Incorporating security requirements into software development is essential to mitigate risks and protect against potential threats. The primary goals include safeguarding sensitive data, maintaining user trust by providing secure software, preventing malicious exploitation, complying with regulations, and reducing business risks. This proactive approach ensures adherence to legal standards, enables secure functionality, and helps organizations adapt to evolving cyber threats. By addressing security concerns throughout the development life cycle, organizations aim to minimize the impact of security incidents, enhance system reliability, and foster a resilient foundation for their applications.

The correct approach is to:

Integrate security considerations throughout the entire development lifecycle (SDLC).

Security should be an integral part of the design, development, and deployment processes. This ensures that security is built into the software from the start, reducing vulnerabilities and ensuring robust protection.

Each of these options represents a security requirement for applications:

Encrypting the communication between client and server: Ensures that data transmitted over networks is protected from eavesdropping and tampering.
Hashing and salting the passwords when storing in a database: Ensures that even if the database is compromised, passwords remain secure and cannot be easily decrypted.
Masking the credit card number when displayed in a browser/mobile app: Protects sensitive information from unauthorized viewing.

Implementing all these measures helps enhance the security of an application by safeguarding sensitive data and communications.

Performing code review from a security perspective is to uncover weaknesses that could be exploited by attackers. This includes things like insecure input validation, SQL injection vulnerabilities, cross-site scripting (XSS), insecure authentication mechanisms, and more.

Rationale: By identifying and fixing these vulnerabilities before the code is released, organizations can significantly reduce the risk of data breaches, malware infections, and other security incidents.

Secure coding guidelines aim to equip developers with best practices and techniques to write code that is inherently resistant to security attacks. This involves adhering to principles like proper input validation, secure data handling, and robust authentication mechanisms. By following these guidelines, developers can significantly reduce the chances of introducing vulnerabilities that could be exploited by hackers, protecting user data and system integrity.

Security testing plays a crucial role in detecting and addressing these vulnerabilities early in the development cycle, before they become exploitable in production environments. This proactive approach saves time and resources compared to fixing vulnerabilities later, potentially during deployment or after an attack.
Benefits of early detection and mitigation:
1. Reduced risk of security incidents
2. Increased software resilience
3. Improved user trust and compliance
4. Lower remediation costs

The primary route for attacks on an application or system is typically through input interfaces. These are the points where users or other systems provide data to the application. Attackers often exploit vulnerabilities in how an application processes input, such as through SQL injection, cross-site scripting (XSS), and other forms of injection attacks. By manipulating inputs, attackers can execute malicious code, access unauthorized data, and compromise the system.

In a secure software development lifecycle (SDLC), the phase that is critical for integrating security requirements into functional requirements is the Requirements Gathering and Analysis Phase
During this phase, security requirements are identified, documented, and integrated into the overall functional requirements of the software, ensuring that security considerations are incorporated from the very beginning of the development process.

Data classification involves categorizing data based on its sensitivity, importance, and the level of protection required. This process helps organizations identify and prioritize the security measures needed to safeguard different types of information. By classifying data into categories such as public, internal use, confidential, or highly sensitive, organizations can apply appropriate security controls, access restrictions, and encryption methods to ensure the confidentiality, integrity, and availability of their data. Sorting data alphabetically, encrypting data, and compressing data are different processes that may be applied to data but are not synonymous with data classification.

Security requirements commonly include specifications for Confidentiality, Integrity, and Availability, often referred to as the CIA triad.
These three components are fundamental to ensuring the overall security of a system:

Confidentiality: Ensures that information is accessible only to those authorized to view it.
Integrity: Ensures the accuracy and trustworthiness of data and systems by preventing unauthorized alterations.
Availability: Ensures that systems and data are available and accessible to authorized users when needed.

Authorization is the process of granting or denying access rights and permissions to individuals or entities based on their identity, roles, or attributes. It determines what actions or resources a user is allowed to access within a system or application. Authorization ensures that users only have the appropriate level of access to perform their designated tasks and prevents unauthorized actions, helping to maintain the security and integrity of a system.

Confidentiality ensures that data is accessible only by those authorized to view or modify it. This security concept safeguards information from unauthorized access, maintaining its privacy and restricting visibility to authorized individuals or entities.

