WGU Secure-Software-Design - WGU Secure Software Design (D487) Exam

Fuzzing is an automated or semi-automated software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program1. This process is designed to uncover coding errors, security vulnerabilities, and other potential issues within the software by observing how it behaves under unexpected or malformed inputs. Fuzzing is particularly effective because it can expose corner cases that have not been properly dealt with and can be used to test programs that take structured inputs, such as file formats or protocols2.

References: 1: Wikipedia - Fuzzing 2: DZone - Fuzzing in Software Engineering

The activity being performed is the final privacy review. This step is crucial in the Ship phase of the Security Development Lifecycle (SDL), where the security team assesses if there are any changes or unresolved issues that could impact the requirements for handling personal information. These requirements are typically documented in the earlier stages of the development lifecycle, and the final privacy review ensures that the software complies with these requirements before release.

References: The explanation is based on the best practices outlined in the SDL Activities and Best Practices, which detail the importance of conducting a final privacy review during the Ship phase to ensure that all privacy issues have been addressed12.

The Common Vulnerability Scoring System (CVSS) uses the following ranges to determine the severity rating of a vulnerability:

0.1 - 3.9: Low severity

4.0 - 6.9: Medium severity

7.0 - 8.9: High severity

9.0 - 10.0: Critical severity

Since the adjusted score for the vulnerability is 5.9, it falls within the High severity range.

References:

CVSS v3.1 Specification Document - FIRST: https://www.first.org/cvss/specification-document

National Vulnerability Database (NVD) - NIST: https://nvd.nist.gov/vuln-metrics/cvss

Validating user input data before it is processed by the application is a fundamental security control in software design. This process, known as input validation, ensures that only properly formed data is entering the workflow of the application, thereby preventing many types of attacks, including type mismatches as mentioned in the question. By validating input data, the application can reject any requests that contain unexpected or malicious data, reducing the risk of security vulnerabilities and ensuring the integrity of the system.

References:

Secure SDLC practices emphasize the importance of integrating security activities, such as creating security and functional requirements, code reviews, security testing, architectural analysis, and risk assessment, into the existing development workflow1.

A Secure Software Development Life Cycle (SSDLC) ensures that security is considered at every phase of the development process, from planning and design to coding, testing, deploying, and maintaining the software2.

The task described involves assessing a document management application that has been in use for many years to ensure compliance with organizational policies. This typically falls under the category of a security strategy for legacy code. Legacy code refers to software that has been around for a while and may not have been designed with current security standards or organizational policies in mind. A security strategy for legacy code would involve reviewing and updating the application to meet current security requirements and organizational policies, ensuring that it remains secure and compliant over time.

References: The answer is based on standard practices for managing and securing legacy software systems, which include regular assessments and updates to align with current security standards and organizational policies1.