Secure Software Design Exam with
Questions and Correct Answers 2025
The ,ASF ,threat ,list ,describes ,a ,risk ,that ,may ,occur ,when ,a ,software ,developer
,forgets ,to ,set ,an ,expiration ,for ,a ,cookie. ,Which ,countermeasure ,addresses ,this
,vulnerability?
User ,and ,session ,management
Authentication ,and ,authorization
Data ,protection ,in ,storage ,and ,transit
Error ,handling ,and ,exception ,management ,- ,CORRECT ,ANSWER-User ,and
,session ,management
What ,does ,ASF ,stand ,for? ,- ,CORRECT ,ANSWER-Application ,Security ,Frame
What ,does ,STRIDE ,stand ,for? ,- ,CORRECT ,ANSWER-spoofing, ,tampering,
,repudiation, ,info ,disclosure, ,DoS, ,elevation ,of ,privilege
An ,undocumented ,command ,sequence ,is ,allowing ,unauthorized ,access ,to ,a
,software ,system. ,What ,type ,of ,software ,defect ,allows ,this ,vulnerability?
Backdoor
Rootkit ,attack
Buffer ,overflow
Cross-site ,scripting ,- ,CORRECT ,ANSWER-Backdoor.
Note, ,NOT ,a ,rootkit. ,A ,rootkit ,creates ,a ,backdoor. ,The ,backdoor ,is ,the
,command ,sequence ,itself.
A ,small ,organization ,experiences ,an ,XSS ,attack ,on ,their ,web ,application. ,What
,type ,of ,vulnerability ,has ,occurred?
SQL ,injection
SQL ,intrusion
Cross-site ,scripting
Cross-site ,request ,forgery ,- ,CORRECT ,ANSWER-Cross-site ,scripting
What ,type ,of ,software ,threat ,occurs ,when ,password ,resets ,reveal ,password
,hints ,and ,valid ,usernames, ,according ,to ,the ,Application ,Security ,Frame ,(ASF)?
,Authorization
Authentication
User ,and ,session ,management
Data ,protection ,in ,storage ,and ,transit ,- ,CORRECT ,ANSWER-Authentication.
NOT ,User ,and ,Session ,Management
What ,type ,of ,software ,threat ,occurs ,when ,output ,encoding ,is ,skipped,
,according ,to ,the ,Application ,Security ,Frame ,(ASF)?
Authorization
Authentication
User ,and ,session ,management
Data ,and ,parameter ,validation ,- ,CORRECT ,ANSWER-Data ,and ,parameter
,validation
Which ,form ,of ,malicious ,software ,hides ,in ,the ,lower ,levels ,of ,an ,operating
,system ,with ,privileged ,access ,permissions ,and ,opens ,a ,backdoor ,on ,the
,system?
Trojan
Rootkit
Keylogger
Ransomware ,- ,CORRECT ,ANSWER-Rootkit
A ,security ,administrator ,wants ,to ,prevent ,web-based ,code ,that ,has ,full ,access
,to ,a ,Windows ,operating ,system ,when ,executing ,on ,user ,systems. ,Which
,technique ,should ,remediate ,this ,vulnerability?
Prohibiting ,downloads ,of ,Java ,applets
Prohibiting ,downloads ,of ,ActiveX ,content
Clearing ,the ,Domain ,Name ,System ,(DNS) ,cache
Clearing ,the ,Address ,Resolution ,Protocol ,(ARP) ,cache ,- ,CORRECT ,ANSWER-
Prohibiting ,downloads ,of ,ActiveX ,content
Not ,sure ,why ,it's ,ActiveX ,over ,Java ,applets...
What ,are ,Java ,Applets? ,- ,CORRECT ,ANSWER-An ,applet ,is ,a ,Java ,program ,that
,can ,be ,embedded ,into ,a ,web ,page. ,Could ,be ,something ,as ,simple ,as ,a
,calculator ,that ,lives ,on ,a ,webpage. ,Think ,Java ,Code.
What ,is ,ActiveX ,content? ,- ,CORRECT ,ANSWER-ActiveX ,controls ,are ,small ,apps
,that ,allow ,websites ,to ,provide ,content ,such ,as ,videos ,and ,games. ,They ,also
,let ,you ,interact ,with ,content ,like ,toolbars ,and ,stock ,tickers ,when ,you ,browse
, ,the ,web. ,However, ,these ,apps ,can ,sometimes ,malfunction, ,or ,give ,you ,content
,that ,you ,don't ,want.
