Question 1
Question
The PRIMARY reason for incorporating security into the software
development life cycle is to protect
Answer
-
the unauthorized disclosure of information.
-
the corporate brand and reputation
-
against hackers who intend to misuse the software.
-
the developers from releasing software with security defects.
Question 2
Question
The resiliency of software to withstand attacks that attempt modify or
alter data in an unauthorized manner is referred to as
Answer
-
Confidentiality.
-
Integrity.
-
Availability.
-
Authorization.
Question 3
Question
The MAIN reason as to why the availability aspects of software must
be part of the organization’s software security initiatives is:
Answer
-
software issues can cause downtime to the business.
-
developers need to be trained in the business continuity procedures.
-
testing for availability of the software and data is often ignored.
-
hackers like to conduct Denial of Service (DoS) attacks against
the organization.
Question 4
Question
Developing the software to monitor its functionality and report when
the software is down and unable to provide the expected service to the
business is a protection to assure which of the following?
Answer
-
Confidentiality.
-
Integrity.
-
Availability.
-
Authentication.
Question 5
Question
When a customer attempts to log into their bank account, the customer
is required to enter a nonce from the token device that was issued to
the customer by the bank. This type of authentication is also known
as which of the following?
Answer
-
Ownership based authentication.
-
Two factor authentication.
-
Characteristic based authentication.
-
Knowledge based authentication.
Question 6
Question
Multi-factor authentication is most closely related to which of the
following security design principles?
Answer
-
Separation of Duties.
-
Defense in depth.
-
Complete mediation.
-
Open design.
Question 7
Question
Audit logs can be used for all of the following EXCEPT
Answer
-
providing evidentiary information.
-
assuring that the user cannot deny their actions.
-
detecting the actions that were undertaken.
-
preventing a user from performing some unauthorized operations.
Question 8
Question
Organizations often pre-determine the acceptable number of user
errors before recording them as security violations. This number is
otherwise known as:
Question 9
Question
A security principle that maintains the confidentiality, integrity and
availability of the software and data, besides allowing for rapid recovery
to the state of normal operations, when unexpected events occur is the
security design principle of
Question 10
Question
Requiring the end user to accept an ‘AS-IS’ disclaimer clause before
installation of your software is an example of risk
Answer
-
avoidance.
-
mitigation.
-
transference.
-
acceptance.
Question 11
Question
An instrument that is used to communicate and mandate organizational
and management goals and objectives at a high level is a
Answer
-
standard.
-
policy.
-
baseline.
-
guideline.
Question 12
Question
The Systems Security Engineering Capability Maturity Model (SSECMM
®) is an internationally recognized standard that publishes
guidelines to
Answer
-
provide metrics for measuring the software and its behavior, and
using the software in a specific context of use.
-
evaluate security engineering practices and organizational
management processes.
-
support accreditation and certification bodies that audit and
certify information security management systems.
-
ensure that the claimed identity of personnel are appropriately
verified.
Question 13
Question
Which of the following is a framework that can be used to develop
a risk based enterprise security architecture by determining security
requirements after analyzing the business initiatives.
Answer
-
Capability Maturity Model Integration (CMMI)
-
Sherwood Applied Business Security Architecture (SABSA)
-
Control Objectives for Information and related Technology
(COBIT®)
-
Zachman Framework
Question 14
Question
Which of the following is a PRIMARY consideration for the software
publisher when selling Commercially Off the Shelf (COTS) software?
Answer
-
Service Level Agreements (SLAs).
-
Intellectual Property protection.
-
Cost of customization.
-
Review of the code for backdoors and Trojan horses.
Question 15
Question
The Single Loss Expectancy can be determined using which of the
following formula?
Answer
-
Annualized Rate of Occurrence (ARO) x Exposure Factor
-
Probability x Impact
-
Asset Value x Exposure Factor
-
Annualized Rate of Occurrence (ARO) x Asset Value
Question 16
Question
Implementing IPSec to assure the confidentiality of data when it is
transmitted is an example of risk
Answer
-
avoidance.
-
transference.
-
mitigation.
-
acceptance.
Question 17
Question
The Federal Information Processing Standard (FIPS) that prescribe
guidelines for biometric authentication is
Answer
-
FIPS 140.
-
FIPS 186.
-
FIPS 197.
-
FIPS 201.
Question 18
Question
Which of the following is a multi-faceted security standard that is
used to regulate organizations that collects, processes and/or stores
cardholder data as part of their business operations?
Answer
-
FIPS 201.
-
ISO/IEC 15408.
-
NIST SP 800-64.
-
PCI DSS.
Question 19
Question
Which of the following is the current Federal Information Processing
Standard (FIPS) that specifies an approved cryptographic algorithm to
ensure the confidentiality of electronic data?
Answer
-
Security Requirements for Cryptographic Modules (FIPS 140).
-
Peronal Identity Verification (PIV) of Federal Employees and
Contractors (FIPS 201).
-
Advanced Encryption Standard (FIPS 197).
-
Digital Signature Standard (FIPS 186).
