# Software Security Pillars
- _Defense in Depth_: layer independent controls so that the failure of any one layer does not by itself compromise the system. The layers, from innermost out:
- Data
- Application (This course's focus)
- Host
- Internal network
- Perimeter
- Physical
- Policies, procedures, awareness
- Shifting security to the left
  - In the pipeline Dev -> Test -> Staging -> Production, move security work toward the left: into requirements, design and development, rather than a test or audit just before release.
  - Bring security **in**: build it into the software instead of bolting it on afterwards.
## Pillar I: Risk Management
- Risk Management = identifying what could go wrong, how likely it is, what it would cost, and deciding what to do about it.
- Risk = Probability x Impact
- Security Risk = Probability of an **exploit** x value of an **asset**
- Asset = anything that requires _confidentiality_, _integrity_, or
  _availability_.
  - Domain-specific (e.g., patient records in a medical system)
  - Domain-independent (e.g., credentials, keys, logs)
  - Intangible properties (e.g., reputation, user trust)
- Factors that affect the probability of an exploit
  - number of vulnerabilities
  - scope of the project (size of the attack surface)
  - targeted attacks (number and motivation of malicious actors)
- Risk Management Framework
1. Understand the business context
2. Identify the business and technical risks
3. Synthesize, prioritize, and rank the risks
4. Define the risk mitigation strategy
5. Carry out fixes and validate.
- All in a business context!
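The formulas and framework steps above, as an added worked example that is not part of the course material. The asset names, probabilities, mitigations and the acceptance threshold are all constructed; the rule that `n` vulnerabilities each exploited independently with probability `p` give `P(any) = 1 - (1 - p)^n` is an assumption of the example, used only to show how the number of vulnerabilities drives the probability term.

```python
"""Risk register: Risk = Probability x Impact, ranked and validated (RMF steps 1-5).
Added example; all assets, probabilities and mitigations below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """Anything requiring confidentiality, integrity or availability.
    Each property is scored 0..10 for the damage done if it is lost."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    @property
    def value(self) -> int:
        # Impact of a compromise: the worst loss across C, I and A
        return max(self.confidentiality, self.integrity, self.availability)


def exploit_probability(per_vuln: float, vulnerabilities: int) -> float:
    """Probability that at least one of several vulnerabilities in the asset
    is exploited. Example assumption: each has the same chance and they are
    independent, so P(any) = 1 - (1 - p)^n, rising with the vulnerability count."""
    if not 0.0 <= per_vuln <= 1.0 or vulnerabilities < 0:
        raise ValueError("per_vuln must be in [0, 1] and vulnerabilities >= 0")
    return 1.0 - (1.0 - per_vuln) ** vulnerabilities


@dataclass
class Risk:
    description: str
    asset: Asset
    probability: float                         # estimated P(exploit), 0..1
    mitigation: str = ""
    residual_probability: Optional[float] = None   # set once a mitigation is chosen

    def score(self) -> float:
        # Security risk = P(exploit) x value of the asset
        return self.probability * self.asset.value

    def residual_score(self) -> float:
        p = self.probability if self.residual_probability is None else self.residual_probability
        return p * self.asset.value


def rank(risks: list[Risk]) -> list[Risk]:
    """RMF step 3: synthesize, prioritize and rank (highest score first)."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def mitigate(risk: Risk, mitigation: str, residual_probability: float) -> Risk:
    """RMF step 4: record the mitigation strategy and the probability it leaves behind."""
    if not 0.0 <= residual_probability <= risk.probability:
        raise ValueError("a mitigation may not raise the probability of exploit")
    risk.mitigation = mitigation
    risk.residual_probability = residual_probability
    return risk


def unacceptable(risks: list[Risk], threshold: float) -> list[Risk]:
    """RMF step 5: validate. Returns the risks whose residual score is still above
    the acceptance threshold the business set in step 1."""
    return [r for r in rank(risks) if r.residual_score() > threshold]


# Constructed sample register (the output of steps 1 and 2); nothing here is real.
CUSTOMER_DB = Asset("customer database", confidentiality=10, integrity=8, availability=6)
MARKETING_SITE = Asset("marketing site", confidentiality=1, integrity=5, availability=4)

REGISTER = [
    Risk("SQL injection in the search endpoint reads customer records",
         CUSTOMER_DB, exploit_probability(0.3, 2)),       # two known injection points
    Risk("Defacement via an outdated CMS plugin",
         MARKETING_SITE, exploit_probability(0.5, 3)),    # three known plugin bugs
    Risk("Backup volume left world-readable", CUSTOMER_DB, 0.2),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score():5.2f}  {r.description}")
    mitigate(REGISTER[0], "parameterized queries + code review", 0.02)
    mitigate(REGISTER[1], "update plugin, add WAF rule", 0.2)
    for r in unacceptable(REGISTER, threshold=1.5):
        print("still unacceptable:", r.description, round(r.residual_score(), 2))
```

The ranking surfaces the injection risk first even though the defacement is the more likely event, because the impact term (the asset's value) dominates; after the two mitigations the only item still above the constructed threshold is the unmitigated backup exposure, which is what step 5 is meant to catch.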
## Pillar II: Touchpoints
- Touchpoints are _constructive_ (build security in) and _destructive_ (try to break it) activities applied to the software _artifacts_: requirements, design, code, test plans, and the running system.
- Touchpoint 1: Code Reviews
- Touchpoint 2: Architectural Risk Analysis
- Touchpoint 3: Penetration Testing
- Touchpoint 4: Risk-Based Security Testing
- Touchpoint 5: Abuse Cases
  - UML Use Case Diagram, extended with the misuse an attacker would attempt
  - Creating Anti-Requirements: what the system must never allow, which then become security requirements and security tests
- Touchpoint 6: Security Requirements
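Touchpoints 4, 5 and 6 chained together, as an added example that is not part of the course material: an abuse case is written from the attacker's side, turned into an anti-requirement and a security requirement, and that requirement is checked by a risk-based security test against both a naive and a hardened implementation. The upload root `/srv/app/uploads`, the attack names and both `*_upload_path` functions are constructed for the example; path handling uses `posixpath` string logic so the test runs without touching the filesystem.

```python
"""Abuse case -> anti-requirement -> security requirement -> risk-based security test.
Added example; the upload root, abuse case and attack inputs are constructed."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class AbuseCase:
    """Misuse described from the attacker's point of view (Touchpoint 5)."""
    actor: str
    goal: str
    action: str


@dataclass(frozen=True)
class SecurityRequirement:
    """The anti-requirement ('the system must never ...') stated so it can be tested (Touchpoint 6)."""
    statement: str
    source: AbuseCase


UPLOAD_ROOT = "/srv/app/uploads"   # assumed location for the example

PATH_TRAVERSAL = AbuseCase(
    actor="anonymous web user",
    goal="write a file outside the upload directory",
    action="submits a file name such as '../../etc/cron.d/job'",
)
REQ_UPLOADS_STAY_IN_ROOT = SecurityRequirement(
    statement="The application must never create or overwrite a file outside "
              "UPLOAD_ROOT, whatever name the client supplies.",
    source=PATH_TRAVERSAL,
)


def naive_upload_path(name: str) -> str:
    """The 'before': trusts the client-supplied name, so '..' and absolute paths escape."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))


def safe_upload_path(name: str) -> str:
    """The fix: keep only the final path component, then confirm the result is under the root."""
    if not name or "\x00" in name:
        raise ValueError("invalid file name")
    base = posixpath.basename(name)          # discards any directory part the client sent
    if base in ("", ".", ".."):
        raise ValueError("invalid file name")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return target


# Risk-based security tests (Touchpoint 4): constructed inputs the abuse case predicts.
ATTACK_NAMES = [
    "../../etc/cron.d/job",
    "/etc/passwd",
    "sub/../../../root/.ssh/authorized_keys",
    "..",
]


def escapes_root(path: str) -> bool:
    return posixpath.commonpath([UPLOAD_ROOT, path]) != UPLOAD_ROOT


def run_abuse_tests(resolver) -> dict[str, bool]:
    """Returns {attack name: True if the requirement held for that input}."""
    results = {}
    for name in ATTACK_NAMES:
        try:
            results[name] = not escapes_root(resolver(name))
        except ValueError:
            results[name] = True   # refusing the request also satisfies the requirement
    return results


if __name__ == "__main__":
    print("requirement:", REQ_UPLOADS_STAY_IN_ROOT.statement)
    for label, fn in (("naive", naive_upload_path), ("safe", safe_upload_path)):
        for attack, held in run_abuse_tests(fn).items():
            print(f"{label:5}  {'PASS' if held else 'FAIL'}  {attack!r}")
```

The test is derived from the abuse case rather than from the feature specification, which is the point of risk-based security testing: a functional test of "upload a file" would pass against `naive_upload_path`, and only the attacker's inputs show that it violates the anti-requirement.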
## Pillar III: Knowledge