WGU Updated Secure-Software-Design Exam Questions and Answers by cian

ASF Authentication Threats: The Web Application Security Frame (ASF) authentication category encompasses threats related to how users and systems prove their identity to the application. This includes issues like weak passwords, compromised credentials, and inadequate access controls.

Role-Based Access Control (RBAC): RBAC is a well-established security principle that aligns closely with addressing authentication threats. It involves assigning users to roles and granting those roles specific permissions based on the principle of least privilege. This limits the attack surface and reduces the impact of a compromised user account.

Let's analyze the other options:

B. Credentials and tokens are encrypted: While vital for security, encryption primarily protects data at rest or in transit. It doesn't directly address authentication risks like brute-force attacks or weak password management.

C. Cookies have expiration timestamps: Expiring cookies are a good practice, but their primary benefit is session management rather than directly mitigating authentication-specific threats.

D. Sensitive information is scrubbed from error messages: While essential for preventing information leakage, this practice doesn't address the core threats within the ASF authentication category.

References:

NIST Special Publication 800-53 Revision 4, Access Control (AC) Family: (https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final ) Details the importance of RBAC as a cornerstone of access control.

The Web Application Security Frame (ASF): (https://patents.google.com/patent/US7818788B2/en ) Outlines the ASF categories, with authentication being one of the primary areas.

Comprehensive and Detailed In-Depth Explanation:

ISO/IEC 27001 is an international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Achieving ISO 27001 certification demonstrates an organization's commitment to information security and provides assurance to customers and stakeholders that security best practices are in place.

In the context of the software development life cycle (SDLC), post-release certifications refer to obtaining formal certifications, such as ISO 27001, after a product has been developed and released. This process involves a comprehensive assessment of the organization's information security practices to ensure they align with the standards set forth by ISO 27001. The certification process typically includes:

Gap Analysis: Evaluating existing information security measures against ISO 27001 requirements to identify areas needing improvement.

Implementation: Addressing identified gaps by implementing necessary policies, procedures, and controls.

Internal Audit: Conducting internal audits to verify the effectiveness of the ISMS and readiness for external assessment.

External Audit: Engaging an accredited certification body to perform a thorough evaluation, leading to certification if compliance is demonstrated.

By pursuing ISO 27001 certification post-release, the company aims to enhance its security posture, comply with international standards, and build trust with its customer base.

References:

ISO/IEC 27001:2022 - Information Security Management Systems

The security assessment deliverable that identifies unmanaged code that must be kept up to date throughout the life of the product is the List of third-party software. Unmanaged code refers to code that does not run under the garbage-collected environment of the .NET Common Language Runtime, and it often includes legacy code, system libraries, or code written in languages that do not support automatic memory management. Keeping a list of third-party software is crucial because it helps organizations track dependencies and ensure they are updated, patched, and compliant with security standards. This is essential for maintaining the security posture of the software over time, as outdated components can introduce vulnerabilities.

References: The references provided from the web search results support the importance of monitoring and updating software components, including unmanaged code, as part of a secure software development lifecycle12.