A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retrieve archive documents. Which secure coding practice is this describing?
Answer(s): A
The secure coding practice being described is Access Control. This practice ensures that access to data and features within a system is restricted and controlled. The description given indicates that the product has mechanisms to prevent the display of personally identifiable information (PII), restrict the printing of private documents, and require elevated privileges to access archived documents. These are all measures to control who has access to what data and under what circumstances, which is the essence of access control.
ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud1. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)2. ISO/IEC 29151:2017, Code of practice for personally identifiable information protection3.
Which secure coding practice involves clearing all local storage as soon as a user logs of for the night and will automatically log a user out after an hour of inactivity?
Answer(s): D
The practice of clearing all local storage when a user logs off and automatically logging a user out after an hour of inactivity falls under the category of Session Management. This is a security measure designed to prevent unauthorized access to a user's session and to protect sensitive data that might be stored in the local storage. By clearing the local storage, any tokens, session identifiers, or other sensitive information are removed, reducing the risk of session hijacking or other attacks. The automatic logout feature ensures that inactive sessions do not remain open indefinitely, which could otherwise be exploited by attackers.
The information aligns with the secure coding practices outlined by the OWASP Foundation1, and is supported by common practices in web development for managing sessions and local storage2.
Which software control test examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output?
Answer(s): B
The software control test that examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output is known as black box testing. This testing method focuses on the functionality of the application rather than its internal structures or workings. Testers provide inputs and examine outputs without knowing how and where the inputs are worked upon. It's designed to test the system's external behavior. Black box testing is used to verify that the system meets the requirements and behaves as expected in various scenarios, including edge cases and incorrect input data. It helps in identifying discrepancies between the system's actual functionality and its specified requirements. This type of testing is applicable across various levels of software testing, including unit, integration, system, and acceptance testing. It is particularly useful for validating user stories and use cases during the software development process.Since black box testing treats the software as a "black box", it does not require the tester to have knowledge of the programming languages or the system's implementation. This allows testers to objectively test the software's behavior and performance.
The concept of black box testing is well-documented and is a standard practice in secure software design, as outlined by sources such as LambdaTest1 and other industry best practices.
Which DKEAD category has a risk rating based on the threat exploit's potential level of harm?
The DKEAD category that has a risk rating based on the threat exploit's potential level of harm is Damage potential. This category assesses the total damage or impact that a threat could cause if it is exploited by an attacker. The risk rating in this category is determined by evaluating the severity of the potential damage, which could range from information disclosure to complete system destruction or loss of system availability.
DREAD Threat Modeling1OWASP Risk Rating Methodology2DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis3
What is a countermeasure to the web application security frame (ASF) authentication threat category?
ASF Authentication Threats: The Web Application Security Frame (ASF) authentication category encompasses threats related to how users and systems prove their identity to the application. This includes issues like weak passwords, compromised credentials, and inadequate access controls. Role-Based Access Control (RBAC): RBAC is a well-established security principle that aligns closely with addressing authentication threats. It involves assigning users to roles and granting those roles specific permissions based on the principle of least privilege. This limits the attack surface and reduces the impact of a compromised user account.Let's analyze the other options:B . Credentials and tokens are encrypted: While vital for security, encryption primarily protects data at rest or in transit. It doesn't directly address authentication risks like brute-force attacks or weak password management.C . Cookies have expiration timestamps: Expiring cookies are a good practice, but their primary benefit is session management rather than directly mitigating authentication-specific threats. D . Sensitive information is scrubbed from error messages: While essential for preventing information leakage, this practice doesn't address the core threats within the ASF authentication category.
NIST Special Publication 800-53 Revision 4, Access Control (AC) Family:(https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final) Details the importance of RBAC as a cornerstone of access control.The Web Application Security Frame (ASF): (https://patents.google.com/patent/US7818788B2/en) Outlines the ASF categories, with authentication being one of the primary areas.
Which mitigation technique is used to fight against an identity spoofing threat?
