Exam (elaborations)

Secure Software Design Exam Questions With Correct Answers A+

Pages
25
Grade
A+
Uploaded on
07-01-2025
Written in
2024/2025

Institution
Secure Software Design
Course
Secure Software Design










Contains
Questions & answers


©Jason McConnel 2025 ALL RIGHTS RESERVED.




Secure Software Design Exam Questions
With Correct Answers A+



SDL - Answer✔ Security Development Life Cycle

SDLC - Answer✔ Software Development Life Cycle

Software Security - Answer✔ Building security into the software through a SDL (Security Development Life Cycle) in an SDLC (Software Development Life Cycle)

Application Security - Answer✔ Protecting the software and the systems on which it runs after release

Three core elements of security - Answer✔ Confidentiality, integrity, and availability (the C.I.A. model)

PITAC - Answer✔ President's Information Technology Advisory Committee

Quality and security - Answer✔ In terms of coding defects, the product not only has to work right, it also has to be secure

Trustworthy Computing (TwC) - Answer✔ The team which formed the concepts that led to the Microsoft Security Development Lifecycle

Static analysis tools - Answer✔ Tools that look for a fixed set of patterns or rules in the code in a manner similar to virus-checking programs

Authorization - Answer✔ Ensures that the user has the appropriate role and privilege to view data

Authentication - Answer✔ Ensures that the user is who he or she claims to be and that the data come from the appropriate place

Threat modeling - Answer✔ To understand the potential security threats to the system, determine risk, and establish appropriate mitigations. Applies principles such as least privilege and defense-in-depth; requires human expertise and not tools to accomplish

Attack surface - Answer✔ The entry points and exit points of an application that may be accessible to an attacker




- Answer✔ The majority of attacks against software take advantage of, or exploit, some vulnerability or weakness in that software; for this reason, "attack" is often used interchangeably with "exploit," though the Build Security In Attack Pattern Glossary makes a clear distinction between the two terms, with attack referring to the action against the targeted software and exploit referring to the mechanism (e.g., a technique or malicious code) by which that action is carried out.

- Answer✔ Availability: Ensuring timely and reliable access to and use of information.

- Answer✔ Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

- Answer✔ Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

- Answer✔ Authorization and authentication are the two properties that support confidentiality in that authorization ensures that users have the appropriate role and privilege to view data, and authentication ensures that users are who they claim to be and that the data come from the appropriate place.

- Answer✔ Developers must take the time to code cleanly, and eradicate every possible security flaw before the code goes into production.

- Answer✔ The idea behind threat modeling is simply to understand the potential security threats to the system, determine risk, and establish appropriate mitigations. When it is performed correctly, threat modeling occurs early in the project life cycle and can be used to find security design issues before code is committed.

- Answer✔ You cannot have quality without security or security without quality. These two attributes complement each other, and both enhance overall software product integrity and market value.

Techniques used in penetrating valid channels of authentication - Answer✔ Cross-Site Scripting (XSS), Structured Query Language (SQL) injection, buffer overflow exploitation

The most well-known SDL model - Answer✔ Trustworthy Computing Security Development Lifecycle (SDL)

Other popular SDL models - Answer✔ Cigital Software Security Touchpoints model, OWASP SDL, Cisco Secure Development Lifecycle (CSDL)

SDL Optimization Model - Answer✔ Enables development managers and IT policymakers to assess the state of the security in development

Two very popular software security maturity models that have been developed and continue to mature at a rapid rate - Answer✔ Cigital BSIMM, OWASP Open SAMM

Building Security In Maturity Model (BSIMM) - Answer✔ A study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time


OWASP Software Assurance Maturity Model (SAMM) - Answer✔ A flexible and prescriptive framework for building security into a software development organization

ISO/IEC - Answer✔ International Standards Organization (ISO) / International Electrotechnical Commission (IEC)

ISO/IEC 27034-1:2011 - Answer✔ A standard for application security which offers a concise, internationally recognized way to get transparency into a vendor/supplier's software security management process

ISMS - Answer✔ Information Security Management System

ISO/IEC 27001 - Answer✔ A standard that specifies a management system intended to bring information security under formal management control

ISO/IEC 27034 - Answer✔ A standard that provides guidance to help organizations embed security within their processes that help secure applications running in the environment, including application lifecycle processes

SAFECode - Answer✔ A global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services

NCSD - Answer✔ Department of Homeland Security National Cyber Security Division

Software Assurance Program - Answer✔ The SwA Program seeks to reduce software vulnerabilities, minimize exploitation, and address ways to improve the routine development and deployment of trustworthy software products

NIST - Answer✔ National Institute of Standards and Technology

NSA - Answer✔ National Security Agency

CWE - Answer✔ Common Weakness Enumeration

Software Assurance Metrics And Tool Evaluation (SAMATE) - Answer✔ The project dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods

NIST Special Publication (SP) 800-64, Security Considerations in the System Development Life Cycle - Answer✔ Developed to assist federal government agencies in integrating essential information technology security steps into their established IT system development lifecycle

National Vulnerability Database (NVD) - Answer✔ The U.S. government repository of standards-based vulnerability management data

SCAP - Answer✔ Security Content Automation Protocol

Common Vulnerability Scoring System (CVSS) - Answer✔ Provides an open framework for communicating the characteristics and impacts of IT vulnerabilities


