Official (ISC)² CSSLP - Domain 3: Secure Software Design CORRECTLY ANSWERED LATEST 2023
3-Tier architecture
A form of distributed computing in which client intelligence is moved to a middle tier so that stateless clients can be used.

Client-server architecture
A form of distributed computing in which client code contacts the server for data, then formats and displays it to the user. Input from the client is committed back to the server when it represents a permanent change.

Cloud computing
A computing model that enables convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Defense-in-depth
A security principle in which multiple layers of controls and risk-mitigation countermeasures are incorporated so that there is no single point of complete compromise.

Discretionary Access Control
A means of restricting access to objects based on the identity of subjects and groups to which they belong. The controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission on to another subject.

Economy of mechanism
A security principle that states that the more complex the design is, the more likelihood there is of vulnerabilities; keeping the software design small and simple decreases attack surface and has fewer weak links.

Enterprise service bus
A software architecture model used for designing and implementing the interaction and communication between mutually interacting software applications in Service-Oriented Architecture (SOA).

Federation
An authentication design approach that extends SSO to enterprises, allowing an individual to log into one site and access services at another affiliated site without having to log in each time or re-establish an identity.

Infrastructure-as-a-Service
A cloud computing service model that provides infrastructure components.

Least common mechanism
A security principle in which mechanisms common to more than one user/process are not shared.

Least privilege
A security principle in which any user/process is given only the necessary, minimum level of access rights (privileges) explicitly, for the minimum amount of time, in order for it to complete its operation.

Mandatory access control
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects. A policy-based means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (access control privileges) of subjects to access information of such sensitivity.

SaaS
Software-as-a-Service: A cloud computing service model that provides software applications.

Secret writing (covert)
A confidentiality technique that hides information within itself or in some other media or form.

Secret writing (overt)
A confidentiality technique that makes information humanly indecipherable or unintelligible even if disclosed.

Service-oriented architecture
A form of distributed computing in which functionality and processes are abstracted and exposed as interoperable services.

Software-as-a-Service
A cloud computing service model that provides software applications.

Written for
- Institution
- CSSLP
- Course
- CSSLP
Document information
- Uploaded on
- 31 December 2022
- Number of pages
- 2
- Written in
- 2022/2023
- Type
- Exam (elaborations)
- Contains
- Questions and answers