Secure Software Design Exam: 300 Questions and Answers

300 questions and detailed answers with rationales related to secure software design. It covers topics such as the software development life cycle (SDL/SDLC), least privilege methods, security risks, nonfunctional requirements, password security, application attacks, and software testing techniques. It also includes change management processes, service-level agreements, and software threats. This resource is valuable for students and professionals studying software security and preparing for exams.

Typology: Exams

2025/2026

Available from 09/12/2025

Academicgenius
WGU MASTER'S COURSE C706 - SECURE SOFTWARE DESIGN EXAM LATEST 2024 ACTUAL EXAM 300 QUESTIONS AND CORRECT DETAILED ANSWERS WITH RATIONALES (VERIFIED ANSWERS) | ALREADY GRADED A+
Which phase of the software development life cycle (SDL/SDLC) would be used to determine the minimum set of privileges required to perform the targeted task and restrict the user to a domain with those privileges?
A Design
B Deploy
C Development
D Implementation - ...ANSWER..A

Which least privilege method is more granular in scope and grants specific processes only the privileges necessary to perform certain required functions, instead of granting them unrestricted access to the system?
A Entitlement privilege
B Separation of privilege
C Aggregation of privileges
D Segregation of responsibilities - ...ANSWER..B

Why does privilege creep pose a potential security risk?
A User privileges do not match their job role.
B With more privileges, there are more responsibilities.
C Auditing will show a mismatch between individual responsibilities and their access rights.

D Users have more privileges than they need and may perform actions outside their job description. - ...ANSWER..D

A system developer is implementing a new sales system. The system developer is concerned that unauthorized individuals may be able to view sensitive customer financial data. Which family of nonfunctional requirements should be considered as part of the acceptance criteria?
A Integrity
B Availability
C Nonrepudiation
D Confidentiality - ...ANSWER..D

A project manager is given the task to come up with nonfunctional acceptance criteria requirements for business owners as part of a project delivery. Which nonfunctional requirement should be applied to the acceptance criteria?
A Give search options to users
B Evaluate test execution results
C Divide users into groups and give them separate rights
D Develop software that keeps downward compatibility intact - ...ANSWER..B

A user was given a task to identify a nonfunctional acceptance criterion. Which nonfunctional requirement should be applied to the acceptance criteria?
A Encryption used during data transfer
B Review of the most recent test results
C Software developed keeping downward compatibility intact

Which type of application attack is used to harvest and steal sensitive information?
A Whaling
B Remote access tool
C Malicious file execution
D Advanced persistent threat - ...ANSWER..B

Which type of application attack is commonly waged through the use of rootkits?
A Backdoor
B Time of check
C Rainbow table
D Escalation of privilege - ...ANSWER..D

Which attack aims to make a web service unavailable or unusable?
A Spoofing
B Tampering
C Repudiation
D Denial-of-service - ...ANSWER..D

A company is developing a new software application that requires users to log in using a username and password. The company needs to implement a security control that is effective at preventing spoofing during the log-in process. Which security control is effective at preventing this threat action?
A Integrity
B Authorization
C Authentication
D Confidentiality - ...ANSWER..C

A company is developing a new database application. The company needs to implement a security control that is effective at preventing tampering. Which security control is effective at preventing this threat action?
A Integrity
B Authorization
C Authentication
D Confidentiality - ...ANSWER..A

A bank is developing a new checking account application for customers and needs to implement a security control that is effective at preventing an elevation of privilege attack. Which security control is effective at preventing this threat action?
A Integrity
B Authorization
C Authentication
D Confidentiality - ...ANSWER..B

A database has a table called "orders_table" which has the columns order_no, last_name, first_name, ship_city, and credit_card. A hacker wants to perform the following SQL injection code to attack this table:
SELECT * FROM orders_table WHERE order_no= ' ' OR '1'='1';
Which software testing technique is the most effective approach to identify this attack?

