A deployment is happening, and Varlam encounters a critical bug. Which feature that
emphasizes collaboration and automation for bug resolution will Varlam use?
DevOps
Correct
waterfall
traditional QA
The term "defects" is most relatable to which of the following?
coding errors that can harm the program
design errors within a system
any errors introducing vulnerabilities
Correct
Which website contains information about the top 10 web application software risks?
CERT Division of the Software Engineering Institute
IEEE Security & Privacy
Cybersecurity and Infrastructure Security Agency
Open Web Application Security Project
Correct
How can risk manifestation appear in the category Probability?
by exposing a software vulnerability that can be exploited into a threat
This was the correct answer
SOFTWARE SECURITY THREADS
At a security workshop, Helga encounters a code-level vulnerability. What does this
vulnerability likely involve?
a secure method for handling input data
a technique for injecting malicious SQL queries
Correct
an unauthorized access gateway that evades detection
Development teams are typically faced with threats to security. What usually causes
these security vulnerabilities?
unclear or ambiguous security requirements
Correct
excessive documentation of features unrelated to security
inadequate user interface customization options
Which architectural-level threat poses the greatest risk to developing secure software?
lack of input validation
Correct
inconsistent coding style
excessive use of comments in code
How do design patterns commonly exhibit limitations?
They can introduce unnecessary complexity and overhead.
Correct
They often lead to syntax errors in code.
They automatically optimize code performance.
Why should an uninterruptible power supply be linked to a countermeasure?
to avoid a single point of failure
Incorrect
to allow energy to be saved for use in essential systems
to help stabilize system services
Correct
How does the Trusted Platform Module serve its purpose?
It protects hardware through secure wired cables.
It allows trusted people such as software engineers into systems.
It prevents breaches resulting from hardware vulnerabilities.
Correct
Which step in threat modeling for developing secure software involves assessing the
potential impact and likelihood of identified threats?
analysis
identification
categorization for prioritization
Correct
mitigation
SECURE SOFTWARE DESIGN
Which statement is true regarding message integrity verification in open EMR?
Message integrity is not used in open EMR but is effective in other programming areas.
Message integrity is ensured through manual verification by users.
Message integrity is ensured through standardized library functions.
Correct
How does the Architectural Analysis for Security (AAFS) process utilize security tactics
and patterns?
It identifies vulnerabilities in the software architecture.
It conducts an inspection of software security using security patterns during the
VoAA phase.
It examines the source code for evidence of security design decisions.
It refines security tactics into specific design decisions during the PoAA phase.
Correct
Which resource is described as an exceptional tool for software security practitioners to
identify design flaws?
Common Vulnerabilities and Exposures (CVE) database
Common Weakness Enumeration (CWE) database
Correct
Mitre's repository of reported security vulnerabilities
Trina is evaluating a website at a security assessment. Which practice should she avoid
to enhance security?
Allow file uploads without specifying allowed file types.
This was the correct answer
During the vulnerability-oriented architecture analysis phase, what common vulnerability
can occur when the intercepting validator pattern is misused or not used?
clickjacking
SQL injection
Correct
Alex is conducting a security training session with several employees. Letitia asks, "What
is the most effective approach for utilizing security patterns?" How should Alex respond?
"Ad hoc adoption by individual developers without architectural vision."
"Architectural implementation with supervision by a software architect."
Correct
"Implementation of design patterns without communication among developers."
How can developers effectively employ security tactics when creating secure software?
by using robust input validation and sanitization processes
Correct
Christian is speaking at a seminar for secure design. A participant asks, "What is the best
way to foster secure design in software development?" Which approach should Christian
recommend?
"Use post-deployment security patches."
"Test for potential vulnerabilities."
"Implement ad hoc security considerations."
"Incorporate security throughout the development lifecycle."
Correct
SECURE CODING
How do software developers commonly err in safeguarding sensitive information?
They fail to implement multi-factor authentication procedures.
They do not ensure that regular data backups are occurring.
They rely solely on firewalls for security defense.
They do not provide adequate protection such as access control and encryption.
