Software Security and Development Lifecycle (SDL) — Complete Question and Answer Guide

Typology: Exams

2024/2025

Uploaded on 11/06/2025

scott-benzeleski
Which due diligence activity for supply chain security should occur in the initiation phase of the software acquisition life cycle?
Ans✔✔Developing a request for proposal (RFP) that includes supply chain security risk management

Which due diligence activity for supply chain security investigates the means by which data sets are shared and assessed?
Ans✔✔A document exchange and review

Consider these characteristics:
Identification of the entity making the access request
Verification that the request has not changed since its initiation
Application of the appropriate authorization procedures
Reexamination of previously authorized requests by the same entity
Which security design analysis is being described?
Ans✔✔Complete mediation

Which software security principle guards against the improper modification or destruction of information and ensures the nonrepudiation and authenticity of information?
Ans✔✔Integrity

What type of functional security requirement involves receiving, processing, storing, transmitting, and delivering in report form?
Ans✔✔Primary dataflow

Which nonfunctional security requirement provides a way to capture information correctly and a way to store that information to help support later audits?
Ans✔✔Logging

Which security concept refers to the quality of information that could cause harm or damage if disclosed?
Ans✔✔Sensitivity

Which technology would be an example of an injection flaw, according to the OWASP Top 10?
Ans✔✔SQL

A company is creating a new software to track customer balance and wants to design a secure application. Which best practice should be applied?
Ans✔✔Create multiple layers of protection so that a subsequent layer provides protection if a layer is breached

A company is developing a secure software that has to be evaluated and tested by a large number of experts. Which security principle should be applied?
Ans✔✔Open Design

Which type of TCP scanning indicates that a system is moving to the second phase in a three-way TCP handshake?
Ans✔✔TCP SYN scanning

Which evaluation technique provides invalid, unexpected, or random data to the inputs of a computer software program?
Ans✔✔Fuzz testing

Which approach provides an opportunity to improve the software development life cycle by tailoring the process to the specific risks facing the organization?
Ans✔✔Software assurance maturity model (SAMM)

An application development team is designing and building an application that interfaces with a back-end database. Which activity should be included when constructing a threat model for the application?
Ans✔✔Decompose the application to understand how it interacts with external entities

What is the third step for constructing a threat model for identifying a spoofing threat?
Ans✔✔Decompose threats

What is a step for constructing a threat model for a project when using practical risk analysis?
Ans✔✔Make a list of what you are trying to protect

Which cyber threats are typically surgical by nature, have highly specific targeting, and are technologically sophisticated?
Ans✔✔Tactical attacks

Which type of cyberattacks are often intended to elevate awareness of a topic?
Ans✔✔Sociopolitical attacks

What type of attack locks a user's desktop and then requires a payment to unlock it?
Ans✔✔Ransomware

What is a countermeasure against various forms of XML and XML path injection attacks?
Ans✔✔XML attribute escaping

Which countermeasure is used to mitigate SQL injection attacks?
Ans✔✔Query parameterization

What is an appropriate countermeasure to an escalation of privilege attack?
Ans✔✔Restricting access to specific operations through role-based access controls

Which configuration management security countermeasure implements least privilege access control?
Ans✔✔Restricting file access to users based on authorization

Which phase of the software development life cycle (SDL/SDLC) would be used to determine the minimum set of privileges required to perform the targeted task and restrict the user to a domain with those privileges?
Ans✔✔Design

Which least privilege method is more granular in scope and grants specific processes only the privileges necessary to perform certain required functions, instead of granting them unrestricted access to the system?
Ans✔✔Separation of privilege

Why does privilege creep pose a potential security risk?
Ans✔✔Users have more privileges than they need and may perform actions outside their job description.

