Test 3
Title of test: Test 3
Description: Test 3 test
1. (Image: data flow diagram with an arrow between two circles.)
   - Data Store
   - External Entity
   - Process
   - Data Flow

2. An aging credential recovery/forgotten password component emails temporary passwords to users who claim to have forgotten their application password. How should the organization remediate this vulnerability?
   - Lock a user account after multiple failed authentication attempts
   - Ensure all authorization requests are logged
   - Implement multi-factor authentication
   - Implement role-based authorization

3. Which security analysis technique is limited by the fact that a significant time investment by a highly skilled team member is required?
   - Fuzz testing
   - Dynamic code analysis
   - Manual code review
   - Static code analysis

4. An organization conducting a maturity assessment using the Building Security In Maturity Model (BSIMM) is currently focused on reviewing attack models created during recently completed initiatives. Which BSIMM domain is being assessed?
   - Governance
   - Software security development life cycle
   - Intelligence
   - Deployment

5. Which manual code review technique is being used when the reviewer starts at an input control and traces its value through the application to each of the value's outputs?
   - Risk analysis
   - Control flow analysis
   - Data flow analysis
   - Threat analysis

6. The vulnerability of all externally facing enterprise applications is being evaluated via automated and manual interactions. Which security testing technique is being used?
   - Property-based testing
   - Source-code analysis
   - Penetration testing
   - Source-code fault injection

7. A PSIRT is unable to recreate the vulnerability in a testing lab. What is the response team's next step?
   - Determine the severity of the vulnerability
   - Notify the reporter that the case is going to be closed
   - Determine how the reporter was able to create the vulnerability
   - Identify resources and schedule the fix

8. Technicians have scheduled a time and date to make the product available to customers. Which phase of the SDLC is being described?
   - Maintenance
   - Deployment
   - End of life
   - Testing

9. An OWASP SAMM assessment is currently focused on reviewing design artifacts to ensure they comply with organizational security standards. Which OpenSAMM business function is being assessed?
   - Verification
   - Construction
   - Deployment
   - Governance

10. Which secure coding practice category includes "only use tested and approved components" and "use task-specific, built-in APIs to conduct operating system functions"?
   - Session management
   - Authentication and password management
   - Data protection
   - General coding practices

11. Which secure coding practice category uses well-vetted algorithms to ensure that the application uses random identifiers, that identifiers are appropriately restricted to the application, and that user processes are fully terminated on logout?
   - Output encoding
   - Input validation
   - Access control
   - Session management

12. Which of the following is a best practice of secure coding?
   - Planning
   - Session management
   - User acceptance testing
   - Microservices

13. Which software-testing technique can be automated or semi-automated and provides invalid, unexpected, or random data to the inputs of a computer software program?
   - Fuzzing
   - Static analysis
   - Dynamic analysis
   - Bugtraq

14. The software security team is performing security testing on a new software product using a testing tool that scans the running application for known exploit signatures. Which security testing technique is being used?
   - Automated vulnerability scanning
   - Penetration testing
   - Property-based testing
   - Secure-code analysis

15. Which threat modeling methodology involves creating or using collections of similar threats?
   - Data flow diagrams
   - Attack libraries
   - Attack trees
   - Security profile

16. Which term refers to the review of software source code by developers other than the original coders to try to identify oversights, mistakes, assumptions, a lack of knowledge, or even a lack of experience?
   - User acceptance testing
   - Manual peer review
   - Fault injection
   - Dynamic code review

17. Which is a countermeasure to the web ASF authentication threat category?
   - Role-based access controls restrict access
   - Credentials and tokens are encrypted
   - Cookies have expiration timestamps
   - Sensitive information is scrubbed from error messages

18. A QA analyst closed the browser window but did not log out of the application. A different QA analyst accessed the application an hour later and was not prompted to log in. How should existing security controls be adjusted to prevent this in the future?
   - Ensure no sensitive information is stored in plain-text cookies
   - Ensure user sessions time out after short intervals
   - Ensure role-based access control is enforced for access to all resources
   - Ensure strong password policies are enforced

19. An untapped revenue stream has been discovered within the customer base, and the business wants to meet with IT to share its vision for the future. Which phase of the SDLC is being described?
   - Implementation
   - Design
   - Planning
   - Requirements

20. An exception was thrown on the order entry view, which caused a full stack dump to be displayed in the browser window, including function names from the source code. How should existing security controls be adjusted to prevent this in the future?
   - Ensure privileges are restored after application exceptions
   - Ensure all exceptions are handled in a standardized way
   - Ensure private information is not logged
   - Ensure sensitive information is scrubbed from all error messages