Kopieren und bearbeiten

Secure Software Development Final

Beschreibung

Computer Science Quiz am Secure Software Development Final , erstellt von Thomas Kreuser am 18/04/2017.
Thomas Kreuser
Quiz von Thomas Kreuser, aktualisiert more than 1 year ago
Thomas Kreuser
Erstellt von Thomas Kreuser vor etwa 7 Jahre
3194
2
0

Zusammenfassung der Ressource

Frage 1

Frage
The PRIMARY reason for incorporating security into the software development life cycle is to protect
Antworten
  • the unauthorized disclosure of information.
  • the corporate brand and reputation
  • against hackers who intend to misuse the software.
  • the developers from releasing software with security defects.

Frage 2

Frage
The resiliency of software to withstand attacks that attempt modify or alter data in an unauthorized manner is referred to as
Antworten
  • Confidentiality.
  • Integrity.
  • Availability.
  • Authorization.

Frage 3

Frage
The MAIN reason as to why the availability aspects of software must be part of the organization’s software security initiatives is:
Antworten
  • software issues can cause downtime to the business.
  • developers need to be trained in the business continuity procedures.
  • testing for availability of the software and data is often ignored.
  • hackers like to conduct Denial of Service (DoS) attacks against the organization.

Frage 4

Frage
Developing the software to monitor its functionality and report when the software is down and unable to provide the expected service to the business is a protection to assure which of the following?
Antworten
  • Confidentiality.
  • Integrity.
  • Availability.
  • Authentication.

Frage 5

Frage
When a customer attempts to log into their bank account, the customer is required to enter a nonce from the token device that was issued to the customer by the bank. This type of authentication is also known as which of the following?
Antworten
  • Ownership based authentication.
  • Two factor authentication.
  • Characteristic based authentication.
  • Knowledge based authentication.

Frage 6

Frage
Multi-factor authentication is most closely related to which of the following security design principles?
Antworten
  • Separation of Duties.
  • Defense in depth.
  • Complete mediation.
  • Open design.

Frage 7

Frage
Audit logs can be used for all of the following EXCEPT
Antworten
  • providing evidentiary information.
  • assuring that the user cannot deny their actions.
  • detecting the actions that were undertaken.
  • preventing a user from performing some unauthorized operations.

Frage 8

Frage
Organizations often pre-determine the acceptable number of user errors before recording them as security violations. This number is otherwise known as:
Antworten
  • Clipping level.
  • Known Error.
  • Minimum Security Baseline.
  • Maximum Tolerable Downtime.

Frage 9

Frage
A security principle that maintains the confidentiality, integrity and availability of the software and data, besides allowing for rapid recovery to the state of normal operations, when unexpected events occur is the security design principle of
Antworten
  • defense in depth.
  • economy of mechanisms.
  • fail secure
  • psychological acceptability

Frage 10

Frage
Requiring the end user to accept an ‘AS-IS’ disclaimer clause before installation of your software is an example of risk
Antworten
  • avoidance.
  • mitigation.
  • transference.
  • acceptance.

Frage 11

Frage
An instrument that is used to communicate and mandate organizational and management goals and objectives at a high level is a
Antworten
  • standard.
  • policy.
  • baseline.
  • guideline.

Frage 12

Frage
The Systems Security Engineering Capability Maturity Model (SSECMM ®) is an internationally recognized standard that publishes guidelines to
Antworten
  • provide metrics for measuring the software and its behavior, and using the software in a specific context of use.
  • evaluate security engineering practices and organizational management processes.
  • support accreditation and certification bodies that audit and certify information security management systems.
  • ensure that the claimed identity of personnel are appropriately verified.

Frage 13

Frage
Which of the following is a framework that can be used to develop a risk based enterprise security architecture by determining security requirements after analyzing the business initiatives.
Antworten
  • Capability Maturity Model Integration (CMMI)
  • Sherwood Applied Business Security Architecture (SABSA)
  • Control Objectives for Information and related Technology (COBIT®)
  • Zachman Framework

Frage 14

Frage
Which of the following is a PRIMARY consideration for the software publisher when selling Commercially Off the Shelf (COTS) software?
Antworten
  • Service Level Agreements (SLAs).
  • Intellectual Property protection.
  • Cost of customization.
  • Review of the code for backdoors and Trojan horses.

Frage 15

Frage
The Single Loss Expectancy can be determined using which of the following formula?
Antworten
  • Annualized Rate of Occurrence (ARO) x Exposure Factor
  • Probability x Impact
  • Asset Value x Exposure Factor
  • Annualized Rate of Occurrence (ARO) x Asset Value

Frage 16

Frage
Implementing IPSec to assure the confidentiality of data when it is transmitted is an example of risk
Antworten
  • avoidance.
  • transference.
  • mitigation.
  • acceptance.

Frage 17

Frage
The Federal Information Processing Standard (FIPS) that prescribe guidelines for biometric authentication is
Antworten
  • FIPS 140.
  • FIPS 186.
  • FIPS 197.
  • FIPS 201.

Frage 18

Frage
Which of the following is a multi-faceted security standard that is used to regulate organizations that collects, processes and/or stores cardholder data as part of their business operations?
Antworten
  • FIPS 201.
  • ISO/IEC 15408.
  • NIST SP 800-64.
  • PCI DSS.

Frage 19

Frage
Which of the following is the current Federal Information Processing Standard (FIPS) that specifies an approved cryptographic algorithm to ensure the confidentiality of electronic data?
Antworten
  • Security Requirements for Cryptographic Modules (FIPS 140).
  • Peronal Identity Verification (PIV) of Federal Employees and Contractors (FIPS 201).
  • Advanced Encryption Standard (FIPS 197).
  • Digital Signature Standard (FIPS 186).

