WGU Master's Course C706 - Secure Software Design latest solution, Exams of Computer Fundamentals

Download WGU Master's Course C706 - Secure Software Design latest solution and more Exams Computer Fundamentals in PDF only on Docsity! pg. 1 1 Which due diligence activity for supply chain security should occur in the initiation phase of the software acquisition life cycle? A Developing a request for proposal (RFP) that includes supply chain security risk management B Lessening the risk of disseminating information during disposal C Facilitating knowledge transfer between suppliers D Mitigating supply chain security risk by providing user guidance Which due diligence activity for supply chain security investigates the means by which data sets are shared and assessed? A on-site assessment D B process policy review C third-party assessment D document exchange and review Consider these characteristics: -Identification of the entity making the access request -Verification that the request has not changed since its initiation -Application of the appropriate authorization procedures -Reexamination of previously authorized requests by the same entity B Which security design analysis is being described? A Open design B Complete mediation C Economy of mechanism D Least common mechanism Which software security principle guards against the improper modification or destruction of information and ensures the nonre- pudiation and authenticity of information? A Quality B B Integrity C Availability D Confidentiality What type of functional security requirement involves receiving, processing, storing, transmitting, and delivering in report form? A Logging C B Error handling C Primary dataflow D Access control flow Which nonfunctional security requirement provides a way to cap- ture information correctly and a way to store that information to help support later audits? A Logging A B Error handling C Primary dataflow D Access control flow Which security concept refers to the quality of information that could cause harm or damage if disclosed? A Isolation D B Discretion C Seclusion D Sensitivity A pg. 2 2 Which technology would be an example of an injection flaw, according to the OWASP Top 10? A SQL A B API C XML D XSS A company is creating a new software to track customer balance and wants to design a secure application. Which best practice should be applied? A Develop a secure authentication method that has a closed design D B Allow mediation bypass or suspension for software testing and emergency planning C Ensure there is physical acceptability to ensure software is intuitive for the users to do their jobs D Create multiple layers of protection so that a subsequent layer provides protection if a layer is breached A company is developing a secure software that has to be evalu- ated and tested by a large number of experts. Which security principle should be applied? B A Fail safe B Open design C Defense in depth D Complete mediation Which type of TCP scanning indicates that a system is moving to the second phase in a three-way TCP handshake? A TCP SYN scanning A B TCP ACK scanning C TCP XMAS scanning D TCP Connect scanning Which evaluation technique provides invalid, unexpected, or ran- dom data to the inputs of a computer software program? A Fuzz testing A B Static analysis C Dynamic analysis D Regression testing Which approach provides an opportunity to improve the software development life cycle by tailoring the process to the specific risks facing the organization? A Agile methodology D B Waterfall methodology C Building security in maturity model (BSIMM) D Software assurance maturity model (SAMM) Which phase contains sophisticated software development processes that ensure that feedback from one phase reaches to the previous phase to improve future results? A Initial C B Managed C Optimizing D Repeatable WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 5 / 33 A Following strong password policies to restrict access B Restricting file access to users based on authorization C Avoiding clear text format for credentials and sensitive data B D Using AES 256 encryption for communications of a sensitive nature Which phase of the software development life cycle (SDL/SDLC) would be used to determine the minimum set of privileges re- quired to perform the targeted task and restrict the user to a domain with those privileges? A A Design B Deploy C Development D Implementation Which least privilege method is more granular in scope and grants specific processes only the privileges necessary to perform cer- tain required functions, instead of granting them unrestricted ac- cess to the system? B A Entitlement privilege B Separation of privilege C Aggregation of privileges D Segregation of responsibilities Why does privilege creep pose a potential security risk? A User privileges do not match their job role. B With more privileges, there are more responsibilities. C Auditing will show a mismatch between individual responsibili- ties and their access rights. D Users have more privileges than they need and may perform actions outside their job description. A system developer is implementing a new sales system. The system developer is concerned that unauthorized individuals may be able to view sensitive customer financial data. Which family of nonfunctional requirements should be considered as part of the acceptance criteria? D A Integrity B Availability C Nonrepudition D Confidentiality A project manager is given the task to come up with nonfunctional acceptance criteria requirements for business owners as part of a project delivery. Which nonfunctional requirement should be applied to the accep- tance criteria? B A Give search options to users B Evaluate test execution results C Divide users into groups and give them separate rights D Develop software that keeps downward compatibility intact A user was given a task to identify a nonfunctional acceptance criteria. Which nonfunctional requirement should be applied to the accep- B tance criteria? A Encryption used during data transfer D WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 6 / 33 B Review of the most recent test results C Software developed keeping downward compatibility intact D Users divided into groups and the groups given separate rights Which technique can be used by an attacker to compromise password