
WGU Master's Course C706 - Secure Software Design

Pages: 44
Uploaded on: 20-03-2022
Written in: 2021/2022

Which due diligence activity for supply chain security should occur in the initiation phase of the software acquisition life cycle?
A Developing a request for proposal (RFP) that includes supply chain security risk management
B Lessening the risk of disseminating information during disposal
C Facilitating knowledge transfer between suppliers
D Mitigating supply chain security risk by providing user guidance
Correct answer- A

Which due diligence activity for supply chain security investigates the means by which data sets are shared and assessed?
A on-site assessment
B process policy review
C third-party assessment
D document exchange and review
Correct answer- D

Consider these characteristics:
-Identification of the entity making the access request
-Verification that the request has not changed since its initiation
-Application of the appropriate authorization procedures
-Reexamination of previously authorized requests by the same entity
Which security design analysis is being described?
A Open design
B Complete mediation
C Economy of mechanism
D Least common mechanism
Correct answer- B

Which software security principle guards against the improper modification or destruction of information and ensures the nonrepudiation and authenticity of information?
A Quality
B Integrity
C Availability
D Confidentiality
Correct answer- B

What type of functional security requirement involves receiving, processing, storing, transmitting, and delivering in report form?
A Logging
B Error handling
C Primary dataflow
D Access control flow
Correct answer- C

Which nonfunctional security requirement provides a way to capture information correctly and a way to store that information to help support later audits?
A Logging
B Error handling
C Primary dataflow
D Access control flow
Correct answer- A

Which security concept refers to the quality of information that could cause harm or damage if disclosed?
A Isolation
B Discretion
C Seclusion
D Sensitivity
Correct answer- D

Which technology would be an example of an injection flaw, according to the OWASP Top 10?
A SQL
B API
C XML
D XSS
Correct answer- A

A company is creating new software to track customer balance and wants to design a secure application. Which best practice should be applied?
A Develop a secure authentication method that has a closed design
B Allow mediation bypass or suspension for software testing and emergency planning
C Ensure there is physical acceptability to ensure software is intuitive for the users to do their jobs
D Create multiple layers of protection so that a subsequent layer provides protection if a layer is breached
Correct answer- D

A company is developing secure software that has to be evaluated and tested by a large number of experts. Which security principle should be applied?
A Fail safe
B Open design
C Defense in depth
D Complete mediation
Correct answer- B

Which type of TCP scanning indicates that a system is moving to the second phase in a three-way TCP handshake?
A TCP SYN scanning
B TCP ACK scanning
C TCP XMAS scanning
D TCP Connect scanning
Correct answer- A

Which evaluation technique provides invalid, unexpected, or random data to the inputs of a computer software program?
A Fuzz testing
B Static analysis
C Dynamic analysis
D Regression testing
Correct answer- A

Which approach provides an opportunity to improve the software development life cycle by tailoring the process to the specific risks facing the organization?
A Agile methodology
B Waterfall methodology
C Building security in maturity model (BSIMM)
D Software assurance maturity model (SAMM)
Correct answer- D

Which phase contains sophisticated software development processes that ensure that feedback from one phase reaches the previous phase to improve future results?
A Initial
B Managed
C Optimizing
D Repeatable
Correct answer- C

The activities for compliance include ensuring collected information is only used for intended purposes, information is timely and accurate, and the public is aware of the information collected and how it is used. Which well-accepted secure development standard is addressed by these activities?
A PIA
B PA-DSS
C PCI-DSS
D PTS-DSS
Correct answer- A

An organization is in the process of building an application for its banking software. Which security coding practice must the organization follow?
A Run a data analysis
B Conduct data validation
C Validate the data source
D Align business goals
Correct answer- B

What is included in a typical job description of a software security champion (SSC)?
A Identify software update source and sink
B Review code to identify skill-related bugs
C Develop and manage the after-SDLC stage
D Consider all possible paths of attack or exploits
Correct answer- D

Which role is a training champion of software security, an advocate for the overall SDL process, and a proponent for promulgating and enforcing the overall software product security program?
A Software security user (SSU)
B Software security architect (SSA)
C Software security evangelist (SSE)
D Software security stakeholder (SSS)
Correct answer- C

Which role requires the technical capability to be trained as a software security architect who then assists the centralized software security group with architecture security analysis and threat modeling?
A Software champion
B Software evangelist
C Junior software developer
D Senior software programmer
Correct answer- A

An application development team is designing and building an application that interfaces with a back-end database. Which activity should be included when constructing a threat model for the application?
A Designate one or more primary keys for each database table in the database
B Decompose the application to understand how it interacts with external entities
C Review the relationships among the attributes to be included in the database tables
D Create a set of performance metrics to assess the functionality of the developed application
Correct answer- B

What is the third step for constructing a threat model for identifying a spoofing threat?
A Decompose threats
B Identify threats
C Identify vulnerabilities
D Survey the application
Correct answer- A

What is a step for constructing a threat model for a project when using practical risk analysis?
A Align your business goals
B Apply engineering methods
C Estimate probability of project time
D Make a list of what you are trying to protect
Correct answer- D

Which cyber threats are typically surgical by nature, have highly specific targeting, and are technologically sophisticated?
A Tactical attacks
B Criminal attacks
C Strategic attacks
D User-specific attacks
Correct answer- A

Which type of cyberattack is often intended to elevate awareness of a topic?
A Cyberwarfare
B Tactical attacks
C User-specific attacks
D Sociopolitical attacks
Correct answer- D

What type of attack locks a user's desktop and then requires a payment to unlock it?
A Phishing
B Keylogger
C Ransomware
D Denial-of-service
Correct answer- C

What is a countermeasure against various forms of XML and XML path injection attacks?
A XML name wrapping
B XML unicode encoding
C XML attribute escaping
D XML distinguished name escaping
Correct answer- C

Which countermeasure is used to mitigate SQL injection attacks?
A SQL Firewall
B Projected bijection
C Query parameterization
D Progressive ColdFusion
Correct answer- C

What is an appropriate countermeasure to an escalation of privilege attack?
A Enforcing strong password policies
B Using standard encryption algorithms and correct key sizes
C Enabling the auditing and logging of all administration activities
D Restricting access to specific operations through role-based access controls
Correct answer- D

Which configuration management security countermeasure implements least privilege access control?
A Following strong password policies to restrict access
B Restricting file access to users based on authorization
C Avoiding clear text format for credentials and sensitive data
D Using AES 256 encryption for communications of a sensitive nature
Correct answer- B

Which phase of the software development life cycle (SDL/SDLC) would be used to determine the minimum set of privileges required to perform the targeted task and restrict the user to a domain with those privileges?
A Design
B Deploy
C Development
D Implementation
Correct answer- A

Which least privilege method is more granular in scope and grants specific processes only the privileges necessary to perform certain required functions, instead of granting them unrestricted access to the system?
A Entitlement privilege
B Separation of privilege
C Aggregation of privileges
D Segregation of responsibilities
Correct answer- B

Why does privilege creep pose a potential security risk?
A User privileges do not match their job role.
B With more privileges, there are more responsibilities.
C Auditing will show a mismatch between individual responsibilities and their access rights.
D Users have more privileges than they need and may perform actions outside their job description.
Correct answer- D

A system developer is implementing a new sales system. The system developer is concerned that unauthorized individuals may be able to view sensitive customer financial data. Which family of nonfunctional requirements should be considered as part of the acceptance criteria?
A Integrity
B Availability
C Nonrepudiation
D Confidentiality
Correct answer- D

A project manager is given the task to come up with nonfunctional acceptance criteria requirements for business owners as part of a project delivery. Which nonfunctional requirement should be applied to the acceptance criteria?
A Give search options to users
B Evaluate test execution results
C Divide users into groups and give them separate rights
D Develop software that keeps downward compatibility intact
Correct answer- B

A user was given a task to identify nonfunctional acceptance criteria. Which nonfunctional requirement should be applied to the acceptance criteria?
A Encryption used during data transfer
B Review of the most recent test results
C Software developed keeping downward compatibility intact
D Users divided into groups and the groups given separate rights
Correct answer- B

Which technique can be used by an attacker to compromise password security when a password such as "" is used by an organization?
A Denial-of-service attack
B Brute-force attack
C Blind SQL injection
D Blind XPath injection
Correct answer- B

Which type of password attack tests for every possible value of a parameter?
A Phishing
B Brute force
C DNS poisoning
D Cache poisoning
Correct answer- B

Which type of attack allows the complete disclosure or destruction of all data on a system and allows attackers to spoof identity, tamper with existing data, and cause repudiation issues such as voiding transactions or changing balances?
A SQL injection
B Code injection
C Command injection
D Special element injection
Correct answer- A

Which threat uses malware that tricks users into believing that there is no way out for them except to pay to get rid of a nuisance?
A Script kiddies
B Insider threats
C Ransomware
D Bitcoin malware
Correct answer- C

Which type of application attack is used to harvest and steal sensitive information?
A Whaling
B Remote access tool
C Malicious file execution
D Advanced persistent threat
Correct answer- B

Which type of application attack is commonly waged through the use of rootkits?
A Backdoor
B Time of check
C Rainbow table
D Escalation of privilege
Correct answer- D

Which attack aims to make a web service unavailable or unusable?
A Spoofing
B Tampering
C Repudiation
D Denial-of-service
Correct answer- D

A company is developing a new software application that requires users to log in using a username and password. The company needs to implement a security control that is effective at preventing spoofing during the log-in process. Which security control is effective at preventing this threat action?
A Integrity
B Authorization
C Authentication
D Confidentiality
Correct answer- C

A company is developing a new database application. The company needs to implement a security control that is effective at preventing tampering. Which security control is effective at preventing this threat action?
A Integrity
B Authorization
C Authentication
D Confidentiality
Correct answer- A

A bank is developing a new checking account application for customers and needs to implement a security control that is effective at preventing an elevation of privilege attack. Which security control is effective at preventing this threat action?
A Integrity
B Authorization
C Authentication
D Confidentiality
Correct answer- B

A database has a table called "orders_table" which has the columns order_no, last_name, first_name, ship_city, and credit_card. A hacker wants to perform the following SQL injection code to attack this table:
SELECT * FROM orders_table WHERE order_no= ' ' OR '1'='1';
Which software testing technique is the most effective approach to identify this attack?
A Fuzz testing
B Input validation
C Dynamic code analysis
D Vulnerability scanning probe
Correct answer- B

Which software security testing technique can be categorized as white box?
A Byte code analysis
B Binary code analysis
C Source code analysis
D Dynamic code analysis
Correct answer- C

Which software testing approach can be used against an attacker who manipulates input strings in banking software to gain access to another individual's overdrawn account in order to withdraw funds?
A Fuzz testing
B Dynamic testing
C Misuse case testing
D Application interface testing
Correct answer- C

Which security testing technique allows the evaluators to circumvent the security features of a system?
A Fuzz testing
B Penetration testing
C Black box debugging
D Vulnerability scanning
Correct answer- B

Which software control test executes an application and then uses data that is designed to evaluate whether the values returned by the application match a specified range of criteria?
A Static test
B White box test
C Manual code review
D Reasonableness check
Correct answer- D

Which item is a phase of the change management process?
A Budget planning
B Communication planning
C Assessment management
D Project time management
Correct answer- B

Which part of the change management process addresses the need to identify, understand, and help leaders manage opposition throughout the organization?
A Training development
B Resistance management
C Communication planning
D Employee corrective action
Correct answer- B

Which component of the change management process allows developers to prioritize tasks?
A Change control
B Release control
C Request control
D Configuration control
Correct answer- C

Which component of the change management process involves new system deployment testing where the new system and the old system are operating at the same time?
A Parallel run
B Direct cutover
C Phased approach
D Backout procedure
Correct answer- A

Which technique documents incident response times agreed upon by both a provider and a customer?
A Capacity plan
B Service-level agreement
C Change management plan
D Configuration management system
Correct answer- B

Which element is commonly addressed in a service-level agreement (SLA)?
A Virus protection
B Service availability
C Patch management
D Equipment and media disposal
Correct answer- B

The ASF threat list describes a risk that may occur when a software developer forgets to set an expiration for a cookie. Which countermeasure addresses this vulnerability?
A User and session management
B Authentication and authorization
C Data protection in storage and transit
D Error handling and exception management
Correct answer- A

An undocumented command sequence is allowing unauthorized access to a software system. What type of software defect allows this vulnerability?
A Backdoor
B Rootkit attack
C Buffer overflow
D Cross-site scripting
Correct answer- A

A small organization experiences an XSS attack on their web application. What type of vulnerability has occurred?
A SQL injection
B SQL intrusion
C Cross-site scripting
D Cross-site request forgery
Correct answer- C

What type of software threat occurs when password resets reveal password hints and valid usernames, according to the Application Security Frame (ASF)?
A Authorization
B Authentication
C User and session management
D Data protection in storage and transit
Correct answer- B

What type of software threat occurs when output encoding is skipped, according to the Application Security Frame (ASF)?
A Authorization
B Authentication
C User and session management
D Data and parameter validation
Correct answer- D

Which form of malicious software hides in the lower levels of an operating system with privileged access permissions and opens a backdoor on the system?
A Trojan
B Rootkit
C Keylogger
D Ransomware
Correct answer- B

A security administrator wants to prevent web-based code that has full access to a Windows operating system when executing on user systems. Which technique should remediate this vulnerability?
A Prohibiting downloads of Java applets
B Prohibiting downloads of ActiveX content
C Clearing the Domain Name System (DNS) cache
D Clearing the Address Resolution Protocol (ARP) cache
Correct answer- B

A system administrator wants to use physical controls to prevent unauthorized access to information that belongs to users at a different security level. Which strategy would prevent this problem?
A Layering
B Abstraction
C Process isolation
D Hardware segmentation
Correct answer- D

A video company has installed new software. The developers need to establish a defense against zero-day attacks. What is the best way to manage this vulnerability?
A Apply threat modeling
B Use a strong password
C Install the latest patches
D Create another user log-in
Correct answer- C

Which type of attack would a hacker use to exploit a vulnerability that allows access to be increased to the administrator level?
A Rootkit
B Whaling
C Waterhole
D Dictionary
Correct answer- A

Which type of attack involves exploiting a social engineering vulnerability over voice communications?
A Rootkit
B Vishing
C Waterhole
D Dictionary
Correct answer- B

Which method provides line-of-code-level detection that enables development teams to remediate vulnerabilities quickly?
A Dynamic Cone Pen Testing (DCPT)
B Static Application Security Testing (SAST)
C Common Weaknesses Enumeration (CWE)
D Common Vulnerabilities and Exposures (CVE)
Correct answer- B

Which technique should be used to detect a software vulnerability that causes extra characters to appear in data fields of a front-facing web application?
A Static analysis
B Dynamic analysis
C Binary code analysis
D Property-based testing
Correct answer- A

What is a known SDL metric used to measure protection against vulnerabilities?
A The number of files or objects
B Findings summary report
C The number of security defects found through static analysis tools
D The progress against privacy requirements provided in earlier phases
Correct answer- C

Which statement is true of covert channels?
A Covert channels are addressed by a C2 rating provided by TCSEC.
B Covert channels act as a trusted path for authorized communication.
C Covert channels regulate the information flow and implement the security policy.
D Covert channels are not controlled by a security mechanism.
Correct answer- D

Which security threat often uses tracking cookies to collect and report on a user's activities?
A spyware
B virus
C worm
D Trojan horse
Correct answer- A

Which term describes a module's ability to perform its job without using other modules?
A low cohesion
B high cohesion
C high coupling
D low coupling
Correct answer- D

Which type of virus installs itself under the anti-virus system and intercepts any calls that the anti-virus system makes to the operating system?
A script virus
B tunneling virus
C boot sector virus
D meme virus
Correct answer- B

Which statement correctly defines dynamic data exchange (DDE)?
A DDE allows multiple applications to share and exchange the same set of data.
B DDE is an interface to link information between various databases.
C DDE is a graphical technique that is used to track the progress of a project over a period of time.
D DDE is a software interface that enables communication between an application and a database.
Correct answer- A

How does an ActiveX component enforce security?
A by using sandboxes
B by using object codes
C by using macro languages
D by using Authenticode
Correct answer- D

Which statements are true regarding software process assessments? Choose TWO:
A They develop an action plan for continuous process improvement.
B They identify contractors who are qualified to develop software or to monitor the state of the software process in a current software project.
C They determine the state of an organization's current software process and are used to gain support from within the organization for a software process improvement program.
D They develop a risk profile for source selection.
Correct answer- AC

What is the best description of CAPI?
A an application programming interface that uses two-factor authentication
B an application programming interface that provides encryption
C an application programming interface that uses Kerberos
D an application programming interface that provides accountability
Correct answer- B

Your company decides you must purchase a new software product to help the marketing staff manage their marketing campaigns and resources. During which phase of the software acquisition process is the product actually deployed?
A Planning phase
B Monitoring phase
C Maintaining phase
D Contracting phase
Correct answer- B

What is the definition of polymorphism?
A the ability to suppress superfluous details so that the important properties can be examined
B when different objects respond to the same command or input in different ways
C the process of categorizing objects that will be appropriate for a solution
D representation of a real-world problem
Correct answer- B

What is another name for an asynchronous attack?
A time-of-check/time-of-use (TOC/TOU) attack
B race condition
C maintenance hook
D buffer overflow
Correct answer- A

Which virus is written in Visual Basic (VB) and is capable of infecting operating systems?
A stealth virus
B self-garbling virus
C polymorphic virus
D macro virus
Correct answer- D

Which statement correctly defines spamming attacks?
A sending spoofed packets with the same source and destination address
B sending multiple spoofed packets with the SYN flag set to the target host on an open port
C repeatedly sending identical e-mails to a specific address
D using ICMP oversized echo messages to flood the target computer
Correct answer- C

What is an example of privilege escalation?
A gaining access to a restricted file by changing the permissions of your valid account
B gaining access to a restricted file by using a Trojan horse
C gaining access to a system by impersonating a user to obtain his credentials
D gaining access to a system by using another user's credentials
Correct answer- A

A hacker has used a design flaw in an application to obtain unauthorized access to the application. Which type of attack has occurred?
A buffer overflow
B backdoor
C escalation of privileges
D maintenance hook
Correct answer- C

During the recent development of a new application, the customer requested a change. You must implement this change according to the change control process. What is the first step you should implement?
A Analyze the change request.
B Submit the change results to the management.
C Acquire management approval.
D Record the change request.
Correct answer- A

Which interface language is an application programming interface (API) that can be configured to allow any application to query databases?
A JDBC
B XML
C OLE DB
D ODBC
Correct answer- D

Which type of channel is used when one process writes data to a hard drive and another process reads it?
A covert storage channel
B overt storage channel
C overt timing channel
D covert timing channel
Correct answer- A

Which type of malicious attack uses Visual Basic scripting?
A dumpster diving attack
B denial of service attack
C Trojan horse attack
D social engineering attack
Correct answer- C

All of the following are countermeasures for session management attacks, EXCEPT:
A Implement pre- and post-validation controls.
B Encrypt cookies that include information about the state of the connection.
C Implement time stamps or time-based validation.
D Implement randomized session IDs.
Correct answer- A

Which tool assists in application development design layout as a part of the application development life cycle?
A Aggregation
B Delphi
C Spiral
D CASE
Correct answer- D

What is a characteristic of maintaining logs in a system?
A Logging provides access control by authenticating user credentials.
B Logging helps an administrator to detect security breaches and vulnerable points in a network.
C Logging provides audit trails but enhances security violations.
D Logging prevents security violations but only deals with passive monitoring.
Correct answer- B

Your company has purchased an expert system that uses if-then-else reasoning to obtain more data than is currently available. Which expert system processing technique is being implemented?
A forward-chaining technique
B backward-chaining technique
C waterfall model
D spiral model
Correct answer- A

Which type of malicious code is hidden inside an otherwise benign program when the program is written?
A worm
B logic bomb
C Trojan horse
D virus
Correct answer- C

Which statement is true of a software development life cycle?
A Parallel testing verifies whether more than one system is available for redundancy.
B A software programmer should be the only person to develop the software, test it, and submit it to production.
C Unit testing should be performed by the developer and the quality assurance team.
D Workload testing should be performed while designing the functional requirements.
Correct answer- C

Your organization has several diskless computer kiosks that boot via optical media located in the office lobby. Recently, users reported that the diskless computers have been infected with a virus. What should you do to ensure the virus is removed?
A Launch an anti-virus program on the diskless computers via a USB flash drive.
B Remotely launch an anti-virus program on the diskless computers.
C Reboot the server to which the diskless computers connect.
D Reboot the diskless computers.
Correct answer- D

Your company implements several databases. You are concerned with the security of the data in the databases.
Which statement is correct for database security?
A Data control language (DCL) implements security through access control and granular restrictions.
B Bind variables provide access control through implementing granular restrictions.
C Data manipulation language (DML) implements access control through authorization.
D Data identification language implements security on data components.
Correct answer- A

Which statement is true of a salami attack?
A type of passive attack.
B social engineering technique.
C not an example of data diddling.
D involves stealing small amounts of money from multiple accounts.
Correct answer- D

Your company decides that a new software product must be purchased to help the marketing staff manage their marketing campaigns and the resources used. During which phase of the software acquisition process do you document the software requirements?
A Monitoring phase
B Maintaining phase
C Planning phase
D Contracting phase
Correct answer- C

You have been tasked with the development of a new application for your organization. You are engaged in the project initiation phase. Which activity should you implement during this phase?
A certification and accreditation
B defining formal functional baseline
C functionality and performance tests
D identification of threats and vulnerabilities
Correct answer- D

Which Web browser add-in uses Authenticode for security?
A Common Gateway Interface (CGI)
B ActiveX
C Cross-site scripting (XSS)
D Java
Correct answer- B

Which statement correctly defines the multipart virus?
A multipart virus is coded in macro language.
B multipart virus can change some of its characteristics while it replicates.
C multipart virus can hide itself from antivirus software by distorting its code.
D multipart virus can infect both executable files and boot sectors of hard disk drives.
Correct answer- D

Which malicious software relies upon other applications to execute and infect the system? Each correct answer represents a complete solution. Choose two.
A worm
B logic bomb
C Trojan horse
D virus
Correct answer- CD

What is the primary function of COCOMO?
A cost estimation
B time estimation
C risk estimation
D threat analysis
Correct answer- A

You have implemented a new network for a customer. Management has requested that you implement anti-virus software that is capable of detecting all types of malicious code, including unknown malware. Which type of anti-virus software should you implement?
A heuristic detection
B behavior blocking
C immunization
D signature-based detection
Correct answer- A

During a recent security assessment, you discover that a computer on your network has been compromised. An application has been inadvertently installed on the computer. This application allows a criminal to use the compromised computer to carry out an attack. What is the term for this compromised computer?
A victim
B botnet
C bot
D zombie
Correct answer- D

Recently, your company's file server was the victim of a hacker attack. After researching the attack, you discover that multiple computers were used to implement the attack, which eventually caused the file server to overload. Which attack occurred?
A ping of death attack
B land attack
C distributed denial-of-service (DDoS) attack
D denial-of-service (DoS) attack
Correct answer- C

Which pair of processes should be separated from each other to manage the stability of the test environment?
A testing and validity
B testing and development
C validity and production
D validity and security
Correct answer- B

A custom application is used to manage your company's human resources files. A manager reports that certain users are able to perform actions that should not be permitted. When you research this issue, you discover that the users have been granted an inappropriate permission.
Which type of security threat has occurred?
A privilege escalation
B virus
C logic bomb
D worm
Correct answer- A

After a software development project is completed, management decides to reassign its physical resources, after first ensuring that there is no residual data left on the medium. Which term is used to describe this practice?
A dynamic data exchange
B polymorphism
C metadata
D object reuse
Correct answer- D

Your organization has recently implemented an artificial neural network (ANN). The ANN enabled the network to make decisions based on the experience provided to it. Which characteristic of the ANN is described?
A adaptability
B fault tolerance
C neural integrity
D retention capability
Correct answer- A

What is used in evolutionary computing?
A characteristics of living organisms
B knowledge from an expert
C mathematical or computational models
D genetic algorithms
Correct answer- D

Which statement correctly defines the object-oriented database model?
A The relationship between data elements is in the form of a logical tree.
B It is a hybrid between relational and object-based databases.
C It logically interconnects remotely located databases.
D It can store data that includes multimedia clips, images, video, and graphics.
Correct answer- D

You need to view events on host name registrations. Which log in Event Viewer should you view?
A Security
B System
C DNS
D Application
Correct answer- C

A developer has requested a particular change in the configuration of a file server. Which step should occur next in the change process if a change control policy is in place?
A Document the change.
B Approve the change.
C Implement the change.
D Test the change.
Correct answer- A

An organization's Web site includes several Java applets. The Java applets include a security feature that limits the applet's access to certain areas of the Web user's system. How does it do this?
A by using macro languages
B by using digital and trusted certificates
C by using sandboxes
D by using object codes Correct answer- C

Which statement correctly defines the capability maturity model in the context of software development?

A It is a model based on conducting reviews and documenting the reviews in each phase of the software development cycle.
B It is a model based on analyzing the risk and building prototypes and simulations during the various phases of the software development cycle.
C It is a model that describes the principles, procedures, and practices that should be followed in the software development cycle.
D It is a formal model based on the capacity of an organization to cater to projects. Correct answer- C

What is the process of ensuring the corporate security policies are carried out consistently?

A auditing
B social engineering
C footprinting
D scanning Correct answer- A

Your organization uses a relational database to store customer contact information. You need to modify the schema of the relational database. Which component identifies this information?

A data definition language (DDL)
B query language (QL)
C data control language (DCL)
D data manipulation language (DML) Correct answer- A

You work for a company that creates customized software solutions for customers. Recently, a customer has requested that your company provide a software escrow. What is the purpose of this request?

A to provide a software vendor's source code in the event the vendor goes out of business
B to ensure that appropriate software licenses exist
C to provide an account to purchase software licenses
D to provide a backup copy of all software used by your company Correct answer- A

Your organization has a fault-tolerant, clustered database that maintains sales records. Which transactional technique is used in this environment?

A ODBC
B OLE DB
C OLTP
D data warehousing Correct answer- C

Which function is provided by remote procedure call (RPC)?
A allows the execution of individual routines on remote computers across a network.
B identifies components within a distributed computing environment (DCE).
C provides code that can be transmitted across a network and executed remotely.
D provides an integrated file system that all users in the distributed environment can share. Correct answer- A

During a software development project, you need to ensure that the periodic progress of the project is monitored appropriately. Which technique(s) can be used?

a. Gantt charts
b. Unit testing
c. Delphi technique
d. Program Evaluation Review Technique charts
e. Prototype Evaluation Review Technique charts

A option d
B option e
C options a and b only
D options c and d only
E options c and e only
F options a and d only
G option a
H option b
I option c Correct answer- F

Which statement is true of data diddling?

A Data diddling is associated with the outsiders in an organization.
B Data diddling is used to extract sensitive information regarding employees.
C Data diddling refers to manipulation of the input data in an application.
D A salami attack is not an example of data diddling. Correct answer- C

Which type of virus is specifically designed to take advantage of the extension search order of an operating system?

A resident
B nonresident
C boot sector replication
D companion Correct answer- D

During the application development life cycle, your team performs testing to debug the code instructions. Which software testing method is the team using?

A vertical testing
B blue-box testing
C perpendicular testing
D unit testing Correct answer- D

Which security threat is a software application that displays advertisements while the application is executing?

A adware
B worm
C spyware
D virus Correct answer- A

What is an agent in a distributed computing environment?
A protocol that encodes messages in a Web service setup
B identifier used to uniquely identify users, resources, and components within an environment
C program that performs services in one environment on behalf of a principal in another environment
D the middleware that establishes the relationship between objects in a client/server environment Correct answer- C

You are developing a new software application for a customer. The customer is currently defining the application requirements. Which process is being completed?

A abstraction
B sampling
C prototyping
D interpretation Correct answer- C

An attacker is in the process of making an unauthorized change to some data in your database. You need to cancel any database changes from the transaction and return the database to its previous state. Which database operation should you use?

A savepoint
B checkpoint
C rollback
D commit Correct answer- C

Which extensions are used for naming batch files in a Microsoft environment?

a. bat
b. cmd
c. dll
d. exe

A option d
B option c
C option b
D option a
E options a and b only
F options c and d only
G options b and c only Correct answer- E

Which statement correctly describes a Trojan horse?

A modifies IP addresses in an IP packet to imitate an authorized source.
B To be executed, it depends upon other programs.
C social engineering technique.
D embeds malicious code within useful utilities. Correct answer- D

You need to ensure that data types and rules are enforced in the database. Which type of integrity should be enforced?

A entity integrity
B semantic integrity
C cell suppression
D referential integrity Correct answer- B

Which statement is true of programming languages?

A The compiler translates one command at a time.
B Assemblers translate assembly language into machine language.
C A high-level programming language requires more time to code instructions.
D High cohesion and high coupling represent the best programming.
Correct answer- B

Recently, an attacker injected malicious code into a Web application on your organization's Web site. Which type of attack did your organization experience?

A buffer overflow
B cross-site scripting
C path traversal
D SQL injection Correct answer- B

Which type of virus is specifically designed to infect programs as they are loaded into memory?

A companion
B nonresident
C resident
D boot sector replication Correct answer- C

Which spyware technique inserts a dynamic link library into a running process's memory?

A SMTP open relay
B DLL injection
C cookies
D buffer overflow Correct answer- B

What is responsible for preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information?

A Integrity
B Availability
C Authorization
D Confidentiality Correct answer- D

Which concept in the software life cycle understands the potential security threats to the system, determines risk, and establishes appropriate mitigations?

A Penetration testing
B Threat modeling
C Attack surface validation
D Vulnerability assessment Correct answer- B

The majority of __________ against software __________ some vulnerability or weakness in that software; these terms are often used interchangeably.

A attacks, exploit
B malware, flaw
C threats, hack
D mitigations, remediate Correct answer- A

What are two attributes which complement each other and enhance overall software product integrity and market value?

A Open source, closed source
B Proprietary, shared
C Quality, security
D Reliability, usability Correct answer- C

__________ and __________ are the two properties that support confidentiality as one ensures users have the appropriate role and privilege to view data, and the other ensures users are who they claim to be and that the data come from the appropriate place.
A Authorization, authentication
B Availability, authenticity
C Access, authorization
D Asymmetry, access Correct answer- A

What is responsible for ensuring timely and reliable access to and use of information?

A Authorization
B Confidentiality
C Integrity
D Availability Correct answer- D

What is responsible for guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity?

A Availability
B Integrity
C Confidentiality
D Authorization Correct answer- B

Developers must take the time to code __________, and eradicate __________ security flaw before the code goes into production.

A efficiently, the most common
B quickly, the least possible
C cleanly, every possible
D slowly, the most prevalent Correct answer- C

____________ security is about building secure software: designing software to be secure; making sure that software is secure; and educating software developers, architects, and users about how to "build security in". ______________ security is about protecting software and the systems that software runs on post facto, only after development is complete. Correct answer- Software, Application

___________ modeling and ____________ surface validation are perhaps the most time-consuming, misunderstood, and difficult parts of the SDL. This requires the attention of the most seasoned and experienced person of the software security team: the software security architect. Correct answer- Threat, attack

Which concept in the software lifecycle understands the potential security threats to the system, determines risk, and establishes appropriate mitigations?

A Threat modeling
B Attack surface validation
C Vulnerability assessment
D Penetration testing Correct answer- A

__________ software is a way to envision the interactions of the proposed software within its intended environment.
A Analyzing
B Validating
C Modeling
D Pentesting Correct answer- C

The most well-known SDL model is the __________, a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. This is considered the most mature of the top three models.

A OWASP Security Development Lifecycle
B Cisco Secure Development Lifecycle
C Trustworthy Computing Security Development Lifecycle
D Cigital Software Security Touchpoints model Correct answer- C

The __________ is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time.

A BSIMM
B CSDL
C OWASP
D SAMM Correct answer- A

The ISO/IEC __________ standard provides guidance to help organizations embed security within their processes, including application lifecycle processes, that help to secure applications running in the environment.

A 27034
B SDLC
C 17799
D 27001 Correct answer- A

__________ is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services.

A BSI
B NCSD
C SAFECode
D SDLC Correct answer- C

What is a black-box software testing technique that can be automated and provides invalid, unexpected, or random data to the inputs of a computer software program?

A Fuzzing
B Scratching
C Static program analysis
D Dynamic program analysis Correct answer- A

What is the analysis of computer software that is performed without executing programs?

A Dynamic program analysis
B Scratching
C Static program analysis
D Fuzzing Correct answer- C

__________ is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time.
A Static program analysis
B Scratching
C Dynamic program analysis
D Fuzzing Correct answer- C

The __________ requires that in a particular abstraction layer of a computing environment, every module must be able to access only the information and resources that are necessary for its legitimate purpose.

A software assurance forum
B principle of least privilege
C software security maturity model
D secure development lifecycle Correct answer- B

__________ is an important component of the SDL process and should be considered a system design principle of significant importance in all phases of the SDLC. A failure to protect it will lead to an erosion of trust.

A Authenticity
B Privacy
C Confidentiality
D Integrity Correct answer- B

A __________ is a team solely dedicated to conducting security M&A assessments, third-party reviews, post-release certifications, internal reviews for new product combinations or cloud deployments, and reviews of legacy software that is still in use or about to be re-used.

A PSIRT
B SDLC
C NCSD
D SAMATE Correct answer- A

The __________ is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems.

A NCSD
B SAMATE
C CVE
D SDLC Correct answer- C

_____________ requirements describe what an application must do to serve a business need. For example, an application must be able to allow a consumer to complete their transaction on the site using a credit card. Correct answer- Functional

______________ requirements address how well the functional requirements are met, or to put it another way, they constrain the functional requirements to specified operating ranges. They address areas such as capacity planning, uptime, response times, maintainability, and portability (web, mobile, etc.). Think of them like guardrails on a highway: you are free to operate on the road within the boundaries of the guardrails.
Correct answer- Nonfunctional

The __________ meeting is essentially an SDL kick-off meeting where the key SDLC stakeholders get on the same page at the beginning of the process so that security is built in rather than bolted on post-release.

A kickoff
B discovery
C planning
D hotwash Correct answer- B

The SDL __________ should outline security milestones based on the information gained during the previous phase and integrate them into the overall SDLC schedule to allow proper preparation as changes occur.

A discovery meeting
B project plan
C metrics
D impact assessment Correct answer- B

It is important in __________ meetings, when the software security team is included, to ensure that security is a key element of the SDLC and is built into the process.

A hot wash
B discovery
C kick-off
D planning Correct answer- C

Which requirements describe what an application must do to serve a business need?

A Fictional requirements
B Nonfictional requirements
C Functional requirements
D Nonfunctional requirements Correct answer- C

Which requirements address how well the requirements are met or constrain the requirements to specified operating ranges?

A Functional requirements
B Nonfunctional requirements
C Fictional requirements
D Nonfictional requirements Correct answer- B

The setting of the __________ for any SDL phase will make it more effective and will help in performing a post-mortem afterwards to understand what worked and what did not.

A discovery meeting
B project plan
C key success factors
D impact assessment Correct answer- C

Unless the senior leadership of the development organization and the management team support the SDL, it will likely fail. It must be driven by a policy that is signed off on, promulgated, and supported by the software development management team and ideally by the CEO. (True or False)

A False
B True Correct answer- B

What are these known as?
Steps:
1) Identify security objectives
2) Survey the application
3) Decompose it
4) Identify threats
5) Identify vulnerabilities Correct answer- The 5 steps of the threat risk modeling process

The diagram produced in this stage of the threat modeling process is called a(n) __________ with focus on how data moves through the software solution and what happens to the data as it moves.

A Data Flow Diagram (DFD)
B TFT
C STRIDE
D MITM Correct answer- A

STRIDE: Threat action designed to illegally access and use another user's credentials, such as username and password. Property violated: Authentication. Also known as ___________________. Correct answer- Spoofing

STRIDE: Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. Property violated: Integrity. Also known as __________________. Correct answer- Tampering

STRIDE: Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations. Property violated: Nonrepudiation. Also known as _________________. Correct answer- Repudiation

STRIDE: Threat action to read a file that one was not granted access to, or to read data in transit. Property violated: Confidentiality. Also known as _____________________. Correct answer- Information disclosure

STRIDE: Threat aimed to deny access to valid users, such as by making a Web server temporarily unavailable or unusable. Property violated: Availability. Also known as _____________________. Correct answer- Denial of service

STRIDE: Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system. Property violated: Authorization. Also known as ____________________. Correct answer- Elevation of privilege

The increasing trend in the software industry to draw on the strengths of various types of software to deliver the highest value at the lowest cost is called __________.
A mixed source
B shareware
C proprietary
D open source Correct answer- A

The __________ phase determines how PII will be handled to ensure that it conforms to applicable legal, regulatory, and policy requirements regarding privacy.

A threat
B compliance
C analysis
D selection Correct answer- C

Which exercise requires a special set of skills, experience, and mindset, and requires the team to think like an adversary?

A Security modeling
B Exploit modeling
C Vulnerability modeling
D Threat modeling Correct answer- D

Which artifact lists software requirements and business risks mapped to the three pillars of information security?

A Formal business requirement
B Informal business requirement
C Formal compliance requirement
D Informal security requirement Correct answer- A

Which assessment requires an extensive review that will be conducted by your software security architect, a third party, or a combination of both?

A Compliance assessment
B Security assessment
C Quality assessment
D Policy assessment Correct answer- B

During this phase, any policy that exists outside the domain of the SDL policy is reviewed and might include policies from outside the development organization that set security and privacy requirements and guidelines to be adhered to when developing software or applications. What is this phase?

A Policy compliance analysis
B Policy compliance assessment
C Policy requirements assessment
D Policy compliance review Correct answer- A

The __________________ principle requires that completion of a specified sensitive activity or access to sensitive objects is dependent on the satisfaction of multiple conditions. It forces collusion among entities in order to compromise the system. Correct answer- Separation of duties

___________ means that if a system fails, it should fail to a state where the security of the system and its data are not compromised.
In the situation where system recovery is not done automatically, the failed system should permit access only by the system administrator and not by users, until security controls are reestablished. Correct answer- Fail safe

_________________ promotes simple and comprehensible design and implementation of protection mechanisms, so that unintended access paths do not exist or can be readily identified and eliminated. Correct answer- Economy of mechanism

_____________ is where every request by a subject to access an object in a computer system must undergo a valid and effective authorization procedure. Correct answer- Complete mediation

_________ means that designs open to scrutiny by the community at large are preferred over designs that are kept secret, because the protection must not depend on the design staying hidden. Correct answer- Open design

_______________ states that a minimum number of protective mechanisms should be common to multiple users, as shared access paths can be sources of unauthorized information exchange. Shared access paths that provide unintentional data transfers are known as covert channels. It promotes the least possible sharing of common security mechanisms. Correct answer- Least common mechanism

Which risk describes the feature, product, or service that stores or transfers personally identifiable information (PII), changes settings or file type associations, or installs software?

A Low Privacy Risk
B No Privacy Risk
C High Privacy Risk
D Moderate Privacy Risk Correct answer- C

__________ is the application of multiple layers of protection, such that a subsequent layer will provide protection if a previous layer is breached.

A Least privilege
B Separation of duties
C Defense in depth
D Fail safe policy Correct answer- C

A __________ means that if a system ceases to function, it moves to a state where the security of the system and its data are not compromised.
A fail safe policy
B least privilege
C separation of duties
D defense in depth Correct answer- A

An element of security testing is to identify software weaknesses so that security violations and noncompliance with security requirements, which could cause the software to fail or be out of compliance with any of the software security requirements, are avoided. (True or False)

A False
B True Correct answer- B

During phase __________, any policy that exists outside the domain of the SDL policy is reviewed and may include policies from outside the development organization.

A A3
B A4
C A1
D A2 Correct answer- B

_____________ tests emphasize the personal freedom and responsibility of the individual tester to continually optimize the quality of his or her work by treating test-related learning, test design, test execution, and test result interpretation as mutually supportive activities that run in parallel throughout the project. Correct answer- Exploratory

What are these?

Steps:
1 Identify security code review objectives
2 Perform preliminary scan
3 Review code for security issues
4 Review for security issues unique to the architecture Correct answer- Techniques of Code Review

The basic design of a product may contain flaws, so it should be noted that some coding errors that may affect product reliability are actual vulnerabilities. (True or False)

A False
B True Correct answer- A

______________________ are typically done as a line-by-line inspection of the software to determine any security vulnerabilities in the software product. This will include a thorough review of programming ____________ of multitier and multicomponent enterprise software products. Correct answer- Manual security code reviews, source code

The __________ goal of the security code review process is to improve the overall security of the product and to provide output that can be used by the development team to make changes or mitigations that will achieve improved software product security.
A second
B initial
C final
D third Correct answer- C

What is one advantage of dynamic code analysis?

A Automated tools produce false positives and false negatives
B Automated tools provide a false sense of security that everything is being addressed
C Automated tools provide flexibility on what to scan for
D Automated tools are only as good as the rules they are using to scan with Correct answer- C

What is the appropriate test-type category performed on a software product and its associated system(s) to compare estimates to actual results?

A Benchmarks
B Transitional
C Exploratory
D Scheduled Correct answer- A

SDL __________ covers all projects that have meaningful security and privacy risks and is analyzed in each phase and updated to cover new threats and practices.

A process improvement
B standards adherence
C best practice
D policy compliance Correct answer- D

__________ is a white-box security analysis of a software system to simulate the actions of a hacker, with the objective of uncovering potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses.

A Vulnerability scanning
B Penetration testing
C Code analysis
D Fuzzing Correct answer- B

What are these?

Steps:
1 Assess
2 Identify
3 Evaluate & Plan
4 Deploy Correct answer- Phase process minimum requirements for penetration testing

The metrics to be collected during the Ship (A5) phase of the SDL are limited to the number, type, and severity of security issues found through vulnerability scanning and penetration testing. (True or False)

A True
B False Correct answer- B

Open-source software is free and it increases innovation, efficiency, and competitiveness for software product development.

A True
B False Correct answer- B

What is the first in the four-phase process to achieve the minimum requirements for penetration testing?
A Assess
B Deploy
C Identify
D Evaluate and Plan Correct answer- A

What is the first in the four-step process for the final product security review?

A Evaluate and plan for remediation
B Release and ship
C Identify feature eligibility
D Assess resource availability Correct answer- D

What is described as an evangelist for the overall software product security program: promulgating policy, enforcing policy, and evangelizing the overall SDL process?

A SSC
B SSE
C SES
D SSD Correct answer- B

In relation to software security, a(n) __________ is responsible for responding to software product security incidents involving external discoveries of post-release software product security vulnerabilities.

A CIRT
B PSIRT
C GCIH
D CERT Correct answer- B

Which two International Organization for Standardization (ISO) standards relate to the proper functioning of a vendor PSIRT?

A 14000; 14001
B 9000; 9001
C 29147; 30111
D 9001; 14001 Correct answer- C

Which example of security or privacy certification or standard applies to healthcare?

A FISMA
B FIPS
C DIACAP
D HIPAA Correct answer- D

What requires a communication cadence with customers that should be formalized and published so that everyone in the company is aware of it and can invoke it if needed?

A External vulnerability disclosure response process
B Post-release certifications
C Third-party security reviews
D Security strategy for legacy code, M&A, and EOL plans Correct answer- A

What consists of multiple security assessments from independent parties?

A Third-party security reviews
B Security strategy for legacy code, M&A, and EOL plans
C Post-release certifications
D External vulnerability disclosure response process Correct answer- A

Which path illustrates the flow of activities through the SDL?

A Architect ⇒ Test ⇒ Code ⇒ Design
B Code ⇒ Design ⇒ Architect ⇒ Test
C Design ⇒ Architect ⇒ Code ⇒ Test
D Architect ⇒ Design ⇒ Code ⇒ Test Correct answer- D

What is one of the most well-known sets of security design principles as defined by OWASP?
A Trust infrastructure
B Trust services
C Fail securely
D Keep security complex Correct answer- C

What are advantages of dynamic analysis?

A Can only be conducted on custom applications
B Permits validating static code analysis findings
C Requires the analysis of applications for which you have access to the actual code
D Restricts the collection of temporal information Correct answer- B

In an ___________ process, everyone is involved in security. Security personnel mustn't toss security "over the wall" and expect secure results. Development teams will likely perceive such a toss as an interjection into the work with which they're already tasked. Correct answer- Agile

Requirements and architecture as a front-end process to Agile cycles is also known as __________.

A dashes
B sprints
C pushes
D rushes Correct answer- B

What is the first step in the architecture task flow for when a project is new or a redesign?

A Test Plan
B Design Review
C Architecture Assessment
D Threat Model Correct answer- C

What is one principle that should be used during the development of software as defined by software security expert Gary McGraw?

A Share mechanisms
B Make security invisible
C Assume your secrets are safe
D Grant least privilege Correct answer- D

_______________ cyber threats are typically surgical by nature, have highly specific targeting, and are technologically sophisticated. Correct answer- Tactical

____________ software attacks are highly repeatable, use general targeting against a broad industry (e.g., military, finance, energy) or groups of individuals (e.g., politicians, executives), and must have long-term staying power. HINT: They are less sophisticated in comparison to TACTICAL threats and typically are lower in cost to develop and maintain. Correct answer- Strategic

Which of the four basic steps is considered a new defense concept to combat cyberattacks as defined by the U.S. Department of Defense?
A Implement industry standard defense operating concepts and computing architectures
B Employ a passive cyber defense capability to prevent intrusions
C Utilize current cyber best practices to improve cyber security
D Deter and mitigate insider threats Correct answer- D

The __________ standard defines application security as a process that an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them.

A ISO 27034
B ISO 13485
C ISO 9001
D ISO 31000 Correct answer- A

Post-release support (PRSA1-5) is typically conducted by your internal organization.

A True
B False Correct answer- B

What is a concern of security in third-party software?

A Secure development environment
B Security implanted during development
C Digital "aluminum foil"
D Untrusted distributions of software Correct answer- A

A disadvantage of using third-party software is inflexibility.

A True
B False Correct answer- A

Which term is used for software in government systems?

A COTS
B NOTS
C GOTS
D LOTS Correct answer- C

What is a challenge of using proprietary software?

A Proprietary format
B Open source nature
C Decreased license fees
D No End of Support Correct answer- A

What is one disadvantage to outsourcing software development to a third party?

A Tailored to business needs
B Experience with technology
C Ownership of code
D Available skilled resources Correct answer- C

Which of the following is a consideration when evaluating vendors?

A Social Media Policy
B Priority Awareness
C Accreditation
D Certification Correct answer- D

Which of the following represents an example of a vendor customization?

A Reporting components
B Incompatibility with other systems
C Access control inadherence
D Privacy regulation avoidance Correct answer- A

____________ is to provide assurance to management of the effectiveness of the security program and compliance with regulations.
Correct answer- Role of Audit

Which of the following is an important criterion in choosing a vendor to purchase a product?

A Cost
B Repudiation
C Lateralization
D Unqualified staff Correct answer- A

Cost and warranty are not considerations when comparing outsourced or in-house vendor support.

A True
B Fal
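The fuzzing, static-analysis and dynamic-analysis questions above only define the terms. The following added example (not course material and not code from the original page) shows what a black-box mutation fuzzer actually does: it mutates a valid seed input, feeds each mutant to the program under test, and treats any exception other than the parser's documented rejection as a finding. The target `parse_tlv` is a constructed tag-length-value parser with a deliberately missing bounds check; `parse_tlv_fixed` is the hardened form. The seed bytes, function names and the 2000-iteration budget are assumptions of the example.

```python
import random


def parse_tlv(data: bytes) -> list:
    """Constructed TLV parser with a deliberate bug: the declared length is
    never checked against the remaining buffer (assumption for this example)."""
    records = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")  # documented rejection
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        # BUG: when the buffer is shorter than `length`, value[length - 1]
        # is out of range and an unhandled IndexError escapes the parser.
        last_byte = value[length - 1] if length else 0
        records.append((tag, value, last_byte))
        i += 2 + length
    return records


def parse_tlv_fixed(data: bytes) -> list:
    """Hardened form: a declared length that overruns the buffer is rejected."""
    records = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("declared length exceeds buffer")
        value = data[i + 2:i + 2 + length]
        last_byte = value[length - 1] if length else 0
        records.append((tag, value, last_byte))
        i += 2 + length
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a valid seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "set", "truncate", "append"))
        if op == "flip" and data:
            pos = rng.randrange(len(data))
            data[pos] ^= 1 << rng.randrange(8)
        elif op == "set" and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == "truncate" and len(data) > 1:
            del data[rng.randrange(1, len(data)):]
        else:
            data += bytes(rng.randrange(256) for _ in range(rng.randint(1, 4)))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Black-box fuzz loop: the target is observed only through exceptions.
    ValueError is the expected rejection; anything else is recorded as a crash."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:  # a crash is exactly the signal we want
            findings.append((case, type(exc).__name__))
    return findings


# Constructed valid seed: tag 1 with value b"abc", then tag 2 with value b"z".
SEED = b"\x01\x03abc\x02\x01z"

if __name__ == "__main__":
    crashes = fuzz(parse_tlv, SEED)
    sample = crashes[0] if crashes else None
    print(f"vulnerable parser: {len(crashes)} crashing inputs, e.g. {sample}")
    print(f"fixed parser:      {len(fuzz(parse_tlv_fixed, SEED))} crashing inputs")
```

The point a practitioner should take from the run is the asymmetry: the fuzzer knows nothing about the format, yet truncating the seed or bumping a length byte is enough to drive the unchecked read. The same loop against `parse_tlv_fixed` reports nothing, which is the regression check to keep after the fix.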
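The STRIDE entries above pair each threat category with the security property it violates, and the threat-modeling steps call for decomposing the application into a data flow diagram. As an added example (not course material and not code from the original page), the following applies STRIDE per element to a small DFD of the credit-card checkout used in the functional-requirements question: each DFD element type is susceptible only to certain categories (the Microsoft SDL STRIDE-per-element chart), and flows that cross a trust boundary are listed first because that is where attacker-controlled input enters. The DFD elements, zone names, the `holds_logs` flag and the `crosses_boundary` field are assumptions of the example.

```python
from dataclasses import dataclass

# STRIDE-per-element: which threat categories apply to each DFD element type
# (Microsoft SDL threat modeling chart). A data store only gets Repudiation
# when it holds audit/log data, modelled below with a flag.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}

# STRIDE letter -> (threat category, security property it violates)
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # a key of STRIDE_PER_ELEMENT other than "data_flow"
    zone: str                 # trust zone the element lives in (assumption)
    holds_logs: bool = False  # data stores with audit logs also get Repudiation


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    violates: str
    crosses_boundary: bool


def enumerate_threats(elements, flows):
    """Produce one Threat per (element, applicable STRIDE category)."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        letters = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.holds_logs:
            letters += "R"
        for letter in letters:
            cat, prop = STRIDE[letter]
            threats.append(Threat(e.name, cat, prop, False))
    for f in flows:
        crosses = by_name[f.src].zone != by_name[f.dst].zone
        for letter in STRIDE_PER_ELEMENT["data_flow"]:
            cat, prop = STRIDE[letter]
            threats.append(Threat(f"{f.src} -> {f.dst} ({f.name})", cat, prop, crosses))
    # Boundary-crossing flows are reviewed first; the rest in a stable order.
    threats.sort(key=lambda t: (not t.crosses_boundary, t.element, t.category))
    return threats


# Constructed DFD for a card checkout (example assumption, not from the course).
ELEMENTS = [
    Element("Customer browser", "external_entity", "internet"),
    Element("Checkout web app", "process", "internal"),
    Element("Orders DB", "data_store", "internal", holds_logs=True),
    Element("Card processor", "external_entity", "third_party"),
]
FLOWS = [
    Flow("HTTPS form post", "Customer browser", "Checkout web app"),
    Flow("SQL over TLS", "Checkout web app", "Orders DB"),
    Flow("Payment API call", "Checkout web app", "Card processor"),
]


def threat_summary(elements=ELEMENTS, flows=FLOWS) -> dict:
    """Counts a reviewer sanity-checks before walking the full list."""
    threats = enumerate_threats(elements, flows)
    return {
        "total": len(threats),
        "boundary_crossing": sum(t.crosses_boundary for t in threats),
        "elevation_targets": sorted({t.element for t in threats
                                     if t.category == "Elevation of privilege"}),
    }


if __name__ == "__main__":
    for t in enumerate_threats(ELEMENTS, FLOWS):
        flag = "*" if t.crosses_boundary else " "
        print(f"{flag} {t.element:48} {t.category:24} violates {t.violates}")
    print(threat_summary())
```

Only the process receives Elevation of privilege and no data flow receives Spoofing, which is the chart doing its job: it stops the team from pasting all six categories onto every box and instead points at the components where each mitigation belongs.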

Show more Read less
Institution
Course

Content preview

WGU Master's Course C706 - Secure
Software Design

Which due diligence activity for supply chain security should occur in the initiation phase
of the software acquisition life cycle?

A Developing a request for proposal (RFP) that includes supply chain security risk
management
B Lessening the risk of disseminating information during disposal
C Facilitating knowledge transfer between suppliers
D Mitigating supply chain security risk by providing user guidance Correct answer- A

Which due diligence activity for supply chain security investigates the means by which
data sets are shared and assessed?

A on-site assessment
B process policy review
C third-party assessment
D document exchange and review Correct answer- D

Consider these characteristics:

-Identification of the entity making the access request
-Verification that the request has not changed since its initiation
-Application of the appropriate authorization procedures
-Reexamination of previously authorized requests by the same entity

Which security design analysis is being described?

A Open design
B Complete mediation
C Economy of mechanism
D Least common mechanism Correct answer- B

Which software security principle guards against the improper modification or
destruction of information and ensures the nonrepudiation and authenticity of
information?

A Quality
B Integrity
C Availability
D Confidentiality Correct answer- B

What type of functional security requirement involves receiving, processing, storing,
transmitting, and delivering in report form?

A Logging
B Error handling
C Primary dataflow
D Access control flow Correct answer- C

Which nonfunctional security requirement provides a way to capture information
correctly and a way to store that information to help support later audits?

A Logging
B Error handling
C Primary dataflow
D Access control flow Correct answer- A

Which security concept refers to the quality of information that could cause harm or
damage if disclosed?

A Isolation
B Discretion
C Seclusion
D Sensitivity Correct answer- D

Which technology would be an example of an injection flaw, according to the OWASP
Top 10?

A SQL
B API
C XML
D XSS Correct answer- A

A company is creating a new software to track customer balance and wants to design a
secure application.

Which best practice should be applied?

A Develop a secure authentication method that has a closed design
B Allow mediation bypass or suspension for software testing and emergency planning
C Ensure there is physical acceptability to ensure software is intuitive for the users to do
their jobs
D Create multiple layers of protection so that a subsequent layer provides protection if a
layer is breached Correct answer- D

A company is developing a secure software that has to be evaluated and tested by a
large number of experts.

Which security principle should be applied?

A Fail safe
B Open design
C Defense in depth
D Complete mediation Correct answer- B

Which type of TCP scanning indicates that a system is moving to the second phase in a
three-way TCP handshake?

A TCP SYN scanning
B TCP ACK scanning
C TCP XMAS scanning
D TCP Connect scanning Correct answer- A

Which evaluation technique provides invalid, unexpected, or random data to the inputs
of a computer software program?

A Fuzz testing
B Static analysis
C Dynamic analysis
D Regression testing Correct answer- A

Which approach provides an opportunity to improve the software development life cycle
by tailoring the process to the specific risks facing the organization?

A Agile methodology
B Waterfall methodology
C Building security in maturity model (BSIMM)
D Software assurance maturity model (SAMM) Correct answer- D

Which phase contains sophisticated software development processes that ensure that
feedback from one phase reaches to the previous phase to improve future results?

A Initial
B Managed
C Optimizing
D Repeatable Correct answer- C

The activities for compliance include ensuring collected information is only used for
intended purposes, information is timely and accurate, and the public is aware of the
information collected and how it is used.

Which well-accepted secure development standard is addressed by these activities?

A PIA
B PA-DSS
C PCI-DSS
D PTS-DSS Correct answer- A

An organization is in the process of building an application for its banking software.

Which security coding practice must the organization follow?

A Run a data analysis
B Conduct data validation
C Validate the data source
D Align business goals Correct answer- B

What is included in a typical job description of a software security champion (SSC)?

A Identify software update source and sink
B Review code to identify skill-related bugs
C Develop and manage the after-SDLC stage
D Consider all possible paths of attack or exploits Correct answer- D

Which role is a training champion of software security, an advocate for the overall SDL
process, and a proponent for promulgating and enforcing the overall software product
security program?

A Software security user (SSU)
B Software security architect (SSA)
C Software security evangelist (SSE)
D Software security stakeholder (SSS) Correct answer- C

Which role requires the technical capability to be trained as a software security architect
who then assists the centralized software security group with architecture security
analysis and threat modeling?

A Software champion
B Software evangelist
C Junior software developer
D Senior software programmer Correct answer- A

An application development team is designing and building an application that
interfaces with a back-end database.

Which activity should be included when constructing a threat model for the application?
