WGU D487 questions with verified answers
A1 - Security Assessment Ans✓✓✓ Is the first phase of SDL. This is the phase in
which the project team identifies the project risk profile and the needed SDL
activities, in some SDLs it is called the discovery phase.
A2- Architecture Ans✓✓✓ At this stage of the SDL, security is looked at more in
terms of business risks, which inputs from the software security group and
discussions with key stakeholders in the SDLC.
A3 - Design and Development Ans✓✓✓ In this phase the end user of your
software is foremost in your mind. During this phase, you will do an analysis of
policy compliance, create the test plan documentation, , update your threat
models if necessary, conduct a design security analysis, and do a privacy
implementation assessment so you can make informed decisions about how to
deploy your software securely and establish development best practices to detect
and remove security and privacy issues early in the development lifecycle.
A4 - Design and Development Ans✓✓✓ This phase can be mapped to the
"readiness" phase in a typical software development life cycle (SDLC). In this
phase we start the continuation of policy compliance analysis.
A5 - Ship Ans✓✓✓ In the final policy compliance review, the SDL policy will be
reviewed to ensure that the policy provides specific requirements based on
different development criteria, such as product type, code type, and platform. A
vulnerability scan will look for any remaining vulnerabilities in your software and
associated systems and report potential exposure.
Bucket Requirements Ans✓✓✓ The second category of SDL requirement consists
of tasks that must be performed on a regular basis over the lifetime of the project
, but that are not so critical as to be mandated for each sprint. This category is
called the bucket category and is subdivided into three separate buckets of
related tasks. Currently there are three buckets in the bucket category-
verification tasks (mostly fuzzers and other analysis tools), design review tasks,
and planning tasks. Instead of completing all bucket requirements each sprint,
product teams must complete only one SDL requirement from each bucket of
related tasks during each sprint.
Building Security in Maturity Model (BSIMM) Ans✓✓✓ A study of real-world
software security initiatives organized so that you can determine where you stand
with your software security initiative and how to evolve your efforts over time.
DREAD Ans✓✓✓ D - Damage Potential - How catastrophic is the event?
R - Reproducibility - How easy to reproduce the attack?
E - Exploitability - How easy to launch the attack?
A - Affected Users - What percentage of users are affected?
D - Discoverability - How easy it is to find the vulnerability?
Dynamic Analysis Ans✓✓✓ Analysis and testing of a program occurs while it is
being executed or run.
Every-Sprint Requirement Ans✓✓✓ The first category consists of the SDL
requirements that are so essential to security that no software should ever be
released without these requirements being met. This category is called the every-
sprint category. Whether a team's sprint is two weeks or two months long, every
SDL requirement in the every-sprint category must be completed in each and
every sprint, or the sprint is deemed incomplete, and the software cannot be
released.
A1 - Security Assessment Ans✓✓✓ Is the first phase of SDL. This is the phase in
which the project team identifies the project risk profile and the needed SDL
activities, in some SDLs it is called the discovery phase.
A2- Architecture Ans✓✓✓ At this stage of the SDL, security is looked at more in
terms of business risks, which inputs from the software security group and
discussions with key stakeholders in the SDLC.
A3 - Design and Development Ans✓✓✓ In this phase the end user of your
software is foremost in your mind. During this phase, you will do an analysis of
policy compliance, create the test plan documentation, , update your threat
models if necessary, conduct a design security analysis, and do a privacy
implementation assessment so you can make informed decisions about how to
deploy your software securely and establish development best practices to detect
and remove security and privacy issues early in the development lifecycle.
A4 - Design and Development Ans✓✓✓ This phase can be mapped to the
"readiness" phase in a typical software development life cycle (SDLC). In this
phase we start the continuation of policy compliance analysis.
A5 - Ship Ans✓✓✓ In the final policy compliance review, the SDL policy will be
reviewed to ensure that the policy provides specific requirements based on
different development criteria, such as product type, code type, and platform. A
vulnerability scan will look for any remaining vulnerabilities in your software and
associated systems and report potential exposure.
Bucket Requirements Ans✓✓✓ The second category of SDL requirement consists
of tasks that must be performed on a regular basis over the lifetime of the project
, but that are not so critical as to be mandated for each sprint. This category is
called the bucket category and is subdivided into three separate buckets of
related tasks. Currently there are three buckets in the bucket category-
verification tasks (mostly fuzzers and other analysis tools), design review tasks,
and planning tasks. Instead of completing all bucket requirements each sprint,
product teams must complete only one SDL requirement from each bucket of
related tasks during each sprint.
Building Security in Maturity Model (BSIMM) Ans✓✓✓ A study of real-world
software security initiatives organized so that you can determine where you stand
with your software security initiative and how to evolve your efforts over time.
DREAD Ans✓✓✓ D - Damage Potential - How catastrophic is the event?
R - Reproducibility - How easy to reproduce the attack?
E - Exploitability - How easy to launch the attack?
A - Affected Users - What percentage of users are affected?
D - Discoverability - How easy it is to find the vulnerability?
Dynamic Analysis Ans✓✓✓ Analysis and testing of a program occurs while it is
being executed or run.
Every-Sprint Requirement Ans✓✓✓ The first category consists of the SDL
requirements that are so essential to security that no software should ever be
released without these requirements being met. This category is called the every-
sprint category. Whether a team's sprint is two weeks or two months long, every
SDL requirement in the every-sprint category must be completed in each and
every sprint, or the sprint is deemed incomplete, and the software cannot be
released.
