D487: SECURE SOFTWARE DESIGN QUESTIONS,
SECURE SOFTWARE DESIGN SDL STAGES AND
BEST PRACTICES, SECTON 4, SECTION 3, SECTION
2, SECTION 1, SECURITY DEVELOPMENT LIFE CYCLE
- DELIVERABLES, D487, WGU C706 STUDY GUIDE
(SECURE SOFTWARE DESIGN STUDY GUIDE)
What are the two common best principles of software applications in the development
process? Choose 2 answers.
Quality code
Secure code
Information security
Integrity
Availability - Answers :Quality code
Secure code
"Quality code" is correct. Quality code is efficient code that is easy to maintain and
reusable.
"Secure code" is correct. Secure code authorizes and authenticates every user
transaction, logs the transaction, and denies all unauthorized requisitions.
What ensures that the user has the appropriate role and privilege to view data?
Authentication
Multi-factor authentication
Encryption
Information security
Authorization - Answers :Authorization
Authorization ensures a user's information and credentials are approved by the system.
Which security goal is defined by "guarding against improper information modification or
destruction and ensuring information non-repudiation and authenticity"?
Integrity
Quality
Availability
Reliability - Answers :Integrity
The data must remain unchanged by unauthorized users and remain reliable from the
data entry point to the database and back.
Which phase in an SDLC helps to define the problem and scope of any existing
systems and determine the objectives of new systems?
Requirements
,Design
Planning
Testing - Answers :Planning
The planning stage sets the project schedule and looks at the big picture.
What happens during a dynamic code review?
Programmers monitor system memory, functional behavior, response times, and overall
performance.
Customers perform tests to check software meets requirements.
An analysis of computer programs without executing them is performed.
Input fields are supplied with unexpected input and tested. - Answers :Programmers
monitor system memory, functional behavior, response times, and overall performance.
How should you store your application user credentials in your application database?
Use application logic to encrypt credentials
Store credentials as clear text
Store credentials using Base 64 encoded
Store credentials using salted hashes - Answers :Store credentials using salted hashes
Hashing is a one-way process that converts a password to ciphertext using hash
algorithms. Password salting adds random characters before or after a password prior
to hashing to obfuscate the actual password.
Which software methodology resembles an assembly-line approach?
V-model
Agile model
Iterative model
Waterfall model - Answers :Waterfall model
Waterfall model is a continuous software development model in which the development
steps flow steadily downwards.
Which software methodology approach provides faster time to market and higher
business value?
Iterative model
Waterfall model
V-model
Agile model - Answers :Agile model
In the agile model, projects are divided into small incremental builds that provide
working software at the end of each iteration and adds value to business.
In Scrum methodology, who is responsible for making decisions on the requirements?
Scrum Team
Product Owner
,ScrumMaster
Technical Lead - Answers :Product Owner
The Product Owner is responsible for requirements/backlog items and prioritizing them.
What is the reason software security teams host discovery meetings with stakeholders
early in the development life cycle?
To determine how much budget is available for new security tools
To meet the development team
To refactor functional requirements to ensure security is included
To ensure that security is built into the product from the start - Answers :To ensure that
security is built into the product from the start
To correctly and cost-effectively introduce security into the software development life
cycle, it needs to be done early.
Why should a security team provide documented certification requirements during the
software assessment phase?
Certification is required if the organization wants to move to the cloud.
Depending on the environment in which the product resides, certifications may be
required by corporate or government entities before the software can be released to
customers.
By ensuring software products are certified, the organization is protected from future
litigation.
By ensuring all developers have security certifications before writing any code, teams
can forego discovery sessions. - Answers :Depending on the environment in which the
product resides, certifications may be required by corporate or government entities
before the software can be released to customers.
Any new product may need to be certified based on the data it stores, the frameworks it
uses, or the domain in which it resides. Those certification requirements need to be
analyzed and documented early in the development life cycle.
What are two items that should be included in the privacy impact assessment plan
regardless of which methodology is used?Choose 2 answers.
Required process steps
Technologies and techniques
SDL project outline
Threat modeling
Post-implementation signoffs - Answers :Required process steps
Technologies and techniques
"Required process steps" is correct. Required process steps explain in more detail
which requirements are relevant to developers, detailing what types of data are
considered sensitive and how they need to be protected.
, "Technologies and techniques" is correct. Technologies and techniques detail
techniques for meeting legislative requirements in five categories: Confidentiality,
Integrity, Availability, Auditing and Logging, and Authentication.
What are the goals of each SDL deliverable?
Select one of these options for each deliverable:
-Estimate the actual cost of the product
-Identify dependence on unmanaged software
-Map security activities to the development schedule
-Guide security activities to protect the product from vulnerabilities
Product risk profile
SDL project outline
Threat profile
List of third-party software - Answers :Estimate the actual cost of the product
Map security activities to the development schedule
Guide security activities to protect the product from vulnerabilities
Identify dependence on unmanaged software
The product risk profile helps management see the actual cost of a product.
The SDL project outline maps security activities to the development schedule.
A threat profile guides the security team on how to protect the product from threats.
The third-party software list identifies all components the product is using that are
managed outside the organization.
What is a threat action that is designed to illegally access and use another person's
credentials?
Tampering
Spoofing
Elevation of privilege
Information disclosure - Answers :Spoofing
Spoofing is a threat action that occurs when the cyber criminal acts as a trusted device
to get you to relay secure information.
What are two steps of the threat modeling process?Choose 2 answers.
