Exam All Combined Review Questions With Revised Correct Answers
What does DREAD stand for? - ANSWER damage potential, reproducibility, exploitability, affected users, and discoverability
What is a weakness that can be exploited? - ANSWER vulnerability
What is a unified conceptual framework for security auditing? - ANSWER Trike Threat Model
What is the path an attacker can take to exploit a vulnerability? - ANSWER threat vector
What is reusable software developed externally from the organization's platforms? - ANSWER third party codes
What is maliciously changing or modifying persistent data? - ANSWER Tampering
What defines what needs to be protected and how it will be protected? - ANSWER software security policy
What is performing illegal operations in a system that lacks the ability to trace the prohibited operations? - ANSWER repudiation
What is determining the fundamental functions of an app? - ANSWER application decomposition
What are threat models focused around senior management and protecting the assets of an organization? - ANSWER asset-centric threat modeling
What are threat models that start with visualizing the application you are building? - ANSWER application-centric threat modeling
During what phase of the SDL is any policy that exists outside of the SDL policy reviewed? - ANSWER A3 Design and Development
A software security team member has been tasked with creating a threat model for the login process of a new product. What is the first step the team member should take? - ANSWER identify security objectives
What is the reason software security teams host discovery meetings with stakeholders early in the development life cycle? - ANSWER To ensure that security is built into the product from the start
Why should a security team provide documented certification requirements during the software assessment phase? - ANSWER Depending on the environment in which the product resides, certifications may be required by corporate or government entities before the software can be released to customers.
What are two items that should be included in the privacy impact assessment plan regardless of which methodology is used? - ANSWER Required process steps, technologies and techniques
What are the goals of the product risk profile in the SDL deliverable? - ANSWER Estimate the actual cost of the product
What are the goals of the SDL project outline in the SDL deliverable? - ANSWER map security activities to the development schedule
What are the goals of the threat profile in the SDL deliverable? - ANSWER Guide security activities to protect the product from vulnerabilities
What are the goals of listing the third party software in the SDL deliverable? - ANSWER identify dependence on unmanaged software