To combat identity spoofing threats, a mitigation technique that is often used is requiring user authorization. This involves implementing strong authentication methods to verify the identity of users before granting access to sensitive information or systems. Techniques such as two-factor authentication (2FA) or multi-factor authentication (MFA) are effective in reducing the risk of unauthorized access, as they require users to provide multiple pieces of evidence to confirm their identity, making it much harder for attackers to spoof an identity successfully.
Best practices for preventing spoofing attacks, including the use of antivirus and firewall tools, and the importance of strong authentication methods like 2FA and MFA1. The National Security Agency's guidance on identity theft threats and mitigations, emphasizing the need for personal protection and strong authentication measures2. Discussion on the effectiveness of strong authentication methods in protecting against spoofing attacks3.The role of comprehensive identity verification and authentication strategies in preventing AI- enhanced identity fraud4.
Which mitigation technique can be used to light against a threat where a user may gain access to administrator level functionality?
The principle of running with the least privilege is a fundamental security concept that involves granting users only the permissions they need to perform their tasks and no more. This minimizes the risk of a user gaining access to administrator-level functionality that they are not authorized to use. By limiting the privileges of user accounts to the bare minimum necessary, the potential damage from various attacks, such as privilege escalation, is significantly reduced.
The concept of least privilege is widely recognized as a critical security measure. Resources like Exabeam's article on preventing privilege escalation and TechTarget's guide on privilege escalation attacks provide insights into how enforcing least privilege can mitigate such threats12. These sources verify that running with the least privilege is an effective mitigation technique against the threat of unauthorized access to elevated privileges.
What is the privacy impact rating of an application that stores personally identifiable information, monitors users with ongoing transfers of anonymous data, and changes settings without notifying the user?
The privacy impact rating for an application that stores personally identifiable information (PII), monitors users with ongoing transfers of anonymous data, and changes settings without notifying the user would be P1 high privacy risk. Storing PII already poses a significant risk due to the potential for data breaches and misuse. Monitoring users and transferring data, even if anonymous, increases the risk as it involves ongoing data collection. Changing settings without user notification is a serious privacy concern because it can lead to unauthorized data processing or sharing, further elevating the risk level.
Practical Data Security and Privacy for GDPR and CCPA - ISACA1. Privacy risk assessment and privacy-preserving data monitoring2. How To Effectively Monitor Your Privacy Program: A New Series3.
Share your comments for WGU Secure-Software-Design exam with other users:
i appreciated the mix of multiple-choice and short answer questions. i passed my exam this morning.
great to find this website, thanks
examination questions seem to be relevant.
planning to take psm test
please allow to download
please provide dumps
is the answer to question 15 correct ? i feel like the answer should be b
its getting more technical
i think these questions are what i need.
helpful assessment
i am confused about the answers to the questions. do you know if the answers are correct?
hi, please make the dumps available for my upcoming examination.
good practice
so far it is really informative
hi i want it please please upload it
am preparing for exam ,just nice questions
please upload c_tadm_23 exam
can we get tdvan4 vantage data engineering pdf?
want to clear the exam.
could you please upload the dumps of sap c_sac_2302
asm management configuration is about storage
kool thumb up
just passed the az-500 exam this last friday. most of the questions in this exam dumps are in the exam. i bought the full version and noticed some of the questions which were answered wrong in the free version are all corrected in the full version. this site is good but i wish the had it in an interactive version like a test engine simulator.
i can practice for exam
please i need this exam.
i need the dump
i want it bad, even if cs6 maybe retired, i want to learn cs6
i hate comptia with all my heart with their "choose the best" answer format as an argument could be made on every question. they say "the "comptia way", lmao no this right here boys is the comptia way 100%. take it from someone whos failed this exam twice but can configure an entire complex network that these are the questions that are on the test 100% no questions asked. the pbqs are dead on! nice work
very good materials
thanks for your support.
iam impressed with the quality of these dumps. they questions and answers were easy to understand and the xengine app was very helpful to use.
not bad but you question database from isaca
awesome contents
answer to 134 is casb. while data loss prevention is the goal, in order to implement dlp in cloud applications you need to deploy a casb.
Keeping this site free takes real effort. We constantly battle automated scraping and unauthorized content copying. A quick account helps us protect the community and keep the site free.
To continue studying for your Secure-Software-Design, please sign in or create a free account.