges
• Loss of management support
• Resource loss

What are the common themes in risk analysis

• Continuous process of identification ranking and mitigation
• Integration with requirements and testing
• Focus on business impact
• Consideration of human factors and assumptions

List the seven steps of the prototypical risk analysis approach

• Learn about the target system
• Discuss security issues
• Determine probability of compromise
• Perform impact analysis
• Rank risks
• Develop mitigation strategy
• Report findings

What does the STRIDE acronym stand for

• Spoofing: impersonating someone or something else
• Tampering: modifying data or code
• Repudiation: claiming not to have performed an action
• Information disclosure: exposing information to unauthorized parties
• Denial of service: making systems unavailable
• Elevation of privilege: gaining unauthorized capabilities

What is the core question that STRIDE threat modeling addresses

What can go wrong in this system we're working on

What are the three major aspects of knowledge required for architectural risk analysis

• Attack resistance analysis
• Ambiguity analysis
• Weakness analysis

What is the purpose of Attack Resistance Analysis

To capture checklist-like approach using information about known attacks attack patterns and vulnerabilities

What are the four steps of Attack Resistance Analysis

• Identify general flaws using secure design literature and checklists
• Map attack patterns using abuse cases or attack pattern lists
• Identify risks in architecture based on checklists
• Understand and demonstrate viability of known attacks

What is the limitation of Attack Resistance Analysis

It is not good at capturing new or novel attacks that aren't in existing knowledge bases

What is the purpose of Ambiguity Analysis

To capture creative activity required to discover new risks through multiple analyst perspectives

What does Ambiguity Analysis help uncover

• Ambiguity and inconsistency in requirements
• Downstream implementation difficulties
• Overly complex architectural decisions

What is the main challenge of Ambiguity Analysis

It requires a team of experienced analysts making it resource-intensive

What is the purpose of Weakness Analysis

To understand the impact of external software dependencies on system security

What does SBOM stand for and why is it important

Software Bill of Materials which is critical for tracking dependencies in modern software built on complex middleware frameworks

What are the six areas to consider in Weakness Analysis

• COTS (Commercial Off-The-Shelf components)
• Frameworks
• Network topology
• Platform dependencies
• Physical environment
• Build environment

What are the core questions for Weakness Analysis

• What assumptions are you making about external software
• What happens when those assumptions fail or are violated
• How do dependencies affect security posture
• What supply chain risks exist

What are examples of COTS components to analyze

• OpenSSL library
• SolarWinds
• Third-party commercial components
• Open source libraries

What are examples of framework dependencies

• Android platform
• J2EE framework
• .NET framework
• Development and runtime platforms

What are examples of network topology risks

• DNS hijacking
• BGP attacks
• Infrastructure dependencies
• Network trust assumptions

What are examples of platform dependency risks

• Touch ID vulnerabilities
• Hardware security modules
• Operating system services
• Hardware-specific features

What are examples of physical environment risks

• Square 1.0 card reader vulnerabilities
• Physical access controls
• Environmental security assumptions

What are examples of build environment risks

• XcodeGhost malware in development tools
• Compromised development tools
• Build system integrity issues

What cloud computing considerations are important for Weakness Analysis

• Understanding service dependencies
• Knowing service expectations
• Planning for service failure modes
• Assessing cloud service security

What critical knowledge areas are needed for effective architectural risk analysis

• Attack patterns and exploit graphs for attack resistance analysis
• Design principles for ambiguity analysis
• Framework security issues for weakness analysis

Why should newbies not be tasked with architectural risk analysis

It requires:
• Significant security experience
• Deep understanding of attack methods
• Knowledge of system architecture principles
• Ability to think like an attacker
• Understanding of business impact

What is the key takeaway about the economic motivation for security touchpoints

Early security investment is far more cost-effective than post-deployment fixes

What is the relationship between manual and automated security approaches

Both methods have complementary strengths and limitations making both necessary for comprehensive security

Why is expertise requirement critical for security touchpoints

Effective security analysis requires experienced practitioners particularly for architectural risk analysis

What is the nature of security as a process

Security is not a one-time activity but requires ongoing attention throughout development and operations

How must technical security measures align with business

Technical security measures must align with business goals and risk tolerance to be effective