Protecting the software and the systems on which it runs after release, after dev is complete - CORRECT ANSWERS ✔✔Application security

Three core elements of security - CORRECT ANSWERS ✔✔Confidentiality, integrity, and availability (the C.I.A. model)

Tools that look for a fixed set of patterns or rules in the code in a manner similar to virus-checking programs - CORRECT ANSWERS ✔✔Static analysis tools

Ensures that the user has the appropriate role and privilege to view data - CORRECT ANSWERS ✔✔Authorization

Ensures that the user is who he or she claims to be and that the data come from the appropriate place - CORRECT ANSWERS ✔✔Authentication

Question 4:
What is responsible for preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information? - CORRECT ANSWERS ✔✔Confidentiality

Q5:
What is responsible for guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity? - CORRECT ANSWERS ✔✔Integrity

Q6:
Which concept in the software life cycle understands the potential security threats to the system, determines risk, and establishes appropriate mitigations? - CORRECT ANSWERS ✔✔Threat modeling

Q7:
The idea behind __________ is simply to understand the potential security threats to the system, determine risk, and establish appropriate mitigations. When it is performed correctly, it occurs early in the project life cycle and can be used to find security design issues before code is committed. - CORRECT ANSWERS ✔✔threat modeling

Q8:
__________ is about building secure software: designing software to be secure; making sure that software is secure; and educating software developers, architects, and users about how to build security in. - CORRECT ANSWERS ✔✔software security

Q9:
__________, as the name suggests, is really aimed at developing secure software, not necessarily quality software - CORRECT ANSWERS ✔✔SDL methodology

The most well-known SDL model is the __________, a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. This is considered the most mature of the top three models. - CORRECT ANSWERS ✔✔Trustworthy Computing Security Development Lifecycle

__________: This is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time. It is a set of best practices that Cigital developed by analyzing real-world data from nine leading software security initiatives and creating a framework based on common areas of success. There are 12 practices organized into four domains. These practices are used to organize the 109 BSIMM activities (BSIMM 4 has a total of 111 activities). - CORRECT ANSWERS ✔✔BSIMM (short for Building Security In Maturity Model)

__________ provides guidance to help organizations embed security within their processes, including application lifecycle processes, that help to secure applications running in the environment. It is a risk-based framework to continuously improve security through process integration and improvements in managing applications. It takes a process approach by design. - CORRECT ANSWERS ✔✔The ISO/IEC 27034 standard

__________ is a nonprofit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services. - CORRECT ANSWERS ✔✔The Software Assurance Forum for Excellence in Code (SAFECode)

__________ is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. - CORRECT ANSWERS ✔✔The NIST SAMATE (Software Assurance Metrics and Tool Evaluation) project