security when a password such as "123456" is used by an organization? A Denial-of-service attack B B Brute-force attack C Blind SQL injection D Blind XPath injection Which type of password attack tests for every possible value of a parameter? A Phishing B B Brute force C DNS poisoning D Cache poisoning Which type of attack allows the complete disclosure or destruction of all data on a system and allows attackers to spoof identity, tamper with existing data, and cause repudiation issues such as voiding transactions or changing balances? A A SQL injection B Code injection C Command injection D Special element injection Which threat uses malware that tricks users into believing that there is no way out for them except to pay to get rid of a nuisance? A Script kiddies C B Insider threats C Ransomware D Bitcoin malware Which type of application attack is used to harvest and steal sensitive information? A Whaling B B Remote access tool C Malicious file execution D Advanced persistent threat Which type of application attack is commonly waged through the use of rootkits? A Backdoor D B Time of check C Rainbow table D Escalation of privilege Which attack aims to make web service unavailable or unusable? A Spoofing B Tampering C Repudiation D Denial-of-service A company is developing a new software application that requires users to log in using a username and password. The company needs to implement a security control that is effective at prevent- ing spoofing during the log-in process. D WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 7 / 33 Which security control is effective at preventing this threat action? A Integrity B Authorization C Authentication D Confidentiality A company is developing a new database application. The com- pany needs to implement a security control that is effective at preventing tampering. Which security control is effective at preventing this threat action? A A Integrity B Authorization C Authentication D Confidentiality A bank is developing a new checking account application for cus- tomers and needs to implement a security control that is effective at preventing an elevation of privilege attack. Which security control is effective at preventing this threat action? B A Integrity B Authorization C Authentication D Confidentiality A database has a table called "orders_table" which has columns: order_no, last_name, first_name, ship_city, credit_card A hacker wants to perform the following SQL injection code to attack this table: B SELECT * FROM orders_table WHERE order_no= ' ' OR '1'='1'; Which software testing technique is the most effective approach to identify this attack? A Fuzz testing B Input validation C Dynamic code analysis D Vulnerablilty scanning probe Which software security testing technique can be categorized as white box? A Byte code analysis C B Binary code analysis C Source code analysis D Dynamic code analysis Which software testing approach can be used against an attacker who manipulates input strings in banking software to gain access to another individual's overdrawn account in order to withdraw funds? C A Fuzz testing B Dynamic testing C Misuse case testing D Application interface testing C WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 10 / 33 A system administrator wants to use physical controls to prevent unauthorized access to information that belongs to users at a different security level. Which strategy would prevent this problem? D A Layering B Abstraction C Process isolation D Hardware segmentation A video company has installed new software. The developers need to establish a defense against zero-day attacks. What is the best way to manage this vulnerability? C A Apply threat modeling B Use a strong password C Install the latest patches D Create another user log-in Which type of attack would a hacker use to exploit a vulnerability that allows access to be increased to the administrator level? A Rootkit A B Whaling C Waterhole D Dictionary Which type of attack involves exploiting a social engineering vulnerability over voice communications? A Rootkit B B Vishing C Waterhole D Dictionary Which method provides line-of-code-level detection that enables development teams to remediate vulnerabilities quickly? A Dynamic Cone Pen Testing (DCPT) B B Static Application Security Testing (SAST) C Common Weaknesses Enumeration (CWE) D Common Vulnerabilities and Exposures (CVE) Which technique should be used to detect a software vulnerability that causes extra characters to appear in data fields of a front-fac- ing web application? A Static analysis A B Dynamic analysis C Binary code analysis D Property-based testing What is a known SDL metric used to measure protection against vulnerabilities? A The number of files or objects B findings summary report C C The number of security defects found through static analysis tools D The progress against privacy requirements provided in earlier phases Which statement is true of covert channels? A covert channels are addressed by a C2 rating provided by WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 11 / 33 TCSEC. B covert channels act a trusted path for authorized communica- tion. C covert channels regulate the information flow and implements the security policy. D covert channels are not controlled by a security mechanism. Which security threat often uses tracking cookies to collect and report on a user's activities? A spyware A B virus C worm D Trojan horse Which term describes a module's ability to perform its job without using other modules? A low cohesion D B high cohesion C high coupling D low coupling Which type of virus installs itself under the anti-virus system and intercepts any calls that the anti-virus system makes to the operating system? A script virus B B tunneling virus C boot sector virus D meme virus Which statement correctly defines dynamic data exchange (DDE)? A DDE allows multiple applications to share and exchange the same set of data. B DDE is an interface to link information between various data- bases. C DDE is a graphical technique that is used to track the progress of a project over a period of time. D DDE is a software interface that enables communication be- tween an application and a database. How does an ActiveX component enforce security? A by using sandboxes B by using object codes C by using macro languages D by