Partial preview of the text
Download D487 - Secure Software Design Knowledge Check and Quiz and more Exams Computer Science in PDF only on Docsity!
D487 - Secure Software Design Knowledge Check and Quiz What are the two common best principles of software applications in the development process? Quality Code & Secure Code 2 multiple choice options What ensures that the user has the appropriate role and privilege to view data? Authorization 3 multiple choice options Which security goal is defined by "guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity"? Integrity 3 multiple choice options Which phase in an SDLC helps to define the problem and scope of any existing systems and determine the objectives of new systems? Planning 3 multiple choice options What happens during a dynamic code review? Programmers monitor system memory, functional behavior, response times, and overall performance. 3 multiple chuice options Tow should you store your application user credentials in your application database? Store credentials using salted hashes 3 multiple choice options Which software methodology resembles an assembly-line approach? Waterfall model 3 multiple choice options Which software methodology approach provides faster time to market and higher business value? Agile model 3 multiple choice options In Scrum methodology, who is responsible for making decisions on the requirements? Product Owner 3 multiple chuice options What is the product risk profile? A security assessment deliverable that estimates the actual cost of the product 3 multiple choice options A software security team member has been tasked with creating a deliverable that provides details on where and to what degree sensitive customer information is collected, stored, or created within a new product offering. ‘What does the team member need to deliver in order to meet the objective? Privacy impact assessment 3 multiple choice options A software security team member has been tasked with creating a threat model for the login process of a new product.What is the first step the team member should take? Identify security objectives 3 multiple choice options What are three parts of the STRIDE methodology? Spoofing, Elevation, Tampering 3 multiple choice options What is the reason software security teams host discovery meetings with stakeholders early in the development life cycle? To ensure that security is built into the product from the start 3 multiple choice options Why should a security team provide documented certification requirements during the software assessment phase? Depending on the cnvironment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers. 3 multiple chuice options What are two items that should be included in the privacy impact assessment plan regardless of which methodology is used? Required process steps & Technologies and techniques 3 multiple choice options What are the goals of each SDL deliverable? - Product Risk Profile Estimate the actual cost of the product 3 multiple choice options What are the goals of each SDL deliverable? -SDL project outline Map security activitics to the development schedule 3 multiple choice options What are the goals of cach SDL deliverable? - Threat profile Guide security activities to protect the product from vulnerabilities 3 multiple chuice options What are the goals of each SDL deliverable? -List of third-party software Identify the dependence on unmanaged software 3 multiple choice options ‘What is a threat action that is designed to illegally access and use another person's credentials? Spoofing 3 multiple choice options What are two steps of the threat modeling process? Survey The application & Decompose the application 3 multiple chvice options What do the "A" and the first "D" in the DREAD acronym represent? Damage & Affected Users 3 multiple choice options Which shape indicates each type of flow diagram element? - External elements Rectangle 3 multiple choice options Which shape indicates each type of flow diagram element? - Data Store Two Parallel horizontal lines 3 multiple choice options Which shape indicates each type of flow diagram element? - Data Flow Solid Line with an arrow Which type of attack occurs when an attacker uses malicious code in the data sent in a form? Cross-site scripting 3 multiple choice options Which tools provide the given functions? - Self Managed Automatic Code Review Product SonarQube 3 multiple choice options Which tools provide the given functions? - Proprictary issue tracking product JIRA. 3 multiple chuice options Which tools provide the given functions? - Open-source automation server Jenkins 3 multiple choice options Which tools provide the given functions? - Al-Powered managemnt soltuion Dynatrace 3 multiple choice options A new application is released, and users perform initial testing on the application. Which type of testing are the users performing? Beta Testing What is a non-system-related component in software security testing attack surface validation? Users 3 multiple choice options When an application's input validation is not handled properly, it could result in which kind of vulnerabilities’? SQL injection, cross-site scripting 3 multiple chuice options What are the advantages of the following security analysis tools? - Static Code Analysis Access to the actual instructions the software will be guessing 3 multiple choice options ‘What are the advantages of the following security analysis tools? - Dynamic Code Analysis Tests a specific operational deployment 3 multiple choice options What are the advantages of the following security analysis tools? - Fuzz Testing Testing in a random approach 3 multiple chuice options What are the advantages of the following security analysis tools? - Manual Code Review Requires no supporting Technology 3 multiple choice options Which activity in the Ship (A5) phase of the security development cycle sets requirements for quality gates that must be met before release? AS policy compliance analysis 3 multiple choice options Which post-release support activity should be completed when companies are joining together? Security architectural reviews 3 multiple choice options The company's website uses querystring parameters to filter products by category. The URL, when filtering on a product category, looks like this: company.com/products?calegory=2. Tf the security team saw a URL of company.com/products?category—2 OR /—/ in the logs, what assumption should they make? An attacker is attempting to use SQL injection to gain access to information. 3 multiple choice options Which post-release support activity (PRSA) details the process for investigating, mitigating, and communicating findings when security vulnerabilities are discovered in a software product? External vulnerability disclosure response 3 multiple choice options Which post-release support kcy success factor says that any change or component reuse should trigger security development life cycle activities? SDL cycle for any architectural changes or code reuses 3 multiple choice options Which step will you find in the SANS Institute Cyber Defense seven-step recipe for conducting threat modeling and application risk analysis? Brainstorm threats from adversaries 3 multiple choice options In which OpenSAMM core practice area would one find environment hardening? Deployment 3 multiple choice options Which practice in the Ship (A5) phase of the sceurity development cyele verifics whether the product meets security mandates? AS policy compliance analysis 3 multiple choice options Which post-release support activity defines the process to communicate, identify, and alleviate security threats? PRSAL: External vulnerability disclosure response 3 multiple choice options ‘What are two core practice areas of the OWASP Security Assurance Maturity Model (OpenSAMM)? Governance & Construction 3 multiple choice options Which practice in the Ship (A5) phase of the security development cycle uses tools to identify weaknesses in the product? Vulnerability Scan 3 multiple choice options Tow can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments? - Cloud. APT invocation processes 3 multiple choice options Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions? - AS Policy Compliance Analysis Analyze activities and standards 3 multiple choice options