WGU Secure Software Design (D487) Exam
Last Update Jul 10, 2025
Total Questions : 113
The security team is identifying technical resources that will be needed to perform the final product security review.
Which step of the final product security review process are they in?
The security team contracts with an independent security consulting firm to simulate attacks on deployed products and report results to organizational leadership.
Which category of secure software best practices is the team performing?
What are the three primary goals of the secure software development process?
Which design and development deliverable contains the types of evaluations that were performed, how many times they were performed, and how many times they were re-evaluated?
A recent security review has identified an aging credential recovery/forgotten password component that emails temporary passwords to users who claim to have forgotten their application password.
How should the organization remediate this vulnerability?
The security software team has cloned the source code repository of the new software product so they can perform vulnerability testing by modifying or adding small snippets of code to see if they can cause unexpected behavior and application failure.
Which security testing technique is being used?
After being notified of a vulnerability in the company’s online payment system, the Product Security Incident Response Team (PSIRT) was unable to recreate the vulnerability in a testing lab.
What is the response team’s next step?
Which threat modeling step identifies the assets that need to be protected?
Which software-testing technique can be automated or semi-automated and provides invalid, unexpected, or random data to the inputs of a computer software program?
Which threat modeling step collects exploitable weaknesses within the product?
Company leadership has contracted with a security firm to evaluate the vulnerability of all externally facing enterprise applications via automated and manual system interactions. Which security testing technique is being used?
Which security assessment deliverable defines measures that can be periodically reported to management?
Which step in the change management process includes modifying the source code?
Which category classifies identified threats that do not have defenses in place and expose the application to exploits?
Which secure coding best practice says to ensure that buffers are allocated correctly and at the right size, that input strings are truncated to a reasonable length, and that resources, connections, objects, and file handles are destroyed once the application no longer needs them?
The final security review determined that two low-risk security issues identified in testing are still outstanding. Developers have assured the security team that both issues can be resolved quickly once they have time to fix them. The security team is confident that developers can fix the flaws in the first post-release patch.
What is the result of the final security review?
Which privacy impact statement requirement type defines how personal information will be protected when authorized or independent external entities are involved?
The security team has a library of recorded presentations that are required viewing for all new developers in the organization. The video series details organizational security policies and demonstrates how to define, test for, and code for possible threats.
Which category of secure software best practices does this represent?
The scrum team decided that before any change can be merged and tested, it must be looked at by the team's lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team's quality standards.
Which category of secure software best practices is the team performing?
During penetration testing, an analyst was able to create hundreds of user accounts by executing a script that sent individual requests to the registration endpoint.
How should the organization remediate this vulnerability?
A recent vulnerability scan uncovered an XML external entity (XXE) flaw that could allow attackers to return the contents of a system file by including a specific payload in an XML request.
How should the organization remediate this vulnerability?
Which secure coding practice involves clearing all local storage as soon as a user logs off for the night and automatically logging a user out after an hour of inactivity?
A product team, consisting of a Scrum Master, a Business Analyst, two Developers, and a Quality Assurance Tester, are on a video call with the Product Owner. The team is reviewing a list of work items to determine how many they feel can be added to their backlog and completed within the next two-week iteration.
Which Scrum ceremony is the team participating in?
What sits between a browser and an internet connection and alters requests and responses in a way the developer did not intend?
A legacy application has been replaced by a new product that provides mobile capabilities to the company's customer base. The two products have run concurrently for the last three months to provide a fallback if the new product experienced a large-scale failure. The time has come to turn off access to the legacy application.
Which phase of the Software Development Life Cycle (SDLC) is being described?
A company is moving forward with a new product. Product scope has been determined, teams have formed, and backlogs have been created. Developers are actively writing code for the new product, with one team concentrating on delivering data via REST services, one team working on the mobile apps, and a third team writing the web application.
Which phase of the software development lifecycle (SDLC) is being described?
Which software control test examines the internal logical structures of a program and steps through the code line by line to analyze the program for potential errors?
Developers have finished coding, and changes have been peer-reviewed. Features have been deployed to a pre-production environment so that analysts may verify that the product is working as expected.
Which phase of the Software Development Life Cycle (SDLC) is being described?
The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing attack models created during recently completed initiatives.
Which BSIMM domain is being assessed?
Which question reflects the security change management component of the change management process?
Which mitigation technique is used to fight against an identity spoofing threat?
A public library needs to implement security control on publicly used computers to prevent illegal downloads.
Which security control would prevent this threat?