Question 1

Creating a graphical representation of the required elements for an attack vector occurs in which step of Threat Modeling?&#10;A)Step 1-Define scope&#10;B)Step 4-Enumerate threats&#10;C)Step 5-Classify threats&#10;D)Step 8-Create threat trees

Accepted Answer

Creating a graphical representation of the attack vector is done in Step 8-Create threat trees, which involves breaking down each identified threat into smaller components and constructing a diagram to illustrate the potential paths an attacker might take to achieve their desired outcome.

Question 2

Lease privilege refers to removing all controls from a system.

Accepted Answer

Lease privilege actually involves reducing or limiting the amount of control that certain users or processes have over a system, in order to improve security and protect sensitive data.

Question 3

Which type of attack is used especially against databases?&#10;A)DB manipulation&#10;B)DB injection&#10;C)SQL injection&#10;D)SQL rejection

Accepted Answer

SQL injection is a type of attack in which an attacker injects malicious code into a database query with the intention of accessing or manipulating sensitive data. It is a commonly used attack against databases specifically, which makes C the best choice. A and D are not valid options as they are not widely recognized attack types. B is a similar concept to C, but specifically refers to injection attacks on databases using SQL, so C is still the more appropriate choice.

Question 4

Canonicalization vulnerabilities are restricted to Windows systems.

Accepted Answer

Canonicalization vulnerabilities can occur in any operating system, not just limited to Windows. These vulnerabilities arise because of inconsistent handling of files and paths, which can allow attackers to bypass access controls and perform unauthorized actions.

Question 5

Scoring the efforts to reduce the effects of threats occurs in which step of threat modeling?&#10;A)Step 2-Enumerate assets&#10;B)Step 7-Score and rank threats&#10;C)Step 8-Create threat trees&#10;D)Step 9-Determine and score mitigation

Accepted Answer

Scoring the efforts to reduce the effects of threats is part of determining and scoring mitigation, which occurs in Step 9 of threat modeling.

Question 6

In the secure development lifecycle,employing use cases to compare program responses to known inputs,and then comparing the outputs to the desired outputs should take place in which phase?&#10;A)Coding phase&#10;B)Design phase&#10;C)Requirements phase&#10;D)Testing phase

Accepted Answer

This process of comparing program responses to known inputs and desired outputs is a part of testing. Therefore, it should take place in the testing phase of the secure development lifecycle.

Question 7

What is the one item that could labeled as the &#34;most wanted&#34; item in coding security?&#10;A)Run length overflow&#10;B)Proper string handling&#10;C)Herman the Fly&#10;D)Buffer overflow

Accepted Answer

Buffer overflow is the most common and dangerous security vulnerability in coding. It occurs when a program tries to write more data to a buffer than it can hold, and the excess data spills over into adjacent memory, corrupting or overwriting valid data. This can allow attackers to execute malicious code or gain unauthorized access to a system. Therefore, preventing buffer overflows is crucial for ensuring the security of software applications.

Question 8

What does the term spiral method refer to?&#10;A)SQL&#10;B)The software engineering process model&#10;C)Proper coding of SSL&#10;D)Physical security of facilities

Accepted Answer

The spiral method refers to the software engineering process model, which involves iterative development cycles that gradually increase in complexity over time.

Question 9

Testing is not an essential part of the generation of secure code.

Accepted Answer

Testing is a crucial part of generating secure code. It helps to identify vulnerabilities and flaws in the code and ensures that the code functions as expected in a secure manner. Without testing, it is difficult to guarantee that the code is secure and free from potential security risks.

Question 10

Cryptography is the solution to all security problems.

Accepted Answer

While cryptography can certainly play a key role in securing data and systems, it is not a panacea for all security problems. Other factors such as proper configuration, network segmentation, access control, and employee awareness and training, must also be considered to establish a comprehensive security approach.

Question 11

What is the waterfall model characterized by?&#10;A)A generic,repeatable process for debugging software&#10;B)A protocol limiting liquids in the workplace&#10;C)A linear,multistep process&#10;D)A process for ensuring that all inputs are tested

Accepted Answer

The answer of What is the waterfall model characterized by?&#10;A)A...

Question 12

What is used to compare program responses to known inputs and comparison of the output to desired output?&#10;A)Use cases&#10;B)Waterfall models&#10;C)Requirements testing&#10;D)Good practices

Accepted Answer

The answer of What is used to compare program responses...

Question 13

What technique can be used to find potentially exploitable buffer overflows,without any specific knowledge of the coding?&#10;A)Code injection&#10;B)Use cases&#10;C)Fuzzing&#10;D)Backdoors

Accepted Answer

The answer of What technique can be used to find...

