CyberVista Software Development Security Questions and Answers

Question 1

A development team is analyzing a new feature for an online banking application. To identify potential security flaws, they are categorizing threats into the following groups: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Which threat modeling methodology is the team using?

Accepted Answer

STRIDE

Answer

The STRIDE methodology, developed by Microsoft, is an acronym for the six threat categories listed: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It is a widely used model for identifying and categorizing security threats during the design phase.

Question 2

A security team wants to identify vulnerabilities like SQL injection and buffer overflows by analyzing an application's source code without executing the program. Which of the following testing methodologies should they employ?

Accepted Answer

Static Application Security Testing (SAST)

Answer

Static Application Security Testing (SAST) is a white-box testing methodology that analyzes source code, byte code, or binaries for security vulnerabilities without executing the application. This approach allows for the discovery of vulnerabilities early in the SDLC.

Question 3

A developer is building a web page that displays user-provided comments. To prevent stored Cross-Site Scripting (XSS) attacks, what is the MOST critical security control to implement before rendering the comments in the user's browser?

Accepted Answer

Performing context-aware output encoding

Answer

While input validation is an important part of a defense-in-depth strategy, the primary and most effective defense against XSS is performing context-aware output encoding. This process ensures that any user-provided data is treated as displayable text by the browser, rather than as executable code, regardless of the characters it contains.

Question 4

During a security review of a new application, it is discovered that the development team has used numerous open-source libraries. What type of security tool is specifically designed to scan for and identify known vulnerabilities within these third-party components?

Accepted Answer

Software Composition Analysis (SCA) tool

Answer

Software Composition Analysis (SCA) tools are specifically designed to identify the open-source and third-party components used in an application. They then check these components against databases of known vulnerabilities (like CVEs) to uncover security risks and potential licensing issues.

Question 5

An organization is adopting a DevSecOps culture to improve security. They decide to integrate automated security scanning tools directly into their CI/CD pipeline, allowing developers to get immediate feedback on potential vulnerabilities as they commit code. This practice is a core tenet of which security principle?

Accepted Answer

Shifting Left

Answer

Shifting Left is the practice of integrating security considerations and testing as early as possible (further to the left) in the Software Development Lifecycle (SDLC). Integrating automated security tools into the CI/CD pipeline is a prime example of this principle, as it provides early and continuous feedback to developers.

CyberVista Test Practice Test

CyberVista Test Practice Test

CyberVista Software Development Security Questions and Answers