1. How does the source of your software code affect the overall security of the system? Justify your position for a general system.
2. What protections can you place within an organization on code that is developed externally? Give examples to support your recommendation.
3. Why is it beneficial to develop a software system in a language that is well known to the development team? What are the risks of using a language that is unknown or less common to them?
4. What are the most critical aspects of security in an object-oriented software system? Consider the use of classes and data members in your analysis.
5. Is it easier to predict the security of a procedural system or a class-based system? Justify your position with examples.

1. What are the important considerations in choosing a Red Team (or attack team) for your software system? Give examples to justify your position.
2. How should you utilize the results of a static analysis of the system? What criteria should determine the level of action taken on any item?
3. Why is it important to probe and attack a system both at rest (its source, binaries and configuration) and in operation (the running, deployed system)? Give examples of information that is provided by each that the other could not provide.
4. What factors should influence the time frame and scope of a penetration test? Rank them, and give examples to support your ranking.
5. Why is compromising a single system insufficient as the end point of a penetration test? Justify your position.

1. Why is it good practice to put an Incident Response Plan in place for small software systems as well as large software systems? Give examples to support your position.
2. What are the essential outcomes of the Final Security Review? Why is this process necessary as a last step before release if security has been a consideration throughout the development process?
3. What general elements of a system should be closely monitored when it goes live for the first time? Can the level of vigilance over the system be relaxed after an initial deployment phase?
4. Why is periodic system review beneficial to security? Justify your position.
5. How does the evolution of attack tools affect existing systems? What steps should an organization take to remain vigilant of these new methods for compromising systems?

1. Why is it important to train personnel in security if it is not part of their job routine? Give examples to justify your position.
2. Why do insiders pose such a significant threat to an organization? Find examples to justify your position.
3. What are the main problems with preventing social engineering in an organization? Give examples to support your answer.
4. What is the risk of allowing Web 2.0 technologies to run on the computers of all employees in an organization? Give examples to justify your position.
5. Why is it necessary to define enforcement policies for security rules in an organization? Why is it necessary to consistently follow through on enforcement?