using Authenticode Which statements are true regarding software process assess- ments?Choose TWO: A They develop an action plan for continuous process improve- ment. B They identify contractors who are qualified to develop software or to monitor the state of the software process in a current soft- ware project. C They determine the state of an organization's current software process and are used to gain support from within the organization for a software process improvement program. D They develop a risk profile for source selection. D A D AC pg. 1 1 Which due diligence activity for supply chain security should occur in the initiation phase of the software acquisition life cycle? A Developing a request for proposal (RFP) that includes supply chain security risk management B Lessening the risk of disseminating information during disposal C Facilitating knowledge transfer between suppliers D Mitigating supply chain security risk by providing user guidance Which due diligence activity for supply chain security investigates the means by which data sets are shared and assessed? A on-site assessment D B process policy review C third-party assessment D document exchange and review Consider these characteristics: -Identification of the entity making the access request -Verification that the request has not changed since its initiation -Application of the appropriate authorization procedures -Reexamination of previously authorized requests by the same entity B Which security design analysis is being described? A Open design B Complete mediation C Economy of mechanism D Least common mechanism Which software security principle guards against the improper modification or destruction of information and ensures the nonre- pudiation and authenticity of information? A Quality B B Integrity C Availability D Confidentiality What type of functional security requirement involves receiving, processing, storing, transmitting, and delivering in report form? A Logging C B Error handling C Primary dataflow D Access control flow Which nonfunctional security requirement provides a way to cap- ture information correctly and a way to store that information to help support later audits? A Logging A B Error handling C Primary dataflow D Access control flow Which security concept refers to the quality of information that could cause harm or damage if disclosed? A Isolation D B Discretion C Seclusion D Sensitivity A pg. 2 2 Which technology would be an example of an injection flaw, according to the OWASP Top 10? A SQL A B API C XML D XSS A company is creating a new software to track customer balance and wants to design a secure application. Which best practice should be applied? A Develop a secure authentication method that has a closed design D B Allow mediation bypass or suspension for software testing and emergency planning C Ensure there is physical acceptability to ensure software is intuitive for the users to do their jobs D Create multiple layers of protection so that a subsequent layer provides protection if a layer is breached A company is developing a secure software that has to be evalu- ated and tested by a large number of experts. Which security principle should be applied? B A Fail safe B Open design C Defense in depth D Complete mediation Which type of TCP scanning indicates that a system is moving to the second phase in a three-way TCP handshake? A TCP SYN scanning A B TCP ACK scanning C TCP XMAS scanning D TCP Connect scanning Which evaluation technique provides invalid, unexpected, or ran- dom data to the inputs of a computer software program? A Fuzz testing A B Static analysis C Dynamic analysis D Regression testing Which approach provides an opportunity to improve the software development life cycle by tailoring the process to the specific risks facing the organization? A Agile methodology D B Waterfall methodology C Building security in maturity model (BSIMM) D Software assurance maturity model (SAMM) Which phase contains sophisticated software development processes that ensure that feedback from one phase reaches to the previous phase to improve future results? A Initial C B Managed C Optimizing D Repeatable WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 5 / 33 A Following strong password policies to restrict access B Restricting file access to users based on authorization C Avoiding clear text format for credentials and sensitive data B D Using AES 256 encryption for communications of a sensitive nature Which phase of the software development life cycle (SDL/SDLC) would be used to determine the minimum set of privileges re- quired to perform the targeted task and restrict the user to a domain with those privileges? A A Design B Deploy C Development D Implementation Which least privilege method is more granular in scope and grants specific processes only the privileges necessary to perform cer- tain required functions, instead of granting them unrestricted ac- cess to the system? B A Entitlement privilege B Separation of privilege C Aggregation of privileges D Segregation of responsibilities Why does privilege creep pose a potential security risk? A User privileges do not match their job role. B With more privileges, there are more responsibilities. C Auditing will show a mismatch between individual responsibili- ties and their access rights. D Users have more privileges than they need and may perform actions outside their job description. A system developer is implementing a new sales system. The system developer is concerned that unauthorized individuals may be able to view sensitive customer financial data. Which family of nonfunctional requirements should be considered as part of the acceptance criteria? D A Integrity B Availability C Nonrepudition D Confidentiality A project manager is given the task to come up with nonfunctional acceptance criteria requirements for business owners as part of a project delivery. Which nonfunctional requirement should be applied to the accep- tance criteria? B A Give search options to users B Evaluate test execution results C Divide users into groups and give them separate rights D Develop software that keeps downward compatibility intact A user was given a task to identify a nonfunctional acceptance criteria. Which nonfunctional requirement should be applied to the accep- B tance criteria? A Encryption used during