A set of questions and answers related to secure software design, specifically updated for 2025 and 2026. It covers topics such as software security initiatives, static and dynamic analysis, ISO standards, secure coding practices, threat modeling, and Scrum methodologies. The questions are designed to test understanding of key concepts and best practices in software security, making it a valuable resource for students and professionals in the field. It includes questions on topics like the Building Security In Maturity Model (BSIMM), the OWASP Software Assurance Maturity Model (SAMM), and Common Computer Vulnerabilities and Exposures (CVE).
Typology: Exercises
Question 1
What is the study of real-world software security initiatives organized so companies can measure their initiatives and understand how to evolve them over time?
A) Building Security in Maturity Model (BSIMM)
B) Security features and design
C) OWASP Software Assurance Maturity Model (SAMM)
D) ISO 27001
Correct Answer A) Building Security in Maturity Model (BSIMM)

Question 2
What is the analysis of computer software that is performed without executing programs?
A) Static analysis
B) Fuzzing
C) Dynamic analysis
D) OWASP ZAP
Correct Answer A) Static analysis

Question 3
What ISO standard is the benchmark for information security today?
A) ISO/IEC 27001
B) ISO/IEC 7799
C) ISO/IEC 27034
D) ISO 8601
Correct Answer A) ISO 27001

Question 4
What is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time?
A) dynamic analysis
B) static analysis
C) fuzzing
D) security testing
Correct Answer A) dynamic analysis

Question 5

D) Identifying and documenting threats
Correct Answer A) Analyzing the target

Question 9
The Scrum team is attending their morning meeting, which is scheduled at the beginning of the work day. Each team member reports what they accomplished yesterday, what they plan to accomplish today, and whether they have any impediments that may cause them to miss their delivery deadline. Which Scrum ceremony is the team participating in?
A) Daily scrum
B) Sprint review
C) Sprint retrospective
D) Sprint planning
Correct Answer A) Daily scrum

Question 10
What is a list of information security vulnerabilities that aims to provide names for publicly known problems?
A) common computer vulnerabilities and exposures (CVE)
B) SANS Institute top cyber security risks
C) Bugtraq
D) Carnegie Mellon Computer Emergency Readiness Team (CERT)
Correct Answer A) common computer vulnerabilities and exposures (CVE)

Question 11
Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access?
A) access control
B) authentication and password management
C) cryptographic practices
D) data protection
Correct Answer C) cryptographic practices

Question 12
Which secure coding best practice ensures servers, frameworks, and system components are all running the latest approved versions?
A) file management
B) input validation
C) database security
D) system configuration
Correct Answer D) system configuration

Question 13
Which secure coding best practice says to use parameterized queries, encrypted connection strings stored in separate configuration files, and strong passwords or multi-factor authentication?
A) access control
B) database security
C) file management
D) session management
Correct Answer B) database security

Question 14
Which secure coding best practice says that all information passed to other systems should be encrypted?
A) output encoding
B) memory management
C) communication security
D) database security
Correct Answer C) communication security

Question 15
Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced is a member of the Scrum team, responsible for writing feature logic and attending sprint ceremonies. Which role is the team member playing?
A) Software developer
B) Product owner
C) Scrum master
D) Quality assurance analyst
Correct Answer A) Software developer

Question 16
A software security team member has created data flow diagrams, chosen the STRIDE methodology to perform threat reviews, and created the security assessment for the new product.

C) analyzing the target

Question 20
The Scrum team is attending their morning meeting, which is scheduled at the beginning of the work day. Each team member reports what they accomplished yesterday, what they plan to accomplish today, and whether they have any impediments that may cause them to miss their delivery deadline. Which Scrum ceremony is the team participating in?
A) Daily scrum
B) Sprint review
C) Sprint retrospective
D) Sprint planning
Correct Answer A) Daily scrum

Question 21
Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced is a member of the Scrum team, responsible for writing feature logic and attending sprint ceremonies. Which role is the team member playing?
A) scrum master
B) quality assurance analyst
C) software developer
D) product owner
Correct Answer C) software developer

Question 22
A software security team member has created data flow diagrams, chosen the STRIDE methodology to perform threat reviews, and created the security assessment for the new product. Which category of secure software best practices did the team member perform?
A) training
B) pen testing
C) code review
D) architecture analysis
Correct Answer D) architecture analysis

Question 23
Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced will be a facilitator, will try to remove roadblocks and ensure the team is communicating freely, and will be responsible for facilitating all Scrum ceremonies. Which role is the team member playing?
A) product owner
B) software developer
C) scrum master
D) quality assurance analyst
Correct Answer C) scrum master

Question 24
The new product standards state that all traffic must be secure and encrypted. What is the name for this secure coding practice?
A) communication security
B) system configuration
C) session management
D) access control
Correct Answer A) communication security

Question 25
Which DREAD category is based on how easily a threat exploit can be repeated?
A) reproducibility
B) discoverability
C) exploitability
D) affected users
Correct Answer A) reproducibility

Question 26
Which mitigation technique can be used to fight against a data tampering threat?
A) Throttling
B) Run with least privilege
C) Audit trails
D) digital signatures
Correct Answer D) digital signatures

Question 27
What is a countermeasure to the web application security frame (ASF) configuration management threat category?

