NEW QUESTION # 39
An individual is developing a software application that has a back-end database and is concerned that a malicious user may run the following SQL query to pull information about all accounts from the database:
Which technique should be used to detect this vulnerability without running the source code?
- A. Dynamic analysis
- B. Fuzz testing
- C. Static analysis
- D. Cross-site scripting
Answer: C
Explanation:
Static analysis is a method used to detect vulnerabilities in software without executing the code. It involves examining the codebase for patterns that are indicative of security issues, such as SQL injection vulnerabilities. This technique can identify potential threats and weaknesses by analyzing the code's structure, syntax, and data flow.
References:
* Static analysis as a means to identify security vulnerabilities [1].
* The importance of static analysis in the early stages of the SDLC to prevent security issues [2].
* Learning-based approaches to fix SQL injection vulnerabilities using static analysis [3].
NEW QUESTION # 40
Which secure coding best practice says to only use tested and approved components and use task-specific, built-in APIs to conduct operating system functions?
- A. General Coding Practices
- B. Data Protection
- C. Session Management
- D. Authentication and Password Management
Answer: A
NEW QUESTION # 41
The security software team has cloned the source code repository of the new software product so they can perform vulnerability testing by modifying or adding small snippets of code to see if they can cause unexpected behavior and application failure.
Which security testing technique is being used?
- A. Source-Code Fault Injection
- B. Dynamic Code Analysis
- C. Fuzz Testing
- D. Binary Fault Injection
Answer: A
NEW QUESTION # 42
Which type of security analysis is performed using automated software tools while an application is running and is most commonly executed during the testing phase of the SDLC?
- A. Fuzz testing
- B. Dynamic analysis
- C. Manual code review
- D. Static analysis
Answer: B
Explanation:
Dynamic analysis is a security testing method that involves analyzing the behavior of software while it is running or in execution. It is most commonly executed during the testing phase of the Software Development Life Cycle (SDLC). This type of analysis is used to detect issues that might not be visible in the code's static state, such as runtime errors and memory leaks. Automated tools are employed to perform dynamic analysis, which can simulate attacks on the application and identify vulnerabilities that could be exploited by malicious actors.
References: The information provided here is verified by multiple sources that discuss security automation in the SDLC and the role of dynamic analysis during the testing phase [1][2][3].
NEW QUESTION # 43
Which type of security analysis is limited by the fact that a significant time investment of a highly skilled team member is required?
- A. Manual code review
- B. Fuzz testing
- C. Dynamic code analysis
- D. Static code analysis
Answer: A
Explanation:
Manual code review is a type of security analysis that requires a significant time investment from a highly skilled team member. This process involves a detailed and thorough examination of the source code to identify security vulnerabilities that automated tools might miss. It is labor-intensive because it relies on the expertise of the reviewer to understand the context, logic, and potential security implications of the code. Unlike automated methods such as static or dynamic code analysis, manual code review demands a deep understanding of the codebase, which can be time-consuming and requires a high level of skill and experience.
References: The information provided here is based on industry best practices and standards for secure software design and development, as well as my understanding of security analysis methodologies [1][2].
NEW QUESTION # 45
The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing attack models created during recently completed initiatives.
Which BSIMM domain is being assessed?
- A. Governance
- B. Software security development life cycle (SSDL) touchpoints
- C. Deployment
- D. Intelligence
Answer: D
Explanation:
The Intelligence domain in the Building Security in Maturity Model (BSIMM) focuses on gathering and using information about software security. This includes understanding the types of attacks that are possible against the software being developed, which is why reviewing attack models falls under this domain. The BSIMM domain of Intelligence involves creating models of potential attacks on software (attack models), analyzing actual attacks that have occurred (attack intelligence), and sharing this information to improve security measures. By reviewing attack models, the software security group is essentially assessing the organization's ability to anticipate and understand potential security threats, which is a key aspect of the Intelligence domain.
References: The references used to verify this answer include the official BSIMM documentation and related resources that describe the various domains and their activities within the BSIMM framework [1]-[5].
NEW QUESTION # 46
Company leadership has contracted with a security firm to evaluate the vulnerability of all externally facing enterprise applications via automated and manual system interactions. Which security testing technique is being used?
- A. Property-based testing
- B. Source-code fault injection
- C. Source-code analysis
- D. Penetration testing
Answer: D
Explanation:
The security testing technique that involves evaluating the vulnerability of all externally facing enterprise applications through both automated and manual system interactions is known as Penetration Testing. This method simulates real-world attacks on systems to identify potential vulnerabilities that could be exploited by attackers. It is a proactive approach to discover security weaknesses before they can be exploited in a real attack scenario. Penetration testing can include a variety of methods such as network scanning, application testing, and social engineering tactics to ensure a comprehensive security evaluation.
References: The concept of Penetration Testing as a method for evaluating vulnerabilities aligns with industry standards and practices, as detailed in resources from security-focused organizations and literature [1].
NEW QUESTION # 47
Which security assessment deliverable identifies possible security vulnerabilities in the product?
- A. List of third-party software
- B. Threat profile
- C. SDL project outline
- D. Metrics template
Answer: B
Explanation:
A threat profile is a security assessment deliverable that identifies possible security vulnerabilities in a product. It involves a systematic examination of the product to uncover any weaknesses that could potentially be exploited by threats. The process typically includes identifying the assets that need protection, assessing the threats to those assets, and evaluating the vulnerabilities that could be exploited by those threats. This deliverable is crucial for understanding the security posture of a product and for prioritizing remediation efforts.
References: The importance of a threat profile in identifying security vulnerabilities is supported by various security resources. For instance, Future Processing's blog on vulnerability assessments outlines the steps involved in identifying security vulnerabilities, which align with the creation of a threat profile [1]. Additionally, UpGuard's article on conducting vulnerability assessments further emphasizes the role of identifying vulnerabilities as part of the security assessment process [2].
