System requirements designed to protect against the destruction of information or the system itself are commonly known as availability or resilience requirements. These requirements focus on ensuring the system's ability to withstand and recover from various types of disruptions, including attacks, disasters, or failures, to maintain functionality and data integrity. Resilience requirements often encompass features like backup and recovery mechanisms, redundancy, fault tolerance, and disaster recovery plans to enhance the system's robustness and ability to continue operating under adverse conditions.

The primary advantage of employing threat modeling early in the development lifecycle is it identifies potential security threats and vulnerabilities early, enabling proactive mitigation strategies

By identifying potential security threats and vulnerabilities early in the development process, threat modeling allows for the implementation of proactive mitigation strategies, reducing the likelihood of security issues later on. This helps ensure that security is built into the design from the beginning.

Storing credentials in a directory server and enforcing applications to integrate via Identity and Access Management (IAM) provider through Single Sign-On (SSO) is a best practice because it centralizes user authentication and authorization. This design enhances security by reducing the number of places where sensitive credentials are stored, minimizing the risk of unauthorized access. IAM providers offer robust security features, including multi-factor authentication and access controls, ensuring a standardized and secure authentication process across applications. SSO simplifies user experience, promotes consistency, and allows for efficient management of user credentials and permissions centrally.

A threat vector is a path or method that a threat actor uses to gain unauthorized access or deliver a malicious payload to a target system or network. It represents the avenue through which a security threat exploits vulnerabilities to compromise the security of a system or organization. Threat vectors can include methods such as phishing emails, malicious websites, software vulnerabilities, or social engineering tactics. Understanding and mitigating threat vectors are critical components of cybersecurity efforts.

To protect against code tampering and reverse engineering, the mobile app binaries should apply code obfuscation and anti-tampering.

Applying code obfuscation makes the code harder to understand and reverse engineer, while anti-tampering measures can help detect and prevent unauthorized modifications to the app.

The security principle that involves assigning only the needed privileges to users is known as the Principle of Least Privilege (PoLP). This principle aims to limit access rights and permissions for individuals or systems to the minimum levels required to perform their tasks, reducing the potential impact of accidental mishandling or intentional malicious actions.

In the context of secure software design, the principle of "defense in depth" advocates for:

Implementing multiple layers of security controls for sensitive application operations

This approach involves using a variety of security mechanisms (such as encryption, access controls, intrusion detection systems, etc.) to protect against multiple types of threats and vulnerabilities. It ensures that if one layer of security is breached or fails, other layers are in place to provide additional protection.

The essential security measure for protecting sensitive data during transmission is "Encryption." Encryption ensures that data is transformed into a secure, unreadable format during transmission, safeguarding it from unauthorized interception or tampering. This security measure is crucial for maintaining the confidentiality and integrity of sensitive information as it travels across networks or communication channels.

"Secure by design" means Integrating security measures from the beginning of the design phase

Top Secret is the highest level of classification for government/military environments.

Example: Sensitive details of military operations, intelligence sources involving ongoing operations.

All of the user authentication activities and user management activities are critical for secure logging requirements.

The primary benefit of secure defaults in system configurations is:

Ensures systems are secure out-of-the-box

Secure defaults in system configurations mean that when a system is initially set up or deployed, it is already configured with security settings that provide a baseline level of protection. This reduces the risk of misconfiguration or oversight that could lead to security vulnerabilities.

The principle that involves dividing responsibilities among multiple individuals to reduce the risk of fraud and error is : Separation of Duties

Separation of Duties ensures that no single individual has complete control over a critical process or function. By dividing responsibilities, organizations can minimize the risk of fraud, errors, and unauthorized actions, thereby enhancing security and accountability.

Accountability requirements emphasize the ability to trace and attribute actions to specific users or entities, contributing to accountability and auditability.

One of the primary reasons to include the availability aspect in an organization's software security efforts is to ensure uninterrupted and reliable access to systems and services, preventing disruptions that could impact business operations and user experience.

Security training for development teams contributes to secure software requirements by fostering awareness, knowledge, and best practices related to security throughout the software development lifecycle. This training equips development teams with the skills to identify and address potential security risks early in the development process. It encourages the integration of security considerations into the design, coding, and testing phases, leading to the establishment of secure software requirements. Overall, security training enhances the team's ability to proactively implement security measures, reducing vulnerabilities and ensuring the creation of more robust and secure software.

ACL (Access Control List) is commonly used to manage access permissions for resources, including content on websites. It specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

Threat modelling involves identifying application entry points where the application interacts with external entities is crucial in understanding potential attack vectors and entry points for security threats.

An organization's security policy plays a crucial role in defining and guiding secure software requirements. It serves as the foundation for establishing the security objectives and expectations for software development. The security policy outlines the organization's approach to safeguarding sensitive information, mitigating risks, and ensuring compliance with industry regulations.

Secure software requirements and design are intended to mitigate risks and enhance overall software quality, which typically results in improved user trust, reduced risk of data breaches, and easier maintenance. While there may be initial costs associated with implementing security measures, the overall goal is to reduce costs over time by preventing security incidents and minimizing the impact of vulnerabilities. Therefore, increased development costs are not considered a direct benefit of secure software requirements and design.