QUESTIONS WITH 100% CORRECT ANSWERS
What is the study of real-world software security initiatives, organized so companies can measure their initiatives and understand how to evolve them over time?
A) Building Security in Maturity Model (BSIMM)
B) Security features and design
C) OWASP Software Assurance Maturity Model (SAMM)
D) ISO 27001
Answer: A) Building Security in Maturity Model (BSIMM)

What is the analysis of computer software that is performed without executing programs?
A) Static analysis
B) Fuzzing
C) Dynamic analysis
D) OWASP ZAP
Answer: A) Static analysis

Which ISO standard is the benchmark for information security today?
A) ISO/IEC 27001
B) ISO/IEC 7799
C) ISO/IEC 27034
D) ISO 8601
Answer: A) ISO 27001

What is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time?
A) Dynamic analysis
B) Static analysis
C) Fuzzing
D) Security testing
Answer: A) Dynamic analysis

Which role is responsible for designing, planning, and implementing secure coding practices and security testing methodologies?
A) Software security architect
B) Product security developer
C) Software security champion
D) Software tester
Answer: A) Software security architect

A company is preparing to add a new feature to its flagship software product. The new feature is similar to features that have been added in previous years, and the requirements are well-documented. The project is expected to last three to four months, at which time the new feature will be released to customers. Project team members will focus solely on the new feature until the project ends.
Which software development methodology is being used?
A) Waterfall
B) Agile
C) Scrum
D) Extreme programming
Answer: A) Waterfall

A new product will require an administration section for a small number of users. Normal users will be able to view limited customer information and should not see admin functionality within the application.
Which concept is being used?
A) Principle of least privilege
B) Privacy
C) Software security champion
D) Elevation of privilege
Answer: A) Principle of least privilege

The software security team is currently working to identify approaches for input validation, authentication, authorization, and configuration management of a new software product so they can deliver a security profile.
Which threat modeling step is being described?
A) Analyzing the target
B) Drawing data flow diagram
C) Rating threats
D) Identifying and documenting threats
Answer: A) Analyzing the target

The scrum team is attending their morning meeting, which is scheduled at the beginning of the work day. Each team member reports what they accomplished yesterday, what they plan to accomplish today, and whether they have any impediments that may cause them to miss their delivery deadline.
Which scrum ceremony is the team participating in?
A) Daily scrum
B) Sprint review
C) Sprint retrospective
D) Sprint planning
Answer: A) Daily scrum

What is a list of information security vulnerabilities that aims to provide names for publicly known problems?
A) Common Computer Vulnerabilities and Exposures (CVE)
B) SANS Institute Top Cyber Security Risks
C) Bugtraq
D) Carnegie Mellon Computer Emergency Readiness Team (CERT)
Answer: A) Common Computer Vulnerabilities and Exposures (CVE)

Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access?
A) Access control
B) Authentication and password management
C) Cryptographic practices
D) Data protection
Answer: C) Cryptographic practices

Which secure coding best practice ensures servers, frameworks, and system components are all running the latest approved versions?
A) File management
B) Input validation
C) Database security
D) System configuration
Answer: D) System configuration