Study online at https://quizlet.com/_9pp8vc
1. Which due diligence activity for supply chain security should occur in the
initiation phase of the software acquisition life cycle?: Developing a request for
proposal (RFP) that includes supply chain security risk management
2. Which due diligence activity for supply chain security investigates the
means by which data sets are shared and assessed?: A document exchange
and review
3. Identification of the entity making the access request
Verification that the request has not changed since its initiation
Application of the appropriate authorization procedures
Reexamination of previously authorized requests by the same entity
Which security design analysis is being described?: Complete mediation
4. Which software security principle guards against the improper modification
or destruction of information and ensures the nonrepudiation and authenticity
of information?: Integrity
5. What type of functional security requirement involves receiving, processing,
storing, transmitting, and delivering in report form?: Primary dataflow
6. Which nonfunctional security requirement provides a way to capture information
correctly and a way to store that information to help support later
audits?: Logging
7. Which security concept refers to the quality of information that could cause
harm or damage if disclosed?: Sensitivity
8. Which technology would be an example of an injection flaw, according to
the OWASP Top 10?: SQL
9. A company is creating new software to track customer balance and wants
to design a secure application.
Which best practice should be applied?: Create multiple layers of protection so
that a subsequent layer provides protection if a layer is breached
10. A company is developing secure software that has to be evaluated and
tested by a large number of experts.
Which security principle should be applied?: Open design
11. Which type of TCP scanning indicates that a system is moving to the
second phase in a three-way TCP handshake?: TCP SYN scanning
12. Which evaluation technique provides invalid, unexpected, or random data
to the inputs of a computer software program?: Fuzz testing
13. Which approach provides an opportunity to improve the software development
life cycle by tailoring the process to the specific risks facing the
organization?: Software assurance maturity model (SAMM)
WGU-C706 Secure Software Design (Pre-Assessment)
14. Which phase contains sophisticated software development processes that
ensure that feedback from one phase reaches the previous phase to improve
future results?: Optimizing
15. The activities for compliance include ensuring collected information is
only used for intended purposes, information is timely and accurate, and the
public is aware of the information collected and how it is used.
Which well-accepted secure development standard is addressed by these
activities?: PIA
16. An organization is in the process of building an application for its banking
software.
Which security coding practice must the organization follow?: Conduct data
validation
17. What is included in a typical job description of a software security champion
(SSC)?: Consider all possible paths of attack or exploits
18. Which role is a training champion of software security, an advocate for
the overall SDL process, and a proponent for promulgating and enforcing the
overall software product security program?: Software security evangelist (SSE)
19. Which role requires the technical capability to be trained as a software
security architect who then assists the centralized software security group
with architecture security analysis and threat modeling?: Software champion
20. An application development team is designing and building an application
that interfaces with a back-end database.
Which activity should be included when constructing a threat model for
the application?: Decompose the application to understand how it interacts with
external entities
21. What is the third step for constructing a threat model for identifying a
spoofing threat?: Decompose threats
22. What is a step for constructing a threat model for a project when using
practical risk analysis?: Make a list of what you are trying to protect
23. Which cyber threats are typically surgical by nature, have highly specific
targeting, and are technologically sophisticated?: Tactical attacks
24. Which type of cyberattacks are often intended to elevate awareness of a
topic?: Sociopolitical attacks
25. What type of attack locks a user's desktop and then requires a payment to
unlock it?: Ransomware