Answers for the TryHackMe SSDLC Room

The TryHackMe Secure Software Development Lifecycle (S-SDLC) room is a free room from TryHackMe, available at https://tryhackme.com/room/securesdlc.

As this room is purely theory, we only present the questions and their answers below.

Task 1: Introduction

Question 1

No answer needed

Task 2: What is SSDLC?

Question 1: How much more does it cost to identify vulnerabilities during the testing phase?

15

Task 3: Implementing SSDLC

Question 1: What should you understand before implementing Secure SDLC processes?

Security Posture

Question 2: During which stages should you perform a Risk Assessment?

Planning and Requirements

Question 3: What should be carried out during the design phase?

Threat Modelling

Task 4: Risk Assessment

Question 1: What is a formula to assign a Qualitative Risk level?

Severity x Likelihood

Question 2: Which type of Risk Assessment assigns numerical values to determine risk?

Quantitative Risk Assessment

Task 5: Threat Modelling

Question 1: What threat modelling methodology assigns a rating system based on risk probability?

DREAD

Question 2: What threat modelling methodology is built upon the CIA triad?

STRIDE

Question 3: What threat modelling methodology helps align technical requirements with business objectives?

PASTA

Task 6: Secure Coding

Question 1: Is it recommended to use SAST analysis at the beginning of the SDLC? (y/n)

y

Question 2: Which type of code analysis uses the black-box method?

DAST

Question 3: Which type of code analysis uses the white-box method?

SAST

Task 7: Security Assessments

Question 1: Which form of assessment is more budget-friendly and takes less time?

Vulnerability Assessment

Question 2: Which type of assessment identifies vulnerabilities and attempts to exploit them?

Penetration Testing

Question 3: When do you typically carry out Vulnerability Assessments or Pentests?

Operations & Maintenance

Task 8: SSDLC Methodologies

Question 1: What methodology follows a set of mandatory procedures embedded in the SDLC?

Microsoft SDL

Question 2: What Maturity Model helps you measure tailored risks facing your organisation?

SAMM

Question 3: What maturity model acts as a measuring stick to determine your security posture?

BSIMM

Task 9: Secure Space Lifecycle

Answers to the rocket game:

  • Risk Management
  • Threat Modeling
  • SAST
  • DAST
  • Code Review
  • Secure Config
  • Security Assessment

And the flag is:

THM{D0-A-Barr3l-R011}