WGU C706 Secure Software Design Study Guide –
Questions With Verified Solutions
Availability Accurate Answer:- The computing systems used to store
and process information, the security controls used to protect information,
and the communication channels used to access information must be
functioning correctly. Ensures system remains operational even in the event
of a failure or an attack. It is achieved by providing redundancy or fault
tolerance for a failure of a system and its components.
Confidentiality Accurate Answer:- Information is not made available or
disclosed to unauthorized individuals, entities, or processes. Ensures
unauthorized persons are not able to read private and sensitive data. It is
achieved through cryptography.
Integrity Accurate Answer:- Ensures unauthorized persons or channels
are not able to modify the data. It is accomplished through the use of a
message digest or digital signatures.
Ensure Confidentiality Accurate Answer:- Public Key Infrastructure
(PKI) and Cryptography/Encryption
Ensure Availability Accurate Answer:- Offsite back-up and Redundancy
Ensure Integrity Accurate Answer:- Hashing, Message Digest (MD5),
non repudiation and digital signatures
Software Architect Accurate Answer:- Moves analysis to
implementation and analyzes the requirements and use cases as activities to
perform as part of the development process; can also develop class diagrams.
Security Practitioner Roles Accurate Answer:- Release Manager,
Architect, Developer, Business Analyst/Project Manager
Release Manager Accurate Answer:- Deployment
Architect Accurate Answer:- Design
,Developer Accurate Answer:- Coding
Business Analyst/Project Manager Accurate Answer:- Requirements
Gathering
Red Team Accurate Answer:- Teams of people familiar with the
infrastructure of the company and the languages of the software being
developed. Their mission is to kill the system as the developers build it.
Static Analysis Accurate Answer:- A method of computer program
debugging that is done by examining the code without executing the program.
The process provides an understanding of the code structure, and can help to
ensure that the code adheres to industry standards. It's also referred as code
review.
MD5 Hash Accurate Answer:- A widely used hash function producing a
128-bit hash value. Initially designed to be used as a cryptographic hash
function, it has been found to suffer from extensive vulnerabilities. It can still
be used as a checksum to verify data integrity, but only against unintentional
corruption.
SHA-256 (Secure Hash Algorithm) Accurate Answer:- One of a number
of cryptographic hash functions. A cryptographic hash is like a signature for a
text or a data file. Generates an almost-unique, fixed size 32-byte
(32 X 8) hash. Hash is a one-way function - it cannot be decrypted.
Advanced Encryption Standard (AES) Accurate Answer:- A symmetric
encryption algorithm. The algorithm was developed by two Belgian
cryptographers Joan Daemen and Vincent Rijmen. Designed to be efficient in
both hardware and software, and supports a block length of 128 bits and key
lengths of 128, 192, and 256 bits.
Algorithms used to verify integrity Accurate Answer:- MD5 Hash, SHA-
256
Algorithm used to verify confidentiality Accurate Answer:- Advanced
Encryption Standard (AES)
, Stochastic Accurate Answer:- unintentional or accidental
safety-relevant faults Accurate Answer:- stochastic (i.e., unintentional
or accidental)
security-relevant faults Accurate Answer:- "Sponsored," i.e.,
intentionally created and activated through conscious and intentional human
agency.
Fuzz Testing Accurate Answer:- Used to see if the system has solid
exception handling to the input it receives. Is the use of malformed or random
input into a system in order to intentionally produce failure. This is a very
easy process of feeding garbage to the system when it expects a formatted
input, and it is always a good idea to feed as much garbage as possible to an
input field.
Three (3) Tier Accurate Answer:- Removes the business logic from the
client end of the system. It generally places the business logic on a separate
server from the client. The data access portion of the system resides
separately from both the client and the business logic platform.
T-MAP Accurate Answer:- Defines a set of threat-relevant attributes for
each layer or node. These can be classified as probability-relevant, size-of-loss
relevant, or descriptive. These are primarily derived from Common
Vulnerability Scoring System (CVSS). USC's Threat Modeling based on
Attacking Path analysis is a risk management approach that quantifies total
severity weights of relevant attacking paths for COTS-based systems. Its
strengths lie in its ability to maintain sensitivity to an organization's business
value priorities and IT environment, to prioritize and estimate security
investment effectiveness and evaluate performance, and to communicate
executive-friendly vulnerability details as threat profiles to help evaluate cost
efficiency.
Trike Accurate Answer:- An open source conceptual framework,
methodology, and tool set designed to auto-generate repeatable threat
models. Its methodology enables the risk analyst to accurately and completely
describe the security characteristics of the system, from high-level
architecture to low-level implementation of details. It also requires building a
defensive model of the subject system.