Question 20
Question
The organization that publishes the ten most critical web application
security risks (Top Ten) is the
Answer
-
Computer Emergency Response Team (CERT).
-
Web Application Security Consortium (WASC).
-
Open Web Application Security Project (OWASP).
-
Forums for Incident Response and Security Teams (FIRST)
Question 21
Question
The process of removing private information from sensitive data sets is
referred to as
Answer
-
Sanitization.
-
Degaussing.
-
Anonymization.
-
Formatting.
Question 22
Question
(Domain 2)
Which of the following MUST be addressed by software security
requirements? Choose the BEST answer
Answer
-
Technology used in building the application
-
Goals and objectives of the organization.
-
Software quality requirements
-
External auditor requirements
Question 23
Question
Which of the following types of information is exempt from
confidentiality requirements?
Question 24
Question
Requirements that are identified to protect against the destruction of
information or the software itself are commonly referred to as
Answer
-
confidentiality requirements.
-
integrity requirements
-
availability requirements.
-
authentication requirements
Question 25
Question
The amount of time by which business operations need to be restored
to service levels as expected by the business when there is a security
breach or disaster is known as
Answer
-
Maximum Tolerable Downtime (MTD).
-
Mean Time Before Failure (MTBF).
-
Minimum Security Baseline (MSB).
-
Recovery Time Objective (RTO).
Question 26
Question
The use of an individual’s physical characteristics such as retinal blood
patterns and fingerprints for validating and verifying the user’s identity
if referred to as
Question 27
Question
Which of the following policies is MOST likely to include the
following requirement? “All software processing financial transactions
need to use more than one factor to verify the identity of the entity
requesting access””
Answer
-
Authorization
-
Authentication.
-
Auditing
-
Availability
Question 28
Question
A means of restricting access to objects based on the identity of subjects
and/or groups to which they belong, as mandated by the requested
resource owner is the definition of
Answer
-
Non-discretionary Access Control (NDAC).
-
Discretionary Access Control (DAC).
-
Mandatory Access Control (MAC).
-
Role based Access Control.
Question 29
Question
Requirements which when implemented can help to build a history of
events that occurred in the software are known as
Answer
-
authentication requirements.
-
archiving requirements.
-
accountability requirements.
-
authorization requirements.
Question 30
Question
Which of the following is the PRIMARY reason for an application to
be susceptible to a Man-in-the-Middle (MITM) attack?
Question 31
Question
The process of eliciting concrete software security requirements from
high level regulatory and organizational directives and mandates in
the requirements phase of the SDLC is also known as
Answer
-
threat modeling.
-
policy decomposition.
-
subject-object modeling
-
misuse case generation.
Question 32
Question
The FIRST step in the Protection Needs Elicitation (PNE) process is
to
Answer
-
engage the customer
-
model information management
-
identify least privilege applications
-
conduct threat modeling and analysis
Question 33
Question
A Requirements Traceability Matrix (RTM) that includes security
requirements can be used for all of the following except
Answer
-
ensuring scope creep does not occur
-
validating and communicating user requirements
-
determining resource allocations
-
identifying privileged code sections
Question 34
Question
Parity bit checking mechanisms can be used for all of the following
except
Answer
-
Error detection
-
Message corruption.
-
Integrity assurance
-
Input validation
Question 35
Question
Which of the following is an activity that can be performed to clarify
requirements with the business users using diagrams that model the
expected behavior of the software?
Answer
-
Threat modeling
-
Use case modeling
-
Misuse case modeling
-
Data modeling
Question 36
Question
Which of the following is LEAST LIKELY to be identified by misuse
case modeling?
Answer
-
Race conditions
-
Mis-actors
-
Attacker’s perspective
-
Negative requirements
Question 37
Question
Data classification is a core activity that is conducted as part of which
of the following?
Question 38
Question
Web farm data corruption issues and card holder data encryption
requirements need to be captured as part of which of the following
requirements?
Answer
-
Integrity.
-
Environment.
-
International.
-
Procurement.
Question 39
Question
When software is purchased from a third party instead of being built
in-house, it is imperative to have contractual protection in place and
have the software requirements explicitly specified in which of the
following?
Question 40
Question
When software is able to withstand attacks from a threat agent and
not violate the security policy it is said to be exhibiting which of the
following attributes of software assurance?
Answer
-
Reliability
-
Resiliency.
-
Recoverability
-
Redundancy.
Question 41
Question
Infinite loops and improper memory calls are often known to cause
threats to which of the following?
Answer
-
Availability.
-
Authentication.
-
Authorization.
-
Accountability.
Question 42
Question
Which of the following is used to communicate and enforce availability
requirements of the business or client?
Question 43
Question
Software security requirements that are identified to protect against
disclosure of data to unauthorized users is otherwise known as
Answer
-
integrity requirements
-
authorization requirements
-
confidentiality requirements.
-
non-repudiation requirements.
Question 44
Question
The requirements that assure reliability and prevent alterations are to be
identified in which section of the software requirements specifications
(SRS) documentation?
Answer
-
Confidentiality.
-
Integrity.
-
Availability.