data transfer D WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 6 / 33 B Review of the most recent test results C Software developed keeping downward compatibility intact D Users divided into groups and the groups given separate rights Which technique can be used by an attacker to compromise password security when a password such as "123456" is used by an organization? A Denial-of-service attack B B Brute-force attack C Blind SQL injection D Blind XPath injection Which type of password attack tests for every possible value of a parameter? A Phishing B B Brute force C DNS poisoning D Cache poisoning Which type of attack allows the complete disclosure or destruction of all data on a system and allows attackers to spoof identity, tamper with existing data, and cause repudiation issues such as voiding transactions or changing balances? A A SQL injection B Code injection C Command injection D Special element injection Which threat uses malware that tricks users into believing that there is no way out for them except to pay to get rid of a nuisance? A Script kiddies C B Insider threats C Ransomware D Bitcoin malware Which type of application attack is used to harvest and steal sensitive information? A Whaling B B Remote access tool C Malicious file execution D Advanced persistent threat Which type of application attack is commonly waged through the use of rootkits? A Backdoor D B Time of check C Rainbow table D Escalation of privilege Which attack aims to make web service unavailable or unusable? A Spoofing B Tampering C Repudiation D Denial-of-service A company is developing a new software application that requires users to log in using a username and password. The company needs to implement a security control that is effective at prevent- ing spoofing during the log-in process. D WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 7 / 33 Which security control is effective at preventing this threat action? A Integrity B Authorization C Authentication D Confidentiality A company is developing a new database application. The com- pany needs to implement a security control that is effective at preventing tampering. Which security control is effective at preventing this threat action? A A Integrity B Authorization C Authentication D Confidentiality A bank is developing a new checking account application for cus- tomers and needs to implement a security control that is effective at preventing an elevation of privilege attack. Which security control is effective at preventing this threat action? B A Integrity B Authorization C Authentication D Confidentiality A database has a table called "orders_table" which has columns: order_no, last_name, first_name, ship_city, credit_card A hacker wants to perform the following SQL injection code to attack this table: B SELECT * FROM orders_table WHERE order_no= ' ' OR '1'='1'; Which software testing technique is the most effective approach to identify this attack? A Fuzz testing B Input validation C Dynamic code analysis D Vulnerablilty scanning probe Which software security testing technique can be categorized as white box? A Byte code analysis C B Binary code analysis C Source code analysis D Dynamic code analysis Which software testing approach can be used against an attacker who manipulates input strings in banking software to gain access to another individual's overdrawn account in order to withdraw funds? C A Fuzz testing B Dynamic testing C Misuse case testing D Application interface testing C WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 10 / 33 A system administrator wants to use physical controls to prevent unauthorized access to information that belongs to users at a different security level. Which strategy would prevent this problem? D A Layering B Abstraction C Process isolation D Hardware segmentation A video company has installed new software. The developers need to establish a defense against zero-day attacks. What is the best way to manage this vulnerability? C A Apply threat modeling B Use a strong password C Install the latest patches D Create another user log-in Which type of attack would a hacker use to exploit a vulnerability that allows access to be increased to the administrator level? A Rootkit A B Whaling C Waterhole D Dictionary Which type of attack involves exploiting a social engineering vulnerability over voice communications? A Rootkit B B Vishing C Waterhole D Dictionary Which method provides line-of-code-level detection that enables development teams to remediate vulnerabilities quickly? A Dynamic Cone Pen Testing (DCPT) B B Static Application Security Testing (SAST) C Common Weaknesses Enumeration (CWE) D Common Vulnerabilities and Exposures (CVE) Which technique should be used to detect a software vulnerability that causes extra characters to appear in data fields of a front-fac- ing web application? A Static analysis A B Dynamic analysis C Binary code analysis D Property-based testing What is a known SDL metric used to measure protection against vulnerabilities? A The number of files or objects B findings summary report C C The number of security defects found through static analysis tools D The progress against privacy requirements provided in earlier phases Which statement is true of covert channels? A covert channels are addressed by a C2 rating provided by WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 11 / 33 TCSEC. B covert channels act a trusted path for authorized communica- tion. C covert channels regulate the information flow and implements the security policy. D covert channels are not controlled by a security mechanism. Which security threat often uses tracking cookies to collect and report on a user's activities? A spyware A B virus C worm D Trojan horse Which term describes a module's ability to perform its job without using other modules? A low cohesion D B high cohesion C high coupling D low coupling Which type of virus installs itself under the anti-virus system and intercepts any calls that the anti-virus system makes to the operating system? A script virus B B tunneling virus C boot sector virus D meme virus Which statement correctly defines dynamic data exchange (DDE)? A DDE allows multiple applications to share and exchange the same set of data. B DDE is an interface to link information between various data- bases. C DDE is a