D487 - Secure Software Design
Which privacy impact statement requirement type defines who has access to personal information within the product? A) Access requirements B) Data integrity requirements C) Personal information retention requirements D) Additional software interaction requirements
A) Access requirements
The software security team is currently working to identify approaches for input validation, authentication, authorization, and configuration management of a new software product so they can deliver a security profile. Which threat modeling step is being described? A) Analyzing the target B) Drawing data flow diagram C) Rating threats D) Identifying and documenting threats
A) Analyzing the target
What is the recommended way to mitigate a threat identified during threat modeling? A) Apply a standard accepted countermeasure B) Create a custom countermeasure specific to the new threat C) Add low-risk, high effort to fix threats to the support team backlog D) Log occurrences of the exploit for later mitigation
A) Apply a standard accepted countermeasure
A software security team member has created data flow diagrams, chosen the STRIDE methodology to perform threat reviews, and created the security assessment for the new product. Which category of secure software best practices did the team member perform? A) Architecture analysis B) Training C) Penetration testing D) Code review
A) Architecture analysis
The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that the team must perform remote procedure call (RPC) fuzz testing? A) Bucket requirement B) One-time requirement C) Every-sprint requirement D) Final security review requirement
A) Bucket requirement
What is the study of real-world software security initiatives organized so companies can measure their initiatives and understand how to evolve them over time? A) Building Security in Maturity Model (BSIMM) B) Security features and design C) OWASP Software Assurance Maturity Model (SAMM) D) ISO 27001
A) Building Security in Maturity Model (BSIMM)
Which programming language is highly susceptible to buffer overflow vulnerabilities? A) C++ B) JavaScript C) C# D) Java
A) C++
The scrum team is attending their morning meeting, which is scheduled at the beginning of the work day. Each team member reports what they accomplished yesterday, what they plan to accomplish today, and if they have any impediments that may cause them to miss their delivery deadline. Which scrum ceremony is the team participating in? A) Daily scrum B) Sprint review C) Sprint retrospective D) Sprint planning
A) Daily scrum
During penetration testing, an analyst discovered a DOM-based (document object model) cross-site scripting vulnerability within the application's search bar that could allow an attacker to insert malicious code. How should the organization remediate this vulnerability? A) Enforce encoding of special characters B) Ensure all data is encrypted in transit C) Ensure audit trails exist for all sensitive transactions D) Follow the principle of least privilege for user and system accounts
A) Enforce encoding of special characters
Application passwords are stored in the database as simple, unsalted hashes. A previously undiscovered credential recovery flaw allowed a security analyst to download the database and recover the passwords by cracking the unsalted hashes with a GPU. How should the organization remediate this vulnerability? A) Enforce the use of strong, salted hashing functions when storing passwords B) Enforce strong password complexity standards C) Enforce regular password updates D) Enforce encryption on credentials in transit
A) Enforce the use of strong, salted hashing functions when storing passwords
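Worked example for the item above, added here and not part of the original question set. It contrasts the flawed scheme (one fast, unsalted SHA-256 per password, which falls to a precomputed dictionary shared across every row in the dump) with a salted, slow PBKDF2-HMAC-SHA256 hash verified in constant time. The wordlist is a constructed stand-in for the attacker's GPU dictionary, and the iteration count is an assumption (OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000; tune it to the target hardware).

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed stand-in for the attacker's wordlist. A real cracker tries billions
# of candidates per second on a GPU, which is exactly why a fast unsalted hash fails.
WORDLIST = ["letmein", "qwerty", "password123", "hunter2", "Summer2024!"]

# Assumed work factor (OWASP guidance for PBKDF2-HMAC-SHA256). Raise it as hardware improves.
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """The flawed scheme from the question: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against an unsalted digest.

    Each candidate is hashed exactly once and the resulting table is reused
    against every row in the stolen database, so the cost is amortised over all users.
    """
    table = {weak_hash(candidate): candidate for candidate in wordlist}
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted hash, stored as algorithm$iterations$salt$digest.

    Keeping the parameters beside the digest lets the iteration count be raised
    later without invalidating rows hashed under the old setting.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked = weak_hash("password123")
    print("unsalted SHA-256 recovered as:", crack_unsalted(leaked, WORDLIST))
    stored = hash_password("password123")
    print("stored form:", stored)
    print("correct password verifies:", verify_password("password123", stored))
    print("wrong password verifies:", verify_password("letmein", stored))
    # Same password, fresh salt: a different row, so no shared precomputed table applies.
    print("salted hashes differ per user:", hash_password("password123") != stored)
```

The per-user salt is what defeats the shared table; the iteration count is what makes each remaining guess expensive. Either alone is insufficient, and `hmac.compare_digest` closes the timing side channel that a plain `==` on the digest would leave open.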
An organizational security review discovered multiple database instances that were installed using publicly available default settings, including security and access. How should the organization remediate this vulnerability? A) Ensure default accounts and passwords are disabled or removed B) Ensure auditing and logging is enabled on all servers C) Ensure access to configuration files is limited to administrators D) Ensure servers are configured to return as little information as possible to network requests
A) Ensure default accounts and passwords are disabled or removed
A security tester changed the application URL from www.app.com/account?id='3' to www.app.com/account?id='3 or 1=1', which returned a collection of account information. Database logs showed that the executed query was SELECT * FROM ACCOUNTS WHERE accountId=3 or 1=1. How should existing security controls be adjusted to prevent this in the future? A) Ensure server-side queries are parameterized B) Ensure all requests and responses are encrypted C) Ensure sensitive transactions can be traced through an audit log D) Ensure database service accounts do not have administrative access
A) Ensure server-side queries are parameterized
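Worked example for the item above, added here and not part of the original question set. It reproduces the injection from the question against an in-memory SQLite table with constructed sample rows, then shows the parameterized form in which the same payload is bound as a value and matches nothing. The table and column names follow the query in the question; the row data and the `validated_lookup` helper are assumptions.

```python
import sqlite3
from typing import List, Tuple, Union

# Constructed sample rows standing in for the ACCOUNTS table in the question.
ACCOUNTS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACCOUNTS (accountId INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO ACCOUNTS VALUES (?, ?)", ACCOUNTS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    """The flawed pattern: the id from the URL is pasted into the statement text,
    so the database parses it as SQL. raw_id="3 or 1=1" produces exactly the
    statement seen in the logs and returns every row."""
    query = f"SELECT * FROM ACCOUNTS WHERE accountId={raw_id}"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, raw_id: Union[str, int]) -> List[Tuple[int, str]]:
    """Parameterized: the statement text is fixed and the driver binds raw_id as a
    value. "3 or 1=1" is compared against accountId as a literal and matches nothing."""
    return conn.execute("SELECT * FROM ACCOUNTS WHERE accountId=?", (raw_id,)).fetchall()


def validated_lookup(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    """Defence in depth (assumed extra control): reject anything that is not an
    integer before it reaches the database, then still bind it as a parameter."""
    account_id = int(raw_id)  # raises ValueError on "3 or 1=1"
    return safe_lookup(conn, account_id)


if __name__ == "__main__":
    conn = make_db()
    payload = "3 or 1=1"
    print("vulnerable:", vulnerable_lookup(conn, payload))   # all three accounts leak
    print("parameterized:", safe_lookup(conn, payload))      # []
    try:
        validated_lookup(conn, payload)
    except ValueError as exc:
        print("validated: rejected before the query ran:", exc)
```

Parameterization fixes the class of bug because the query text is compiled before any user data is attached; escaping quotes would not have helped here, since the injected value contained none. Type validation on top of it is cheap and produces a clearer failure mode.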
The enterprise security team discovered a vulnerability in a third-party logging tool that could allow unauthorized access to application logs. The vulnerability is fixed in a new release of the third-party product. How should existing security controls be adjusted to prevent this in the future? A) Ensure third-party libraries are kept up to date and reviewed consistently B) Ensure passwords and private information are not logged C) Ensure log files provide audit trails for sensitive transactions D) Ensure auditing and logging are enabled on all servers
A) Ensure third-party libraries are kept up to date and reviewed consistently
During functional testing, a QA analyst using a non-admin account caused an application exception. After the exception was handled, the tester was able to navigate to the admin section of the application by typing the URL directly into the browser address bar. They were unable to force the same navigation before the exception was thrown. How should the organization remediate this vulnerability? A) Ensure user privileges are restored to the appropriate level after exceptions B) Ensure exceptions are handled in a centralized, structured way C) Ensure error messages are scrubbed of any sensitive information D) Ensure there is an audit log for all sensitive transactions
A) Ensure user privileges are restored to the appropriate level after exceptions
The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that all user input values must be validated by type, size, and range? A) Every-sprint requirement B) Bucket requirement C) One-time requirement D) Final security review requirement
A) Every-sprint requirement
The software security team has been tasked with identifying who will be involved when security vulnerabilities are reported from external entities. They are creating a RACI matrix that will identify stakeholders by who is responsible, accountable, consulted, and informed of any new vulnerabilities. Which post-release deliverable is being described? A) External vulnerability disclosure response process B) Third-party security review C) Security strategy for legacy code D) Post-release certifications
A) External vulnerability disclosure response process
The security team is reviewing all threat models, identified vulnerabilities, and documented requirements. They are also performing static and dynamic analysis on the software product to determine if it is ready for release. Which activity of the Ship SDL phase is being performed? A) Final security review B) Penetration testing C) Vulnerability scan D) Final privacy review
A) Final security review
Security team members have been instructed to document which developers and analysts will perform product testing and which tools they will use. Which step of the security test plan is being performed? A) Identify internal resources B) Define test scripts C) Identify external resources D) Define the user community
A) Identify internal resources
The product security incident response team (PSIRT) determined a reported vulnerability was credible and of a high enough severity that it needs to be fixed. What is the response team's next step? A) Identify resources and schedule the fix B) Identify the team that owns the product C) Notify customers that the fix is available D) Determine how the reporter was able to create the vulnerability
A) Identify resources and schedule the fix
What is the first step of the SDLC/SDL code review process? A) Identify security code review objectives B) Perform preliminary scan C) Review code for security issues D) Review for security issues unique to the architecture
A) Identify security code review objectives
After determining a reported vulnerability was a credible claim, the product security incident response team (PSIRT) worked with development teams to create and test a patch. The patch is scheduled to be released at the end of the month. What is the response team's next step? A) Notify customers that the fix is available B) Publish the reasons for closing the case C) Notify the reporter that the case is going to be closed D) Identify the team that owns the product
A) Notify customers that the fix is available
The final security review determined that all security issues identified in testing have been resolved and all SDL requirements have been met. What is the result of the final security review? A) Passed B) Passed with exceptions C) Not passed and requires escalation D) Not passed but does not require escalation
A) Passed
The security team is reviewing whether new security requirements, based on identified threats or changes to organizational guidelines, can be implemented prior to releasing the new product. Which activity of the Ship SDL phase is being performed? A) Policy compliance analysis B) Penetration testing C) Final privacy review D) Open-source licensing review
A) Policy compliance analysis
Which architecture deliverable identifies whether the product adheres to organization security rules? A) Policy compliance analysis B) Threat modeling artifacts C) Business requirements D) Risk mitigation plan
A) Policy compliance analysis
A new product will require an administration section for a small number of users. Normal users will be able to view limited customer information and should not see admin functionality within the application. Which concept is being used? A) Principle of least privilege B) Privacy C) Software security champion D) Elevation of privilege
A) Principle of least privilege
Which design and development deliverable details the progress of personal information requirements created in earlier phases of the security development lifecycle? A) Privacy compliance report B) Security testing reports C) Remediation report D) Security test execution report
A) Privacy compliance report
A developer writes software that is efficient, easy to maintain, and performs well. However, it later becomes vulnerable to a data breach. Which of the following statements best explains why this happened? A) Quality alone is not sufficient to ensure security, as security must be built into the code explicitly. B) Quality code never requires additional security checks. C) Security vulnerabilities only occur in poorly optimized code. D) A secure development process eliminates the need for quality checks.
A) Quality alone is not sufficient to ensure security, as security must be built into the code explicitly.
A senior developer is training new developers and explains that high-quality code is not always secure code. Why is it important to differentiate between these two concepts? A) Quality code emphasizes design efficiency, but secure code focuses on protecting sensitive data. B) Quality code does not require security updates. C) Secure code is relevant only for web-based applications. D) Secure code focuses only on backend development.
A) Quality code emphasizes design efficiency, but secure code focuses on protecting sensitive data.
During a project review, the development lead emphasizes that software must balance quality and security attributes. Why is it necessary to consider both quality and security in the development process? A) Quality ensures code is optimized, while security ensures resilience against unauthorized access. B) Quality and security are synonymous, so focusing on one ensures the other. C) Security automatically guarantees quality. D) Quality code can't function without security mechanisms.
A) Quality ensures code is optimized, while security ensures resilience against unauthorized access.
Which threat modeling process identifies threats to each individual object in a data flow diagram? A) STRIDE-per-element B) STRIDE-per-process C) STRIDE-per-trust-boundary D) STRIDE-per-interaction
A) STRIDE-per-element
Organizational leadership is considering buying a competitor and has asked the software security team to develop a plan to ensure the competitor's point-of-sale system complies with organizational policies. Which post-release deliverable is being described? A) Security strategy for M&A products B) Post-release certifications C) Security strategy for legacy code D) Third-party security review
A) Security strategy for M&A products
What is a countermeasure to the web application security frame (ASF) configuration management threat category? A) Service accounts have no administration capabilities. B) Sessions expire at logout. C) Output encoding is used. D) Access to log files is restricted.
A) Service accounts have no administration capabilities.
Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced is a member of the scrum team, responsible for writing feature logic and attending sprint ceremonies. Which role is the team member playing? A) Software developer B) Product owner C) Scrum master D) Quality assurance analyst
A) Software developer
The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing security testing results from recently completed initiatives. Which BSIMM domain is being assessed? A) Software security development life cycle (SSDL) touchpoints B) Intelligence C) Governance D) Deployment
A) Software security development life cycle (SSDL) touchpoints
The project team received a SonarQube report of their most recent stage deployment that contains 15 vulnerabilities that must be fixed before the product may be released to production. Which security testing technique is being used? A) Source-code analysis B) Property-based testing C) Source-code fault injection D) Dynamic code analysis
A) Source-code analysis
What is the analysis of computer software that is performed without executing programs? A) Static analysis B) Fuzzing C) Dynamic analysis D) OWASP ZAP
A) Static analysis
Which design and development deliverable contains technical and executive level reports detailing any newly identified vulnerabilities? A) Updated threat modeling artifacts B) Privacy implementation assessment results C) Security test plans D) Design security review
A) Updated threat modeling artifacts
A potential threat was discovered during functional testing of a file upload component when a QA analyst was allowed to upload a shell script. Users should only be allowed to upload image files. How should existing security controls be adjusted to prevent this in the future? A) Validate all user input B) Enforce role-based authorization C) Ensure all data is encrypted in transit D) Force users to re-authenticate when accessing critical functionality
A) Validate all user input
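Worked example for the item above, added here and not part of the original question set. It validates an upload the way the answer prescribes: an extension allowlist, a size limit, and a check that the file's leading bytes match the signature of the image type it claims to be, so a shell script named `shell.png` is rejected on content rather than on name. The sample bytes are constructed (the PNG is only a header plus padding, not a decodable image) and the size limit is an assumption.

```python
import os
from typing import Tuple

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example

# Allowed extensions mapped to the byte signatures a genuine file of that type starts with.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Constructed samples: a minimal PNG header with padding, and the kind of script
# the QA analyst was able to upload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SHELL_SCRIPT = b"#!/bin/sh\nid\ncat /etc/passwd\n"


def validate_image_upload(filename: str, data: bytes,
                          max_bytes: int = MAX_UPLOAD_BYTES) -> Tuple[bool, str]:
    """Return (accepted, reason). Every decision is made on what the client sent,
    never on what it claimed (Content-Type headers are attacker-controlled too)."""
    # Drop any directory component smuggled into the name ("../../cron.d/x.png").
    name = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} is not an allowed image type"
    if not data:
        return False, "empty file"
    if len(data) > max_bytes:
        return False, f"file exceeds {max_bytes} bytes"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match the declared image type"
    return True, "ok"


if __name__ == "__main__":
    for label, fname, blob in [
        ("script with its own extension", "shell.sh", SHELL_SCRIPT),
        ("script renamed to .png", "shell.png", SHELL_SCRIPT),
        ("real-looking PNG", "photo.PNG", PNG_SAMPLE),
        ("path traversal in name", "../../avatar.png", PNG_SAMPLE),
    ]:
        print(f"{label:32s} -> {validate_image_upload(fname, blob)}")
```

A signature check stops the plain rename but not a polyglot that begins with a valid image header and carries a script after it; in production, also decode and re-encode the image with an imaging library, store it under a server-generated name, and serve uploads from a location where nothing is executed.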
In which step of the PASTA threat modeling methodology does design flaw analysis take place? A) Vulnerability and weakness analysis B) Application decomposition C) Attack modeling D) Risk and impact analysis
A) Vulnerability and weakness analysis
A company is preparing to add a new feature to its flagship software product. The new feature is similar to features that have been added in previous years, and the requirements are well-documented. The project is expected to last three to four months, at which time the new feature will be released to customers. Project team members will focus solely on the new feature until the project ends. Which software development methodology is being used? A) Waterfall B) Agile C) Scrum D) Extreme programming
A) Waterfall
What is a list of information security vulnerabilities that aims to provide names for publicly known problems? A) Common Vulnerabilities and Exposures (CVE) B) SANS Institute Top Cyber Security Risks C) Bugtraq D) Carnegie Mellon Computer Emergency Readiness Team (CERT)
A) Common Vulnerabilities and Exposures (CVE)
The new product standards state that all traffic must be secure and encrypted. What is the name for this secure coding practice? A) Communication security B) System configuration C) Session management D) Access control
A) Communication security
What is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time? A) Dynamic analysis B) Static analysis C) Fuzzing D) Security testing
A) Dynamic analysis
Which ISO standard is the benchmark for information security today? A) ISO/IEC 27001 B) ISO/IEC 7799 C) ISO/IEC 27034 D) ISO 8601
A) ISO/IEC 27001
Which DREAD category is based on how easily a threat exploit can be repeated? A) Reproducibility B) Discoverability C) Exploitability D) Affected users
A) Reproducibility
Which person is responsible for designing, planning, and implementing secure coding practices and security testing methodologies? A) Software security architect B) Product security developer C) Software security champion D) Software tester
A) Software security architect
The costs to remediate security flaws once a software product is released can run as much as _______ times the costs to remediate them while still in development: A) 50 B) 100 C) 500 D) 1500
B) 100
During a review meeting, the CISO of a government agency mentions that addressing vulnerabilities in the early stages of the software development lifecycle (SDLC) is more cost-effective than post-release patching. This view aligns with which approach mentioned in the 2006 U.S. Department of Homeland Security Draft? A) Applying regular software patches after release B) Adopting security-enhanced processes in the SDLC C) Conducting annual penetration tests on software D) Outsourcing security testing to third parties
B) Adopting security-enhanced processes in the SDLC
A company finds that its applications are vulnerable despite being efficient and highly functional. The CTO emphasizes that security should not be assumed solely from the quality of the code. Why is secure code not guaranteed by quality code? A) Because secure code is assessed only after quality testing is complete B) Because quality is subjective, whereas security directly relates to confidentiality, integrity, and availability C) Because quality automatically prevents all vulnerabilities D) Because secure code does not require any design efficiency
B) Because quality is subjective, whereas security directly relates to confidentiality, integrity, and availability
A company's security team is tasked with ensuring that new software products are designed with security in mind. The team emphasizes that software security is not the same as application security. What does software security primarily focus on in contrast to application security? A) Monitoring post-release software vulnerabilities B) Building security measures into software from the start C) Applying network controls to the software environment D) Ensuring data backups and redundancy
B) Building security measures into software from the start
A healthcare application development team is preparing a software release. The security lead emphasizes three main goals to maintain data protection for users' personal health information. Which of the following goals should the team prioritize as essential components of software security? A) Usability, reliability, and speed B) Confidentiality, integrity, and availability C) Efficiency, performance, and interoperability D) Accessibility, reliability, and portability
B) Confidentiality, integrity, and availability
A software firm is working to improve the security of its e-commerce platform by adopting SDL. The security team decides to prioritize the three main goals of SDL throughout the software lifecycle. Which set of goals should the team focus on to ensure the platform's foundational security? A) Reliability, reusability, and efficiency B) Confidentiality, integrity, and availability C) Performance, scalability, and redundancy D) Compatibility, interoperability, and security
B) Confidentiality, integrity, and availability
Which type of requirement specifies that credit card numbers are designated as highly sensitive confidential personal information? A) Security requirement B) Data classification requirement C) Privacy requirement D) Compliance requirement
B) Data classification requirement
Threat modeling and attack surface analysis is most effective when it's conducted: A) Post-release B) During product inception/product backlog development C) During integration testing phase(s) D) Prior to code development/commitment
B) During product inception/product backlog development
During a meeting, a project manager asks for clarity on software security versus application security. The team lead states that while both aim to secure the software, they are applied differently within the SDLC. How does application security differ from software security in its approach? A) It prioritizes quality assurance testing. B) It focuses on post-release protection of software and systems. C) It integrates security during the design phase. D) It limits vulnerability detection to development stages.
B) It focuses on post-release protection of software and systems.
A CEO of a tech company is evaluating the importance of incorporating software security practices. The CISO presents a report emphasizing that insecure software poses a high risk, not only from a security perspective but also as a business decision. Which of the following best describes why software security is critical for businesses? A) It enhances user interface design. B) It mitigates monetary costs and risks associated with insecure software. C) It increases product features and functionalities. D) It primarily addresses hardware vulnerabilities.
B) It mitigates monetary costs and risks associated with insecure software.
A new product will require an administration section for a small number of users. Normal users will be able to view limited customer information and should not see admin functionality within the application. Which concept is being used? A) privacy B) POLP C) software security champion D) elevation of privilege
B) POLP
Which type of requirement specifies that credit card numbers displayed in the application will be masked so they only show the last four digits? A) Operational requirement B) Privacy requirement C) Data classification requirement D) Non-functional requirement
B) Privacy requirement
A software development team has created a new mobile application with high usability and performance ratings. However, the security team finds multiple vulnerabilities that could expose user data. What does this situation reveal about the relationship between quality code and secure code? A) Quality code inherently includes secure coding practices. B) Quality and secure code are not necessarily the same, and quality does not guarantee security. C) Secure code can only be developed by prioritizing speed and user experience. D) Quality and secure code are always achieved through the same development practices.
B) Quality and secure code are not necessarily the same, and quality does not guarantee security.
A software company is discussing the differences between quality code and secure code. A developer notes that while their application meets quality standards, it recently experienced a security breach. What is a likely reason for this discrepancy between quality and secure code? A) Quality code ensures security by default, but secure code does not ensure quality. B) Quality code focuses on functionality, while secure code focuses on preventing unauthorized access. C) Quality code is more expensive to produce than secure code. D) Secure code generally lacks the usability found in quality code.
B) Quality code focuses on functionality, while secure code focuses on preventing unauthorized access.
A software product designed to handle sensitive financial data is praised for its efficiency and maintainability but criticized for lacking adequate security measures. Which statement best illustrates the distinction between quality code and secure code? A) Quality code is secure by default when optimized correctly. B) Quality focuses on usability and performance, while secure code focuses on preventing unauthorized access. C) Secure code must sacrifice quality to prevent vulnerabilities. D) Quality code is unimportant in applications handling sensitive data.
B) Quality focuses on usability and performance, while secure code focuses on preventing unauthorized access.
During a security meeting, a software development team is confused about the difference between software security and application security. The security architect explains that focusing on SDL helps secure software from the start, while application security focuses on protection post-release. In this context, which statement best differentiates software security from application security? A) Software security ensures operational security controls are in place, while application security uses SDL practices. B) Software security builds security into the software, while application security defends it after deployment. C) Software security manages post-release issues, while application security focuses on secure coding. D) Software security relies on network security controls, while application security is specific to applications.
B) Software security builds security into the software, while application security defends it after deployment.
During a security review, a developer asks why the "C.I.A." model is essential for the software they are creating. The security architect explains that the C.I.A. model is vital for protecting sensitive data. Which of the following best describes the purpose of these three security goals? A) They focus on ensuring the software is user-friendly. B) They provide a framework for protecting data from unauthorized access, tampering, and outages. C) They prioritize code quality over security features. D) They ensure all users have access to sensitive data.
B) They provide a framework for protecting data from unauthorized access, tampering, and outages.
A tech company's product suffered a security incident due to improper handling of buffer overflows, as cited in the U.S. President's Information Technology Advisory Committee (PITAC) 2005 report. What does this report highlight about common software development practices? A) They strictly control all security practices. B) They tend to ignore issues like buffer overflow management. C) They exclusively focus on network boundaries. D) They apply rigorous controls across all software layers.
B) They tend to ignore issues like buffer overflow management.
A healthcare company implementing SDL finds that training developers to identify potential threats early in the development cycle is reducing their security incident rate. Which SDL practice is being emphasized in this training to preemptively identify design vulnerabilities? A) Code refactoring B) Threat modeling C) Source code scanning D) Functional testing
B) Threat modeling
A company transitioning to secure software development practices wants to ensure its development lifecycle aligns with the principles outlined by industry experts. The team discusses Gary McGraw's perspective on software security. According to McGraw, what is the primary goal of software security? A) To protect software after development with additional security controls B) To embed security considerations into the software design and educate developers on secure coding practices C) To limit developer access to sensitive parts of the software D) To simplify the post-release patching process
B) To embed security considerations into the software design and educate developers on secure coding practices
A company is preparing to add a new feature to its flagship software product. The new feature is similar to features that have been added in previous years, and the requirements are well-documented. The project is expected to last three to four months, at which time the new feature will be released to customers. Project team members will focus solely on the new feature until the project ends. Which software development methodology is being used? A) Agile B) Waterfall C) Scrum D) Extreme programming
B) Waterfall
Which secure coding best practice says to use parameterized queries, encrypted connection strings stored in separate configuration files, and strong passwords or multi-factor authentication? A) Access control B) Database security C) File management D) Session management
B) Database security
What is the application of multiple layers of protection so that, if one layer is breached, the next layer provides protection? A) Fail-safe B) Defense-in-depth C) Separation of duties D) Open design
B) Defense-in-depth
An organization is setting up new security protocols and needs to clarify why both software and application security practices are necessary. The team lead suggests that the two security areas should not be confused, even though they intersect. Why is it important to differentiate between software security and application security? A) Because software security is only necessary in the initial development stages B) Because application security applies exclusively to the end-user environment C) Because software security builds resilience directly into the software, while application security safeguards its operational environment D) Because application security negates the need for secure software practices
C) Because software security builds resilience directly into the software, while application security safeguards its operational environment
Which type of requirement specifies that file formats the application sends to financial institutions must be certified every four years? A) Non-functional requirement B) Operational requirement C) Compliance requirement D) Functional requirement
C) Compliance requirement
The three goals of the security development lifecycle are: A) Reliability, efficiency, and maintainability B) Speed, quality, and continuous releases C) Confidentiality, integrity, and availability D) Availability, reliability, and portability
C) Confidentiality, integrity, and availability
A software architect in a large organization is explaining SDL to a development team. He mentions that focusing on software security within SDL means addressing the root causes of security issues. Which approach best illustrates this proactive security focus within SDL? A) Installing firewalls and antivirus software post-release B) Regularly scanning for vulnerabilities after deployment C) Designing software to inherently prevent vulnerabilities D) Conducting security training after software deployment
C) Designing software to inherently prevent vulnerabilities
In an organization that has yet to implement software security practices, an IT auditor points out that over 70% of security vulnerabilities exist in software applications, not network boundaries, as noted by Gartner. Why is there a growing emphasis on application security? A) To mitigate the cost of hardware updates B) Because application security is simpler to manage than network security C) Due to the prevalence of vulnerabilities in software applications D) Because applications rarely require security patches
C) Due to the prevalence of vulnerabilities in software applications
A software company faces frequent security incidents, which have caused delays in product development and led to additional costs. To mitigate these issues, they are considering a software security program. Why would a software security program make sense from a business perspective? A) It allows development teams to avoid competitive pressures. B) It reduces the need for network security measures. C) It helps avoid costly product recalls and delays by integrating security early. D) It prevents the need for any further security testing.
C) It helps avoid costly product recalls and delays by integrating security early.
An organization's leadership is concerned with escalating post-release patching costs due to software vulnerabilities discovered in the field. A cost-benefit analysis highlights that addressing security earlier in the SDLC could be more efficient. According to industry research, how does fixing security flaws during development compare to fixing them post-release? A) It is 5-10 times less expensive than post-release remediation. B) It is 10-20 times less expensive than post-release remediation. C) It is up to 100 times less expensive than post-release remediation. D) It has no significant cost difference from post-release remediation.
C) It is up to 100 times less expensive than post-release remediation.
A technology firm with a history of software breaches aims to revamp its security practices. The CISO explains that software security requires embedding security measures into the codebase during development, while application security focuses on securing the environment where the software operates. What benefit does a security-focused Software Development Life Cycle (SDL) provide? A) It reduces the need for security audits. B) It prevents all forms of software vulnerabilities. C) It minimizes post-release security issues by integrating security early. D) It guarantees immunity from network-based attacks.
C) It minimizes post-release security issues by integrating security early.
Which privacy impact statement requirement type defines how personal information is protected on devices used by more than a single associate? A) Data integrity requirements B) Access requirements C) Privacy control requirements D) Education of stakeholder's requirements
C) Privacy control requirements
A software team plans to release a new version of an application and wants to ensure that both quality and security are integral to the product. Which of the following is true about the relationship between quality and security in software? A) Quality is more important than security in most applications. B) Security practices are always separate from quality practices. C) Quality and security complement each other and should be integrated into the software's foundation. D) Security measures do not impact software quality.
C) Quality and security complement each other and should be integrated into the software's foundation.
A financial organization is reviewing its software development practices after a recent breach due to a buffer overflow vulnerability. The security lead argues that incorporating a structured Security Development Lifecycle (SDL) could mitigate such risks by catching these flaws early. What is the primary business benefit of implementing SDL in this scenario? A) Decreased time-to-market by streamlining security processes B) Improved software quality by detecting coding errors C) Reduced remediation costs by addressing security flaws during development D) Increased revenue through secure software sales
C) Reduced remediation costs by addressing security flaws during development
Which type of requirement specifies that user passwords will require a minimum of 8 characters and must include at least one uppercase character, one number, and one special character? A) Privacy requirement B) Data classification requirement C) Security requirement D) Functional requirement
C) Security requirement
A software company wants to reduce the number of security incidents in its products. To do so, the CISO suggests that they adopt a Security Development Lifecycle (SDL) model similar to Microsoft's. What is a key goal of implementing an SDL model in this context? A) To focus exclusively on fixing security bugs post-release B) To ensure security is treated as an afterthought in development C) To prevent the inclusion of security vulnerabilities in the software's codebase D) To make security audits unnecessary by automating all security measures
C) To prevent the inclusion of security vulnerabilities in the software's codebase
An organization is debating whether to invest in a software security program. The Chief Technology Officer mentions that software security must be "secure by design" due to its integration in critical systems. What justifies this need for secure-by-design software? A) To support the organization's reputation for innovative features B) To adhere to customer demand for frequent software updates C) To reduce the inherent risk in applications used in critical systems D) To enable faster software release cycles
C) To reduce the inherent risk in applications used in critical systems
The software security team is currently working to identify approaches for input validation, authentication, authorization, and configuration management of a new software product so they can deliver a security profile. Which threat modeling step is being described? A) Rating threats B) Identifying and documenting threats C) analyzing the target D) drawing data flow diagram
C) analyzing the target
Which secure coding best practice says that all information passed to other systems should be encrypted? A) output encoding B) memory management C) communication security D) database security
C) communication security
Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access? A) access control B) authentication and password management C) cryptographic practices D) data protection
C) cryptographic practices
The DREAD methodology has been used to classify an identified exploit where:
- the attacker could log in as an administrator (damage potential)
- the attacker could log in at any time (reproducibility)
- almost anybody could perform the attack (exploitability)
- all system users could be affected (affected users)
- any person who knows how to open dev tools in a browser could find the vulnerability (discoverability)
Which rating should be assigned to the exploit after performing an analysis using a ternary ranking scale where high risk = 3 points, medium risk = 2 points, and low risk = 1 point? A) low risk B) medium risk C) high risk D) no risk
C) high risk
Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced will be a facilitator, will try to remove roadblocks and ensure the team is communicating freely, and will be responsible for facilitating all scrum ceremonies. Which role is the team member playing? A) product owner B) software developer C) scrum master D) quality assurance analyst
C) scrum master
Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced is a member of the scrum team, responsible for writing feature logic and attending sprint ceremonies. Which role is the team member playing? A) scrum master B) quality assurance analyst C) software developer D) product owner
C) software developer
The organization's testing team has created a catalog of test cases using the source code and design documentation of the new product. Each test case will be executed for each user role in the new product. Which type of security testing technique is being performed? A) gray-box B) black-box C) white-box D) red-box
C) white-box
Defective software is: A) A network security problem B) An operating system security problem C) A user-caused problem D) A software development and engineering problem
D) A software development and engineering problem
Following a high-profile data breach, an organization's board questions the cause of security issues within software products. A consultant explains that most issues stem from insecure code. Why has insecure code become a primary target for hackers, according to the text? A) Because it offers legal liability opportunities B) Because it lacks frequent updates C) Because it is easier to exploit than hardware D) Because it leads to costly vulnerabilities post-release
D) Because it leads to costly vulnerabilities post-release
Security team members have been instructed to document how many users will access the new product and what roles those users will play. Which step of the security test plan is being performed? A) Define test scripts B) Identify external resources C) Identify internal resources D) Define the user community
D) Define the user community
A team deploying a new web application is advised to consider "attack surface validation" as part of their SDL process. The team needs clarification on when this activity is most effective. In which phase should attack surface validation ideally occur? A) After the application is live B) During the project inception and planning phases C) After functional testing but before release D) During requirements analysis, before code development
D) During requirements analysis, before code development
Which type of software testing is being performed when an analyst executes a series of test cases based on application requirements? A) Unit testing B) Regression testing C) Integration testing D) Functional testing
D) Functional testing
Which security assessment deliverable defines milestones that will be met during each phase of the project, merged into the product development schedule? A) Metrics template B) Threat profile C) Product risk profile D) SDL project outline
D) SDL project outline
A software security team member has created data flow diagrams, chosen the STRIDE methodology to perform threat reviews, and created the security assessment for the new product. Which category of secure software best practices did the team member perform? A) training B) pen testing C) code review D) architecture analysis
D) architecture analysis
Which mitigation technique can be used to fight against a data tampering threat? A) Throttling B) Run with least privilege C) Audit trails D) digital signatures
D) digital signatures
Which secure coding best practice ensures servers, frameworks, and system components are all running the latest approved versions? A) file management B) input validation C) database security D) system configuration
D) system configuration