-
Accountability
Question 45
Question
Which of the following is a covert mechanism that assures
confidentiality?
Answer
-
Encryption.
-
Steganography.
-
Hashing.
-
Masking.
Question 46
Question
As a means to assure confidentiality of copyright information, the
security analyst identifies the requirement to embed information
insider another digital audio, video or image signal. This is commonly
referred to as
Answer
-
Encryption.
-
Hashing.
-
Licensing
-
Watermarking.
Question 47
Question
Checksum validation can be used to satisfy which of the following
requirements?
Answer
-
Confidentiality.
-
Integrity.
-
Availability
-
Authentication.
Question 48
Question
A Requirements Traceability Matrix (RTM) that includes security
requirements can be used for all of the following EXCEPT
Answer
-
Ensure scope creep does not occur
-
Validate and communicate user requirements
-
Determine resource allocations
-
Identifying privileged code sections
Question 49
Question
Domain 3
During which phase of the software development lifecycle (SDLC) is
threat modeling initiated?
Answer
-
Requirements analysis
-
Design
-
Implementation
-
Deployment
Question 50
Question
Certificate Authority, Registration Authority, and Certificate
Revocation Lists are all part of which of the following?
Answer
-
Advanced Encryption Standard (AES)
-
Steganography
-
Public Key Infrastructure (PKI)
-
Lightweight Directory Access Protocol (LDAP)
Question 51
Question
The use of digital signatures has the benefit of providing which of the
following that is not provided by symmetric key cryptographic design?
Question 52
Question
When passwords are stored in the database, the best defense against
disclosure attacks can be accomplished using
Answer
-
encryption.
-
masking.
-
hashing.
-
obfuscation.
Question 53
Question
Nicole is part of the ‘author’ role as well as she is included in the
‘approver’ role, allowing her to approve her own articles before it is
posted on the company blog site. This violates the principle of
Answer
-
least privilege.
-
least common mechanisms.
-
economy of mechanisms.
-
separation of duties
Question 54
Question
The primary reason for designing Single Sign On (SSO) capabilities is
to
Answer
-
increase the security of authentication mechanisms
-
simplify user authentication.
-
have the ability to check each access request
-
allow for interoperability between wireless and wired networks.
Question 55
Question
Database triggers are PRIMARILY useful for providing which of the
following detective software assurance capability?
Answer
-
Availability
-
Authorization.
-
Auditing.
-
Archiving
Question 56
Question
During a threat modeling exercise, the software architecture is reviewed
to identify
Answer
-
attackers.
-
business impact.
-
critical assets
-
entry points.
Question 57
Question
A Man-in-the-Middle (MITM) attack is PRIMARILY an expression
of which type of the following threats?
Answer
-
Spoofing
-
Tampering
-
Repudiation
-
Information disclosure
Question 58
Question
IPSec technology which helps in the secure transmission of information
operates in which layer of the Open Systems Interconnect (OSI) model?
Answer
-
Transport.
-
Network
-
Session.
-
Application.
Question 59
Question
When internal business functionality is abstracted into service oriented
contract based interfaces, it is PRIMARILY used to provide for
Answer
-
interoperability.
-
authentication.
-
authorization.
-
installation ease.
Question 60
Question
At which layer of the Open Systems Interconnect (OSI) model must
security controls be designed to effectively mitigate side channel attacks?
Answer
-
Transport
-
Network
-
Data link
-
Physical
Question 61
Question
Which of the following software architectures is effective in distributing
the load between the client and the server, but since it includes the
client to be part of the threat vectors it increases the attack surface?
Answer
-
Software as a Service (SaaS).
-
Service Oriented Architecture (SOA).
-
Rich Internet Application (RIA).
-
Distributed Network Architecture (DNA).
Question 62
Question
When designing software to work in a mobile computing environment,
the Trusted Platform Module (TPM) chip can be used to provide
which of the following types of information?
Answer
-
Authorization.
-
Identification.
-
Archiving
-
Auditing.
Question 63
Question
When two or more trivial pieces of information are brought together
with the aim of gleaning sensitive information, it is referred to as what
type of attack?
Answer
-
Injection.
-
Inference.
-
Phishing.
-
Polyinstantiation.
Question 64
Question
The inner workings and internal structure of backend databases can be
protected from disclosure using
Answer
-
triggers.
-
normalization.
-
views.
-
encryption
Question 65
Question
Choose the BEST answer. Configurable settings for logging exceptions,
auditing and credential management must be part of
Question 66
Question
The token that is PRIMARILY used for authentication purposes in a
Single Sign (SSO) implementation between two different companies is
Question 67
Question
Syslog implementations require which additional security protection
mechanisms to mitigate disclosure attacks?
Answer
-
Unique session identifier generation and exchange.
-
Transport Layer Security.
-
Digital Rights Management (DRM)
-
Data Loss Prevention,
Question 68
Question
Rights and privileges for a file can be granularly granted to each client
using which of the following technologies
Answer
-
Data Loss Prevention (DLP).
-
Software as a Service (SaaS)
-
Flow control
-
Digital Rights Management (DRM)
Question 69
Question
Which of the following is known to circumvent the ring protection
mechanisms in operating systems?
