Week 5

Question 1

Why is software difficult to secure?

Answer 1

It’s often under-resourced and security is added as an afterthought, making it vulnerable to attacks.

Question 2

What is the Common Weakness Enumeration (CWE)?

Answer 2

A community-driven list of software security vulnerabilities maintained by MITRE.

Question 3

What is the OWASP Top 10?

Answer 3

A list of the 10 most critical web application security risks identified by the Open Web Application Security Project.

Question 4

When should security requirements be defined?

Answer 4

At the requirement specification stage, not added later.

Question 5

Name three components of secure software development.

Answer 5

Defensive coding, functional testing, backup & data security.

Question 6

Why is secure development everyone’s concern?

Answer 6

All developers play a role in ensuring code quality, repository protection, and secure deployment.

Question 7

What is Cross-Site Scripting (XSS)?

Answer 7

Injection of malicious scripts into trusted web pages viewed by other users.

Question 8

Name the two main types of XSS.

Answer 8

Reflected (non-persistent) and Stored (persistent) XSS.

Question 9

Give one XSS prevention technique.

Answer 9

Escape untrusted data before inserting it into HTML, JS, or CSS.

Question 10

What is SQL Injection?

Answer 10

Injection of SQL commands via unsanitized input, modifying database queries.

Question 11

What are the four risk control strategies?

Answer 11

Avoid, Accept, Refuse, Transfer.

Question 12

What does patching do?

Answer 12

Fixes software bugs to remove vulnerabilities, preventing exploitation.

Question 13

What is the purpose of change control?

Answer 13

To manage risks when modifying software, reducing introduction of new flaws.

Question 14

What is the difference between certification and accreditation?

Answer 14

Certification confirms a product/system meets requirements; Accreditation recognises the certifying body.

Question 15

When is accredited certification typically mandated?

Answer 15

For safety - or security - critical systems.

Question 16

What does ISO 27000 require regarding environments?

Answer 16

Separation of live and development systems.

Question 17

Name one way to secure a development environment.

Answer 17

Run training and testing in non-live systems.

Question 18

What should security testing include?

Answer 18

Defensive code effectiveness, malware protection, backups, access control, and resilience.