The security software team has cloned the source code repository of the new software product so they can perform vulnerability testing by modifying or adding small snippets of code to see if they can cause unexpected behavior and application failure.
Which security testing technique is being used?
Credit card numbers are encrypted when stored in the database but are automatically decrypted when data is fetched. The testing tool intercepted the GET response, and testers were able to view credit card numbers as clear text.
How should the organization remediate this vulnerability?
The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing attack models created during recently completed initiatives.
Which BSIMM domain is being assessed?
Which step in the change management process includes modifying the source code?
Which design and development deliverable contains the results of each type of evaluation that was performed and the type and number of vulnerabilities discovered?
Security testers have completed testing and are documenting the results of vulnerability scans and penetration analysis They are also creating documentation lo share with the organization's largest customers.
Which deliverable is being prepared?
A product team, consisting of a Scrum Master, a Business Analyst, two Developers, and a Quality Assurance Tester, are on a video call with the Product Owner. The team is reviewing a list of work items to determine how many they feel can be added to their backlog and completed within the next two-week iteration.
Which Scrum ceremony is the team participating in?
Which secure software design principle states that it is always safer to require agreement of more than one entity to make a decision?
Developers have finished coding, and changes have been peer-reviewed. Features have been deployed to a pre-production environment so that analysts may verify that the product is working as expected.
Which phase of the Software Development Life Cycle (SDLC) is being described?
What is a countermeasure to the web application security frame (ASF) authentication threat category?
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's claims intake component. The base score of the vulnerability was 3.5 and changed to 5.9 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?
Which secure coding best practice says to assume all incoming data should be considered untrusted and should be validated to ensure the system only accepts valid data?
What is an advantage of using the Agile development methodology?
Which category classifies identified threats that have some defenses in place and expose the application to limited exploits?
The software security group is conducting a maturity assessment using the Open Web Application Security Project Software Assurance Maturity Model (OWASP SAMM). They are currently focused on reviewing design artifacts to ensure they comply with organizational security standards.
Which OpenSAMM business function is being assessed?
What is the privacy impact rating of an application that stores personally identifiable information, monitors users with ongoing transfers of anonymous data, and changes settings without notifying the user?
Which secure software design principle assumes attackers have the source code and specifications of the product?
Which security assessment deliverable identities possible security vulnerabilities in the product?
What is a countermeasure to the web application security frame (ASF) data validation/parameter validation threat category?
Senior IT staff has determined that a new product will be hosted in the cloud and will support web and mobile users. Developers will need to deliver secure REST services. Android and IOS mobile apps. and a web application. Developers are currently determining how to deliver each part of the overall product.
Which phase of the software development lifecycle (SDLC) is being described?
Which concept is demonstrated when every module in a particular abstraction layer of a computing environment can only access the information and resources that are necessary for its legitimate purpose?
Which threat modeling step identifies the assets that need to be protected?
Which type of security analysis is performed by reviewing source code line-by-line after other security analysis techniques have been executed?
Company leadership has discovered an untapped revenue stream within its customer base and wants to meet with IT to share its vision for the future and determine whether to move forward.
Which phase of the software development lifecycle (SDLC) is being described?
What are the eight phases of the software development lifecycle (SDLC)?
The security team is identifying technical resources that will be needed to perform the final product security review.
Which step of the final product security review process are they in?
Which mitigation technique is used to fight against an identity spoofing threat?
Which software control test examines the internal logical structures of a program and steps through the code line by line to analyze the program for potential errors?
The software security team has been tasked with assessing a document management application that has been in use for many years and developing a plan to ensure it complies with organizational policies.
Which post-release deliverable is being described?
Which SDL security goal is defined as ensuring timely and reliable access to and use of information?
Which secure coding practice requires users to log in to their accounts using an email address and a password they choose?
Which threat modeling step collects exploitable weaknesses within the product?
Which software-testing technique can be automated or semi-automated and provides invalid, unexpected, or random data to the inputs of a computer software program?