Exam (elaborations)

D487 - SECURE SOFTWARE DESIGN KNOWLEDGE CHECK AND QUIZ

Pages
6
Grade
A+
Uploaded on
30-05-2025
Written in
2024/2025


Institution
D487
Course
D487









Contains
Questions & answers




What are the two common best principles of software applications in the development
process? - Answers :Quality Code & Secure Code

What ensures that the user has the appropriate role and privilege to view data? -
Answers :Authorization

Which security goal is defined by "guarding against improper information modification or
destruction and ensuring information non-repudiation and authenticity"? - Answers
:Integrity

Which phase in an SDLC helps to define the problem and scope of any existing
systems and determine the objectives of new systems? - Answers :Planning

What happens during a dynamic code review? - Answers :Programmers monitor system
memory, functional behavior, response times, and overall performance.

How should you store your application user credentials in your application database? -
Answers :Store credentials using salted hashes

Which software methodology resembles an assembly-line approach? - Answers
:Waterfall model

Which software methodology approach provides faster time to market and higher
business value? - Answers :Agile model

In Scrum methodology, who is responsible for making decisions on the requirements? -
Answers :Product Owner

What is the product risk profile? - Answers :A security assessment deliverable that
estimates the actual cost of the product

A software security team member has been tasked with creating a deliverable that
provides details on where and to what degree sensitive customer information is
collected, stored, or created within a new product offering.

What does the team member need to deliver in order to meet the objective? - Answers
:Privacy impact assessment

A software security team member has been tasked with creating a threat model for the
login process of a new product. What is the first step the team member should take? -
Answers :Identify security objectives

What are three parts of the STRIDE methodology? - Answers :Spoofing, Elevation,
Tampering

What is the reason software security teams host discovery meetings with stakeholders
early in the development life cycle? - Answers :To ensure that security is built into the
product from the start

Why should a security team provide documented certification requirements during the
software assessment phase? - Answers :Depending on the environment in which the
product resides, certifications may be required by corporate or government entities
before the software can be released to customers.

What are two items that should be included in the privacy impact assessment plan
regardless of which methodology is used? - Answers :Required process steps &
Technologies and techniques

What are the goals of each SDL deliverable? - Product Risk Profile - Answers :Estimate
the actual cost of the product

What are the goals of each SDL deliverable? - SDL project outline - Answers :Map
security activities to the development schedule

What are the goals of each SDL deliverable? - Threat profile - Answers :Guide security
activities to protect the product from vulnerabilities

What are the goals of each SDL deliverable? - List of third-party software - Answers
:Identify the dependence on unmanaged software

What is a threat action that is designed to illegally access and use another person's
credentials? - Answers :Spoofing

What are two steps of the threat modeling process? - Answers :Survey the application
& Decompose the application

What do the "A" and the first "D" in the DREAD acronym represent? - Answers :Damage
& Affected Users

Which shape indicates each type of flow diagram element? - External elements -
Answers :Rectangle

Which shape indicates each type of flow diagram element? - Data Store - Answers :Two
parallel horizontal lines

Get to know the seller

GEEKA YALA UNIVERSITY