Survey the application
Decompose the application
Redesign the process to eliminate the threat
Transfer the risk
Identify business requirements - Answers :Survey the application
Decompose the application
SECURE SOFTWARE DESIGN SDL STAGES AND
BEST PRACTICES, SECTON 4, SECTION 3, SECTION
2, SECTION 1, SECURITY DEVELOPMENT LIFE CYCLE
- DELIVERABLES, D487, WGU C706 STUDY GUIDE
(SECURE SOFTWARE DESIGN STUDY GUIDE)
What are the two common best principles of software applications in the development
process? Choose 2 answers.
Quality code
Secure code
Information security
Integrity
Availability - Answers :Quality code
Secure code
"Quality code" is correct. Quality code is efficient code that is easy to maintain and
reusable.
"Secure code" is correct. Secure code authorizes and authenticates every user
transaction, logs the transaction, and denies all unauthorized requisitions.
What ensures that the user has the appropriate role and privilege to view data?
Authentication
Multi-factor authentication
Encryption
Information security
Authorization - Answers :Authorization
Authorization ensures a user's information and credentials are approved by the system.
Which security goal is defined by "guarding against improper information modification or
destruction and ensuring information non-repudiation and authenticity"?
Integrity
Quality
Availability
Reliability - Answers :Integrity
The data must remain unchanged by unauthorized users and remain reliable from the
data entry point to the database and back.
Which phase in an SDLC helps to define the problem and scope of any existing
systems and determine the objectives of new systems?
Requirements
,Design
Planning
Testing - Answers :Planning
The planning stage sets the project schedule and looks at the big picture.
What happens during a dynamic code review?
Programmers monitor system memory, functional behavior, response times, and overall
performance.
Customers perform tests to check software meets requirements.
An analysis of computer programs without executing them is performed.
Input fields are supplied with unexpected input and tested. - Answers :Programmers
monitor system memory, functional behavior, response times, and overall performance.
How should you store your application user credentials in your application database?
Use application logic to encrypt credentials
Store credentials as clear text
Store credentials using Base 64 encoded
Store credentials using salted hashes - Answers :Store credentials using salted hashes
Hashing is a one-way process that converts a password to ciphertext using hash
algorithms. Password salting adds random characters before or after a password prior
to hashing to obfuscate the actual password.
Which software methodology resembles an assembly-line approach?
V-model
Agile model
Iterative model
Waterfall model - Answers :Waterfall model
Waterfall model is a continuous software development model in which the development
steps flow steadily downwards.
Which software methodology approach provides faster time to market and higher
business value?
Iterative model
Waterfall model
V-model
Agile model - Answers :Agile model
In the agile model, projects are divided into small incremental builds that provide
working software at the end of each iteration and adds value to business.
In Scrum methodology, who is responsible for making decisions on the requirements?
Scrum Team
Product Owner
,ScrumMaster
Technical Lead - Answers :Product Owner
The Product Owner is responsible for requirements/backlog items and prioritizing them.
What is the reason software security teams host discovery meetings with stakeholders
early in the development life cycle?
To determine how much budget is available for new security tools
To meet the development team
To refactor functional requirements to ensure security is included
To ensure that security is built into the product from the start - Answers :To ensure that
security is built into the product from the start
To correctly and cost-effectively introduce security into the software development life
cycle, it needs to be done early.
Why should a security team provide documented certification requirements during the
software assessment phase?
Certification is required if the organization wants to move to the cloud.
Depending on the environment in which the product resides, certifications may be
required by corporate or government entities before the software can be released to
customers.
By ensuring software products are certified, the organization is protected from future
litigation.
By ensuring all developers have security certifications before writing any code, teams
can forego discovery sessions. - Answers :Depending on the environment in which the
product resides, certifications may be required by corporate or government entities
before the software can be released to customers.
Any new product may need to be certified based on the data it stores, the frameworks it
uses, or the domain in which it resides. Those certification requirements need to be
analyzed and documented early in the development life cycle.
What are two items that should be included in the privacy impact assessment plan
regardless of which methodology is used?Choose 2 answers.
Required process steps
Technologies and techniques
SDL project outline
Threat modeling
Post-implementation signoffs - Answers :Required process steps
Technologies and techniques
"Required process steps" is correct. Required process steps explain in more detail
which requirements are relevant to developers, detailing what types of data are
considered sensitive and how they need to be protected.
, "Technologies and techniques" is correct. Technologies and techniques detail
techniques for meeting legislative requirements in five categories: Confidentiality,
Integrity, Availability, Auditing and Logging, and Authentication.
What are the goals of each SDL deliverable?
Select one of these options for each deliverable:
-Estimate the actual cost of the product
-Identify dependence on unmanaged software
-Map security activities to the development schedule
-Guide security activities to protect the product from vulnerabilities
Product risk profile
SDL project outline
Threat profile
List of third-party software - Answers :Estimate the actual cost of the product
Map security activities to the development schedule
Guide security activities to protect the product from vulnerabilities
Identify dependence on unmanaged software
The product risk profile helps management see the actual cost of a product.
The SDL project outline maps security activities to the development schedule.
A threat profile guides the security team on how to protect the product from threats.
The third-party software list identifies all components the product is using that are
managed outside the organization.
What is a threat action that is designed to illegally access and use another person's
credentials?
Tampering
Spoofing
Elevation of privilege
Information disclosure - Answers :Spoofing
Spoofing is a threat action that occurs when the cyber criminal acts as a trusted device
to get you to relay secure information.
What are two steps of the threat modeling process?Choose 2 answers.
Survey the application
Decompose the application
Redesign the process to eliminate the threat
Transfer the risk
Identify business requirements - Answers :Survey the application
Decompose the application
