Software Design
- What are the three primary goals of the secure software development process?
- Redundancy, scalability, and portability
- **Confidentiality, integrity, and availability**
- Cost, speed to market, and profitability
- Performance, reliability, and maintainability
**Explanation**: The three primary goals of secure software development are often referred to as the CIA triad: confidentiality (protecting data from unauthorized access), integrity (ensuring data accuracy and trustworthiness), and availability (ensuring data and systems are accessible to authorized users). These are foundational principles in cybersecurity.
- What is a best practice of secure coding?
- Planning
- User acceptance testing
- **Session management**
- Microservices
**Explanation**: Session management is a critical secure coding practice because it ensures that user sessions are handled securely, preventing issues like session hijacking or fixation. Proper session management includes using secure cookies, setting expiration times, and invalidating sessions after logout, which directly enhances security.
- Which secure coding best practice says to assume all incoming data should be considered untrusted and should be validated to ensure the system only accepts valid data?
- General coding practices
- Session management
- **Input validation**
- System configuration
**Explanation**: Input validation is the practice of verifying that all incoming data meets expected criteria before processing it. This prevents malicious inputs, such as SQL injection or cross-site scripting (XSS), by ensuring the system only accepts valid, safe data.
- Which SDL security goal is defined as ensuring timely and reliable access to and use of information?
- Information security
- **Availability**
- Integrity
- Confidentiality
**Explanation**: Availability, as part of the CIA triad, focuses on ensuring that information and systems are accessible and operational for authorized users when needed. This includes protecting against denial-of-service attacks and ensuring uptime.
- A new product does not display personally identifiable information, will not private documents be printed, and requires elevation of privilege to retrieve archive documents. Which secure coding practice is this describing?
- Authentication
- **Access control**
- Input validation
- Data protection
**Explanation**: Access control is the practice of restricting access to resources based on user privileges. The scenario describes requiring elevation of privilege to access certain documents, which directly aligns with access control mechanisms to ensure only authorized users can retrieve sensitive data.
- The scrum team decided that before any change can be merged and tested, it must be locked by the team’s lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team’s quality standards. Which category of secure software best practices is the team performing?
- **Code review**
- Training
- Architecture analysis
- Penetration testing
**Explanation**: Code review involves examining code to ensure it meets quality and security standards before merging. The scenario describes the lead developer reviewing changes for accepted patterns and quality, which is a classic example of a code review process in secure software development.
- What is a countermeasure to the web application security frame (ASF) authentication threat category?
- Role-based access controls restrict access.
- Cookies have expiration timestamps.
- Sensitive information is scrubbed from error messages.
- **Credentials and tokens are encrypted.**
**Explanation**: The ASF (likely referring to a framework like OWASP’s Application Security Framework) authentication threat category includes risks like stolen credentials. Encrypting credentials and tokens ensures they cannot be easily intercepted or misused, directly addressing authentication threats.
- Which DREAD category has a risk rating based on the threat exploit’s potential level of harm?
- Exploitability
- Reproducibility
- **Damage potential**
- Affected users
**Explanation**: DREAD is a risk assessment model where "Damage potential" specifically evaluates the level of harm a threat could cause if exploited. This category focuses on the severity of impact, such as data loss or system compromise.
- Which mitigation technique can be used to fight against a threat where a user may gain access to administrator level functionality?
- Quality of service
- Hashes
- **Run with least privilege**
- Encryption
**Explanation**: Running with least privilege means limiting users and processes to the minimum permissions necessary for their tasks. This prevents unauthorized access to administrator-level functionality by ensuring users cannot escalate privileges beyond their assigned roles.
- Which software-testing technique can be automated or semi-automated and provides invalid, unexpected, or random data to the inputs of a computer software program?
- **Fuzzing**
- Bugtraq
- Static analysis
- Dynamic analysis
**Explanation**: Fuzzing is a testing technique that involves providing invalid, unexpected, or random data (fuzz) to a program’s inputs to identify vulnerabilities, such as crashes or security flaws. It can be automated or semi-automated, making it an effective method for finding bugs.
- What is a countermeasure to the web application security frame (ASF) authentication threat category?
- Role-based access controls restrict access.
- Cookies have expiration timestamps.
- Sensitive information is scrubbed from error messages.
- **Credentials and tokens are encrypted.**
**Explanation**: The ASF (likely referring to a framework like OWASP’s Application Security Framework) authentication threat category includes risks like stolen credentials. Encrypting credentials and tokens ensures they cannot be easily intercepted or misused, directly addressing authentication threats.
- Which DREAD category has a risk rating based on the threat exploit’s potential level of harm?
