Secure Software Design Practice Questions

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Which aspect of threat modeling is being addressed as part of a work breakdown structure using DREAD as a security model? A. Analyzing threats B. Threat mitigation C. Threat resolution D. Identifying threats

A. Analyzing threats

A software engineering project WBS identifies Requirements Analysis as one of the work activities. The project manager wants to use a matrix organization to staff the project with requirements engineers who have security-specific skills and experience. How should the security requirements engineers be grouped? A. By requirements-definition functions B. As members of the security department C. As direct reports to the chief security officer D. By hierarchy so that security requirements are given high priority

A. By requirements-definition functions

Which two goals does threat modeling accomplish? Choose 2 answers A. Defines the security of an application B. Helps in the selection of an operating system C. Increases accessibility to a system D. Reduces the number of vulnerabilities E. Improves design efficiency

A. Defines the security of an application D. Reduces the number of vulnerabilities

A member of the development team is tasked with final code review and deployment of the finished product to various environments at project completion. Which role has this team member been asked to fill? A. Release manager B. Developer C. Business analyst D. Quality assurance tester

A. Release manager

Which methodology is used for measuring the type of vulnerability? A. STRIDE B. DREAD C. OCTAVE D. OWASP

A. STRIDE

A software developer is preparing a documented plan that verifies a system's code performs the proper actions. Which role is this developer filling? A. Tester B. Business analyst C. Release manager D. Developer

A. Tester

A firm is monitoring the status of a software development project with earned value, where budgeted cost of work scheduled (BCWS) and budgeted cost of work performed (BCWP) is respectively given as 35 Pers-days and 70 Pers-days. The sum of the actual efforts of all of the tasks that have been completed at a specific status-checking date is 75 Pers-days. After computing the schedule variance (SV) and cost variance (CV), what are the relevant indicators (SV and CV) of the project status? A. 35 Pers-days, 5 Pers-days B. 35 Pers-days, -5 Pers-days C. 105 Pers-days, 40 Pers-days D. 105 Pers-days, -35 Pers-days

B. 35 Pers-days, -5 Pers-days

System engineers are following the software development life cycle (SDLC) process and defining system requirements, performing an analysis, and designing the application. Which management control domain do these actions primarily align to? A. Monitoring B. Acquisition and implementation C. Planning and organization D. Delivery and support

B. Acquisition and implementation

An employee has been supporting the SDLC process for a new web application. The employee is in charge of identifying the requirements the web application needs to satisfy. The employee will also be identifying who will be impacted by the application. After the application is developed in the test environment, the employee will ensure that the user acceptance testing (UAT) is completed. Which role in the SDLC does this employee have? A. Tester B. Business analyst C. Project manager D. Architect

B. Business analyst

Which methodology are T-MAP-defined, threat-relevant attributes primarily derived from? A. DREAD B. CVSS C. STRIDE D. OCTAVE

B. CVSS

Under which maturity level in the staged representation model should project monitoring and control be performed? A. Maturity level 1 B. Maturity level 2 C. Maturity level 3 D. Maturity level 4 E. Maturity level 5

B. Maturity level 2

What is an iterative and incremental model that utilizes the divide-and-conquer methodology to decompose a complex problem into parts? A. Multiple-component B. Rational Unified Process (RUP) C. Multiple-release D. Waterfall

B. Rational Unified Process (RUP)

At the end of threat modeling, a company wants to rate the threats based on probability and damage potential. Which approach is suitable? A. SSA B. T-MAP C. DREAD D. STRIDE

C. DREAD

Verification and validation take place during the implementation and training phase of the software development life cycle (SDLC). In which two management control domains are these efforts performed? Choose 2 answers A. Acquisition and implementation B. Planning and organization C. Monitoring D. Delivery and support

C. Monitoring D. Delivery and support

The focus of a team falls under the Capability Maturity Model Integration (CMMI) engineering category, specifically under the verification phase. Which activity performed by this team would be relevant to verification as it relates to the secure development lifecycle (SDL)? A. Defining minimum acceptable levels of security and privacy quality B. Analyzing source code prior to compilation and documenting peer review results C. Performing run time checks for memory corruption and user privilege issues D. Examining software design based on costs and regulatory requirements

C. Performing run time checks for memory corruption and user privilege issues

Which system development methodology provides a resource to entry-level developers with limited exposure? A. joint application development B. agile model C. waterfall model D. extreme programming

C. waterfall model

Which core element of cybersecurity is implemented through the following secure software design features? Cryptography = Non-repudiation = Redundancy = Digital signatures =

Cryptography = Confidentiality Non-repudiation = Integrity Redundancy = Availability Digital signatures = Integrity

A lead developer is measuring the number of security defects found in a particular phase of the software development life cycle (SDLC) and tracking the rate of security defect identification. At which level of the Capability Maturity Model Integration (CMMI) framework is the lead developer operating? A. CMM level 1 B. CMM level 2 C. CMM level 3 D. CMM level 4 E. CMM level 5

D. CMM level 4

Which modeling approach assigns ratings based on attack reproducibility and vulnerability exploitability? A. CVSS B. OCTAVE C. STRIDE D. DREAD

D. DREAD Damage - how bad? Reproducibility - reproducible? Exploitability - how hard to do? Affected users - how many people would be affected? Discoverability - how easy to discover?

