Which category classifies identified threats that do not have defenses in place and expose the application to exploits?
A. Fully mitigated threat
B. Threat profile
C. Unmitigated threats
D. Partially mitigated threat
Which mitigation technique can be used to fight against a threat where a user may gain access to administrator level functionality?
A. Encryption
B. Quality of service
C. Hashes
D. Run with least privilege
The software security team prepared a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute. Which design and development deliverable did the team prepare?
A. Design security review
B. Updated threat modeling artifacts
C. Privacy implementation assessment results
D. Security test plans
Which type of security analysis is limited by the fact that a significant time investment of a highly skilled team member is required?
A. Fuzz testing
B. Dynamic code analysis
C. Manual code review
D. Static code analysis
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's claims intake component. The base score of the vulnerability was 3.5 and changed to 5.9 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?
A. Critical severity
B. High severity
C. Low severity
D. Medium severity
Which secure coding best practice says to require authentication before allowing any file to be uploaded and to limit the types of files to only those needed for the business purpose?
A. File management
B. Communication security
C. Data protection
D. Memory management
A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retrieve archive documents. Which secure coding practice is this describing?
A. Access control
B. Data protection
C. Input validation
D. Authentication
Which mitigation technique is used to fight against an identity spoofing threat?
A. Require user authorization
B. Filtering
C. Audit trails
D. Encryption
Which privacy impact statement requirement type defines how personal information will be protected when authorized or independent external entities are involved?
A. Personal information retention requirements
B. User controls requirements
C. Third party requirements
D. Data integrity requirements
Security testers have completed testing and are documenting the results of vulnerability scans and penetration analysis. They are also creating documentation to share with the organization's largest customers. Which deliverable is being prepared?
A. Open-source licensing review report
B. Customer engagement framework
C. Remediation report
D. Security testing reports