Frage 20

Frage
The organization that publishes the ten most critical web application security risks (Top Ten) is the
Antworten
  • Computer Emergency Response Team (CERT).
  • Web Application Security Consortium (WASC).
  • Open Web Application Security Project (OWASP).
  • Forums for Incident Response and Security Teams (FIRST)

Frage 21

Frage
The process of removing private information from sensitive data sets is referred to as
Antworten
  • Sanitization.
  • Degaussing.
  • Anonymization.
  • Formatting.

Frage 22

Frage
(Domain 2) Which of the following MUST be addressed by software security requirements? Choose the BEST answer
Antworten
  • Technology used in building the application
  • Goals and objectives of the organization.
  • Software quality requirements
  • External auditor requirements

Frage 23

Frage
Which of the following types of information is exempt from confidentiality requirements?
Antworten
  • Directory information.
  • Personally identifiable information (PII).
  • User’s card holder data.
  • Software architecture and network diagram

Frage 24

Frage
Requirements that are identified to protect against the destruction of information or the software itself are commonly referred to as
Antworten
  • confidentiality requirements.
  • integrity requirements
  • availability requirements.
  • authentication requirements

Frage 25

Frage
The amount of time by which business operations need to be restored to service levels as expected by the business when there is a security breach or disaster is known as
Antworten
  • Maximum Tolerable Downtime (MTD).
  • Mean Time Before Failure (MTBF).
  • Minimum Security Baseline (MSB).
  • Recovery Time Objective (RTO).

Frage 26

Frage
The use of an individual’s physical characteristics such as retinal blood patterns and fingerprints for validating and verifying the user’s identity if referred to as
Antworten
  • biometric authentication.
  • forms authentication.
  • digest authentication.
  • integrated authentication.

Frage 27

Frage
Which of the following policies is MOST likely to include the following requirement? “All software processing financial transactions need to use more than one factor to verify the identity of the entity requesting access””
Antworten
  • Authorization
  • Authentication.
  • Auditing
  • Availability

Frage 28

Frage
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong, as mandated by the requested resource owner is the definition of
Antworten
  • Non-discretionary Access Control (NDAC).
  • Discretionary Access Control (DAC).
  • Mandatory Access Control (MAC).
  • Role based Access Control.

Frage 29

Frage
Requirements which when implemented can help to build a history of events that occurred in the software are known as
Antworten
  • authentication requirements.
  • archiving requirements.
  • accountability requirements.
  • authorization requirements.

Frage 30

Frage
Which of the following is the PRIMARY reason for an application to be susceptible to a Man-in-the-Middle (MITM) attack?
Antworten
  • Improper session management
  • Lack of auditing
  • Improper archiving
  • Lack of encryption

Frage 31

Frage
The process of eliciting concrete software security requirements from high level regulatory and organizational directives and mandates in the requirements phase of the SDLC is also known as
Antworten
  • threat modeling.
  • policy decomposition.
  • subject-object modeling
  • misuse case generation.

Frage 32

Frage
The FIRST step in the Protection Needs Elicitation (PNE) process is to
Antworten
  • engage the customer
  • model information management
  • identify least privilege applications
  • conduct threat modeling and analysis

Frage 33

Frage
A Requirements Traceability Matrix (RTM) that includes security requirements can be used for all of the following except
Antworten
  • ensuring scope creep does not occur
  • validating and communicating user requirements
  • determining resource allocations
  • identifying privileged code sections

Frage 34

Frage
Parity bit checking mechanisms can be used for all of the following except
Antworten
  • Error detection
  • Message corruption.
  • Integrity assurance
  • Input validation

Frage 35

Frage
Which of the following is an activity that can be performed to clarify requirements with the business users using diagrams that model the expected behavior of the software?
Antworten
  • Threat modeling
  • Use case modeling
  • Misuse case modeling
  • Data modeling

Frage 36

Frage
Which of the following is LEAST LIKELY to be identified by misuse case modeling?
Antworten
  • Race conditions
  • Mis-actors
  • Attacker’s perspective
  • Negative requirements

Frage 37

Frage
Data classification is a core activity that is conducted as part of which of the following?
Antworten
  • Key Management Lifecycle
  • Information Lifecycle Management
  • Configuration Management
  • Problem Management

Frage 38

Frage
Web farm data corruption issues and card holder data encryption requirements need to be captured as part of which of the following requirements?
Antworten
  • Integrity.
  • Environment.
  • International.
  • Procurement.

Frage 39

Frage
When software is purchased from a third party instead of being built in-house, it is imperative to have contractual protection in place and have the software requirements explicitly specified in which of the following?
Antworten
  • Service Level Agreements (SLA).
  • Non-Disclosure Agreements (NDA)
  • Non-compete Agreements
  • Project plan.

Frage 40

Frage
When software is able to withstand attacks from a threat agent and not violate the security policy it is said to be exhibiting which of the following attributes of software assurance?
Antworten
  • Reliability
  • Resiliency.
  • Recoverability
  • Redundancy.

Frage 41

Frage
Infinite loops and improper memory calls are often known to cause threats to which of the following?
Antworten
  • Availability.
  • Authentication.
  • Authorization.
  • Accountability.

Frage 42

Frage
Which of the following is used to communicate and enforce availability requirements of the business or client?
Antworten
  • Non-Disclosure Agreement (NDA).
  • Corporate Contract.
  • Service Level Agreements (SLA).
  • Threat model.

Frage 43

Frage
Software security requirements that are identified to protect against disclosure of data to unauthorized users is otherwise known as
Antworten
  • integrity requirements
  • authorization requirements
  • confidentiality requirements.
  • non-repudiation requirements.

