WGU MASTER'S COURSE C706 TEST BANK SECURE SOFTWARE DESIGN EXAM LATEST 2024
ACTUAL EXAM 400 QUESTIONS AND CORRECT
DETAILED ANSWERS WITH RATIONALES (VERIFIED ANSWERS) |ALREADY GRADED A+ |
Explain the Generic Risk Model.
The General Risk Model is a more subjective model that uses the formula "Risk = Likelihood x Impact" to
represent a threat mathematically.
i. With the General Risk Model, likelihood is defined by the ease of exploitation and the possibility
of realizing a threat.
ii. Impact is defined by the damage potential and the extent of the impact.
Explain the TRIKE Model.
TRIKE is a unique, open-source threat modeling process focused on satisfying the security auditing
process from a cyber risk management perspective. The foundation of the Trike threat modeling
methodology is a "requirements model." The requirements model ensures the assigned level of risk for
each asset is "acceptable" to the various stakeholders.
How do you mitigate STRIDE spoofing and what security principle does it affect?
Authentication. Implement secure user authentication methods, including both secure password
requirements and multi-factor authentication (MFA).
How do you mitigate STRIDE Tampering and what security principle does it affect?
Integrity. The application should be designed to validate user inputs, and encode outputs. Static code
analysis should be used to identify vulnerabilities to tampering in the application both during the
development stage and once the application is in production.
How do you mitigate STRIDE Repudiation and what security principle does it affect?
Non-Repudiation. Incorporate digital signatures in the application that provide proof of actions, or
ensure that full, tamper-proof logs are in place.
How do you mitigate STRIDE Info Disclosure and what security principle does it affect?
Confidentiality. Error messages, response headers, and background information should be as generic as
possible to avoid revealing clues about the application's behavior.
Proper access controls and authorizations should be in place to prevent unauthorized access to
information. The application itself should be checked over from a user perspective to validate that
developer comments and other information are not revealed in the production environment.
How do you mitigate STRIDE Denial of Service and what security principle does it affect?
Availability. Configure firewalls to block traffic from certain sources such as reserved, loopback, or
private IP addresses, or unassigned DHCP clients, or introduce rate limiting to manage traffic.
How do you mitigate STRIDE Elevation of Privilege and what security principle does it affect?
Authorization. This includes managing the identity lifecycle, enforcing the principle of least privilege for all
users, hardening systems and applications through configuration changes, removing unnecessary rights
and access, and closing ports.
What are some common defects software testing should look for?
a. XSS
b. SQL Injection
c. Errors with applications
d. Patch errors
e. Buffer overflow
f. Memory leaks
g. Assertion failures
h. Error handling
What types of tools are these?
a. AppScan by IBM
b. GFI Languard by GFI
c. Hailstorm by Cenzic
d. McAfee Vulnerability Manager (MVM) by McAfee
e. Nessus by Tenable Network Security
f. Retina Web Security Scanner by eEye Digital Security
g. WebInspect by HP
Vulnerability Scanning Tools
What are the OWASP security design principles?
a. Defense in depth (complete mediation)
b. Use a positive security model: Fail-safe defaults, minimize attack surface
c. Fail securely.
d. Run with least privilege.
e. Avoid security by obscurity (open design).
f. Keep security simple (verifiable, economy of mechanism).
g. Detect intrusions (compromise recording).
h. Don't trust infrastructure. Don't trust services.
i. Establish secure defaults
What is code review and its four basic types?
Allows you to find and fix many security issues before the code is tested or shipped. There are four basic
techniques for analyzing the security of a software application:
1. automated scanning
2. manual penetration testing
3. static analysis
4. manual code review
What is a step for constructing a threat model for a project when using practical risk analysis?
A Align your business goals
B Apply engineering methods
C Estimate probability of project time
D Make a list of what you are trying to protect - ANSWER-D
Which cyber threats are typically surgical by nature, have highly specific targeting, and are
technologically sophisticated?