A. Repeatability
B. Reciprocity
C. Reconstruction
D. Reproducibility
✔ Correct Answer: B. Reciprocity
Rationale:
In DREAD, Reciprocity refers to how easily an attack can be repeated or reproduced by others.
2. The security team is reviewing whether new security requirements can be implemented before
releasing a new product. Which Ship SDL phase activity is this?
A. Policy compliance analysis
B. Policy compliance review
C. Every-sprint requirement
D. Final security review
✔ Correct Answer: B. Policy compliance review
Rationale:
Policy compliance review checks whether new or updated security requirements can be implemented
before the product ships.
3. What type of analysis involves executing software on a real or virtual processor in real time?
A. Coverage analysis
B. Static analysis
C. Dynamic analysis
D. Memory analysis
✔ Correct Answer: C. Dynamic analysis
Rationale:
Dynamic analysis runs the program during execution to observe its real-time behavior.
4. After confirming a vulnerability and developing a fix scheduled for release, what is the next step for
the security response team?
A. Notify customers that the fix is available
B. Notify the reporter the case is closing
C. Identify resources and schedule the fix
D. Identify the team that owns the product
✔ Correct Answer: A. Notify customers that the fix is available
Rationale:
Once a patch is ready and scheduled, the team must inform customers so they know a fix will be
released.
5. What is a countermeasure for the Web Application Security Frame (ASF) configuration management
threat category?
A. Static analysis
B. Security requirement
C. Privacy requirement
D. Compliance requirement
✔ Correct Answer: B. Security requirement
Rationale:
A security requirement helps ensure proper configuration management and reduces related security
risks.
6. During sprint zero, a team member who writes feature logic and attends all sprint
ceremonies is being introduced. Which role does this person play?
A. Web developer
B. Software engineer
C. Software developer
D. Systems analyst
✔ Correct Answer: C. Software developer
Rationale:
A software developer writes the application logic and participates in sprint activities as part of the Scrum
team.
7. Which secure coding best practice uses well-tested, publicly available algorithms to protect data
from unauthorized access?
A. System configuration
B. Digital signatures
C. Cryptographic practices
D. Database security
✔ Correct Answer: C. Cryptographic practices
Rationale:
Cryptographic practices ensure data confidentiality by using strong, vetted encryption algorithms.
8. PSIRT has confirmed a vulnerability is credible and high severity. What is the next step?
A. Identify internal resources
B. Identify resources and schedule the fix
C. Create the SDL project outline
D. Notify customers that the fix is available
✔ Correct Answer: B. Identify resources and schedule the fix
Rationale:
After confirming a vulnerability, PSIRT must assign resources and plan the fix before notifying
customers.
9. A security analyst cracked user passwords because simple hashes were used. How should the
organization remediate the issue?
A. Enforce the use of strong, salted hashing functions
B. Ensure server-side queries are parameterized
C. Apply a security strategy for M&A products
D. Use the principle of least privilege
✔ Correct Answer: A. Enforce the use of strong, salted hashing functions
Rationale:
Passwords should always be stored using strong, salted cryptographic hashing to prevent cracking.
10. The security team is reviewing threat models, vulnerabilities, and requirements while running
static and dynamic analysis before release. Which Ship SDL activity is this?
A. Code-assisted penetration testing
B. Open-source licensing review