QUESTIONS AND CORRECT ANSWERS (100% CORRECT VERIFIED ANSWERS)
D487 SECURE SOFTWARE DESIGN OBJECTIVE ASSESSMENT
Which design and development deliverable details the progress of personal information
requirements created in earlier phases of the security development lifecycle?
-Privacy compliance report
-Security testing reports
-Remediation report
-Security test execution report - ANSWER--Privacy compliance report
Which design and development deliverable contains technical and executive level reports detailing
any newly identified vulnerabilities?
-Updated threat modeling artifacts
-Privacy implementation assessment results
-Security test plans
-Design security review - ANSWER--Updated threat modeling artifacts
Which programming language is highly susceptible to buffer overflow vulnerabilities?
-C++
-JavaScript
-C#
-Java - ANSWER--C++
What is the first step of the SDLC/SDL code review process?
-Identify security code review objectives
-Perform preliminary scan
-Review code for security issues
-Review for security issues unique to the architecture - ANSWER--Identify security code review objectives
Which type of software testing is being performed when an analyst executes a series of test cases
based on application requirements?
-Unit testing
-Regression testing
-Integration testing
-Functional testing - ANSWER--Functional testing
A security tester changed the application URL from www.app.com/account?id='3' to
www.app.com/account?id='3 or 1=1', which returned a collection of account information. Database
logs showed that the query that was executed was SELECT * FROM ACCOUNTS WHERE accountId=3
or 1=1. How should existing security controls be adjusted to prevent this in the future?
-Ensure server-side queries are parameterized
-Ensure all requests and responses are encrypted
-Ensure sensitive transactions can be traced through an audit log
-Ensure database service accounts do not have administrative access - ANSWER--Ensure server-side queries are parameterized
The enterprise security team discovered a vulnerability in a third-party logging tool that could allow
unauthorized access to application logs. The vulnerability is fixed in a new release of the third-party
product. How should existing security controls be adjusted to prevent this in the future?
-Ensure third party libraries are kept up to date and reviewed consistently
-Ensure passwords and private information are not logged
-Ensure log files provide audit trails for sensitive transactions
-Ensure auditing and logging are enabled on all servers - ANSWER--Ensure third party libraries are
kept up to date and reviewed consistently
A potential threat was discovered during functional testing of a file upload component when a QA
analyst was allowed to upload a shell script. Users should only be allowed to upload image files. How
should existing security controls be adjusted to prevent this in the future?
-Validate all user input
-Enforce role-based authorization