Check the Free demo of our Secure-Software-Design Exam Dumps with 67 Questions [Q26-Q42]



Clear your concepts with Secure-Software-Design questions before attempting the real exam

NEW QUESTION # 26
Which step in the change management process includes modifying the source code?

  • A. Patch management
  • B. Policy compliance analysis
  • C. Installation management
  • D. Privacy implementation assessment

Answer: A

Explanation:
Modifying the source code is typically associated with the patch management step in the change management process. Patch management involves the acquisition, testing, and installation of code changes, which can include updates, bug fixes, or improvements to existing software. This step ensures that modifications to the software are made in a controlled and systematic manner, maintaining the integrity and security of the software throughout the change.
References: The information provided aligns with industry-standard practices for change management in software engineering [1].


NEW QUESTION # 27
An individual is developing a software application that has a back-end database and is concerned that a malicious user may run the following SQL query to pull information about all accounts from the database:

Which technique should be used to detect this vulnerability without running the source code?

  • A. Cross-site scripting
  • B. Dynamic analysis
  • C. Fuzz testing
  • D. Static analysis

Answer: D

Explanation:
Static analysis is a method used to detect vulnerabilities in software without executing the code. It involves examining the codebase for patterns that are indicative of security issues, such as SQL injection vulnerabilities. This technique can identify potential threats and weaknesses by analyzing the code's structure, syntax, and data flow.
References:
* Static analysis as a means to identify security vulnerabilities [1].
* The importance of static analysis in the early stages of the SDLC to prevent security issues [2].
* Learning-based approaches to fix SQL injection vulnerabilities using static analysis [3].


NEW QUESTION # 28
The security team has a library of recorded presentations that are required viewing for all new developers in the organization. The video series details organizational security policies and demonstrates how to define, test for, and code for possible threats.
Which category of secure software best practices does this represent?

  • A. Code review
  • B. Training
  • C. Attack models
  • D. Architecture analysis

Answer: B

Explanation:
The category of secure software best practices being described is Training. This is because the focus is on educating new developers about organizational security policies and coding practices to mitigate potential threats. Training is a proactive approach to ensure that developers are aware of security concerns and are equipped with the knowledge to address them in their coding practices.
References: The importance of training in secure software best practices is supported by industry resources such as SAFECode's "Fundamental Practices for Secure Software Development", which emphasizes the need for application security control definition and management [1], and NIST's Secure Software Development Framework (SSDF), which recommends integrating secure development practices throughout the software development lifecycle [2]. Additional support for this category can be found in resources detailing effective secure development practices [3][4][5].


NEW QUESTION # 29
A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retrieve archive documents. Which secure coding practice is this describing?

  • A. Data protection
  • B. Authentication
  • C. Input validation
  • D. Access control

Answer: D

Explanation:
The secure coding practice being described is Access Control. This practice ensures that access to data and features within a system is restricted and controlled. The description given indicates that the product has mechanisms to prevent the display of personally identifiable information (PII), restrict the printing of private documents, and require elevated privileges to access archived documents. These are all measures to control who has access to what data and under what circumstances, which is the essence of access control.
References:
* ISO/IEC 27018, Code of Practice for Protecting Personal Data in the Cloud [1].
* NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) [2].
* ISO/IEC 29151:2017, Code of practice for personally identifiable information protection [3].


NEW QUESTION # 30
Which privacy impact statement requirement type defines how personal information will be protected when authorized or independent external entities are involved?

  • A. Data integrity requirements
  • B. User controls requirements
  • C. Third party requirements
  • D. Personal information retention requirements

Answer: C

Explanation:
The privacy impact statement requirement that defines how personal information will be protected when authorized or independent external entities are involved is best categorized under Third party requirements.
This aspect of privacy impact assessments ensures that personal data is safeguarded even when it is necessary to involve third parties, which could be service providers, partners, or other entities that might handle personal information on behalf of the primary organization. These requirements typically include stipulations for data handling agreements, security measures, and compliance checks to ensure that third parties maintain the confidentiality and integrity of the personal information they process.
References:
* Guide to undertaking privacy impact assessments | OAIC [1]
* A guide to Privacy Impact Assessments - Information and Privacy [2]
* Personal Information Protection Law of China: Key Compliance Considerations [3]
* Privacy Impact Assessment - General Data Protection Regulation (GDPR) [4]
* Privacy impact assessment (PIA) - TechTarget [5]


NEW QUESTION # 31
Which software control test examines the internal logical structures of a program and steps through the code line by line to analyze the program for potential errors?

