Questions and Answers (2022/2023) (Verified Answers)
What is Extreme Programming (XP) method of the Agile SDLC Model?
Small teams working in the same room to encourage communication; only the required
documentation is created.
What is Crystal Clear for?
For noncritical projects using discretionary money, requiring up to six or eight people.
One team in the same room. Maximum release length of 2 months.
What is Crystal Orange for?
Adequate for critical, but not life-critical, projects requiring up to 40 people. Different
teams. Releases from 2 to 4 months, with two user viewings per release.
How does a SQL Injection attack work?
It takes advantage of a vulnerability that appears when a web application fails to properly
filter or validate data a user enters on a web page, for example to order a product or
communicate with a company. An attacker can send a malformed SQL query to the underlying
database to break into it, plant malicious code, or access other systems.
Agility & Discipline of XP Method?
Agility - High, Discipline required - High
Agility & Discipline of Crystal Clear Method?
Agility - High, Discipline required - Low
Agility & Discipline of Crystal Orange Method?
Agility - Medium, Discipline required - Medium
Agility & Discipline of Scrum Method?
Agility - High, Discipline required - High
Agility & Discipline of RUP Method?
Agility - Low to Medium, Discipline required - High
What are four Scrum events?
1. Sprint planning meeting.
2. Daily Scrum
3. Sprint review
4. Sprint retrospective
What are the four Scrum artifacts?
1. Product backlog
2. Sprint backlog
3. Increment
4. Burndown chart
What are the three Scrum roles?
1. Product owner - represents customer
2. Development team
3. Scrum master - Coaches team, not project manager
What are the three pillar concepts of Scrum?
1. Transparency - product visible
2. Inspection - of artifact or progress
3. Adaptation - Make corrections when required
What security practitioner role handles deployment?
Release Manager
What security practitioner role handles design?
Architect
What security practitioner role handles coding?
Developer
What security practitioner role handles requirements gathering?
Business Analyst/Project Manager
This team is familiar with the company's infrastructure and software languages and
tries to break the system as developers build it.
Red Team
This is a method of program debugging by examining the code without executing
the program. Also called code review.
Static analysis
Initially designed as a cryptographic hash but having extensive vulnerabilities, this hash is
used as a checksum to verify data integrity.
MD5 Hash
One-way cryptographic hash that generates a fixed 256-bit hash.
SHA-256
Symmetric encryption algorithm that supports a 128-bit block and 128/192/256-bit
key lengths. Efficient in both hardware and software.
AES
This architecture model removes business logic from the client end of the system and
places it on a separate server.
Three (3) Tier
Testing used to see if a system has solid exception handling for the input it receives.
Malformed or random input is fed into the system to intentionally produce failures.
Fuzz Testing
USC threat modeling based on attacking path analysis: a risk management
approach that quantifies the total severity weights of relevant attacking paths for
COTS-based systems.
T-MAP (Threat Modeling Attacking Path)
Open source conceptual framework, methodology, and toolset designed to
autogenerate repeatable threat models.
Trike
This free tool assists in creation of threat models built on Microsoft Visio.
SDL Threat Modeling Tool
The overall goal of ______ _______ is to determine most likely locations within
the system in development where an attacker will strike.
Vulnerability Mapping
Vulnerability mapping is done in the _______ phase of the SDLC.
Design
Highest vulnerability mapping level: a very likely target and the highest security
priority for the system.
V3