WGU D487 PRE-ASSESSMENT: SECURE SOFTWARE DESIGN (KEO1) (PKEO)

WGU D487 PRE-ASSESSMENT: SECURE SOFTWARE

DESIGN (KEO1) (PKEO)

19 studiers today 5.0 (3 reviews) Students also studied Terms in this set (60) Western Governors UniversityD 487 Save

D487: Secure Software Design Ques...

58 terms chadl97Preview

D487 STUDYY

70 terms pawlowskithomas Preview D487 - Secure Software Design 1,286 terms SpaceChimpanzee Preview

D488 -

1,074 ter Spa What is a study of real-world software security initiatives organized so companies can measure their initiatives and understand how to evolve them over time?, Building Security In Maturity Model (BSIMM) What is the analysis of computer software that is performed without executing programs?Static analysis Which International Organization for Standardization (ISO) standard is the benchmark for information security today?

ISO/IEC 27001.

What is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time?, Dynamic analysis Which person is responsible for designing, planning, and implementing secure coding practices and security testing methodologies?Software security architect A company is preparing to add a new feature to its flagship software product. The new feature is similar to features that have been added in previous years, and the requirements are well-documented. The project is expected to last three to four months, at which time the new feature will be released to customers. Project team members will focus solely on the new feature until the project ends. Which software development methodology is being used?Waterfall

A new product will require an administration section for a small number of users. Normal users will be able to view limited customer information and should not see admin functionality within the application. Which concept is being used?Principle of least privilege The scrum team is attending their morning meeting, which is scheduled at the beginning of the work day.Each team member reports what they accomplished yesterday, what they plan to accomplish today, and if they have any impediments that may cause them to miss their delivery deadline. Which scrum ceremony is the team participating in?Daily Scrum What is a list of information security vulnerabilities that aims to provide names for publicly known problems?Common computer vulnerabilities and exposures (CVE) Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access?Cryptographic practices Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access?Cryptographic practices Which secure coding best practice ensures servers, frameworks, and system components are all running the latest approved versions?System configuration Which secure coding best practice says to use parameterized queries, encrypted connection strings stored in separate configuration files, and strong passwords or multi-factor authentication?Database security Which secure coding best practice says that all information passed to other systems should be encrypted?Communication security eam members are being introduced during sprint zero in the project kickoff meeting. The person being introduced is a member of the scrum team, responsible for writing feature logic and attending sprint ceremonies. Which role is the team member playing?Software developer A software security team member has created data flow diagrams, chosen the STRIDE methodology to perform threat reviews, and created the security assessment for the new product. Which category of secure software best practices did the team member perform?Architecture analysis

Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced will be a facilitator, will try to remove roadblocks and ensure the team is communicating freely, and will be responsible for facilitating all scrum ceremonies. Which role is the team member playing?Scrum master The new product standards state that all traffic must be secure and encrypted. What is the name for this secure coding practice?Communication security Which DREAD category is based on how easily a threat exploit can be repeated?Reproducibility Which mitigation technique can be used to fight against a data tampering threat?Digital signatures What is a countermeasure to the web application security frame (ASF) configuration management threat category?Compliance requirement Which type of requirement specifies that file formats the application sends to financial institutions must be certified every four years?Compliance requirement Which type of requirement specifies that credit card numbers displayed in the application will be masked so they only show the last four digits?Privacy requirement Which type of requirement specifies that user passwords will require a minimum of 8 characters and must include at least one uppercase character, one number, and one special character?Security requirement Which type of requirement specifies that credit card numbers are designated as highly sensitive confidential personal information?Data classification requirement Which privacy impact statement requirement type defines how personal information is protected on devices used by more than a single associate?Privacy control requirements In which step of the PASTA threat modeling methodology does design flaw analysis take place?Vulnerability and weakness analysis Which privacy impact statement requirement type defines who has access to personal information within the product?Access requirements Which security assessment deliverable defines milestones that will be met during each phase of the project, merged into the product development schedule?SDL project outline

Which architecture deliverable identifies whether the product adheres to organization security rules?Policy compliance analysis Which threat modeling process identifies threats to each individual object in a data flow diagram?STRIDE-per-element The DREAD methodology has been used to classify an

identified exploit where:

the attacker could log in as an administrator (damage potential) the attacker could log in at any time (reproducibility) almost anybody could perform the attack (exploitability) all system users could be affected (affected users) any person who knows how to open dev tools in a browser could find the vulnerability (discoverability) Which rating should be assigned to the exploit after performing an analysis using a ternary ranking scale where high risk = 3 points, medium risk = 2 points, and low risk = 1 point?High risk What is the recommended way to mitigate a threat identified during threat modeling?Apply a standard accepted countermeasure The organization's testing team has created a catalog of test cases using the source code and design documentation of the new product. Each test case will be executed for each user role in the new product. Which type of security testing technique is being performed?White-box Security team members have been instructed to document which developers and analysts will perform product testing and which tools they will use. Which step of the security test plan is being performed?Identify internal resources Security team members have been instructed to document how many users will access the new product and what roles those users will play. Which step of the security test plan is being performed?Define the user community The project team received a SonarQube report of their most recent stage deployment that contains 15 vulnerabilities that must be fixed before the product may be released to production. Which security testing technique is being used?Source-code analysis What is the application of multiple layers of protection so that, if one layer is breached, the next layer provides protection?Defense in depth Which design and development deliverable details the progress of personal information requirements created in earlier phases of the security development lifecycle?Privacy compliance report