  • A. Dynamic testing
  • B. Black box testing
  • C. Reasonableness testing
  • D. White box testing

Answer: D

Explanation:
White box testing, also known as clear box testing, glass box testing, transparent box testing, and structural testing, is a method of software testing where the internal structure, design, and coding of the software are tested to verify the flow of input-output and to improve the design, usability, and security. It involves looking at the structures that are internal to the system, with the tester having knowledge of the internal workings of the product. This type of testing is concerned with examining the internal logical structures of the program and is typically performed by stepping through the code line by line to analyze the program for potential errors, which aligns with the description of the control test in question.
References:
* Control Structure Testing - GeeksforGeeks [1]
* What is White Box Testing? - BrowserStack [2]
* Software Testing Strategies, Chapter 18 - IIT [3]


NEW QUESTION # 32
Which threat modeling approach concentrates on things the organization wants to protect?

  • A. Asset-centric
  • B. Server-centric
  • C. Application-centric
  • D. Attacker-centric

Answer: A

Explanation:
The Asset-centric approach to threat modeling focuses on identifying and protecting the assets that are most valuable to an organization. This method prioritizes the assets themselves, assessing their sensitivity, value, and the impact on the business should they be compromised. It is a strategic approach that aims to safeguard the confidentiality, integrity, and availability of the organization's key assets.
References:
* A Review of Asset-Centric Threat Modelling Approaches [1].
* Approaches to Threat Modeling - are you getting what you need? [2].
* What Is Threat Modeling? - CrowdStrike [3].


NEW QUESTION # 33
What sits between a browser and an internet connection and alters requests and responses in a way the developer did not intend?

  • A. Intercept proxy
  • B. Load testing
  • C. Reverse engineering
  • D. Input validation

Answer: A

Explanation:
An intercept proxy, also known as a proxy server, sits between a web client (such as a browser) and an external server to filter, monitor, or manipulate the requests and responses passing through it. This can be used for legitimate purposes, such as security testing and user privacy, but it can also be exploited by attackers to alter web traffic in a way that the developer did not intend, potentially leading to security vulnerabilities.
References:
* Understanding of HTTP and HTTPS protocols [1][2].
* Definition and role of proxy servers [3].


NEW QUESTION # 34
Using a web-based Common Vulnerability Scoring System (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the user authentication component of the company's new product. The base score of the vulnerability was 8.3 and changed to 9.4 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?

  • A. Critical severity
  • B. High severity
  • C. Low severity
  • D. Medium severity

Answer: A

Explanation:
The task described involves assessing a document management application that has been in use for many years to ensure compliance with organizational policies. This typically falls under the category of a security strategy for legacy code. Legacy code refers to software that has been around for a while and may not have been designed with current security standards or organizational policies in mind. A security strategy for legacy code would involve reviewing and updating the application to meet current security requirements and organizational policies, ensuring that it remains secure and compliant over time.
References: The answer is based on standard practices for managing and securing legacy software systems, which include regular assessments and updates to align with current security standards and organizational policies [1].


NEW QUESTION # 35
Which SDL security goal is defined as ensuring timely and reliable access to and use of information?

  • A. Availability
  • B. Confidentiality
  • C. Information security
  • D. Integrity

Answer: A

Explanation:
The term 'availability' in the context of the Secure Software Development Lifecycle (SDL) refers to ensuring that systems, applications, and data are accessible to authorized users when needed. This means that the information must be timely and reliable, without undue delays or interruptions. Availability is a critical aspect of security, as it ensures that the software functions correctly and efficiently, providing users with the information they need to perform their tasks.
References:
* The definition of availability as per the National Institute of Standards and Technology (NIST) Glossary [1].
* The Microsoft Security Development Lifecycle (SDL), which emphasizes the importance of availability in secure software design [2].
* General principles of the Secure Software Development Life Cycle (SSDLC) that include availability as a key security goal [3].


NEW QUESTION # 36
Security testers have completed testing and are documenting the results of vulnerability scans and penetration analysis. They are also creating documentation to share with the organization's largest customers.
Which deliverable is being prepared?

  • A. Remediation report
  • B. Open-source licensing review report
  • C. Security testing reports
  • D. Customer engagement framework

Answer: C

Explanation:
After completing vulnerability scans and penetration analysis, security testers document the results to share with stakeholders, such as the organization's largest customers. The deliverable being prepared in this context is the Security testing reports. These reports typically include detailed findings from the security assessments, explanations of the vulnerabilities discovered, the potential risks they pose, and recommendations for remediation. The purpose of these reports is to provide transparency about the security posture of the software or system and to guide the organization in addressing the identified security issues [1][2].
References:
* https://blog.halosecurity.com/what-really-matters-when-it-comes-to-pentesting-deliverables/


NEW QUESTION # 37
What refers to the review of software source code by developers other than the original coders to try to identify oversights, mistakes, assumptions, a lack of knowledge, or even experience?