Question 70
Question
When the software is designed using Representational State Transfer
(REST) architecture, it promotes which of the following good
programming practices?
Answer
-
High Cohesion
-
Low Cohesion
-
Tight Coupling
-
Loose Coupling
Question 71
Question
. Which of the following components of the Java architecture is primarily
responsible to ensure type consistency, safety and assure that there are
no malicious instructions in the code?
Answer
-
Garbage collector
-
Class Loader
-
Bytecode Verfier
-
Java Security Manager
Question 72
Question
The primary security concern when implementing cloud applications
is related to
Question 73
Question
The predominant form of malware that infects mobile apps is
Answer
-
Virus
-
Ransomware
-
Worm
-
Spyware
Question 74
Question
Most Supervisory Control And Data Acquisition (SCADA) systems
are susceptible to software attacks because
Answer
-
they were not initially implemented with security in mind
-
the skills of a hacker has increased significantly
-
the data that they collect are of top secret classification
-
the firewalls that are installed in front of these devices have been
breached.
Question 75
Question
Domain 4
Software developers writes software programs PRIMARILY to
Answer
-
create new products
-
capture market share
-
solve business problems
-
mitigate hacker threats
Question 76
Question
The process of combining necessary functions, variables and
dependency files and libraries required for the machine to run the
program is referred to as
Answer
-
compilation
-
interpretation
-
linking
-
instantiation
Question 77
Question
Which of the following is an important consideration to manage
memory and mitigate overflow attacks when choosing a programming
language?
Answer
-
Locality of reference
-
Type safety
-
Cyclomatic complexity
-
Parametric polymorphism
Question 78
Question
Assembly and machine language are examples of
Question 79
Question
Using multifactor authentication is effective in mitigating which of the
following application security risks?
Question 80
Question
Impersonation attacks such as Man-in-the-Middle (MITM) attacks in
an Internet application can be BEST mitigated using proper
Question 81
Question
Implementing Completely Automated Public Turing test to tell
Computers and Humans Apart (CAPTCHA) protection is a means
of defending against
Answer
-
SQL Injection
-
Cross-Site Scripting (XSS)
-
Cross-Site Request Forgery (CSRF)
-
. Insecure cryptographic storage
Question 82
Question
The findings of a code review indicate that cryptographic operations
in code use the Rijndael cipher, which is the original publication of
which of the following algorithms?
Answer
-
Skipjack
-
Data Encryption Standard (DES)
-
Triple Data Encryption Standard (3DES)
-
Advanced Encryption Standard (AES)
Question 83
Question
Which of the following transport layer technologies can BEST mitigate
session hijacking and replay attacks in a local area network (LAN)?
Answer
-
Data Loss Prevention (DLP)
-
Internet Protocol Security (IPSec)
-
Secure Sockets Layer (SSL)
-
Digital Rights Management (DRM)
Question 84
Question
Verbose error messages and unhandled exceptions can result in which
of the following software security threats?
Answer
-
Spoofing
-
Tampering
-
Repudiation
-
Information disclosure
Question 85
Question
Code signing can provide all of the following EXCEPT
Answer
-
Anti-tampering protection
-
Authenticity of code origin
-
Runtime permissions for code
-
Authentication of users
Question 86
Question
When an attacker uses delayed error messages between successful and
unsuccessful query probes, he is using which of the following side
channel techniques to detect injection vulnerabilities?
Answer
-
Distant observation
-
Cold boot
-
Power analysis
-
Timing
Question 87
Question
When the code is not allowed to access memory at arbitrary locations
that is out of range of the memory address space that belong to the
object’s publicly exposed fields, it is referred to as which of the following
types of code?
Answer
-
Object code
-
Type safe code
-
Obfuscated code
-
Source code
Question 88
Question
When the runtime permissions of the code are defined as security
attributes in the metadata of the code, it is referred to as
Question 89
Question
When an all-or-nothing approach to code access security is not possible
and business rules and permissions need to be set and managed more
granularly inline code functions and modules, a programmer can
leverage which of the following?
Answer
-
Cryptographic agility
-
Parametric polymorphism
-
Declarative security
-
Imperative security
Question 90
Question
An understanding of which of the following programming concepts
is necessary to protect against memory manipulation buffer overflow
attacks? Choose the BEST answer.
Answer
-
Error handling
-
Exception management
-
Locality of reference
-
Generics
Question 91
Question
Exploit code attempt to take control of dangling pointers which
Answer
-
are references to memory locations of destroyed objects.
-
is the non-functional code that that is left behind in the source.
-
is the payload code that the attacker uploads into memory to
execute.
-
are references in memory locations that are used prior to being
initialized.
Question 92
Question
Which of the following is a feature of most recent operating systems
(OS) that makes it difficult for an attacker to guess the memory address
of the program as it makes the memory address different each time the
program is executed?