Questions With Verified Solutions
Availability Accurate Answer:- The computing systems used to store
and process information, the security controls used to protect information,
and the communication channels used to access information must be
functioning correctly. Ensures system remains operational even in the event
of a failure or an attack. It is achieved by providing redundancy or fault
tolerance for a failure of a system and its components.
Confidentiality Accurate Answer:- Information is not made available or
disclosed to unauthorized individuals, entities, or processes. Ensures
unauthorized persons are not able to read private and sensitive data. It is
achieved through cryptography.
Integrity Accurate Answer:- Ensures unauthorized persons or channels
are not able to modify the data. It is accomplished through the use of a
message digest or digital signatures.
Ensure Confidentiality Accurate Answer:- Public Key Infrastructure
(PKI) and Cryptography/Encryption
Ensure Availability Accurate Answer:- Offsite back-up and Redundancy
Ensure Integrity Accurate Answer:- Hashing, Message Digest (MD5),
non repudiation and digital signatures
Software Architect Accurate Answer:- Moves analysis to
implementation and analyzes the requirements and use cases as activities to
perform as part of the development process; can also develop class diagrams.
Security Practitioner Roles Accurate Answer:- Release Manager,
Architect, Developer, Business Analyst/Project Manager
Release Manager Accurate Answer:- Deployment
Architect Accurate Answer:- Design
,Developer Accurate Answer:- Coding
Business Analyst/Project Manager Accurate Answer:- Requirements
Gathering
Red Team Accurate Answer:- Teams of people familiar with the
infrastructure of the company and the languages of the software being
developed. Their mission is to kill the system as the developers build it.
Static Analysis Accurate Answer:- A method of computer program
debugging that is done by examining the code without executing the program.
The process provides an understanding of the code structure, and can help to
ensure that the code adheres to industry standards. It's also referred as code
review.
MD5 Hash Accurate Answer:- A widely used hash function producing a
128-bit hash value. Initially designed to be used as a cryptographic hash
function, it has been found to suffer from extensive vulnerabilities. It can still
be used as a checksum to verify data integrity, but only against unintentional
corruption.
SHA-256 (Secure Hash Algorithm) Accurate Answer:- One of a number
of cryptographic hash functions. A cryptographic hash is like a signature for a
text or a data file. Generates an almost-unique, fixed size 32-byte
(32 X 8) hash. Hash is a one-way function - it cannot be decrypted.
Advanced Encryption Standard (AES) Accurate Answer:- A symmetric
encryption algorithm. The algorithm was developed by two Belgian
cryptographers Joan Daemen and Vincent Rijmen. Designed to be efficient in
both hardware and software, and supports a block length of 128 bits and key
lengths of 128, 192, and 256 bits.
Algorithms used to verify integrity Accurate Answer:- MD5 Hash, SHA-
256
Algorithm used to verify confidentiality Accurate Answer:- Advanced
Encryption Standard (AES)
, Stochastic Accurate Answer:- unintentional or accidental
safety-relevant faults Accurate Answer:- stochastic (i.e., unintentional
or accidental)
security-relevant faults Accurate Answer:- "Sponsored," i.e.,
intentionally created and activated through conscious and intentional human
agency.
Fuzz Testing Accurate Answer:- Used to see if the system has solid
exception handling to the input it receives. Is the use of malformed or random
input into a system in order to intentionally produce failure. This is a very
easy process of feeding garbage to the system when it expects a formatted
input, and it is always a good idea to feed as much garbage as possible to an
input field.
Three (3) Tier Accurate Answer:- Removes the business logic from the
client end of the system. It generally places the business logic on a separate
server from the client. The data access portion of the system resides
separately from both the client and the business logic platform.
T-MAP Accurate Answer:- Defines a set of threat-relevant attributes for
each layer or node. These can be classified as probability-relevant, size-of-loss
relevant, or descriptive. These are primarily derived from Common
Vulnerability Scoring System (CVSS). USC's Threat Modeling based on
Attacking Path analysis is a risk management approach that quantifies total
severity weights of relevant attacking paths for COTS-based systems. Its
strengths lie in its ability to maintain sensitivity to an organization's business
value priorities and IT environment, to prioritize and estimate security
investment effectiveness and evaluate performance, and to communicate
executive-friendly vulnerability details as threat profiles to help evaluate cost
efficiency.
Trike Accurate Answer:- An open source conceptual framework,
methodology, and tool set designed to auto-generate repeatable threat
models. Its methodology enables the risk analyst to accurately and completely
describe the security characteristics of the system, from high-level
architecture to low-level implementation of details. It also requires building a
defensive model of the subject system.