Frage 44

Frage
The requirements that assure reliability and prevent alterations are to be identified in which section of the software requirements specifications (SRS) documentation?
Antworten
  • Confidentiality.
  • Integrity.
  • Availability.
  • Accountability

Frage 45

Frage
Which of the following is a covert mechanism that assures confidentiality?
Antworten
  • Encryption.
  • Steganography.
  • Hashing.
  • Masking.

Frage 46

Frage
As a means to assure confidentiality of copyright information, the security analyst identifies the requirement to embed information insider another digital audio, video or image signal. This is commonly referred to as
Antworten
  • Encryption.
  • Hashing.
  • Licensing
  • Watermarking.

Frage 47

Frage
Checksum validation can be used to satisfy which of the following requirements?
Antworten
  • Confidentiality.
  • Integrity.
  • Availability
  • Authentication.

Frage 48

Frage
A Requirements Traceability Matrix (RTM) that includes security requirements can be used for all of the following EXCEPT
Antworten
  • Ensure scope creep does not occur
  • Validate and communicate user requirements
  • Determine resource allocations
  • Identifying privileged code sections

Frage 49

Frage
Domain 3 During which phase of the software development lifecycle (SDLC) is threat modeling initiated?
Antworten
  • Requirements analysis
  • Design
  • Implementation
  • Deployment

Frage 50

Frage
Certificate Authority, Registration Authority, and Certificate Revocation Lists are all part of which of the following?
Antworten
  • Advanced Encryption Standard (AES)
  • Steganography
  • Public Key Infrastructure (PKI)
  • Lightweight Directory Access Protocol (LDAP)

Frage 51

Frage
The use of digital signatures has the benefit of providing which of the following that is not provided by symmetric key cryptographic design?
Antworten
  • Speed of cryptographic operations
  • Confidentiality assurance
  • Key exchange
  • Non-repudiation

Frage 52

Frage
When passwords are stored in the database, the best defense against disclosure attacks can be accomplished using
Antworten
  • encryption.
  • masking.
  • hashing.
  • obfuscation.

Frage 53

Frage
Nicole is part of the ‘author’ role as well as she is included in the ‘approver’ role, allowing her to approve her own articles before it is posted on the company blog site. This violates the principle of
Antworten
  • least privilege.
  • least common mechanisms.
  • economy of mechanisms.
  • separation of duties

Frage 54

Frage
The primary reason for designing Single Sign On (SSO) capabilities is to
Antworten
  • increase the security of authentication mechanisms
  • simplify user authentication.
  • have the ability to check each access request
  • allow for interoperability between wireless and wired networks.

Frage 55

Frage
Database triggers are PRIMARILY useful for providing which of the following detective software assurance capability?
Antworten
  • Availability
  • Authorization.
  • Auditing.
  • Archiving

Frage 56

Frage
During a threat modeling exercise, the software architecture is reviewed to identify
Antworten
  • attackers.
  • business impact.
  • critical assets
  • entry points.

Frage 57

Frage
A Man-in-the-Middle (MITM) attack is PRIMARILY an expression of which type of the following threats?
Antworten
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure

Frage 58

Frage
IPSec technology which helps in the secure transmission of information operates in which layer of the Open Systems Interconnect (OSI) model?
Antworten
  • Transport.
  • Network
  • Session.
  • Application.

Frage 59

Frage
When internal business functionality is abstracted into service oriented contract based interfaces, it is PRIMARILY used to provide for
Antworten
  • interoperability.
  • authentication.
  • authorization.
  • installation ease.

Frage 60

Frage
At which layer of the Open Systems Interconnect (OSI) model must security controls be designed to effectively mitigate side channel attacks?
Antworten
  • Transport
  • Network
  • Data link
  • Physical

Frage 61

Frage
Which of the following software architectures is effective in distributing the load between the client and the server, but since it includes the client to be part of the threat vectors it increases the attack surface?
Antworten
  • Software as a Service (SaaS).
  • Service Oriented Architecture (SOA).
  • Rich Internet Application (RIA).
  • Distributed Network Architecture (DNA).

Frage 62

Frage
When designing software to work in a mobile computing environment, the Trusted Platform Module (TPM) chip can be used to provide which of the following types of information?
Antworten
  • Authorization.
  • Identification.
  • Archiving
  • Auditing.

Frage 63

Frage
When two or more trivial pieces of information are brought together with the aim of gleaning sensitive information, it is referred to as what type of attack?
Antworten
  • Injection.
  • Inference.
  • Phishing.
  • Polyinstantiation.

Frage 64

Frage
The inner workings and internal structure of backend databases can be protected from disclosure using
Antworten
  • triggers.
  • normalization.
  • views.
  • encryption

Frage 65

Frage
Choose the BEST answer. Configurable settings for logging exceptions, auditing and credential management must be part of
Antworten
  • database views.
  • security management interfaces.
  • global files.
  • exception handling.