Question 30
Which type of requirement specifies that user passwords will require a minimum of 8 characters and must include at least one uppercase character, one number, and one special character?
A) Privacy requirement
B) Data classification requirement
C) Security requirement
D) Functional requirement
Correct Answer C) Security requirement

Question 31
Which type of requirement specifies that credit card numbers are designated as highly sensitive confidential personal information?
A) Security requirement
B) Data classification requirement
C) Privacy requirement
D) Compliance requirement
Correct Answer B) Data classification requirement

Question 32
Which privacy impact statement requirement type defines how personal information is protected on devices used by more than a single associate?
A) Data integrity requirements
B) Access requirements
C) Privacy control requirements
D) Education of stakeholder's requirements
Correct Answer C) Privacy control requirements

Question 33
In which step of the PASTA threat modeling methodology does design flaw analysis take place?
A) Vulnerability and weakness analysis
B) Application decomposition
C) Attack modeling
D) Risk and impact analysis
Correct Answer A) Vulnerability and weakness analysis

Question 34
Which privacy impact statement requirement type defines who has access to personal information within the product?
A) Access requirements
B) Data integrity requirements
C) Personal information retention requirements
D) Additional software interaction requirements
Correct Answer A) Access requirements

Question 35
Which threat modeling process identifies threats to each individual object in a data flow diagram?
A) STRIDE-per-element
B) STRIDE-per-process
C) STRIDE-per-trust-boundary
D) STRIDE-per-interaction
Correct Answer A) STRIDE-per-element

Question 36
The DREAD methodology has been used to classify an identified exploit where:

A) Identify internal resources

Question 42
Security team members have been instructed to document how many users will access the new product and what roles those users will play. Which step of the security test plan is being performed?
A) Define test scripts
B) Identify external resources
C) Identify internal resources
D) Define the user community
Correct Answer D) Define the user community

Question 43
The project team received a SonarQube report of their most recent stage deployment that contains 15 vulnerabilities that must be fixed before the product may be released to production. Which security testing technique is being used?
A) Source-code analysis
B) Property-based testing
C) Source-code fault injection
D) Dynamic code analysis
Correct Answer A) Source-code analysis

Question 44
What is the application of multiple layers of protection so that, if one layer is breached, the next layer provides protection?
A) fail-safe
B) defense-in-depth
C) separation of duties
D) open design
Correct Answer B) defense-in-depth

Question 45
Which design and development deliverable details the progress of personal information requirements created in earlier phases of the security development lifecycle?
A) Privacy compliance report
B) Security testing reports
C) Remediation report
D) Security test execution report
Correct Answer A) Privacy compliance report

Question 46
Which design and development deliverable contains technical and executive level reports detailing any newly identified vulnerabilities?
A) Updated threat modeling artifacts
B) Privacy implementation assessment results
C) Security test plans
D) Design security review
Correct Answer A) Updated threat modeling artifacts

Question 47
Which programming language is highly susceptible to buffer overflow vulnerabilities?
A) C++
B) JavaScript
C) C#
D) Java
Correct Answer A) C++

Question 48
What is the first step of the SDLC/SDL code review process?
A) Identify security code review objectives
B) Perform preliminary scan
C) Review code for security issues
D) Review for security issues unique to the architecture
Correct Answer A) Identify security code review objectives

Question 49
Which type of software testing is being performed when an analyst executes a series of test cases based on application requirements?
A) Unit testing
B) Regression testing
C) Integration testing
D) Functional testing
Correct Answer D) Functional testing

Question 50

Correct Answer A) Ensure default accounts and passwords are disabled or removed

Question 54
During penetration testing, an analyst discovered a DOM-based (document object model) cross-site scripting vulnerability within the application's search bar that could allow an attacker to insert malicious code. How should the organization remediate this vulnerability?
A) Enforce encoding of special characters
B) Ensure all data is encrypted in transit
C) Ensure audit trails exist for all sensitive transactions
D) Follow the principle of least privilege for user and system accounts
Correct Answer A) Enforce encoding of special characters

Question 55
Application credentials are stored in the database using simple hashes to store passwords. An undiscovered credential recovery flaw allowed a security analyst to download the database and expose passwords using their GPU to crack the simple encryption. How should the organization remediate this vulnerability?
A) Enforce the use of strong, salted hashing functions when storing passwords
B) Enforce strong password complexity standards
C) Enforce regular password updates
D) Enforce encryption on credentials in transit
Correct Answer A) Enforce the use of strong, salted hashing functions when storing passwords

