D487 - Secure Software Design Knowledge Check and Quiz

77 Terms

1. What are the two common best-practice principles for software in the development process?

Quality Code & Secure Code

2. What ensures that the user has the appropriate role and privilege to view data?

Authorization

3. Which security goal is defined by "guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity"?

Integrity

4. Which phase in an SDLC helps to define the problem and scope of any existing systems and determine the objectives of new systems?

Planning

5. What happens during a dynamic code review?

Programmers monitor system memory, functional behavior, response times, and overall performance while the code runs.

6. How should you store your application user credentials in your application database?

Store credentials using salted hashes (computed with a purpose-built, deliberately slow password-hashing function rather than a plain digest)
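
The salted-hash answer above, worked through as an added example (this is not code from the D487 course or from this quiz). It assumes an in-memory dict as a stand-in for the credential table and uses the standard library's PBKDF2-HMAC-SHA256 in place of a dedicated password hash such as Argon2 or bcrypt; the per-user random salt, the stored cost parameter and the constant-time comparison are the parts that matter.

```python
"""
Added example (not from the D487 course or quiz): storing and verifying user
credentials as salted hashes with a purpose-built password KDF.

Assumptions (mine, not the page's): the "database" is an in-memory dict keyed
by username; PBKDF2-HMAC-SHA256 stands in for Argon2/bcrypt.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # cost parameter; raise over time as hardware gets faster
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)            # per-user random salt defeats precomputed tables
    digest = _derive(password, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
    except ValueError:
        return False                          # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


USERS: dict[str, str] = {}   # constructed stand-in for the credential table


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Burn the same work as a real check so an unknown username is not
        # distinguishable from a wrong password by response time.
        _derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong"))                          # False
```

Because the iteration count is stored with each record, the cost can be raised later and old records re-hashed at the user's next successful login without a migration.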

7. Which software methodology resembles an assembly-line approach?

Waterfall model

8. Which software methodology approach provides faster time to market and higher business value?

Agile model

9. In Scrum methodology, who is responsible for making decisions on the requirements?

Product Owner

10. What is the product risk profile?

A security assessment deliverable that estimates the actual cost of the product

11. A software security team member has been tasked with creating a deliverable that provides details on where and to what degree sensitive customer information is collected, stored, or created within a new product offering. What does the team member need to deliver in order to meet the objective?

Privacy impact assessment

12. A software security team member has been tasked with creating a threat model for the login process of a new product. What is the first step the team member should take?

Identify security objectives

13. What are three parts of the STRIDE methodology?

Spoofing, Elevation of privilege, Tampering

14. What is the reason software security teams host discovery meetings with stakeholders early in the development life cycle?

To ensure that security is built into the product from the start

15. Why should a security team provide documented certification requirements during the software assessment phase?

Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers.

16. What are two items that should be included in the privacy impact assessment plan regardless of which methodology is used?

Required process steps & Technologies and techniques

17. What are the goals of each SDL deliverable? - Product risk profile

Estimate the actual cost of the product

18. What are the goals of each SDL deliverable? - SDL project outline

Map security activities to the development schedule

19. What are the goals of each SDL deliverable? - Threat profile

Guide security activities to protect the product from vulnerabilities

20. What are the goals of each SDL deliverable? - List of third-party software

Identify the dependence on unmanaged software

21. What is a threat action that is designed to illegally access and use another person's credentials?

Spoofing

22. What are two steps of the threat modeling process?

Survey the application & Decompose the application

23. What do the "A" and the first "D" in the DREAD acronym represent?

Damage & Affected users

24. Which shape indicates each type of flow diagram element? - External elements

Rectangle

25. Which shape indicates each type of flow diagram element? - Data store

Two parallel horizontal lines

26. Which shape indicates each type of flow diagram element? - Data flow

Solid line with an arrow

27. Which shape indicates each type of flow diagram element? - Trust boundary

Dashed line
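
Cards 13 and 21 through 27 describe the pieces of a threat model (STRIDE categories, DREAD scoring, and the data-flow-diagram elements and trust boundaries) without showing how they fit together. The following is an added example, not course or quiz material: it represents a small login-flow DFD as data, applies the STRIDE-per-element chart (the mapping of which STRIDE categories apply to external entities, processes, data stores and data flows) to enumerate candidate threats, flags flows that cross a trust boundary, and ranks scored threats by their DREAD average. The element list and the DREAD values are constructed for illustration.

```python
"""
Added example (not part of the quiz or the course text): STRIDE-per-element
threat enumeration over a data-flow diagram, plus DREAD ranking.

Assumptions (mine): the STRIDE-per-element mapping follows the commonly used
chart (external entity: S,R; process: S,T,R,I,D,E; data store: T,R,I,D;
data flow: T,I,D); the login-flow diagram and the DREAD scores are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# STRIDE-per-element: which threat categories apply to which DFD element type.
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "dataflow": "TID"}


@dataclass
class Element:
    name: str
    kind: str                      # external | process | datastore | dataflow
    zone: str                      # trust zone; a flow whose ends differ crosses a boundary
    src: Optional[str] = None      # dataflow only
    dst: Optional[str] = None


@dataclass
class Threat:
    element: str
    category: str
    crosses_boundary: bool
    dread: dict = field(default_factory=dict)

    def score(self) -> float:
        # DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability (1-10 each)
        keys = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
        return sum(self.dread[k] for k in keys) / len(keys)


def enumerate_threats(elements: list[Element]) -> list[Threat]:
    zones = {e.name: e.zone for e in elements if e.kind != "dataflow"}
    threats = []
    for e in elements:
        crosses = e.kind == "dataflow" and zones[e.src] != zones[e.dst]
        for code in PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE[code], crosses))
    return threats


def rank(threats: list[Threat]) -> list[Threat]:
    """Highest DREAD score first; threats that have not been scored sort last."""
    return sorted(threats, key=lambda t: t.score() if t.dread else -1, reverse=True)


# Constructed login flow: browser (untrusted zone) -> login service -> user DB (app zone).
LOGIN_DFD = [
    Element("Browser", "external", "internet"),
    Element("Login service", "process", "app"),
    Element("User DB", "datastore", "app"),
    Element("Credentials over HTTP", "dataflow", "", src="Browser", dst="Login service"),
    Element("Credential lookup", "dataflow", "", src="Login service", dst="User DB"),
]


def model_login() -> list[Threat]:
    threats = enumerate_threats(LOGIN_DFD)
    for t in threats:   # constructed DREAD scores for two of the threats
        if t.element == "Credentials over HTTP" and t.category == "Information disclosure":
            t.dread = dict(damage=9, reproducibility=10, exploitability=7, affected_users=10, discoverability=8)
        if t.element == "Browser" and t.category == "Spoofing":
            t.dread = dict(damage=8, reproducibility=6, exploitability=5, affected_users=4, discoverability=6)
    return rank(threats)


if __name__ == "__main__":
    for t in model_login():
        flag = " [crosses trust boundary]" if t.crosses_boundary else ""
        shown = f"{t.score():.1f}" if t.dread else "-"
        print(f"{t.element:24} {t.category:24} {shown}{flag}")
```

The boundary flag is what makes the dashed line on the diagram actionable: the credential flow from the browser into the application zone is the one that gets the highest score, which is where the mitigations (TLS, authentication, input validation) should be recorded first.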

28. What are the two deliverables of the Architecture phase of the SDL?

Threat modeling artifacts & Policy compliance analysis

29. What SDL security assessment deliverable is used as an input to an SDL architecture process?

Threat profile

30. Which software security testing technique tests the software from an external perspective?

Black box

31. Which security design principle states that an entity should be given the minimum privileges and resources for a minimum period of time for a task?

Least privilege

32. After the developer is done coding a functionality, when should code review be completed?

Within hours or the same day

33. What is the order that code reviews should follow in order to be effective? - Step 1

Identify security code review objectives

34. What is the order that code reviews should follow in order to be effective? - Step 2

Perform preliminary scan

35. What is the order that code reviews should follow in order to be effective? - Step 3

Review code for security issues

36. What is the order that code reviews should follow in order to be effective? - Step 4

Review for security issues unique to the architecture

37. When a software application handles personally identifiable information (PII) data, what will be the Privacy Impact Rating?

P1: High privacy risk

38. Which key success factor identifies threats to the software?

Effective threat modeling

39. What is the goal of design security review deliverables?

To make modifications to the design of software components based on security assessments

40. Which application scanner component is useful in identifying vulnerabilities such as cookie misconfigurations and insecure configuration of HTTP response headers?

Passive scanner
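
What a passive scanner actually does with a response it has already captured, as an added example (not from the course, the quiz, or any scanner product): it parses the response headers, checks every Set-Cookie for the Secure, HttpOnly and SameSite attributes, and reports missing baseline security headers, all without sending a single additional request. The response below is constructed, and the header list is a common baseline rather than a complete policy.

```python
"""
Added example (not the quiz's or any scanner's code): passive checks over one
captured HTTP response for cookie attributes and security headers.

Assumptions (mine): the sample response is constructed; the header checks
(HSTS, CSP, X-Content-Type-Options, clickjacking protection, Server version
leak) are a widely used baseline, not an exhaustive rule set.
"""


def parse_response_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 response into lower-cased (name, value) pairs; status line dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_cookie(set_cookie: str, https: bool) -> list[str]:
    """Flag a Set-Cookie value that lacks Secure (on HTTPS), HttpOnly, or a restrictive SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else "") for p in parts[1:]}
    findings = []
    if https and "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by script)")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite is '{samesite or 'unset'}'")
    return findings


def passive_scan(raw_response: str, https: bool = True) -> list[str]:
    headers = parse_response_headers(raw_response)
    present = {n: v for n, v in headers if n != "set-cookie"}
    findings = []
    for cookie in (v for n, v in headers if n == "set-cookie"):
        findings.extend(check_cookie(cookie, https))
    if https and "strict-transport-security" not in present:
        findings.append("missing Strict-Transport-Security")
    if "content-security-policy" not in present:
        findings.append("missing Content-Security-Policy")
    if present.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in present and "frame-ancestors" not in present.get("content-security-policy", ""):
        findings.append("no clickjacking protection (X-Frame-Options / CSP frame-ancestors)")
    if "server" in present and any(ch.isdigit() for ch in present["server"]):
        findings.append(f"Server header leaks version: {present['server']}")
    return findings


# Constructed response, not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_RESPONSE):
        print("-", finding)
```

The `https` flag matters: a scanner that does not know the scheme the response came over will either miss a missing Secure attribute or report it on every plain-HTTP test fixture.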

41. Which type of attack occurs when an attacker uses malicious code in the data sent in a form?

Cross-site scripting (XSS)

42. Which tools provide the given functions? - Self-managed automatic code review product

SonarQube

43. Which tools provide the given functions? - Proprietary issue tracking product

JIRA

44. Which tools provide the given functions? - Open-source automation server

Jenkins

45. Which tools provide the given functions? - AI-powered management solution

Dynatrace

46. A new application is released, and users perform initial testing on the application. Which type of testing are the users performing?

Beta testing

47. What is a non-system-related component in software security testing attack surface validation?

Users

48. When an application's input validation is not handled properly, it could result in which kind of vulnerabilities?

SQL injection, cross-site scripting
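
Cards 41 and 48 name the two vulnerabilities that follow from trusting form or query-string input; the added example below (my code, not the course's or the quiz's) shows the same product-category filter twice. The first version concatenates the parameter into SQL and reflects it into HTML, so `2 OR 1=1` widens the query and a script tag lands in the page unchanged. The second version validates the parameter against an allowlist (an integer id and nothing else), binds it as a query parameter, and HTML-encodes everything on output. The products table and rows are constructed in an in-memory SQLite database.

```python
"""
Added example (not from the course or quiz): a string-built, reflecting
`category` filter next to its validated, parameterized, output-encoded form.

Assumptions (mine): the products table and rows below are constructed in an
in-memory SQLite database; the "page" is a string rather than a real response.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, category INTEGER, internal INTEGER);
        INSERT INTO products VALUES (1, 'Widget', 2, 0), (2, 'Gadget', 3, 0),
                                    (3, 'Unreleased prototype', 2, 1);
    """)
    return conn


def vulnerable_filter(conn, category: str) -> list[str]:
    # Untrusted input concatenated into SQL: "2 OR 1=1" becomes part of the statement,
    # and OR binds loosest, so the internal = 0 restriction is bypassed too.
    rows = conn.execute(
        f"SELECT name FROM products WHERE internal = 0 AND category = {category}"
    ).fetchall()
    return [r[0] for r in rows]


def vulnerable_page(category: str, names: list[str]) -> str:
    # Reflects the parameter verbatim: "<script>..." lands in the markup unchanged.
    return f"<h1>Category {category}</h1><ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


class InvalidInput(ValueError):
    pass


def validate_category(raw: str) -> int:
    # Allowlist: the parameter is a positive integer id of sane length; anything else is rejected.
    if not raw.isdigit() or len(raw) > 9:
        raise InvalidInput(f"category must be a positive integer, got {raw!r}")
    return int(raw)


def is_rejected(raw: str) -> bool:
    try:
        validate_category(raw)
        return False
    except InvalidInput:
        return True


def safe_filter(conn, category: int) -> list[str]:
    # Parameter binding: the value can never be parsed as SQL.
    rows = conn.execute(
        "SELECT name FROM products WHERE internal = 0 AND category = ?", (category,)
    ).fetchall()
    return [r[0] for r in rows]


def safe_page(category: int, names: list[str]) -> str:
    # Output encoding: data from the database is untrusted on the way out as well.
    items = "".join(f"<li>{html.escape(n)}</li>" for n in names)
    return f"<h1>Category {html.escape(str(category))}</h1><ul>{items}</ul>"


def handle_request(conn, raw_category: str) -> str:
    """Hardened handler: validate, query with parameters, encode on output."""
    category = validate_category(raw_category)   # raises on "2 OR 1=1" or "<script>"
    return safe_page(category, safe_filter(conn, category))


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_filter(db, "2 OR 1=1"))   # all three rows, including the internal one
    print(handle_request(db, "2"))
    print("rejected:", is_rejected("2 OR 1=1"))
```

Validation alone is not the fix: `validate_category` stops this input, but the parameterized query and the output encoding are what protect the code when a future parameter is a free-text search string that cannot be allowlisted so tightly.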

49. What are the advantages of the following security analysis tools? - Static code analysis

Access to the actual instructions the software will be executing

50. What are the advantages of the following security analysis tools? - Dynamic code analysis

Tests a specific operational deployment

51. What are the advantages of the following security analysis tools? - Fuzz testing

Testing in a random approach

52. What are the advantages of the following security analysis tools? - Manual code review

Requires no supporting technology
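
The "random approach" of card 51, shown concretely as an added example (my code, not the course's): a minimal mutation-based fuzzer that takes a well-formed seed input, applies random byte-level mutations, runs a parser on each result, and keeps every input that raises an exception as a finding. The length-prefixed record parser and its seed are constructed, and the parser deliberately trusts the declared length so that the fuzzer has a bug to find; a seeded `random.Random` keeps the run reproducible, which is what you want when a crash has to be replayed.

```python
"""
Added example (not from the course or quiz): a small mutation fuzzer driving a
constructed length-prefixed record parser that carries a deliberate bug.
"""
import random


def parse_records(buf: bytes) -> list[bytes]:
    """Parse [len:1][payload:len]* records. Deliberately trusts `len` (constructed bug)."""
    records = []
    i = 0
    while i < len(buf):
        length = buf[i]
        payload = buf[i + 1: i + 1 + length]
        if length > 0 and len(payload) != length:
            # Native code would read past the buffer here; in Python the fault is an exception.
            raise IndexError(f"declared {length} bytes, only {len(payload)} available")
        records.append(payload)
        i += 1 + length
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: flip a bit, insert a byte, delete a byte, or set a byte to 0xFF."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:
        pos = rng.randrange(len(data))
        data[pos] ^= 1 << rng.randrange(8)
    elif choice == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif choice == 2 and data:
        del data[rng.randrange(len(data))]
    elif data:
        data[rng.randrange(len(data))] = 0xFF     # large length byte: the interesting case here
    return bytes(data)


def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> list[tuple[bytes, str]]:
    """Run `target` on mutated inputs; return (input, error) pairs for every crash."""
    rng = random.Random(seed)
    corpus = [seed_input]
    crashes = []
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        try:
            target(child)
            corpus.append(child)          # survived: becomes a parent (simple corpus growth)
        except Exception as exc:          # any uncaught exception is a finding to triage
            crashes.append((child, f"{type(exc).__name__}: {exc}"))
    return crashes


def reproduces(target, crashing_input: bytes) -> bool:
    """A finding is only a finding if the crash replays deterministically."""
    try:
        target(crashing_input)
        return False
    except Exception:
        return True


SEED = b"\x03abc\x02de\x01f"   # three well-formed records: "abc", "de", "f"

if __name__ == "__main__":
    found = fuzz(parse_records, SEED)
    print(f"{len(found)} crashing inputs; first: {found[0] if found else None}")
```

Real fuzzers add coverage feedback and a minimizer on top of this loop; what this version keeps is the essential property that every crash is a stored input that can be replayed against the parser, which is what turns a fuzz run into a bug report.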

53. Which activity in the Ship (A5) phase of the security development cycle sets requirements for quality gates that must be met before release?

A5 policy compliance analysis

54. Which post-release support activity should be completed when companies are joining together?

Security architectural reviews

55. The company's website uses querystring parameters to filter products by category. The URL, when filtering on a product category, looks like this: company.com/products?category=2. If the security team saw a URL of company.com/products?category=2 OR 1=1 in the logs, what assumption should they make?

An attacker is attempting to use SQL injection to gain access to information.
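
Turning the observation in card 55 into a detection rule, as an added example (my code, not the course's or any product's): the function below reads access-log lines, URL-decodes each query parameter, and flags values that match common injection idioms, the `category=2 OR 1=1` tautology among them. The log lines are constructed in Common Log Format; the pattern list is a starting point for triage, not an injection grammar, and a hit means "someone is probing", not "the database was compromised" (the response size and status code in the same line are the next thing to look at).

```python
"""
Added example (not the quiz's or any product's logic): flag SQL-injection
probes in web server access logs by decoding and pattern-matching query strings.

Assumptions (mine): the log lines are constructed in Common Log Format; the
patterns cover a few common idioms and are a triage signal, not proof.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Each pattern is applied to the decoded, lower-cased parameter value.
SQLI_PATTERNS = [
    (re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?"), "tautology (OR 1=1)"),
    (re.compile(r"\bunion\b\s+(all\s+)?\bselect\b"), "UNION SELECT"),
    (re.compile(r"(--|/\*)"), "SQL comment"),
    (re.compile(r";\s*(drop|delete|update|insert|exec)\b"), "stacked statement"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b"), "time-based probe"),
]


def suspicious_params(target: str) -> list[tuple[str, str, str]]:
    """Return (param, decoded value, reason) for each query parameter that matches a pattern."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value).lower()     # second decode pass catches double-encoded probes
        for pattern, reason in SQLI_PATTERNS:
            if pattern.search(decoded):
                hits.append((name, decoded, reason))
                break                             # one reason per parameter is enough for triage
    return hits


def scan_log(lines: list[str]) -> list[dict]:
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # not a request line we understand; skip, do not crash
        for param, value, reason in suspicious_params(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "param": param, "value": value,
                           "reason": reason, "status": int(m["status"])})
    return alerts


# Constructed sample log lines, not from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:13:55:36 +0000] "GET /products?category=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2024:13:55:41 +0000] "GET /products?category=2%20OR%201%3D1 HTTP/1.1" 200 98231',
    '203.0.113.7 - - [10/Mar/2024:13:55:49 +0000] "GET /products?category=2%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 312',
    '198.51.100.4 - - [10/Mar/2024:13:56:02 +0000] "GET /search?q=oreo%20cookies HTTP/1.1" 200 1200',
    '198.51.100.4 - - [10/Mar/2024:13:56:10 +0000] "GET /products?category=3 HTTP/1.1" 200 4870',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} param={a['param']} status={a['status']} reason={a['reason']} value={a['value']!r}")
```

Note the second sample line: the tautology request returned 200 with a response roughly twenty times larger than the legitimate one, which is the kind of corroborating signal that should raise a probe from "attempt" to "likely succeeded" during incident triage.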

56. Which post-release support activity (PRSA) details the process for investigating, mitigating, and communicating findings when security vulnerabilities are discovered in a software product?

External vulnerability disclosure response

57. Which post-release support key success factor says that any change or component reuse should trigger security development life cycle activities?

SDL cycle for any architectural changes or code reuse

58. Which step will you find in the SANS Institute Cyber Defense seven-step recipe for conducting threat modeling and application risk analysis?

Brainstorm threats from adversaries

59. In which OpenSAMM core practice area would one find environment hardening?

Deployment

60. Which practice in the Ship (A5) phase of the security development cycle verifies whether the product meets security mandates?

A5 policy compliance analysis

61. Which post-release support activity defines the process to communicate, identify, and alleviate security threats?

PRSA1: External vulnerability disclosure response

62. What are two core practice areas of the OWASP Security Assurance Maturity Model (OpenSAMM)?

Governance & Construction

63. Which practice in the Ship (A5) phase of the security development cycle uses tools to identify weaknesses in the product?

Vulnerability scan

64. How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments? - Cloud

API invocation processes

65. Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions? - A5 policy compliance analysis

Analyze activities and standards

66. Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions? - Code-assisted penetration testing

White-box security test

67. Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions? - Open-source licensing review

License compliance

68. Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions? - Final security review

Release and ship

69. How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments? - Agile

Iterative development

70. How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments? - DevOps

Continuous integration and continuous delivery/deployment (CI/CD)

71. Which business function of OpenSAMM is associated with the following core practices? - Verification

Code review

72. How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments? - Digital enterprise

Enables and improves business activities

73. Which phase of penetration testing allows for remediation to be performed?

Deploy

74. Which key deliverable occurs during post-release support?

Third-party reviews

75. Which business function of OpenSAMM is associated with the following core practices? - Governance

Policy and compliance

76. Which business function of OpenSAMM is associated with the following core practices? - Construction

Threat assessment

77. Which business function of OpenSAMM is associated with the following core practices? - Deployment

Vulnerability management