Secure-Software-Design Exam Dumps - WGU Secure Software Design (D487) Exam

The phase being described is the Deployment phase of the SDLC. This phase involves making the software available for use by customers after it has been developed, tested, and approved for release. It includes the installation of the software in the production environment, ensuring that all features are operational as intended, and obtaining formal approval from leadership to proceed with making the product available to end-users. The deployment phase is critical as it transitions the software from a development setting to a real-world operational environment.

References:

SDLC Deployment Phase – A Step by Step Guide1

Understanding the SDLC: Software Development Lifecycle Explained2

In the PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology, vulnerability and exploit analysis is performed during the Attack modeling step. This step involves identifying potential threats and vulnerabilities within the system and understanding how they could be exploited.

Attack modeling is a critical phase where the focus is on simulating attacks based on identified vulnerabilities. It allows for a deep understanding of the threats in the context of the application’s architecture and system design.

During this phase, security analysts use their knowledge of the system’s technical scope and application decomposition to simulate how an attacker could exploit the system’s vulnerabilities. This helps in prioritizing the risks and planning appropriate mitigation strategies.

The goal of attack modeling is not just to identify vulnerabilities but also to understand the potential impact of exploits on the system and the business, which is essential for developing a robust security posture.

References: The information provided is aligned with the PASTA methodology as described in resources such as VerSprite1 and the OWASP Foundation2. These sources detail the seven stages of PASTA, with attack modeling being a key component of the process.

ASF Authentication Threats: The Web Application Security Frame (ASF) authentication category encompasses threats related to how users and systems prove their identity to the application. This includes issues like weak passwords, compromised credentials, and inadequate access controls.

Role-Based Access Control (RBAC): RBAC is a well-established security principle that aligns closely with addressing authentication threats. It involves assigning users to roles and granting those roles specific permissions based on the principle of least privilege. This limits the attack surface and reduces the impact of a compromised user account.

Let's analyze the other options:

B. Credentials and tokens are encrypted: While vital for security, encryption primarily protects data at rest or in transit. It doesn't directly address authentication risks like brute-force attacks or weak password management.

C. Cookies have expiration timestamps: Expiring cookies are a good practice, but their primary benefit is session management rather than directly mitigating authentication-specific threats.

D. Sensitive information is scrubbed from error messages: While essential for preventing information leakage, this practice doesn't address the core threats within the ASF authentication category.

References:

NIST Special Publication 800-53 Revision 4, Access Control (AC) Family: (https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final ) Details the importance of RBAC as a cornerstone of access control.

The Web Application Security Frame (ASF): (https://patents.google.com/patent/US7818788B2/en ) Outlines the ASF categories, with authentication being one of the primary areas.

The activity being performed is the final privacy review. This step is crucial in the Ship phase of the Security Development Lifecycle (SDL), where the security team assesses if there are any changes or unresolved issues that could impact the requirements for handling personal information. These requirements are typically documented in the earlier stages of the development lifecycle, and the final privacy review ensures that the software complies with these requirements before release.

References: The explanation is based on the best practices outlined in the SDL Activities and Best Practices, which detail the importance of conducting a final privacy review during the Ship phase to ensure that all privacy issues have been addressed12.

Fuzzing is an automated or semi-automated software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program1. This process is designed to uncover coding errors, security vulnerabilities, and other potential issues within the software by observing how it behaves under unexpected or malformed inputs. Fuzzing is particularly effective because it can expose corner cases that have not been properly dealt with and can be used to test programs that take structured inputs, such as file formats or protocols2.

References: 1: Wikipedia - Fuzzing 2: DZone - Fuzzing in Software Engineering

Data integrity requirements within a privacy impact statement ensure that personal information is maintained in an accurate and up-to-date manner. This involves establishing processes to regularly review and update personal data, as well as correct any inaccuracies. These requirements are crucial for maintaining the trustworthiness of the data and ensuring that decisions made based on this information are sound and reliable.

References:

The Office of the Privacy Commissioner of Canada’s guide on the Privacy Impact Assessment process emphasizes the importance of accuracy and currency of personal information1.

The European Union’s General Data Protection Regulation (GDPR) outlines principles for data processing, including the necessity for data to be accurate and kept up to date2.

The General Data Protection Regulation (GDPR) also includes provisions for data protection impact assessments, which involve documenting processes before starting data processing3.