0 votes
Which of the following are true about secure programming?

a. In their Security Development Lifecycle, Microsoft include only software engineering activity
b. Dynamic analysis involves reading and checking source code
c. In secure programming, the C in the CIA system stands for control, the I stands for integrity and the A stands for access
d. If you are using a third-party library, you should carry out some sort of security audit if you want to identify potential security risks
e. In Wheeler's Secure Programming, 'validate all inputs' is a key principle
f. Bandit is a static analysis tool for Python programs
g. Wheeler tells us that we should send back information judiciously. Telling a user the details of why their login failed, for example 'there is an account with that email, but you have the wrong password', is an example of /not/ sending back information judiciously

1 Answer

5 votes

Final answer:

Secure programming involves various practices to develop software that is resistant to security threats. Some statements about secure programming are true, while others are false. Examples include Microsoft's Security Development Lifecycle and the use of tools like Bandit for static analysis.

Step-by-step explanation:

Secure programming is a practice focused on developing software that is resistant to security threats and vulnerabilities. Let's go through each statement:

  1. a. In their Security Development Lifecycle, Microsoft include only software engineering activity: This statement is false. Microsoft's Security Development Lifecycle includes activities such as threat modeling, security testing, and code review.
  2. b. Dynamic analysis involves reading and checking source code: This statement is false. Dynamic analysis involves running the software and observing its behavior to identify vulnerabilities.
  3. c. In secure programming, the C in the CIA system stands for control, the I stands for integrity, and the A stands for access: This statement is true. In the CIA triad, C stands for Confidentiality, I stands for Integrity, and A stands for Availability.
  4. d. If you are using a third-party library, you should carry out some sort of security audit if you want to identify potential security risks: This statement is true. Third-party libraries can introduce security vulnerabilities, so conducting a security audit is important to identify and mitigate risks.
  5. e. In Wheeler's Secure Programming, 'validate all inputs' is a key principle: This statement is true. Validating all inputs is an essential principle in secure programming to prevent malicious input.
  6. f. Bandit is a static analysis tool for Python programs: This statement is true. Bandit is a widely used open-source static analysis tool specifically designed for Python code.
  7. g. Wheeler tells us that we should send back information judiciously. Telling a user the details of why their login failed, for example, 'there is an account with that email, but you have the wrong password' is an example of /not/ sending back information judiciously: This statement is true. Wheeler recommends limiting the amount of detailed information provided to users in error messages to prevent potential security breaches.

by Rohitarora (8.8k points)
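Added example, not part of the question or the answer above: a small Python login routine written two ways, to show what the answer means by 'validate all inputs' and by sending information back judiciously. `login_verbose` returns a different message depending on whether the email is registered (the pattern statement g describes), while `login_judicious` validates its inputs first and returns the same message on every failure path, also running the password hash against a dummy record so that a missing account costs the same time as a wrong password. The user store, salt and passwords are constructed sample data; `validate_email` and the helper names are this example's own, not from Wheeler's text.

```python
"""Constructed example of judicious vs. non-judicious login responses
and of validating inputs before they are used."""
import hashlib
import hmac
import re

# Hypothetical user store: email -> (salt, PBKDF2 hash). Fixed salt so the
# example is reproducible; a real store would use a random salt per user.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {
    "alice@example.com": (_SALT, _hash_password("correct horse", _SALT)),  # constructed
}

# Dummy record checked when the email is unknown, so that the time taken
# does not itself reveal whether the account exists.
_DUMMY = (_SALT, _hash_password("dummy", _SALT))

# Deliberately simple shape check: one '@', no whitespace, bounded lengths.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")


def validate_email(email: object) -> bool:
    """'Validate all inputs': reject anything that is not a plausible email
    before it reaches the lookup, the hash, or the logs."""
    return (
        isinstance(email, str)
        and len(email) <= 320
        and EMAIL_RE.fullmatch(email) is not None
    )


def login_verbose(email: str, password: str):
    """The /not/ judicious version: the failure message tells the caller
    whether the email is registered, which is information they did not have."""
    if email not in USERS:
        return False, "no account with that email"
    salt, expected = USERS[email]
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return True, "ok"
    return False, "there is an account with that email, but you have the wrong password"


def login_judicious(email: object, password: object):
    """Same credential check, but inputs are validated first and every
    failure path returns one generic message."""
    if not validate_email(email) or not isinstance(password, str) or len(password) > 1024:
        return False, "invalid email or password"
    salt, expected = USERS.get(email, _DUMMY)
    # Always compute the hash, even for an unknown email, to keep timing uniform.
    computed = _hash_password(password, salt)
    if email in USERS and hmac.compare_digest(computed, expected):
        return True, "ok"
    return False, "invalid email or password"


if __name__ == "__main__":
    for fn in (login_verbose, login_judicious):
        print(fn.__name__, fn("alice@example.com", "wrong"))
        print(fn.__name__, fn("nobody@example.com", "wrong"))
```

Run the block directly to see that the verbose variant produces two distinguishable failure messages for a registered and an unregistered email, whereas the judicious variant produces the same message for both. The validation step is what lets the generic path also refuse non-string or oversized input without ever touching the user store.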