$10$

You are the test manager for a software project that involves the development of an e$-$commerce platform. The project has a tight schedule and limited resources, and the team is working on lelivering key functionalities, such as user authentication, product search, and payment rocessing. Due to time constraints, thorough testing of all features may not be possible.

Vhich security testing approach would you apply? and why? $[2$ points$]$

hat is Dynamic Analysis Security Testing $($DAST$)$ in software engineering? $[2$ poi

B$-$ One of the common Secure Coding principles is "Don't Reinvent the Wheel". What does that mean? $[1$ point$]$

C$-$ In the following select statement $[1$ point$]$:

sql $=$ "SELECT $*$ FROM users WHERE username $="$ & Request$("$username$")$ & $"$ AND password $="$ & Request$("$password$")$ & $""$

the developer aims accept username and passwords as input from a user to retrieve the user information if the username and password matched. What will happen if the attacker injects the following into the application:

username $=$ john

password $=$ blah' or $\text{'}{1}^{\text{'}}\text{'}=\text{'}1$

n $5$ :

$11$

Match the following security approaches and methods with their related SDLC phase $[3$ points$]$:

$\backslash$table$[[1,$Manual Code Review,,,$\backslash$table$[[$A$],[$Requirement$],[$phase$]]],[2,$Misuse cases,,,$],[3,$Penetration testing,,,$],[4,$SAST,,,$],[5,$Threat Modeling,,,$],[6,$CORAS,,Architecture and Design,$]]$

ixplain the DevOps pillar $($Bridging Compliance and Development$)?[2$ points$]$

A$.$ Writure design in software enginetring primarily emphianize?

B$.$ Driting code with maximum performance.

C$.$ Prieloping software with an aesthetically pleasing user interfece.

D$.$ Incorporing the implementation of new features.

against poteng principles and practices to prevent security vulterabilities and protect

Part $2[5$ points$]$:

$11.$ Imagine a software development company that has recently adopted DevOps practices to enhance their software delivery processes. The development and operations teams are now working collaboratively to streamline workflows and accelerate the release cyele. As part o this transformation, the company has implemented continuous integration, automated testin and containerization. How do the implemented DevOps practices contribute to the overall improvement of the software development lifecycle?

A$-$ By slowing down the release cycle

B$-$ By increasing manual interventions

C$-$ By fostering collaboration and reducing silos

D$.$ By eliminating the need for automated testing

$12-$ Which of the following is a fundamental principle of DevOps?

A$-$ Continuous Monitoring

B$-$ Waterfall Deployment

C$-$ Misuse cases

D$.$ All of the above

$13-$ Which one represent a Top Down test planning approach?

A$-$ Risks $$ Goals $$ Indicators $$ Tests

B$-$ Goals $$ Risks $$ Indicators $$ Tests

C$-$ Tests $$ Indicators $$ Risks $$ Goals

D$.$ Goals $$ Tests $$ Indicators $$ Risks

You are the test manager for a software project that involves the development of an e$-$commerce platform. The project has a tight schedule and limited resources, and the team is working on delivering key functionalities, such as user authentication, product search, and payment brocessing. Due to time constraints, thorough testing of all features may not be possible.

Which security testing approach would you apply? and why? $[2$ points$]$

hat is Dynamic Analysis Security Testing $($DAST$)$ in software engineering? $[2$ poi

B$-$ One of the common Secure Coding principles is "Don't Reinvent the Whed". What does that mean? $[1$ point$]$

C$-$ In the following select statement $[1$ point$]$:

$sql=$ SELECT$*FROMusersWHEREusername=\frac{?}{?}$& Request$(username)\frac{?}{?}$& ANDpassword$=8s$

Request$("$password$")$ & $"\text{'}"$

cept username and passwords as input from a user to retrieve the user information if the username and password matched. What will happen if the attacker injects the following into the application:

username $=$ john

password $=$ blah' or $\text{'}1\text{'}=\text{'}1$

Question $4$:

A$-$ List and explain two Defensive techniques to counter attacks on log$-$in functions. $[2$ points$]$

B$-$ What is the differences between regular testing and security testing in the softwar engineering domain $[2$ points$]$

Avoid a single point of failure:

Compartmentalize your assets:

Log user actions:

$14-$ The following requirement represents! combination of passwords and biometrie verifiewtion $".$

A$-$ Regular Functional Requirement.

B$-$ Regular Non$-$Functional Requirement

C$-$ Non$-$Functional Security Requirement

D$-$ Functional Security Requirement

$15-$ The following requirement represents:

"The system should be capable of handling a large numb