The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing attack models created during recently completed initiatives. Which BSIMM domain is being assessed?
A. Governance
B. Software security development life cycle (SSDL) touchpoints
C. Intelligence
D. Deployment
Company leadership has contracted with a security firm to evaluate the vulnerability of all externally facing enterprise applications via automated and manual system interactions. Which security testing technique is being used?
A. Property-based-testing
B. Source-code analysis
C. Penetration testing
D. Source-code fault injection
The software security team has been tasked with assessing a document management application that has been in use for many years and developing a plan to ensure it complies with organizational policies. Which post-release deliverable is being described?
A. Security strategy tor MandA products
B. Security strategy tor legacy code
C. Post-release certifications
D. External vulnerability disclosure response process
The security team has a library of recorded presentations that are required viewing for all new developers in the organization. The video series details organizational security policies and demonstrates how to define, test for, and code for possible throats.
Which category of secure software best practices does this represent?
A. Attack models
B. Training
C. Architecture analysis
D. Code review
Which mitigation technique can be used to tight against a threat where a user may gain access to administrator level functionality?
A. Encryption
B. Quality of service
C. Hashes
D. Run with least privilege
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's claims intake component. The base score of the vulnerability was 3.5 and changed to 5.9 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?
A. Critical severity
B. High severity
C. Low severity
D. Medium severity
Which software-testing technique can be automated or semi-automated and provides invalid, unexpected, or random data to the inputs of a computer software program?
A. Fuzzing
B. Static analysis
C. Dynamic analysis
D. Bugtraq
A recent vulnerability scan uncovered an XML external entity (XXE) flaw that could allow attackers to return the contents of a system file by including a specific payload in an XML request. How should the organization remediate this vulnerability?
A. Ensure audit trails exist for all sensitive transactions
B. Disable resolution of external entities in the parsing library
C. Enforce role-based authorization in all application layers
D. Ensure authentication cookies are encrypted
Features have been developed and fully tested, the production environment has been created, and leadership has approved the release of the new product. Technicians have scheduled a time and date to make the product available to customers.
Which phase of the software development lifecycle (SDLC) is being described?
A. Maintenance
B. Deployment
C. End of life
D. Testing
The software security team is performing security testing for a new software product that is close to production release. They are concentrating on integrations between the new product and database servers, web servers, and web services. Which security testing technique is being used?
A. Fuzz testing
B. Dynamic code analysis
C. Binary fault injection
D. Binary code analysis