Answer
-
Data Execution Prevention (DEP)
-
Executable Space Protection (ESP)
-
Address Space Layout Randomization (ASLR)
-
Safe Security Exception Handler (/SAFESEH)
Question 93
Question
When the source code is made obscure using special programs in order
to make the readability of the code difficult when disclosed, the code is
also known as
Answer
-
object code
-
obfuscated code.
-
encrypted code.
-
hashed code.
Question 94
Question
The ability to track ownership, changes in code and rollback abilities is
possible because of which of the following configuration management
processes?
Answer
-
Version control
-
Patching
-
Audit logging
-
Change control
Question 95
Question
The MAIN benefit of statically analyzing code is that
Answer
-
runtime behavior of code can be analyzed.
-
business logic flaws are more easily detectable.
-
the analysis is performed in a production or production-like
environment
-
errors and vulnerabilities can be detected earlier in the life cycle.
Question 96
Question
Cryptographic protection includes all of the following EXCEPT
Answer
-
encryption of data when it is processed.
-
hashing of data when it is stored.
-
hiding of data within other media objects when it is transmitted.
-
masking of data when it is displayed.
Question 97
Question
Replacing the Primary Account Number (PAN) with random or
pseudo-random symbols that are uniquely identifiable and still assuring
privacy is also known as
Answer
-
Fuzzing
-
Tokenization
-
Encoding
-
Canonicalization
Question 98
Question
Which of the following is an implementation of the principle of least
privilege?
Answer
-
Sandboxing
-
Tokenization
-
Versioning
-
. Concurrency
Question 99
Question
Domain 5
The ability of the software to restore itself to expected functionality
when the security protection that is built in is breached is also known
as
Answer
-
redundancy.
-
recoverability.
-
resiliency.
-
reliability.
Question 100
Question
In which of the following software development methodologies does
unit testing enable collective code ownership and is critical to assure
software assurance?
Answer
-
Waterfall
-
Agile
-
Spiral
-
Prototyping
Question 101
Question
Which of the secure design principles is promoted when test harnesses
are used?
Question 102
Question
The use of IF-THEN rules is characteristic of which of the following
types of software testing?
Answer
-
Logic
-
Scalability
-
Integration
-
Unit
Question 103
Question
The implementation of secure features such as complete mediation and
data replication needs to undergo which of the following types of test
to ensure that the software meets the service level agreements (SLA)?
Answer
-
Stress
-
Unit
-
Integration
-
Regression
Question 104
Question
Tests that are conducted to determine the breaking point of the software
after which the software will no longer be functional is characteristic
of which of the following types of software testing?
Answer
-
Regression
-
Stress
-
Integration
-
Simulation
Question 105
Question
Which of the following tools or techniques can be used to facilitate the
white box testing of software for insider threats?
Answer
-
Source code analyzers
-
Fuzzers
-
Banner grabbing software
-
Scanners
Question 106
Question
When very limited or no knowledge of the software is made known to
the software tester before she can test for its resiliency, it is characteristic
of which of the following types of security tests?
Answer
-
White box
-
Black box
-
Clear box
-
Glass box
Question 107
Question
Penetration testing must be conducted with properly defined
Question 108
Question
Testing for the randomness of session identifiers and the presence of
auditing capabilities provides the software team insight into which of
the following security controls?
Answer
-
Availability
-
Authentication.
-
Non-repudiation.
-
Authorization.
Question 109
Question
Disassemblers, debuggers and decompilers can be used by security
testers to PRIMARILY determine which of the following types of
coding vulnerabilities?
Question 110
Question
When reporting a software security defect in the software, which of
the following also needs to be reported so that variance from intended
behavior of the software can be determined?
Answer
-
Defect identifier
-
Title
-
Expected results
-
Tester name
Question 111
Question
An attacker analyzes the response from the web server which indicates
that its version is the Microsoft Internet Information Server 6.0
(Microsoft-IIS/6.0), but none of the IIS exploits that the attacker
attempts to execute on the web server are successful. Which of the
following is the MOST probable security control that is implemented?
Answer
-
Hashing
-
Cloaking
-
Masking
-
Watermarking
Question 112
Question
Smart fuzzing is characterized by injecting
Answer
-
truly random data without any consideration for the data
structure.
-
variations of data structures that are known.
-
data that get interpreted as commands by a backend interpreter
-
scripts that are reflected and executed on the client browser.
Question 113
Question
Which of the following is the MOST important to ensure, as part
of security testing, when the software is forced to fail x? Choose the
BEST answer.
Answer
-
Normal operational functionality is not restored automatically.
-
Access to all functionality is denied.
-
Confidentiality, integrity and availability are not adversely
impacted.
-
End users are adequately trained and self help is made available
for the end user to fix the error on their own.
Question 114
Question
Timing and synchronization issues such as race conditions and
resource deadlocks can be MOST LIKELY identified by which of the
following tests? Choose the BEST answer.
Answer
-
Integration
-
Stress
-
Unit
-
Regression
Question 115
Question
The PRIMARY objective of resiliency testing of software is to
determine
Answer
-
the point at which the software will break.
-
if the software can restore itself to normal business operations.
-
the presence and effectiveness of risk mitigation controls.
