Chapter 12 Software Development Security


Lauren wants to insert data into the response from her browser to a web application. What type of tool should she use if she wants to easily make manual changes in what her browser sends out as she interacts with the website? A.An interception proxy B.A fuzzer C.A WAF D.A sniffer

A.An interception proxy Explanation: Interception proxies are designed to allow testers to intercept, view, and modify traffic sent from web browsers and are often used for penetration testing and web application security testing. Fuzzers are used for application testing by sending invalid data to the application. A WAF is a web application firewall. A sniffer is useful for monitoring traffic but not for modifying web traffic in a live, easy-to-use manner.

Precompiled SQL statements that only require variables to be input are an example of what type of application security control? A.Parameterized queries B.Encoding data C.Input validation D.Appropriate access controls

A.Parameterized queries Explanation: A parameterized query (sometimes called a prepared statement) uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data. Encoding data helps to prevent cross-site scripting attacks, as does input validation. Appropriate access controls can prevent access to data that the account or application should not have access to, but they don't use precompiled SQL statements.

What Agile process is used to determine whether application development is occurring at the speed that was expected? A.Velocity tracking B.Speed traps C.Timeboxing D.Planning poker

A.Velocity tracking Explanation: Velocity tracking calculates the actual speed based on accomplishments versus the estimated work from the sprint planning effort. Planning poker is used for estimation. Speed traps are not a term associated with the Agile methodology.

Angela's software development team is working on a large-scale control package that will run a nuclear power plant for multiple decades. They want to select an SDLC that fits their needs, which include careful up-front planning and analysis, without any anticipated change during the coding process. What SDLC model should she choose? A.Waterfall B.Spiral C.Agile Scrum D.Rapid Application Development

A.Waterfall Explanation: Waterfall continues to be useful in complex software development efforts where requirements are well documented and careful planning is required. Spiral would fit better if risks were likely to change during the development effort, and Agile Scrum is well suited to changing requirements. Rapid Application Development's prototype model is not a good fit for controlling a nuclear reactor.

How many phases does the Spiral model cycle through? A.Three B.Four C.Five D.Six

B.Four Explanation: The Spiral model cycles through four phases: requirements gathering, design, build, and evaluation/risk analysis.

Kristen wants to implement code review but has a distributed team that works at various times during the day. She also does not want to create any additional support load for her team with new development environment applications. What type of review process will work best for her needs? A.Pair programming B.Pass around C.Over-the-shoulder D.Tool assisted

B.Pass around Explanation: Pass-around reviews normally rely on email to move code between developers. In Kristen's case, a pass-around review will exactly meet her needs. Pair programming and over-the-shoulder review both require developers to work together, whereas tool-assisted reviews require implementation of a tool to specifically support the review.

After a major patch is released for the web application that he is responsible for, Sam proceeds to run his web application security scanner against the web application to verify that it is still secure. What is the term for the process Sam is conducting? A.Code review B.Regression testing C.Stress testing D.Whiffing

B.Regression testing Explanation: Sam is conducting a regression test, which verifies that changes have not introduced new issues to his application. Code review focuses on the application code. Stress testing verifies that the application will perform under load or other stress conditions. Whiffing isn't a term used in this type of review.

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting? A.Mutation testing B.Static code analysis C.Dynamic code analysis D.Fuzzing

B.Static code analysis Explanation: Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program. Both mutation testing and fuzzing are types of dynamic analysis.

What type of code review requires two programmers, one of whom explains their code to other developers? A.Pair programming B.Tool assisted C.Over-the-shoulder D.Pass around

C.Over-the-shoulder Explanation: Over-the-shoulder code reviews use a pair of developers to perform peer code review, one of whom explains their code to the other. Pair programming also uses two developers but allows the developers to swap roles between writing code and observing and strategizing. Tool-assisted review uses a code review tool, whereas pass-around review uses email or other methods to send code to others for review.

Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concern? A.Using secure session management B.Enabling logging on the database C.Performing user input validation D.Implementing TLS

C.Performing user input validation Explanation: Charles should perform user input validation to strip any SQL code or other unwanted input. Secure session management can help prevent session hijacking, logging may provide useful information for incident investigation, and implementing TLS can help protect network traffic, but only input validation helps with the issue described.

What process checks to ensure that functionality meets customer needs? A.CNA B.Stress testing C.UAT D.Unit testing

C.UAT Explanation: User acceptance testing (UAT) is the process of testing to ensure that the users of the software are satisfied with its functionality. Stress testing verifies that the application will perform when under high load or other stress. Unit testing validates individual components of the application. CNA is not a term associated with application development.

What type of testing focuses on inserting problems into the error handling processes and paths in an application? A.Fuzzing B.Stress testing C.Dynamic code analysis D.Fault injection

D.Fault injection Explanation: Fault injection directly inserts faults into the error handling paths for an application to verify how it will handle the problem. Stress testing focuses on application load, and dynamic code analysis describes any type of live application testing. Fuzzing sends invalid data to applications to ensure that they can deal with it properly.

(Number 16 actually) What process is used to ensure that an application can handle very high numbers of concurrent users or sessions? A.Fuzzing B.Fault injection C.Mutation testing D.Load testing

D.Load testing Explanation: Load testing is used to validate the performance of an application under heavy loads like high numbers of concurrent user sessions. Fuzzing, mutation testing, and fault injection are all types of code review and testing.

Using TLS to protect application traffic helps satisfy which of the OWASP 2016 best practices? A.Parameterize queries B.Encode data C.Validate all inputs D.Protect data

D.Protect data Explanation: TLS satisfies the "protect data" best practice by ensuring that network traffic is secure. Parameterized queries use prebuilt SQL, while encoding data removes control characters that could be used for cross-site scripting attacks and other exploits. Validating all inputs requires treating all user input as untrusted.

During a Fagan code inspection, which process can redirect to the planning stage? A.Overview B.Preparation C.Meeting D.Rework

D.Rework Explanation: During the rework stage of a Fagan inspection, issues may be identified that require the process to return to the planning stage and then proceed back through the remaining stages to re-review the code.

Susan's team has been writing code for a major project for a year and recently released their third version of the code. During a post-implementation regression test, an issue that was originally seen in version 1 reappeared. What type of tool should Susan implement to help avoid this issue in the future? A.Stress testing B.A WAF C.Pair programming D.Source control management

D.Source control management Explanation: A source control management tool like Subversion or Git can help prevent old code from being added to current versions of an application. Developer practices still matter, but knowing what version of the code you are checking in and out helps! Stress testing would help determine whether the application can handle load, and a WAF, or web application firewall, can protect against attacks, but neither would resolve this issue. Pair programming might detect the problem, but the question specifically asks for a tool, not a process.

What term is used to describe high-level requirements in Agile development efforts? A.Backlogs B.Planning poker C.Velocity D.User stories

D.User stories Explanation: User stories are collected to describe high-level user requirements in Agile development efforts. Backlogs are lists of features and tasks that are needed to finish the project. Planning poker is an estimation method. Velocity tracking is used to measure progress versus expectations.
