WGU Updated Secure-Software-Design Exam Questions and Answers by chaya

 The security testing technique that involves evaluating the vulnerability of all externally facing enterprise applications through both automated and manual system interactions is known as Penetration Testing. This method simulates real-world attacks on systems to identify potential vulnerabilities that could be exploited by attackers. It is a proactive approach to discover security weaknesses before they can be exploited in a real attack scenario. Penetration testing can include a variety of methods such as network scanning, application testing, and social engineering tactics to ensure a comprehensive security evaluation.

References: The concept of Penetration Testing as a method for evaluating vulnerabilities aligns with industry standards and practices, as detailed in resources from security-focused organizations and literature1.

The issue described involves a PATCH request causing an unhandled server exception because the API does not support this method. The most direct and effective way to prevent such exceptions is to ensure that the API is configured to accept only the supported request methods: GET, POST, PUT, and DELETE. This can be achieved by implementing strict input validation to reject any requests that do not conform to the defined API specifications, including the request method. By doing so, any requests using unsupported methods like PATCH will be immediately rejected, thus preventing the server from reaching an exception state.

References:

OWASP’s guidance on error and exception handling emphasizes the importance of managing exceptions in a centralized manner and ensuring that all unexpected behavior is correctly handled within the application1.

Additional best practices for error handling in software development suggest the significance of input validation and the implementation of defensive programming techniques to prevent errors2.

The OWASP Foundation also highlights the principle that all security mechanisms should deny access until specifically granted, which supports the approach of configuring acceptable API requests3.

Penetration testing is an activity where a simulated attack is performed on a software product to identify vulnerabilities that could be exploited by attackers. It is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely trying to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and risky end-user behavior. In the context of the Ship phase of the Security Development Lifecycle (SDL), penetration testing is conducted as a final check to uncover any potential security issues that might have been missed during previous phases. This ensures that the software product is robust and secure before it is released.

References:

The Ship phase of the SDL includes activities such as policy compliance review, vulnerability scanning, penetration testing, open-source licensing review, and final security and privacy reviews1.

Penetration testing is a critical component of the Ship phase, as it helps to identify and fix security vulnerabilities before the software is deployed2.