Test 1
Title of test: Test 1
Description: Comptest 1 20Q




1. Defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that the team must identify primary security and privacy contacts?
   - Final Security Review requirement
   - Bucket requirement
   - Every-sprint requirement
   - One-time requirement

2. Which question reflects the security change management component of the change management process?
   - How critical is the software to meeting the customer's mission?
   - What threats are possible in the environment where the software will be operating?
   - Which security objectives are required by the software?
   - How is remote administration secured?

3. In which step of the PASTA threat modeling methodology will the team capture infrastructure, application, and software dependencies?
   - Attack modeling
   - Define technical scope
   - Define objectives
   - Risk and impact analysis

4. What are the three primary goals of the secure software development process?
   - Performance, reliability, and maintainability
   - Cost, speed to market, and profitability
   - Redundancy, scalability, and portability
   - Confidentiality, integrity, and availability

5. A single application-level authorization component that will lock down the application if it cannot access its configuration information. Which secure coding practice does this describe?
   - Access control
   - Data protection
   - Session management
   - Communication security

6. Developers are currently determining how to deliver each part of the overall product. Which phase of the SDLC is this?
   - Maintenance
   - End of life
   - Deployment
   - Design

7. Identified threats that have defenses in place and do not expose the application to exploits are known as which of the following?
   - Threat profile
   - Fully mitigated threat
   - Partially mitigated threat
   - Unmitigated threats

8. Leadership has decided that it is in the best interests of the company to become ISO 27001 compliant. What security development life cycle deliverable is being described?
   - External vulnerability disclosure response process
   - Third-party security review
   - Security strategy for M&A products
   - Post-release certifications

9. A practice involves clearing all local storage and automatically logging a user out after an hour of inactivity. Which secure coding practice does this describe?
   - Access control
   - System configuration
   - Communication security
   - Session management

10. The team is also creating documentation to share with the organization's largest customers. Which deliverable is this?
    - Open-source licensing
    - Customer engagement framework
    - Remediation report
    - Security testing reports

11. Assume all incoming data should be considered untrusted and should be validated to ensure the system only accepts valid data. Which secure coding practice does this describe?
    - General coding practices
    - Input validation
    - Session management
    - System configuration

12. Testers were able to view credit card numbers as clear text. How should this be remediated?
    - Never cache sensitive data
    - Ensure there is an audit trail for all sensitive transactions
    - Ensure all data in transit is encrypted
    - Enforce role-based authorization controls in all application layers

13. Assessing a document management application that has been in use for many years and developing a plan to ensure it complies with organizational policies. Which deliverable is this?
    - Security strategy for M&A products
    - Security strategy for legacy code
    - Post-release certifications
    - External vulnerability disclosure response process

14. Ensures sensitive information is not disclosed in any responses to users, authorized or unauthorized. Which secure coding practice does this describe?
    - Authentication and password management
    - Input validation
    - System configuration
    - Error handling and logging

15. Details organizational security policies and demonstrates how to define, test for, and code for possible threats. Which secure software best practice does this represent?
    - Attack models
    - Training
    - Architecture analysis
    - Code review

16. The abstraction layer of a computing environment can only access the information and resources that are necessary for its legitimate purpose. Which principle does this describe?
    - Privacy
    - Principle of least privilege
    - Elevation of privilege
    - Confidentiality

17. The team is reviewing whether changes or open issues exist that would affect the requirements for handling personal information documented in earlier phases of the development life cycle. Which SDL phase is being performed?
    - Vulnerability scan
    - Final Security Review
    - Open-source licensing review
    - Final Privacy Review

18. A flaw could allow attackers to return the contents of a system file by including a specific payload in an XML request. How should it be remediated?
    - Ensure audit trails exist for all sensitive transactions
    - Disable resolution of external entities in the parsing library
    - Enforce role-based authorization in all application layers
    - Ensure authentication cookies are encrypted

19. The amount of test data grew exponentially overnight. Which testing technique does this describe?
    - Dynamic analysis
    - Fuzzing
    - Threat model
    - Static analysis

20. Defines how personal information will be protected when authorized or independent external entities are involved. Which privacy requirement is this?
    - Personal information retention requirements
    - User controls requirements
    - Third-party requirements
    - Data integrity requirements