Secure Software Design Study Guide - C706 Questions and Answers with Verified Solutions
Three (3) Tier - ✔✔Removes the business logic from the client end of the system. It generally
places the business logic on a separate server from the client. The data access portion of the
system resides separately from both the client and the business logic platform.
T-MAP - ✔✔Defines a set of threat-relevant attributes for each layer or node. These can be
classified as probability-relevant, size-of-loss relevant, or descriptive. These are primarily
derived from Common Vulnerability Scoring System (CVSS). USC's Threat Modeling based on
Attacking Path analysis is a risk management approach that quantifies total severity weights
of relevant attacking paths for COTS-based systems. Its strengths lie in its ability to maintain
sensitivity to an organization's business value priorities and IT environment, to prioritize and
estimate security investment effectiveness and evaluate performance, and to communicate
executive-friendly vulnerability details as threat profiles to help evaluate cost efficiency.
Trike - ✔✔An open source conceptual framework, methodology, and tool set designed to
auto-generate repeatable threat models. Its methodology enables the risk analyst to accurately
and completely describe the security characteristics of the system, from high-level architecture
to low-level implementation details. It also requires building a defensive model of the subject
system.
SDL Threat Modeling Tool - ✔✔This free tool, built on Microsoft Visio, lets users construct
graphic representations of the system without requiring expertise in security. It can also
graphically represent a software system and identify its vulnerabilities.
Vulnerability Mapping - ✔✔Used to determine the most likely locations within the system
in development where an attacker will strike. This is done in the design phase of the SDLC.
V3 - ✔✔The highest level of vulnerability. This is a very likely target for an attacker, such as free
text input in a form. These are the highest priority for a security plan for the system, and they should
all be mitigated and accounted for by established control systems in development.
V2 - ✔✔A moderate-level vulnerability. These are possible but not probable targets. They
include inter-process communications on the server or traffic within the trust boundary of the
system. Eavesdropping is the most significant risk in this situation. These vulnerabilities should
always be mitigated in the system, but in a trade-off analysis, strict control may not be
necessary as long as a procedure is in place to fail safely and protect any private or confidential
data.
V1 - ✔✔The lowest priority level of vulnerability. These are unlikely venues of attack with little
risk if they are exploited. Failing safely is the most important concern at this level, because the
data associated with this vulnerability has no value and the process involved is not mission
critical, such as a transmission failure in an HTML header coming from the system; the highest
risk is that the customer will not properly see the page and it would have to be reloaded. These
vulnerabilities can be largely ignored, but they should be noted in the system specification in case
functionality is altered by a later system update or interaction, because this may allow them to
become more significant.
Activity Diagram - ✔✔Capable of expressing resolution efforts to malformed input and
potential attacks in a way other documentation at the system level cannot. The caveat is that
these do not contain class calls and references; they only provide a visualization of the
process logic.
Kiviat Diagram - ✔✔Provides a visual comparison of multiple attributes and can visualize
and report the information on a single artifact based on monitored information.
Identify the Assets - ✔✔A threat model process that allows the company to identify the
part that needs to be protected from unauthorized users.
Agile Model - ✔✔Describes a set of principles for software development under which
requirements and solutions evolve through the collaborative effort of self-organizing
cross-functional teams. It promotes adaptive planning, evolutionary development, early delivery,
and continuous improvement, and it encourages rapid and flexible response to change. It supports
the definition and continuing evolution of many software development methods, avoids heavyweight
life cycle activities, and focuses on build-a-little, test-a-little, and field-a-little. It also
supports informal communication and incremental design.