Secure Software Design: Q&A on Security Development Lifecycle, Exams of Computer Science

A series of questions and answers related to secure software design, focusing on the security development lifecycle (SDL) and practices within software engineering. It covers topics such as vulnerability disclosure, security assurance maturity models, penetration testing phases, and compliance requirements. The document also explores threat modeling, privacy impact assessments, and various testing methodologies, offering insights into building security into software development processes. It is useful for students and professionals in computer science and software engineering, providing a concise overview of key security concepts and practices.

Typology: Exams

2024/2025

Available from 07/11/2025

NurseSarahwa

COMPUTER SCIENCE SOFTWARE ENGINEERING D487
SECURE SW DESIGN


Which post-release support activity defines the process to communicate, identify, and alleviate security threats?
PRSA1: External vulnerability disclosure response

What are two core practice areas of the OWASP Security Assurance Maturity Model (OpenSAMM)?
Governance, Construction

Which practice in the Ship (A5) phase of the security development cycle uses tools to identify weaknesses in the product?
Vulnerability scan

Which post-release support activity should be completed when companies are joining together?
Security architectural reviews

Which of the Ship (A5) deliverables of the security development cycle are performed during the A5 policy compliance analysis?
Analyze activities and standards

Which of the Ship (A5) deliverables of the security development cycle are performed during the code-assisted penetration testing?
white-box security test

Which of the Ship (A5) deliverables of the security development cycle are performed during the open-source licensing review?
license compliance

Which of the Ship (A5) deliverables of the security development cycle are performed during the final security review?
Release and ship

How can you establish your own SDL to build security into a process appropriate for your organization's needs based on agile?
iterative development

How can you establish your own SDL to build security into a process appropriate for your organization's needs based on DevOps?
continuous integration and continuous deployments

During what phase of SDL do all key stakeholders discuss, identify, and have common understandings of the security and privacy implications, considerations, and requirements?
A1 Security Assessment

What are the three areas of focus in secure software requirements?
Gathering the software requirements, data classification, and managing data protection requirements

During what phase of SDL is an initial project outline for security milestones developed and integrated into the development project schedule?
A1 Security Assessment

What term means requirements that describe what the system will do and its core purpose?
functional requirements

What term means requirements that describe any constraints or restrictions on a design but do not impact the core purpose of the system?
non-functional requirements

What term is a process that evaluates issues and privacy impact rating in relation to the privacy of personally identifiable information in the software?
privacy impact assessment

What term helps to determine the actual cost of the product from different perspectives?
product risk profile

What term is a table that lists all of the security requirements?
requirement traceability matrix

What term is the environment in which the product will operate and potential threats in that environment?
threat profile

What phase of the SDL examines security in terms of business risks, with inputs from the software security team and key stakeholders?
A2 Architecture Phase

In what phase of the SDL is threat modeling conducted?
A2 Architecture Phase

What is it called when technicians identify security objectives, survey applications, decompose applications, identify threats, and identify vulnerabilities?
threat modeling

What is the process to pinpoint security threats and potential vulnerabilities that will help prioritize remediation?
threat modeling

Five steps of threat modeling are: identify security objectives, survey the application, decompose it, identify threats, and identify vulnerabilities.

What does STRIDE stand for?
spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege

What does PASTA stand for?
process of attack simulation and threat analysis

How should you rank an organization's threats?
based on their probability and damage potential.

What does DREAD stand for?
damage potential, reproducibility, exploitability, affected users, and discoverability

What is a weakness that can be exploited?
vulnerability

What is a unified conceptual framework for security auditing?
Trike Threat Model

What is the path an attacker can take to exploit a vulnerability?
threat vector

What is reusable software developed externally from the organization's platforms?
third party codes

What is maliciously changing or modifying persistent data?
Tampering

What defines what needs to be protected and how it will be protected?
software security policy

What is performing illegal operations in a system that lacks the ability to trace the prohibited operations?
repudiation

What is determining the fundamental functions of an app?
application decomposition

What are threat models focused around senior management and protecting the assets of an organization?
asset-centric threat modeling

What are threat models that start with visualizing the application you are building?
application-centric threat modeling

Which shape indicates the trust boundary in the flow diagram?
dashed line

What are the two deliverables of the Architecture phase of the SDL?
threat modeling artifacts, policy compliance analysis

What SDL security assessment deliverable is used as an input to an SDL architecture process?
threat profile

What is alpha level testing?
testing done by the developers themselves

What is beta level testing?
testing done by those not familiar with the actual development of the system

What is black box testing?
tests from an external perspective with no prior knowledge of the software

What is the third phase of the security development life cycle, in which you analyze and test software to determine security and privacy issues as you make informed decisions moving forward with your software?
A3 Design and Development

What are external resources?
resources hired on a temporary basis to come into a project, test the application, and report findings

What are functional testing scripts?
step-by-step instructions for a specific scenario or situation

What is gray box testing?
analyzes the source code for the software to help design the test cases

What are internal resources?
resources from the company's organization

What are secure testing scripts?
scripts created specifically for the application being tested

What is white box testing?
tests from an internal perspective with full knowledge of the software

Which software security testing technique tests the software from an external perspective?
black box

What testing tests with no prior knowledge of the software? During this phase, only binary executable or intermediate byte code is analyzed.
black box

What is phase four of the SDL?
A4 Design and Development CONT

What is an open-source platform that can perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in over 25 programming languages?
SonarQube

What is analysis of computer software that is performed without actually executing programs?
static analysis

What identifies inputs and supplies those to the scanning components of the security tool?
Spider

Type of request to merge your code into another branch...
pull request

What silently analyzes all the hypertext transfer protocol (HTTP) requests and responses passing through the web application security tool?
passive scanner

Type of test done by the development tester to continually assess the quality of his or her work...
exploratory test

Type of application security testing to identify vulnerabilities within a product application
dynamic analysis

After the developer is done coding a functionality, when should code review be completed?
Within hours/same day

What is the order that code reviews should follow in order to be effective?
Identify security code review objectives, perform preliminary scan, review code for security issues, review the code for security issues unique to the architecture

When a software application handles personally identifiable information (PII) data, what will be the Privacy Impact Rating?
P1 High Privacy Risk

Which key success factor identifies threats to the software?
Effective threat modeling

What is the goal of design security review deliverables?
To make modifications to the design of software components based on security assessments

What tool is an AI-powered management solution?
Dynatrace

A new application is released, and users perform initial testing on the application. Which type of testing are the users performing?
Beta testing