D487: Secure Software Design Questions

D487: Secure Software Design Questions

25 studiers today 4.6 (24 reviews) Students also studied Terms in this set (58) Western Governors UniversityD 487 Save

WGU D487 PRE-ASSESSMENT: SEC...

60 terms Shaun_Krause Preview D488 - Cybersecurity Architecture a...1,074 terms SpaceChimpanzee Preview D487 - Secure Software Design 1,286 terms SpaceChimpanzee Preview

D487 S

70 terms paw What are the two common best principles of software applications in the development process? Choose 2 answers.Quality code Secure code Information security Integrity Availability Quality code Secure code "Quality code" is correct. Quality code is efficient code that is easy to maintain and reusable."Secure code" is correct. Secure code authorizes and authenticates every user transaction, logs the transaction, and denies all unauthorized requisitions.What ensures that the user has the appropriate role and privilege to view data?Authentication Multi-factor authentication Encryption Information security Authorization Authorization Authorization ensures a user's information and credentials are approved by the system.Which security goal is defined by "guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity"?Integrity Quality Availability Reliability Integrity The data must remain unchanged by unauthorized users and remain reliable from the data entry point to the database and back.

Which phase in an SDLC helps to define the problem and scope of any existing systems and determine the objectives of new systems?Requirements Design Planning Testing Planning The planning stage sets the project schedule and looks at the big picture.What happens during a dynamic code review?Programmers monitor system memory, functional behavior, response times, and overall performance.Customers perform tests to check software meets requirements.An analysis of computer programs without executing them is performed.Input fields are supplied with unexpected input and tested.Programmers monitor system memory, functional behavior, response times, and overall performance.How should you store your application user credentials in your application database?Use application logic to encrypt credentials Store credentials as clear text Store credentials using Base64 encoded Store credentials using salted hashes Store credentials using salted hashes Hashing is a one-way process that converts a password to ciphertext using hash algorithms. Password salting adds random characters before or after a password prior to hashing to obfuscate the actual password.Which software methodology resembles an assembly- line approach?V-model Agile model Iterative model Waterfall model Waterfall model Waterfall model is a continuous software development model in which the development steps flow steadily downwards.Which software methodology approach provides faster time to market and higher business value?Iterative model Waterfall model V-model Agile model Agile model In the agile model, projects are divided into small incremental builds that provide working software at the end of each iteration and adds value to business.In Scrum methodology, who is responsible for making decisions on the requirements?Scrum Team Product Owner ScrumMaster Technical Lead Product Owner The Product Owner is responsible for requirements/backlog items and prioritizing them.

What is the reason software security teams host discovery meetings with stakeholders early in the development life cycle?To determine how much budget is available for new security tools To meet the development team To refactor functional requirements to ensure security is included To ensure that security is built into the product from the start To ensure that security is built into the product from the start To correctly and cost-effectively introduce security into the software development life cycle, it needs to be done early.Why should a security team provide documented certification requirements during the software assessment phase?Certification is required if the organization wants to move to the cloud.Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers.By ensuring software products are certified, the organization is protected from future litigation.By ensuring all developers have security certifications before writing any code, teams can forego discovery sessions.Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers.Any new product may need to be certified based on the data it stores, the frameworks it uses, or the domain in which it resides. Those certification requirements need to be analyzed and documented early in the development life cycle.What are two items that should be included in the privacy impact assessment plan regardless of which methodology is used?Choose 2 answers.Required process steps Technologies and techniques SDL project outline Threat modeling Post-implementation signoffs Required process steps Technologies and techniques "Required process steps" is correct. Required process steps explain in more detail which requirements are relevant to developers, detailing what types of data are considered sensitive and how they need to be protected."Technologies and techniques" is correct. Technologies and techniques detail techniques for meeting legislative requirements in five categories: Confidentiality, Integrity, Availability, Auditing and Logging, and Authentication.What are the goals of each SDL deliverable?

Select one of these options for each deliverable:

-Estimate the actual cost of the product -Identify dependence on unmanaged software -Map security activities to the development schedule -Guide security activities to protect the product from vulnerabilities Product risk profile SDL project outline Threat profile List of third-party software Estimate the actual cost of the product Map security activities to the development schedule Guide security activities to protect the product from vulnerabilities Identify dependence on unmanaged software The product risk profile helps management see the actual cost of a product.The SDL project outline maps security activities to the development schedule.A threat profile guides the security team on how to protect the product from threats.The third-party software list identifies all components the product is using that are managed outside the organization.

What is a threat action that is designed to illegally access and use another person's credentials?Tampering Spoofing Elevation of privilege Information disclosure Spoofing Spoofing is a threat action that occurs when the cyber criminal acts as a trusted device to get you to relay secure information.What are two steps of the threat modeling process?Choose 2 answers.Survey the application Decompose the application Redesign the process to eliminate the threat Transfer the risk Identify business requirements Survey the application Decompose the application "Survey the application" is correct. Surveying the application is a way to gain knowledge of how the product works by reading product documentation and interviewing the development team."Decompose the application" is correct. Decomposing the application can be done by doing a deep dive into the code and understanding how it works behind the scenes.What do the "A" and the first "D" in the DREAD acronym represent?Choose 2 answers.Damage Affected users Denial of service Authentication Damage Affected users "Damage" is correct. Damage represents the first 'D' in DREAD and measures how much damage will be caused if the threat exploit occurs."Affected users" is correct. Affected users represents the 'A' in DREAD and measures how many users will be affected.Which shape indicates each type of flow diagram element?

Select an option for each element:

-Two parallel horizontal lines -Solid line with an arrow.-Rectangle -Dashed line External elements Data store Data flow Trust boundary Rectangle Two parallel horizontal lines Solid line with an arrow.Dashed line A rectangle in a data flow diagram represents an element outside your control and external to your software application.Two parallel horizontal lines in a data flow diagram represent where data can be stored but not modified.A single solid line with an arrow in a data flow diagram represents the movement of data within the software.A single dashed line in a data flow diagram represents scenarios that exist between elements running at different privilege levels or different components running at the same privilege level.What are the two deliverables of the Architecture phase of the SDL?Choose 2 answers.Threat modeling artifacts Policy compliance analysis Information disclosure Attack modeling Application decomposition Threat modeling artifacts Policy compliance analysis "Threat modeling artifacts" is correct. Threat modeling artifacts include data flow diagrams, technical threat modeling reports, high-level executive threat modeling reports, and recommendations for threat analysis."Policy compliance analysis" is correct. Policy compliance analysis is a report on compliance with security and non-security policies of the organization.