Secure Software Design Practice Questions
Which aspect of threat modeling is being addressed as part of a work breakdown structure using DREAD as a security model? A. Analyzing threats B. Threat mitigation C. Threat resolution D. Identifying threats
A. Analyzing threats
A software engineering project WBS identifies Requirements Analysis as one of the work activities. The project manager wants to use a matrix organization to staff the project with requirements engineers who have security-specific skills and experience. How should the security requirements engineers be grouped? A. By requirements-definition functions B. As members of the security department C. As direct reports to the chief security officer D. By hierarchy so that security requirements are given high priority
A. By requirements-definition functions
Which two goals does threat modeling accomplish? Choose 2 answers A. Defines the security of an application B. Helps in the selection of an operating system C. Increases accessibility to a system D. Reduces the number of vulnerabilities E. Improves design efficiency
A. Defines the security of an application D. Reduces the number of vulnerabilities
A member of the development team is tasked with final code review and deployment of the finished product to various environments at project completion. Which role has this team member been asked to fill? A. Release manager B. Developer C. Business analyst D. Quality assurance tester
A. Release manager
Which methodology is used for measuring the type of vulnerability? A. STRIDE B. DREAD C. OCTAVE D. OWASP
A. STRIDE
A software developer is preparing a documented plan that verifies a system's code performs the proper actions. Which role is this developer filling? A. Tester B. Business analyst C. Release manager D. Developer
A. Tester
A firm is monitoring the status of a software development project with earned value, where the budgeted cost of work scheduled (BCWS) and the budgeted cost of work performed (BCWP) are 35 Pers-days and 70 Pers-days, respectively. The sum of the actual efforts of all of the tasks that have been completed at a specific status-checking date is 75 Pers-days. After computing the schedule variance (SV) and cost variance (CV), what are the relevant indicators (SV and CV) of the project status? A. 35 Pers-days, 5 Pers-days B. 35 Pers-days, -5 Pers-days C. 105 Pers-days, 40 Pers-days D. 105 Pers-days, -35 Pers-days
B. 35 Pers-days, -5 Pers-days
System engineers are following the software development life cycle (SDLC) process and defining system requirements, performing an analysis, and designing the application. Which management control domain do these actions primarily align to? A. Monitoring B. Acquisition and implementation C. Planning and organization D. Delivery and support
B. Acquisition and implementation
An employee has been supporting the SDLC process for a new web application. The employee is in charge of identifying the requirements the web application needs to satisfy. The employee will also be identifying who will be impacted by the application. After the application is developed in the test environment, the employee will ensure that the user acceptance testing (UAT) is completed. Which role in the SDLC does this employee have? A. Tester B. Business analyst C. Project manager D. Architect
B. Business analyst
Which methodology are T-MAP-defined, threat-relevant attributes primarily derived from? A. DREAD B. CVSS C. STRIDE D. OCTAVE
B. CVSS
Under which maturity level in the staged representation model should project monitoring and control be performed? A. Maturity level 1 B. Maturity level 2 C. Maturity level 3 D. Maturity level 4 E. Maturity level 5
B. Maturity level 2
What is an iterative and incremental model that utilizes the divide-and-conquer methodology to decompose a complex problem into parts? A. Multiple-component B. Rational Unified Process (RUP) C. Multiple-release D. Waterfall
B. Rational Unified Process (RUP)
At the end of threat modeling, a company wants to rate the threats based on probability and damage potential. Which approach is suitable? A. SSA B. T-MAP C. DREAD D. STRIDE
C. DREAD
Verification and validation take place during the implementation and training phase of the software development life cycle (SDLC). In which two management control domains are these efforts performed? Choose 2 answers A. Acquisition and implementation B. Planning and organization C. Monitoring D. Delivery and support
C. Monitoring D. Delivery and support
The focus of a team falls under the Capability Maturity Model Integration (CMMI) engineering category, specifically under the verification phase. Which activity performed by this team would be relevant to verification as it relates to the secure development lifecycle (SDL)? A. Defining minimum acceptable levels of security and privacy quality B. Analyzing source code prior to compilation and documenting peer review results C. Performing run time checks for memory corruption and user privilege issues D. Examining software design based on costs and regulatory requirements
C. Performing run time checks for memory corruption and user privilege issues
Which system development methodology provides a resource to entry-level developers with limited exposure? A. joint application development B. agile model C. waterfall model D. extreme programming
C. waterfall model
Which core element of cybersecurity is implemented through the following secure software design features? Cryptography = Non-repudiation = Redundancy = Digital signatures =
Cryptography = Confidentiality Non-repudiation = Integrity Redundancy = Availability Digital signatures = Integrity
A lead developer is measuring the number of security defects found in a particular phase of the software development life cycle (SDLC) and tracking the rate of security defect identification. At which level of the Capability Maturity Model Integration (CMMI) framework is the lead developer operating? A. CMM level 1 B. CMM level 2 C. CMM level 3 D. CMM level 4 E. CMM level 5
D. CMM level 4
Which modeling approach assigns ratings based on attack reproducibility and vulnerability exploitability? A. CVSS B. OCTAVE C. STRIDE D. DREAD
D. DREAD Damage - how bad? Reproducibility - reproducible? Exploitability - how hard to do? Affected users - how many people would be affected? Discoverability - how easy to discover?