Question 14

Which is related to a code injection error?&#10;A)VB.NET&#10;B)SQL&#10;C)JavaScript&#10;D)C#

Accepted Answer

The answer of Which is related to a code injection...

Question 15

Errors found after development is complete are expensive.

Accepted Answer

The answer of Errors found after development is complete are...

Question 16

Determining what needs to be accessed,and the appropriate level of permission for every item accessed is an example of what principle?&#10;A)Least functionality&#10;B)Least privilege&#10;C)Least access&#10;D)Least rights

Accepted Answer

The answer of Determining what needs to be accessed,and the...

Question 17

In the secure development lifecycle,in which phase should minimizing the attack surface area take place?&#10;A)Coding phase&#10;B)Design phase&#10;C)Requirements phase&#10;D)Testing phase

Accepted Answer

The answer of In the secure development lifecycle,in which phase...

Question 18

In the secure development lifecycle,how must the specific security needs of software being developed be defined?&#10;A)Coding phase&#10;B)Design phase&#10;C)Requirements phase&#10;D)Testing phase

Accepted Answer

The answer of In the secure development lifecycle,how must the...

Question 19

Unvalidated input that changes the code functioning in an unintended way is which type of coding error?&#10;A)Canonicalization error&#10;B)Improper output handling&#10;C)Injection&#10;D)Buffer overflow

Accepted Answer

The answer of Unvalidated input that changes the code functioning...

Question 20

Which type of error occurs when a program executes the error checking routine,prior to manipulating strings to a base form?&#10;A)Canonicalization error&#10;B)Improper output handling&#10;C)Injection&#10;D)Buffer overflow

Accepted Answer

The answer of Which type of error occurs when a...

Question 21

A(n)_______________ attack is a form of code injection aimed at any Structured Query Language (SQL)-based database,regardless of vendor.

Accepted Answer

The answer of A(n)_______________ attack is a form of code...

Question 22

Generating true random numbers is a fairly trivial task.

Accepted Answer

The answer of Generating true random numbers is a fairly...

Question 23

The _______________ model is characterized by iterative development,where requirements and solutions evolve through an ongoing collaboration of self-organizing cross-functioning teams.

Accepted Answer

The answer of The _______________ model is characterized by iterative...

Question 24

Proper use of _______________ can provide a wealth of programmatic functionality,such as authentication,confidentiality,integrity,and nonrepudiation.

Accepted Answer

The answer of Proper use of _______________ can provide a...

Question 25

What are the major types of coding errors and their root cause?

Accepted Answer

The answer of What are the major types of coding...

Question 26

_______________ is the systematic application of a series of malformed inputs to test how the program responds.

Accepted Answer

The answer of _______________ is the systematic application of a...

Question 27

_______________ is the conversion of a name to its simplest form.

Accepted Answer

The answer of _______________ is the conversion of a name...

Question 28

_______________,historically,has not been an integral part of the software development life cycle.

Accepted Answer

The answer of _______________,historically,has not been an integral part of...

Question 29

How does implementing a good software development process enforce security inclusion in a project?

Accepted Answer

The answer of How does implementing a good software development...

Question 30

How can secure coding be incorporated into the software development process?

Accepted Answer

The answer of How can secure coding be incorporated into...

Question 31

What are the phases of the software development lifecycle?

Accepted Answer

The answer of What are the phases of the software...

Question 32

You are interviewing for a job as a software developer.The interviewer asks you to explain good software development practices.

Accepted Answer

The answer of You are interviewing for a job as...

Question 33

Employing _______________ to compare program responses to known inputs and then comparing the output to the desired output is a proven method of testing software.

Accepted Answer

The answer of Employing _______________ to compare program responses to...

Question 34

The spiral model is characterized by iterative development,where requirements and solutions evolve through an ongoing collaboration between self-organizing,cross-functional teams.

Accepted Answer

The answer of The spiral model is characterized by iterative...

Question 35

When the function of code is changed in an unintended way,it is an example of code injection.

Accepted Answer

The answer of When the function of code is changed...

Question 36

The _______________ is the first step in a software development process model.

Accepted Answer

The answer of The _______________ is the first step in...

Question 37

The specific security needs of a program being developed should be defined in the design phase of the secure development lifecycle.

Accepted Answer

The answer of The specific security needs of a program...

Question 38

If the requirement phase marks the beginning of the generation of security in code,then the _______________ marks the other boundary.

Accepted Answer

The answer of If the requirement phase marks the beginning...

Question 39

The _______________ model is characterized by a multistep process in which the steps follow each other in a linear,one-way fashion,like water over a waterfall

Accepted Answer

The answer of The _______________ model is characterized by a...

Question 40

Fuzzing is a powerful tool used in testing code.

Accepted Answer

The answer of Fuzzing is a powerful tool used in...

Deck 18: Secure Software Development