Frage 66

Frage
The token that is PRIMARILY used for authentication purposes in a Single Sign (SSO) implementation between two different companies is
Antworten
  • Kerberos
  • Security Assert Markup Language (SAML)
  • Liberty alliance ID-FF
  • One Time password (OTP)

Frage 67

Frage
Syslog implementations require which additional security protection mechanisms to mitigate disclosure attacks?
Antworten
  • Unique session identifier generation and exchange.
  • Transport Layer Security.
  • Digital Rights Management (DRM)
  • Data Loss Prevention,

Frage 68

Frage
Rights and privileges for a file can be granularly granted to each client using which of the following technologies
Antworten
  • Data Loss Prevention (DLP).
  • Software as a Service (SaaS)
  • Flow control
  • Digital Rights Management (DRM)

Frage 69

Frage
Which of the following is known to circumvent the ring protection mechanisms in operating systems?
Antworten
  • Cross Site Request Forgery (CSRF)
  • Coolboot
  • SQL Injection
  • Rootkit

Frage 70

Frage
When the software is designed using Representational State Transfer (REST) architecture, it promotes which of the following good programming practices?
Antworten
  • High Cohesion
  • Low Cohesion
  • Tight Coupling
  • Loose Coupling

Frage 71

Frage
. Which of the following components of the Java architecture is primarily responsible to ensure type consistency, safety and assure that there are no malicious instructions in the code?
Antworten
  • Garbage collector
  • Class Loader
  • Bytecode Verfier
  • Java Security Manager

Frage 72

Frage
The primary security concern when implementing cloud applications is related to
Antworten
  • Insecure APIs
  • Data leakage and/or loss
  • Abuse of computing resources
  • Unauthorized access

Frage 73

Frage
The predominant form of malware that infects mobile apps is
Antworten
  • Virus
  • Ransomware
  • Worm
  • Spyware

Frage 74

Frage
Most Supervisory Control And Data Acquisition (SCADA) systems are susceptible to software attacks because
Antworten
  • they were not initially implemented with security in mind
  • the skills of a hacker has increased significantly
  • the data that they collect are of top secret classification
  • the firewalls that are installed in front of these devices have been breached.

Frage 75

Frage
Domain 4 Software developers writes software programs PRIMARILY to
Antworten
  • create new products
  • capture market share
  • solve business problems
  • mitigate hacker threats

Frage 76

Frage
The process of combining necessary functions, variables and dependency files and libraries required for the machine to run the program is referred to as
Antworten
  • compilation
  • interpretation
  • linking
  • instantiation

Frage 77

Frage
Which of the following is an important consideration to manage memory and mitigate overflow attacks when choosing a programming language?
Antworten
  • Locality of reference
  • Type safety
  • Cyclomatic complexity
  • Parametric polymorphism

Frage 78

Frage
Assembly and machine language are examples of
Antworten
  • natural language
  • very high-level language (VHLL)
  • high-level language (HLL)
  • low-level language

Frage 79

Frage
Using multifactor authentication is effective in mitigating which of the following application security risks?
Antworten
  • Injection flaws
  • Cross-Site Scripting (XSS)
  • Buffer overflow
  • Man-in-the-Middle (MITM)

Frage 80

Frage
Impersonation attacks such as Man-in-the-Middle (MITM) attacks in an Internet application can be BEST mitigated using proper
Antworten
  • Configuration Management.
  • Session Management.
  • Patch Management.
  • Exception Management.

Frage 81

Frage
Implementing Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) protection is a means of defending against
Antworten
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • . Insecure cryptographic storage

Frage 82

Frage
The findings of a code review indicate that cryptographic operations in code use the Rijndael cipher, which is the original publication of which of the following algorithms?
Antworten
  • Skipjack
  • Data Encryption Standard (DES)
  • Triple Data Encryption Standard (3DES)
  • Advanced Encryption Standard (AES)

Frage 83

Frage
Which of the following transport layer technologies can BEST mitigate session hijacking and replay attacks in a local area network (LAN)?
Antworten
  • Data Loss Prevention (DLP)
  • Internet Protocol Security (IPSec)
  • Secure Sockets Layer (SSL)
  • Digital Rights Management (DRM)

Frage 84

Frage
Verbose error messages and unhandled exceptions can result in which of the following software security threats?
Antworten
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure

Frage 85

Frage
Code signing can provide all of the following EXCEPT
Antworten
  • Anti-tampering protection
  • Authenticity of code origin
  • Runtime permissions for code
  • Authentication of users

Frage 86

Frage
When an attacker uses delayed error messages between successful and unsuccessful query probes, he is using which of the following side channel techniques to detect injection vulnerabilities?
Antworten
  • Distant observation
  • Cold boot
  • Power analysis
  • Timing

Frage 87

Frage
When the code is not allowed to access memory at arbitrary locations that is out of range of the memory address space that belong to the object’s publicly exposed fields, it is referred to as which of the following types of code?
Antworten
  • Object code
  • Type safe code
  • Obfuscated code
  • Source code

Frage 88

Frage
When the runtime permissions of the code are defined as security attributes in the metadata of the code, it is referred to as
Antworten
  • imperative syntax security
  • declarative syntax security
  • code signing
  • code obfuscation

Frage 89

Frage
When an all-or-nothing approach to code access security is not possible and business rules and permissions need to be set and managed more granularly inline code functions and modules, a programmer can leverage which of the following?
Antworten
  • Cryptographic agility
  • Parametric polymorphism
  • Declarative security
  • Imperative security

Frage 90

Frage
An understanding of which of the following programming concepts is necessary to protect against memory manipulation buffer overflow attacks? Choose the BEST answer.
Antworten
  • Error handling
  • Exception management
  • Locality of reference
  • Generics

Frage 91

Frage
Exploit code attempt to take control of dangling pointers which
Antworten
  • are references to memory locations of destroyed objects.
  • is the non-functional code that that is left behind in the source.
  • is the payload code that the attacker uploads into memory to execute.
  • are references in memory locations that are used prior to being initialized.

Frage 92

Frage
Which of the following is a feature of most recent operating systems (OS) that makes it difficult for an attacker to guess the memory address of the program as it makes the memory address different each time the program is executed?
Antworten
  • Data Execution Prevention (DEP)
  • Executable Space Protection (ESP)
  • Address Space Layout Randomization (ASLR)
  • Safe Security Exception Handler (/SAFESEH)

Frage 93

Frage
When the source code is made obscure using special programs in order to make the readability of the code difficult when disclosed, the code is also known as
Antworten
  • object code
  • obfuscated code.
  • encrypted code.
  • hashed code.

