WGU Secure Software Design (D487, KEO1) Exam
Last Update Nov 30, 2025
Total Questions: 118
After being notified of a vulnerability in the company’s online payment system, the Product Security Incident Response Team (PSIRT) was unable to recreate the vulnerability in a testing lab.
What is the response team’s next step?
Which secure coding practice involves clearing all local storage as soon as a user logs off for the night and will automatically log a user out after an hour of inactivity?
Features have been developed and fully tested, the production environment has been created, and leadership has approved the release of the new product. Technicians have scheduled a time and date to make the product available to customers.
Which phase of the software development lifecycle (SDLC) is being described?
The final security review determined that two low-risk security issues identified in testing are still outstanding. Developers have assured the security team that both issues can be resolved quickly once they have time to fix them. The security team is confident that developers can fix the flaws in the first post-release patch.
What is the result of the final security review?
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's claims intake component. The base score of the vulnerability was 3.5 and changed to 5.9 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?
Which threat modeling approach concentrates on things the organization wants to protect?
A software security team recently completed an internal assessment of the company's security assurance program. The team delivered a set of scorecards to leadership along with proposed changes designed to improve low-scoring governance, development, and deployment functions.
Which software security maturity model did the team use?
Security testers have completed testing and are documenting the results of vulnerability scans and penetration analysis. They are also creating documentation to share with the organization's largest customers.
Which deliverable is being prepared?
Which design and development deliverable contains the types of evaluations that were performed, how many times they were performed, and how many times they were re-evaluated?
Which secure coding best practice says to use a single application-level authorization component that will lock down the application if it cannot access its configuration information?
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's customer portal. The base score of the vulnerability was 9.9 and changed to 8.0 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?
Which type of security analysis is performed by injecting malformed data into open interfaces of an executable or running application and is most commonly executed during the testing or deployment phases of the SDLC?
A potential threat was discovered during automated system testing when a PATCH request sent to the API caused an unhandled server exception. The API only supports GET, POST, PUT, and DELETE requests.
How should existing security controls be adjusted to prevent this in the future?
What are the three primary goals of the secure software development process?
Which software development model starts by specifying and implementing just a part of the software, which is then reviewed and identifies further requirements that are implemented by repeating the cycle?
The security team has a library of recorded presentations that are required viewing for all new developers in the organization. The video series details organizational security policies and demonstrates how to define, test for, and code for possible threats.
Which category of secure software best practices does this represent?
While performing functional testing of the new product from a shared machine, a QA analyst closed their browser window but did not log out of the application. A different QA analyst accessed the application an hour later and was not prompted to log in. They then noticed the previous analyst was still logged into the application.
How should existing security controls be adjusted to prevent this in the future?
Which security assessment deliverable identifies possible security vulnerabilities in the product?
The scrum team decided that before any change can be merged and tested, it must be looked at by the team's lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team's quality standards.
Which category of secure software best practices is the team performing?
A company is moving forward with a new product. Product scope has been determined, teams have formed, and backlogs have been created. Developers are actively writing code for the new product, with one team concentrating on delivering data via REST services, one team working on the mobile apps, and a third team writing the web application.
Which phase of the software development lifecycle (SDLC) is being described?
The software security team prepared a report of necessary coding and architecture changes identified during the security assessment.
Which design and development deliverable did the team prepare?
Automated security testing was performed by attempting to log in to the new product with a known username using a collection of passwords. Access was granted after a few hundred attempts.
How should existing security controls be adjusted to prevent this in the future?
Which secure coding best practice says to ensure that buffers are allocated correctly and at the right size, that input strings are truncated to a reasonable length, and that resources, connections, objects, and file handles are destroyed once the application no longer needs them?
Which secure coding best practice ensures sensitive information is not disclosed in any responses to users, authorized or unauthorized?
Which secure coding best practice says to use well-vetted algorithms to ensure that the application uses random identifiers, that identifiers are appropriately restricted to the application, and that user processes are fully terminated on logout?
What is a countermeasure to the web application security frame (ASF) data validation/parameter validation threat category?
Which category classifies identified threats that have some defenses in place and expose the application to limited exploits?
Which secure software design principle assumes attackers have the source code and specifications of the product?
Which secure software design principle states that it is always safer to require agreement of more than one entity to make a decision?
In which step of the PASTA threat modeling methodology is vulnerability and exploit analysis performed?
The software security team is performing security testing on a new software product using a testing tool that scans the running application for known exploit signatures.
Which security testing technique is being used?
Which concept is demonstrated when every module in a particular abstraction layer of a computing environment can only access the information and resources that are necessary for its legitimate purpose?
During penetration testing, an analyst was able to create hundreds of user accounts by executing a script that sent individual requests to the registration endpoint.
How should the organization remediate this vulnerability?
Which mitigation technique is used to fight against an identity spoofing threat?