Secure-Software-Design学習範囲 & Secure-Software-Design技術試験WGUのSecure-Software-Design試験に受かることを通じて現在の激しい競争があるIT業種で昇進したくて、IT領域で専門的な技能を強化したいのなら、豊富なプロ知識と長年の努力が必要です。WGUのSecure-Software-Design試験に受かるのはあなたが自分をIT業種にアピールする方法の一つです。でも、試験に合格するために大量な時間とエネルギーを費やすことはなく、PassTestのWGUのSecure-Software-Design試験トレーニング資料を選んだらいいです。PassTestのトレーニング資料はIT認証試験に受かるために特別に研究されたものですから、この資料を手に入れたら難しいWGUのSecure-Software-Design認定試験に気楽に合格することができるようになります。 WGUSecure Software Design (KEO1) Exam 認定 Secure-Software-Design 試験問題 (Q94-Q99):質問 # 94
Company leadership has discovered an untapped revenue stream within its customer base and wants to meet with IT to share its vision for the future and determine whether to move forward.
Which phase of the software development lifecycle (SDLC) is being described?
A. Design
B. Requirements
C. Planning
D. Implementation
正解:C
解説:
The phase being described is the Planning phase of the SDLC. This initial stage involves gathering business requirements and evaluating the feasibility of the project. It's when the company leadership would typically meet with IT and other stakeholders to share visions for the future, discuss potential revenue streams, and determine the project'sdirection before moving forward with development. This phase is crucial for setting the groundwork for all subsequent phases of the SDLC.
References:
* The Software Development Life Cycle (SDLC): 7 Phases and 5 Models1.
* What Is the Software Development Life Cycle? SDLC Explained2.
* Software Development Life Cycle (SDLC) Phases & Models3.
質問 # 95
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's customer portal. The base score of the vulnerability was 9.9 and changed to 8.0 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?
A. Low severity
B. Medium severity
C. High severity
D. Critical severity
正解:C
解説:
Comprehensive and Detailed Explanation From Exact Extract:
CVSS scores are classified into severity levels based on numeric ranges. A base score of 9.9 falls within the Critical range (9.0-10.0), but after adjustment for temporal and environmental metrics, the score is 8.0, which falls into the High severity category (7.0-8.9). Therefore, the final rating assigned is High severity.
Medium severity corresponds to scores between 4.0 and 6.9, and low severity is below 4.0. This scoring methodology is defined by the FIRST Common Vulnerability Scoring System v3.1 Specification which guides how scores are adjusted to reflect real-world risk contexts.
References:
FIRST CVSS v3.1 Specification
OWASP Vulnerability Severity Classification
NIST National Vulnerability Database (NVD)
質問 # 96
What are the three primary goals of the secure software development process?
A. Cost, speed to market, and profitability
B. Confidentiality, integrity, and availability
C. Performance, reliability, and maintainability
D. Redundancy, scalability, and portability
正解:B
解説:
The three primary goals of the secure software development process, often referred to as the CIA triad, are confidentiality, integrity, and availability. These principles form the cornerstone of security considerations in the software development life cycle (SDLC).
* Confidentiality ensures that sensitive information is accessed only by authorized individuals and systems. This involves implementing access controls and encryption to protect data from unauthorized access.
* Integrity refers to maintaining the accuracy and consistency of data across its lifecycle. This means that the data is not altered or tampered with by unauthorized entities. Techniques like checksums and digital signatures help ensure data integrity.
* Availability ensures that information and resources are accessible to authorized users when needed.
This involves creating resilient systems that can withstand attacks and recover quickly from any disruptions.
By integrating these security goals into each phase of the SDLC, from planning and design to development, testing, and maintenance, organizations can create more secure software systems that are resilient to cyber threats.
References: The information provided here is verified as per the Secure Software Design documents and best practices in the field, as outlined by sources such as Snyk1, GeeksforGeeks2, and SAFECode3.
質問 # 97
A potential threat was discovered during automated system testing when a PATCH request sent to the API caused an unhandled server exception. The API only supports GET. POST. PUT,and DELETE requests.
How should existing security controls be adjusted to prevent this in the future?
A. Enforce role-based authorization
B. Ensure audit logs are in place for sensitive transactions
C. Use API keys to enforce authorization of every request
D. Property configure acceptable API requests
正解:D
解説:
The issue described involves a PATCH request causing an unhandled server exception because the API does not support this method. The most direct and effective way to prevent such exceptions is to ensure that the API is configured to accept only the supported request methods: GET, POST, PUT, and DELETE. This can be achieved by implementing strict input validation to reject any requests that do not conform to thedefined API specifications, including the request method. By doing so, any requests using unsupported methods like PATCH will be immediately rejected, thus preventing the server from reaching an exception state.
References:
* OWASP's guidance on error and exception handling emphasizes the importance of managing exceptions in a centralized manner and ensuring that all unexpected behavior is correctly handled within the application1.
* Additional best practices for error handling in software development suggest the significance of input validation and the implementation of defensive programming techniques to prevent errors2.
* The OWASP Foundation also highlights the principle that all security mechanisms should deny access until specifically granted, which supports the approach of configuring acceptable API requests3.
質問 # 98
Which mitigation technique can be used to light against a threat where a user may gain access to administrator level functionality?
A. Hashes
B. Quality of service
C. Run with least privilege
D. Encryption
正解:C
解説:
The principle of running with the least privilege is a fundamental security concept that involves granting users only the permissions they need to perform their tasks and no more. This minimizes the risk of a user gaining access to administrator-level functionality that they are not authorized to use. By limiting the privileges of user accounts to the bare minimum necessary, the potential damage from various attacks, such as privilege escalation, is significantly reduced.
References: The concept of least privilege is widely recognized as a critical security measure. Resources like Exabeam's article on preventing privilege escalation and TechTarget's guide on privilege escalation attacks provide insights into how enforcing least privilege can mitigate such threats12. These sources verify that running with the least privilege is an effective mitigation technique against the threat of unauthorized access to elevated privileges.