Frage 94

Frage
The ability to track ownership, changes in code and rollback abilities is possible because of which of the following configuration management processes?
Antworten
  • Version control
  • Patching
  • Audit logging
  • Change control

Frage 95

Frage
The MAIN benefit of statically analyzing code is that
Antworten
  • runtime behavior of code can be analyzed.
  • business logic flaws are more easily detectable.
  • the analysis is performed in a production or production-like environment
  • errors and vulnerabilities can be detected earlier in the life cycle.

Frage 96

Frage
Cryptographic protection includes all of the following EXCEPT
Antworten
  • encryption of data when it is processed.
  • hashing of data when it is stored.
  • hiding of data within other media objects when it is transmitted.
  • masking of data when it is displayed.

Frage 97

Frage
Replacing the Primary Account Number (PAN) with random or pseudo-random symbols that are uniquely identifiable and still assuring privacy is also known as
Antworten
  • Fuzzing
  • Tokenization
  • Encoding
  • Canonicalization

Frage 98

Frage
Which of the following is an implementation of the principle of least privilege?
Antworten
  • Sandboxing
  • Tokenization
  • Versioning
  • . Concurrency

Frage 99

Frage
Domain 5 The ability of the software to restore itself to expected functionality when the security protection that is built in is breached is also known as
Antworten
  • redundancy.
  • recoverability.
  • resiliency.
  • reliability.

Frage 100

Frage
In which of the following software development methodologies does unit testing enable collective code ownership and is critical to assure software assurance?
Antworten
  • Waterfall
  • Agile
  • Spiral
  • Prototyping

Frage 101

Frage
Which of the secure design principles is promoted when test harnesses are used?
Antworten
  • Least privilege
  • Separation of duties
  • Leveraging existing components
  • Psychological acceptability

Frage 102

Frage
The use of IF-THEN rules is characteristic of which of the following types of software testing?
Antworten
  • Logic
  • Scalability
  • Integration
  • Unit

Frage 103

Frage
The implementation of secure features such as complete mediation and data replication needs to undergo which of the following types of test to ensure that the software meets the service level agreements (SLA)?
Antworten
  • Stress
  • Unit
  • Integration
  • Regression

Frage 104

Frage
Tests that are conducted to determine the breaking point of the software after which the software will no longer be functional is characteristic of which of the following types of software testing?
Antworten
  • Regression
  • Stress
  • Integration
  • Simulation

Frage 105

Frage
Which of the following tools or techniques can be used to facilitate the white box testing of software for insider threats?
Antworten
  • Source code analyzers
  • Fuzzers
  • Banner grabbing software
  • Scanners

Frage 106

Frage
When very limited or no knowledge of the software is made known to the software tester before she can test for its resiliency, it is characteristic of which of the following types of security tests?
Antworten
  • White box
  • Black box
  • Clear box
  • Glass box

Frage 107

Frage
Penetration testing must be conducted with properly defined
Antworten
  • rules of engagement.
  • role based access control mechanisms
  • threat models.
  • use cases

Frage 108

Frage
Testing for the randomness of session identifiers and the presence of auditing capabilities provides the software team insight into which of the following security controls?
Antworten
  • Availability
  • Authentication.
  • Non-repudiation.
  • Authorization.

Frage 109

Frage
Disassemblers, debuggers and decompilers can be used by security testers to PRIMARILY determine which of the following types of coding vulnerabilities?
Antworten
  • Injection flaws
  • Lack of reverse engineering protection.
  • Cross-Site Scripting.
  • Broken session management.

Frage 110

Frage
When reporting a software security defect in the software, which of the following also needs to be reported so that variance from intended behavior of the software can be determined?
Antworten
  • Defect identifier
  • Title
  • Expected results
  • Tester name

Frage 111

Frage
An attacker analyzes the response from the web server which indicates that its version is the Microsoft Internet Information Server 6.0 (Microsoft-IIS/6.0), but none of the IIS exploits that the attacker attempts to execute on the web server are successful. Which of the following is the MOST probable security control that is implemented?
Antworten
  • Hashing
  • Cloaking
  • Masking
  • Watermarking

Frage 112

Frage
Smart fuzzing is characterized by injecting
Antworten
  • truly random data without any consideration for the data structure.
  • variations of data structures that are known.
  • data that get interpreted as commands by a backend interpreter
  • scripts that are reflected and executed on the client browser.

Frage 113

Frage
Which of the following is the MOST important to ensure, as part of security testing, when the software is forced to fail x? Choose the BEST answer.
Antworten
  • Normal operational functionality is not restored automatically.
  • Access to all functionality is denied.
  • Confidentiality, integrity and availability are not adversely impacted.
  • End users are adequately trained and self help is made available for the end user to fix the error on their own.

Frage 114

Frage
Timing and synchronization issues such as race conditions and resource deadlocks can be MOST LIKELY identified by which of the following tests? Choose the BEST answer.
Antworten
  • Integration
  • Stress
  • Unit
  • Regression

Frage 115

Frage
The PRIMARY objective of resiliency testing of software is to determine
Antworten
  • the point at which the software will break.
  • if the software can restore itself to normal business operations.
  • the presence and effectiveness of risk mitigation controls.
  • how a blackhat would circumvent access control mechanisms.

Frage 116

Frage
The ability of the software to withstand attempts of attackers who intend to breach the security protection that is built in is also known as
Antworten
  • redundancy.
  • recoverability.
  • resiliency.
  • reliability.

