Secure Software Design: Q&A for Development Best Practices, Exams of Computer Science

This document presents questions and answers on secure software design, including secure coding, authorization, integrity, SDLC phases, code review, credential storage, and software methodologies like waterfall, agile, and scrum. It also addresses security team roles, privacy impact assessments, threat modeling, and SDLC deliverables. It functions as a study guide or quiz for understanding secure software development concepts, emphasizing building security into the product early and meeting certification needs. It covers threat modeling and the importance of SDLC deliverables for software security. This resource benefits students and professionals aiming to improve their secure software design knowledge, offering insights into protecting software and ensuring compliance. The structure facilitates learning, making it useful for exam preparation and professional growth.

Typology: Exams

2024/2025

Available from 05/15/2025

Examprof

D487: Secure Software Design

Questions with 58 solutions rated and approved.

What are the two common best principles of software applications in the development process? Choose 2 answers.

Quality code

Secure code

Information security

Integrity

Availability - ANSWER Quality code

Secure code

"Quality code" is correct. Quality code is efficient code that is easy to maintain and reusable.

"Secure code" is correct. Secure code authorizes and authenticates every user transaction, logs the transaction, and denies all unauthorized requisitions.

What ensures that the user has the appropriate role and privilege to view data?

Authentication

Multi-factor authentication

Encryption

Information security

Authorization - ANSWER Authorization

Authorization ensures a user's information and credentials are approved by the system.


Which security goal is defined by "guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity"?

Integrity

Quality

Availability

Reliability - ANSWER Integrity

The data must remain unchanged by unauthorized users and remain reliable from the data entry point to the database and back.

Which phase in an SDLC helps to define the problem and scope of any existing systems and determine the objectives of new systems?

Requirements

Design

Planning

Testing - ANSWER Planning

The planning stage sets the project schedule and looks at the big picture.

What happens during a dynamic code review?

Programmers monitor system memory, functional behavior, response times, and overall performance.

Customers perform tests to check software meets requirements.

An analysis of computer programs without executing them is performed.

Input fields are supplied with unexpected input and tested. - ANSWER Programmers monitor system memory, functional behavior, response times, and overall performance.

How should you store your application user credentials in your application database?


In Scrum methodology, who is responsible for making decisions on the requirements?

Scrum Team

Product Owner

ScrumMaster

Technical Lead - ANSWER Product Owner

The Product Owner is responsible for requirements/backlog items and prioritizing them.

What is the reason software security teams host discovery meetings with stakeholders early in the development life cycle?

To determine how much budget is available for new security tools

To meet the development team

To refactor functional requirements to ensure security is included

To ensure that security is built into the product from the start - ANSWER To ensure that security is built into the product from the start

To correctly and cost-effectively introduce security into the software development life cycle, it needs to be done early.

Why should a security team provide documented certification requirements during the software assessment phase?

Certification is required if the organization wants to move to the cloud.

Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers.

By ensuring software products are certified, the organization is protected from future litigation.

By ensuring all developers have security certifications before writing any code, teams can forego discovery sessions. - ANSWER Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers.


Any new product may need to be certified based on the data it stores, the frameworks it uses, or the domain in which it resides. Those certification requirements need to be analyzed and documented early in the development life cycle.

What are two items that should be included in the privacy impact assessment plan regardless of which methodology is used? Choose 2 answers.

Required process steps

Technologies and techniques

SDL project outline

Threat modeling

Post-implementation signoffs - ANSWER Required process steps

Technologies and techniques

"Required process steps" is correct. Required process steps explain in more detail which requirements are relevant to developers, detailing what types of data are considered sensitive and how they need to be protected.

"Technologies and techniques" is correct. Technologies and techniques detail techniques for meeting legislative requirements in five categories: Confidentiality, Integrity, Availability, Auditing and Logging, and Authentication.

What are the goals of each SDL deliverable?

Select one of these options for each deliverable:

-Estimate the actual cost of the product

-Identify dependence on unmanaged software

-Map security activities to the development schedule

-Guide security activities to protect the product from vulnerabilities

Product risk profile


Decompose the application

Redesign the process to eliminate the threat

Transfer the risk

Identify business requirements - ANSWER Survey the application

Decompose the application

"Survey the application" is correct. Surveying the application is a way to gain knowledge of how the product works by reading product documentation and interviewing the development team.

"Decompose the application" is correct. Decomposing the application can be done by doing a deep dive into the code and understanding how it works behind the scenes.

What do the "A" and the first "D" in the DREAD acronym represent? Choose 2 answers.

Damage

Affected users

Denial of service

Authentication - ANSWER Damage

Affected users

"Damage" is correct. Damage represents the first 'D' in DREAD and measures how much damage will be caused if the threat exploit occurs.

"Affected users" is correct. Affected users represents the 'A' in DREAD and measures how many users will be affected.

Which shape indicates each type of flow diagram element?

Select an option for each element:

-Two parallel horizontal lines

-Solid line with an arrow.


-Rectangle

-Dashed line

External elements

Data store

Data flow

Trust boundary - ANSWER Rectangle

Two parallel horizontal lines

Solid line with an arrow.

Dashed line

A rectangle in a data flow diagram represents an element outside your control and external to your software application.

Two parallel horizontal lines in a data flow diagram represent where data can be stored but not modified.

A single solid line with an arrow in a data flow diagram represents the movement of data within the software.

A single dashed line in a data flow diagram represents scenarios that exist between elements running at different privilege levels or different components running at the same privilege level.