graphical technique that is used to track the progress of a project over a period of time. D DDE is a software interface that enables communication be- tween an application and a database. How does an ActiveX component enforce security? A by using sandboxes B by using object codes C by using macro languages D by using Authenticode Which statements are true regarding software process assess- ments?Choose TWO: A They develop an action plan for continuous process improve- ment. B They identify contractors who are qualified to develop software or to monitor the state of the software process in a current soft- ware project. C They determine the state of an organization's current software process and are used to gain support from within the organization for a software process improvement program. D They develop a risk profile for source selection. D A D AC WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 12 / 33 What is the best description of CAPI? A an application programming interface that uses two-factor au- thentication B an application programming interface that provides encryption C an application programming interface that uses Kerberos D an application programming interface that provides account- ability Your company decides you must purchase a new software prod- uct to help the marketing staff manage their marketing campaigns and resources. During which phase of the software acquisition process is the product actually deployed? B A Planning phase B Monitoring phase C Maintaining phase D Contracting phase What is the definition of polymorphism? A the ability to suppress superfluous details so that the important properties can be examined B when different objects respond to the same command or input B in different ways C the process of categorizing objects that will be appropriate for a solution D representation of a real-world problem What is another name for an asynchronous attack? A time-of-check/time-of-use (TOC/TOU) attack B race condition C maintenance hook D buffer overflow Which virus is written in Visual Basic (VB) and is capable of infecting operating systems? A stealth virus D B self-garbling virus C polymorphic virus D macro virus Which statement correctly defines spamming attacks? A sending spoofed packets with the same source and destination address B sending multiple spoofed packets with the SYN flag set to the C target host on an open port C repeatedly sending identical e-mails to a specific address D using ICMP oversized echo messages to flood the target com- puter What is an example of privilege escalation? A gaining access to a restricted file by changing the permissions of your valid account B gaining access to a restricted file by using a Trojan horse C gaining access to a system by impersonating a user to obtain his credentials D gaining access to a system by using another user's credentials A hacker has used a design flaw in an application to obtain unauthorized access to the application. B A A WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 15 / 33 C not an example of data diddling. D involves stealing small amounts of money from multiple ac- counts. Your company decides that a new software product must be purchased to help the marketing staff manage their marketing campaigns and the resources used. During which phase of the software acquisition process do you document the software requirements? C A Monitoring phase B Maintaining phase C Planning phase D Contracting phase You have been tasked with the development of a new application for your organization. You are engaged in the project initiation phase. Which activity should you implement during this phase? D A certification and accreditation B defining formal functional baseline C functionality and performance tests D identification of threats and vulnerabilities Which Web browser add-in uses Authenticode for security? A Common Gateway Interface (CGI) B ActiveX C Cross-site scripting (XSS) D Java Which statement correctly defines the multipart virus? A multipart virus is coded in macro language. B multipart virus can change some of its characteristics while it replicates. D C multipart virus can hide itself from antivirus software by distort- ing its code. D multipart virus can infect both executable files and boot sectors of hard disk drives. Which malicious software relies upon other applications to ex- ecute and infect the system?Each correct answer represents a complete solution. Choose two. A worm CD B logic bomb C Trojan horse D virus What is the primary function of COCOMO? A cost estimation B time estimation C risk estimation D threat analysis You have implemented a new network for a customer. Manage- ment has requested that you implement anti-virus software that is capable of detecting all types of malicious code, including unknown malware. A Which type of anti-virus software should you implement? B A WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 16 / 33 A heuristic detection B behavior blocking C immunization D signature-based detection During a recent security assessment, you discover that a com- puter on your network has been compromised. An application has been inadvertently installed on the computer. This application allows a criminal to use the compromised computer to carry out an attack. What is the term for this compromised computer? D A victim B botnet C bot D zombie Recently, your company's file server was the victim of a hacker attack. After researching the attack, you discover that multiple computers were used to implement the attack, which eventually caused the file server to overload. Which attack occurred? C A ping of death attack B land attack C distributed denial-of-service (DDoS) attack D denial-of-service (DoS) attack Which pair of processes should be separated from each other to manage the stability of the test environment? A testing and validity B B testing and development C validity and production D validity and security A custom application is used to manage your company's human resources files. A manager reports that certain users are able to perform actions that should not be permitted. When you research this issue, you discover that the users have been granted an inappropriate permission. Which type of security threat has occurred? A A privilege escalation B virus C logic bomb D worm After a software development