WGU Updated Secure-Software-Design Exam Questions and Answers by efan

The category of secure software best practices being described is Training. This is because the focus is on educating new developers about organizational security policies and coding practices to mitigate potential threats. Training is a proactive approach to ensure that developers are aware of security concerns and are equipped with the knowledge to address them in their coding practices.

The secure coding best practice that recommends using a single application-level authorization component to lock down the application if it cannot access its configuration information is known as Access Control. This practice is part of a broader set of security measures aimed at ensuring that only authorized users have access to certain functionalities or data within an application. By centralizing the authorization logic, it becomes easier to manage and enforce security policies consistently across the application. If the authorization component cannot retrieve its configuration, it defaults to a secure state, thus preventing unauthorized access1.

ASF Authentication Threats: The Web Application Security Frame (ASF) authentication category encompasses threats related to how users and systems prove their identity to the application. This includes issues like weak passwords, compromised credentials, and inadequate access controls.

Role-Based Access Control (RBAC): RBAC is a well-established security principle that aligns closely with addressing authentication threats. It involves assigning users to roles and granting those roles specific permissions based on the principle of least privilege. This limits the attack surface and reduces the impact of a compromised user account.

Let's analyze the other options:

B. Credentials and tokens are encrypted: While vital for security, encryption primarily protects data at rest or in transit. It doesn't directly address authentication risks like brute-force attacks or weak password management.

C. Cookies have expiration timestamps: Expiring cookies are a good practice, but their primary benefit is session management rather than directly mitigating authentication-specific threats.

D. Sensitive information is scrubbed from error messages: While essential for preventing information leakage, this practice doesn't address the core threats within the ASF authentication category.