Scrum Master
Facilitator, removes roadblocks, runs ceremonies.
Product Owner
Defines requirements, prioritizes backlog, voice of the customer.
Software Developer
Writes code, implements features, follows secure practices.
Quality Assurance Analyst
Tests the software for bugs, ensures it meets requirements.
Software Security Architect
Designs secure frameworks, coding standards.
Security Champion
Promotes security awareness inside dev team, bridge between devs and security team.
Access Control
Who can enter/do what (MFA, RBAC, least privilege).
Database Security
Protect the data (parameterized queries, encrypted connection strings).
File Management
Safe file handling (validate uploads, restrict types/sizes).
Session Management
Control user sessions (timeouts, cookies, prevent hijacking).
BSIMM
Descriptive, benchmarks real org practices.
SAMM
Prescriptive, guides what you should do.
STRIDE
Threat categories (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege).
DREAD
Risk scoring (Damage, Reproducibility, Exploitability, Affected users, Discoverability).
PASTA
7-step attack simulation methodology.
A1 - Security Assessment
Profiles & paperwork (risk profile, laws, regulations).
A2 - Architecture
Blueprint + threat model (DFDs, mitigation plan).
A3 - Design & Development
Plans & updates (test plan, privacy assessment).
A4 - Readiness
Proof reports (testing execution + remediation).
A5 - Ship
Final stamp (pen test, reviews, licensing, customer prep).
PRS - Post-Release Support
Ongoing support (disclosures, certifications, legacy plans).
CVE System
Identifies and shares known vulnerabilities so teams can recognize and patch them.
Waterfall Methodology
Pros = structured/simple. Cons = inflexible.
Agile Methodology
Pros = flexible, collaborative. Cons = unpredictable, requires communication.
Privacy Impact Assessment
What data is collected, how it's used, risks, safeguards.
Code Review
Check code for bugs, logic errors, and insecure practices.
Change Management
Propose → Assess → Approve → Implement → Test → Document.
Pen Testing vs Vulnerability Scanning
Scanning = find weaknesses, Pen test = exploit them.
SQL Injection
Parameterized queries.
XSS
Output encoding.
File Upload Issues
Input validation.
Weak Passwords
Complexity + MFA.
Default Configurations
Change defaults, disable accounts.
Configuration Management Countermeasures
Limit service account privileges (no admin rights).
Post-Release Support (PRSA1-5)
Even after software is released, security and privacy must be managed.
PRSA1 - External Vulnerability Disclosure Response (PSIRT)
Manage vulnerabilities reported by researchers/customers, use severity scoring (CVSS), coordinated disclosure.
PRSA2 - Third-Party Reviews
Independent audits/pen tests required by regulators/customers.
PRSA3 - Post-Release Certifications
Certifications obtained after release (HIPAA, PCI DSS, FIPS 140-2, etc.).
PRSA4 - Internal Review for New Uses/Cloud Deployments
Reused/re-architected code must go through SDL again.
PRSA5 - Legacy & M&A Security Reviews
Review legacy code (technical debt), evaluate acquired products (binary/static analysis).
Key Success Factors
Clear vulnerability response process, annual third-party reviews, early certification planning, strategies for legacy & M&A code.
Deliverables
Vulnerability response plan, third-party review reports, post-release certifications, legacy/M&A strategies.
Metrics
Time to respond, hours spent on disclosures, number/severity of issues, customer-reported problems.