- Exploitability
- Reproducibility
- **Damage potential**
- Affected users
**Explanation**: DREAD is a risk assessment model where "Damage potential" specifically evaluates the level of harm a threat could cause if exploited. This category focuses on the severity of impact, such as data loss or system compromise.
- Which mitigation technique can be used to fight against a threat where a user may gain access to administrator level functionality?
- Quality of service
- Hashes
- **Run with least privilege**
- Encryption
**Explanation**: Running with least privilege means limiting users and processes to the minimum permissions necessary for their tasks. This prevents unauthorized access to administrator-level functionality by ensuring users cannot escalate privileges beyond their assigned roles.
- The scrum team decided that before any change can be merged and tested, it must be locked by the team’s lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team’s quality standards. Which category of secure software best practices is the team performing?
- **Code review**
- Training
- Architecture analysis
- Penetration testing
**Explanation**: Code review involves examining code to ensure it meets quality and security standards before merging. The scenario describes the lead developer reviewing changes for accepted patterns and quality, which is a classic example of a code review process in secure software development.
- What is one of the four core values of the agile manifesto?
- Business people and developers must work together daily throughout the project.
- Teams should have a dedicated and open workspace.
- Communication between team members
- **Individuals and interactions over processes and tools**
**Explanation**: The Agile Manifesto outlines four core values, one of which is prioritizing "individuals and interactions over processes and tools." This emphasizes the importance of collaboration and communication among team members over rigid adherence to tools or processes.
- Company is moving forward with a new product. Product scope has been determined, test teams have formed, and backlogs have been created. Developers are actively writing code for the new product, with one team working on the mobile apps, and a third team writing the web application. Which phase of the software development lifecycle (SDLC) is being described?
- Design
- **Implementation**
- Deployment
- Requirements
**Explanation**: The implementation phase of the SDLC involves the actual development of the product, where developers write code based on the defined scope and requirements. The scenario describes active coding by multiple teams, which aligns with the implementation phase.
- Which secure coding best practice ensures that a user’s password is not stored in cleartext and is not easily reversible?
- Input validation
- **Cryptography**
- Session management
- Access control
**Explanation**: Cryptography involves techniques like hashing and encryption to protect data. Storing passwords using a strong, one-way hashing algorithm (e.g., bcrypt) ensures they are not in cleartext and are not easily reversible, which is a key secure coding practice for password protection.
- Which STRIDE threat category includes an attacker pretending to be a legitimate user to gain access to a system?
- Tampering
- **Spoofing**
- Elevation of privilege
- Denial of service
**Explanation**: Spoofing, in the STRIDE threat model, refers to an attacker impersonating a legitimate user or system to gain unauthorized access. This directly matches the scenario of an attacker pretending to be a legitimate user.
- What is the STRIDE threat category for an attacker modifying data while it is in transit between a client and a server?
- **Tampering**
- Spoofing
- Repudiation
- Information disclosure
**Explanation**: Tampering, in the STRIDE model, involves unauthorized modification of data. Modifying data in transit between a client and server is a classic example of tampering, as it violates data integrity.
- Which STRIDE threat category includes an attacker gaining access to data they are not authorized to see?
- Spoofing
- Tampering
- **Information disclosure**
- Denial of service
**Explanation**: Information disclosure, in the STRIDE model, occurs when an attacker accesses data they are not authorized to see, such as sensitive user information. This violates confidentiality.
- Which STRIDE threat category includes an attacker denying a user access to a system by crashing the system?
- Spoofing
- Tampering
- Information disclosure
- **Denial of service**
**Explanation**: Denial of service (DoS), in the STRIDE model, involves actions that prevent legitimate users from accessing a system, such as crashing it. This directly impacts availability.
- Which STRIDE threat category includes an attacker denying they performed an action on a system?
- Spoofing
- Tampering
- **Repudiation**
- Information disclosure
**Explanation**: Repudiation, in the STRIDE model, occurs when an attacker denies performing an action, such as claiming they did not send a message or access a system. This often relates to the lack of proper logging or non-repudiation mechanisms.
- Which mitigation technique is used to fight against an identity spoofing threat?
- **Require user authorization**
- Encryption
- Filtering
- Audit trails
**Explanation**: Requiring user authorization, such as strong authentication mechanisms (e.g., multi-factor authentication), helps prevent identity spoofing by ensuring that only legitimate users can access the system. This directly counters the threat of an attacker impersonating a user.
- Which mitigation technique is used to fight against a tampering threat?
