“Defense in depth”, sometimes also known as layered defense, is one of the most important approaches to trustworthy secure system development. Which of the following is true?
A. It creates parallel barriers to prevent, delay, or deter an attack.
B. It achieves greater trustworthiness than the individual security components used.
C. It is an alternative to a balanced application of security concepts and design principles.
D. Its concepts are not the same as the security design principles of modularity and layering.


Exploit and Attack

Threat Modeling

Threat modeling is a form of risk assessment that models aspects of the attack and defense sides of a particular logical entity, such as a piece of data, an application, a host, a system, or an environment.

A common form of threat modeling is software threat modeling, which is threat modeling performed during software design to reduce software vulnerabilities. There are many established methodologies for performing software threat modeling.

Another common form of threat modeling is known as system threat modeling, which is threat modeling performed for operational systems to improve their overall security. Compared to software threat modeling, system threat modeling tends to be largely informal and ad hoc.

Source: NIST SP 800-154 (draft)



Alice develops a program and has the permissions {read, write, execute} on it. Bob has no permissions on the program but can forcibly take Alice’s permissions. Alice was surprised that Eve had executed the program, because Bob granted Eve this permission without Alice’s awareness. Which of the following is the authorization mechanism the security kernel implements?
A. Mandatory access control
B. Discretionary access control
C. Role-based access control
D. Non-discretionary access control



A plethora of vulnerabilities is discovered after conducting a vulnerability assessment against your company’s official web site. You decide to implement continuous monitoring over the web server and automate the patching process. Which of the following is the best vehicle?
A. DevOps
B. Change control
C. Continuous deployment
D. Security Content Automation Protocol (SCAP)



Your company is developing an ERP system, owned by the head of the IT department, using Scrum. You are the product owner of the development of the material management module. Which of the following is the least of your concerns?
A. Refinement of the product backlog
B. Application for authorization to operate (ATO)
C. Trustworthiness of the product
D. User acceptance



CMM and CMMI Maturity Levels Comparison

Software Engineering Institute (SEI), 1984

The Software Engineering Institute (SEI) was established in 1984 at Carnegie Mellon University as a federally funded research and development center (FFRDC) dedicated to advancing the practice of software engineering and improving the quality of systems that depend on software. (JUNE 21, 2000 • SEI PRESS RELEASE)

The Effective CISSP: Security and Risk Management

The CISSP exam tests not only your technical foundation but also your management concepts. Many CISSP aspirants fail in Domains 1, 2, 6, or 7. This can be an indicator that they have not connected the dots between information security governance, risk management, strategic management, project/program management, business continuity, and so on.

My book, The Effective CISSP: Security and Risk Management, introduces those concepts that can help you build a solid foundation of information security from the perspective of information systems, business processes, and the organization.

If you have just started your CISSP or CISM (yes, CISM) journey, are lost in the jungle of knowledge, or have even failed in any of the domains mentioned above, The Effective CISSP: Security and Risk Management will make it straight.



You started a software house two years ago that builds and implements custom software solutions for clients. As there was no organizational project management standard or unified process, your company relied on senior project managers capable of managing projects and delivering software to clients based on their own approaches and experience. Which of the following is the maturity level that best describes your company in terms of CMMI?
A. Initial
B. Repeatable
C. Managed
D. Defined
