Secure Software Design (D487)
Free Secure Software Design (D487) Questions
Which secure software design principle assumes attackers have the source code and specification of the product?
- a) Open design
- b) Total mediation
- c) Psychological acceptability
- d) Separation of privileges
Correct Answer:
a) Open design
Explanation:
The principle of open design assumes that attackers may have access to the source code and specifications of a product. This means that security is built on the design itself, rather than on keeping the design or implementation secret. The security should still be robust even if the attackers have detailed knowledge of the system.
Why other options are wrong:
b) Total mediation: This principle suggests that every access to a resource must be checked and authorized, but it doesn't focus on the assumption that attackers have access to the source code.
c) Psychological acceptability: This refers to making security mechanisms easy for users to understand and use, but it does not directly involve the assumption that attackers have access to the source code.
d) Separation of privileges: This principle involves dividing tasks or privileges to minimize risk, but it doesn't assume attackers have access to the source code.
A product team, consisting of a scrum master, a business analyst, two developers, and a quality assurance tester, is on a video call with the product owner. The team is reviewing a list to determine how many items they feel can be added to their backlog and completed within the next two-week iteration. Which scrum ceremony is the team participating in?
- a) Sprint planning
- b) Daily scrum
- c) Sprint review
- d) Sprint retrospective
Correct Answer:
a) Sprint planning
Explanation:
In Sprint Planning, the scrum team collaborates to review the backlog and decide which items will be included in the upcoming sprint. The goal is to determine how much work the team can complete in the next iteration (typically two weeks).
Why other options are wrong:
b) Daily scrum: The Daily Scrum (also known as the Daily Standup) is a brief meeting held every day during the sprint to discuss progress, impediments, and plans for the next 24 hours.
c) Sprint review: The Sprint Review is a meeting held at the end of the sprint to demonstrate the completed work and discuss whether the sprint goals were met, not to plan the next sprint.
d) Sprint retrospective: The Sprint Retrospective takes place after the Sprint Review and focuses on reflecting on the sprint's process and identifying areas for improvement for the next sprint.
What is a countermeasure to the web Application Security Frame (ASF) data validation/parameter validation threat category?
- a) All administrative activities are logged and audited
- b) Sensitive information is not logged
- c) All exceptions are handled in a structured way
- d) Inputs enforce type, format, length, and range checks
Correct Answer:
d) Inputs enforce type, format, length, and range checks
Explanation:
The data validation/parameter validation threat category involves ensuring that inputs to a web application are properly validated to prevent malicious data from being processed. By enforcing type, format, length, and range checks on inputs, the application ensures that only valid data is accepted and reduces the risk of attacks such as SQL injection or buffer overflows.
Why other options are wrong:
a) All administrative activities are logged and audited: This is a good security practice for tracking and monitoring activities, but it is not directly related to data validation or parameter validation.
b) Sensitive information is not logged: While this is important for protecting sensitive data, it doesn't address the validation of user inputs.
c) All exceptions are handled in a structured way: Handling exceptions properly is important for application stability and security, but it is not specifically related to validating user inputs for correctness or security.
Developers have finished coding, and changes have been peer reviewed. Features have been deployed to a pre-production environment so that analysts may verify that the product is working as expected. Which phase of the Software Development Life Cycle (SDLC) is being described?
- a) Testing
- b) Requirements
- c) Deployment
- d) Design
Correct Answer:
a) Testing
Explanation:
In the Testing phase, the product is deployed to a pre-production or testing environment where analysts and quality assurance teams verify that the features are working as expected, ensuring the product meets the specified requirements.
Why other options are wrong:
b) Requirements: The requirements phase is about gathering and defining the needs for the system, not about testing functionality.
c) Deployment: Deployment refers to the final release of the software to the production environment, which occurs after testing.
d) Design: The design phase involves creating the system architecture and design plans before any coding or testing happens.
The software security team prepared a report of necessary coding and architecture changes identified during the security assessment. Which design and development deliverable did the team prepare?
- a) Updated threat modeling artifacts
- b) Design security review
- c) Privacy implementation assessment results
- d) Security test plans
Correct Answer:
b) Design security review
Explanation:
The Design security review is the deliverable that provides the necessary coding and architecture changes identified during a security assessment. This review typically involves evaluating the current design for security gaps and recommending changes to improve security based on the assessment.
Why other options are wrong:
a) Updated threat modeling artifacts: These focus on documenting potential threats and vulnerabilities but do not directly cover the necessary changes to coding or architecture identified during an assessment.
c) Privacy implementation assessment results: This is focused on privacy-related issues and how they were implemented, not necessarily coding or architecture changes from a security assessment.
d) Security test plans: These detail how the application will be tested for security vulnerabilities, not the changes needed in the code or design based on an assessment.
Which security assessment deliverable defines measures that will be periodically reported to management?
- a) Metrics template
- b) Product risk profile
- c) SDL project outline
- d) Threat profile
Correct Answer:
a) Metrics template
Explanation:
A metrics template defines the specific measures, key performance indicators (KPIs), and metrics that will be periodically reported to management. This deliverable ensures that the progress and effectiveness of security initiatives are tracked and communicated over time.
