1. Building Security In Maturity Model (BSIMM): A study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time
2. SAMM: Offers a roadmap and a well-defined maturity model for secure software development and deployment, along with useful tools for self-assessment and planning.
3. Core OpenSAMM activities:
-Governance
-Construction
-Verification
-Deployment
4. Static analysis: Source code of an application is reviewed manually or with automatic tools without running the code
5. Dynamic analysis: Analysis and testing of a program occurs while it is being executed or run
6. Fuzzing: Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation
7. OWASP ZAP:
-Open-source web application security scanner
-Can be used as a proxy to manipulate traffic running through it (even https)
8. ISO/IEC 27001: Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system
9. ISO/IEC 17799: ISO/IEC is a joint committee that develops and maintains standards in the IT industry. ISO/IEC 17799 is an international code of practice for information security management. This section defines confidentiality, integrity and availability controls.
D487 STUDY
10. ISO/IEC 27034: A standard that provides guidance to help organizations embed security within their processes that help secure applications running in the environment, including application lifecycle processes
11. Software security champion: A developer with an interest in security who helps amplify the security message at the team level
12. Waterfall methodology: A sequential, activity-based process in which each phase in the SDLC is performed sequentially from planning through implementation and maintenance
13. Agile Development: A software development methodology that delivers functionality in rapid iterations, measured in weeks, requiring frequent communication, development, testing, and delivery.
14. Scrum: An agile project management framework that helps teams structure and manage their work through a set of values, principles, and practices
15. Daily scrum: Daily time-boxed event of 15 minutes, or less, for the Development Team to re-plan the next day of development work during a Sprint. Updates are reflected in the Sprint Backlog.
16. Sprint review: A meeting that occurs after each sprint to show the product or process to stakeholders for approval and to receive feedback.
17. Sprint retrospective: An opportunity for the Scrum Team to inspect itself and create a plan for improvements to be enacted during the next Sprint.
18. Sprint planning: A collaborative event in Scrum in which the Scrum team plans the work for the current sprint.
19. Threat Modeling Steps:
-Identify security objectives
-Survey the application
-Decompose it