A series of questions and answers related to secure software design, focusing on the security development lifecycle (SDL) and practices within software engineering. It covers topics such as vulnerability disclosure, security assurance maturity models, penetration testing phases, and compliance requirements. The document also explores threat modeling, privacy impact assessments, and various testing methodologies, offering insights into building security into software development processes. It is useful for students and professionals in computer science and software engineering, providing a concise overview of key security concepts and practices.
Typology: Exams
Q: Which post-release support activity defines the process to communicate, identify, and alleviate security threats?
A: PRSA1: External vulnerability disclosure response

Q: What are two core practice areas of the OWASP Security Assurance Maturity Model (OpenSAMM)?
A: Governance, Construction

Q: Which practice in the Ship (A5) phase of the security development cycle uses tools to identify weaknesses in the product?
A: Vulnerability scan

Q: Which post-release support activity should be completed when companies are joining together?
A: Security architectural reviews

Q: Which of the Ship (A5) deliverables of the security development cycle are performed during the A5 policy compliance analysis?
A: Analyze activities and standards

Q: Which of the Ship (A5) deliverables of the security development cycle are performed during the code-assisted penetration testing?
A: White-box security test

Q: Which of the Ship (A5) deliverables of the security development cycle are performed during the open-source licensing review?
A: License compliance

Q: Which of the Ship (A5) deliverables of the security development cycle are performed during the final security review?
A: Release and ship

Q: How can you establish your own SDL to build security into a process appropriate for your organization's needs based on agile?
A: Iterative development

Q: How can you establish your own SDL to build security into a process appropriate for your organization's needs based on DevOps?
A: Continuous integration and continuous deployment

Q: During what phase of SDL do all key stakeholders discuss, identify, and have common understandings of the security and privacy implications, considerations, and requirements?
A: A1 Security Assessment

Q: What are the three areas of focus in secure software requirements?
A: Gathering the software requirements, data classification, and managing data protection requirements

Q: During what phase of SDL is an initial project outline for security milestones developed and integrated into the development project schedule?
A: A1 Security Assessment

Q: What term means requirements that describe what the system will do and its core purpose?
A: Functional requirements

Q: What term means requirements that describe any constraints or restrictions on a design but do not impact the core purpose of the system?
A: Non-functional requirements

Q: What term is a process that evaluates issues and privacy impact rating in relation to the privacy of personally identifiable information in the software?
A: Privacy impact assessment

Q: What term helps to determine the actual cost of the product from different perspectives?
A: Product risk profile

Q: What term is a table that lists all of the security requirements?
A: Requirement traceability matrix

Q: What term is the environment in which the product will operate and potential threats in that environment?
A: Threat profile

Q: What phase of the SDL examines security in terms of business risks, with inputs from the software security team and key stakeholders?
A: A2 Architecture Phase

Q: In what phase of the SDL is threat modeling conducted?
A: A2 Architecture Phase

Q: What is it called when technicians identify security objectives, survey applications, decompose applications, identify threats, and identify vulnerabilities?
A: Threat modeling

Q: What is the process to pinpoint security threats and potential vulnerabilities that will help prioritize remediation?
A: Threat modeling

The five steps of threat modeling are: identify security objectives, survey the application, decompose it, identify threats, and identify vulnerabilities.

Q: What does STRIDE stand for?
A: Spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege

Q: What does PASTA stand for?
A: Process of attack simulation and threat analysis

Q: How should you rank an organization's threats?
A: Based on their probability and damage potential

Q: What does DREAD stand for?
A: Damage potential, reproducibility, exploitability, affected users, and discoverability

Q: What is a weakness that can be exploited?
A: Vulnerability

Q: What is a unified conceptual framework for security auditing?
A: Trike Threat Model

Q: What is the path an attacker can take to exploit a vulnerability?
A: Threat vector

Q: What is reusable software developed externally from the organization's platforms?
A: Third-party code

Q: What is maliciously changing or modifying persistent data?
A: Tampering

Q: What defines what needs to be protected and how it will be protected?
A: Software security policy

Q: What is performing illegal operations in a system that lacks the ability to trace the prohibited operations?
A: Repudiation

Q: What is determining the fundamental functions of an app?
A: Application decomposition

Q: What are threat models focused around senior management and protecting the assets of an organization?
A: Asset-centric threat modeling

Q: What are threat models that start with visualizing the application you are building?
A: Application-centric threat modeling

Q: Which shape indicates the trust boundary in the flow diagram?
A: Dashed line

Q: What are the two deliverables of the Architecture phase of the SDL?
A: Threat modeling artifacts, policy compliance analysis

Q: What SDL security assessment deliverable is used as an input to an SDL architecture process?
A: Threat profile

Q: What is alpha level testing?
A: Testing done by the developers themselves

Q: What is beta level testing?
A: Testing done by those not familiar with the actual development of the system

Q: What is black box testing?
A: Tests from an external perspective with no prior knowledge of the software

Q: What is the third phase of the security development life cycle, in which you analyze and test software to determine security and privacy issues as you make informed decisions moving forward with your software?
A: A3 Design and Development

Q: What are external resources?
A: Resources hired on a temporary basis to come into a project, test the application, and report findings

Q: What are functional testing scripts?
A: Step-by-step instructions for a specific scenario or situation

Q: What is gray box testing?
A: Analyzes the source code for the software to help design the test cases

Q: What are internal resources?
A: Resources from the company's organization

Q: What are secure testing scripts?
A: Scripts created specifically for the application being tested

Q: What is white box testing?
A: Tests from an internal perspective with full knowledge of the software

Q: Which software security testing technique tests the software from an external perspective?
A: Black box

Q: What testing tests with no prior knowledge of the software? During this phase, only binary executable or intermediate byte code is analyzed.
A: Black box

Q: What is phase four of the SDL?
A: A4 Design and Development (continued)

Q: What is an open-source platform that can perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in over 25 programming languages?
A: SonarQube

Q: What is analysis of computer software that is performed without actually executing programs?
A: Static analysis

Q: What identifies inputs and supplies those to the scanning components of the security tool?
A: Spider

Q: What type of request is used to merge your code into another branch?
A: Pull request

Q: What silently analyzes all the hypertext transfer protocol (HTTP) requests and responses passing through the web application security tool?
A: Passive scanner

Q: What type of test is done by the development tester to continually assess the quality of his or her work?
A: Exploratory test

Q: What type of application security testing identifies vulnerabilities within a product application?
A: Dynamic analysis

Q: After the developer is done coding a functionality, when should code review be completed?
A: Within hours/same day

Q: What is the order that code reviews should follow in order to be effective?
A: Identify security code review objectives, perform preliminary scan, review code for security issues, review the code for security issues unique to the architecture

Q: When a software application handles personally identifiable information (PII) data, what will be the Privacy Impact Rating?
A: P1 High Privacy Risk

Q: Which key success factor identifies threats to the software?
A: Effective threat modeling

Q: What is the goal of design security review deliverables?
A: To make modifications to the design of software components based on security assessments

Q: What tool is an AI-powered management solution?
A: Dynatrace

Q: A new application is released, and users perform initial testing on the application. Which type of testing are the users performing?
A: Beta testing