A system developer is implementing a new sales system. The system developer is concerned that unauthorized individuals may be able to view sensitive customer financial data. Which family of nonfunctional requirements should be considered as part of the acceptance criteria?
Ans✔✔Confidentiality

A project manager is given the task to come up with nonfunctional acceptance criteria requirements for business owners as part of a project delivery. Which nonfunctional requirement should be applied to the acceptance criteria?
Ans✔✔Evaluate test execution results

A user was given a task to identify a nonfunctional acceptance criteria. Which nonfunctional requirement should be applied to the acceptance criteria?
Ans✔✔Review of the most recent test results

Which type of attack allows the complete disclosure or destruction of all data on a system and allows attackers to spoof identity, tamper with existing data, and cause repudiation issues such as voiding transactions or changing balances?
Ans✔✔SQL injection

Which type of application attack is used to harvest and steal sensitive information?
Ans✔✔RAT

Which software security testing technique can be categorized as white box?
Ans✔✔Source code analysis

Which software testing approach can be used against an attacker who manipulates input strings in banking software to gain access to another individual's overdrawn account in order to withdraw funds?
Ans✔✔Misuse case testing

Which security testing technique allows the evaluators to circumvent the security features of a system?
Ans✔✔Penetration testing

Which software control test executes an application and then uses data that is designed to evaluate whether the values returned by the application match a specified range of criteria?
Ans✔✔Reasonableness check

Which item is a phase of the change management process?
Ans✔✔Communication planning

Which part of the change management process addresses the needs to identify, understand, and help leaders manage opposition throughout the organization?
Ans✔✔Resistance management

Which component of the change management process allows developers to prioritize tasks?
Ans✔✔Request control

Which component of the change management process involves new system deployment testing where the new system and the old system are operating at the same time?
Ans✔✔Parallel run

Which technique documents incident response times agreed upon by both a provider and a customer?
Ans✔✔SLA

Which element is commonly addressed in a service-level agreement (SLA)?
Ans✔✔Service availability

The ASF threat list describes a risk that may occur when a software developer forgets to set an expiration for a cookie. Which countermeasure addresses this vulnerability?
Ans✔✔User and session management

A small organization experiences an XSS attack on their web application. What type of vulnerability has occurred?
Ans✔✔Cross site scripting

What type of software threat occurs when password resets reveal password hints and valid usernames, according to the Application Security Frame (ASF)?
Ans✔✔Authentication

What type of software threat occurs when output encoding is skipped, according to the Application Security Frame (ASF)?
Ans✔✔Data and parameter validation

Which form of malicious software hides in the lower levels of an operating system with privileged access permissions and opens a backdoor on the system?
Ans✔✔Rootkit

A security administrator wants to prevent web-based code that has full access to a Windows operating system when executing on user systems. Which technique should remediate this vulnerability?
Ans✔✔Prohibiting downloads of ActiveX content

A system administrator wants to use physical controls to prevent unauthorized access to information that belongs to users at a different security level. Which strategy would prevent this problem?
Ans✔✔Hardware segmentation

A video company has installed new software. The developers need to establish a defense against zero-day attacks. What is the best way to manage this vulnerability?
Ans✔✔Install the latest patches

Question 5: The majority of ______ against software ______ some vulnerability or weakness in that software; these terms are often used interchangeably.
Ans✔✔attacks, exploit

Question 6: Which concept in the software life cycle understands the potential security threats to the system, determines risk, and establishes appropriate mitigations?
Ans✔✔Threat modeling

Question 7: What is responsible for ensuring timely and reliable access to and use of information?
Ans✔✔Availability

Question 8: What is responsible for guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity?
Ans✔✔Integrity

Question 9: The most well-known SDL model is the ______, a process that Microsoft has adopted for the development of software that needs to withstand malicious attack and is considered the most mature of the top three models.
Ans✔✔Trustworthy Computing Security Development Lifecycle

The ISO/IEC ______ standard provides guidance to help organizations embed security within their processes that help secure applications running in the environment, including application life cycle processes.
Ans✔✔27034

Question 11: ______ is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services.
Ans✔✔SAFECODE

The ______ is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems.
Ans✔✔CVE

______ is a black-box software testing technique that can be automated and provides invalid, unexpected, or random data to the inputs of a computer software program.
Ans✔✔Fuzzing