Software security requirements for an application can be built from all defined here:
1. Business Goals and Objectives: Aligning security requirements with the overarching goals of the business ensures that the application supports and protects the organization's strategic interests.
2. Threat Landscape for the Application: Understanding the specific threats and risks that the application faces helps in creating targeted security requirements to mitigate those threats effectively.
3. Compliance Requirements for Organization Policy and Industry Standards: Adhering to regulatory and industry standards (such as GDPR, HIPAA, PCI-DSS) ensures that the application meets legal obligations and follows best practices in security.
Considering all these factors provides a comprehensive foundation for building robust and effective security requirements for an application.

Secure software design principles emphasize:

Minimizing the attack surface by reducing unnecessary functionality.

This principle focuses on reducing the opportunities for attackers to exploit vulnerabilities by limiting the amount of code and functionality exposed to potential threats. It promotes simplicity and security by design, aiming to decrease the overall risk of the software application.

Public is the lowest level of data classification in business/non-government Sector.

Eg:- Documents about company products, education materials etc are public classified documents

The correct answer is all of the above.

1. Principle of Least Privilege: Ensures users and systems have the minimum necessary access to perform their functions.
2. Defense-in-Depth: Employs multiple layers of security controls to protect against threats.
3. Fail-Secure: Ensures systems fail in a secure manner, defaulting to a safe state in the event of a failure.

Each of these principles contributes to a robust security posture.

The criticality of data in an application depends on the context and the specific security requirements of the system. However, among the options provided:

Credit card numbers are often considered critical data due to its sensitive nature and the potential for financial fraud or identity theft if compromised. Credit card numbers are subject to stringent security measures to protect against unauthorized access and misuse.

The security principle of least privilege is the concept of providing individuals or systems with only the minimum levels of access or permissions needed to perform their tasks, and nothing more. This principle aims to limit potential damage from accidental mishandling or intentional malicious actions by restricting access rights to the bare necessities. By adhering to the principle of least privilege, organizations minimize the attack surface, mitigate the risk of unauthorized access, and enhance overall security posture.

The primary purpose of a security baseline in software development is to establish a minimum set of security configurations and standards that all systems and applications within an organization must adhere to. This baseline serves as a foundation for implementing consistent security measures, reducing vulnerabilities, and ensuring a standardized and secure environment. It helps mitigate common security risks, facilitates compliance with security policies, and provides a starting point for secure software development practices. The security baseline acts as a reference point for assessing and maintaining the security posture of software systems throughout their lifecycle.

Employing a secure, one-way hashing algorithm is a common security practice to store passwords because it enhances the protection of user credentials. One-way hashing ensures that passwords are transformed into irreversible, unique hash values. In the event of a data breach, even if the hashed passwords are exposed, it is computationally infeasible to reverse the process and obtain the original passwords. This adds a layer of security, reducing the risk associated with password compromise and enhancing overall data protection in the event of unauthorized access.

The correct answer is all mentioned here.

Logging of Authentication Requests: Helps monitor and detect suspicious activities, providing an audit trail for security incidents.
User Lockout for Invalid Authentication Requests: Protects against brute force attacks by limiting the number of invalid login attempts.
2-Factor Authentication Requirement: Enhances security by requiring an additional layer of verification beyond just the username and password.

Each of these measures is a key component of a secure authentication strategy.

The best strategy to handle sensitive data is to encrypt data during storage and transport.

Encryption ensures that sensitive data is protected both when it is stored (at rest) and when it is being transmitted (in transit). This makes the data unreadable to unauthorized parties, safeguarding it from potential breaches.

While hashing and masking have their uses in certain contexts, encryption is the most comprehensive strategy for protecting sensitive data in both storage and transport.

The phrase Access Control matrix matches the definition in the question.

People who might need to access items are typically referred to as subjects. Typically, objects are documents, information, or other resources that subjects may need to access. They might also be a piece of hardware or a system process. The information in it specifies access levels and permissions for subjects and objects. They are created by organizations to guarantee authorized access and guard against malicious or accidental unauthorized access to sensitive data.