A software development project team is moving from performing random fuzz testing to a more structured approach that optimizes the overall testing performed on the system and attempts to achieve efficiencies as part of the software development life cycle. At which Capability Maturity Model Integration (CMMI) maturity level is this team performing? A. Level 2 B. Level 3 C. Level 4 D. Level 5
D. Level 5
Which maturity level of the Capability Maturity Model Integration (CMMI) is characterized by a focus on continuous process improvement, including defect prevention, technology change management, and process change management? A. Maturity level 2 B. Maturity level 3 C. Maturity level 4 D. Maturity level 5
D. Maturity level 5
An organization is executing an incident response plan. In which SDLC phase does this activity take place? A. Project definition B. Design C. Installation D. Operation
D. Operation
What is a characteristic of maturity level 2 of the staged representation model of Capability Maturity Model Integration (CMMI)? A. Organizational process performance B. Integrated teaming C. Causal analysis and resolution D. Project planning
D. Project planning
Who conducts the code review process as part of the last phase of the software development process? A. Architect B. Tester C. Project manager D. Release manager
D. Release manager
Which threat model focuses on the end results of possible attacks rather than on the identification of each specific attack? A. SSA B. SSD C. DREAD D. STRIDE
D. STRIDE Spoofing Tampering Repudiation Information disclosure Denial of Service Escalation of privilege
Which narrative approach should help guide the mitigation that needs to be put in place to protect a system from attacks? A. Attack tree B. Penetration testing C. Model-driven development D. Threat model
D. Threat model
A web application is being developed for hosting on a system that was previously limited to the organization's internal network. Which consequence of the change in the trust boundary for this application expands the network attack surface and would enable a threat actor to command embedded malware? A. Old software versions B. Weak passwords C. Stale and unnecessary accounts D. Unnecessary open ports
D. Unnecessary open ports
What is a common attack scenario faced by web servers? A. Malformed queries that attempt to extract sensitive data B. Password cracking attempts that disclose user credentials C. Spoofed server IP addresses that redirect the client D. Unsolicited TCP requests that overwhelm resources
D. Unsolicited TCP requests that overwhelm resources
A company is developing a web application for employees. The web application must meet the following requirements: • Employees must be able to use the web application to track shipments. • The web application must be able to store personal information and shipment details. • Although the web application will be accessible outside of the company's intranet, employees' information must be secure. Which process should be used to make certain that the web application meets these requirements? A. redundancy in the data B. SDLC agile model C. SDLC waterfall model D. software assurance
D. software assurance
A software firm is planning to develop a web-based project with a team of up to eight people. Which software methodology is relevant to apply when several roles, including project manager and business expert, may be filled by the same people? A. Crystal orange web B. Waterfall C. Crystal orange D. Crystal Clear E. Scrum
E. Scrum
Match DREAD classification term to description: Exploitability
Measures the effort required to launch an attack
Match DREAD classification term to description: Affected users
Measures the number of installed instances of the system affected by an exploit
Which core element of cybersecurity is implemented through the following secure software design features? Off-site backup Public key Hash Message digest
Off-site backup = Availability Public key = Confidentiality Hash = Integrity Message digest = Integrity
Match DREAD classification term to description: Reproducibility
Ranks how often an attempt at exploiting a vulnerability really works
Match DREAD classification term to description: Damage potential
Ranks the extent of harm that occurs if a vulnerability is exploited
A development team has chosen the waterfall methodology as an SDLC approach. This methodology was chosen because of the limited experience of the team, but waterfall has several security considerations. Match each phase of the waterfall methodology to its appropriate security concern. Requirements analysis Design Construction/implementation Testing Installation Operation
Requirements analysis - Define security features Design - Misuse cases/vulnerability mapping Construction/implementation - Secure coding practices Testing - Penetration assessment Installation - Final security review Operation - Periodic security review and updates
Match DREAD classification term to description: Discoverability
States the likelihood that a vulnerability will be found by security researchers or hackers