Software Security and Risk Quiz

Questions and Answers

What type of vulnerability results from security bugs in the coding of the software?

Structural vulnerability

Cryptographic vulnerability

Design vulnerability

Implementation vulnerability (correct)

Which is an example of a design vulnerability?

Weak session management

Choosing the wrong cryptography (correct)

Poor input validation

Running processes at a high privilege level

What makes design vulnerabilities harder to handle compared to other defects?

They require redesigning the entire system (correct)

They are often related to user permissions

They are easier to identify

They do not impact program functionality

What is a common issue related to flawed input validation?

Not centralizing validation routines

Which of the following is a poor security practice related to cryptography?

Creating your own cryptography

What contributes to weak structural security in software design?

Large attack surface

What is a common implementation issue in C/C++ languages mentioned in the text?

Buffer overflow/Stack smashing

Which language is susceptible to command injection based on the text?

Shell scripting

What is one of the security concerns related to the Java Virtual Machine (JVM) as per the text?

Sending malware to take control of the JVM

In software security, what is highlighted as an evolutionary process?

Incremental developments

What is emphasized as a core concept of software security based on the text?

Involving multiple perspectives and layers of abstraction

Which type of languages are associated with remote file inclusion vulnerability according to the text?

Shell scripting and PHP

What percentage of project costs are typically allocated to software design?

More than 35%

Why is it essential to eliminate software risk early in the development cycle?

Vulnerabilities are easier and less expensive to fix at that stage

How is software security best described according to the text?

A process that requires continuous attention and improvement

Why was network security believed to be sufficient in the past?

Secure network infrastructure was considered adequate protection

Which of the following techniques has been used to penetrate valid authentication channels, as mentioned in the text?

Cross-Site Scripting (XSS)

Why has network security alone been proven inadequate against attacks?

Malicious users found ways to exploit weaknesses like SQL injection

What is the primary focus of the Secure Software Development (SDL) approach?

Ensuring security is an integral part of software design and development

Why may applying patches sometimes lead to more security problems?

Patches can inadvertently introduce new security issues

What category of weaknesses does 'Insecure Design' represent?

Missing or ineffective control design in application development

Why is software security considered a fundamental aspect of enterprise software design?

To build a system that cannot be broken into

Which area did the UK defense Dept. identify as a top priority in software security?

Cyber Software Security Design

What is the purpose of defense-in-depth strategies in protecting assets?

To add layers of security to different parts of a system

What is emphasized as a crucial aspect of software security?

Using security libraries properly

Why is it mentioned that you can't just deploy a magical tool to resolve vulnerabilities?

Because there are endless clever ways to break software

What mindset should software engineers have in terms of security?

Reasoned, balanced, defensive mindset

What is the relationship between quality code and secure code?

Secure code is not necessarily quality code, and quality code is not necessarily secure code

Why do developers need to understand how to use security libraries properly?

To prevent unintended functionality

What misconception is highlighted in the text regarding risk management among developers?

'Everything is possible now' irrational fear