
Get Latest [May-2025] Conduct effective penetration tests using VCEDumps Secure-Software-Design
NEW QUESTION # 21
Which threat modeling approach concentrates on things the organization wants to protect?
- A. Attacker-centric
- B. Asset-centric
- C. Server-centric
- D. Application-centric
Answer: B
Explanation:
The Asset-centric approach to threat modeling focuses on identifying and protecting the assets that are most valuable to an organization. This method prioritizes the assets themselves, assessing their sensitivity, value, and the impact on the business should they be compromised. It is a strategic approach that aims to safeguard the confidentiality, integrity, and availability of the organization's key assets.
References:
* A Review of Asset-Centric Threat Modelling Approaches [1]
* Approaches to Threat Modeling - are you getting what you need? [2]
* What Is Threat Modeling? - CrowdStrike [3]
NEW QUESTION # 22
Which software control test examines the internal logical structures of a program and steps through the code line by line to analyze the program for potential errors?
- A. Dynamic testing
- B. Black box testing
- C. White box testing
- D. Reasonableness testing
Answer: C
Explanation:
White box testing, also known as clear box testing, glass box testing, transparent box testing, and structural testing, is a method of software testing where the internal structure, design, and coding of the software are tested to verify the flow of input-output and to improve the design, usability, and security. It involves looking at the structures that are internal to the system, with the tester having knowledge of the internal workings of the product. This type of testing is concerned with examining the internal logical structures of the program and is typically performed by stepping through the code line by line to analyze the program for potential errors, which aligns with the description of the control test in question.
References:
* Control Structure Testing - GeeksforGeeks [1]
* What is White Box Testing? - BrowserStack [2]
* Software Testing Strategies Chapter 18 - IIT [3]
NEW QUESTION # 23
Which secure software design principle assumes attackers have the source code and specifications of the product?
- A. Separation of Privileges
- B. Psychological Acceptability
- C. Open Design
- D. Total Mediation
Answer: C
NEW QUESTION # 24
The security software team has cloned the source code repository of the new software product so they can perform vulnerability testing by modifying or adding small snippets of code to see if they can cause unexpected behavior and application failure.
Which security testing technique is being used?
- A. Binary Fault Injection
- B. Fuzz Testing
- C. Dynamic Code Analysis
- D. Source-Code Fault Injection
Answer: D
NEW QUESTION # 25
Which SDL security goal is defined as ensuring timely and reliable access to and use of information?
- A. Confidentiality
- B. Availability
- C. Integrity
- D. Information security
Answer: B
Explanation:
The term 'availability' in the context of the Secure Software Development Lifecycle (SDL) refers to ensuring that systems, applications, and data are accessible to authorized users when needed. This means that the information must be timely and reliable, without undue delays or interruptions. Availability is a critical aspect of security, as it ensures that the software functions correctly and efficiently, providing users with the information they need to perform their tasks.
References:
* The definition of availability as per the National Institute of Standards and Technology (NIST) Glossary [1]
* The Microsoft Security Development Lifecycle (SDL), which emphasizes the importance of availability in secure software design [2]
* General principles of the Secure Software Development Life Cycle (SSDLC) that include availability as a key security goal [3]
NEW QUESTION # 26
A recent vulnerability scan uncovered an XML external entity (XXE) flaw that could allow attackers to return the contents of a system file by including a specific payload in an XML request.
How should the organization remediate this vulnerability?
- A. Enforce role-based authorization in all application layers
- B. Disable resolution of external entities in the parsing library
- C. Ensure authentication cookies are encrypted
- D. Ensure audit trails exist for all sensitive transactions
Answer: C
Explanation:
Security change management within the change management process involves ensuring that any changes, including updates or modifications to software, do not introduce new vulnerabilities and are in line with security policies. The question about securing remote administration directly reflects this component because it addresses the security considerations that must be managed when changes are made to how software is accessed and controlled remotely. This includes implementing secure protocols, authentication methods, and monitoring to prevent unauthorized access or breaches, which are crucial when managing changes in a secure manner.
References:
* Change management in cybersecurity emphasizes the structured approach to implementing alterations in security protocols, technologies, and processes, ensuring systematic assessment and monitoring [1]
* The role of change management in cybersecurity includes decisions about network access and ensuring the right person can access the right information at the right time, which aligns with securing remote administration [2]
* Seminal change management models in cybersecurity, like PROSCI's ADKAR model, guide individuals through the change process, managing resistance and identifying training needs, which is relevant to securing remote administration [3]
NEW QUESTION # 27
What is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or distribution to provide confidentiality, integrity, and availability?
- A. Availability
- B. Confidentiality
- C. Integrity
- D. Information Security
Answer: D
NEW QUESTION # 28
The product security incident response team (PSIRT) has decided to make a formal public disclosure, including base and temporal common vulnerability scoring system (CVSS) scores and a common vulnerabilities and exposures (CVE) ID report, of an externally discovered vulnerability.
What is the most likely reason for making a public disclosure?
- A. The vulnerability reporter has threatened to make the finding public after being notified that their case was not credible.
- B. The response team has determined that the vulnerability is credible.
- C. The potential for increased public awareness of a vulnerability is probable, which could lead to higher risk for customers.
- D. Notification of a vulnerability from an external party has occurred.
Answer: B
NEW QUESTION # 29
The security team is reviewing whether changes or open issues exist that would affect requirements for handling personal information documented in earlier phases of the development life cycle.
Which activity of the Ship SDL phase is being performed?
- A. Final security review
- B. Final privacy review
- C. Open-source licensing review
- D. Vulnerability scan
Answer: B
Explanation:
The activity being performed is the final privacy review. This step is crucial in the Ship phase of the Security Development Lifecycle (SDL), where the security team assesses if there are any changes or unresolved issues that could impact the requirements for handling personal information. These requirements are typically documented in the earlier stages of the development lifecycle, and the final privacy review ensures that the software complies with these requirements before release.
References: The explanation is based on the best practices outlined in the SDL Activities and Best Practices, which detail the importance of conducting a final privacy review during the Ship phase to ensure that all privacy issues have been addressed [1][2].
NEW QUESTION # 30
A potential threat was discovered during automated system testing when a PATCH request sent to the API caused an unhandled server exception. The API only supports GET, POST, PUT, and DELETE requests.
How should existing security controls be adjusted to prevent this in the future?
- A. Enforce role-based authorization
- B. Properly configure acceptable API requests
- C. Use API keys to enforce authorization of every request
- D. Ensure audit logs are in place for sensitive transactions
Answer: B
Explanation:
The issue described involves a PATCH request causing an unhandled server exception because the API does not support this method. The most direct and effective way to prevent such exceptions is to ensure that the API is configured to accept only the supported request methods: GET, POST, PUT, and DELETE. This can be achieved by implementing strict input validation to reject any requests that do not conform to the defined API specifications, including the request method. By doing so, any requests using unsupported methods like PATCH will be immediately rejected, thus preventing the server from reaching an exception state.
References:
* OWASP's guidance on error and exception handling emphasizes the importance of managing exceptions in a centralized manner and ensuring that all unexpected behavior is correctly handled within the application [1]
* Additional best practices for error handling in software development suggest the significance of input validation and the implementation of defensive programming techniques to prevent errors [2]
* The OWASP Foundation also highlights the principle that all security mechanisms should deny access until specifically granted, which supports the approach of configuring acceptable API requests [3]
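The failure mode in question 30 and its fix, as an added illustration that is not part of the exam material: a minimal dispatcher where an unknown method surfaces as an unhandled exception, beside a hardened version that validates the method against the declared API surface and answers 405 with an Allow header. The handler table, the `Response` type and both `dispatch_*` functions are constructed for this example.

```python
# Added example (not from the exam dump): why an unsupported HTTP method can
# become an unhandled server exception, and the hardened dispatch that rejects
# it before any handler runs. Names here are assumptions for illustration.
from dataclasses import dataclass, field

# The API's declared surface: only these four methods are supported.
SUPPORTED_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


# Constructed handler table; note there is deliberately no PATCH entry.
HANDLERS = {
    "GET": lambda body: Response(200, "list"),
    "POST": lambda body: Response(201, "created"),
    "PUT": lambda body: Response(200, "replaced"),
    "DELETE": lambda body: Response(204),
}


def dispatch_naive(method: str, body: str = "") -> Response:
    """Flawed version: an unknown method is a KeyError that propagates out of
    the request handler, which most frameworks surface as a 500 error."""
    return HANDLERS[method](body)


def dispatch_hardened(method: str, body: str = "") -> Response:
    """Validate the method against the declared API surface before dispatch.
    Anything else (PATCH, lowercase spellings, garbage) gets a 405 with an
    Allow header instead of reaching code that was never written for it."""
    if method not in SUPPORTED_METHODS:
        return Response(405, "method not allowed",
                        {"Allow": ", ".join(sorted(SUPPORTED_METHODS))})
    return HANDLERS[method](body)


if __name__ == "__main__":
    print(dispatch_hardened("PATCH").status)  # 405
```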
NEW QUESTION # 31
Which software control test examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output?
- A. Black box
- B. Dynamic
- C. Static
- D. White box
Answer: A
Explanation:
The software control test that examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output is known as black box testing. This testing method focuses on the functionality of the application rather than its internal structures or workings. Testers provide inputs and examine outputs without knowing how and where the inputs are worked upon. It's designed to test the system's external behavior.
* Black box testing is used to verify that the system meets the requirements and behaves as expected in various scenarios, including edge cases and incorrect input data. It helps in identifying discrepancies between the system's actual functionality and its specified requirements.
* This type of testing is applicable across various levels of software testing, including unit, integration, system, and acceptance testing. It is particularly useful for validating user stories and use cases during the software development process.
* Since black box testing treats the software as a "black box", it does not require the tester to have knowledge of the programming languages or the system's implementation. This allows testers to objectively test the software's behavior and performance.
References: The concept of black box testing is well-documented and is a standard practice in secure software design, as outlined by sources such as LambdaTest [1] and other industry best practices.
NEW QUESTION # 33
Which DREAD category has a risk rating based on the threat exploit's potential level of harm?
- A. Exploitability
- B. Reproducibility
- C. Affected users
- D. Damage potential
Answer: D
Explanation:
The DREAD category that has a risk rating based on the threat exploit's potential level of harm is Damage potential. This category assesses the total damage or impact that a threat could cause if it is exploited by an attacker. The risk rating in this category is determined by evaluating the severity of the potential damage, which could range from information disclosure to complete system destruction or loss of system availability.
References:
* DREAD Threat Modeling [1]
* OWASP Risk Rating Methodology [2]
* DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis [3]
NEW QUESTION # 34
The software security team is performing security testing for a new software product that is close to production release. They are concentrating on integrations between the new product and database servers, web servers, and web services.
Which security testing technique is being used?
- A. Dynamic code analysis
- B. Fuzz testing
- C. Binary code analysis
- D. Binary fault injection
Answer: B
Explanation:
Fuzz testing is the ideal technique in this scenario. Here's why:
* Focus on Integrations: The scenario emphasizes testing links between the software, databases, web servers, and web services. Fuzz testing is specifically designed to find vulnerabilities in how software handles data and communication between components.
* Pre-release Testing: The product being close to release indicates a critical need to identify security flaws before public deployment. Fuzz testing is effective in uncovering unexpected behavior and potential vulnerabilities.
* Fuzz Testing Targets: Fuzz testing works by injecting invalid or unexpected data into interfaces (like those between databases, web components, etc.) to observe how the software reacts. This helps expose potential security gaps and weaknesses.
NEW QUESTION # 35
What is a countermeasure to the web application security frame (ASF) data validation/parameter validation threat category?
- A. All administrative activities are logged and audited.
- B. All exceptions are handled in a structured way.
- C. Sensitive information is not logged.
- D. Inputs enforce type, format, length, and range checks.
Answer: D
NEW QUESTION # 36
