Answer the following questions.
1) (12 pts.) A company develops a new security product using the extreme programming software development methodology. Programmer’s code, then test, then add more code, then test and continue this iteration. Every day they test the code base as a whole. The programmers work in pairs when writing to ensure that at least two people review the code. The company does not adduce any additional evidence of assurance. How would you explain to the management of this company why their software is in fact not “high assurance” software? (8 pts.)
• Identify any laws associated with utilizing tools for assurance – (1 pt.)
• To enhance the system software security of a product during development, what should the Program Manager do? ________ (-3 pts.)
2) (15 pts.) Bonner Company has hired you as a senior software designer and you have been tasked to
solve a challenging problem for the company. The customer, Dr. See of Crypto Company wants you
to resolve an issue for his company; how can he secure his data at rest and in motion for his system
software security system. What is your plan to resolve this request?
3) (18 pts.) Assume that the Clark Wilson model is implemented on a computer system. Could a computer virus that scrambled constrained data items be introduced into the system? Why or Why not? Specifically, if not, identify the precise control that would prevent the virus from being introduced, and explain why it would prevent the virus from being introduced; if yes, identify the specific control or controls that would allow the virus to be introduced and explain why they fail to keep it out?
t
4) (20 pts.) Bonner’s company has a new assignment for you; to develop a Test Evaluation Master Plan (TEMP) with assurance built into it for the four (4) phases of a lifecycle (Analyze/Select, Obtain, Implementation and Sustain) for a new secure software system. You have been directed to provide the following deliverables to the customer:
(good reference for this question is: http://www.acqnotes.com/acqnote/careerfields/test-and-evaluation-master-plan-temp)
a) The TEMP must provide the ____________________ required for _______, _______, and ___________. (4 pts.)
b) The TEMP should be completed before the start of what lifecycle phase? (4 pts.)
c) Secure Assurance should be part of what two (2) most important tests in the product lifecycle and discuss why?(4 pts)
d) Using the answer to question c), discuss in detail which additional tests/or process would support your choice of the two (2) tests? (8 pts.)
5) (15 pts.)You just been hired by Bonner Company as the new Program Manager for their development of a new secure phone for an unnamed customer. You have been requested to perform the following functions as the new Program Manager:
a) Control what two (2) areas of the program? ______and ________ (2 pts.)
b) Develop a secure process as part of the Software Program Management Plan Outline (10 pts.)
c) Develop a Secure Software Configuration Plan Outline (3 pts.)
6) (20 pts.) Essay Question: Secure software certification. Your present company (fictional company-make-up one) is at EAL4. You are the new program manager on this effort and your job is to bring your present software secure package to EAL7. Explain to me your management plan on upgrading your present software package from EAL4 to EAL7. Your management plan should include discussing your past documentation (how did you get to EAL4), the difference between EAL4 and EAL7, what additional paperwork will be needed to reach EAL7 certification, and finally, define your risk based on reusing software code for this migration from EAL4 to EAL7 certification.