Security, Intrusion/Malware/Exploit, SDLC

Question 1

Security = Safety?

Answer 1

Security =/= Safety

Question 2

Safety =

Answer 2

physische Sicherheit –> alerting if the situation becomes unsafe for humans and environment

Question 3

Security =

Answer 3

process of ensuring safety and maintaining safeguards –> defending against humans with malicious or criminal intent.

Question 4

IT Security =

Answer 4

Verteidgung von Computern gegen Intrusion und unauthorized use of resources.

Question 5

Auf was baut Security auf?

Answer 5

Safety

Question 6

Security breaches may have … consequences

Answer 6

serious safety

Bspw. Steuerung von AKW etc.

Question 7

Perimeter Security Devices

Answer 7

Firewall, App Gateways

Question 8

Hilft Perimeter Security Software-Bugs zu mitigieren?

Answer 8

Nein, hilft es nicht.

Question 9

Defense in depth =

Answer 9

• Zoning
• Castle Approach
• mehrere Schutzlayer

Question 10

Is Perimiter security enough anymore?

Answer 10

No, therefore Zero-Trust

Question 11

What are reasons that Perimeter Security is not enough anymore?

Answer 11

• Moving to cloud
• BYOD
• Remote Work
• …

Question 12

What are generally the challenges regarding security:

Answer 12

• Heterogeneous Environments have more work and less security
• Virtualization concentrates risk
• It’s impossible to protect what you don’t know

Question 13

Zero-Trust Grundsatz:

Answer 13

never trust, always verify

Question 14

Was passiert bei Zero-Trust?

Answer 14

Jeder Zugriff wird authentisiert.

Question 15

Weshalb wurde Perimetersicherheit immer priorisiert?

Answer 15

• Security war nicht der Fokus bei Programmierern
• Security Professionals sind keine Softare Developers
• Fokus von Softwareentwickler liegt auf Funktionalität
• Kunde sind gewohnt fehlerhafte Software sowie Patches zu erhalten
• Kunden können die Fehler in Software nicht kontrollieren –> focus auf Perimitersicherheit

Question 16

Intrusion =

Answer 16

unathorized act of bypassing security mechanisms of network or information system

Question 17

Intrustion - unauthorized access to:

Answer 17

• Computer
• Service
• Data

Question 18

To prevent intrusions, we have to avoid…

Answer 18

Vulnerabilites

Question 19

Vulnerability =

Answer 19

programming errors, which allow exploitation

Question 20

Exploit =

Answer 20

technique to breach security of a network or information system

Question 21

0-Day exlpoit =

Answer 21

öffentliche unbekannter Exploit –> kein Security Patch

Question 22

Malware benutzt …

Answer 22

einen Exploit

Question 23

Payload =

Answer 23

Schädlicher Programmcode

Question 24

Malware =

Answer 24

Malicious Software

Question 25

Ablauf von: - Exlpoit - Payload - Infection

Answer 25

Question 26

Drive-By-Infection

Answer 26

Question 27

3 Steps of an Attack

Answer 27

1. Infect target system 2. Exploit vulnerabilities (--> connect to C2) 3. Load malicious payload - steal information - erase data - encrypt hard drives (for ransom) - spread to other computers - erase itself to avoid detection

Question 28

What systems contain errors?

Answer 28

Every system of minimum complexity --> Sicherheit so gut wie es geht erhöhen

Question 29

Security...

Answer 29

- is not a programming problem only - must be considered from the very beginning on - is relevant in all phases of software development - cannot be fixed by using special methods or tools (no "quickfix") - cannot be seen isolated from deployment or operations

Question 30

Growing code size and complexity -->

Answer 30

Feheranzahl steigt

Question 31

Software Quality:

Answer 31

- Features of softwares necessary for meeting its requirements - Features of security and safety - those features are partly competing - importance of each feature depends on the project

Question 32

Cost of Bugs -->

Answer 32

je früher erkannt, umso kostengünstiger

Question 33

Wo werden die meisten Fehler gefunden?

Answer 33

Question 34

Relationship: Development costs vs. maintenance costs -->

Answer 34

the earlier the cheaper

Question 35

Source of Bugs Statistics

Answer 35

Question 36

Cost of Bugs in relation to their source code

Answer 36

Question 37

Bugs =

Answer 37

Programmflaws, Fehlfunktionen --> leading to incorrect or unexpected results and behavior

Question 38

Ursprung von Bugs

Answer 38

- lack of communication - miscommunication or no communication - recurring ambiguity in requirements - missing process framework - programming errors - too much rework - self-imposed pressures - software complexity - changing requirements - egotistical or overconfident people - poorly documented code - obsolete automation scripts - lack of skilled tester

Question 39

Software Life-Cycle activities

Answer 39

- Software specification (Requirement engineering) - Software design and implementation - Software verification and validation - Software evolution (software maintenance)

Question 40

Process Models and RE

Answer 40

- Activities must be defined exactly and arranged along time scale - Process model is starting point for project planning and project management - process model must be adapted to the project and the development environment

Question 41

Different (Top-Down) Models:

Answer 41

- Spiral - Prototyping - Waterfall

Question 42

Software Engineering includes

Answer 42

- Construction - Control - Rollout - Operation and maintenance

Question 43

Software Quality Assurance

Answer 43

- Functionality - Reliability - Usability - Efficiency - Maintainability - Portability

Question 44

Wasserfall Model und Requirements Engineering

Answer 44

- Grosser Teil von Requirements Engineering ist am Anfang - Danach begleiten und Unterstützen

Question 45

Eigenschaften von Wasserfall Model:

Answer 45

- strikt linear - Einfache Meilensteine - Relativ einfaches Project Management - Wenig Freiheit - nicht sehr flexibel

Question 46

4 agile manifesto

Answer 46

- Individuals and interactions over Processes and tools - Working software over comprehensive documentation - Customer collaboration over contract negotiation - Responding to change over following a plan

Question 47

Agile Prinzipien - kurz gesagt:

Answer 47

- Sachen nicht Doppelt machen - Keep it small and simple (KISS) - Collective code ownership - Functional and customer-oriented development

Question 48

Scrum

Answer 48

- Sprints / Iteration = 2 week cycles - Daily scrum meetings - Product backlog - Product owner (defines the feature of the end product) - Scrum master (priorities the feature to be worked on in each sprint) - Team members - User

Question 49

DevOps =

Answer 49

Development + Operations = kontinuierliche Entwicklung in Produktion

Question 50

Impact von agiler Methode für Security Requirements Engineers

Answer 50

Stetiges Einbringen von Security Inputs. RE muss kontinuierliche durchgeführt werden.