What are the two deliverables of the Architecture phase of the SDL? Choose 2 answers.

Threat modeling artifacts

Policy compliance analysis

Information disclosure


Which key success factor identifies threats to the software?

Design security analysis

Effective threat modeling

Policy compliance review

Comprehensive security test plan - ANSWER Effective threat modeling

Effective threat modeling allows the developer the ability to identify threats such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege as part of the threat model.

What is the goal of design security review deliverables?

To plan to mitigate, accept, or tolerate risk

To make modifications to the design of software components based on security assessments

To analyze adherence to company policies

To create data flow diagrams, elements, and threat listings - ANSWER To make modifications to the design of software components based on security assessments

This goal lists changes to the software components and design based on a review from security architects and the assessments team.

Which application scanner component is useful in identifying vulnerabilities such as cookie misconfigurations and insecure configuration of HTTP response headers?

Spider

Virus scanner

Active scanner

Passive scanner - ANSWER Passive scanner


Passive scanning analyzes requests and responses for vulnerabilities silently as they pass through the web application security tool, without sending additional traffic to the application.

Which type of attack occurs when an attacker uses malicious code in the data sent in a form?

SQL injection

Distributed Denial-of-Service (DDoS)

Cross-site scripting

Man-in-the-middle attack - ANSWER Cross-site scripting

Cross-site scripting (XSS) attacks are a type of injection in which attackers use scripts that are injected into otherwise benign and trusted websites.

Which tools provide the given functions?

-SonarQube

-JIRA

-Dynatrace

-Jenkins

Question 6a:

Self-managed, automatic code review product

Question 6b:

Open-source automation server

Question 6c:

Proprietary issue tracking product


Architecture - ANSWER Users

Users are not part of the software application and are external.

What are the advantages of the following security analysis tools?

-Tests a specific operational deployment

-Testing in a random approach

-Access to the actual instructions the software will be guessing

-Requires no supporting technology

Question 10a:

Static code analysis

Question 10b:

Dynamic code analysis

Question 10c:

Fuzz testing

Question 10d:

Manual source code review - ANSWER Access to the actual instructions the software will be guessing

Without having to guess or interpret behavior, this method gives full access to the software's possible behaviors.

Tests a specific operational deployment

By having specific areas to test, this method can identify infrastructure, configuration, and patch errors more easily.


Testing in a random approach

By having a closed testing system, this method can find bugs that would often be missed by the human eye.

Requires no supporting technology

By having a flexible approach, this method can be applied to a variety of situations.

Which practice in the Ship (A5) phase of the security development cycle verifies whether the product meets security mandates?

Open-source licensing review

Code-assisted penetration testing

Final security review

A5 policy compliance analysis - ANSWER A5 policy compliance analysis

A5 policy compliance analysis ensures that products have met requirements, undergone compliance activities at each SDL phase, and passed quality gates before release.

Which post-release support activity defines the process to communicate, identify, and alleviate security threats?

PRSA3: Post-release certifications

PRSA1: External vulnerability disclosure response

PRSA4: Internal review for new product combinations or cloud deployments

PRSA2: Third-party reviews - ANSWER PRSA1: External vulnerability disclosure response

The external vulnerability disclosure response (PRSA1) defines processes to evaluate and mitigate security vulnerabilities discovered post-release. It also details how the organization will communicate to customers.


Security architectural reviews - ANSWER Security architectural reviews

Review of software during a merger or acquisition to ensure that software is secure during the merging process.

Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions?

-White-box security test

-Analyze activities and standards

-License compliance

-Release and ship

Question 6a:

A5 Policy compliance analysis

Question 6b:

Code-assisted penetration testing

Question 6c:

Open-source licensing review

Question 6d:

Final security review - ANSWER Analyze activities and standards

During this practice, processes are standardized at each phase of the SDL/SDLC.


White-box security test

During this practice, actions of a hacker are simulated to uncover vulnerabilities.

License compliance

During this practice, licensing requirements must be managed to ensure that there is no delay of current release and ship dates.

Release and ship

During this practice, regression testing occurs to ensure that a change in one part of the software does not change other parts of the software.

How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments?

-Continuous integration and continuous deployment

-API invocation processes

-Iterative development

-Enables and improves business activities

Question 7a:

Agile

Question 7b:

DevOps


Assess - ANSWER Deploy

During this phase, the penetration test is executed, and any issues will be resolved.

Which key deliverable occurs during post-release support?

Security testing reports

Customer engagement framework

Third-party reviews

Remediation report - ANSWER Third-party reviews

Third-party reviews are security assessments from outside groups (other than internal testing teams).

Which business function of OpenSAMM is associated with the following core practices?

-Policy and compliance

-Threat assessment

-Code review

-Vulnerability management

Question 10a:

Governance

Question 10b:

Construction

Question 10c:


Verification

Question 10d:

Deployment - ANSWER Policy and compliance

Sets up a security and compliance control and audit framework.

Threat assessment

Accurately identifies and characterizes potential attacks on software.

Code review

Assesses the organization's source code, which helps discover vulnerabilities.

Vulnerability management

Establishes processes for managing internal and external weakness reports.

What is software security?

Data transmission security by using HTTPS and SSL

Security that websites use, such as Web Application Firewall to block and monitor HTTP traffic

Security that networks use, such as a firewall allowing only intended traffic

Security that deals with securing the foundational programmatic logic of the underlying software - ANSWER Security that deals with securing the foundational programmatic logic of the underlying software