- Require user authorization
- **Encryption**
- Filtering
- Audit trails
**Explanation**: Encryption protects data integrity by ensuring that data cannot be modified without detection. For example, using cryptographic signatures or hashes can detect tampering attempts, making it an effective countermeasure against tampering threats.
- Which mitigation technique is used to fight against a denial-of-service threat?
- Require user authorization
- Encryption
- **Filtering**
- Audit trails
**Explanation**: Filtering, such as implementing rate limiting or IP filtering, can help mitigate denial-of-service (DoS) attacks by blocking malicious traffic before it overwhelms the system. This helps maintain availability.
- In which step of the PASTA threat modeling methodology will the team capture infrastructure, application, and software dependencies?
- Risk and impact analysis
- **Define technical scope**
- Attack modeling
- Define objectives
**Explanation**: PASTA (Process for Attack Simulation and Threat Analysis) includes a step to define the technical scope, where the team identifies and documents the infrastructure, application, and software dependencies. This step ensures a comprehensive understanding of the system’s components for threat modeling.
**Question 27**
Which category classifies identified threats that do not have defenses in place and expose the application to exploits?
- Threat profile
- Partially mitigated threat
- **Unmitigated threats**
- Fully mitigated threat
**Explanation**: Unmitigated threats are those that lack defenses, leaving the application vulnerable to exploits. The other options either imply some level of mitigation (partially or fully mitigated) or are unrelated to the lack of defenses (threat profile).
**Question 28**
In which step of the PASTA threat modeling methodology is vulnerability and exploit analysis performed?
- **Attack modeling**
- Define technical scope
- Application decomposition
- Define objectives
**Explanation**: PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric threat modeling methodology. Vulnerability and exploit analysis occurs during the "Attack modeling" step, where potential attack scenarios are simulated to identify vulnerabilities and exploits that could be leveraged by attackers.
---
**Question 33**
Which security assessment deliverable identifies unmanaged code that must be kept up to date throughout the life of the product?
- Metrics template
- **List of third-party software**
- Product risk profile
- Threat profile
**Explanation**: Unmanaged code often comes from third-party software or libraries, which need to be tracked and updated to address vulnerabilities. The "List of third-party software" is the deliverable that identifies such components, ensuring they are monitored and maintained throughout the product's lifecycle.
**Question 32**
Which security assessment deliverable identifies possible security vulnerabilities in the product?
- **Threat profile**
- Metrics template
- List of third-party software
- SDL project outline
**Explanation**: A threat profile identifies potential vulnerabilities and risks in a product by analyzing possible threats. The other options focus on different aspects: metrics templates track performance, third-party software lists dependencies, and SDL project outlines define processes, none of which directly identify vulnerabilities.
---
**Question 35**
Which threat modeling step collects exploitable weaknesses within the product?
- Analyze the target
- Set the scope
- Rate threats
- **Identify and document threats**
**Explanation**: Identifying and documenting threats involves pinpointing weaknesses that could be exploited, which aligns with collecting exploitable weaknesses. The other steps focus on different parts of the threat modeling process, such as defining the scope or prioritizing threats.
**Question 37**
Company leadership has contracted with a security firm to evaluate the vulnerability of all externally facing enterprise applications via automated and manual system interactions. Which security testing technique is being used?
- **Penetration testing**
- Source-code analysis
- Source-code fault injection
- Property-based testing
**Explanation**: Penetration testing involves both automated and manual techniques to evaluate the security of externally facing applications by simulating real-world attacks. This matches the description of the security firm's approach, which focuses on system interactions to identify vulnerabilities.
---
**Question 40**
The software security team is performing security testing on a new software product using a testing tool that scans the running application for known exploit signatures. Which security testing technique is being used?
- Property-based testing
- Source-code analysis
- Penetration testing
- **Automated vulnerability scanning**
**Explanation**: Automated vulnerability scanning involves using tools to scan a running application for known vulnerabilities or exploit signatures. This aligns with the description of the testing tool being used by the software security team to identify potential security issues.
**Question 41**
The product team has been tasked with updating the user interface (UI). They will change the layout and also add restrictions to field lengths and what data will be accepted. Which secure coding practice is this?
- Data protection
- Communication security
- Access control
- **Input validation**
**Explanation**: Adding restrictions to field lengths and acceptable data is a form of input validation, a secure coding practice that ensures only properly formatted data is accepted, preventing issues like injection attacks. The other options focus on different security aspects, such as protecting data in transit or controlling access.
---
**Question 43**
Which type of security analysis is limited by the fact that a significant time investment of a highly skilled team member is required?
