Secure Software Design Questions and Answers, Exams of Information Technology

A series of multiple-choice questions and answers related to secure software design principles and practices. It covers topics such as secure coding, authorization, integrity, SDLC phases, threat modeling, and privacy impact assessment, and offers insights into best practices for building secure software applications.

Typology: Exams

2024/2025

Available from 04/08/2025

QUIZBANK01

D487: Secure Software Design Questions

1. What are the two common best principles of software applications in the development process? Choose 2 answers.

  • Quality code
  • Secure code
  • Information security
  • Integrity
  • Availability

Answer: Quality code; Secure code

"Quality code" is correct. Quality code is efficient code that is easy to maintain and reusable. "Secure code" is correct. Secure code authorizes and authenticates every user transaction, logs the transaction, and denies all unauthorized requisitions.

2. What ensures that the user has the appropriate role and privilege to view data?

  • Authentication
  • Multi-factor authentication
  • Encryption
  • Information security
  • Authorization

Answer: Authorization

Authorization ensures a user's information and credentials are approved by the system.

3. Which security goal is defined by "guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity"?

  • Integrity
  • Quality
  • Availability
  • Reliability

Answer: Integrity

The data must remain unchanged by unauthorized users and remain reliable from the data entry point to the database and back.

4. Which phase in an SDLC helps to define the problem and scope of any existing systems and determine the objectives of new systems?

  • Requirements
  • Design
  • Planning
  • Testing

Answer: Planning

The planning stage sets the project schedule and looks at the big picture.

5. What happens during a dynamic code review?

  • Programmers monitor system memory, functional behavior, response times, and overall performance.
  • Customers perform tests to check software meets requirements.
  • An analysis of computer programs without executing them is performed.
  • Input fields are supplied with unexpected input and tested.

Answer: Programmers monitor system memory, functional behavior, response times, and overall performance.

6. How should you store your application user credentials in your application database?

  • Use application logic to encrypt credentials
  • Store credentials as clear text
  • Store credentials using Base 64 encoded
  • Store credentials using salted hashes

Answer: Store credentials using salted hashes

Hashing is a one-way process that converts a password to ciphertext using hash algorithms. Password salting adds random characters before or after a password prior to hashing to obfuscate the actual password.

7. Which software methodology resembles an assembly-line approach? V-model

To ensure that security is built into the product from the start: To ensure that security is built into the product from the start To correctly and cost-effectively introduce security into the software development life cycle, it needs to be done early.

11. Why should a security team provide documented certification requirements during the software assessment phase?

  • Certification is required if the organization wants to move to the cloud.
  • Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers.
  • By ensuring software products are certified, the organization is protected from future litigation.
  • By ensuring all developers have security certifications before writing any code, teams can forego discovery sessions.

Answer: Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers.

Any new product may need to be certified based on the data it stores, the frameworks it uses, or the domain in which it resides. Those certification requirements need to be analyzed and documented early in the development life cycle.

12. What are two items that should be included in the privacy impact assessment plan regardless of which methodology is used? Choose 2 answers.

  • Required process steps
  • Technologies and techniques
  • SDL project outline
  • Threat modeling
  • Post-implementation signoffs

Answer: Required process steps; Technologies and techniques

"Required process steps" is correct. Required process steps explain in more detail which requirements are relevant to developers, detailing what types of data are considered sensitive and how they need to be protected. "Technologies and techniques" is correct. Technologies and techniques detail techniques for meeting legislative requirements in five categories: Confidentiality, Integrity, Availability, Auditing and Logging, and Authentication.

13. What are the goals of each SDL deliverable? Select one of these options for each deliverable:

  • Estimate the actual cost of the product
  • Identify dependence on unmanaged software
  • Map security activities to the development schedule
  • Guide security activities to protect the product from vulnerabilities

  • Product risk profile
  • SDL project outline
  • Threat profile
  • List of third-party software

Answer:

  • Estimate the actual cost of the product
  • Map security activities to the development schedule
  • Guide security activities to protect the product from vulnerabilities
  • Identify dependence on unmanaged software

The product risk profile helps management see the actual cost of a product. The SDL project outline maps security activities to the development schedule. A threat profile guides the security team on how to protect the product from threats. The third-party software list identifies all components the product is using that are managed outside the organization.

