Pass the WGU Courses and Certificates Secure-Software-Design Questions and answers with ExamsMirror

Comprehensive and Detailed Explanation From Exact Extract:

This is an example of Input validation, which involves ensuring all user inputs conform to expected formats, lengths, and content before processing. Restricting field lengths and validating accepted data types prevents injection attacks, buffer overflows, and improper data handling. Access control (B) restricts user permissions, communication security (C) protects data in transit, and data protection (D) focuses on confidentiality and integrity of stored data. OWASP Secure Coding Practices and Microsoft SDL emphasize rigorous input validation as a first line of defense against many vulnerabilities.

The issue described involves a PATCH request causing an unhandled server exception because the API does not support this method. The most direct and effective way to prevent such exceptions is to ensure that the API is configured to accept only the supported request methods: GET, POST, PUT, and DELETE. This can be achieved by implementing strict input validation to reject any requests that do not conform to the defined API specifications, including the request method. By doing so, any requests using unsupported methods like PATCH will be immediately rejected, thus preventing the server from reaching an exception state.

Comprehensive and Detailed In-Depth Explanation:

The scenario outlines the process of decommissioning a legacy application after a new product has successfully taken over its functions. This corresponds to the End of Life phase in the Software Development Life Cycle (SDLC).

The End of Life phase involves retiring outdated systems and transitioning users to newer solutions. This phase ensures that obsolete applications are systematically phased out, reducing maintenance costs and potential security vulnerabilities associated with unsupported software.

In this case, running both the legacy and new applications concurrently provided a safety net to ensure the new system's stability. After confirming the new product's reliability, the organization proceeds to disable the legacy system, marking its End of Life.

Dynamic analysis is a security testing method that involves analyzing the behavior of software while it is running or in execution. It is most commonly executed during the testing phase of the Software Development Life Cycle (SDLC). This type of analysis is used to detect issues that might not be visible in the code’s static state, such as runtime errors and memory leaks. Automated tools are employed to perform dynamic analysis, which can simulate attacks on the application and identify vulnerabilities that could be exploited by malicious actors.

Fuzz testing is the ideal technique in this scenario. Here's why:

Focus on Integrations: The scenario emphasizes testing links between the software, databases, web servers, and web services. Fuzz testing is specifically designed to find vulnerabilities in how software handles data and communication between components.

Pre-release Testing: The product being close to release indicates a critical need to identify security flaws before public deployment. Fuzz testing is effective in uncovering unexpected behavior and potential vulnerabilities.

Fuzz Testing Targets: Fuzz testing works by injecting invalid or unexpected data into interfaces (like those between databases, web components, etc.) to observe how the software reacts. This helps expose potential security gaps and weaknesses.

The Asset-centric approach to threat modeling focuses on identifying and protecting the assets that are most valuable to an organization. This method prioritizes the assets themselves, assessing their sensitivity, value, and the impact on the business should they be compromised. It is a strategic approach that aims to safeguard the confidentiality, integrity, and availability of the organization’s key assets.