- Fuzz testing
- Static code analysis
- **Manual code review**
- Dynamic code analysis
**Explanation**: Manual code review requires a highly skilled team member to meticulously analyze code, which is time-intensive. Other methods like fuzz testing, static, and dynamic code analysis can be more automated, requiring less human effort.
**Question 46**
Which type of manual code review technique is being used when the reviewer starts at an input control and traces its value through the application to each of the value’s outputs?
- Risk analysis
- **Control flow analysis**
- Threat analysis
- Data flow analysis
**Explanation**: The technique described involves tracing the path of an input through the application to its outputs, which aligns with "Control flow analysis." This method focuses on understanding how control flows through the program, ensuring that inputs are handled securely at each step.
**Question 47**
What is the last step of the SDLC/SDL code review process?
- Identify security code review objectives
- Perform preliminary scan
- Review for security issues unique to the architecture
- **Review code for security issues**
**Explanation**: In the Software Development Life Cycle (SDLC) or Secure Development Lifecycle (SDL), the code review process typically culminates in a detailed "Review code for security issues." This final step ensures that all potential security vulnerabilities in the code are identified and addressed before deployment.
**Question 48**
The software security team prepared a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute. Which design and development deliverable did the team prepare?
- Design security review
- **Security test plans**
- Privacy implementation assessment results
- Updated threat modeling artifacts
**Explanation**: A detailed schedule mapping SDL phases to analysis types is a security test plan, which outlines how security testing will be conducted throughout the lifecycle. The other options are either specific deliverables (like design reviews) or unrelated to scheduling (like privacy assessments).
**Question 49**
A potential threat was discovered during automated system testing when a PATCH request sent to the API caused an unhandled server exception. The API only supports GET, POST, PUT, and DELETE requests. How should existing security controls be adjusted to prevent this in the future?
- **Properly configure acceptable API requests**
- Enforce role-based authorization
- Use API keys to enforce authorization of every request
- Ensure audit logs are in place for sensitive transactions
**Explanation**: The issue arises because the API does not handle unsupported HTTP methods like PATCH, leading to an unhandled exception. To prevent this, the API should be configured to only accept supported requests (GET, POST, PUT, DELETE) and reject or handle others appropriately, which is achieved by "Properly configuring acceptable API requests."
**Question 53**
The security team is reviewing all noncommercial software libraries used in the new product to ensure they are being used according to the legal specifications defined by the authors. What activity of the Ship SDL phase is being performed?
- Final security review
- **Open-source licensing review**
- Penetration testing
- Policy compliance analysis
**Explanation**: Reviewing software libraries for compliance with legal specifications is an open-source licensing review, typically part of the Ship phase in the SDL to ensure legal usage before release. The other options involve different activities, such as testing or final reviews, not specifically tied to licensing.
**Question 55**
Recent vulnerability scans discovered that the organization’s production web servers were responding to ping requests with server type, version, and operating system, which hackers could leverage to plan attacks. How should the organization remediate this vulnerability?
- **Ensure servers are configured to return as little information as possible to network requests**
- Access to configuration files is limited to administrators
- Ensure servers are regularly updated with the latest security patches
- Always uninstall or disable features that are not required
**Explanation**: The vulnerability arises because the servers are exposing sensitive information (server type, version, OS) in response to ping requests. To remediate this, the organization should "Ensure servers are configured to return as little information as possible to network requests," minimizing the data exposed to potential attackers.
**Question 56**
Security testers have completed testing and are documenting the results of vulnerability scans and penetration analysis. They are also creating documentation to share with the organization’s largest customers. Which deliverable is being prepared?
- Customer engagement framework
- Remediation report
- **Security testing reports**
- Open-source licensing review report
**Explanation**: The "Security testing reports" deliverable is specifically designed to document the results of security evaluations, such as vulnerability scans and penetration tests, and is often shared with stakeholders like customers to demonstrate the security posture of the product.
---
**Question 57**
A recent vulnerability scan uncovered an XML external entity (XXE) flaw that could allow attackers to return the contents of a system file by including a specific payload in an XML request. How should the organization remediate this vulnerability?
- **Disable resolution of external entities in the parsing library**
- Enforce role-based authorization in all application layers
- Ensure authentication cookies are encrypted
- Ensure audit trails exist for all sensitive transactions
**Explanation**: An XXE vulnerability occurs when an XML parser processes external entities, allowing attackers to access system files. The most direct remediation is to "Disable resolution of external entities in the parsing library," which prevents the parser from processing potentially malicious external entities.
---
**Question 58**
The software security group is conducting a maturity assessment using the Open Web Application Security Project Software Assurance Maturity Model (OWASP OpenSAMM). They are currently focused on reviewing design artifacts to ensure they comply with organizational security standards. Which OpenSAMM business function is being assessed?