A software development project team is moving from performing random fuzz testing to a more structured approach that optimizes the overall testing performed on the system and attempts to achieve efficiencies as part of the software development life cycle. At which Capability Maturity Model Integration (CMMI) maturity level is this team performing? A. Level 2 B. Level 3 C. Level 4 D. Level 5

D. Level 5

Which maturity level of the Capability Maturity Model Integration (CMMI) is characterized by a focus on continuous process improvement, including defect prevention, technology change management, and process change management? A. Maturity level 2 B. Maturity level 3 C. Maturity level 4 D. Maturity level 5

D. Maturity level 5

An organization is executing an incident response plan. In which SDLC phase does this activity take place? A. Project definition B. Design C. Installation D. Operation

D. Operation

What is a characteristic of maturity level 2 of the staged representation model of Capability Maturity Model Integration (CMMI)? A. Organizational process performance B. Integrated teaming C. Causal analysis and resolution D. Project planning

D. Project planning

Who conducts the code review process as part of the last phase of the software development process? A. Architect B. Tester C. Project manager D. Release manager

D. Release manager

Which threat model focuses on the end results of possible attacks rather than on the identification of each specific attack? A. SSA B. SSD C. DREAD D. STRIDE

D. STRIDE Spoofing Tampering Repudiation Information disclosure Denial of Service Escalation of privilege

Which narrative approach should help guide the mitigation that needs to be put in place to protect a system from attacks? A. Attack tree B. Penetration testing C. Model-driven development D. Threat model

D. Threat model

A web application that will be hosted on a system that was previously limited to the organization's internal network is being developed. What expands the network attack surface and will enable a threat actor to command embedded malware, which would result from the change in the trust boundary for this application? A. Old software versions B. Weak passwords C. Stale and unnecessary accounts D. Unnecessary open ports

D. Unnecessary open ports

What is a common attack scenario faced by web servers? A. Malformed queries that attempt to extract sensitive data B. Password cracking attempts that disclose user credentials C. Spoofed server IP addresses that redirect the client D. Unsolicited TCP requests that overwhelm resources

D. Unsolicited TCP requests that overwhelm resources

A company is developing a web application for employees. The web application must meet the following requirements: • Employees must be able to use the web application to track shipments. • The web application must be able to store personal information and shipment details. • Although the web application will be accessible outside of the company's intranet, employees' information must be secure. Which process should be used to make certain that the web application meets these requirements? A. redundancy in the data B. SDLC agile model C. SDLC waterfall model D. software assurance

D. software assurance

A software firm is planning to develop a web-based project with a team of up to eight people. What is a relevant software methodology to apply where others' roles may be filled by the same people, including a project manager and business expert? A. Crystal orange web B. Waterfall C. Crystal orange D. Crystal Clear E. Scrum

E. Scrum

Match DREAD classification term to description: Exploitability

Measures the effort required to launch an attack

Match DREAD classification term to description: Affected users

Measures the number of installed instances of the system affected by an exploit

Which core element of cybersecurity is implemented through the following secure software design features? Off-site backup Public key Hash Message digest

Off-site backup = Availability Public key = Confidentiality Hash = Integrity Message digest = Integrity

Match DREAD classification term to description: Reproducibility

Ranks how often an attempt at exploiting a vulnerability really works

Match DREAD classification term to description: Damage potential

Ranks the extent of harm that occurs if a vulnerability is exploited

A development team has chosen the waterfall methodology as an SDLC approach. This methodology was chosen because of the limited experience of the team, but waterfall has several security considerations. Match each phase of the waterfall methodology to its appropriate security concern. Requirements analysis Design Construction/implementation Testing Installation Operation

Requirements analysis - Define security features Design - Misuse cases/vulnerability mapping Construction/implementation - Secure coding practices Testing - Penetration assessment Installation - Final security review Operation - Periodic security review and updates

Match DREAD classification term to description: Discoverability

States the likelihood that a vulnerability will be found by security researchers or hackers


Kaugnay na mga set ng pag-aaral

AP Psychology Sensation and Perception Practice Test Answers

View Set

Block 3-Thomson Hall : CYBER SYS OPS

View Set

DIEM VUONG C22-2 -XONG-AMERICAN AND THE GREAT WAR

View Set

Biology Unit 1 Chapter 6 - Immunity

View Set