D Reasonableness check - ...ANSWER..D

Which item is a phase of the change management process?
A Budget planning
B Communication planning
C Assessment management
D Project time management - ...ANSWER..B

Which part of the change management process addresses the need to identify, understand, and help leaders manage opposition throughout the organization?
A Training development
B Resistance management
C Communication planning
D Employee corrective action - ...ANSWER..B

Which component of the change management process allows developers to prioritize tasks?
A Change control
B Release control
C Request control
D Configuration control - ...ANSWER..C

Which component of the change management process involves new system deployment testing where the new system and the old system are operating at the same time?
A Parallel run
B Direct cutover
C Phased approach
D Backout procedure - ...ANSWER..A

Which technique documents incident response times agreed upon by both a provider and a customer?

A Capacity plan
B Service-level agreement
C Change management plan
D Configuration management system - ...ANSWER..B

Which element is commonly addressed in a service-level agreement (SLA)?
A Virus protection
B Service availability
C Patch management
D Equipment and media disposal - ...ANSWER..B

The ASF threat list describes a risk that may occur when a software developer forgets to set an expiration for a cookie. Which countermeasure addresses this vulnerability?
A User and session management
B Authentication and authorization
C Data protection in storage and transit
D Error handling and exception management - ...ANSWER..A

An undocumented command sequence is allowing unauthorized access to a software system. What type of software defect allows this vulnerability?
A Backdoor
B Rootkit attack
C Buffer overflow
D Cross-site scripting - ...ANSWER..A

A small organization experiences an XSS attack on their web application.

Which technique should remediate this vulnerability?
A Prohibiting downloads of Java applets
B Prohibiting downloads of ActiveX content
C Clearing the Domain Name System (DNS) cache
D Clearing the Address Resolution Protocol (ARP) cache - ...ANSWER..B

A system administrator wants to use physical controls to prevent unauthorized access to information that belongs to users at a different security level. Which strategy would prevent this problem?
A Layering
B Abstraction
C Process isolation
D Hardware segmentation - ...ANSWER..D

A video company has installed new software. The developers need to establish a defense against zero-day attacks. What is the best way to manage this vulnerability?
A Apply threat modeling
B Use a strong password
C Install the latest patches
D Create another user log-in - ...ANSWER..C

Which type of attack would a hacker use to exploit a vulnerability that allows access to be increased to the administrator level?
A Rootkit
B Whaling
C Waterhole
D Dictionary - ...ANSWER..A

Which type of attack involves exploiting a social engineering vulnerability over voice communications?
A Rootkit
B Vishing
C Waterhole
D Dictionary - ...ANSWER..B

Which method provides line-of-code-level detection that enables development teams to remediate vulnerabilities quickly?
A Dynamic Cone Pen Testing (DCPT)
B Static Application Security Testing (SAST)
C Common Weakness Enumeration (CWE)
D Common Vulnerabilities and Exposures (CVE) - ...ANSWER..B

Which technique should be used to detect a software vulnerability that causes extra characters to appear in data fields of a front-facing web application?
A Static analysis
B Dynamic analysis
C Binary code analysis
D Property-based testing - ...ANSWER..A

What is a known SDL metric used to measure protection against vulnerabilities?
A The number of files or objects
B Findings summary report
C The number of security defects found through static analysis tools
D The progress against privacy requirements provided in earlier phases - ...ANSWER..C

Which statement is true of covert channels?
A Covert channels are addressed by a C2 rating provided by TCSEC.

C DDE is a graphical technique that is used to track the progress of a project over a period of time.
D DDE is a software interface that enables communication between an application and a database. - ...ANSWER..A

How does an ActiveX component enforce security?
A by using sandboxes
B by using object codes
C by using macro languages
D by using Authenticode - ...ANSWER..D

Which statements are true regarding software process assessments? Choose TWO:
A They develop an action plan for continuous process improvement.
B They identify contractors who are qualified to develop software or to monitor the state of the software process in a current software project.
C They determine the state of an organization's current software process and are used to gain support from within the organization for a software process improvement program.
D They develop a risk profile for source selection. - ...ANSWER..AC

What is the best description of CAPI?
A an application programming interface that uses two-factor authentication
B an application programming interface that provides encryption
C an application programming interface that uses Kerberos
D an application programming interface that provides accountability - ...ANSWER..B

Your company decides you must purchase a new software product to help the marketing staff manage their marketing campaigns and resources. During which phase of the software acquisition process is the product actually deployed?
A Planning phase
B Monitoring phase
C Maintaining phase
D Contracting phase - ...ANSWER..B