- **Construction**
- Verification
- Deployment
- Governance
**Explanation**: The "Construction" business function in OWASP OpenSAMM focuses on the design and development phase, including reviewing design artifacts to ensure they meet security standards. This aligns with the activity described in the question.
---
**Question 59**
Credit card numbers are encrypted when stored in the database but are automatically decrypted when data is fetched. The testing tool intercepted the GET response, and testers were able to view credit card numbers as clear text! How should the organization remediate this vulnerability?
- Enforce role-based authorization controls in all application layers
- **Ensure all data in transit is encrypted**
- Ensure there is an audit trail for all sensitive transactions
- Never cache sensitive data
**Explanation**: The issue is that credit card numbers are exposed in clear text during a GET response, meaning the data in transit is not encrypted. To remediate this, the organization should "Ensure all data in transit is encrypted," typically by using protocols like HTTPS to protect sensitive data during transmission.
---
**Question 60**
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company’s claims intake component. The base score of the vulnerability was 3.5 and changed to 5.9 after adjusting temporal and environmental metrics. Which rating would CVSS assign this vulnerability?
- **Medium severity**
- High severity
- Low severity
- Critical severity
**Explanation**: CVSS scores range from 0 to 10, with the following severity ratings: 0.0 (None), 0.1-3.9 (Low), 4.0-6.9 (Medium), 7.0-8.9 (High), and 9.0-10.0 (Critical). A score of 5.9 falls within the 4.0-6.9 range, so the rating is "Medium severity."
---
**Question 61**
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company’s customer portal. The base score of the vulnerability was 9.3 and changed to 8.0 after adjusting temporal and environmental metrics. Which rating would CVSS assign this vulnerability?
- Critical severity
- **High severity**
- Low severity
- Medium severity
**Explanation**: CVSS severity ratings are: 0.0 (None), 0.1-3.9 (Low), 4.0-6.9 (Medium), 7.0-8.9 (High), and 9.0-10.0 (Critical). A score of 8.0 falls within the 7.0-8.9 range, so the rating is "High severity."
---
**Question 62**
The software security team has been tasked with assessing a document management application that has been in use for many years and developing a plan to ensure it complies with organizational policies. Which post-release deliverable is being described?
- Post-release certifications
- External vulnerability disclosure
- **Security strategy for legacy response processes**
- Security strategy for M&A products
**Explanation**: The task involves assessing a legacy application and ensuring compliance with policies, which aligns with creating a "Security strategy for legacy response processes." This deliverable focuses on managing and securing older systems that are still in use.
---
**Question 63**
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the user authentication component of the company’s new product. The base score of the vulnerability was 8.3 and changed to 9.4 after adjusting temporal and environmental metrics. Which rating would CVSS assign this vulnerability?
- **Critical severity**
- Medium severity
- Low severity
- High severity
**Explanation**: CVSS severity ratings are: 0.0 (None), 0.1-3.9 (Low), 4.0-6.9 (Medium), 7.0-8.9 (High), and 9.0-10.0 (Critical). A score of 9.4 falls within the 9.0-10.0 range, so the rating is "Critical severity."
---
**Question 66**
The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that the team must identify primary security and privacy controls?
- Every-sprint requirement
- **One-time requirement**
- Final security review requirement
- Bucket requirement
**Explanation**: Identifying primary security and privacy controls is a foundational step that typically occurs once during the planning or initial phases of a project, not repeatedly in every sprint. This makes it a "One-time requirement," as it sets the baseline for security and privacy practices.
[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section][et_pb_section fb_built="1" fullwidth="on" _builder_version="4.9.3" _module_preset="default"][et_pb_fullwidth_header title="GET YOUR PROCTORED EXAM DONE FOR YOU SEAMLESSLY BY OUR EXPERT TEAM, UNDETECTED TODAY AT AN AFFORDABLE PRICE." button_one_text="Click Here" button_one_url="https://academiascholars.com/wgu-fast-track-service/" _builder_version="4.9.3" _module_preset="default"]
Are you currently in session at Western Governors University, and you're stuck with your exams, or even writing the long papers? We're here for you. Let's take full control of that course and see yourself graduating in less than 6 months. We promise nothing less than exemplary in your scores, and here's the kicker: We're completely undetectable!
Reach us on any of the following channels:
- Discord Server - https://discord.gg/38d7A4VJea
- WhatsApp: https://wa.me/+19178105386
- Call/SMS: +19178105386
- Website: Academiascholars.com
- Reddit: https://www.reddit.com/r/Homewrkdomain/
- Email: [email protected]