Free WGU Secure-Software-Design Practice Exam with Questions & Answers

In the PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology, vulnerability and exploit analysis is performed during the Attack modeling step. This step involves identifying potential threats and vulnerabilities within the system and understanding how they could be exploited.

Attack modeling is a critical phase where the focus is on simulating attacks based on identified vulnerabilities. It allows for a deep understanding of the threats in the context of the application’s architecture and system design.

During this phase, security analysts use their knowledge of the system’s technical scope and application decomposition to simulate how an attacker could exploit the system’s vulnerabilities. This helps in prioritizing the risks and planning appropriate mitigation strategies.

The goal of attack modeling is not just to identify vulnerabilities but also to understand the potential impact of exploits on the system and the business, which is essential for developing a robust security posture.

References: The information provided is aligned with the PASTA methodology as described in resources such as VerSprite1 and the OWASP Foundation2. These sources detail the seven stages of PASTA, with attack modeling being a key component of the process.

The activity described pertains to the review of noncommercial software libraries to ensure compliance with the legal specifications set by the authors. This is part of the open-source licensing review, which is a critical activity in the Ship phase of the Security Development Lifecycle (SDL). This review ensures that all open-source components are used in accordance with their licenses, which is essential for legal and security compliance.

References: The Ship phase of the SDL includes various activities such as policy compliance review, vulnerability scanning, penetration testing, open-source licensing review, and final security and privacy reviews12. The open-source licensing review specifically addresses the legal aspects of using third-party software components2.

White box testing, also known as clear box testing, glass box testing, transparent box testing, and structural testing, is a method of software testing where the internal structure, design, and coding of the software are tested to verify the flow of input-output and to improve the design, usability, and security. It involves looking at the structures that are internal to the system, with the tester having knowledge of the internal workings of the product. This type of testing is concerned with examining the internal logical structures of the program and is typically performed by stepping through the code line by line to analyze the program for potential errors, which aligns with the description of the control test in question.

References:

Control Structure Testing - GeeksforGeeks1

What is White Box Testing? - BrowserStack2

Software Testing Strategies Chapter 18 - IIT3

The category of secure software best practices being described is Training. This is because the focus is on educating new developers about organizational security policies and coding practices to mitigate potential threats. Training is a proactive approach to ensure that developers are aware of security concerns and are equipped with the knowledge to address them in their coding practices.

References: The importance of training in secure software best practices is supported by industry resources such as the SAFECode’s “Fundamental Practices for Secure Software Development” which emphasizes the need for application security control definition and management1, and the NIST’s Secure Software Development Framework (SSDF) which recommends integrating secure development practices throughout the software development lifecycle2. Additional support for this category can be found in resources detailing effective secure development practices345.

Validating user input data before it is processed by the application is a fundamental security control in software design. This process, known as input validation, ensures that only properly formed data is entering the workflow of the application, thereby preventing many types of attacks, including type mismatches as mentioned in the question. By validating input data, the application can reject any requests that contain unexpected or malicious data, reducing the risk of security vulnerabilities and ensuring the integrity of the system.

References:

Secure SDLC practices emphasize the importance of integrating security activities, such as creating security and functional requirements, code reviews, security testing, architectural analysis, and risk assessment, into the existing development workflow1.

A Secure Software Development Life Cycle (SSDLC) ensures that security is considered at every phase of the development process, from planning and design to coding, testing, deploying, and maintaining the software2.

The phase being described is the Deployment phase of the SDLC. This phase involves making the software available for use by customers after it has been developed, tested, and approved for release. It includes the installation of the software in the production environment, ensuring that all features are operational as intended, and obtaining formal approval from leadership to proceed with making the product available to end-users. The deployment phase is critical as it transitions the software from a development setting to a real-world operational environment.

References:

SDLC Deployment Phase – A Step by Step Guide1

Understanding the SDLC: Software Development Lifecycle Explained2