Question 16: It is important in ______ meetings, when the software security team is included, to ensure that security is a key element of the SDLC and is built into the process.
Ans✔✔Kick-off

Question 19: The setting of the ______ for any SDL phase will make it more effective and will help in performing post-mortem afterwards to understand what worked and what did not.
Ans✔✔Key success factors

Question 20: The SDL ______ should outline security milestones based on the information gained during the previous phase and integrate them into the overall SDLC schedule to allow proper preparation as changes occur.
Ans✔✔Project plan

Question 21: The ______ meeting is essentially an SDL kick-off meeting where the key SDLC stakeholders get on the same page at the beginning of the process so that security is built in rather than bolted on post-release.
Ans✔✔Discovery

Bringing the security team into the development process early is the most ______ way to enable risk identification, planning, and mitigation.
Ans✔✔cost-effective

Question 38: During phase ______, any policy that exists outside the domain of the SDL policy is reviewed. This may include policies from outside the development organization.
Ans✔✔A

What is considered an advantage of dynamic code analysis?
Ans✔✔Automated tools provide flexibility on what to scan for

Question 42: The goal of the ______ security code review process is to improve the overall security of the product and to provide output that can be used by the development team to make changes and mitigations that will achieve improved software product security.
Ans✔✔final

The basic design of a product may contain flaws, and it should be noted that all coding errors are not actual ______.
Ans✔✔vulnerabilities

Question 48: ______ is a white-box security analysis of a software system to simulate the actions of a hacker, with the objective of uncovering potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses.
Ans✔✔Penetration testing

Question 51: What is the first in the four-phase process to achieve the minimum requirements for penetration testing?
Ans✔✔Assess

Question 53: Which two International Standards Organization (ISO) standards relate to the proper functioning of a vendor PSIRT?
Ans✔✔29147 & 30111

In relation to software security, a ______ is responsible for responding to software product security incidents involving external discoveries of post-release software product security vulnerabilities.
Ans✔✔PSIRT

Question 56: What consists of multiple security assessments from independent parties?
Ans✔✔Third-Party Security Reviews

Question 57: What requires a communication cadence with customers that should be formalized and published so that everyone in the company is aware of it and can invoke it if needed?
Ans✔✔External Vulnerability Disclosure Response Process

The ______ is that once software has been through an SDL, you can re-use the software code any way you want. This presumption is false because any architectural changes that have occurred after release of a software product will likely introduce new attack vectors in the previously secure code.
Ans✔✔misconception

What illustrates the flow of activities through the SDL?
Ans✔✔Architect → Design → Code → Test

What is the first step in the architecture task flow for when a project is new or a redesign?
Ans✔✔Architecture Assessment

Question 64: Requirements and architecture as a front-end process to Agile cycles is also known as ______.
Ans✔✔Sprints

Question 67: What is one principle that should be used during the development of software as defined by software security expert Gary McGraw?
Ans✔✔Grant least privilege

The U.S. Department of Defense has announced five strategic initiatives it is taking. First, treat cyberspace as an operational domain of war, just like land, sea, air, and space. Hence, the "fifth domain" of war is recognized as an operational theater. Second, evolve new defense concepts to combat cyber-attacks. This entails taking four basic steps, as shown below:
Ans✔✔Enhance cyber best practices to improve its cyber security. Deter and mitigate insider threats, strengthen workforce communications, workforce accountability, internal monitoring, and information management capabilities.

Question 84: Which of the following is an additional consideration when evaluating vendors?
Ans✔✔Additional considerations when evaluating vendors include:
Security Engineering Processes
Requirements Gathering
Ability to work with business representatives
SDLC Methodology and Maturity

Which of the following represents an example of a vendor customization?
Ans✔✔Vendor customization is the ability to adapt vendor products to local requirements such as:
Reports
Access controls
Privacy regulations
Interoperability with other systems

Provide assurance to management of the effectiveness of the security program and compliance with regulations.
Ans✔✔Role of Audit

Which statement correctly defines spamming attacks?
Ans✔✔repeatedly sending identical e-mails to a specific address

You should not implement ______ as a countermeasure for session management attacks. Pre- and post-validation controls are countermeasures to use in parameter validation attacks.
Ans✔✔pre- and post-validation controls

Question 91: Which statement correctly defines the object-oriented database model?
Ans✔✔It can store data that includes multimedia clips, images, video, and graphics.

