What sits between a browser and an internet connection and alters requests and responses in a way the developer did not intend?
Answer : C
Which secure coding best practice says to use a single application-level authorization component that will lock down the application if it cannot access its configuration information?
Answer : A
Which mitigation technique can be used to fight against a threat where a user may gain access to administrator level functionality?
Answer : D
Which privacy impact statement requirement type defines processes to keep personal information updated and accurate?
Answer : C
The software security team prepared a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute.
Which design and development deliverable did the team prepare?
Answer : D
Which type of security analysis is limited by the fact that a significant time investment of a highly skilled team member is required?
Answer : C
A potential threat was discovered during automated system testing when a PATCH request sent to the API caused an unhandled server exception. The API only supports GET, POST, PUT, and DELETE requests.
How should existing security controls be adjusted to prevent this in the future?
Answer : A
Recent vulnerability scans discovered that the organization’s production web servers were responding to ping requests with server type, version, and operating system, which hackers could leverage to plan attacks.
How should the organization remediate this vulnerability?
Answer : A
Which security assessment deliverable identifies unmanaged code that must be kept up to date throughout the life of the product?
Answer : D
Credit card numbers are encrypted when stored in the database but are automatically decrypted when data is fetched. The testing tool intercepted the GET response, and testers were able to view credit card numbers as clear text.
How should the organization remediate this vulnerability?
Answer : C
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company’s claims intake component. The base score of the vulnerability was 3.5 and changed to 5.9 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?
Answer : D
Which software-testing technique can be automated or semi-automated and provides invalid, unexpected, or random data to the inputs of a computer software program?
Answer : A
While performing functional testing of the new product from a shared machine, a QA analyst closed their browser window but did not log out of the application. A different QA analyst accessed the application an hour later and was not prompted to log in. They then noticed the previous analyst was still logged into the application.
How should existing security controls be adjusted to prevent this in the future?
Answer : B
Company leadership has discovered an untapped revenue stream within its customer base and wants to meet with IT to share its vision for the future and determine whether to move forward.
Which phase of the software development lifecycle (SDLC) is being described?
Answer : C
Which SDL security goal is defined as ensuring timely and reliable access to and use of information?
Answer : C