project is completed, management decides to reassign its physical resources, after first ensuring that there is no residual data left on the medium. Which term is used to describe this practice? D A dynamic data exchange B polymorphism C metadata D object reuse Your organization has recently implemented an artificial neural network (ANN). The ANN enabled the network to make decisions based on the experience provided to them. WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 17 / 33 Which characteristic of the ANN is described? A adaptability B fault tolerance C neural integrity D retention capability What is used in evolutionary computing? A characteristics of living organisms B knowledge from an expert C mathematical or computational models D genetic algorithms Which statement correctly defines the object-oriented database model? A The relationship between data elements is in the form of a logical tree. D B It is a hybrid between relational and object-based databases. C It logically interconnects remotely located databases. D It can store data that includes multimedia clips, images, video, and graphics. You need to view events on host name registrations. Which log in Event Viewer should you view? A Security C B System C DNS D Application A developer has requested a particular change in the configura- tion of a file server. Which step should occur next in the change process if a change control policy is in place? A A Document the change. B Approve the change. C Implement the change. D Test the change. An organization's Web site includes several Java applets. The Java applets include a security feature that limits the applet's access to certain areas of the Web user's system. How does it do this? C A by using macro languages B by using digital and trusted certificates C by using sandboxes D by using object codes Which statement correctly defines the capability maturity model in the context of software development? A It is a model based on conducting reviews and documenting the reviews in each phase of the software development cycle. C B It is a model based on analyzing the risk and building prototypes and simulations during the various phases of the software devel- opment cycle. C It is a model that describes the principles, procedures, and A D WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 20 / 33 C prototyping D interpretation An attacker is in the process of making an unauthorized change to some data in your database. You need to cancel any database changes from the transaction and return the database to its previous state. Which database operation should you use? C A savepoint B checkpoint C rollback D commit Which extensions are used for naming batch files in a Microsoft environment? a. bat b. cmd c. dll d. exe E A option d B option c C option b D option a E options a and b only F options c and d only G options b and c only Which statement correctly describes a Trojan horse? A modifies IP addresses in an IP packet to imitate an authorized source. D B To be executed, it depends upon other programs. C social engineering technique. D embeds malicious code within useful utilities. You need to ensure that data types and rules are enforced in the database. Which type of integrity should be enforced? B A entity integrity B semantic integrity C cell suppression D referential integrity Which statement is true of programming languages? A The compiler translates one command at a time. B Assemblers translate assembly language into machine lan- guage. B C A high-level programming language requires more time to code instructions. D High cohesion and high coupling represent the best program- ming. Recently, an attacker injected malicious code into a Web applica- tion on your organization's Web site. Which type of attack did your organization experience? B A buffer overflow B cross-site scripting WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 21 / 33 C path traversal D SQL injection Which type of virus is specifically designed to infect programs as they are loaded into memory? A companion C B nonresident C resident D boot sector replication Which spyware technique inserts a dynamic link library into a running process's memory? A SMTP open relay B B DLL injection C cookies D buffer overflow What is responsible for preserving authorized restrictions on in- formation access and disclosure, including means for protecting personal privacy and proprietary information? A Integrity D B Availability C Authorization D Confidentiality Which concept in the software life cycle understands the potential security threats to the system, determines risk, and establishes appropriate mitigations? A Penetration testing B B Threat modeling C Attack surface validation D Vulnerability assessment The majority of against software some vulnerability or weakness in that software; these terms are often used interchangeably. A attacks, exploit A B malware, flaw C threats, hack D mitigations, remediate What are two attributes which complement each other and en- hance overall software product integrity and market value? A Open source, closed source C B Proprietary, shared C Quality, security D Reliability, usability and are the two properties that support confidentiality as one ensures users have the appropriate role and privilege to view data, and the other ensures users are who they claim to be and that the data come from the appropriate place. A A Authorization, authentication B Availability, authenticity C Access, authorization D Asymmetry, access What is responsible for ensuring timely and reliable access to and use of information? WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 22 / 33 A Authorization B Confidentiality C Integrity D Availability What is responsible for guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity? A Availability B Integrity C Confidentiality D Authorization Developers must take the time to code , and eradi- cate security flaw before the code goes into produc- tion. A efficiently, the most common B quickly, the least possible C cleanly, every possible D slowly, the most prevalent security is about building secure software: de- signing software to be secure; making sure that software is se- cure; and educating software developers, architects, and users about how to "build security in". security is about protecting software and