14. What is a threat action that is designed to illegally access and use another person's credentials?

Tampering Spoofing Elevation of privilege Information disclosure:

  • Rectangle
  • Two parallel horizontal lines
  • Solid line with an arrow.
  • Dashed line

  • External elements
  • Data store
  • Data flow
  • Trust boundary

Answer:

  • Rectangle
  • Two parallel horizontal lines
  • Solid line with an arrow.
  • Dashed line

A rectangle in a data flow diagram represents an element outside your control and external to your software application. Two parallel horizontal lines in a data flow diagram represent where data can be stored but not modified. A single solid line with an arrow in a data flow diagram represents the movement of data within the software. A single dashed line in a data flow diagram represents scenarios that exist between elements running at different privilege levels or different components running at the same privilege level.

18. What are the two deliverables of the Architecture phase of the SDL? Choose 2 answers.

  • Threat modeling artifacts
  • Policy compliance analysis
  • Information disclosure
  • Attack modeling
  • Application decomposition

Answer: Threat modeling artifacts; Policy compliance analysis

"Threat modeling artifacts" is correct. Threat modeling artifacts include data flow diagrams, technical threat modeling reports, high-level executive threat modeling reports, and recommendations for threat analysis. "Policy compliance analysis" is correct. Policy compliance analysis is a report on compliance with security and non-security policies of the organization.

19. What SDL security assessment deliverable is used as an input to an SDL architecture process?

  • SDL project outline
  • Certification requirements
  • Product risk profile
  • Threat profile

Answer: Threat profile

Threat profiles created in the Security Assessment phase are used to build the

This goal lists changes to the software components and design based on a review from security architects and the assessments team.

23. Which application scanner component is useful in identifying vulnerabilities such as cookie misconfigurations and insecure configuration of HTTP response headers?

  • Spider
  • Virus scanner
  • Active scanner
  • Passive scanner

Answer: Passive scanner

Passive scanning is used to analyze vulnerability requests and to respond silently as they pass through the web application security tool.

24. Which type of attack occurs when an attacker uses malicious code in the data sent in a form?

  • SQL injection
  • Distributed Denial-of-Service (DDoS)
  • Cross-site scripting
  • Man-in-the-middle attack

Answer: Cross-site scripting

Cross-site scripting (XSS) attacks are a type of injection in which attackers use scripts that are injected into otherwise benign and trusted websites.

25. Which tools provide the given functions?

  • SonarQube
  • JIRA
  • Dynatrace
  • Jenkins

Question 6a: Self-managed, automatic code review product
Question 6b: Open-source automation server
Question 6c: Proprietary issue tracking product
Question 6d: AI-powered management solution

Answer:

  • SonarQube: This tool systematically helps to deliver clean code by analyzing 30+ programming languages and integrates with the continuous integration pipeline and DevOps platform.
  • Jenkins: This tool enables developers around the world to reliably build, test, and deploy their software.
  • JIRA: This tool is developed by Atlassian and allows bug tracking and agile project management.
  • Dynatrace: This tool is a full-stack, automated performance and infrastructure management solution.

26. A new application is released, and users perform initial testing on the application. Which type of testing are the users performing?

  • Alpha testing
  • Unit testing
  • Beta testing
  • Integration testing

Answer: Beta testing

Without having to guess or interpret behavior, this method gives full access to the software's possible behaviors. Tests a specific operational deployment By having specific areas to test, this method can identify infrastructure, configuration, and patch errors more easily. Testing in a random approach By having a closed testing system, this method can find bugs that would often be missed by the human eye. Requires no supporting technology By having a flexible approach, this method can be applied to a variety of situations.

29. Which practice in the Ship (A5) phase of the security development cycle verifies whether the product meets security mandates?

  • Open-source licensing review
  • Code-assisted penetration testing
  • Final security review
  • A5 policy compliance analysis

Answer: A5 policy compliance analysis

A5 policy compliance analysis ensures that products have met requirements, undergone compliance activities at each SDL phase, and passed quality gates before release.

30. Which post-release support activity defines the process to communicate, identify, and alleviate security threats?

  • PRSA3: Post-release certifications
  • PRSA1: External vulnerability disclosure response
  • PRSA4: Internal review for new product combinations or cloud deployments
  • PRSA2: Third-party reviews

Answer: PRSA1: External vulnerability disclosure response

The external vulnerability disclosure response (PRSA1) defines processes to evaluate and mitigate security vulnerabilities discovered post-release. It also details how the organization will communicate to customers.

31. What are two core practice areas of the OWASP Security Assurance Maturity Model (OpenSAMM)? Choose 2 answers.

  • Governance
  • Construction
  • Results
  • Objective

Answer: Governance; Construction

"Governance" is correct. Governance focuses on the processes and activities related to organizational software development activities within OpenSAMM practice areas. "Construction" is correct. Construction focuses on the processes and activities related to creating software within development projects within OpenSAMM practice areas.