  • A. Manual peer review
  • B. User acceptance testing
  • C. Dynamic code review
  • D. Fault injection

Answer: A

Explanation:
Manual peer review refers to the systematic examination of software source code by developers other than the original author. This practice is recognized as a valuable tool for reducing software defects and improving the quality of software projects. It involves developers inspecting the code to find and fix mistakes overlooked in the initial development phase, which enhances both the overall quality of software and the developers' skills.
Peer code review is less formal and more "lightweight" than the code inspections performed in the past, and it provides benefits such as knowledge transfer, increased team awareness, and creation of alternative solutions to problems.
References:
* Expectations, Outcomes, and Challenges of Modern Code Review [1]
* Introduction to Software Engineering/Quality/Code Review [2]
* Software Security during Modern Code Review: The Developer's Perspective [3]


NEW QUESTION # 38
Which type of security analysis is limited by the fact that a significant time investment of a highly skilled team member is required?

  • A. Dynamic code analysis
  • B. Static code analysis
  • C. Fuzz testing
  • D. Manual code review

Answer: D

Explanation:
Manual code review is a type of security analysis that requires a significant time investment from a highly skilled team member. This process involves a detailed and thorough examination of the source code to identify security vulnerabilities that automated tools might miss. It is labor-intensive because it relies on the expertise of the reviewer to understand the context, logic, and potential security implications of the code. Unlike automated methods such as static or dynamic code analysis, manual code review demands a deep understanding of the codebase, which can be time-consuming and requires a high level of skill and experience.
References: The information provided here is based on industry best practices and standards for secure software design and development, as well as my understanding of security analysis methodologies [1][2].


NEW QUESTION # 39
Which privacy impact statement requirement type defines processes to keep personal information updated and accurate?

  • A. Collection of personal information requirements
  • B. Access requirements
  • C. Personal information retention requirements
  • D. Data integrity requirements

Answer: D

Explanation:
Data integrity requirements within a privacy impact statement ensure that personal information is maintained in an accurate and up-to-date manner. This involves establishing processes to regularly review and update personal data, as well as correct any inaccuracies. These requirements are crucial for maintaining the trustworthiness of the data and ensuring that decisions made based on this information are sound and reliable.
References:
* The Office of the Privacy Commissioner of Canada's guide on the Privacy Impact Assessment process emphasizes the importance of accuracy and currency of personal information [1].
* The European Union's General Data Protection Regulation (GDPR) outlines principles for data processing, including the necessity for data to be accurate and kept up to date [2].
* The GDPR also includes provisions for data protection impact assessments, which involve documenting processes before starting data processing [3].


NEW QUESTION # 40
Company leadership has discovered an untapped revenue stream within its customer base and wants to meet with IT to share its vision for the future and determine whether to move forward.
Which phase of the software development lifecycle (SDLC) is being described?

  • A. Implementation
  • B. Planning
  • C. Design
  • D. Requirements

Answer: B

Explanation:
The phase being described is the Planning phase of the SDLC. This initial stage involves gathering business requirements and evaluating the feasibility of the project. It is when company leadership would typically meet with IT and other stakeholders to share visions for the future, discuss potential revenue streams, and determine the project's direction before moving forward with development. This phase is crucial for setting the groundwork for all subsequent phases of the SDLC.
References:
* The Software Development Life Cycle (SDLC): 7 Phases and 5 Models [1].
* What Is the Software Development Life Cycle? SDLC Explained [2].
* Software Development Life Cycle (SDLC) Phases & Models [3].


NEW QUESTION # 41
The security team is reviewing whether changes or open issues exist that would affect requirements for handling personal information documented in earlier phases of the development life cycle.
Which activity of the Ship SDL phase is being performed?

  • A. Open-source licensing review
  • B. Final security review
  • C. Vulnerability scan
  • D. Final privacy review

Answer: D

Explanation:
The activity being performed is the final privacy review. This step is crucial in the Ship phase of the Security Development Lifecycle (SDL), where the security team assesses if there are any changes or unresolved issues that could impact the requirements for handling personal information. These requirements are typically documented in the earlier stages of the development lifecycle, and the final privacy review ensures that the software complies with these requirements before release.
References: The explanation is based on the best practices outlined in the SDL Activities and Best Practices, which detail the importance of conducting a final privacy review during the Ship phase to ensure that all privacy issues have been addressed [1][2].


NEW QUESTION # 42
......

Get professional help from our Secure-Software-Design Dumps PDF: https://www.actualtestsit.com/WGU/Secure-Software-Design-exam-prep-dumps.html

Give You Free Regular Updates on Secure-Software-Design Exam Questions: https://drive.google.com/open?id=1PS_IQ_1SVpGzobbu8T3KDuBb9IF_M2HQ