Frage 117

Frage
Drivers and stub based programming are useful to conduct which of the following tests?
Antworten
  • Integration
  • Regression
  • Unit
  • Penetration

Frage 118

Frage
Assurance that the software meets the expectations of the business as defined in the service level agreements (SLAs) can be demonstrated by which of the following types of tests?
Antworten
  • Unit
  • Integration
  • Performance
  • Regression

Frage 119

Frage
Vulnerability scans are used to
Antworten
  • measure the resiliency of the software by attempting to exploit weaknesses.
  • detect the presence of loopholes and weaknesses in the software.
  • detect the effectiveness of security controls that are implemented in the software.
  • measure the skills and technical know-how of the security tester.

Frage 120

Frage
In the context of test data management, when a transaction which serves no business purpose is tested, it is referred to as what kind of transaction?
Antworten
  • Non-synthetic
  • Synthetic
  • Useless
  • Discontinuous

Frage 121

Frage
As part of the test data management strategy, when a criteria is applied to export selective information from a production system to the test environment, it is also referred to as
Antworten
  • Subletting
  • Filtering
  • Validation
  • Subsetting

Frage 122

Frage
Domain 6 Your organization has the policy to attest the security of any software that will be deployed into the production environment. A third party vendor software is being evaluated for its readiness to be deployed. Which of the following verification and validation mechanism can be employed to attest the security of the vendor’s software?
Antworten
  • Source code review
  • Threat modeling the software
  • Black box testing
  • Structural analysis

Frage 123

Frage
To meet the goals of software assurance, when accepting software, the acquisition phase MUST include processes to
Antworten
  • verify that installation guides and training manuals are provided.
  • assess the presence and effectiveness of protection mechanisms.
  • validate vendor’s software products.
  • assist the vendor in responding to the request for proposals.

Frage 124

Frage
The process of evaluating software to determine whether the products of a given development phase satisfies the conditions imposed at the start of the phase is referred to as
Antworten
  • verification
  • validation
  • authentication
  • authorization

Frage 125

Frage
When verification activities are used to determine if the software is functioning as it is expected to, it provides insight into which of the following aspects of software assurance?
Antworten
  • Redundancy
  • Reliability
  • Resiliency
  • Recoverability

Frage 126

Frage
When procuring software the purchasing company can request the evaluation assurance levels (EALs) of the software product which is determined using which of the following evaluation methodologies?
Antworten
  • Operationally Critical Assets Threats and Vulnerability Evaluation® (OCTAVE)
  • Security Quality Requirements Engineering (SQUARE)
  • Common Criteria
  • Comprehensive, Lightweight Application Security Process (CLASP)

Frage 127

Frage
The FINAL activity in the software acceptance process is the go/no go decision that can be determined using
Antworten
  • regression testing.
  • integration testing.
  • unit testing.
  • user acceptance testing.

Frage 128

Frage
Management’s formal acceptance of the system after an understanding of the residual risks to that system in the computing environment is also referred to as
Antworten
  • patching.
  • hardening.
  • certification.
  • accreditation.

Frage 129

Frage
You determine that a legacy software running in your computing environment is susceptible to Cross Site Request Forgery (CSRF) attacks because of the way it manages sessions. The business has the need to continue use of this software but you do not have the source code available to implement security controls in code as a mitigation measure against CSRF attacks. What is the BEST course of action to undertake in such a situation?
Antworten
  • Avoid the risk by forcing the business to discontinue use of the software.
  • Accept the risk with a documented exception.
  • Transfer the risk by buying insurance.
  • Ignore the risk since it is legacy software

Frage 130

Frage
As part of the accreditation process, the residual risk of a software evaluated for deployment must be accepted formally by the
Antworten
  • board members and executive management
  • business owner.
  • information technology (IT) management
  • security organization

Frage 131

Frage
Domain 7 When software that worked without any issues in the test environments fails to work in the production environment, it is indicative of
Antworten
  • inadequate integration testing
  • incompatible environment configurations.
  • incomplete threat modeling.
  • ignored code review

Frage 132

Frage
Which of the following is not characteristic of good security metrics?
Antworten
  • Quantitatively expressed
  • Objectively expressed
  • Contextually relevant
  • Collected manually

Frage 133

Frage
Removal of maintenance hooks, debugging code and flags, and unneeded documentation before deployment are all examples of software
Antworten
  • hardening
  • patching.
  • reversing.
  • obfuscation.

Frage 134

Frage
Which of the following has the goal of ensuring that the resiliency levels of software is always above the acceptable risk threshold as defined by the business post deployment?
Antworten
  • Threat modeling.
  • Code review.
  • Continuous monitoring.
  • Regression testing.

Frage 135

Frage
Logging application events such as failed login attempts, sales price updates and user roles configuration for audit review at a later time is an example of which of the following type of security control?
Antworten
  • Preventive
  • Corrective
  • Compensating
  • Detective

Frage 136

Frage
When a compensating control is to be used, the Payment Card Industry Data Security Standard (PCI DSS) prescribes that the compensating control must meet all of the following guidelines EXCEPT
Antworten
  • Meet the intent and rigor of the original requirement.
  • Provide an increased level of defense than the original requirement
  • Be implemented as part of a defense in depth measure.
  • Must commensurate with additional risk imposed by not adhering to the requirement

Frage 137

Frage
Versioning, back-ups, check-in and check-out practices are all important components of
Antworten
  • Patch management
  • Release management
  • Problem management
  • Incident management

Frage 138

Frage
Software that is deployed in a high trust environment such as the environment within the organizational firewall when not continuously monitored is MOST susceptible to which of the following types of security attacks? Choose the BEST answer.
Antworten
  • Distributed Denial of Service (DDoS)
  • Malware
  • Logic Bombs
  • DNS poisoning

Frage 139

Frage
Bastion host systems can be used to continuously monitor the security of the computing environment when it is used in conjunction with intrusion detection systems (IDS) and which other security control?
Antworten
  • Authentication.
  • Authorization.
  • Archiving.
  • Auditing.

