D487 - Secure Software Design
What is the study of real-world software security initiatives organized so companies can
measure their initiatives and understand how to evolve them over time?
A) Building Security in Maturity Model (BSIMM)
B) Security features and design
C) OWASP Software Assurance Maturity Model (SAMM)
D) ISO 27001 - *answers *A) Building Security in Maturity Model (BSIMM)
What is the analysis of computer software that is performed without executing
programs?
A) Static analysis
B) Fuzzing
C) Dynamic analysis
D) OWASP ZAP - *answers *A) Static analysis
What iso standard is the benchmark for information security today?
A) iso/iec 27001
B) iso/iec 7799
C) iso/iec 27034
D) iso 8601 - *answers *A) iso 27001
what is the analysis of computer software that is performed by executing programs on a
real or virtual processor in real time?
A) dynamic analysis
B) static analysis
C) fuzzing
D) security testing - *answers *A) dynamic analysis
which person is responsible for designing, planning, and implementing secure coding
practices and security testing methodologies?
A) software security architect
B) product security developer
C) software security champion
D) software tester - *answers *A) software security architect
A company is preparing to add a new feature to its flagship software product. The new
feature is similar to features that have been added in previous years, and the
requirements are well-documented. The project is expected to last three to four months,
at which time the new feature will be released to customers. Project team members will
focus solely on the new feature until the project ends.
Which software development methodology is being used?
,D487 - Secure Software Design
A) Waterfall
B) Agile
C) Scrum
D) Extreme programming - *answers *A) Waterfall
A new product will require an administration section for a small number of users. Normal
users will be able to view limited customer information and should not see admin
functionality within the application.
Which concept is being used?
A) Principle of least privilege
B) Privacy
C) Software security champion
D) Elevation of privilege - *answers *A) Principle of least privilege
The software security team is currently working to identify approaches for input
validation, authentication, authorization, and configuration management of a new
software product so they can deliver a security profile.
Which threat modeling step is being described?
A) Analyzing the target
B) Drawing data flow diagram
C) Rating threats
D) Identifying and documenting threats - *answers *A) Analyzing the target
The scrum team is attending their morning meeting, which is scheduled at the beginning
of the work day. Each team member reports what they accomplished yesterday, what
they plan to accomplish today, and if they have any impediments that may cause them
to miss their delivery deadline.
Which scrum ceremony is the team participating in?
A) Daily scrum
B) Sprint review
C) Sprint retrospective
D) Sprint planning - *answers *A) Daily scrum
what is a list of information security vulnerabilities that aims to provide names for
publicly known problems?
A) common computer vulnerabilities and exposures (CVE)
B) SANS institute top cyber security risks
C) bugtraq
,D487 - Secure Software Design
D) Carnegie melon computer emergency readiness team (CERT) - *answers *A)
common computer vulnerabilities and exposures (CVE)
which secure coding best practice uses well-tested, publicly available algorithms to hide
product data from unauthorized access?
A) access control
B) authentication and password management
C) cryptographic practices
D) data protection - *answers *C) cryptographic practices
which secure coding best practice ensures servers, frameworks, and system
components are all running the latest approved versions?
A) file management
B) input validation
C) database security
D) system configuration - *answers *D) system configuration
Which secure coding best practice says to use parameterized queries, encrypted
connection strings stored in separate configuration files, and strong passwords or multi-
factor authentication?
A) access control
B) database security
C) file management
D) session management - *answers *B) database security
which secure coding best practice says that all information passed to other systems
should be encrypted?
A) output encoding
B) memory management
C) communication security
D) database security - *answers *C) communication security
Team members are being introduced during sprint zero in the project kickoff meeting.
The person being introduced is a member of the scrum team, responsible for writing
feature logic and attending sprint ceremonies.
Which role is the team member playing?
A) Software developer
B) Product owner
C) Scrum master
, D487 - Secure Software Design
D) Quality assurance analyst - *answers *A) Software developer
A software security team member has created data flow diagrams, chosen the STRIDE
methodology to perform threat reviews, and created the security assessment for the
new product.
Which category of secure software best practices did the team member perform?
A) Architecture analysis
B) Training
C) Penetration testing
D) Code review - *answers *A) Architecture analysis
A company is preparing to add a new feature to its flagship software product. The new
feature is similar to features that have been added in previous years, and the
requirements are well-documented. The project is expected to last three to four months,
at which time the new feature will be released to customers. Project team members will
focus solely on the new feature until the project ends. Which software development
methodology is being used?
A) Agile
B) Waterfall
C) Scrum
D) Extreme programming - *answers *B) Waterfall
A new product will require an administration section for a small number of users. Normal
users will be able to view limited customer information and should not see admin
functionality within the application. Which concept is being used?
A) privacy
B) POLP
C) software security champion
D) elevation of privilege - *answers *B) POLP
The software security team is currently working to identify approaches for input
validation, authentication, authorization, and configuration management of a new
software product so they can deliver a security profile. Which threat modeling step is
being described?
A) Rating threats
B) Identifying and documenting threats
C) analyzing the target
D) drawing data flow diagram - *answers *C) analyzing the target
The scrum team is attending their morning meeting, which is scheduled at the beginning
of the work day. Each team member reports what they accomplished yesterday, what
What is the study of real-world software security initiatives organized so companies can
measure their initiatives and understand how to evolve them over time?
