questions with answers

Functional Requirements - CORRECT ANSWERS ✔✔Describe what an application must do to serve a business need.

Nonfunctional requirements (NFRs) - CORRECT ANSWERS ✔✔Address how well the functional requirements are met; they constrain the functional requirements to specified operating ranges (performance, reliability, security, and so on).
What percent of current business security vulnerabilities are found within software applications rather than at the network boundaries? - CORRECT ANSWERS ✔✔70%

What is the purpose of secure software development? - CORRECT ANSWERS ✔✔To reduce the risk of insecure code.

What term describes what has to work right? - CORRECT ANSWERS ✔✔Quality

What term describes what has to be secure? - CORRECT ANSWERS ✔✔Security

What are the two challenges to fixing vulnerabilities? - CORRECT ANSWERS ✔✔The cost, and the fact that most security activities happen post-release (when a fix is most expensive).
What is software security? - CORRECT ANSWERS ✔✔The process of designing and building software to be secure.

What is application security? - CORRECT ANSWERS ✔✔The process of protecting software, and the systems it runs in, after it has been built and deployed.

What is the purpose of software security? - CORRECT ANSWERS ✔✔Building secure software; designing software to be secure; and educating software developers, architects, and users about how to build security in.

What is the purpose of application security? - CORRECT ANSWERS ✔✔Protecting software and the systems that software runs in, post facto: only after development is complete.

What are the three primary goals of the secure software development process? - CORRECT ANSWERS ✔✔Confidentiality, integrity, and availability.
SDL vs SDLC - CORRECT ANSWERS ✔✔Security Development Lifecycle (SDL): aimed at developing secure software.
Software Development Lifecycle (SDLC): aimed at developing quality software.

What are two goals of the SDL? - CORRECT ANSWERS ✔✔Reduce the number of security vulnerabilities and privacy problems, and reduce the severity of the vulnerabilities that remain.

Secure code does not mean _________ ___________ - CORRECT ANSWERS ✔✔Quality code

What terms describe quality code? - CORRECT ANSWERS ✔✔Ease of use, reusable, and maintainable
Under 44 U.S.C., Sec. 3542, Information Security is defined as: - CORRECT ANSWERS ✔✔The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Under 44 U.S.C., Sec. 3542, Confidentiality is defined as: - CORRECT ANSWERS ✔✔Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Under 44 U.S.C., Sec. 3542, Integrity is defined as: - CORRECT ANSWERS ✔✔Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Under 44 U.S.C., Sec. 3542, Availability is defined as: - CORRECT ANSWERS ✔✔Ensuring timely and reliable access to and use of information.
What is threat modeling? - CORRECT ANSWERS ✔✔The process of understanding the potential security threats to a system, determining the risk each one poses, and establishing appropriate mitigations (What can go wrong? How bad is it? How can it be fixed?)

At which point in time is it better to identify and manage security risks? - CORRECT ANSWERS ✔✔The earlier, the better (a risk found at design time is far cheaper to address than one found after release).

Define modeling software: - CORRECT ANSWERS ✔✔A way to envision the interactions of the proposed software within its intended environment.

Define attack surface: - CORRECT ANSWERS ✔✔The set of entry points and exit points of an application that may be accessible to an attacker; security testing should cover all of them.

What increases the attack surface? - CORRECT ANSWERS ✔✔Accessibility: every additional way the application, its interfaces, or its data can be reached (more open ports, more exposed interfaces, more users or privilege levels) enlarges it.

What elements of the attack surface can be identified with scanning tools? - CORRECT ANSWERS ✔✔Port scanning for open ports, and code analysis tools to locate code that receives input and sends output.
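The second kind of scan above (code analysis to find where an application receives input and sends output) can be approximated with a small static analyzer. The Python script below is an added example and is not code from the original page or from any particular tool: it walks a module's abstract syntax tree and records every call that matches an assumed, illustrative list of input-receiving and output-sending calls, tagging each with its line number and enclosing function. The SAMPLE_APP source it scans is constructed for the example.

```python
"""Attack-surface enumeration by static analysis.

Added example, not code from the original page: walk a Python module's AST
and record every call that receives external input (an entry point) or
sends output outside the process (an exit point). The pattern lists below
are an assumed, illustrative subset; a real tool would carry far more.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# "a.b.c" matches that exact dotted call; "*.m" matches any call whose final
# attribute is m (so "*.recv" matches sock.recv on any socket variable).
ENTRY_CALLS = ("input", "sys.stdin.read", "request.args.get", "request.form.get",
               "os.environ.get", "os.getenv", "*.recv", "*.recvfrom")
EXIT_CALLS = ("subprocess.run", "subprocess.Popen", "os.system",
              "*.send", "*.sendall", "*.execute")


@dataclass(frozen=True)
class SurfacePoint:
    kind: str      # "entry" or "exit"
    call: str      # dotted call name as written in the source
    pattern: str   # the rule that matched it
    line: int
    function: str  # enclosing function name, or "<module>"


def _dotted(node: ast.AST) -> str | None:
    """Render a call target such as request.args.get as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None  # computed targets such as handlers[i](...) are not resolved


def match_call(name: str, patterns: tuple[str, ...]) -> str | None:
    """Return the first pattern that matches a dotted call name, if any."""
    for pat in patterns:
        if pat.startswith("*.") and name.endswith(pat[1:]):
            return pat
        if name == pat:
            return pat
    return None


class _SurfaceVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.points: list[SurfacePoint] = []
        self._scope = ["<module>"]

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self._scope.append(node.name)      # track the enclosing function
        self.generic_visit(node)
        self._scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        if name:
            for kind, patterns in (("entry", ENTRY_CALLS), ("exit", EXIT_CALLS)):
                pat = match_call(name, patterns)
                if pat:
                    self.points.append(
                        SurfacePoint(kind, name, pat, node.lineno, self._scope[-1]))
        self.generic_visit(node)           # calls nested inside arguments count too


def enumerate_attack_surface(source: str) -> list[SurfacePoint]:
    """Return the entry and exit points of a module in source order."""
    visitor = _SurfaceVisitor()
    visitor.visit(ast.parse(source))
    return visitor.points


def summarize(points: list[SurfacePoint]) -> dict[str, dict[str, list[str]]]:
    """Group points by function: a function with both entries and exits is
    where untrusted data most likely flows out again, so review it first."""
    by_func: dict[str, dict[str, list[str]]] = {}
    for p in points:
        by_func.setdefault(p.function, {"entry": [], "exit": []})[p.kind].append(p.call)
    return by_func


# Constructed sample module for the example; it is not real application code.
SAMPLE_APP = '''\
import os, socket, subprocess

def handle(request):
    user = request.args.get("user")            # HTTP parameter comes in
    path = os.environ.get("EXPORT_DIR")        # environment comes in
    subprocess.run(["tar", "cf", path, user])  # attacker-influenced argv goes out
    return "ok"

def serve(sock):
    data = sock.recv(4096)                     # network bytes come in
    sock.send(b"ack")                          # bytes go back out
    return data
'''

if __name__ == "__main__":
    for p in enumerate_attack_surface(SAMPLE_APP):
        print(f"{p.kind:5} line {p.line:2} in {p.function:<8} {p.call}  (rule: {p.pattern})")
```

Each reported line is a candidate entry or exit point to check against the threat model. Functions that both take external input and emit it again (here `handle`, which hands an HTTP parameter to `subprocess.run`) are where input validation needs reviewing first. The pattern list is deliberately short, and the script only lists points; a real tool would also track data flow between them.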
What SDL models are available for the development process? - CORRECT ANSWERS ✔✔Microsoft's Trustworthy Computing Security Development Lifecycle (SDL)