-
how a blackhat would circumvent access control mechanisms.
Question 116
Question
The ability of the software to withstand attempts of attackers who
intend to breach the security protection that is built in is also known as
Answer
-
redundancy.
-
recoverability.
-
resiliency.
-
reliability.
Question 117
Question
Drivers and stub based programming are useful to conduct which of
the following tests?
Answer
-
Integration
-
Regression
-
Unit
-
Penetration
Question 118
Question
Assurance that the software meets the expectations of the business as
defined in the service level agreements (SLAs) can be demonstrated by
which of the following types of tests?
Answer
-
Unit
-
Integration
-
Performance
-
Regression
Question 119
Question
Vulnerability scans are used to
Answer
-
measure the resiliency of the software by attempting to exploit
weaknesses.
-
detect the presence of loopholes and weaknesses in the software.
-
detect the effectiveness of security controls that are implemented
in the software.
-
measure the skills and technical know-how of the security tester.
Question 120
Question
In the context of test data management, when a transaction which
serves no business purpose is tested, it is referred to as what kind of
transaction?
Answer
-
Non-synthetic
-
Synthetic
-
Useless
-
Discontinuous
Question 121
Question
As part of the test data management strategy, when a criteria is applied
to export selective information from a production system to the test
environment, it is also referred to as
Answer
-
Subletting
-
Filtering
-
Validation
-
Subsetting
Question 122
Question
Domain 6
Your organization has the policy to attest the security of any software
that will be deployed into the production environment. A third party
vendor software is being evaluated for its readiness to be deployed.
Which of the following verification and validation mechanism can be
employed to attest the security of the vendor’s software?
Question 123
Question
To meet the goals of software assurance, when accepting software, the
acquisition phase MUST include processes to
Answer
-
verify that installation guides and training manuals are provided.
-
assess the presence and effectiveness of protection mechanisms.
-
validate vendor’s software products.
-
assist the vendor in responding to the request for proposals.
Question 124
Question
The process of evaluating software to determine whether the products
of a given development phase satisfies the conditions imposed at the
start of the phase is referred to as
Answer
-
verification
-
validation
-
authentication
-
authorization
Question 125
Question
When verification activities are used to determine if the software is
functioning as it is expected to, it provides insight into which of the
following aspects of software assurance?
Answer
-
Redundancy
-
Reliability
-
Resiliency
-
Recoverability
Question 126
Question
When procuring software the purchasing company can request the
evaluation assurance levels (EALs) of the software product which is
determined using which of the following evaluation methodologies?
Answer
-
Operationally Critical Assets Threats and Vulnerability Evaluation®
(OCTAVE)
-
Security Quality Requirements Engineering (SQUARE)
-
Common Criteria
-
Comprehensive, Lightweight Application Security Process
(CLASP)
Question 127
Question
The FINAL activity in the software acceptance process is the go/no go
decision that can be determined using
Answer
-
regression testing.
-
integration testing.
-
unit testing.
-
user acceptance testing.
Question 128
Question
Management’s formal acceptance of the system after an understanding
of the residual risks to that system in the computing environment is
also referred to as
Answer
-
patching.
-
hardening.
-
certification.
-
accreditation.
Question 129
Question
You determine that a legacy software running in your computing
environment is susceptible to Cross Site Request Forgery (CSRF)
attacks because of the way it manages sessions. The business has the
need to continue use of this software but you do not have the source
code available to implement security controls in code as a mitigation
measure against CSRF attacks. What is the BEST course of action to
undertake in such a situation?
Answer
-
Avoid the risk by forcing the business to discontinue use of the
software.
-
Accept the risk with a documented exception.
-
Transfer the risk by buying insurance.
-
Ignore the risk since it is legacy software
Question 130
Question
As part of the accreditation process, the residual risk of a software
evaluated for deployment must be accepted formally by the
Question 131
Question
Domain 7
When software that worked without any issues in the test environments
fails to work in the production environment, it is indicative of
Answer
-
inadequate integration testing
-
incompatible environment configurations.
-
incomplete threat modeling.
-
ignored code review
Question 132
Question
Which of the following is not characteristic of good security metrics?
Answer
-
Quantitatively expressed
-
Objectively expressed
-
Contextually relevant
-
Collected manually
Question 133
Question
Removal of maintenance hooks, debugging code and flags, and
unneeded documentation before deployment are all examples of
software
Answer
-
hardening
-
patching.
-
reversing.
-
obfuscation.
Question 134
Question
Which of the following has the goal of ensuring that the resiliency
levels of software is always above the acceptable risk threshold as
defined by the business post deployment?
Answer
-
Threat modeling.
-
Code review.
-
Continuous monitoring.
-
Regression testing.
Question 135
Question
Logging application events such as failed login attempts, sales price
updates and user roles configuration for audit review at a later time is
an example of which of the following type of security control?
Answer
-
Preventive
-
Corrective
-
Compensating
-
Detective
Question 136
Question
When a compensating control is to be used, the Payment Card Industry
Data Security Standard (PCI DSS) prescribes that the compensating
control must meet all of the following guidelines EXCEPT
Answer
-
Meet the intent and rigor of the original requirement.
