17 Cards in this Set

  • Front
  • Back
Cigital's three critical sub-processes for architectural risk analysis
1) Underlying framework weakness
2) Attack resistance analysis
3) Ambiguity analysis
Describe Cigital's Underlying framework weakness
1) Shows dependencies on toolkits and frameworks
2) How solid is the foundation?
3) How solid is the usage of the foundation?
Describe Cigital's Attack resistance analysis
1) Apply checklist of known attacks
2) Risk-based judgment of fitness
Describe Cigital's Ambiguity analysis
1) Find attacks based on how the system works
2) Expose invalid assumptions
What is BSIMM?
Building Security In Maturity Model.
The purpose of the BSIMM is to quantify the activities carried out by real software security initiatives.
BSIMM3 was published in 2011.
What is the BSIMM method?
1. We relied on our own knowledge of software security practices to create the Software Security Framework.
2. We conducted a series of nine in-person interviews with executives in charge of software security initiatives.
3. We used the same interview technique to conduct thirty-three additional BSIMM assessments.
What are BSIMM's objectives?
• Informed risk management decisions
• Clarity on what is “the right thing to do” for everyone involved in software security
• Cost reduction through standard, repeatable processes
• Increased code quality
What does BSIMM mean by a satellite?
A group of interested and engaged developers, architects, software managers, and testers who have a natural affinity for software security and are catered to and leveraged by a software security initiative.
What are the four domains of the BSIMM software security framework?
Governance, Intelligence, SSDL Touchpoints, Deployment
What is BSIMM Governance domain?
Those practices that help organize, manage, and measure a software security initiative. Staff development is also a central governance practice.
What are the 3 practices under the BSIMM Governance domain?
Strategy and metrics
Compliance and policy
Training
What is BSIMM Intelligence domain?
Practices that result in collections of corporate knowledge used in carrying out software security activities throughout the organization. Collections include both proactive security guidance and organizational threat modeling.
What are the 3 practices under the BSIMM Intelligence domain?
Attack models
Security features and design
Standards and requirements
What is BSIMM SSDL touchpoints domain?
Practices associated with analysis and assurance of particular software development artifacts and processes. All software security methodologies include these practices.
What are the 3 practices under the BSIMM SSDL Touchpoints domain?
Architecture analysis
Code review
Security testing
What is BSIMM Deployment domain?
Practices that interface with traditional network security and software maintenance organizations. Software configuration, maintenance, and other environment issues have direct impact on software security.
What are the 3 practices under the BSIMM Deployment domain?
Penetration testing
Software environment
Configuration management and vulnerability management