Correct
Alena is trying to determine the best way to minimize the possibility of introducing the
direct object reference vulnerability. Which option will benefit her most?
automated testing using specialized tools
enhanced encryption algorithms for data protection
routine code review focusing on access control mechanisms
Correct
stricter user authentication protocols
What risk is associated with uncontrolled direct access to system resources?
system performance degradation
loss of encryption keys
potential data or information leakage
Correct
increased vulnerability to phishing attacks
Attila is tasked with selecting a security framework for authentication and session
management. Which criterion is essential for choosing the best framework?
implementation of custom code from scratch
caution regarding unknown security vulnerabilities
reputation and acceptance in the developer community
Correct
lack of technical support for maintenance
Next question
Why is building a custom authentication and session management scheme considered
risky for software developers?
It is more efficient than using standardized authentication methods.
It reduces the risk of insider threats and social engineering attacks.
It provides better control over access control mechanisms.
It is prone to error and can lead to security vulnerabilities.
Correct
What is the surefire way of stopping buffer overflow attacks at the software developer
level?
Follow secure coding practices.
This was the correct answer
Hyeon is discussing buffer overflow vulnerabilities in software security. Which practice
helps prevent such attacks?
allowing unrestricted user input
implementing strict input validation
Correct
adding user input validation
using coding practices that have worked in the past
What is emphasized as a fundamental aspect of secure coding practices?
high return on investment (ROI)
This was the correct answer
Which type of architectural solution is used to address input validation vulnerabilities?
overarching and lasting solutions
This was the correct answer
TESTING FOR SECURITY
What is the most significant difference between criminal hacking and penetration
testing?
Criminal hacking focuses on identifying vulnerabilities, while penetration testing
launches attacks.
Criminal hacking is done in isolation, while penetration testing is conducted in the wild.
Criminal hacking is done without permission, while penetration testing requires formal
authorization.
Correct
During a software security training session, Micha is tasked with selecting a tool for
analyzing web applications dynamically. Which tool should Micha choose?
Nikto
This was the correct answer
Which industry standard does Nessus use to assess the seriousness of cybersecurity
vulnerabilities?
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Vulnerability Scoring System (CVSS)
Correct
During a cybersecurity briefing, Marina is asked to identify the initial step in a
vulnerability management process. What is the first step?
Develop vulnerability management policies.
Correct
The Linux distribution that is specifically focused on penetration testing is _____.
BackTrack
Ubuntu
Kali
Correct
What is a requirement for conducting effective white-box testing?
knowledge of software vulnerabilities
extensive testing documentation
access to source code
Correct
knowledge of user requirements
How can you identify the limitations of static analysis for software security?
by requiring the execution of the source code during testing
by detecting bugs in only fully functional code
by seeing if the output releases false positives and false negatives
Correct
by being effective in detecting design flaws
What are the three conventional testing techniques for software security?
static analysis, dynamic analysis, and penetration testing
Correct
functional analysis, regression testing, and usability testing
black-box testing, white-box testing, and gray-box testing
unit testing, integration testing, and system testing
RECENT DEVELOPMENTS and FUTURE DIRECTIONS
How does the European Union initiative affect organizations globally, even if they are
outside of Europe?
through the Computer Fraud and Abuse Act (CFAA)
through the Health Insurance Portability and Accountability Act (HIPAA)
through the Payment Card Industry Data Security Standard (PCI DSS)
through the General Data Protection Regulation (GDPR)
Correct
Which certification program addresses software security in the context of web applications?
Certified Web Application Defender (CWAD)
Correct
One of the cybersecurity threats manifests in IoT devices through _____.
privacy violations
Correct
How can organizations support software engineers in building security into the software
they produce?
Encourage developers to create custom encryption algorithms.
Limit access to commercial and open-source encryption libraries.
Provide additional, extensive cybersecurity training.
Invest in developer-friendly software security environments and automation.
Correct
What is a potential security concern related to cloud computing?
lack of access to physical servers
vulnerabilities in hypervisors
Correct
local storage of code repositories
limited computing resources for virtual machines
0
