CyberVista Software Development Security Questions and Answers

Question 1

A development team is analyzing a new feature for an online banking application.
To identify potential security flaws, they are categorizing threats into the following groups: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
Which threat modeling methodology is the team using?

Accepted Answer

STRIDE

Answer

PASTA

Answer

DREAD

Answer

CVSS

Question 2

A security team wants to identify vulnerabilities like SQL injection and buffer overflows by analyzing an application's source code without executing the program. Which of the following testing methodologies should they employ?

Accepted Answer

Static Application Security Testing (SAST)

Answer

Dynamic Application Security Testing (DAST)

Answer

Interactive Application Security Testing (IAST)

Answer

Manual Penetration Testing

Question 3

A developer is building a web page that displays user-provided comments. To prevent stored Cross-Site Scripting (XSS) attacks, what is the MOST critical security control to implement before rendering the comments in the user's browser?

Accepted Answer

Performing context-aware output encoding

Answer

Encrypting the comments in the database

Answer

Using a Web Application Firewall (WAF)

Answer

Implementing strong server-side input validation

Question 4

During a security review of a new application, it is discovered that the development team has used numerous open-source libraries. What type of security tool is specifically designed to scan for and identify known vulnerabilities within these third-party components?

Accepted Answer

Software Composition Analysis (SCA) tool

Answer

Static Application Security Testing (SAST) analyzer

Answer

Dynamic Application Security Testing (DAST) scanner

Answer

Web Application Firewall (WAF)

Question 5

An organization is adopting a DevSecOps culture to improve security. They decide to integrate automated security scanning tools directly into their CI/CD pipeline, allowing developers to get immediate feedback on potential vulnerabilities as they commit code. This practice is a core tenet of which security principle?

Accepted Answer

Shifting Left

Answer

Defense in Depth

Answer

Security through Obscurity

Answer

Principle of Least Privilege

Question 6

A web application takes serialized user-supplied data, reconstructs it into an object, and then processes it. An attacker crafts a malicious serialized object that, when deserialized by the application, leads to arbitrary code execution on the server. Which vulnerability has been exploited?

Accepted Answer

Insecure Deserialization

Answer

Cross-Site Request Forgery (CSRF)

Answer

Server-Side Request Forgery (SSRF)

Answer

XML External Entity (XXE) injection