A) Building Security in Maturity Model (BSIMM)
B) Security features and design
C) OWASP Software Assurance Maturity Model (SAMM)
D) ISO 27001 - *answers *A) Building Security in Maturity Model (BSIMM)
What is the analysis of computer software that is performed without executing
programs?
A) Static analysis
B) Fuzzing
C) Dynamic analysis
D) OWASP ZAP - *answers *A) Static analysis
What iso standard is the benchmark for information security today?
A) iso/iec 27001
B) iso/iec 7799
C) iso/iec 27034
D) iso 8601 - *answers *A) iso 27001
what is the analysis of computer software that is performed by executing programs on a
real or virtual processor in real time?
A) dynamic analysis
B) static analysis
C) fuzzing
D) security testing - *answers *A) dynamic analysis
which person is responsible for designing, planning, and implementing secure coding
practices and security testing methodologies?
A) software security architect
B) product security developer
C) software security champion
D) software tester - *answers *A) software security architect
A company is preparing to add a new feature to its flagship software product. The new
feature is similar to features that have been added in previous years, and the
requirements are well-documented. The project is expected to last three to four months,
at which time the new feature will be released to customers. Project team members will
focus solely on the new feature until the project ends.
Which software development methodology is being used?
,D487 - Secure Software Design
A) Waterfall
B) Agile
C) Scrum
D) Extreme programming - *answers *A) Waterfall
A new product will require an administration section for a small number of users. Normal
users will be able to view limited customer information and should not see admin
functionality within the application.
Which concept is being used?
A) Principle of least privilege
B) Privacy
C) Software security champion
D) Elevation of privilege - *answers *A) Principle of least privilege
The software security team is currently working to identify approaches for input
validation, authentication, authorization, and configuration management of a new
software product so they can deliver a security profile.
Which threat modeling step is being described?
A) Analyzing the target
B) Drawing data flow diagram
C) Rating threats
D) Identifying and documenting threats - *answers *A) Analyzing the target
The scrum team is attending their morning meeting, which is scheduled at the beginning
of the work day. Each team member reports what they accomplished yesterday, what
they plan to accomplish today, and if they have any impediments that may cause them
to miss their delivery deadline.
Which scrum ceremony is the team participating in?
A) Daily scrum
B) Sprint review
C) Sprint retrospective
D) Sprint planning - *answers *A) Daily scrum
what is a list of information security vulnerabilities that aims to provide names for
publicly known problems?
A) common computer vulnerabilities and exposures (CVE)
B) SANS institute top cyber security risks
C) bugtraq
,D487 - Secure Software Design
D) Carnegie melon computer emergency readiness team (CERT) - *answers *A)
common computer vulnerabilities and exposures (CVE)
which secure coding best practice uses well-tested, publicly available algorithms to hide
product data from unauthorized access?
A) access control
B) authentication and password management
C) cryptographic practices
D) data protection - *answers *C) cryptographic practices
which secure coding best practice ensures servers, frameworks, and system
components are all running the latest approved versions?
A) file management
B) input validation
C) database security
D) system configuration - *answers *D) system configuration
Which secure coding best practice says to use parameterized queries, encrypted
connection strings stored in separate configuration files, and strong passwords or multi-
factor authentication?
A) access control
B) database security
C) file management
D) session management - *answers *B) database security
which secure coding best practice says that all information passed to other systems
should be encrypted?
A) output encoding
B) memory management
C) communication security
D) database security - *answers *C) communication security
Team members are being introduced during sprint zero in the project kickoff meeting.
The person being introduced is a member of the scrum team, responsible for writing
feature logic and attending sprint ceremonies.
Which role is the team member playing?
A) Software developer
B) Product owner
C) Scrum master
, D487 - Secure Software Design
D) Quality assurance analyst - *answers *A) Software developer
A software security team member has created data flow diagrams, chosen the STRIDE
methodology to perform threat reviews, and created the security assessment for the
new product.
Which category of secure software best practices did the team member perform?
A) Architecture analysis
B) Training
C) Penetration testing
D) Code review - *answers *A) Architecture analysis
A company is preparing to add a new feature to its flagship software product. The new
feature is similar to features that have been added in previous years, and the
requirements are well-documented. The project is expected to last three to four months,
at which time the new feature will be released to customers. Project team members will
focus solely on the new feature until the project ends. Which software development
methodology is being used?
A) Agile
B) Waterfall
C) Scrum
D) Extreme programming - *answers *B) Waterfall
A new product will require an administration section for a small number of users. Normal
users will be able to view limited customer information and should not see admin
functionality within the application. Which concept is being used?
A) privacy
B) POLP
C) software security champion
D) elevation of privilege - *answers *B) POLP
The software security team is currently working to identify approaches for input
validation, authentication, authorization, and configuration management of a new
software product so they can deliver a security profile. Which threat modeling step is
being described?
A) Rating threats
B) Identifying and documenting threats
C) analyzing the target
D) drawing data flow diagram - *answers *C) analyzing the target
The scrum team is attending their morning meeting, which is scheduled at the beginning
of the work day. Each team member reports what they accomplished yesterday, what