-
Provide an increased level of defense than the original requirement
-
Be implemented as part of a defense in depth measure.
-
Must commensurate with additional risk imposed by not adhering
to the requirement
Question 137
Question
Versioning, back-ups, check-in and check-out practices are all important
components of
Answer
-
Patch management
-
Release management
-
Problem management
-
Incident management
Question 138
Question
Software that is deployed in a high trust environment such as the
environment within the organizational firewall when not continuously
monitored is MOST susceptible to which of the following types of
security attacks? Choose the BEST answer.
Question 139
Question
Bastion host systems can be used to continuously monitor the security
of the computing environment when it is used in conjunction with
intrusion detection systems (IDS) and which other security control?
Answer
-
Authentication.
-
Authorization.
-
Archiving.
-
Auditing.
Question 140
Question
The FIRST step in the incident response process of a reported breach
is to
Answer
-
notify management of the security breach.
-
research the validity of the alert or event further
-
inform potentially affected customers of a potential breach.
-
conduct an independent third party evaluation to investigate the
reported breach.
Question 141
Question
Which of the following is the BEST recommendation to champion
security objectives within the software development organization?
Answer
-
Informing the developers that they could lose their jobs if their
software is breached.
-
Informing management that the organizational software could
be hacked.
-
Informing the project team about the recent breach of the
competitor’s software.
-
Informing the development team that there should be no injection
flaws in the payroll application.
Question 142
Question
Which of the following independent process provides insight into the
presence and effectiveness of security and privacy controls and is used
to determine the organization’s compliance with the regulatory and
governance (policy) requirements?
Answer
-
Penetration testing
-
Audits
-
Threat modeling
-
Code review
Question 143
Question
The process of using regular expressions to parse audit logs into
information that indicate security incidents is referred to as
Answer
-
correlation.
-
normalization.
-
collection.
-
visualization.
Question 144
Question
The FINAL stage of the incident management process is to
Answer
-
detection.
-
containment.
-
eradication
-
recovery
Question 145
Question
Problem management aims to improve the value of Information
Technology to the business because it improves service by
Answer
-
restoring service to the expectation of the business user
-
determining the alerts and events that need to be continuously
monitored.
-
depicting incident information in easy to understand user friendly
format.
-
identifying and eliminating the root cause of the problem
Question 146
Question
The process of releasing software to fix a recently reported vulnerability
without introducing any new features or changing hardware
configuration is referred to as
Answer
-
versioning.
-
hardening.
-
patching.
-
porting.
Question 147
Question
Fishbone diagramming is a mechanism that is PRIMARILY used for
which of the following processes?
Answer
-
Threat modeling
-
Requirements analysis.
-
Network deployment.
-
Root cause analysis.
Question 148
Question
As a means to assure the availability of the existing software functionality
after the application of a patch, the patch need to be tested for
Question 149
Question
Which of the following policies needs to be established to securely
dispose software and associated data and documents?
Question 150
Question
Discontinuance of a software with known vulnerabilities with a newer
version is an example of risk
Answer
-
mitigation.
-
transference.
-
acceptance.
-
avoidance.
Question 151
Question
Printer ribbons, facsimile transmissions and printed information when
not securely disposed are susceptible to disclosure attacks by which of
the following threat agents? Choose the BEST answer.
Answer
-
Malware
-
Dumpster divers
-
Social engineers
-
Script kiddies.
Question 152
Question
System resources can be protected from malicious file execution attacks
by uploading the user supplied file and running it in which of the
following environment?
Answer
-
Honeypot
-
Sandbox
-
Simulated
-
Production
Question 153
Question
As a means to demonstrate the improvement in the security of code
that is developed, one must compute the relative attack surface quotient
(RASQ)
Answer
-
at the end of development phase of the project
-
before and after the code is implemented.
-
before and after the software requirements are complete.
-
at the end of the deployment phase of the project.
Question 154
Question
Modifications to data directly in the database by developers must be
prevented by
Answer
-
periodically patching database servers
-
implementing source code version control.
-
logging all database access requests.
-
proper change control management.
Question 155
Question
Which of the following documents is the BEST source to contain
damage and which needs to be referred to and consulted with upon
the discovery of a security breach?
Question 156
Question
Domain 8
The increased need for security in the software supply chain is
PRIMARILY attributed to
Answer
-
cessation of development activities within a company
-
increase in the number of foreign trade agreements
-
incidences of malicious code and logic found in acquired software
-
decrease in the trust of consumers on software developed within
a company.
Question 157
Question
Which phase of the acquisition life cycle involves the issuance of
advertisements to source and evaluate suppliers?
Answer
-
Contracting
-
Planning
-
Development
-
Delivery (Handover
Question 158
Question
Predictable execution means that the software demonstrates all the
following qualities EXCEPT?
Answer
-
Authenticity
-
Conformance
-
Authorization
-
Trustworthiness
Question 159
Question
Which of the following is a process threat in the software supply chain?
