D487 - Secure Software Design (Section Quizzes & Lesson Knowledge Checks)

What are the two common best principles of software applications in the development process?

Quality code & Secure code

What ensures that the user has the appropriate role and privilege to view data?

Authorization

Which security goal is defined by "guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity"?

Integrity

Which phase in an SDLC helps to define the problem and scope of any existing systems and determine the objectives of new systems?

Planning

What happens during a dynamic code review?

Programmers monitor system memory, functional behavior, response times, and overall performance.

How should you store your application user credentials in your application database?

Store credentials using salted hashes

Which software methodology resembles an assembly-line approach?

Waterfall model

Which software methodology approach provides faster time to market and higher business value?

Agile Model

In Scrum methodology, who is responsible for making decisions on the requirements?

Product Owner

What is software security?

Security that deals with securing the foundational programmatic logic of the underlying software.

Which part of the CIA goals keeps unauthorized users from accessing confidential information?

Confidentiality

What are the three primary tools basic to the security development life cycle?

Fuzzing/Fuzz testing, Static analysis testing, and Dynamic analysis testing.

In which phase of the SDLC should the software security team be involved?

Concept

What determines the order of items in a product backlog in Scrum?

Order is decided based on value of the items being delivered.

Why is the Waterfall methodology most useful for smaller projects?

When a project is smaller, the risk of changing requirements and scope is lower.

What is the product risk profile?

A security assessment deliverable that estimates the actual cost of the product.

A software security team member has been tasked with creating a deliverable that provides details on where and to what degree sensitive customer information is collected, stored, or created within a new product offering.

What does the team member need to deliver in order to meet the objective?

Privacy impact assessment.

A software security team member has been tasked with creating a threat model for the login processes of a new product.

What is the first step a team member should take?

Identify security objectives

What are three parts of the STRIDE methodology?

Spoofing, Elevation, and Tampering

What is the reason software security teams host discovery meetings with stakeholders early in the development life cycle?

To ensure that security is built into the product from the start

Why should a security team provide documented certification requirements during the software assessment phase?

Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers.

What are two items that should be included in the privacy impact assessment plan regardless of which methodology is used?

Required process steps and Technologies and techniques

What are the goals of this SDL deliverable?: Product Risk Profile

Estimate the actual cost of the product

What are the goals of this SDL deliverable?: SDL project outline

Map security activities to the development schedule

What are the goals of this SDL deliverable?: Threat Profile

Guide security activities to protect the product from vulnerabilities

What are the goals of this SDL deliverable?: List of third-party software

Identify dependence on unmanaged software

What is a threat action that is designed to illegally access and use another person’s credentials?

Spoofing

What are two steps of the threat modeling process?

Survey the application and Decompress the application

What do the “A” and the first “D” in the DREAD acronym represent?

Affected users and Damage

Which shape indicates each type of flow diagram element?: External elements

Rectangle

Which shape indicates each type of flow diagram element?: Data store

Two parallel horizontal lines

Which shape indicates each type of flow diagram element?: Data flow

Solid line with an arrow

Which shape indicates each type of flow diagram element?: Trust boundary

Dashed line

What are the two deliverables of the Architecture phase of the SDL?

Threat modeling artifacts and Policy compliance analysis

What SDL security assessment deliverable is sued as ain input to an SDL architecture process?

Threat profile

Which software security testing technique tests the software from an external perspective?

Black box

Which security design principle states that an entity should be given the minimum privileges and resources for a minimum period of time for a task?

Least privilege

After the developer is done coding a functionality, when should code review be completed?

Within hours or the same day

What are the four step orders that code reviews should follow in order to be effective?

1. Identify security code review objectives.

2. Perform preliminary scan.

3. Review code for security issues.

4. Review for security issues unique to the architecture.

When a software application handles identifiable information (PII) data, what will be the Privacy Impact Rating?

P1: High privacy risk

Which key success factor identifies threats to the software?

Effective threat modeling

What is the goal of design security review deliveriables?

To male modifications to the design of software components based on security assessments

Which application scanner component is useful in identifying vulnerabilities such as cookie misconfigurations and insecure configuration of HTTP response headers?

Passive scanner

Which type of attack occurs when an attacker uses malicious code in the data sent in a form?

Cross-site scripting

Which tools provide the given functions?: Self-managed, automatic code review product

SonarQube

Which tools provide the given functions?: Open-source automation server

Jenkins

Which tools provide the given functions?: Proprietary issue tracking product

JIRA

Which tools provide the given functions?: AI-powered management solution

Dynatrace

A new application is released, and users perform initial testing on the application. Which type of testing are the users performing?

Beta testing

What is a non-system-related component in software security testing attack surface validation?

Users

When an application’s input validation is not handled properly, it could result in which kind of vulnerabilities?

SQL injection, cross-site scripting

What are the advantages of the following security analysis tools?: Static code analysis

Access to the actual instructions the software will be guessing

What are the advantages of the following security analysis tools?: Dynamic code analysis

Tests a specific operational deployment

What are the advantages of the following security analysis tools?: Fuzz testing

Testing in a random approach

What are the advantages of the following security analysis tools?: Manual source code review

Requires no supporting technology

Which activity in the Ship (A5) phase of the security development cycle sets requirements for quality gates that must be met before release?

A5 policy compliance analysis

The company's website uses querystring parameters to filter products by category. The URL, when filtering on a product category, looks like this: company.com/products?category=2.

If the security team saw a URL of company.com/products?category=2 OR 1=1 in the logs, what assumption should they make?

An attacker is attempting to use SQL injection to gain access to information.

Which post-release support activity (PRSA) details the process for investigating, mitigating, and communicating findings when security vulnerabilities are discovered in a software product?

External vulnerability disclosure response

Which post-release support key success factor says that any change or component reuse should trigger security development life cycle activities?

SDL cycle for any architectural changes or code reuses

Which step will you find in the SANS Institute Cyber Defense seven-step recipe for conducting threat modeling and application risk analysis?

Brainstorm threats from adversaries

In which OpenSAMM core practice area would one find environment hardening?

Deployment

Which practice in the Ship (A5) phase of the security development cycle verifies whether the product meets security mandates?

A5 policy compliance analysis

Which post-release support activity defines the process to communicate, identify, and alleviate security threats?

PRSA1: External vulnerability disclosure response

What are two core practice areas of the OWASP Security Assurance Maturity Model (OpenSAMM)?

Governance and Construction

Which practice in the Ship (A5) phase of the security development cycle uses tools to identify weaknesses in the product?

Vulnerability scan

Which post-release support activity should be completed when companies are joining together?

Security architectural reviews

Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions?: A5 Policy compliance analysis

Analyze activities and standards

Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions?: Code-assisted penetration testing

White-box security test

Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions?: Open-source licensing review

License compliance

Which of the Ship (A5) deliverables of the security development cycle are performed with the given actions?: Final security review

Release and ship

How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments?: Agile

Iterative development

How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments?: DevOps

Continuous integration and continuous development

How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments?: Cloud

API invocation processes

How can you establish your own SDL to build security into a process appropriate for your organization's needs based on the given environments?: Digital enterprise

Enables and improves business activities

Which phase of penetration testing allows for remediation to be performed?

Deploy

Which key deliverable occurs during post-release support?

Third-party reviews

Which business function of OpenSAMM is associated with the following core practices?: Governance

Policy and compliance

Which business function of OpenSAMM is associated with the following core practices?: Contruction

Threat assessment

Which business function of OpenSAMM is associated with the following core practices?: Verification

Code review

Which business function of OpenSAMM is associated with the following core practices?: Deployment

Vulnerability management