Free Practice Questions for WGU Secure-Software-Design Exam

Comprehensive and Detailed In-Depth Explanation:

Engaging an independent security consulting firm to simulate attacks on deployed products is an example of Penetration Testing.

Penetration testing involves authorized simulated attacks on a system to evaluate its security. The objective is to identify vulnerabilities that could be exploited by malicious entities and to assess the system's resilience against such attacks. This proactive approach helps organizations understand potential weaknesses and implement necessary safeguards.

According to the OWASP Testing Guide, penetration testing is a critical component of a comprehensive security program:

"Penetration testing involves testing the security of systems and applications by simulating attacks from malicious individuals."

Manual peer review refers to the systematic examination of software source code by developers other than the original author. This practice is recognized as a valuable tool for reducing software defects and improving the quality of software projects. It involves developers inspecting the code to find and fix mistakes overlooked in the initial development phase, which enhances both the overall quality of software and the developers’ skills. Peer code review is less formal and more “lightweight” than the code inspections performed in the past, and it provides benefits such as knowledge transfer, increased team awareness, and creation of alternative solutions to problems.

Security change management within the change management process involves ensuring that any changes, including updates or modifications to software, do not introduce new vulnerabilities and are in line with security policies. The question about securing remote administration directly reflects this component because it addresses the security considerations that must be managed when changes are made to how software is accessed and controlled remotely. This includes implementing secure protocols, authentication methods, and monitoring to prevent unauthorized access or breaches, which are crucial when managing changes in a secure manner.

The phase being described is the Planning phase of the SDLC. This initial stage involves gathering business requirements and evaluating the feasibility of the project. It’s when the company leadership would typically meet with IT and other stakeholders to share visions for the future, discuss potential revenue streams, and determine the project’s direction before moving forward with development. This phase is crucial for setting the groundwork for all subsequent phases of the SDLC.

The secure coding best practice that recommends using a single application-level authorization component to lock down the application if it cannot access its configuration information is known as Access Control. This practice is part of a broader set of security measures aimed at ensuring that only authorized users have access to certain functionalities or data within an application. By centralizing the authorization logic, it becomes easier to manage and enforce security policies consistently across the application. If the authorization component cannot retrieve its configuration, it defaults to a secure state, thus preventing unauthorized access1.

A threat profile is a security assessment deliverable that identifies possible security vulnerabilities in a product. It involves a systematic examination of the product to uncover any weaknesses that could potentially be exploited by threats. The process typically includes identifying the assets that need protection, assessing the threats to those assets, and evaluating the vulnerabilities that could be exploited by those threats. This deliverable is crucial for understanding the security posture of a product and for prioritizing remediation efforts.