D487 Secure Software Design - Set 1 - Part 1
Test your knowledge of technical writing concepts with these practice questions. Each question includes detailed explanations to help you understand the correct answers.
Question 1: During penetration testing, an analyst discovered a DOM-based (document object model) cross-site scripting vulnerability within the application’s search bar that could allow an attacker to insert malicious code. How should the organization remediate this vulnerability?
Question 2: Application passwords are stored in the database as simple hashes. An undiscovered credential recovery flaw allowed a security analyst to download the database and expose the passwords by using a GPU to crack the simple hashes. How should the organization remediate this vulnerability?
Question 3: During functional testing, a QA analyst using a non-admin account caused an application exception. After the exception was handled, the tester was able to navigate to the admin section of the application by typing the URL directly into the browser address bar. They were unable to force the same navigation before the exception was thrown. How should the organization remediate this vulnerability?
Question 4: The product security incident response team (PSIRT) determined a reported vulnerability was credible and of a high enough severity that it needs to be fixed. What is the response team's next step?
Question 5: Organizational leadership is considering buying a competitor and has asked the software security team to develop a plan to ensure the competitor's point-of-sale system complies with organizational policies. Which post-release deliverable is being described?
Question 6: The software security team has been tasked with identifying who will be involved when security vulnerabilities are reported from external entities. They are creating a RACI matrix that will identify stakeholders by who is responsible, accountable, consulted, and informed of any new vulnerabilities. Which post-release deliverable is being described?
Question 7: After determining a reported vulnerability was a credible claim, the product security incident response team (PSIRT) worked with development teams to create and test a patch. The patch is scheduled to be released at the end of the month. What is the response team's next step?
Question 8: The final security review determined that all security issues identified in testing have been resolved and all SDL requirements have been met. What is the result of the final security review?
Question 9: The security team is reviewing all threat models, identified vulnerabilities, and documented requirements. They are also performing static and dynamic analysis on the software product to determine if it is ready for release. Which activity of the Ship SDL phase is being performed?
Question 10: The security team is reviewing whether new security requirements, based on identified threats or changes to organizational guidelines, can be implemented prior to releasing the new product. Which activity of the Ship SDL phase is being performed?
Question 11: The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that all user input values must be validated by type, size, and range?
Question 12: The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing security testing results from recently completed initiatives. Which BSIMM domain is being assessed?
Question 13: The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that the team must perform remote procedure call (RPC) fuzz testing?
Question 14: An organization is assessing its security posture and finds that many employees are unaware of their responsibilities regarding data protection. Which strategy should be implemented to improve security awareness?
Question 15: A development team has been implementing features rapidly without considering security implications. What should the security team recommend to ensure that security is integrated into the development process?
Question 16: A company’s web application was found to have multiple vulnerabilities during a routine security assessment. Which of the following approaches should the security team prioritize to mitigate these vulnerabilities?
Question 17: During a security review, it was discovered that an application does not properly validate user input, leading to potential SQL injection vulnerabilities. What is the most effective remediation strategy?
Question 18: A company is experiencing repeated incidents of phishing attacks targeting its employees. What proactive measure should the security team implement to combat this issue?
Question 19: An organization plans to implement a new cloud-based service but is concerned about data security. Which of the following factors should be prioritized when selecting a cloud service provider?
Question 20: A software development team is using an open-source library that has not been updated in over two years. What is the primary risk associated with this decision?