LIFE CYCLE (SDL) MASTER GUIDE 140+ HIGH-YIELD MCQS
WITH CORRECT ANSWERS AND DETAILED RATIONALES
1. Which practice in the Ship (A5) phase of the Security Development Life Cycle (SDL) verifies
whether the product meets security mandates?
A. Vulnerability scan
B. Code-assisted penetration testing
C. A5 policy compliance analysis
D. Final security review
Correct Answer: C. A5 policy compliance analysis
Rationale: A5 policy compliance analysis verifies that the product meets required security policies,
standards, and mandates before release.
2. Which post-release support activity defines the process to communicate, identify, and alleviate
security threats?
A. Security architectural reviews
B. Third-party reviews
C. External vulnerability disclosure response
D. Vulnerability scanning
Correct Answer: C. External vulnerability disclosure response
Rationale: External vulnerability disclosure response defines how security vulnerabilities are
reported, investigated, communicated, and resolved.
3. What are two core practice areas of the OWASP Security Assurance Maturity Model
(OpenSAMM)?
A. Deployment and testing
B. Governance and Construction
C. Verification and operations
D. Planning and maintenance
Correct Answer: B. Governance and Construction
Rationale: OpenSAMM includes Governance, Construction, Verification, and Deployment as major
software security practice areas.
4. Which practice in the Ship (A5) phase uses tools to identify weaknesses in the product?
A. Final security review
B. Open-source licensing review
C. Vulnerability scan
D. Policy compliance analysis
Correct Answer: C. Vulnerability scan
Rationale: Vulnerability scans use automated tools to detect weaknesses before software release.
5. Which post-release support activity should be completed when companies are joining together?
A. Code review
B. Security architectural reviews
C. Vulnerability scan
D. Threat modeling
Correct Answer: B. Security architectural reviews
Rationale: Security architectural reviews evaluate risks caused by combining systems, applications,
or environments.
6. Which Ship (A5) deliverable is performed during A5 policy compliance analysis?
A. White-box security testing
B. Analyze activities and standards
C. License compliance
D. Release and ship
Correct Answer: B. Analyze activities and standards
Rationale: Policy compliance analysis verifies required activities and security standards are followed.
7. Which Ship (A5) deliverable is performed during code-assisted penetration testing?
A. License compliance
B. Threat modeling artifacts
C. White-box security testing
D. Final release approval
Correct Answer: C. White-box security testing
Rationale: Code-assisted penetration testing uses internal knowledge of software to perform white-box testing.
8. Which Ship (A5) deliverable is performed during open-source licensing review?
A. Vulnerability scanning
B. License compliance
C. Threat assessment
D. Code review
Correct Answer: B. License compliance
Rationale: Open-source licensing review ensures third-party components follow legal licensing
requirements.
9. Which Ship (A5) deliverable is performed during the final security review?
A. Threat profile
B. Release and ship
C. Data classification
D. Code analysis
Correct Answer: B. Release and ship
Rationale: Final security review confirms the product is ready for secure release.
10. How can an organization establish its own SDL to build security into an agile process?
A. Waterfall development
B. Iterative development
C. Manual deployment only
D. Outsourcing all security
Correct Answer: B. Iterative development
Rationale: Agile SDL integrates security into repeated development cycles.
11. How can an organization establish its own SDL to build security into a DevOps process?
A. Manual security reviews only
B. Continuous integration and continuous deployments
C. Removing automation
D. Delaying security until release
Correct Answer: B. Continuous integration and continuous deployments
Rationale: DevOps-based SDL practices integrate security into automated development and
deployment workflows.
12. How can an organization establish its own SDL to build security into a cloud environment?
A. Physical security controls only
B. API invocation processes
C. Eliminating automated services
D. Restricting all access
Correct Answer: B. API invocation processes
Rationale: Cloud environments rely on secure API processes to manage communication and services.
13. How can an organization establish its own SDL based on a digital enterprise?
A. Disable business processes
B. Enables and improves business activities
C. Avoid security requirements
D. Remove compliance checks
Correct Answer: B. Enables and improves business activities
Rationale: A digital enterprise SDL supports business functions while maintaining security.
14. Which phase of penetration testing allows remediation to be performed?
A. Assess
B. Identify
C. Evaluate and plan
D. Deploy
Correct Answer: D. Deploy
Rationale: The deploy phase is where fixes and remediation actions are implemented.
15. Which key deliverable occurs during post-release support?
A. Threat modeling
B. Third-party reviews
C. Requirement gathering
D. Functional testing
Correct Answer: B. Third-party reviews
Rationale: Post-release support includes ongoing reviews and assessments after deployment.
16. Which business function of OpenSAMM is associated with governance?
A. Threat assessment
B. Code review
C. Vulnerability management
D. Policy and compliance
Correct Answer: D. Policy and compliance
Rationale: Governance focuses on policies, compliance, and organizational security processes.
17. Which business function of OpenSAMM is associated with construction?