Question
QUESTION 1 Which of the following are true? a. Abuse cases help developers to think about the software the same way that attackers do. b.
QUESTION 1
Which of the following are true?
| a. | Abuse cases help developers to think about the software the same way that attackers do. | |
| b. | Abuse cases represent the normative features and functions of the software. | |
| c. | Abuse cases help developers to think about negative or unexpected events. | |
| d. | Abuse cases are sometimes called misuse cases. |
8 points
QUESTION 2
In order to hold vendor accountable for software security, service level agreement (
SLA) should clearly define security expectation, with an emphasis on specific, measurable criteria that can determine if expectations have been met.
True
False
8 points
QUESTION 3
In order to hold vendor accountable for software security, it is suggested that SLA contractual language should cover the following:
| a. | Proper implementation of security features; | |
| b. | use of source code analysis; | |
| c. | searching for known flaws and confirming their non-existence; | |
| d. | passing 3rd party validation and verification tests; |
8 points
QUESTION 4
Which of the following are true?
| a. | Security is an emergent property of a system, not a feature. | |
| b. | Security can be bolted on after other software features are codifed | |
| c. | Security must be built in from the ground up considered a critical part of the design from the very beginning and included in every subsequent development phase all the way through fielding a complete system. | |
| d. | Security features alone are sufficient for building secure software. |
8 points
QUESTION 5
Software designers and analysts should carefully consider the implicit assumptions in the system.
True
False
8 points
QUESTION 6
Attackers are not likely to undermine the assumptions a system is built on.
True
False
8 points
QUESTION 7
Which of the following methods is usually more effective for creating abuse cases?
| a. | Theoretical methods that involves fully specifying a system with rigorous formal models and logics. | |
| b. | Brain storming by a team of security and reliability experts with system designers. |
8 points
QUESTION 8
One of the goals of abuse case is to decide and document a priori how the software should react to illegitimate use.
True
False
8 points
QUESTION 9
Which of the following are true?
| a. | An anti-requirement related to a security requirement involves determining what happens in the absence of this security function, or what happens if this security function fails.
| |
| b. | Anti-requirements are security requirements. | |
| c. | Anti-requirement capture things you don't want the system to do. | |
| d. | Anti-requirements provide insight into how a threat can abuse your system. |
9 points
QUESTION 10
Which of the following are true about attack model?
| a. | a. To create an attack model, you should cycle through a list of known attacks one at a time and think about whether the same attack applies to your system. | |
| b. | a. Attack patterns are very useful for creating an attack model. | |
| c. | a. Creating an attack model is a critical activity of abuse case development. | |
| d. | a. Microsoft STRIDE model is an approach to create an attack model. |
9 points
QUESTION 11
Consider a payroll system that allows a human resource department to control salaries and benefits. Which of the following are abuse cases:
| a. | An employee gains extra privileges in the payroll system and slightly increases his own salary. | |
| b. | An attacker delays payments in order to embezzle the extra accrued interest. | |
| c. | The system allows users in the HR management group to view and modify salaries of all employees. | |
| d. | The system will only allow a basic user to view his or her own salary. |
9 points
QUESTION 12
Consider a client-server application. The architecture had been set up so that the server relied on the client-side application, which manipulated a financially sensitive database, to manage all data-access permissions and no permissions were enforced on the server itself. The client also enforced which messages were sent to the server, the server assumed that any messages coming from the client had passed the client softwares access control system and were, therefore, legitimate.
Which of the following are true?
| a. | a. An attacker may be able to inject data into the database. | |
| b. | a. An attacker may be able to intercept network traffic from client to server. | |
| c. | a. Make the Client Invisible attack pattern is applicable in this situation. | |
| d. | a. An attacker may be able to build a hostile client. | |
| e. | a. An anti-requirement of this system would be considering what happens when an attracker bypasses the access control mechanism built into the client software. |
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Get Instant Access to Expert-Tailored Solutions
See step-by-step solutions with expert insights and AI powered tools for academic success
Step: 2
Step: 3
Ace Your Homework with AI
Get the answers you need in no time with our AI-driven, step-by-step assistance
Get Started
Database Systems Design Implementation And Management
Authors: Peter Rob, Carlos Coronel
6th International Edition
061921323X, 978-0619213237