NEW QUESTION # 48
What is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or distribution to provide confidentiality, integrity, and availability?
- A. Information Security
- B. Integrity
- C. Confidentiality
- D. Availability
Answer: A
NEW QUESTION # 49
Recent vulnerability scans discovered that the organization's production web servers were responding to ping requests with server type, version, and operating system, which hackers could leverage to plan attacks.
How should the organization remediate this vulnerability?
- A. Ensure servers are regularly updated with the latest security patches
- B. Ensure servers are configured to return as little information as possible to network requests
- C. Always uninstall or disable features that are not required
- D. Access to configuration files is limited to administrators
Answer: B
Explanation:
To remediate the vulnerability of servers responding to ping requests with sensitive information, the organization should configure the servers to return as little information as possible to network requests. This practice is known as reducing the attack surface. By limiting the amount of information disclosed, potential attackers have less data to use when attempting to exploit vulnerabilities. Regular updates and patching (Option A) are also important, but they do not address the specific issue of information disclosure.
Uninstalling or disabling unnecessary features (Option C) and restricting access to configuration files (Option D) are good security practices, but they do not directly prevent the leakage of server information through ping responses.
References: The remediation steps are aligned with best practices in vulnerability management, which include finding, prioritizing, and fixing vulnerabilities, as well as configuring servers to minimize the exposure of sensitive information [1][2][3].
NEW QUESTION # 50
Which secure software design principle states that it is always safer to require agreement of more than one entity to make a decision?
- A. Separation of Privileges
- B. Psychological Acceptability
- C. Least Privilege
- D. Total Mediation
Answer: A
NEW QUESTION # 51
Which category classifies identified threats that have some defenses in place and expose the application to limited exploits?
- A. Fully Mitigated Threat
- B. Partially Mitigated Threat
- C. Threat Profile
- D. Unmitigated Threats
Answer: B
NEW QUESTION # 52
What sits between a browser and an internet connection and alters requests and responses in a way the developer did not intend?
- A. Input validation
- B. Reverse engineering
- C. Load testing
- D. Intercept proxy
Answer: D
Explanation:
An intercept proxy, a type of proxy server, sits between a web client (such as a browser) and an external server to filter, monitor, or manipulate the requests and responses passing through it. This can be used for legitimate purposes, such as security testing and user privacy, but it can also be exploited by attackers to alter web traffic in a way that the developer did not intend, potentially leading to security vulnerabilities.
References:
* Understanding of HTTP and HTTPS protocols [1][2].
* Definition and role of proxy servers [3].
NEW QUESTION # 53
Which privacy impact statement requirement type defines how personal information will be protected when authorized or independent external entities are involved?
- A. Personal information retention requirements
- B. Data integrity requirements
- C. Third party requirements
- D. User controls requirements
Answer: C
Explanation:
The privacy impact statement requirement that defines how personal information will be protected when authorized or independent external entities are involved is best categorized under Third party requirements.
This aspect of privacy impact assessments ensures that personal data is safeguarded even when it is necessary to involve third parties, which could be service providers, partners, or other entities that might handle personal information on behalf of the primary organization. These requirements typically include stipulations for data handling agreements, security measures, and compliance checks to ensure that third parties maintain the confidentiality and integrity of the personal information they process.
References:
* Guide to undertaking privacy impact assessments | OAIC [1]
* A guide to Privacy Impact Assessments - Information and Privacy [2]
* Personal Information Protection Law of China: Key Compliance Considerations [3]
* Privacy Impact Assessment - General Data Protection Regulation (GDPR) [4]
* Privacy impact assessment (PIA) - TechTarget [5]
NEW QUESTION # 54
Which DREAD category has a risk rating based on the threat exploit's potential level of harm?
- A. Exploitability
- B. Reproducibility
- C. Damage potential
- D. Affected users
Answer: C
Explanation:
The DREAD category that has a risk rating based on the threat exploit's potential level of harm is Damage potential. This category assesses the total damage or impact that a threat could cause if it is exploited by an attacker. The risk rating in this category is determined by evaluating the severity of the potential damage, which could range from information disclosure to complete system destruction or loss of system availability.
References:
* DREAD Threat Modeling [1]
* OWASP Risk Rating Methodology [2]
* DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis [3]
NEW QUESTION # 55
While performing functional testing of the new product from a shared machine, a QA analyst closed their browser window but did not log out of the application. A different QA analyst accessed the application an hour later and was not prompted to log in. They then noticed the previous analyst was still logged into the application.
How should existing security controls be adjusted to prevent this in the future?
- A. Ensure strong password policies are enforced
- B. Ensure user sessions timeout after short intervals
- C. Ensure no sensitive information is stored in plain text in cookies
- D. Ensure role-based access control is enforced for access to all resources
Answer: B
Explanation:
The issue described involves a session management vulnerability where the user's session remains active even after the browser window is closed, allowing another user on the same machine to access the application without logging in. To prevent this security risk, it's essential to adjust the session management controls to include an automatic timeout feature. This means that after a period of inactivity, or when the browser window is closed, the session should automatically expire, requiring a new login to access the application.
This adjustment ensures that even if a user forgets to log out, their session won't remain active indefinitely, reducing the risk of unauthorized access.
References:
* Secure SDLC practices emphasize the importance of security at every stage of the software development life cycle, including the implementation of proper session management controls [1][2].
* Best practices for access control in security highlight the significance of managing session timeouts to prevent unauthorized access [3].
* Industry standards and guidelines often recommend session timeouts as a critical security control to protect against unauthorized access [4].