Software Security and Risk Quiz

Questions and Answers

What type of vulnerability results from security bugs in the coding of the software?

• Structural vulnerability
• Cryptographic vulnerability
• Design vulnerability
• Implementation vulnerability (correct)

Which is an example of a design vulnerability?

• Weak session management
• Choosing the wrong cryptography (correct)
• Poor input validation
• Running processes at a high privilege level

What makes design vulnerabilities harder to handle compared to other defects?

• They require redesigning the entire system (correct)
• They are often related to user permissions
• They are easier to identify
• They do not impact program functionality

What is a common issue related to flawed input validation?

Not centralizing validation routines (A)

Which of the following is a poor security practice related to cryptography?

Creating your own cryptography (A)

What contributes to weak structural security in software design?

Large attack surface (A)

What is a common implementation issue in C/C++ languages mentioned in the text?

Buffer overflow/Stack smashing (B)

Which language is susceptible to command injection based on the text?

Shell scripting (D)

What is one of the security concerns related to the Java Virtual Machine (JVM) as per the text?

Sending malware to take control of the JVM (C)

In software security, what is highlighted as an evolutionary process?

Incremental developments (B)

What is emphasized as a core concept of software security based on the text?

Involving multiple perspectives and layers of abstraction (A)

Which type of languages are associated with remote file inclusion vulnerability according to the text?

Shell scripting and PHP (A)

What percentage of project costs are typically allocated to software design?

More than 35% (D)

Why is it essential to eliminate software risk early in the development cycle?

Vulnerabilities are easier and less expensive to fix at that stage (B)

How is software security best described according to the text?

A process that requires continuous attention and improvement (B)

Why was network security believed to be sufficient in the past?

Secure network infrastructure was considered adequate protection (D)

Which of the following techniques has been used to penetrate valid authentication channels, as mentioned in the text?

Cross-Site Scripting (XSS) (A)

Why has network security alone been proven inadequate against attacks?

Malicious users found ways to exploit weaknesses like SQL injection (B)

What is the primary focus of the Secure Software Development (SDL) approach?

Ensuring security is an integral part of software design and development (C)

Why may applying patches sometimes lead to more security problems?

Patches can inadvertently introduce new security issues (B)

What category of weaknesses does 'Insecure Design' represent?

Missing or ineffective control design in application development (D)

Why is software security considered a fundamental aspect of enterprise software design?

To build a system that cannot be broken into (D)

Which area did the UK defense Dept. identify as a top priority in software security?

Cyber Software Security Design (D)

What is the purpose of defense-in-depth strategies in protecting assets?

To add layers of security to different parts of a system (C)

What is emphasized as a crucial aspect of software security?

Using security libraries properly (A)

Why is it mentioned that you can't just deploy a magical tool to resolve vulnerabilities?

Because there are endless clever ways to break software (B)

What mindset should software engineers have in terms of security?

Reasoned, balanced, defensive mindset (B)

What is the relationship between quality code and secure code?

Secure code is not necessarily quality code, and quality code is not necessarily secure code (B)

Why do developers need to understand how to use security libraries properly?

To prevent unintended functionality (D)

What misconception is highlighted in the text regarding risk management among developers?

'Everything is possible now' irrational fear (A)