A series of multiple-choice questions and answers related to secure software design principles and practices. It covers topics such as secure coding, authorization, integrity, sdlc phases, threat modeling, and privacy impact assessment. Insights into best practices for building secure software applications.
Typology: Exams
answers. Quality code Secure code Information security Integrity Availability: Quality code Secure code "Quality code" is correct. Quality code is efficient code that is easy to maintain and reusable. "Secure code" is correct. Secure code authorizes and authenticates every user transaction, logs the transaction, and denies all unauthorized requisitions.
Authentication Multi-factor authentication Encryption Information security Authorization: Authorization Authorization ensures a user's information and credentials are approved by the system.
ensuring information non-repudiation and authenticity"? Integrity Quality Availability
Reliability: Integrity The data must remain unchanged by unauthorized users and remain reliable from the data entry point to the database and back.
the objectives of new systems? Requirements Design Planning Testing: Planning The planning stage sets the project schedule and looks at the big picture.
Programmers monitor system memory, functional behavior, response times, and overall performance. Customers perform tests to check software meets requirements. An analysis of computer programs without executing them is performed. Input fields are supplied with unexpected input and tested.: Programmers monitor system memory, functional behavior, response times, and overall performance.
Use application logic to encrypt credentials Store credentials as clear text Store credentials using Base 64 encoded Store credentials using salted hashes: Store credentials using salted hashes Hashing is a one-way process that converts a password to ciphertext using hash algorithms. Password salting adds random characters before or after a password prior to hashing to obfuscate the actual password.
To ensure that security is built into the product from the start: To ensure that security is built into the product from the start To correctly and cost-effectively introduce security into the software development life cycle, it needs to be done early.
assessment phase? Certification is required if the organization wants to move to the cloud. Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers. By ensuring software products are certified, the organization is protected from future litigation. By ensuring all developers have security certifications before writing any code, teams can forego discovery sessions.: Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers. Any new product may need to be certified based on the data it stores, the frameworks it uses, or the domain in which it resides. Those certification requirements need to be analyzed and documented early in the development life cycle.
methodology is used? Choose 2 answers. Required process steps Technologies and techniques SDL project outline Threat modeling Post-implementation signoffs: Required process steps Technologies and techniques "Required process steps" is correct. Required process steps explain in more detail which requirements are relevant to
developers, detailing what types of data are considered sensitive and how they need to be protected. "Technologies and techniques" is correct. Technologies and techniques detail techniques for meeting legislative requirements in five categories: Confidentiality, Integrity, Availability, Auditing and Logging, and Authentication.
options for each deliverable: -Estimate the actual cost of the product -Identify dependence on unmanaged software -Map security activities to the development schedule -Guide security activities to protect the product from vulnerabilities Product risk profile SDL project outline Threat profile List of third-party software: Estimate the actual cost of the product Map security activities to the development schedule Guide security activities to protect the product from vulnerabilities Identify dependence on unmanaged software The product risk profile helps management see the actual cost of a product. The SDL project outline maps security activities to the development schedule. A threat profile guides the security team on how to protect the product from threats. The third-party software list identifies all components the product is using that are managed outside the organization.
Tampering Spoofing Elevation of privilege Information disclosure:
-Two parallel horizontal lines -Solid line with an arrow.
Threat modeling artifacts Policy compliance analysis Information disclosure Attack modeling Application decomposition: Threat modeling artifacts Policy compliance analysis "Threat modeling artifacts" is correct. Threat modeling artifacts include data flow diagrams, technical threat modeling reports, high-level executive threat modeling reports, and recommendations for threat analysis. "Policy compliance analysis" is correct. Policy compliance analysis is a report on compliance with security and non-
security policies of the organization.
SDL project outline Certification requirements Product risk profile Threat profile: Threat profile Threat profiles created in the Security Assessment phase are used to build the
This goal lists changes to the software components and design based on a review from security architects and the assessments team.
misconfigurations and insecure configuration of HTTP response headers? Spider Virus scanner Active scanner Passive scanner: Passive scanner Passive scanning is used to analyze vulnerability requests and to respond silently as they pass through the web application security tool.
SQL injection Distributed Denial-of-Service (DDoS) Cross-site scripting Man-in-the-middle attack: Cross-site scripting Cross-site scripting (XSS) attacks are a type of injection in which attackers use scripts that are injected into otherwise benign and trusted websites.
