Test 4

Title of test:
Test 4

Description:
Test 4, 20 questions

Creation Date: 2025/07/02

Category: Others

Number of questions: 20

Content:

Which deliverable identifies the organization's tolerance to security issues and how the organization plans to react if a security issue occurs?
   a) Threat modeling artifacts
   b) Risk Mitigation Plan
   c) Business Requirements
   d) Policy Compliance Analysis

Which threat modeling step assigns a score to discovered threats?
   a) Rate Threats
   b) Analyze the Target
   c) Identify and Document Threats
   d) Set the Scope

Which type of security analysis is performed by reviewing source code line by line after other security analysis techniques have been executed?
   a) Dynamic Analysis
   b) Static Analysis
   c) Manual Code Review
   d) Fuzz Testing

A team is reviewing a list of work items to determine how many they feel can be added to their sprint backlog and completed within the next two-week iteration. Which Scrum ceremony is the team participating in?
   a) Daily Scrum
   b) Sprint Planning
   c) Sprint Retrospective
   d) Sprint Review

The software security team prepared a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute. Which design and development deliverable did the team prepare?
   a) Design Security Review
   b) Updated Threat Modeling Artifacts
   c) Privacy Implementation Assessment Results
   d) Security Test Plans

Which security assessment deliverable identifies unmanaged code that must be kept up to date throughout the life of the product?
   a) Threat Profile
   b) Metrics Template
   c) Product Risk Profile
   d) List of Third-Party Software

Which secure coding practice requires users to log in to their accounts using an email address and a password they choose?
   a) Access Control
   b) Data Protection
   c) Input Validation
   d) Authentication

The software security team is using an automation tool that generates random data, inputs it into every field of the new product, and tracks the results. Which security testing technique is being used?
   a) Black-Box Debugging
   b) Fuzz Testing
   c) Binary Code Analysis
   d) Byte Code Analysis
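
The technique in this question, as an added worked example (not part of the quiz): a small field-by-field fuzzer. The target function, its field names, the seed corpus and the baseline values are all constructed for this example. The handler has two deliberately realistic gaps: `str.isdigit()` accepts Unicode digits such as "²" that `int()` then rejects, and an email parser that assumes exactly one "@". The fuzzer keeps every other field valid, varies one field at a time, and records the first input that raised each exception type, which is the "track results" part of the question.

```python
import random
from typing import Callable, Dict


def process_order_form(fields: Dict[str, str]) -> Dict[str, object]:
    """Constructed fuzz target (hypothetical; not from the quiz) with two validation gaps."""
    quantity = fields["quantity"]
    # Gap 1: str.isdigit() accepts Unicode digits such as "²" that int() rejects.
    if not quantity.isdigit():
        return {"error": "quantity must be a whole number"}
    qty = int(quantity)
    # Gap 2: assumes exactly one "@"; "nobody" or "a@b@c" raises ValueError.
    local, domain = fields["email"].split("@")
    try:
        discount = float(fields["discount"])  # this field is validated correctly
    except ValueError:
        return {"error": "discount must be numeric"}
    note = fields["note"][:200]  # truncation to a fixed length; cannot fail
    return {"qty": qty, "email": f"{local}@{domain}", "discount": discount, "note": note}


# Known-good values; the fuzzer varies one field at a time and keeps the rest valid.
BASELINE = {"quantity": "2", "email": "user@example.com", "discount": "0.1", "note": "ok"}
# Seed corpus of boundary and "odd" values (constructed), then random mutations of them.
SEED_CORPUS = ["", " ", "²", "٣", "-1", "0" * 300, "nobody", "a@b@c", "x" * 10000,
               "' or '1'='1", "\x00", "😀", "1e309", "NaN"]
ALPHABET = "abc019²٣@.-_%'\"\\<> \x00😀"


def mutate(rng: random.Random, value: str) -> str:
    """One random edit: insert, delete or replace a character, or double the string."""
    op = rng.choice(("insert", "delete", "replace", "repeat"))
    if op == "repeat":
        return value * 2
    if op == "insert" or not value:
        pos = rng.randrange(len(value) + 1)
        return value[:pos] + rng.choice(ALPHABET) + value[pos:]
    pos = rng.randrange(len(value))
    if op == "delete":
        return value[:pos] + value[pos + 1:]
    return value[:pos] + rng.choice(ALPHABET) + value[pos + 1:]


def fuzz_field(target: Callable, field: str, iterations: int = 300, seed: int = 1) -> Dict[str, str]:
    """Return {exception name: first input that raised it} for one field."""
    rng = random.Random(seed)
    findings: Dict[str, str] = {}
    for i in range(iterations):
        value = SEED_CORPUS[i] if i < len(SEED_CORPUS) else mutate(rng, rng.choice(SEED_CORPUS))
        fields = dict(BASELINE, **{field: value})
        try:
            target(fields)  # a returned error dict is fine; an uncaught exception is a finding
        except Exception as exc:
            findings.setdefault(type(exc).__name__, value)
    return findings


def fuzz_form(target: Callable, iterations: int = 300) -> Dict[str, Dict[str, str]]:
    """Fuzz every field of BASELINE and keep only the fields that crashed."""
    results = {}
    for field in BASELINE:
        found = fuzz_field(target, field, iterations)
        if found:
            results[field] = found
    return results


if __name__ == "__main__":
    for field, found in fuzz_form(process_order_form).items():
        for exc_name, sample in found.items():
            print(f"{field}: {exc_name} on {sample!r}")
```

Running it reports a ValueError on the quantity field for "²" and on the email field for the empty string, while the discount and note fields never crash. That asymmetry is the value of the run: fuzzing does not prove a field safe, but a field that survives the same corpus the others failed on tells the reviewer where to spend manual effort.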

Which design and development deliverable contains the results of each type of evaluation that was performed and the type and number of vulnerabilities discovered?
   a) Security Test Execution Report
   b) Security Testing Reports
   c) Privacy Compliance Report
   d) Remediation Report

Production web servers were responding to ping requests with server type, version, and operating system, which attackers could leverage to plan attacks. How should the organization remediate this vulnerability?
   a) Ensure servers are configured to return as little information as possible to network requests
   b) Ensure servers are regularly updated with the latest security patches
   c) Always uninstall or disable features that are not required
   d) Limit access to configuration files to administrators

During penetration testing, an analyst was able to create hundreds of user accounts by executing a script that sent individual requests to the registration endpoint. How should the organization remediate this vulnerability?
   a) Use a tool like CAPTCHA to prevent batched registrations and bots
   b) Enforce strong password complexity standards
   c) Enforce idle time-outs on session IDs
   d) Ensure all data is encrypted in transit
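
An added example of the control a practitioner would put next to the CAPTCHA gate in this scenario (example code, not from the quiz): a per-client sliding-window rate limiter in front of the registration endpoint, with the pentester's script replayed against it. The endpoint, the client IPs (documentation ranges), the limits and the CAPTCHA verdict (passed in as a plain bool because the real check is a call to a CAPTCHA provider) are all assumptions of this example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple


class SlidingWindowLimiter:
    """Allow at most max_requests per key within any window_seconds span."""

    def __init__(self, max_requests: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock  # injectable so the simulation below can control time
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        stamps = self.hits[key]
        while stamps and now - stamps[0] >= self.window:  # drop timestamps outside the window
            stamps.popleft()
        if len(stamps) >= self.max_requests:
            return False
        stamps.append(now)
        return True


def register(limiter: SlidingWindowLimiter, client_ip: str, email: str, captcha_ok: bool) -> str:
    """Hypothetical registration endpoint: cheap checks first, CAPTCHA verdict before creation."""
    if not limiter.allow(client_ip):
        return "429 Too Many Requests"
    if not captcha_ok:  # verdict from the CAPTCHA provider; stands in for the real call here
        return "400 CAPTCHA failed"
    return f"201 Created {email}"


class FakeClock:
    """Deterministic clock for the simulation."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate_scripted_burst(attempts: int = 100, limit: int = 5,
                            window: float = 60.0) -> Tuple[Dict[str, int], bool, bool]:
    """Replay the pentester's script: `attempts` registrations from one IP within one second."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit, window, clock)
    outcomes: Dict[str, int] = defaultdict(int)
    for i in range(attempts):
        clock.now += 1.0 / attempts
        status = register(limiter, "203.0.113.7", f"bot{i}@example.com", captcha_ok=True)
        outcomes[status.split(" ", 1)[0]] += 1
    # A different client is unaffected, and the blocked one recovers once the window has passed.
    other_ok = register(limiter, "198.51.100.9", "human@example.com", True).startswith("201")
    clock.now += window
    recovered = register(limiter, "203.0.113.7", "later@example.com", True).startswith("201")
    return dict(outcomes), other_ok, recovered


if __name__ == "__main__":
    print(simulate_scripted_burst())
```

With the defaults, the burst yields 5 "201" and 95 "429" responses, the second client is never blocked, and the first is admitted again after the window elapses. Keying on client IP alone is a known weakness (a botnet or a proxy pool spreads requests over many addresses), which is why the question's answer, a CAPTCHA, is the primary control and the limiter is the backstop.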

The software security team prepared a report of the necessary coding and architecture changes identified during the security assessment. Which design and development deliverable did the team prepare?
   a) Updated Threat Modeling Artifacts
   b) Security Test Plans
   c) Privacy Implementation Assessment Results
   d) Design Security Review

The CISO has recommended contracting with external experts to perform annual reviews of the enterprise's software products, including penetration testing. Which post-release deliverable is being described?
   a) Security Strategy for Legacy Code
   b) Post-Release Certifications
   c) Third-Party Security Review
   d) External Vulnerability Disclosure Response

Which type of threat exists when an attacker can intercept and manipulate form data after the user clicks the save button but before the request is posted to the API?
   a) Elevation of Privilege
   b) Spoofing
   c) Tampering
   d) Information Disclosure

In which step of the PASTA threat modeling methodology is vulnerability and exploit analysis performed?
   a) Define Technical Scope
   b) Attack Modeling
   c) Define Objectives
   d) Application Decomposition

Which coding best practice says to ensure that buffers are allocated correctly and at the right size, that input strings are truncated to a reasonable length, and that resources, connections, objects, and file handles are destroyed once the application no longer needs them?
   a) Input Validation
   b) Memory Management
   c) Session Management
   d) Data Protection

What are the eight phases of the SDLC?
   a) Planning, security analysis, requirement analysis, design, implementation, threat mitigation, testing, maintenance
   b) Planning, requirements, design, implementation, testing, deployment, maintenance, end of life
   c) Plan, gather requirements, identify attack surface, design, write code, perform code reviews, test, deploy
   d) Gather requirements, prototype, perform threat modeling, write code, test, user acceptance testing, deploy, maintain

Which threat modeling step identifies the assets that need to be protected?
   a) Set the Scope
   b) Analyze the Target
   c) Rate Threats
   d) Identify and Document Threats

A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retrieve archived documents. Which secure coding practice is this describing?
   a) Access Control
   b) Data Protection
   c) Input Validation
   d) Authentication

An individual is developing a software application that has a back-end database and is concerned that a malicious user may run the following SQL query to pull information about all accounts from the database:

   SELECT * FROM Accounts WHERE accountID='' or '1'='1';

Which technique should be used to detect this vulnerability without running the code?
   a) Dynamic Analysis
   b) Cross-Site Scripting
   c) Static Analysis
   d) Fuzz Testing
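
An added worked example of both halves of this question (example code, not from the quiz): a minimal static check that flags `execute()` calls whose query string is assembled at runtime, which finds the flaw without running anything, followed by a dynamic confirmation that the payload `' or '1'='1` turns the vulnerable query into the tautology shown in the question and returns every account. The two `get_account` implementations, the `Accounts` table and its rows are constructed for this example; the checker looks only for string concatenation, f-strings and `.format()` in the first argument of `execute`-style calls, so it is a deliberately narrow illustration of what a static analyzer does, not a substitute for one.

```python
import ast
import sqlite3
from typing import List

# Two versions of the same data-access function, kept as source text so the static
# checker can parse them without executing anything. Constructed for this example.
VULNERABLE_SRC = '''
def get_account(conn, account_id):
    cur = conn.cursor()
    cur.execute("SELECT * FROM Accounts WHERE accountID='" + account_id + "'")
    return cur.fetchall()
'''

SAFE_SRC = '''
def get_account(conn, account_id):
    cur = conn.cursor()
    cur.execute("SELECT * FROM Accounts WHERE accountID=?", (account_id,))
    return cur.fetchall()
'''

DYNAMIC_QUERY_NODES = (ast.BinOp, ast.JoinedStr)  # "a" + b, f"...{b}..."


def find_dynamic_sql(source: str) -> List[int]:
    """Static analysis: line numbers of execute()-style calls whose query is built at runtime."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany", "executescript") or not node.args:
            continue
        query = node.args[0]
        is_format_call = (isinstance(query, ast.Call) and isinstance(query.func, ast.Attribute)
                          and query.func.attr == "format")
        if isinstance(query, DYNAMIC_QUERY_NODES) or is_format_call:
            findings.append(node.lineno)
    return findings


def run_query(source: str, account_id: str):
    """Dynamic confirmation: load the function from source and run it against a throwaway DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts(accountID TEXT, owner TEXT)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?)",
                     [("1001", "alice"), ("1002", "bob")])
    namespace = {}
    exec(source, namespace)  # only ever given the two constant source strings above
    return namespace["get_account"](conn, account_id)


INJECTION = "' or '1'='1"  # closes the open quote, then appends a tautology

if __name__ == "__main__":
    print("static findings, vulnerable:", find_dynamic_sql(VULNERABLE_SRC))
    print("static findings, safe:", find_dynamic_sql(SAFE_SRC))
    print("rows for attacker, vulnerable:", run_query(VULNERABLE_SRC, INJECTION))
    print("rows for attacker, safe:", run_query(SAFE_SRC, INJECTION))
```

The static check reports line 4 of the vulnerable source and nothing for the safe one. Dynamically, the concatenated query becomes `SELECT * FROM Accounts WHERE accountID='' or '1'='1'` and returns both rows, while the parameterized version treats the whole payload as a literal account ID and returns none; that is why parameterized queries are the fix, and why the static finding is what lets you catch it before the code ever runs.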