What is the definition of polymorphism?
A the ability to suppress superfluous details so that the important properties can be examined
B when different objects respond to the same command or input in different ways
C the process of categorizing objects that will be appropriate for a solution
D representation of a real-world problem - ...ANSWER..B

What is another name for an asynchronous attack?
A time-of-check/time-of-use (TOC/TOU) attack
B race condition
C maintenance hook
D buffer overflow - ...ANSWER..A

Which virus is written in Visual Basic (VB) and is capable of infecting operating systems?
A stealth virus
B self-garbling virus
C polymorphic virus
D macro virus - ...ANSWER..D

B Submit the change results to the management.
C Acquire management approval.
D Record the change request. - ...ANSWER..A

Which interface language is an application programming interface (API) that can be configured to allow any application to query databases?
A JDBC
B XML
C OLE DB
D ODBC - ...ANSWER..D

Which type of channel is used when one process writes data to a hard drive and another process reads it?
A covert storage channel
B overt storage channel
C overt timing channel
D covert timing channel - ...ANSWER..A

Which type of malicious attack uses Visual Basic scripting?
A dumpster diving attack
B denial of service attack
C Trojan horse attack
D social engineering attack - ...ANSWER..C

All of the following are countermeasures for session management attacks, EXCEPT:
A Implement pre- and post-validation controls.
B Encrypt cookies that include information about the state of the connection.
C Implement time stamps or time-based validation.
D Implement randomized session IDs. - ...ANSWER..A

Which tool assists in application development design layout as a part of the application development life cycle?
A Aggregation
B Delphi
C Spiral
D CASE - ...ANSWER..D

What is a characteristic of maintaining logs in a system?
A Logging provides access control by authenticating user credentials.
B Logging helps an administrator to detect security breaches and vulnerable points in a network.
C Logging provides audit trails but enhances security violations.
D Logging prevents security violations but only deals with passive monitoring. - ...ANSWER..B

Your company has purchased an expert system that uses if-then-else reasoning to obtain more data than is currently available. Which expert system processing technique is being implemented?
A forward-chaining technique
B backward-chaining technique
C waterfall model
D spiral model - ...ANSWER..A

Which type of malicious code is hidden inside an otherwise benign program when the program is written?
A worm
B logic bomb
C Trojan horse
D virus - ...ANSWER..C

Which statement is true of a software development life cycle?

A type of passive attack.
B social engineering technique.
C not an example of data diddling.
D involves stealing small amounts of money from multiple accounts. - ...ANSWER..D

Your company decides that a new software product must be purchased to help the marketing staff manage their marketing campaigns and the resources used. During which phase of the software acquisition process do you document the software requirements?
A Monitoring phase
B Maintaining phase
C Planning phase
D Contracting phase - ...ANSWER..C

You have been tasked with the development of a new application for your organization. You are engaged in the project initiation phase. Which activity should you implement during this phase?
A certification and accreditation
B defining formal functional baseline
C functionality and performance tests
D identification of threats and vulnerabilities - ...ANSWER..D

Which Web browser add-in uses Authenticode for security?
A Common Gateway Interface (CGI)
B ActiveX
C Cross-site scripting (XSS)
D Java - ...ANSWER..B

Which statement correctly defines the multipart virus?

A multipart virus is coded in macro language.
B multipart virus can change some of its characteristics while it replicates.
C multipart virus can hide itself from antivirus software by distorting its code.
D multipart virus can infect both executable files and boot sectors of hard disk drives. - ...ANSWER..D

Which malicious software relies upon other applications to execute and infect the system? Each correct answer represents a complete solution. Choose two.
A worm
B logic bomb
C Trojan horse
D virus - ...ANSWER..CD

What is the primary function of COCOMO?
A cost estimation
B time estimation
C risk estimation
D threat analysis - ...ANSWER..A

You have implemented a new network for a customer. Management has requested that you implement anti-virus software that is capable of detecting all types of malicious code, including unknown malware. Which type of anti-virus software should you implement?
A heuristic detection
B behavior blocking
C immunization
D signature-based detection - ...ANSWER..A

During a recent security assessment, you discover that a computer on your network has been compromised. An application has been