A ,system ,administrator ,wants ,to ,use ,physical ,controls ,to ,prevent ,unauthorized
,access ,to ,information ,that ,belongs ,to ,users ,at ,a ,different ,security ,level.
Which ,strategy ,would ,prevent ,this ,problem?
Layering
Abstraction
Process ,isolation
Hardware ,segmentation ,- ,CORRECT ,ANSWER-Hardware ,segmentation
A ,video ,company ,has ,installed ,new ,software. ,The ,developers ,need ,to ,establish
,a ,defense ,against ,zero-day ,attacks. ,What ,is ,the ,best ,way ,to ,manage ,this
,vulnerability?
Apply ,threat ,modeling
Use ,a ,strong ,password
Install ,the ,latest ,patches
Create ,another ,user ,log-in ,- ,CORRECT ,ANSWER-Install ,the ,latest ,patches
This ,is ,kind ,of ,a ,dumb ,answer, ,because ,a ,zero ,day ,attack ,doesn't ,have ,any
,patches ,yet...but ,whatever.
Which ,type ,of ,attack ,would ,a ,hacker ,use ,to ,exploit ,a ,vulnerability ,that ,allows
,access ,to ,be ,increased ,to ,the ,administrator ,level?
Rootkit
Whaling
Waterhole
Dictionary ,- ,CORRECT ,ANSWER-Rootkit
Which ,method ,provides ,line-of-code-level ,detection ,that ,enables ,development
,teams ,to ,remediate ,vulnerabilities ,quickly?
Dynamic ,Cone ,Pen ,Testing ,(DCPT)
Static ,Application ,Security ,Testing ,(SAST)
Common ,Weaknesses ,Enumeration ,(CWE)
Common ,Vulnerabilities ,and ,Exposures ,(CVE) ,- ,CORRECT ,ANSWER-Static
,Application ,Security ,Testing ,(SAST)
If ,you're ,examining ,a ,line ,of ,code, ,it's ,static.
Which ,technique ,should ,be ,used ,to ,detect ,a ,software ,vulnerability ,that ,causes
,extra ,characters ,to ,appear ,in ,data ,fields ,of ,a ,front-facing ,web ,application?
Questions and Correct Answers 2025
The ,ASF ,threat ,list ,describes ,a ,risk ,that ,may ,occur ,when ,a ,software ,developer
,forgets ,to ,set ,an ,expiration ,for ,a ,cookie. ,Which ,countermeasure ,addresses ,this
,vulnerability?
User ,and ,session ,management
Authentication ,and ,authorization
Data ,protection ,in ,storage ,and ,transit
Error ,handling ,and ,exception ,management ,- ,CORRECT ,ANSWER-User ,and
,session ,management
What ,does ,ASF ,stand ,for? ,- ,CORRECT ,ANSWER-Application ,Security ,Frame
What ,does ,STRIDE ,stand ,for? ,- ,CORRECT ,ANSWER-spoofing, ,tampering,
,repudiation, ,info ,disclosure, ,DoS, ,elevation ,of ,privilege
An ,undocumented ,command ,sequence ,is ,allowing ,unauthorized ,access ,to ,a
,software ,system. ,What ,type ,of ,software ,defect ,allows ,this ,vulnerability?
Backdoor
Rootkit ,attack
Buffer ,overflow
Cross-site ,scripting ,- ,CORRECT ,ANSWER-Backdoor.
Note, ,NOT ,a ,rootkit. ,A ,rootkit ,creates ,a ,backdoor. ,The ,backdoor ,is ,the
,command ,sequence ,itself.
A ,small ,organization ,experiences ,an ,XSS ,attack ,on ,their ,web ,application. ,What
,type ,of ,vulnerability ,has ,occurred?
SQL ,injection
SQL ,intrusion
Cross-site ,scripting
Cross-site ,request ,forgery ,- ,CORRECT ,ANSWER-Cross-site ,scripting
What ,type ,of ,software ,threat ,occurs ,when ,password ,resets ,reveal ,password
,hints ,and ,valid ,usernames, ,according ,to ,the ,Application ,Security ,Frame ,(ASF)?
,Authorization
Authentication
User ,and ,session ,management
Data ,protection ,in ,storage ,and ,transit ,- ,CORRECT ,ANSWER-Authentication.
