D487 QUESTIONS & ANSWERS
What is a study of real-world software security initiatives organized so companies can measure their initiatives and understand how to evolve them over time? - Answers: Building Security In Maturity Model (BSIMM)

Which secure coding best practice says to use parameterized queries, encrypted connection strings stored in separate configuration files, and strong passwords or multi-factor authentication? - Answers: Database security

The software security team is currently working to identify approaches for input validation, authentication, authorization, and configuration management of a new software product so they can deliver a security profile. Which threat modeling step is being described? - Answers: Analyzing the target

Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced is a member of the scrum team, responsible for writing feature logic and attending sprint ceremonies. Which role is the team member playing? - Answers: Software developer

Which mitigation technique can be used to fight against a data tampering threat? - Answers: Digital signatures

What is a countermeasure to the web application security frame (ASF) configuration management threat category? - Answers: Service accounts have no administration capabilities.

Which type of requirement specifies that credit card numbers displayed in the application will be masked so they only show the last four digits? - Answers: Privacy requirement

Which type of requirement specifies that credit card numbers are designated as highly sensitive confidential personal information? - Answers: Data classification requirement

Which architecture deliverable identifies whether the product adheres to organization security rules? - Answers: Policy compliance analysis

The project team received a SonarQube report of their most recent stage deployment that contains 15 vulnerabilities that must be fixed before the product may be released to production. Which security testing technique is being used? - Answers: Source-code analysis

Organizational leadership is considering buying a competitor and has asked the software security team to develop a plan to ensure the competitor's point-of-sale system complies with organizational policies. Which post-release deliverable is being described? - Answers: Security strategy for M&A products