QUESTION 1 Which of the following are true a Abuse cases help developers to think about the software the same way that attackers do b Abuse cases represent the normative features and functions of the software c Abuse cases help developers to think about negative or unexpected events d Abuse cases are sometimes called misuse cases 8 points QUESTION 2 In order to hold vendor accountable for software security, service level agreement ( SLA) should clearly define security expectation, with an emphasis on specific, measurable criteria that can determine if expectations have been met True False 8 points QUESTION 3 In order to hold vendor accountable for software security, it is suggested that SLA contractual language should cover the following a Proper implementation of security features b use of source code analysis c searching for known flaws and confirming their non existence d passing 3 rd party validation and verification tests 8 points QUESTION 4 Which of the following are true a Security is an emergent property of a system, not a feature b Security can be bolted on after other software features are codifed c Security must be built in from the ground up considered a critical part of the design from the very beginning and included in every subsequent development phase all the way through fielding a complete system d Security features alone are sufficient for building secure software 8 points QUESTION 5 Software designers and analysts should carefully consider the implicit assumptions in the system True False 8 points QUESTION 6 Attackers are not likely to undermine the assumptions a system is built on True False 8 points QUESTION 7 Which of the following methods is usually more effective for creating abuse cases a Theoretical methods that involves fully specifying a system with rigorous formal models and logics b Brain storming by a team of security and reliability experts with system designers 8 points QUESTION 8 One of the goals of abuse case is to decide and document a priori how the software should react to illegitimate use True False 8 points QUESTION 9 Which of the following are true a An anti requirement related to a security requirement involves determining what happens in the absence of this security function, or what happens if this security function fails b Anti requirements are security requirements c Anti requirement capture things you don't want the system to do d Anti requirements provide insight into how a threat can abuse your system 9 points QUESTION 10 Which of the following are true about attack model a a To create an attack model, you should cycle through a list of known attacks one at a time and think about whether the same attack applies to your system b a Attack patterns are very useful for creating an attack model c a Creating an attack model is a critical activity of abuse case development d a Microsoft STRIDE model is an approach to create an attack model 9 points QUESTION 11 Consider a payroll system that allows a human resource department to control salaries and benefits Which of the following are abuse cases a An employee gains extra privileges in the payroll system and slightly increases his own salary b An attacker delays payments in order to embezzle the extra accrued interest c The system allows users in the HR management group to view and modify salaries of all employees d The system will only allow a basic user to view his or her own salary 9 points QUESTION 12 Consider a client server application The architecture had been set up so that the server relied on the client side application, which manipulated a financially sensitive database, to manage all data access permissions and no permissions were enforced on the server itself The client also enforced which messages were sent to the server, the server assumed that any messages coming from the client had passed the client softwares access control system and were, therefore, legitimate Which of the following are true a a An attacker may be able to inject data into the database b a An attacker may be able to intercept network traffic from client to server c a Make the Client Invisible attack pattern is applicable in this situation d a An attacker may be able to build a hostile client e a An anti requirement of this system would be considering what happens when an attracker bypasses the access control mechanism built into the client software

The Answer is in the image, click to view ...

Answered step by step

Verified Expert Solution

Link Copied!

Question

1 Approved Answer

Posted on Sep 07, 2024

QUESTION 1 Which of the following are true? a. Abuse cases help developers to think about the software the same way that attackers do. b.

QUESTION 1

Which of the following are true?

	a.	Abuse cases help developers to think about the software the same way that attackers do.
	b.	Abuse cases represent the normative features and functions of the software.
	c.	Abuse cases help developers to think about negative or unexpected events.
	d.	Abuse cases are sometimes called misuse cases.

8 points

QUESTION 2

In order to hold vendor accountable for software security, service level agreement (

SLA) should clearly define security expectation, with an emphasis on specific, measurable criteria that can determine if expectations have been met.

True

False

8 points

QUESTION 3

In order to hold vendor accountable for software security, it is suggested that SLA contractual language should cover the following:

	a.	Proper implementation of security features;
	b.	use of source code analysis;
	c.	searching for known flaws and confirming their non-existence;
	d.	passing 3^rd party validation and verification tests;

8 points

QUESTION 4

Which of the following are true?

	a.	Security is an emergent property of a system, not a feature.
	b.	Security can be bolted on after other software features are codifed
	c.	Security must be built in from the ground up considered a critical part of the design from the very beginning and included in every subsequent development phase all the way through fielding a complete system.
	d.	Security features alone are sufficient for building secure software.

8 points

QUESTION 5

Software designers and analysts should carefully consider the implicit assumptions in the system.

True

False

8 points

QUESTION 6

Attackers are not likely to undermine the assumptions a system is built on.

True

False

8 points

QUESTION 7

Which of the following methods is usually more effective for creating abuse cases?

	a.	Theoretical methods that involves fully specifying a system with rigorous formal models and logics.
	b.	Brain storming by a team of security and reliability experts with system designers.

8 points

QUESTION 8

One of the goals of abuse case is to decide and document a priori how the software should react to illegitimate use.

True

False

8 points

QUESTION 9

Which of the following are true?

	a.	An anti-requirement related to a security requirement involves determining what happens in the absence of this security function, or what happens if this security function fails.
	b.	Anti-requirements are security requirements.
	c.	Anti-requirement capture things you don't want the system to do.
	d.	Anti-requirements provide insight into how a threat can abuse your system.

9 points

QUESTION 10

Which of the following are true about attack model?

	a.	a. To create an attack model, you should cycle through a list of known attacks one at a time and think about whether the same attack applies to your system.
	b.	a. Attack patterns are very useful for creating an attack model.
	c.	a. Creating an attack model is a critical activity of abuse case development.
	d.	a. Microsoft STRIDE model is an approach to create an attack model.

9 points

QUESTION 11

Consider a payroll system that allows a human resource department to control salaries and benefits. Which of the following are abuse cases:

	a.	An employee gains extra privileges in the payroll system and slightly increases his own salary.
	b.	An attacker delays payments in order to embezzle the extra accrued interest.
	c.	The system allows users in the HR management group to view and modify salaries of all employees.
	d.	The system will only allow a basic user to view his or her own salary.

9 points

QUESTION 12

Consider a client-server application. The architecture had been set up so that the server relied on the client-side application, which manipulated a financially sensitive database, to manage all data-access permissions and no permissions were enforced on the server itself. The client also enforced which messages were sent to the server, the server assumed that any messages coming from the client had passed the client softwares access control system and were, therefore, legitimate.

Which of the following are true?

	a.	a. An attacker may be able to inject data into the database.
	b.	a. An attacker may be able to intercept network traffic from client to server.
	c.	a. Make the Client Invisible attack pattern is applicable in this situation.
	d.	a. An attacker may be able to build a hostile client.
	e.	a. An anti-requirement of this system would be considering what happens when an attracker bypasses the access control mechanism built into the client software.