D487 - Secure Software Design Exam (actual Exam): all possible questions with verified solutions

What is the study of real-world software security initiatives, organized so companies can measure their initiatives and understand how to evolve them over time?
A) Building Security in Maturity Model (BSIMM)
B) Security features and design
C) OWASP Software Assurance Maturity Model (SAMM)
D) ISO 27001
Answer: A) Building Security in Maturity Model (BSIMM)

What is the analysis of computer software that is performed without executing programs?
A) Static analysis
B) Fuzzing
C) Dynamic analysis
D) OWASP ZAP
Answer: A) Static analysis

What ISO standard is the benchmark for information security today?
A) ISO/IEC 27001
B) ISO/IEC 7799
C) ISO/IEC 27034
D) ISO 8601
Answer: A) ISO 27001

What is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time?
A) Dynamic analysis
B) Static analysis
C) Fuzzing
D) Security testing
Answer: A) Dynamic analysis

Which person is responsible for designing, planning, and implementing secure coding practices and security testing methodologies?
A) Software security architect
B) Product security developer
C) Software security champion
D) Software tester
Answer: A) Software security architect

A company is preparing to add a new feature to its flagship software product. The new feature is similar to features that have been added in previous years, and the requirements are well-documented. The project is expected to last three to four months, at which time the new feature will be released to customers. Project team members will focus solely on the new feature until the project ends.
Which software development methodology is being used?
A) Waterfall
B) Agile
C) Scrum
D) Extreme programming
Answer: A) Waterfall

A new product will require an administration section for a small number of users. Normal users will be able to view limited customer information and should not see admin functionality within the application.
Which concept is being used?
A) Principle of least privilege
B) Privacy
C) Software security champion
D) Elevation of privilege
Answer: A) Principle of least privilege

The software security team is currently working to identify approaches for input validation, authentication, authorization, and configuration management of a new software product so they can deliver a security profile.
Which threat modeling step is being described?
A) Analyzing the target
B) Drawing data flow diagram
C) Rating threats
D) Identifying and documenting threats
Answer: A) Analyzing the target

The scrum team is attending their morning meeting, which is scheduled at the beginning of the work day. Each team member reports what they accomplished yesterday, what they plan to accomplish today, and whether they have any impediments that may cause them to miss their delivery deadline.
Which scrum ceremony is the team participating in?
A) Daily scrum
B) Sprint review
C) Sprint retrospective
D) Sprint planning
Answer: A) Daily scrum

What is a list of information security vulnerabilities that aims to provide names for publicly known problems?
A) Common Computer Vulnerabilities and Exposures (CVE)
B) SANS Institute Top Cyber Security Risks
C) Bugtraq
D) Carnegie Mellon Computer Emergency Readiness Team (CERT)
Answer: A) Common Computer Vulnerabilities and Exposures (CVE)

Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access?
A) Access control
B) Authentication and password management
C) Cryptographic practices
D) Data protection
Answer: C) Cryptographic practices

Which secure coding best practice ensures servers, frameworks, and system components are all running the latest approved versions?
A) File management
B) Input validation
C) Database security
D) System configuration
Answer: D) System configuration

Which secure coding best practice says to use parameterized queries, encrypted connection strings stored in separate configuration files, and strong passwords or multi-factor authentication?
A) Access control
B) Database security
C) File management
D) Session management
Answer: B) Database security

Which secure coding best practice says that all information passed to other systems should be encrypted?
A) Output encoding
B) Memory management
C) Communication security
D) Database security
Answer: C) Communication security

Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced is a member of the scrum team, responsible for writing feature logic and attending sprint ceremonies.
Which role is the team member playing?