Assessment Worksheet

Implementing a Security Development Lifecycle (SDL) Plan

Course Name and Number:

ICS-690:CyberSecurity

Student Name:

SURYA TEJASWI

Instructor Name:

FAISAL KALEEM

Lab Due Date:

March-01-2015

Overview
In this lab, you explored several tools provided by Microsoft to help implement an SDL. First, you
used the Microsoft Threat Modeling Tool to create a threat model that can help highlight STRIDE
threats in an application. You also ran the Attack Surface Analyzer to take a snapshot of the processes
and services running on the server. You first collected a baseline snapshot and ran it again later for
comparison. You used the SDL Regex Fuzzer to test Regular Expressions for the ReDoS vulnerability.
Finally, you used the BinScope Binary Analyzer to discover possible security issues inside of dynamic
link libraries (DLL).

Lab Assessment Questions & Answers

1. List and briefly describe the training phase of the Security Development Lifecycle (SDL).
Ans: Everyone involved in the project should understand secure programming principles and attend at
least one security focused training course per year. Training should cover Secure Design, Secure Coding,
Threat Modeling, Security Testing and practice regarding privacy.
2. What does the acronym STRIDE stand for?
Ans : Acronym of STRIDE stands for spoofing identity, tampering with data, repudiation, information
disclosure, denial of service, and elevation of privilege.
3. Which of the Regular Expressions in Part 3 are safe from ReDoS?
Ans: The following Regular Expressions in Part 3 are safe from ReDos
1) /([0-9]+|::)/ 2) /".*"/
3) /-?[0-9]*\.?[0-9]*/
4.Why is it necessary for an SDL to include an Incident Response Phase?
ANS : Even when software is released with no known vulnerabilities, that does not mean there will be no

incidents. As technology moves forward, and new vulnerabilities are discovered daily, the released
software could fall victim to an attack either through its own vulnerability or due to a vulnerability
from a third-party release that directly affects the software. If the released software is found to have a
vulnerability, it should be the team's responsibility to act promptly.
5.What are the seven phases in the Microsoft SDL?
Ans: The seven phases in the Microsoft SDL are as follow:
1. Training ; 2.Requirements ; 3. Design ; 4. Implementation ; 5. Verification ; 6. Release and 7.
Response.
6.What is a buffer-overflow or overrun condition?
Ans: Buffer overflow or overrun condition is a failure to check or limit input data-buffer sizes before
data is manipulated or processed.
7.In which phases of the secure software development life cycle may a cross-site scripting (XSS)
be discovered?
Ans: In the Implementation Phase with peer code review, unit testing, or third-party white-box testing
of the secure software development life cycle may a cross-site scripting (XSS) be discovered.
8.What is ReDoS?
Ans: ReDos is Regular Expression denial of service.
9.What failure did BinScope identify in the ActionCenter.dll file?
Ans : The following Failed checks that didn't complete for BinScope run on ActionCenter.dll