and Answers (2026/2027) | 100% Verified
Solutions | A+ Study Pack
• Secure software -✓✓Software that protects confidentiality, integrity, and availability
while meeting its intended function.
• Software security -✓✓The discipline of preventing, finding, and fixing security
weaknesses in software throughout its life cycle.
• Security assurance -✓✓Confidence that software security controls and processes are
effective and appropriate for the product's risk.
• CIA triad -✓✓Confidentiality, integrity, and availability; the three core security goals.
• Confidentiality -✓✓Protecting information from unauthorized disclosure.
• Integrity -✓✓Protecting data or systems from unauthorized or improper modification.
• Availability -✓✓Ensuring systems and data are accessible when needed.
• Attack surface -✓✓The set of exposed entry points, interfaces, data flows, privileges,
and code paths an attacker could target.
• Attack surface validation -✓✓Testing and reviewing exposed attack paths to confirm
they are minimized and protected.
• Threat modeling -✓✓A structured process for identifying assets, attackers, entry
points, threats, vulnerabilities, and mitigations.
• Threat -✓✓A potential event or actor that could cause harm to a system or asset.
• Vulnerability -✓✓A weakness in software, design, configuration, or process that can
be exploited.
• Exploit -✓✓A technique, code, or method used to take advantage of a vulnerability.
• Attack -✓✓An action taken against a target system; often carried out using an exploit.
• Mitigation -✓✓A control or design change that reduces the likelihood or impact of a
threat.
• Risk -✓✓The combination of likelihood and impact of a threat exploiting a
vulnerability.
• Likelihood -✓✓The probability that a threat will occur or a vulnerability will be
exploited.
• Impact -✓✓The amount of harm caused if a risk is realized.
• Risk ranking -✓✓Prioritizing threats or vulnerabilities based on severity, likelihood,
impact, or scoring models.
• Risk acceptance -✓✓A formal decision to release or continue operating with a known
risk.
• Security requirement -✓✓A required security behavior, control, or constraint the
software must satisfy.
• Privacy requirement -✓✓A requirement related to proper collection, use, storage,
disclosure, retention, or deletion of personal data.
• Nonfunctional requirement -✓✓A requirement describing system qualities such as
security, performance, reliability, privacy, or compliance.
• Least privilege -✓✓Granting users, processes, and systems only the minimum access
necessary to perform their function.
• Defense in depth -✓✓Using multiple layers of controls so failure of one control does
not fully compromise the system.
• Secure by design -✓✓Designing architecture and features with security controls and
threat resistance from the start.
• Shift left -✓✓Moving security activities earlier in the development life cycle to find and
fix issues sooner.
• Security champion -✓✓A development-team member who promotes secure practices
and helps scale security knowledge inside the team.
• Software Security Group (SSG) -✓✓A centralized group that defines software security
policy, guidance, reviews, metrics, and response processes.
• Software Security Initiative (SSI) -✓✓An organization-wide program for improving
software security practices and maturity.
• Software Security Architect -✓✓A role responsible for security architecture guidance,
threat modeling, and design risk analysis.
• Chief Information Security Officer (CISO) -✓✓Executive responsible for information
security strategy and governance.
• Chief Security Officer (CSO) -✓✓Executive responsible for broader organizational
security responsibilities.
• Chief Privacy Officer (CPO) -✓✓Executive responsible for privacy strategy, policy,
and compliance.
• A1 Security Assessment -✓✓The SDL phase that scopes the project's security and
privacy needs early in the SDLC.
• A1 main purpose -✓✓Identify risk, threat profile, compliance needs, privacy concerns,
stakeholders, and required SDL work before design hardens.
• Discovery meeting -✓✓An early meeting to gather product purpose, architecture
assumptions, data types, users, deployment context, technology stack, and risks.
• SDL project plan -✓✓A plan defining required SDL activities, responsibilities,
schedule, deliverables, and tracking mechanisms.
• Risk profile -✓✓A description of the product's security risk level and risk drivers.
• Threat profile -✓✓A description of likely attackers, attack methods, assets, and threat
categories for a product.
• Compliance mapping -✓✓Identifying regulatory, certification, contractual, or policy
obligations that apply to the product.
• Privacy Impact Assessment (PIA) -✓✓An assessment that identifies privacy risks and
obligations related to personal or sensitive data.
• PII -✓✓Personally identifiable information; data that can identify or be linked to a
person.
• A2 Architecture -✓✓The SDL phase focused on analyzing architecture from a security
perspective before detailed implementation.
• A2 main purpose -✓✓Make the architecture secure by design through threat
modeling, DFDs, risk mitigation, policy analysis, and attack-surface reduction.