Secure Software Design Study Guide - C706 questions and
answers 2024\2025 A+ Grade
Confidentiality
- correct answer Information is not made available or disclosed to unauthorized individuals, entities, or
processes. Ensures unauthorized persons are not able to read private and sensitive data. It is achieved
through cryptography.
Integrity
- correct answer Ensures unauthorized persons or channels are not able to modify the data. It is
accomplished through the use of a message digest or digital signatures.
Availability
- correct answer The computing systems used to store and process information, the security controls
used to protect information, and the communication channels used to access information must be
functioning correctly. Ensures system remains operational even in the event of a failure or an attack. It is
achieved by providing redundancy or fault tolerance for a failure of a system and its components.
Ensure Confidentiality
- correct answer Public Key Infrastructure (PKI) and Cryptography/Encryption
Ensure Availability
- correct answer Offsite back-up and Redundancy
Ensure Integrity
- correct answer Hashing, Message Digest (MD5), non repudiation and digital signatures
,Software Architect
- correct answer Moves analysis to implementation and analyzes the requirements and use cases as
activities to perform as part of the development process; can also develop class diagrams.
Security Practitioner Roles
- correct answer Release Manager,
Architect, Developer, Business Analyst/Project Manager
Release Manager
- correct answer Deployment
Architect
- correct answer Design
Developer
- correct answer Coding
Business Analyst/Project Manager
- correct answer Requirements Gathering
Red Team
- correct answer Teams of people familiar with the infrastructure of the company and the languages of
the software being developed. Their mission is to kill the system as the developers build it.
Static Analysis
- correct answer A method of computer program debugging that is done by examining the code without
executing the program. The process provides an understanding of the code structure, and can help to
ensure that the code adheres to industry standards. It's also referred as code review.
MD5 Hash
- correct answer A widely used hash function producing a 128-bit hash value. Initially designed to be
used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can
still be used as a checksum to verify data integrity, but only against unintentional corruption.
, SHA-256 (Secure Hash Algorithm)
- correct answer One of a number of cryptographic hash functions. A cryptographic hash is like a
signature for a text or a data file. Generates an almost-unique, fixed size 32-byte
(32 X 8) hash. Hash is a one-way function - it cannot be decrypted.
Advanced Encryption Standard (AES)
- correct answer A symmetric encryption algorithm. The algorithm was developed by two Belgian
cryptographers Joan Daemen and Vincent Rijmen. Designed to be efficient in both hardware and
software, and supports a block length of 128 bits and key lengths of 128, 192, and 256 bits.
Algorithms used to verify integrity
- correct answer MD5 Hash, SHA-256
Algorithm used to verify confidentiality
- correct answer Advanced Encryption Standard (AES)
Stochastic
- correct answer unintentional or accidental
safety-relevant faults
- correct answer stochastic (i.e., unintentional or accidental)
security-relevant faults
- correct answer "Sponsored," i.e., intentionally created and activated through conscious and intentional
human agency.
Fuzz Testing
- correct answer Used to see if the system has solid exception handling to the input it receives. Is the use
of malformed or random input into a system in order to intentionally produce failure. This is a very easy
process of feeding garbage to the system when it expects a formatted input, and it is always a good idea
to feed as much garbage as possible to an input field.
Three (3) Tier
- correct answer Removes the business logic from the client end of the system. It generally places the
answers 2024\2025 A+ Grade
Confidentiality
- correct answer Information is not made available or disclosed to unauthorized individuals, entities, or
processes. Ensures unauthorized persons are not able to read private and sensitive data. It is achieved
through cryptography.
Integrity
- correct answer Ensures unauthorized persons or channels are not able to modify the data. It is
accomplished through the use of a message digest or digital signatures.
Availability
- correct answer The computing systems used to store and process information, the security controls
used to protect information, and the communication channels used to access information must be
functioning correctly. Ensures system remains operational even in the event of a failure or an attack. It is
achieved by providing redundancy or fault tolerance for a failure of a system and its components.
Ensure Confidentiality
- correct answer Public Key Infrastructure (PKI) and Cryptography/Encryption
Ensure Availability
- correct answer Offsite back-up and Redundancy
Ensure Integrity
- correct answer Hashing, Message Digest (MD5), non repudiation and digital signatures
,Software Architect
- correct answer Moves analysis to implementation and analyzes the requirements and use cases as
activities to perform as part of the development process; can also develop class diagrams.
Security Practitioner Roles
- correct answer Release Manager,
Architect, Developer, Business Analyst/Project Manager
Release Manager
- correct answer Deployment
Architect
- correct answer Design
Developer
- correct answer Coding
Business Analyst/Project Manager
- correct answer Requirements Gathering
Red Team
- correct answer Teams of people familiar with the infrastructure of the company and the languages of
the software being developed. Their mission is to kill the system as the developers build it.
Static Analysis
- correct answer A method of computer program debugging that is done by examining the code without
executing the program. The process provides an understanding of the code structure, and can help to
ensure that the code adheres to industry standards. It's also referred as code review.
MD5 Hash
- correct answer A widely used hash function producing a 128-bit hash value. Initially designed to be
used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can
still be used as a checksum to verify data integrity, but only against unintentional corruption.
, SHA-256 (Secure Hash Algorithm)
- correct answer One of a number of cryptographic hash functions. A cryptographic hash is like a
signature for a text or a data file. Generates an almost-unique, fixed size 32-byte
(32 X 8) hash. Hash is a one-way function - it cannot be decrypted.
Advanced Encryption Standard (AES)
- correct answer A symmetric encryption algorithm. The algorithm was developed by two Belgian
cryptographers Joan Daemen and Vincent Rijmen. Designed to be efficient in both hardware and
software, and supports a block length of 128 bits and key lengths of 128, 192, and 256 bits.
Algorithms used to verify integrity
- correct answer MD5 Hash, SHA-256
Algorithm used to verify confidentiality
- correct answer Advanced Encryption Standard (AES)
Stochastic
- correct answer unintentional or accidental
safety-relevant faults
- correct answer stochastic (i.e., unintentional or accidental)
security-relevant faults
- correct answer "Sponsored," i.e., intentionally created and activated through conscious and intentional
human agency.
Fuzz Testing
- correct answer Used to see if the system has solid exception handling to the input it receives. Is the use
of malformed or random input into a system in order to intentionally produce failure. This is a very easy
process of feeding garbage to the system when it expects a formatted input, and it is always a good idea
to feed as much garbage as possible to an input field.
Three (3) Tier
- correct answer Removes the business logic from the client end of the system. It generally places the
