ID: 3663660 • Letter: Q
Question
Questions
1) Consider a small business employer who writes web application software for other small businesses. Their approach to security is to perform penetration testing before product release using tools such as Vega, OWASP ZAP, and w3af. When the tools find no more vulnerabilities, the owner ships the software and claims a high level of security for his products. Do you agree? Why or why not? What are the benefits and drawbacks to his approach? If you were running the business, what (if any) additional steps would you take and why?
2) Consider the standard software development lifecycle contrasted against a secure software development lifecycle of your choice (e.g. SDL, BSIMM, OpenSAMM). What are the similarities in the lifecycles? What additional activities take place in a secure development lifecycle? Which, in your opinion, are the most critical additional activities and why?
3) Consider the scenario of a user logging in to a web application for e-commerce. Using the Microsoft SDL Threat Modeling Tool (downloadable from http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx), do the following:
a) Create a context diagram for the application
b) Create a level 1 diagram for the login process
c) Apply STRIDE to the data flows between the user and the login process only (or else you'll spend too much time).
d) Show your results from a-c above and explain what you learned through the process.
Explanation / Answer
1. Yes, being a software engineer, I do agree with testing. Testing is a 100% must, and your software / testing techniques are also great.
2.) You may opt for Agile models; they are more suitable at a professional level.
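Worked example for part 3(c), added here and not part of the question or the answer above: a small script that encodes a level-1 data flow diagram of the login scenario and walks the STRIDE-per-element chart used in the Microsoft SDL approach (external entity: S, R; process: all six; data flow: T, I, D; data store: T, I, D, plus R when the store holds audit data). The element names, trust zones and mitigation wording are assumptions made for illustration, not output of the SDL tool. It flags flows that cross a trust boundary, which is where the user-to-login flows land, and it can restrict the walk to exactly those flows as part (c) asks.

```python
"""STRIDE-per-element walk over a level-1 DFD of an e-commerce login.

Added example (not from the question, the answer, or the SDL tool).
The DFD, zone names and mitigation text below are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"


# STRIDE-per-element chart: categories considered for each element kind.
# Repudiation is added to a data store only when it holds audit/log data.
PER_ELEMENT = {Kind.EXTERNAL: "SR", Kind.PROCESS: "STRIDE", Kind.STORE: "TID"}
PER_FLOW = "TID"

CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Security property each category attacks, and the control to ask for (assumed wording).
MITIGATIONS = {
    "S": "authentication (credential verification, MFA, session bound to the login)",
    "T": "integrity (TLS on the flow, server-side validation of submitted fields)",
    "R": "non-repudiation (tamper-evident audit log of login events)",
    "I": "confidentiality (TLS, no credentials in URLs or logs, salted password hashing)",
    "D": "availability (rate limiting, resource quotas, careful lockout policy)",
    "E": "authorization (least privilege, server-side access checks after login)",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str                       # trust zone the element sits in
    holds_audit_log: bool = False


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        # A flow between two zones crosses a trust boundary in the DFD.
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool

    def describe(self) -> str:
        flag = " [crosses trust boundary]" if self.crosses_boundary else ""
        return f"{self.target}: {CATEGORY_NAMES[self.category]}{flag} -> {MITIGATIONS[self.category]}"


def threats_for_element(e: Element) -> list[Threat]:
    cats = PER_ELEMENT[e.kind]
    if e.kind is Kind.STORE and e.holds_audit_log:
        cats += "R"
    return [Threat(e.name, c, False) for c in cats]


def threats_for_flow(f: Flow) -> list[Threat]:
    return [Threat(f.name, c, f.crosses_boundary()) for c in PER_FLOW]


def build_login_dfd() -> tuple[list[Element], list[Flow]]:
    """Constructed level-1 DFD for the login process (assumed shape)."""
    user = Element("User", Kind.EXTERNAL, "internet")
    login = Element("Login process", Kind.PROCESS, "web tier")
    creds = Element("Credential store", Kind.STORE, "data tier")
    audit = Element("Auth audit log", Kind.STORE, "data tier", holds_audit_log=True)
    flows = [
        Flow("Credentials submitted (User -> Login)", user, login),
        Flow("Login result / session token (Login -> User)", login, user),
        Flow("Hash lookup (Login -> Credential store)", login, creds),
        Flow("Hash returned (Credential store -> Login)", creds, login),
        Flow("Login event written (Login -> Audit log)", login, audit),
    ]
    return [user, login, creds, audit], flows


def flows_between(flows: list[Flow], a: str, b: str) -> list[Flow]:
    """Select the flows in either direction between two named elements (part c scope)."""
    return [f for f in flows if {f.src.name, f.dst.name} == {a, b}]


def enumerate_threats(elements: list[Element], flows: list[Flow]) -> list[Threat]:
    """Full STRIDE-per-element walk over every element and flow in the DFD."""
    out: list[Threat] = []
    for e in elements:
        out += threats_for_element(e)
    for f in flows:
        out += threats_for_flow(f)
    return out


if __name__ == "__main__":
    elements, flows = build_login_dfd()
    for f in flows_between(flows, "User", "Login process"):
        for t in threats_for_flow(f):
            print(t.describe())
```

Running the script prints the six threats for the two user-to-login flows (tampering, information disclosure and denial of service in each direction), each marked as crossing the internet/web-tier boundary and paired with the property to ask for. Calling `enumerate_threats` on the same model gives the full walk, which is what part (d) would summarise; the difference between the two counts is the time saving the question's "only" is pointing at.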