32. Which practice in the Ship (A5) phase of the security development cycle uses tools to identify weaknesses in the product?

  • Final privacy review
  • Vulnerability scan
  • Remediation report
  • Customer engagement framework

Answer: Vulnerability scan

Vulnerability scanning tools use databases of threat signatures to identify vulnerabilities in applications.

33. Which post-release support activity should be completed when companies are joining together?

  • Post-release certifications
  • Third-party security reviews
  • Internal review
  • Security architectural reviews

Answer: Security architectural reviews

Review of software during a merger or acquisition to ensure that software is secure during the merging process.

parts of the software.

35. How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments?

  • Continuous integration and continuous deployment
  • API invocation processes
  • Iterative development
  • Enables and improves business activities

Question 7a: Agile
Question 7b: DevOps
Question 7c: Cloud
Question 7d: Digital enterprise

Answer:

  • Iterative development: This method uses requirements and solutions evolving through collaboration.
  • Continuous integration and continuous deployment: This method involves teams working together as partners as they learn how their product operates in the real world.
  • API invocation processes: This method uses new ways of data to rethink how applications are built, deployed, and used.
  • Enables and improves business activities: This method involves digitizing systems rapidly and dramatically.

36. Which phase of penetration testing allows for remediation to be performed?

  • Evaluation and plan
  • Identify
  • Deploy
  • Assess

Answer: Deploy

During this phase, the penetration test is executed, and any issues will be resolved.

37. Which key deliverable occurs during post-release support?

  • Security testing reports
  • Customer engagement framework
  • Third-party reviews
  • Remediation report

Answer: Third-party reviews

Third-party reviews are security assessments from outside groups (other than internal testing teams).

38. Which business function of OpenSAMM is associated with the following core practices?

-Policy and compliance -Threat assessment -Code review -Vulnerability management Question 10a: Governance Question 10b: Construction

information.

41. What are the three primary tools basic to the security development life cycle? Choose 3 answers.

  • Fuzzing or fuzz testing
  • Static analysis testing
  • Dynamic analysis testing
  • Software security architects
  • Measurement model

Answer: Fuzzing or fuzz testing; Static analysis testing; Dynamic analysis testing

"Fuzzing or fuzz testing" is correct. Fuzz testing is automated or semi-automated testing that provides invalid, unexpected, or random data to the computer software program. "Static analysis testing" is correct. Static analysis analyzes computer software without executing programs. "Dynamic analysis testing" is correct. Dynamic analysis analyzes computer software while executing programs.

42. In which phase of the SDLC should the software security team be involved?

  • Planning
  • Support and Sustain
  • Design and Development
  • Release and Launch
  • Concept

Answer: Concept

During the concept phase, initial details are discussed and conceptualized. It is crucial for the security team to be a part of these discussions to integrate security throughout the entire process.

43. What determines the order of items in a product backlog in Scrum?

  • Order is decided by the Scrum Team
  • Order is decided by the ScrumMaster
  • Order is decided by the project manager
  • Order is decided based on value of the items being delivered

Answer: Order is decided based on value of the items being delivered

Order is decided based on the value of the item/requirement in the backlog as it helps business when the item is done and business can start using it. The Product Owner decides the order of items in the backlog.

44. Why is the Waterfall methodology most useful for smaller projects?

  • When a project is smaller, it can easily be turned back upwards after the coding phase is complete.
  • When a project is smaller, the risk of changing requirements and scope is lower.
  • When a project is smaller, it doesn't need any time for reflection.
  • When a project is smaller, there is an emphasis on empowering teams with collaborative decision-making.

Answer: When a project is smaller, the risk of changing requirements and scope is lower.

The Waterfall method works with each stage being clearly defined. The project builds on itself, and in smaller projects, this creates a clearer and easily definable path.

45. What is the product risk profile?

  • A security assessment deliverable that lists education requirements for product and operations teams
  • A security assessment deliverable that maps activities to the development schedule
  • A security assessment deliverable that guides SDL activities to mitigate issues
  • A security assessment deliverable that estimates the actual cost of the product

Answer: A security assessment deliverable that estimates the actual cost of the product

Looking at products from different perspectives allows management to determine the actual cost of a product, which includes selling it in different markets, and liabilities that might be incurred.

46. A software security team member has been tasked with creating a deliverable that provides details on where and to what degree sensitive customer information is collected, stored, or created within a new product offering. What does the team member need to deliver in order to meet the objective?