Why other options are wrong:
b) Product risk profile: This provides a snapshot of risks associated with a specific product, but it doesn't typically outline periodic reporting measures for management.
c) SDL project outline: This outlines the stages of the Secure Development Lifecycle (SDL), but it doesn't specifically define periodic measures for management.
d) Threat profile: This assesses and categorizes threats, but doesn't define reporting measures for management.
Which privacy impact statement requirement type defines processes to keep personal information updated and accurate?
- a) Data integrity requirements
- b) Collection of personal information requirements
- c) Access requirements
- d) Personal information retention requirements
Correct Answer:
a) Data integrity requirements
Explanation:
Data integrity requirements define the processes necessary to ensure that personal information remains accurate, complete, and up to date. These requirements are critical for maintaining the quality and accuracy of personal data over time.
Why other options are wrong:
b) Collection of personal information requirements: These pertain to how personal information is gathered and consented to but not how it should be kept updated.
c) Access requirements: These focus on who can access the personal information and under what circumstances, not on its accuracy.
d) Personal information retention requirements: These pertain to how long personal information should be kept, not on ensuring it is accurate or up to date.
A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retry. Which secure coding practice is this describing?
- a) Data protection
- b) Input validation
- c) Authentication
- d) Access control
Correct Answer:
a) Data protection
Explanation:
Data protection focuses on safeguarding sensitive information, including ensuring that personally identifiable information (PII) is not exposed and implementing mechanisms that prevent unauthorized actions (such as printing private documents or attempting unauthorized retries). It includes practices to secure data both in transit and at rest, ensuring privacy and confidentiality.
Why other options are wrong:
b) Input validation: Input validation ensures that input data is correct and sanitized but does not address the protection of sensitive information or prevent unauthorized actions such as printing private documents.
c) Authentication: Authentication verifies the identity of users, but this practice focuses more on protecting data and controlling actions, not on verifying user identity.
d) Access control: Access control deals with restricting what actions a user can perform based on their role and permissions, but in this case, the main focus is on safeguarding the data itself, not merely controlling access to it.
The security software team has cloned the source code repository of the new software product so they can perform vulnerability testing by modifying code that can cause unexpected behavior and application failure. Which security testing technique is being used?
- a) Binary fault injection
- b) Fuzz testing
- c) Dynamic code analysis
- d) Source-code fault injection
Correct Answer:
d) Source-code fault injection
Explanation:
Source-code fault injection involves modifying the source code to intentionally introduce errors or vulnerabilities, testing how the application responds to these faults. This method is done at the code level, which matches the scenario described where the team is modifying the source code repository to test for vulnerabilities and unexpected behavior.
Why other options are wrong:
a) Binary fault injection: This involves injecting faults at the binary level (compiled code), not the source code level.
b) Fuzz testing: While fuzz testing involves providing random or unexpected inputs to an application to detect vulnerabilities, it doesn’t involve modifying the source code directly.
c) Dynamic code analysis: This is typically a technique used to analyze code behavior during execution, usually to identify security issues or vulnerabilities in runtime, not by injecting faults at the source code level.
Which secure coding best practice says to use a single application-level authorization component that will lock down the application if it cannot
- a) Session management
- b) Data protection
- c) Access control
- d) Communication security
Correct Answer:
c) Access control
Explanation:
Access control involves implementing a centralized authorization mechanism that restricts access to resources based on user roles and permissions. If the application cannot authenticate or authorize a user properly, access should be locked down to prevent unauthorized access.
Why other options are wrong:
a) Session management: Session management ensures that user sessions are securely created, maintained, and terminated but does not specifically address the application-level authorization process.
b) Data protection: Data protection focuses on safeguarding sensitive data, such as encryption or ensuring data confidentiality, integrity, and availability, rather than access control or authorization.
d) Communication security: Communication security ensures that data transmitted between systems is protected (e.g., through encryption), but it doesn't involve locking down the application based on authorization failures.
Frequently Asked Questions
The course focuses on secure coding principles, software vulnerabilities, authentication mechanisms, cryptography, and best practices for designing secure applications.
Secure software design helps prevent cyber threats such as SQL Injection, Cross-Site Scripting (XSS), authentication bypasses, and data breaches, ensuring application security and compliance with industry standards.
The course covers vulnerabilities like SQL Injection, XSS, Cross-Site Request Forgery (CSRF), insecure authentication, weak cryptography, and improper error handling.
Using prepared statements and parameterized queries is the most effective method to prevent SQL Injection, as it ensures user input is treated strictly as data, not executable code.
XSS occurs when an attacker injects malicious scripts into web pages viewed by users. It can be prevented by sanitizing and encoding user input, using a Content Security Policy (CSP), and avoiding innerHTML in JavaScript.
MFA requires users to verify their identity using multiple factors (e.g., password + one-time code). It significantly enhances security by preventing unauthorized access, even if a password is compromised.
Authentication verifies a user’s identity (e.g., username and password). Authorization determines what actions or data a user is allowed to access after authentication.