Wgu d487 secure software design study guide exam questions and solutions

D487: Secure Software Design Questions
bq bq bq bq




1. What are the two common best principles of software applications in the
bq bq bq bq bq bq bq bq bq bq bq




development process? Choose 2 answers.
bq bq bq bq bq




Quality codebq




Secure code
b q bq




Information
bq




security Integrity
bq bq




Availability: Quality code bq bq




Secure code
bq bq




"Quality code" is correct. Quality code is efficient code that is easy to maintain and
bq bq bq bq bq bq bq bq bq bq bq bq bq bq




reusable.
bq




"Secure code" is correct. Secure code authorizes and authenticates every user
bq bq bq bq bq bq bq bq bq bq




transaction, logs the transaction, and denies all unauthorized requisitions.
bq bq bq bq bq bq bq bq bq




2. What ensures that the user has the appropriate role and privilege to view
bq bq bq bq bq bq bq bq bq bq bq bq




data?
bq




Authentication
Multi-factor authentication bq




Encryption
bq




Information security bq




Authorization: Authorization
bq bq




Authorization ensures a user's information and credentials are approved by the
bq bq bq bq bq bq bq bq bq bq




system.
bq




3. Which security goal is defined by "guarding against improper information
bq bq bq bq bq bq bq bq bq




modification or destruction and ensuring information non-repudiation and
bq bq bq bq bq bq bq bq




authenticity"?
bq




Integrity
Quality
bq




Availability
bq




Reliability: Integrity bq




The data must remain unchanged by unauthorized users and remain reliable from
bq bq bq bq bq bq bq bq bq bq bq




the data entry point to the database and back.
bq bq bq bq bq bq bq bq bq




4. Which phase in an SDLC helps to define the problem and scope of any
bq bq bq bq bq bq bq bq bq bq bq bq bq




existing systems and determine the objectives of new systems?
bq bq bq bq bq bq bq bq bq




Requirements
bq




Design
Plannin
bq




g
Testing: Planning bq




bq bq

, D487: Secure Software Design Questions bq bq bq bq




The planning stage sets the project schedule and looks at the big picture.
bq bq bq bq bq bq bq bq bq bq bq bq




5. What happens during a dynamic code review?
bq bq bq bq bq bq




Programmers monitor system memory, functional behavior, response times, bq bq bq bq bq bq bq




and overall performance.
bq bq bq




Customers perform tests to check software meets requirements. bq bq bq bq bq bq bq




An analysis of computer programs without executing them is performed.
bq bq bq bq bq bq bq bq bq




Input fields are supplied with unexpected input and tested.: Programmers mon-
bq bq bq bq bq bq bq bq bq bq bq




itor system memory, functional behavior, response times, and overall performance.
bq bq bq bq bq bq bq bq bq bq




6. How should you store your application user credentials in your application
bq bq bq bq bq bq bq bq bq bq




database?
bq




Use application logic to encrypt credentials
bq bq bq bq bq




Store credentials as clear text
bq bq bq bq bq




Store credentials using Base 64 encoded
bq bq bq bq bq




Store credentials using salted hashes: Store credentials using salted hashes
bq bq bq bq bq bq bq bq bq




Hashing is a one-way process that converts a password to ciphertext using hash
bq bq bq bq bq bq bq bq bq bq bq bq




algorithms. Password salting adds random characters before or after a password
bq bq bq bq bq bq bq bq bq bq bq




prior to hashing to obfuscate the actual password.
bq bq bq bq bq bq bq bq




7. Which software methodology resembles an assembly-line approach?
bq bq bq bq bq bq




V-model
bq




Agile model bq




Iterative model
bq bq




Waterfall model: Waterfall model bq bq bq




Waterfall model is a continuous software development model in which the develop-
bq bq bq bq bq bq bq bq bq bq bq




ment steps flow steadily downwards.
bq bq bq bq bq




8. Which software methodology approach provides faster time to market and
bq bq bq bq bq bq bq bq bq




higher business value?
bq bq bq




Iterative model bq




Waterfall
bq




model V-model
bq bq




Agile model: Agile model bq bq bq




In the agile model, projects are divided into small incremental builds that provide
bq bq bq bq bq bq bq bq bq bq bq bq




working software at the end of each iteration and adds value to business.
bq bq bq bq bq bq bq bq bq bq bq bq bq




9. In Scrum methodology, who is responsible for making decisions on the
bq bq bq bq bq bq bq bq bq bq




requirements?
bq




ScrumTeam b
q





bq bq

, D487: Secure Software Design Questions bq bq bq bq




Product Owner bq




ScrumMaster
bq




Technical Lead: Product Owner bq bq bq




The Product Owner is responsible for requirements/backlog items and prioritizing
bq bq bq bq bq bq bq bq bq




them.
bq




10. What is the reason software security teams host discovery meetings with
bq bq bq bq bq bq bq bq bq bq




stakeholders early in the development life cycle?
bq bq bq bq bq bq bq




To determine how much budget is available for new security tools To
bq bq bq bq bq bq bq bq bq bq bq




meet the development team
bq bq bq bq




To refactor functional requirements to ensure security is included
bq bq bq bq bq bq bq bq




To ensure that security is built into the product from the start: To ensure that
bq bq bq bq bq bq bq bq bq bq bq bq bq bq




security is built into the product from the start
bq bq bq bq bq bq bq bq bq




To correctly and cost-effectively introduce security into the software development life
bq bq bq bq bq bq bq bq bq bq




cycle, it needs to be done early.
bq bq bq bq bq bq bq




11. Why should a security team provide documented certification require-
bq bq bq bq bq bq bq bq




ments during the software assessment phase?
bq bq bq bq bq bq




Certification is required if the organization wants to move to the cloud. bq bq bq bq bq bq bq bq bq bq bq




Depending on the environment in which the product resides, certifications
bq bq bq bq bq bq bq bq bq bq




may be required by corporate or government entities before the software can
bq bq bq bq bq bq bq bq bq bq bq bq




be released to customers.
bq bq bq bq




By ensuring software products are certified,the organization is protected from
bq bq bq bq bq b
q bq bq bq bq




future litigation.
bq bq




By ensuring all developers have security certifications before writing any
bq bq bq bq bq bq bq bq bq




code, teams can forego discovery sessions.: Depending on the environment in
bq bq bq bq bq bq bq bq bq bq bq




which the product resides, certifications may be required by corporate or govern-
bq bq bq bq bq bq bq bq bq bq bq bq




ment entities before the software can be released to customers.
bq bq bq bq bq bq bq bq bq bq




Any new product may need to be certified based on the data it stores, the frameworks it
bq bq bq bq bq bq bq bq bq bq bq bq bq bq bq bq




uses, or the domain in which it resides.Those certification requirements need to be
bq bq bq bq bq bq bq bq q
b bq bq bq bq bq




analyzed and documented early in the development life cycle.
bq bq bq bq bq bq bq bq bq




12. What are two items that should be included in the privacy impact assess-
bq bq bq bq bq bq bq bq bq bq bq bq




ment plan regardless of which methodology is used?Choose 2 answers.
bq bq bq bq bq bq bq bq bq bq




Required process steps
bq bq bq




Technologies and techniques bq bq




SDL project outline
bq bq bq




Threat modeling bq




Post-implementation signoffs: Required process steps bq bq bq bq





bq bq