the systems that software runs in a post facto, only after development is complete. modeling and surface validation are perhaps the most time-consuming, misunderstood, and dif- ficult parts of the SDL. This requires the attention of the most seasoned and experienced person of the software security team: the software security architect. Which concept in the software lifecycle understands the potential security threats to the system, determines risk, and establishes appropriate mitigations? A Threat modeling B Attack surface validation C Vulnerability assessment D Penetration testing software is a way to envision the interactions of the proposed software within its intended environment. A Analyzing B Validating C Modeling D Pentesting The most well-known SDL model is the , a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. This is considered the most mature of the top three models. A OWASP Security Development Lifecycle B Cisco Secure Development Lifecycle C Trustworthy Computing Security Development Lifecycle D Cigital Software Security Touchpoints model The is a study of real-world software security initia- tives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over D B C Software, Application Threat, attack A C C WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 25 / 33 Which requirements describe what an application must do to serve a business need? A Fictional requirements C B Nonfictional requirements C Functional requirements D Nonfunctional requirements Which requirements address how well the requirements are met or constrain the requirements to specified operating ranges? A Functional requirements B B Nonfunctional requirements C Fictional requirements D Nonfictional requirements The setting of the for any SDL phase will make it more effective and will help in performing post-mortem afterwards to understand what worked and what did not. A discovery meeting C B project plan C key success factors D impact assessment Unless the senior leadership of the development organization and the management team support the SDL, it will likely fail. It must be driven by a policy that is signed off on, promulgated, and provides support by the software development management team and ideally by the CEO. (True or False) A False B True What are these known as? Steps: 1) Identify security objectives 2) Survey the application 3) Decompose it 4) Identify threats 5) Identify vulnerabilities The diagram produced in this stage of the threat modeling process is called a(n) with focus on how data moves through the software solution and what happens to the data as it moves. A Data Flow Diagram (DFD) B TFT C STRIDE D MITM STRIDE Threat action that is designed to illegally access and use another user's credentials, such as username and pass- word—Authentication is also known as . STRIDE Threat action aimed to maliciously change/modify per- sistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet—Integrity is also known as . STRIDE Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited opera- tions—Nonrepudiation is also known as . The 5 steps of the threat risk modeling process A Spoofing Tampering Repudiation B WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 26 / 33 STRIDE Threat action to read a file that one was not granted access to, or to read data in transit—Confidentiality is also known as . STRIDE Threat aimed to deny access to valid users, such as by making a Web server temporarily unavailable or unusable—Avail- ability is also known as . STRIDE Threat aimed to gain privileged access to re- sources for gaining unauthorized access to information or to compromise a system—Authorization is also known as . The increasing trend in the software industry to draw on the strengths of various types of software to deliver the highest value at the lowest cost is called . A mixed source B shareware C proprietary D open source The phase determines how PII will be handled to ensure that it conforms to applicable legal, regulatory, and policy requirements regarding privacy. A threat B compliance C analysis D selection Which exercise requires a special set of skills, experience, and mindset, and requires the team to think like an adversary? A Security modeling B Exploit modeling C Vulnerability modeling D Threat modeling Which artifact lists software requirements and business risks mapped to the three pillars of information security? A Formal business requirement B Informal business requirement C Formal compliance requirement D Informal security requirement Which assessment requires an extensive review that will be con- ducted by your software security architect, a third party, or a combination of both? A Compliance assessment B Security assessment C Quality assessment D Policy assessment During this phase, any policy that exists outside the domain of the SDL policy is reviewed and might include policies from outside the development organization that set security and privacy require- ments and guidelines to be adhered to when developing software or applications. What is this phase? A Policy compliance analysis B Policy compliance assessment Information disclosure Denial of service Elevation of privilege A C D A B A WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 27 / 33 C Policy requirements assessment D Policy compliance review The principle requires that completion of a specified sensitive activity or access to sensitive objects is dependent on the satisfaction of multiple conditions. It forces collusion among entities in order to compromise the system. means that if a system fails, it should fail to a state where the security of the system and its data are not compro- mised. In the situation where system recovery is not done automatically, the failed system should permit access only by the system admin- istrator and not by users, until security controls are reestablished. promotes simple and comprehensible de- sign and implementation of protection mechanisms, so that unin- tended access paths do not exist or can be readily identified and eliminated. is where every request by a subject to access an object in a computer system must undergo a valid and effective authorization procedure. means that designs that are kept secret versus de- signs that are open to scrutiny are evaluated by the community at large. states that a minimum number of