Question 94: Which virus is written in Visual Basic (VB) and is capable of infecting operating systems?
Ans✔✔Macro Virus

Question 96: Which type of channel is used when one process writes data to a hard drive and another process reads it?
Ans✔✔covert storage channel

Question 97: Which Web browser add-in uses Authenticode for security?
Ans✔✔ActiveX

Question 98: Which type of virus installs itself under the anti-virus system and intercepts any calls that the anti-virus system makes to the operating system?
Ans✔✔tunneling virus

Question 99: What is the best description of CAPI?
Ans✔✔Cryptographic application programming interface (CAPI) is an application programming interface that provides encryption.

Question 100: How does an ActiveX component enforce security?
Ans✔✔by using Authenticode

Question 101: Which statement is true of a software development life cycle?
Ans✔✔Unit testing should be performed by the developer and the quality assurance team.

Which extensions are used for naming batch files in a Microsoft environment?
Ans✔✔Bat and cmd

The ______ indicates a dynamic link library file. These are generally used in device drivers and for other configuration purposes.
Ans✔✔.dll file extension

During a software development project, you need to ensure that the periodic progress of the project is monitored appropriately. Which technique(s) can be used?
Gantt charts
Unit testing
Delphi technique
Program Evaluation Review Technique charts

Question 114: Your organization has a fault-tolerant, clustered database that maintains sales records. Which transactional technique is used in this environment?
Ans✔✔Online transaction processing

Question 116: Which interface language is an application programming interface (API) that can be configured to allow any application to query databases?
Ans✔✔Open Database connectivity

Different types of viruses:
Ans✔✔Stealth virus: It hides the changes it makes as it replicates.
Self-garbling virus: It formats its own code to prevent antivirus software from detecting it.
Polymorphic virus: It can produce multiple operational copies of itself.
Multipart virus: It can infect system files and boot sectors of a computer system.
Macro virus: It generally infects the system by attaching itself to MS-Office applications.
Boot sector virus: It infects the master boot record of the system and is spread via infected floppy disks.
Compression virus: It decompresses itself upon execution but otherwise resides normally in a system.

Ways to look at attacks for XSS and similar:
Ans✔✔Your organization experienced a cross-site scripting (XSS) attack. An XSS attack occurs when an attacker locates a vulnerability on a Web site that allows the attacker to inject malicious code into a Web application. A buffer overflow occurs when an invalid amount of input is written to the buffer area.

A SQL injection occurs when an attacker inputs actual database commands into the database input fields instead of the valid input. Path traversal occurs when the ../ characters are entered into the URL to traverse directories that are not supposed to be available from the Web.

You should analyze the change request. The change control procedures ensure that all modifications are authorized, tested, and recorded. Therefore, these procedures serve the primary aim of auditing and review by the management. The necessary steps in a change control process are as follows:
Ans✔✔Make a formal request.
Analyze the request. This step includes developing the implementation strategy, calculating the costs of the implementation, and reviewing the security implication of implementing the change.
Record the change request.
Submit the change request for approval. This step involves getting approval of the actual change once all the work necessary to complete the change has been analyzed.
Make changes. The changes are implemented and the version is updated in this step.
Submit results to management: In this step, the change results are reported to management for review.

Question 125: Which statement correctly describes a Trojan horse?
Ans✔✔It embeds malicious code within useful utilities.

Question 126: Which type of virus is specifically designed to take advantage of the extension search order of an operating system?
Ans✔✔Companion

Question 127: Which term describes a module's ability to perform its job without using other modules?
Ans✔✔low coupling