1- How does the source of your software code affect the overall security of the system? Justify your position for a general system.
2- Why is it beneﬁcial to develop a software system in a language that is well known to the development team? What are the risks of using a language that is unknown or less common to them?
3- What protections can you place within an organization on code that is developed externally? Give examples to support your recommendation.
4- How can modular code developed within an organization be helpful or harmful to the security of the system? Justify your position.
5- Why is it important to limit the attack surface of the system? Give examples to support your argument.
1- Why is it important to probe and attack a system both at rest and in action? Give examples of information that is provided by each that the other could not provide.
2- Why is it important to simulate the deployment environment as closely as possible when performing a penetration test? What could happen if the conditions vary signiﬁcantly from the live environment?
3- What advantages do actual attackers have over-penetration testers in attempting to compromise a system? Justify your conclusions.
4- What are the important considerations in choosing a Red Team (or attack team) for your software system? Give examples to justify your position.
5- What are the risks of using a Red Team that is not qualiﬁed? How could this negatively affect system deployment in the live environment?