Frage 140

Frage
The FIRST step in the incident response process of a reported breach is to
Antworten
  • notify management of the security breach.
  • research the validity of the alert or event further
  • inform potentially affected customers of a potential breach.
  • conduct an independent third party evaluation to investigate the reported breach.

Frage 141

Frage
Which of the following is the BEST recommendation to champion security objectives within the software development organization?
Antworten
  • Informing the developers that they could lose their jobs if their software is breached.
  • Informing management that the organizational software could be hacked.
  • Informing the project team about the recent breach of the competitor’s software.
  • Informing the development team that there should be no injection flaws in the payroll application.

Frage 142

Frage
Which of the following independent process provides insight into the presence and effectiveness of security and privacy controls and is used to determine the organization’s compliance with the regulatory and governance (policy) requirements?
Antworten
  • Penetration testing
  • Audits
  • Threat modeling
  • Code review

Frage 143

Frage
The process of using regular expressions to parse audit logs into information that indicate security incidents is referred to as
Antworten
  • correlation.
  • normalization.
  • collection.
  • visualization.

Frage 144

Frage
The FINAL stage of the incident management process is to
Antworten
  • detection.
  • containment.
  • eradication
  • recovery

Frage 145

Frage
Problem management aims to improve the value of Information Technology to the business because it improves service by
Antworten
  • restoring service to the expectation of the business user
  • determining the alerts and events that need to be continuously monitored.
  • depicting incident information in easy to understand user friendly format.
  • identifying and eliminating the root cause of the problem

Frage 146

Frage
The process of releasing software to fix a recently reported vulnerability without introducing any new features or changing hardware configuration is referred to as
Antworten
  • versioning.
  • hardening.
  • patching.
  • porting.

Frage 147

Frage
Fishbone diagramming is a mechanism that is PRIMARILY used for which of the following processes?
Antworten
  • Threat modeling
  • Requirements analysis.
  • Network deployment.
  • Root cause analysis.

Frage 148

Frage
As a means to assure the availability of the existing software functionality after the application of a patch, the patch need to be tested for
Antworten
  • the proper functioning of new features
  • cryptographic agility
  • backward compatibility.
  • the enabling of previously disabled services

Frage 149

Frage
Which of the following policies needs to be established to securely dispose software and associated data and documents?
Antworten
  • End-of-life.
  • Vulnerability management.
  • Privacy.
  • Data classification.

Frage 150

Frage
Discontinuance of a software with known vulnerabilities with a newer version is an example of risk
Antworten
  • mitigation.
  • transference.
  • acceptance.
  • avoidance.

Frage 151

Frage
Printer ribbons, facsimile transmissions and printed information when not securely disposed are susceptible to disclosure attacks by which of the following threat agents? Choose the BEST answer.
Antworten
  • Malware
  • Dumpster divers
  • Social engineers
  • Script kiddies.

Frage 152

Frage
System resources can be protected from malicious file execution attacks by uploading the user supplied file and running it in which of the following environment?
Antworten
  • Honeypot
  • Sandbox
  • Simulated
  • Production

Frage 153

Frage
As a means to demonstrate the improvement in the security of code that is developed, one must compute the relative attack surface quotient (RASQ)
Antworten
  • at the end of development phase of the project
  • before and after the code is implemented.
  • before and after the software requirements are complete.
  • at the end of the deployment phase of the project.

Frage 154

Frage
Modifications to data directly in the database by developers must be prevented by
Antworten
  • periodically patching database servers
  • implementing source code version control.
  • logging all database access requests.
  • proper change control management.

Frage 155

Frage
Which of the following documents is the BEST source to contain damage and which needs to be referred to and consulted with upon the discovery of a security breach?
Antworten
  • Disaster Recovery Plan.
  • Project Management Plan.
  • Incident Response Plan.
  • Quality Assurance and Testing Plan.

Frage 156

Frage
Domain 8 The increased need for security in the software supply chain is PRIMARILY attributed to
Antworten
  • cessation of development activities within a company
  • increase in the number of foreign trade agreements
  • incidences of malicious code and logic found in acquired software
  • decrease in the trust of consumers on software developed within a company.

Frage 157

Frage
Which phase of the acquisition life cycle involves the issuance of advertisements to source and evaluate suppliers?
Antworten
  • Contracting
  • Planning
  • Development
  • Delivery (Handover

Frage 158

Frage
Predictable execution means that the software demonstrates all the following qualities EXCEPT?
Antworten
  • Authenticity
  • Conformance
  • Authorization
  • Trustworthiness

Frage 159

Frage
Which of the following is a process threat in the software supply chain?
Antworten
  • Counterfeit software
  • Insecure code transfer
  • Subornation
  • Piracy

Frage 160

Frage
In the context of the software supply chain, the principle of persistent protection is also known as
Antworten
  • End-to-end encryption
  • Location agnostic protection
  • Locality of reference
  • Cryptographic agility

Frage 161

Frage
In pre-qualifying a supplier, which of the following must be assessed to ensure that the supplier can provide timely updates and hotfixes when an exploitable vulnerability in their software is reported?
Antworten
  • Foreign ownership and control or influence
  • Security track record
  • Security knowledge of the supplier’ s personnel
  • Compliance with security policies, regulatory and privacy requirements.