Question 56
During functional testing, a QA analyst using a non-admin account caused an application exception. After the exception was handled, the tester was able to navigate to the admin section of the application by typing the URL directly into the browser address bar. They were unable to force the same navigation before the exception was thrown. How should the organization remediate this vulnerability?
A) Ensure user privileges are restored to the appropriate level after exceptions
B) Ensure exceptions are handled in a centralized, structured way
C) Ensure error messages are scrubbed of any sensitive information
D) Ensure there is an audit log for all sensitive transactions
Correct Answer A) Ensure user privileges are restored to the appropriate level after exceptions

Question 57
The product security incident response team (PSIRT) determined a reported vulnerability was credible and of a high enough severity that it needs to be fixed. What is the response team's next step?
A) Identify resources and schedule the fix
B) Identify the team that owns the product
C) Notify customers that the fix is available
D) Determine how the reporter was able to create the vulnerability
Correct Answer A) Identify resources and schedule the fix

Question 58
Organizational leadership is considering buying a competitor and has asked the software security team to develop a plan to ensure the competitor's point-of-sale system complies with organizational policies. Which post-release deliverable is being described?
A) Security strategy for M&A products
B) Post-release certifications
C) Security strategy for legacy code
D) Third-party security review
Correct Answer A) Security strategy for M&A products

Question 59
The software security team has been tasked with identifying who will be involved when security vulnerabilities are reported from external entities. They are creating a RACI matrix that will identify stakeholders by who is responsible, accountable, consulted, and informed of any new vulnerabilities. Which post-release deliverable is being described?
A) External vulnerability disclosure response process
B) Third-party security review
C) Security strategy for legacy code
D) Post-release certifications
Correct Answer A) External vulnerability disclosure response process

Question 60
After determining a reported vulnerability was a credible claim, the product security incident response team (PSIRT) worked with development teams to create and test a patch. The patch is scheduled to be released at the end of the month. What is the response team's next step?
A) Notify customers that the fix is available
B) Publish the reasons for closing the case
C) Notify the reporter that the case is going to be closed
D) Identify the team that owns the product
Correct Answer A) Notify customers that the fix is available

Question 61
The final security review determined that all security issues identified in testing have been resolved and all SDL requirements have been met. What is the result of the final security review?
A) Passed
B) Passed with exceptions

The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing security testing results from recently completed initiatives. Which BSIMM domain is being assessed?
A) Software security development life cycle (SSDL) touchpoints
B) Intelligence
C) Governance
D) Deployment
Correct Answer A) Software security development life cycle (SSDL) touchpoints

Question 66
The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that the team must perform remote procedure call (RPC) fuzz testing?
A) Bucket requirement
B) One-time requirement
C) Every-sprint requirement
D) Final security review requirement
Correct Answer A) Bucket requirement

Question 67
The costs to remediate security flaws once a software product is released can run as much as _______ times the costs to remediate them while still in development:
A) 50
B) 100
C) 500
D) 1500
Correct Answer B) 100

Question 68
Defective software is:
A) A network security problem
B) An operating system security problem
C) A user-caused problem
D) A software development and engineering problem
Correct Answer D) A software development and engineering problem

Question 69
The three goals of the security development lifecycle are:
A) Reliability, efficiency, and maintainability
B) Speed, quality, and continuous releases
C) Confidentiality, integrity, and availability
D) Availability, reliability, and portability
Correct Answer C) Confidentiality, integrity, and availability

Question 70
Threat modeling and attack surface analysis is most effective when it's conducted:
A) Post-release
B) During product inception/product backlog development
C) During integration testing phase(s)
D) Prior to code development/commitment
Correct Answer B) During product inception/product backlog development

Question 71
A financial organization is reviewing its software development practices after a recent breach due to a buffer overflow vulnerability. The security lead argues that incorporating a structured Security Development Lifecycle (SDL) could mitigate such risks by catching these flaws early. What is the primary business benefit of implementing SDL in this scenario?
A) Decreased time-to-market by streamlining security processes
B) Improved software quality by detecting coding errors
C) Reduced remediation costs by addressing security flaws during development
D) Increased revenue through secure software sales
Correct Answer C) Reduced remediation costs by addressing security flaws during development

Question 72
During a security meeting, a software development team is confused about the difference between software security and application security. The security architect explains that focusing on SDL helps secure software from the start, while application security focuses on protection post-release. In this context, which statement best differentiates software security from application security?
A) Software security ensures operational security controls are in place, while application security uses SDL practices.
B) Software security builds security into the software, while application security defends it after deployment.
C) Software security manages post-release issues, while application security focuses on secure coding.
D) Software security relies on network security controls, while application security is specific to applications.
Correct Answer