Question 6a: Self-managed, automatic code review product Question 6b: Open-source automation server Question 6c: Proprietary issue tracking product Question 6d: AI-powered management solution: SonarQube This tool systematically helps to deliver clean code by analyzing 30+ programming languages and integrates with the continuous integration pipeline and DevOps platform. Jenkins This tool enables developers around the world to reliably build, test, and deploy their software. JIRA This tool is developed by Atlassian and allows bug tracking and agile project management. Dynatrace This tool is a full-stack, automated performance and infrastructure management solution.
are the users performing? Alpha testing Unit testing Beta testing Integration testing: Beta testing
Without having to guess or interpret behavior, this method gives full access to the software's possible behaviors. Tests a specific operational deployment By having specific areas to test, this method can identify infrastructure, configuration, and patch errors more easily. Testing in a random approach By having a closed testing system, this method can find bugs that would often be missed by the human eye. Requires no supporting technology By having a flexible approach, this method can be applied to a variety of situations.
meets security mandates? Open-source licensing review Code-assisted penetration testing Final security review A5 policy compliance analysis: A5 policy compliance analysis A5 policy compliance analysis ensures that products have met requirements, undergone compliance activities at each SDL phase, and passed quality gates before release.
threats? PRSA3: Post-release certifications PRSA1: External vulnerability disclosure response PRSA4: Internal review for new product combinations or cloud deployments PRSA2: Third-party reviews: PRSA1: External vulnerability disclosure response The external vulnerability disclosure response (PRSA1) defines processes to evaluate and mitigate security vulnerabilities discovered post-release. It also details how the organization will communicate to customers.
Choose 2 answers. Governance Construction Results Objective: Governance Construction "Governance" is correct. Governance focuses on the processes and activities related to organizational software development activities within OpenSAMM practice areas. "Construction" is correct. Construction focuses on the processes and activities related to creating software within development projects within OpenSAMM practice areas.
in the product? Final privacy review Vulnerability scan Remediation report Customer engagement framework: Vulnerability scan Vulnerability scanning tools use databases of threat signatures to identify vulnerabilities in applications.
Post-release certifications Third-party security reviews Internal review Security architectural reviews: Security architectural reviews Review of software during a merger or acquisition to ensure that software is secure during the merging process.
parts of the software.
needs based on the given environments? -Continuous integration and continuous deployment -API invocation processes -Iterative development -Enables and improves business activities Question 7a: Agile Question 7b: DevOps Question 7c: Cloud Question 7d: Digital enterprise: Iterative development This method uses requirements and solutions evolving through collaboration. Continuous integration and continuous deployment This method involves teams working together as partners as they learn how their product operates in the real world. API invocation processes This method uses new ways of data to rethink how applications are built, deployed, and used. Enables and improves business activities This method involves digitizing systems rapidly and dramatically.
Evaluation and plan Identify Deploy Assess: Deploy During this phase, the penetration test is executed, and any issues will be resolved.
Customer engagement framework Third-party reviews Remediation report: Third-party reviews Third-party reviews are security assessments from outside groups (other than internal testing teams).
-Policy and compliance -Threat assessment -Code review -Vulnerability management Question 10a: Governance Question 10b: Construction
information.
Fuzzing or fuzz testing Static analysis testing Dynamic analysis testing Software security architects Measurement model: Fuzzing or fuzz testing Static analysis testing Dynamic analysis testing "Fuzzing or fuzz testing" is correct. Fuzz testing is automated or semi-automated testing that provides invalid, unexpected, or random data to the computer software program. "Static analysis testing" is correct. Static analysis analyzes computer software without executing programs. "Dynamic analysis testing" is correct. Dynamic analysis analyzes computer software while executing programs.
Planning Support and Sustain Design and Development Release and Launch Concept: Concept During the concept phase, initial details are discussed and conceptualized. It is crucial for the security team to be a part of these discussions to integrate security throughout the entire process.
Team Order is decided by the ScrumMaster Order is decided by the project manager
Order is decided based on value of the items being delivered: Order is decided based on value of the items being delivered Order is decided based on the value of the item/requirement in the backlog as it helps business when the item is done and business can start using it. The Product Owner decides the order of items in the backlog.
turned back upwards after the coding phase is complete. When a project is smaller, the risk of changing requirements and scope is lower. When a project is smaller, it doesn't need any time for reflection. When a project is smaller, there is an emphasis on empowering teams with collaborative decision-making.: When a project is smaller, the risk of changing requirements and scope is lower. The Waterfall method works with each stage being clearly defined. The project builds on itself, and in smaller projects, this creates a clearer and easily definable path.
A security assessment deliverable that lists education requirements for product and operations teams A security assessment deliverable that maps activities to the development schedule A security assessment deliverable that guides SDL activities to mitigate issues A security assessment deliverable that estimates the actual cost of the product: A security assessment deliverable that estimates the actual cost of the product Looking at products from different perspectives allows management to determine the actual cost of a product, which includes selling it in different markets, and liabilities that might be incurred.
where and to what degree sensitive customer information is collected, stored, or created within a new product offering. What does the team member need to deliver in order to meet the objective?