Frage 162

Frage
Which of the following can provide insight into the effectiveness and efficiencies of the supply chain processes as it pertains to assuring trust and software security?
Antworten
  • Key Performance Indicators (KPI)
  • Relative Attack Surface Quotient (RASQ)
  • Maximum Tolerable Downtime (MTD)
  • Requirements Traceability Matrix (RTM)

Frage 163

Frage
Which of the following contains the security requirements and the evidence needed to prove that the acquirer requirements are met as expected?
Antworten
  • Software Configuration Management Plan
  • Minimum Security Baseline
  • Service Level Agreements
  • Assurance Plan

Frage 164

Frage
The difference between disclaimer-based protection and contractsbased is that
Antworten
  • Contracts-based protection is mutual.
  • Disclaimer-based protection is mutual
  • Contracts-based protection is done by one-sided notification of terms
  • Disclaimer-based protection is legally binding.

Frage 165

Frage
Software programs, database models and images on a website can be protected using which of the following legal instrument?
Antworten
  • Patents
  • Copyright
  • Trademarks
  • Trade secret

Frage 166

Frage
You find out that employees in your company have been downloading software files and sharing them using peer-to-peer based torrent networks. These software files are not free and need to be purchase from their respective manufacturers. You employee are violating
Antworten
  • Trade secrets
  • Trademarks
  • Patents
  • Copyrights

Frage 167

Frage
Which of the following legal instruments assures the confidentiality of software programs, processing logic, database schema and internal organizational business processes and client lists?
Antworten
  • Standards
  • Non-Disclosure Agreements (NDA)
  • Service Level Agreements (SLA)
  • Trademarks

Frage 168

Frage
When source code of Commercially Off-The-Shelf (COTS) software is escrowed and released under a free software or open source license when the original developer (or supplier) no longer continues to develop that software, that software is referred to as
Antworten
  • Trialware
  • Demoware
  • Ransomware
  • Freeware

Frage 169

Frage
Improper implementation of validity periods using length-of-use checks in code can result in which of the following types of security issues for legitimate users?
Antworten
  • Tampering
  • Denial of Service
  • Authentication bypass
  • Spoofing

Frage 170

Frage
Your organization’s software is published as a trial version without any restricted functionality from the paid version. Which of the following MUST be designed and implemented to ensure that customers who have not purchased the software are limited in the availability of the software?
Antworten
  • Disclaimers
  • Licensing
  • Validity periods
  • Encryption

Frage 171

Frage
When must the supplier inform the acquirer of any applicable export control and foreign trade regulatory requirements in the countries of export and import?
Antworten
  • Before delivery (handover)
  • Before code inspection.
  • After deployment.
  • Before retirement.

Frage 172

Frage
The disadvantage of using open source software from a security standpoint is
Antworten
  • Only the original publisher of the source code can modify the code
  • Open source software is not supported and maintained by mature companies or communities.
  • The attacker can look into the source code to determine its exploitability.
  • Open source software can only be purchased using a piece-meal approach.

Frage 173

Frage
Which of the following is the most important security testing process that validates and verifies the integrity of software code, components and configurations, in a software security chain?
Antworten
  • Threat modeling
  • Fuzzing
  • Penetration testing
  • Code review

Frage 174

Frage
Which of the following is LEAST likely to be detected using a code review process?
Antworten
  • Backdoors
  • Logic Bombs
  • Logic Flaws
  • Trojan horses

Frage 175

Frage
Which of the following security principle is LEAST related to the securing of code repositories?
Antworten
  • Least privilege
  • Access Control
  • Auditing
  • Open Design

Frage 176

Frage
The integrity of build tools and the build environment is necessary to protect against
Antworten
  • spoofing
  • tampering
  • disclosure
  • denial of service

Frage 177

Frage
Which of the following kind of security testing tool detects the presence of vulnerabilities through disassembly and pattern recognition?
Antworten
  • Source code scanners
  • Binary code scanners
  • Byte code scanners
  • Compliance validators

Frage 178

Frage
When software is developed by multiple suppliers, the genuineness of the software can be attested using which of the following processes?
Antworten
  • Code review
  • Code signing
  • Encryption
  • Code scanning

Frage 179

Frage
Which of the following must be controlled during handoff of software from one supplier to the next, so that no unauthorized tampering of the software can be done?
Antworten
  • Chain of custody
  • Separation of privileges
  • System logs
  • Application data

Frage 180

Frage
Which of the following risk management concepts is demonstrated when using code escrows?
Antworten
  • Avoidance
  • Transference
  • Mitigation
  • Acceptance

Frage 181

Frage
Which of the following types of testing is crucial to conduct to determine single points of failure in a System-of-systems (SoS)?
Antworten
  • Unit
  • Integration
  • Regression
  • Logic

Frage 182

Frage
When software is handed from one supplier to the next, the following operational process needs to be in place so that the supplier from whom the software is acquirer can no longer modify the software?
Antworten
  • Runtime integrity assurance
  • Patching
  • Termination Access Control
  • Custom Code Extension Checks
Zusammenfassung anzeigen Zusammenfassung ausblenden

Möchten Sie mit GoConqr kostenlos Ihre eigenen Quiz erstellen? eigenen Mehr erfahren.

ähnlicher Inhalt

Computing Hardware - CPU and Memory
ollietablet123
SFDC App Builder 2
Parker Webb-Mitchell
Data Types
Jacob Sedore
Intake7 BIM L1
Stanley Chia
Software Processes
Nurul Aiman Abdu
Design Patterns
Erica Solum
CCNA Answers – CCNA Exam
Abdul Demir
Abstraction
Shannon Anderson-Rush
Spyware
Sam2
HTTPS explained with Carrier Pigeons
Shannon Anderson-Rush
Data Analytics
anelvr
Bibliothek durchsuchen