A potential threat was discovered during vulnerability testing when an environment configuration file was found that contained the database username and password stored in plain text.
How should existing security controls be adjusted to prevent this in the future?
Which secure coding best practice says to ensure that buffers are allocated correctly and at the right size, that input strings are truncated to a reasonable length, and that resources, connections, objects, and file handles are destroyed once the application no longer needs them?
The software security group is conducting a maturity assessment using the Open Web Application Security Project Software Assurance Maturity Model (OWASP SAMM). They are currently focused on reviewing design artifacts to ensure they comply with organizational security standards.
Which OpenSAMM business function is being assessed?
Which threat modeling approach concentrates on things the organization wants to protect?
Which threat modeling step collects exploitable weaknesses within the product?
A company is moving forward with a new product. Product scope has been determined, teams have formed, and backlogs have been created. Developers are actively writing code for the new product, with one team concentrating on delivering data via REST services, one Team working on the mobile apps, and a third team writing the web application.
Which phase of the software development lifecycle (SDLC) is being described?
What sits between a browser and an internet connection and alters requests and responses in a way the developer did not intend?
After being notified of a vulnerability in the company’s online payment system, the Product Security Incident Response Team (PSIRT) was unable to recreate the vulnerability in a testing lab.
What is the response team’s next step?
Automated security testing was performed by attempting to log in to the new product with a known username using a collection of passwords. Access was granted after a few hundred attempts.
How should existing security controls be adjusted to prevent this in the future?
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the user authentication component of the company's now product. The base score of the vulnerability was 8.3 and changed to 9.4 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?
Which secure coding practice uses role-based authentication where department-specific credentials will authorize department-specific functionality?
The organization has contracted with an outside firm to simulate an attack on the new software product and report findings and remediation recommendations.
Which activity of the Ship SDL phase is being performed?
A recent security review has identified an aging credential recovery/forgotten password component that emails temporary passwords to users who claim to have forgotten their application password.
How should the organization remediate this vulnerability?
Which security assessment deliverable defines measures that can be periodically reported to management?
The software security team is performing security testing for a new software product that is close to production release. They are concentrating on integrations between the new product and database servers, web servers, and web services.
Which security testing technique is being used?
Due to positive publicity from the release of the new software product, leadership has decided that it is in the best interests of the company to become ISO 27001 compliant. ISO 27001 is the leading international standard focused on information security.
Which security development life cycle deliverable is being described?
Which type of threat exists when an attacker can intercept and manipulate form data after the user clicks the save button but before the request is posted to the API?
The security team has a library of recorded presentations that are required viewing tor all new developers in the organization. The video series details organizational security policies and demonstrates how to define, test for. and code tor possible threats.
Which category of secure software best practices does this represent?
Which secure coding best practice ensures sensitive information is not disclosed in any responses to users, authorized or unauthorized?
Developers have finished coding, and changes have been peer-reviewed. Features have been deployed to a pre-production environment so that analysts may verify that the product is working as expected.
Which phase of the Software Development Life Cycle (SDLC) is being described?
Which secure coding best practice says to only use tested and approved components and use task-specific, built-in APIs to conduct operating system functions?
What refers to the review of software source code by developers other than the original coders to try to identify oversights, mistakes, assumptions, a lack of knowledge, or even experience?
What is a countermeasure to the web application security frame (ASF) data validation/parameter validation threat category?
During fuzz testing of the new product, an exception was thrown on the order entry view, which caused a full stack dump to be displayed in the browser window that included function names from the source code.
How should existing security controls be adjusted to prevent this in the future?
Which threat modeling methodology involves creating or using collections of similar threats?
The final security review determined that two low-risk security issues identified in testing are still outstanding. Developers have assured the security team that both issues can be resolved quickly once they have time to fix them. The security team is confident that developers can fix the flaws in the first post-release patch.
What is the result of the final security review?
The scrum team decided that before any change can be merged and tested, it must be looked at by the learns lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team's quality standards.
Which category of secure software best practices is the team performing?