Answer
-
Counterfeit software
-
Insecure code transfer
-
Subornation
-
Piracy
Question 160
Question
In the context of the software supply chain, the principle of persistent
protection is also known as
Question 161
Question
In pre-qualifying a supplier, which of the following must be assessed to
ensure that the supplier can provide timely updates and hotfixes when
an exploitable vulnerability in their software is reported?
Answer
-
Foreign ownership and control or influence
-
Security track record
-
Security knowledge of the supplier’ s personnel
-
Compliance with security policies, regulatory and privacy
requirements.
Question 162
Question
Which of the following can provide insight into the effectiveness and
efficiencies of the supply chain processes as it pertains to assuring trust
and software security?
Answer
-
Key Performance Indicators (KPI)
-
Relative Attack Surface Quotient (RASQ)
-
Maximum Tolerable Downtime (MTD)
-
Requirements Traceability Matrix (RTM)
Question 163
Question
Which of the following contains the security requirements and the
evidence needed to prove that the acquirer requirements are met as
expected?
Question 164
Question
The difference between disclaimer-based protection and contractsbased
is that
Answer
-
Contracts-based protection is mutual.
-
Disclaimer-based protection is mutual
-
Contracts-based protection is done by one-sided notification of
terms
-
Disclaimer-based protection is legally binding.
Question 165
Question
Software programs, database models and images on a website can be
protected using which of the following legal instrument?
Answer
-
Patents
-
Copyright
-
Trademarks
-
Trade secret
Question 166
Question
You find out that employees in your company have been downloading
software files and sharing them using peer-to-peer based torrent
networks. These software files are not free and need to be purchase
from their respective manufacturers. You employee are violating
Answer
-
Trade secrets
-
Trademarks
-
Patents
-
Copyrights
Question 167
Question
Which of the following legal instruments assures the confidentiality
of software programs, processing logic, database schema and internal
organizational business processes and client lists?
Question 168
Question
When source code of Commercially Off-The-Shelf (COTS) software
is escrowed and released under a free software or open source license
when the original developer (or supplier) no longer continues to develop
that software, that software is referred to as
Answer
-
Trialware
-
Demoware
-
Ransomware
-
Freeware
Question 169
Question
Improper implementation of validity periods using length-of-use
checks in code can result in which of the following types of security
issues for legitimate users?
Answer
-
Tampering
-
Denial of Service
-
Authentication bypass
-
Spoofing
Question 170
Question
Your organization’s software is published as a trial version without any
restricted functionality from the paid version. Which of the following
MUST be designed and implemented to ensure that customers who
have not purchased the software are limited in the availability of the
software?
Answer
-
Disclaimers
-
Licensing
-
Validity periods
-
Encryption
Question 171
Question
When must the supplier inform the acquirer of any applicable export
control and foreign trade regulatory requirements in the countries of
export and import?
Question 172
Question
The disadvantage of using open source software from a security
standpoint is
Answer
-
Only the original publisher of the source code can modify the
code
-
Open source software is not supported and maintained by mature
companies or communities.
-
The attacker can look into the source code to determine its
exploitability.
-
Open source software can only be purchased using a piece-meal
approach.
Question 173
Question
Which of the following is the most important security testing process
that validates and verifies the integrity of software code, components
and configurations, in a software security chain?
Answer
-
Threat modeling
-
Fuzzing
-
Penetration testing
-
Code review
Question 174
Question
Which of the following is LEAST likely to be detected using a code
review process?
Answer
-
Backdoors
-
Logic Bombs
-
Logic Flaws
-
Trojan horses
Question 175
Question
Which of the following security principle is LEAST related to the
securing of code repositories?
Answer
-
Least privilege
-
Access Control
-
Auditing
-
Open Design
Question 176
Question
The integrity of build tools and the build environment is necessary to
protect against
Answer
-
spoofing
-
tampering
-
disclosure
-
denial of service
Question 177
Question
Which of the following kind of security testing tool detects the presence
of vulnerabilities through disassembly and pattern recognition?
Answer
-
Source code scanners
-
Binary code scanners
-
Byte code scanners
-
Compliance validators
Question 178
Question
When software is developed by multiple suppliers, the genuineness of
the software can be attested using which of the following processes?
Answer
-
Code review
-
Code signing
-
Encryption
-
Code scanning
Question 179
Question
Which of the following must be controlled during handoff of software
from one supplier to the next, so that no unauthorized tampering of
the software can be done?
Answer
-
Chain of custody
-
Separation of privileges
-
System logs
-
Application data
Question 180
Question
Which of the following risk management concepts is demonstrated
when using code escrows?
Answer
-
Avoidance
-
Transference
-
Mitigation
-
Acceptance
Question 181
Question
Which of the following types of testing is crucial to conduct to
determine single points of failure in a System-of-systems (SoS)?
Answer
-
Unit
-
Integration
-
Regression
-
Logic
Question 182
Question
When software is handed from one supplier to the next, the following
operational process needs to be in place so that the supplier from whom
the software is acquirer can no longer modify the software?
Answer
-
Runtime integrity assurance
-
Patching
-
Termination Access Control
-
Custom Code Extension Checks