
WGU Master's Course C706 - Secure Software Design Latest Update + Questions and Verified Correct Answers Graded A+


Preview 4 out of 45  pages

  • January 15, 2024
  • 45
  • 2023/2024
  • Exam (elaborations)
  • Questions & answers
Tutordiligent
WGU Master's Course C706 - Secure Software Design Latest Update 2023-2024 240+ Questions and Verified Correct Answers Graded A+

_________ means that designs that are kept secret versus designs that are open to scrutiny are evaluated by the community at large.
- CORRECT ANSWER: Open design

__________ and __________ are the two properties that support confidentiality as one ensures users have the appropriate role and privilege to view data, and the other ensures users are who they claim to be and that the data come from the appropriate place.
A Authorization, authentication
B Availability, authenticity
C Access, authorization
D Asymmetry, access
- CORRECT ANSWER: A

__________ is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services.
A BSI
B NCSD
C SAFECode
D SDLC
- CORRECT ANSWER: C

__________ is a white-box security analysis of a software system to simulate the actions of a hacker, with the objective of uncovering potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses.
A Vulnerability scanning
B Penetration testing
C Code analysis
D Fuzzing
- CORRECT ANSWER: B

__________ is an important component of the SDL process and should be considered a system design principle of significant importance in all phases of the SDLC. A failure to protect it will lead to an erosion of trust.
A Authenticity
B Privacy
C Confidentiality
D Integrity
- CORRECT ANSWER: B

__________ is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time.
A Static program analysis
B Scratching
C Dynamic program analysis
D Fuzzing
- CORRECT ANSWER: C

__________ is the application of multiple layers of protection, such that a subsequent layer will provide protection if a previous layer is breached.
A Least privilege
B Separation of duties
C Defense in depth
D Fail safe policy
- CORRECT ANSWER: C

__________ software is a way to envision the interactions of the proposed software within its intended environment.
A Analyzing
B Validating
C Modeling
D Pentesting
- CORRECT ANSWER: C

___________ means that if a system fails, it should fail to a state where the security of the system and its data are not compromised. In the situation where system recovery is not done automatically, the failed system should permit access only by the system administrator and not by users, until security controls are reestablished.
- CORRECT ANSWER: Fail safe

___________ modeling and ____________ surface validation are perhaps the most time-consuming, misunderstood, and difficult parts of the SDL. This requires the attention of the most seasoned and experienced person of the software security team: the software security architect.
- CORRECT ANSWER: Threat, attack

____________ is to provide assurance to management of the effectiveness of the security program and compliance with regulations.
- CORRECT ANSWER: Role of Audit

____________ security is about building secure software: designing software to be secure; making sure that software is secure; and educating software developers, architects, and users about how to "build security in". ______________ security is about protecting software and the systems that software runs in a post facto, only after development is complete.
- CORRECT ANSWER: Software, Application

____________ software attacks are highly repeatable, use general targeting against a broad industry (e.g., military, finance, energy) or groups of individuals (e.g., politicians, executives), and must have long-term staying power. HINT: They are less sophisticated in comparison to TACTICAL threats and typically are lower in cost to develop and maintain.
- CORRECT ANSWER: Strategic

_____________ is where every request by a subject to access an object in a computer system must undergo a valid and effective authorization procedure.
- CORRECT ANSWER: Complete mediation

_____________ requirements describe what an application must do to serve a business need. For example, an application must be able to allow a consumer to complete their transaction on the site using a credit card.
- CORRECT ANSWER: Functional

_____________ tests emphasize the personal freedom and responsibility of the individual tester to continually optimize the quality of his or her work by treating test-related learning, test design, test execution, and test result interpretation as mutually supportive activities that run in parallel throughout the project.
- CORRECT ANSWER: Exploratory

______________ requirements address how well the functional requirements are met, or to put it another way, they constrain the functional requirements to specified operating ranges. They address areas such as capacity planning, uptime, response times, maintainability, and portability (web, mobile, etc.). Think of them like guardrails on a highway - you are free to operate on the road within the boundaries of the guardrails.
- CORRECT ANSWER: Nonfunctional

_______________ cyber threats are typically surgical by nature, have highly specific targeting, and are technologically sophisticated.
- CORRECT ANSWER: Tactical

_______________ states that a minimum number of protective mechanisms should be common to multiple users, as shared access paths can be sources of unauthorized information exchange. Shared access paths that provide unintentional data transfers are known as covert channels. It promotes the least possible sharing of common security mechanisms.
- CORRECT ANSWER: Least common mechanism

_________________ promotes simple and comprehensible design and implementation of protection mechanisms, so that unintended access paths do not exist or can be readily identified and eliminated.
- CORRECT ANSWER: Economy of mechanism

______________________ are typically done as a line-by-line inspection of the software to determine any security vulnerabilities in the software product. This will include a thorough review of programming ____________ of multitier and multicomponent enterprise software products.
- CORRECT ANSWER: Manual security code reviews, source code

A __________ is a team solely dedicated to conduct security M&A assessments, third-party reviews, post-release certifications, internal reviews for new product combinations of cloud deployments, and review for legacy software that is still in use or about to be re-used.
A PSIRT
B SDLC
C NCSD
D SAMATE
- CORRECT ANSWER: A

A __________ means that if a system ceases to function, it moves to a state where the security of the system and its data are not compromised.
A fail safe policy
B least privilege
C separation of duties
D defense in depth
- CORRECT ANSWER: A

A bank is developing a new checking account application for customers and needs to implement a security control that is effective at preventing an elevation of privilege attack. Which security control is effective at preventing this threat action?
A Integrity
B Authorization
C Authentication
D Confidentiality
- CORRECT ANSWER: B

A company is creating a new software to track customer balance and wants to design a secure application. Which best practice should be applied?
A Develop a secure authentication method that has a closed design