NOT ,User ,and ,Session ,Management
What ,type ,of ,software ,threat ,occurs ,when ,output ,encoding ,is ,skipped,
,according ,to ,the ,Application ,Security ,Frame ,(ASF)?
Authorization
Authentication
User ,and ,session ,management
Data ,and ,parameter ,validation ,- ,CORRECT ,ANSWER-Data ,and ,parameter
,validation
Which ,form ,of ,malicious ,software ,hides ,in ,the ,lower ,levels ,of ,an ,operating
,system ,with ,privileged ,access ,permissions ,and ,opens ,a ,backdoor ,on ,the
,system?
Trojan
Rootkit
Keylogger
Ransomware ,- ,CORRECT ,ANSWER-Rootkit
A ,security ,administrator ,wants ,to ,prevent ,web-based ,code ,that ,has ,full ,access
,to ,a ,Windows ,operating ,system ,when ,executing ,on ,user ,systems. ,Which
,technique ,should ,remediate ,this ,vulnerability?
Prohibiting ,downloads ,of ,Java ,applets
Prohibiting ,downloads ,of ,ActiveX ,content
Clearing ,the ,Domain ,Name ,System ,(DNS) ,cache
Clearing ,the ,Address ,Resolution ,Protocol ,(ARP) ,cache ,- ,CORRECT ,ANSWER-
Prohibiting ,downloads ,of ,ActiveX ,content
Not ,sure ,why ,it's ,ActiveX ,over ,Java ,applets...
What ,are ,Java ,Applets? ,- ,CORRECT ,ANSWER-An ,applet ,is ,a ,Java ,program ,that
,can ,be ,embedded ,into ,a ,web ,page. ,Could ,be ,something ,as ,simple ,as ,a
,calculator ,that ,lives ,on ,a ,webpage. ,Think ,Java ,Code.
What ,is ,ActiveX ,content? ,- ,CORRECT ,ANSWER-ActiveX ,controls ,are ,small ,apps
,that ,allow ,websites ,to ,provide ,content ,such ,as ,videos ,and ,games. ,They ,also
,let ,you ,interact ,with ,content ,like ,toolbars ,and ,stock ,tickers ,when ,you ,browse
, ,the ,web. ,However, ,these ,apps ,can ,sometimes ,malfunction, ,or ,give ,you ,content
,that ,you ,don't ,want.
A ,system ,administrator ,wants ,to ,use ,physical ,controls ,to ,prevent ,unauthorized
,access ,to ,information ,that ,belongs ,to ,users ,at ,a ,different ,security ,level.
Which ,strategy ,would ,prevent ,this ,problem?
Layering
Abstraction
Process ,isolation
Hardware ,segmentation ,- ,CORRECT ,ANSWER-Hardware ,segmentation
A ,video ,company ,has ,installed ,new ,software. ,The ,developers ,need ,to ,establish
,a ,defense ,against ,zero-day ,attacks. ,What ,is ,the ,best ,way ,to ,manage ,this
,vulnerability?
Apply ,threat ,modeling
Use ,a ,strong ,password
Install ,the ,latest ,patches
Create ,another ,user ,log-in ,- ,CORRECT ,ANSWER-Install ,the ,latest ,patches
This ,is ,kind ,of ,a ,dumb ,answer, ,because ,a ,zero ,day ,attack ,doesn't ,have ,any
,patches ,yet...but ,whatever.
Which ,type ,of ,attack ,would ,a ,hacker ,use ,to ,exploit ,a ,vulnerability ,that ,allows
,access ,to ,be ,increased ,to ,the ,administrator ,level?
Rootkit
Whaling
Waterhole
Dictionary ,- ,CORRECT ,ANSWER-Rootkit
Which ,method ,provides ,line-of-code-level ,detection ,that ,enables ,development
,teams ,to ,remediate ,vulnerabilities ,quickly?
Dynamic ,Cone ,Pen ,Testing ,(DCPT)
Static ,Application ,Security ,Testing ,(SAST)
Common ,Weaknesses ,Enumeration ,(CWE)
Common ,Vulnerabilities ,and ,Exposures ,(CVE) ,- ,CORRECT ,ANSWER-Static
,Application ,Security ,Testing ,(SAST)
If ,you're ,examining ,a ,line ,of ,code, ,it's ,static.
Which ,technique ,should ,be ,used ,to ,detect ,a ,software ,vulnerability ,that ,causes
,extra ,characters ,to ,appear ,in ,data ,fields ,of ,a ,front-facing ,web ,application?