protective mechanisms should be common to multiple users, as shared access paths can be sources of unauthorized information ex- change. Shared access paths that provide unintentional data transfers are known as covert channels. It promotes the least possible sharing of common security mech- anisms. Which risk describes the feature, product, or service that stores or transfers personally identifiable information (PII), changes set- tings or file type associations, or installs software? A Low Privacy Risk B No Privacy Risk C High Privacy Risk D Moderate Privacy Risk is the application of multiple layers of protection, such that a subsequent layer will provide protection if a previous layer is breached. A Least privilege B Separation of duties C Defense in depth D Fail safe policy A means that if a system ceases to function, it moves to a state where the security of the system and its data are not compromised. A fail safe policy B least privilege C separation of duties D defense in depth Separation of duties Fail safe Economy of mechanism Complete mediation Open design Least common mechanism C C A WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 30 / 33 A SSC B SSE B C SES D SSD In relation to software security, a(n) is responsible for responding to software product security incidents involving external discoveries of post-release software product security vulnerabilities. B A CIRT B PSIRT C GCIH D CERT Which two International Standards Organization (ISO) standards relate to the proper functioning of a vendor PSIRT? A 14000; 14001 C B 9000; 9001 C 29147; 30111 D 9001; 14001 Which example of security or privacy certification or standard applies to healthcare? A FISMA D B FIPS C DIACAP D HIPAA What requires communication cadence with customers that should be formalized and published so that everyone in the com- pany is aware of it and can invoke it if needed? A External vulnerability disclosure response process A B Post-release certifications C Third-party security reviews D Security strategy for legacy code, M&A, and EOL plans What consists of multiple security assessments from independent parties? A Third-party security reviews A B Security strategy for legacy code, M&A, and EOL plans C Post-release certifications D External vulnerability disclosure response process Which path illustrates the flow of activities through the SDL? A Architect Ò Test Ò Code Ò Design B Code Ò Design Ò Architect Ò Test C Design Ò Architect Ò Code Ò Test D Architect Ò Design Ò Code Ò Test What is one of most well-known sets of security design principles as defined by OWASP? A Trust infrastructure C B Trust services C Fail securely D Keep security complex What are advantages of dynamic analysis? A Can only be conducted on custom applications D WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 31 / 33 B Permits validating static code analysis findings C Requires the analysis of applications for which you have access to the actual code D Restricts the collection of temporal information In an process, everyone is involved in security. Se- curity personnel mustn't toss security "over the wall" and expect secure results. Development teams will likely perceive such a toss as an inter- jection into the work with which they're already tasked. Requirements and architecture as a front-end process to Agile cycles is also known as . A dashes B sprints C pushes D rushes What is the first step in the architecture task flow for when a project is new or a redesign? A Test Plan B Design Review C Architecture Assessment D Threat Model What is one principle that should be used during the development of software as defined by software security expert Gary McGraw? A Share mechanisms B Make security invisible C Assume your secrets are safe D Grant least privilege cyber threats are typically surgical by nature, have highly specific targeting, and are technologically sophisti- cated. software attacks are highly repeatable, use gen- eral targeting against a broad industry (e.g., military, finance, energy) or groups of individuals (e.g., politicians, executives), and must have long-term staying power. HINT: They are less sophisticated in comparison to TACTICAL threats and typically are lower in cost to develop and maintain. Which of the four basic steps is considered a new defense con- cept to combat cyberattacks as defined by the U.S. Department of Defense? A Implement industry standard defense operating concepts and computing architectures B Employ a passive cyber defense capability to prevent intrusions C Utilize current cyber best practices to improve cyber security D Deter and mitigate insider threats The standard defines application security as a process that an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them. A ISO 27034 B ISO 13485 C ISO 9001 D ISO 31000 B Agile B C D Tactical Strategic D A WGU Master's Course C706 - Secure Software Design Study online at https://quizlet.com/_9nx0qn 32 / 33 Post-release support (PRSA1-5) is typically conducted by your internal organization. A True B False What is a concern of security in third-party software? A Secure development environment B Security implanted during development C Digital "aluminum foil" D Untrusted distributions of software A disadvantage of using third-party software is inflexibility. A True B False Which term is used for software in government systems? A COTS B NOTS C GOTS D LOTS What is a challenge of using proprietary software? A Proprietary format B Open source nature C Decreased license fees D No End of Support What is one disadvantage to outsourcing software development to a third party? A Tailored to business needs B Experience with technology C Ownership of code D Available skilled resources Which of the following is a consideration when evaluating ven- dors? A Social Media Policy B Priority Awareness C Accreditation D Certification Which of the following represents an example of a vendor cus- tomization? A Reporting components B Incompatibility with other systems C Access control inadherence D Privacy regulation avoidance is to provide assurance to management of the effectiveness of the security program and compliance with reg- ulations. Which of the following is important criteria in choosing a vendor to purchase a product? A Cost B Repudiation C Lateralization D Unqualified staff B A A C A C D A Role of Audit A