Test 5

Title of test:
Test 5

Description:
Test 5 Q20

Creation Date: 2025/07/04

Category: Others

Number of questions: 31

Content:

Which type of security analysis is performed using automated software tools while an application is running and is most commonly executed during the testing phase of the SDLC?. Dynamic Analysis. Manual Code Review. Static Analysis. Fuzz Testing.

A tester noticed that the order object was transmitted to the POST endpoint of the API as a human-readable JSON object. How should existing security controls be adjusted to prevent this in the future?. Ensure passwords and private information are not logged. Ensure sensitive transactions can be traced through an audit log. Ensure the contents of authentication cookies are encrypted. Ensure all requests and responses are encrypted.

Which DREAD category is based on how easily a threat exploit can be found?. Damage Potential. Affected Users. Discoverability. Reproducibility.

Which category classifies identified threats that do not have defenses in place and expose the application to exploits?. Fully mitigated threat. Threat profile. Unmitigated Threats. Partially mitigated Threat.

Which design and development deliverable contains the types of evaluations that were performed, how many times they were performed, and how many times they were re-evaluated?. Privacy compliance report. Remediation Report. Security testing reports. Security Test execution report.

Base and temporal Common Vulnerability Scoring System (CVSS) scores and a Common Vulnerabilities and Exposures (CVE) ID report of an externally discovered vulnerability. What is the most likely reason for making a public disclosure?. The potential for increased public awareness of a vulnerability is probable, which could lead to higher risk for customers. The vulnerability reporter has threatened to make the finding public after being notified that their case was not credible. The response team has determined that the vulnerability is credible. Notification of a vulnerability from an external party has occurred.

Which secure coding best practice ensures sensitive information is not disclosed in any responses to users, authorized or unauthorized?. Input validation. System configuration. Authentication and password management. Error handling and logging.

A public library needs to implement security control on publicly used computers to prevent illegal downloads. Which security control would prevent this threat?. Non-repudiation. Authentication. Integrity. Availability.

Which security assessment deliverable identifies possible security vulnerabilities in the product?. SDL project outline. Metrics template. Threat profile. List of third-party software.

What security assessment deliverable identifies possible security vulnerabilities in the product?. SDL project outline. Metrics template. Threat Profile. List of Third-party software.

A potential threat was discovered during automated system testing when a PATCH request sent to the API caused an unhandled server exception. The API only supports GET, POST, PUT, and DELETE requests. How should existing security controls be adjusted to prevent this in the future?. Properly configure acceptable API requests. Enforce role-based authorization. Use API keys to enforce authorization of every request. Ensure audit logs are in place for sensitive transactions.

The team delivered a set of scorecards to leadership along with proposed changes designed to improve low-scoring governance, development, and deployment functions. Which software security maturity model did the team use?. Building Security In Maturity Model (BSIMM). Open Web Application Security Project (OWASP) Open Software Assurance Maturity Model (SAMM). U.S. Department of Homeland Security Software Assurance Program. International Organization for Standardization ISO/IEC 27034.

An insecure direct object reference vulnerability was found in a third-party component library that could result in remote code execution. The component library was replaced and is no longer being used within the application. How should the organization remediate this vulnerability?. Ensure sensitive Information is not logged. Ensure Auditing and Logging is enabled on All servers. Access to configuration files is limited to administrators. Enforce the removal of unused dependencies.

Which step in the change management process includes modifying the source code?. Patch management. Installation management. Privacy implementation assessment. Policy compliance analysis.

Which privacy impact statement requirement type defines processes to keep personal information updated and accurate?. Access requirements. Collection of personal information requirements. Data integrity requirements. Personal information retention requirements.

What is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or distribution to provide confidentiality, integrity, and availability?. Availability. Integrity. Confidentiality. Information Security.

They are concentrating on integrations between the new product and database servers, web servers, and web services. Which security testing technique is being used?. Fuzz Testing. Dynamic Code Analysis. Binary Fault injection. Binary Code Analysis.

What sits between a browser and an internet connection and alters requests and responses in a way the developer did not intend?. Load Testing. Input Validation. Intercept Proxy. Reverse Engineering.

Which secure software design principle assumes attackers have the source code and specifications of the product?. Open Design. Psychological Acceptability. Total Mediation. Separation of Privileges.

A potential threat was discovered during vulnerability testing when an environment configuration file was found that contained the database username and password stored in plain text. How should existing security controls be adjusted to prevent this in the future?. Enforce Role-based authorization. Encrypt Secrets in Storage and Transit. Ensure Strong password policies are in Effect. Validate All user input.

Which mitigation technique can be used to fight against a threat where a user may gain access to administrator level functionality?. Encryption. Quality of service. Hashes. Run with least privilege.

Attempting to log in to the new product with a known username using a collection of passwords. Access was granted after a few hundred attempts. How should existing security controls be adjusted to prevent this in the future?. Ensure passwords are encrypted when stored in persistent data stores. Ensure authentication controls are resistant to brute force attacks. Ensure strong password policies are enforced. Ensure credentials and authentication tokens are encrypted during transit.

Which mitigation technique is used to fight against an identity spoofing threat?. Require user authorization. Filtering. Audit trails. Encryption.

While fuzz testing a new product, random values were entered into input elements; search requests were sent to the correct API, but many failed on execution due to type mismatches. How should existing security controls be adjusted to prevent this in the future?. Ensure all user input data is validated prior to transmitting requests. Ensure all requests and responses are encrypted. Ensure sensitive transactions can be traced through an audit log. Ensure the contents of authentication cookies are encrypted.

Which threat modeling step collects exploitable weaknesses within the product?. Analyze the target. Rate threats. Identify and document threats. Set the scope.

Which secure software design principle states that it is always safer to require agreement of more than one entity to make a decision?. Least privilege. Total mediation. Separation of privileges. Psychological Acceptability.

Which category classifies identified threats that have some defenses in place and expose the application to limited exploits?. Fully Mitigated Threat. Unmitigated Threats. Threat Profile. Partially Mitigated Threat.

Which secure coding best practice says to require authentication before allowing any files to be updated and to limit types of files to only those needed for the business purpose?. File management. Communication security. Data Protection. Memory Management.

What is an advantage of using the Agile development methodology?. Customer satisfaction is improved through rapid and continuous delivery of useful software. Each stage is clearly defined, making it easier to assign clear roles to teams and departments who feed into the project. The overall plan fits very neatly into a Gantt chart so a project manager can easily view the project timeline. There is much less predictability throughout the project regarding deliverables.

The security team is identifying technical resources that will be needed to perform the final product security review. What step of the final product security review process are they in?. Release and Ship. Identify Feature eligibility. Evaluate and plan for remediation. Assess resource availability.

Which security assessment deliverable defines measures that can be periodically reported to management?. Metrics Template. SDL Project outline. Threat outline. Product Risk outline.
