Reference validation mechanism and toe security functions

Assignment Help Computer Network Security
Reference no: EM13879274

Part I:

1. There are three Parts

2. For the descriptive questions (Parts II and III), you should provide answers in your words.

However, when you use the words of others in any answers, you must use quotation marks and attribute the source right there following APA style recommendations.

You must provide a separate reference section for each descriptive question following APA style recommendations.

For the descriptive questions, correctness, logical flow, grammar, and proper references are all important in that order.

3. You may use any resources in addition to the textbook, such as other books, articles, and the Web.

Part I: Multiple Choice questions

1. What is software assurance?

a. a methodology that provides the framework for secure software b. a tool that can be used to produce secure software c. a theorem prover technique to produce secure software d. a CMMI process to produce reliable software

2. What are two ways a developer can sustain secure code during software maintenance?

a. Create a Change Control Board and conduct threat analysis on each change request. b. Go to training for advanced hacking techniques and read journals on security topics. c. Work closely with the business analysts with each requirement and continue with the peer reviews. d. Read journals and web sites that repot on latest attacks.

3. Validation is the process to ensure that:

a. the requirements meet the needs. b. the design meets the requirements. c. the implementation meets the requirements. d. the implementation faithfully satisfies the design.

4. Verification is the process to ensure that:

a. the requirements meet the needs. b. the design meets the requirements. c. the implementation meets the requirements. d. the implementation faithfully satisfies the design.

5. The NRL taxonomy classifies flaws using multiple dimensions that include (choose all that apply):

a. where the flaw occurs b. the programmer who introduced the flaw c. the organization that introduced the flaw d. the time the flaw was introduced

6. Having a software assurance plan ensures which of the following?

a. secure code b. that a process is in place within the development life cycle that tests for security vulnerabilities c. that the software is safe from attacks d. that the development has tested for security vulnerabilities before releasing the software product

7. Which of the following defines a functional test script?

a. a document created by the project management team that specifies what needs to be tested, how to test, and who test it b. step-by-step instructions that are specifically created for testing the security of the application c. step-by-step instructions that depict a specific scenario or situation that the use case will encounter as well as the expected result d. a document that contains test output

8. Which of the following is not a technique for secure coding?

a. validating request data b. error handling c. self-monitoring d. diversity e. minimizing number of lines of code

9. Which tool will help in the following situation? There are five developers on the team and they have trouble synchronizing their code. Currently, they are emailing their files and merging them ad hoc.

a. IDE b. Version Control c. Build Tool d. Merge Tool

10. Which tool will help analyze the following situation? The application seems to take longer to reply after the code executes the database calls

a. IDE b. Debugger c. Profiler d. Memory Monitor

11. Why should developers collaborate with business analysts?

a. Refine system requirements including security requirements while creating design documentation as each requirement is discussed. b. Look for weaknesses and unknowns in the requirements documentation. c. Get tips for secure coding. d. Install and configure development tools

12. To help understand a use case, the developer walks through each step of tasks and activities and makes sure all relevant requirements are covered. What is this type of analyzing called?

a. Thinking like the application b. Use case interrogation c. Subjective analysis d. Objective analysis

13. As a developer of application, what is the most relevant element you should know about an attack?

a. Who the attacker is. b. What motivates the attacker. c. What preconditions in the applications have to be met for the attacker to succeed. d. Where did the attack originate from.

14. Into which of the eight design principles by Saltzer and Schroeder does the following design fit? The developers should design their code so that proper authorization is checked when the initial request is sent to the server and again when the response is sent back to the client.

a. Fail-safe b. Complete mediation c. Least privilege d. Keep it simple

15. Into which of the eight design principles by Saltzer and Schroeder does the following design fit? The developers designed their code so that no update transaction can execute unless the request comes from a security administrator who is using the update screen from application xxx

a. Fail-safe b. Complete mediation c. Keep it simple d. Least privilege

16. To address failing securely, what should be built into the code (choose all that apply)?

a. Proper error handling b. Self-detection of a failure c. Separation of GUI requirements from database requirements d. Separation of GUI requirements from business requirements

17. When software development goes through all stages, a small chunk of requirements at a time, it is said to be coded using what methodology?

a. Waterfall b. Object-oriented c. Spiral d. Iterative

18. When software development goes through all stages from start to finish in one swoop, it is said to be coded using what methodology?

a. Waterfall b. Object-oriented c. Spiral d. Iterative

19. The main goal of secure software development process is to:

a. develop code quickly b. develop efficient code c. write quality code that handles known vulnerabilities and follow good security design and coding practices d. assure that code does not have any bugs

20. The most critical step in designing an effective auditing system in an enterprise to detect security violations is:

a. have a good understanding of the attacks that could be directed at the enterprise b. have a good understanding of the computing needs of users or employees who will be using the various systems in the enterprise c. have a good understanding of the policies to be enforced d. have a good understanding of the communication requirements of various systems in the enterprise

Part II: Questions requiring a short description, no more than 1 page (double-spaced) per question

1. Bishop, Chapter 21, p. 610 - Problem # 4 - What are the conceptual differences between a reference validation mechanism, a trusted computing base, and the TOE Security Functions?

2. Bishop, Chapter 18, p. 495 - Problem # 7 - A company develops a new security product using the extreme programming software development methodology - programmers code, then test, then add more code, then test, and continue the iteration. Every day, they test the code base as a whole. The programmers work in pair when writing code to ensure that at least two people review the code. The company does not adduce any additional evidence of assurance. How will you explain to the management of this company why their software is not a high assurance software.

Part III: 1 question requiring no more than 2 pages (double-spaced). There are two secure software development methodologies that are popular:

1. Microsoft Security Development Lifecycle (see; also see the attached Simplified Implementation of the Microsoft SDL document)

2. OWASP CLASP (see; also see the attached overview presentation of CLASP)

Pick one of these two methodologies. Explain what the methodology is, how well it addresses security concerns in the life cycle and what are its drawbacks if any. Feel free to use other resources.

Verified Expert

Reference no: EM13879274

Analyze the fundamentals of pki

Analyze the fundamentals of PKI, and determine the primary ways in which its features and functions could benefit your organization and its information security department.

Calculates the hash value

Alice is able to intercept the message, and generates an alternative message that has a hash value that collides with Bob's original hash value. Show a message that Alice ma

Evaluate the strengths and weaknesses of the organizations

Evaluate the strengths and weaknesses of the organizations cybersecurity policy along attributes - Analyze the range of organizational policies (the policy framework) that are

Compute shortest path tree or implement dijkstras algorithm

Write a function compute Dijkstra(sourceID,C)' which takes as inputs the source node ID and the link cost matrix and returns the final best cost vector and the final predece

Describe the key issues or challenges from this case study

Describe the key issues/challenges/crisjs from this case study. Based on the information provided in the case study, describe and document the recommended security strategy t

Treats to a companies intellectual property

Day by day threats to a company's intellectual property have grown to an alarming rate over the years. After looking at your network security, structure there are three spec

Mitigate risk by using information security systems policies

Write a report identifying the risks associated with the current position your organization is in, and how your organization can mitigate risk by using information security

Describe the concept and function of electronic money

Identify potential solutions for these issues and evaluate their ability to protect both payers and receivers. You must remember this homework has to be plagiarism free than


Write a Review

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd