Frage 1
Frage
The PRIMARY reason for incorporating security into the software
development life cycle is to protect
Antworten
-
the unauthorized disclosure of information.
-
the corporate brand and reputation
-
against hackers who intend to misuse the software.
-
the developers from releasing software with security defects.
Frage 2
Frage
The resiliency of software to withstand attacks that attempt modify or
alter data in an unauthorized manner is referred to as
Antworten
-
Confidentiality.
-
Integrity.
-
Availability.
-
Authorization.
Frage 3
Frage
The MAIN reason as to why the availability aspects of software must
be part of the organization’s software security initiatives is:
Antworten
-
software issues can cause downtime to the business.
-
developers need to be trained in the business continuity procedures.
-
testing for availability of the software and data is often ignored.
-
hackers like to conduct Denial of Service (DoS) attacks against
the organization.
Frage 4
Frage
Developing the software to monitor its functionality and report when
the software is down and unable to provide the expected service to the
business is a protection to assure which of the following?
Antworten
-
Confidentiality.
-
Integrity.
-
Availability.
-
Authentication.
Frage 5
Frage
When a customer attempts to log into their bank account, the customer
is required to enter a nonce from the token device that was issued to
the customer by the bank. This type of authentication is also known
as which of the following?
Antworten
-
Ownership based authentication.
-
Two factor authentication.
-
Characteristic based authentication.
-
Knowledge based authentication.
Frage 6
Frage
Multi-factor authentication is most closely related to which of the
following security design principles?
Antworten
-
Separation of Duties.
-
Defense in depth.
-
Complete mediation.
-
Open design.
Frage 7
Frage
Audit logs can be used for all of the following EXCEPT
Antworten
-
providing evidentiary information.
-
assuring that the user cannot deny their actions.
-
detecting the actions that were undertaken.
-
preventing a user from performing some unauthorized operations.
Frage 8
Frage
Organizations often pre-determine the acceptable number of user
errors before recording them as security violations. This number is
otherwise known as:
Frage 9
Frage
A security principle that maintains the confidentiality, integrity and
availability of the software and data, besides allowing for rapid recovery
to the state of normal operations, when unexpected events occur is the
security design principle of
Frage 10
Frage
Requiring the end user to accept an ‘AS-IS’ disclaimer clause before
installation of your software is an example of risk
Antworten
-
avoidance.
-
mitigation.
-
transference.
-
acceptance.
Frage 11
Frage
An instrument that is used to communicate and mandate organizational
and management goals and objectives at a high level is a
Antworten
-
standard.
-
policy.
-
baseline.
-
guideline.
Frage 12
Frage
The Systems Security Engineering Capability Maturity Model (SSECMM
®) is an internationally recognized standard that publishes
guidelines to
Antworten
-
provide metrics for measuring the software and its behavior, and
using the software in a specific context of use.
-
evaluate security engineering practices and organizational
management processes.
-
support accreditation and certification bodies that audit and
certify information security management systems.
-
ensure that the claimed identity of personnel are appropriately
verified.
Frage 13
Frage
Which of the following is a framework that can be used to develop
a risk based enterprise security architecture by determining security
requirements after analyzing the business initiatives.
Antworten
-
Capability Maturity Model Integration (CMMI)
-
Sherwood Applied Business Security Architecture (SABSA)
-
Control Objectives for Information and related Technology
(COBIT®)
-
Zachman Framework
Frage 14
Frage
Which of the following is a PRIMARY consideration for the software
publisher when selling Commercially Off the Shelf (COTS) software?
Antworten
-
Service Level Agreements (SLAs).
-
Intellectual Property protection.
-
Cost of customization.
-
Review of the code for backdoors and Trojan horses.
Frage 15
Frage
The Single Loss Expectancy can be determined using which of the
following formula?
Antworten
-
Annualized Rate of Occurrence (ARO) x Exposure Factor
-
Probability x Impact
-
Asset Value x Exposure Factor
-
Annualized Rate of Occurrence (ARO) x Asset Value
Frage 16
Frage
Implementing IPSec to assure the confidentiality of data when it is
transmitted is an example of risk
Antworten
-
avoidance.
-
transference.
-
mitigation.
-
acceptance.
Frage 17
Frage
The Federal Information Processing Standard (FIPS) that prescribe
guidelines for biometric authentication is
Antworten
-
FIPS 140.
-
FIPS 186.
-
FIPS 197.
-
FIPS 201.
Frage 18
Frage
Which of the following is a multi-faceted security standard that is
used to regulate organizations that collects, processes and/or stores
cardholder data as part of their business operations?
Antworten
-
FIPS 201.
-
ISO/IEC 15408.
-
NIST SP 800-64.
-
PCI DSS.
Frage 19
Frage
Which of the following is the current Federal Information Processing
Standard (FIPS) that specifies an approved cryptographic algorithm to
ensure the confidentiality of electronic data?
Antworten
-
Security Requirements for Cryptographic Modules (FIPS 140).
-
Peronal Identity Verification (PIV) of Federal Employees and
Contractors (FIPS 201).
-
Advanced Encryption Standard (FIPS 197).
-
Digital Signature Standard (FIPS 186).
Frage 20
Frage
The organization that publishes the ten most critical web application
security risks (Top Ten) is the
Antworten
-
Computer Emergency Response Team (CERT).
-
Web Application Security Consortium (WASC).
-
Open Web Application Security Project (OWASP).
-
Forums for Incident Response and Security Teams (FIRST)
Frage 21
Frage
The process of removing private information from sensitive data sets is
referred to as
Antworten
-
Sanitization.
-
Degaussing.
-
Anonymization.
-
Formatting.
Frage 22
Frage
(Domain 2)
Which of the following MUST be addressed by software security
requirements? Choose the BEST answer
Antworten
-
Technology used in building the application
-
Goals and objectives of the organization.
-
Software quality requirements
-
External auditor requirements
Frage 23
Frage
Which of the following types of information is exempt from
confidentiality requirements?
Frage 24
Frage
Requirements that are identified to protect against the destruction of
information or the software itself are commonly referred to as
Antworten
-
confidentiality requirements.
-
integrity requirements
-
availability requirements.
-
authentication requirements
Frage 25
Frage
The amount of time by which business operations need to be restored
to service levels as expected by the business when there is a security
breach or disaster is known as
Antworten
-
Maximum Tolerable Downtime (MTD).
-
Mean Time Before Failure (MTBF).
-
Minimum Security Baseline (MSB).
-
Recovery Time Objective (RTO).
Frage 26
Frage
The use of an individual’s physical characteristics such as retinal blood
patterns and fingerprints for validating and verifying the user’s identity
if referred to as
Frage 27
Frage
Which of the following policies is MOST likely to include the
following requirement? “All software processing financial transactions
need to use more than one factor to verify the identity of the entity
requesting access””
Antworten
-
Authorization
-
Authentication.
-
Auditing
-
Availability
Frage 28
Frage
A means of restricting access to objects based on the identity of subjects
and/or groups to which they belong, as mandated by the requested
resource owner is the definition of
Antworten
-
Non-discretionary Access Control (NDAC).
-
Discretionary Access Control (DAC).
-
Mandatory Access Control (MAC).
-
Role based Access Control.
Frage 29
Frage
Requirements which when implemented can help to build a history of
events that occurred in the software are known as
Antworten
-
authentication requirements.
-
archiving requirements.
-
accountability requirements.
-
authorization requirements.
Frage 30
Frage
Which of the following is the PRIMARY reason for an application to
be susceptible to a Man-in-the-Middle (MITM) attack?
Frage 31
Frage
The process of eliciting concrete software security requirements from
high level regulatory and organizational directives and mandates in
the requirements phase of the SDLC is also known as
Antworten
-
threat modeling.
-
policy decomposition.
-
subject-object modeling
-
misuse case generation.
Frage 32
Frage
The FIRST step in the Protection Needs Elicitation (PNE) process is
to
Antworten
-
engage the customer
-
model information management
-
identify least privilege applications
-
conduct threat modeling and analysis
Frage 33
Frage
A Requirements Traceability Matrix (RTM) that includes security
requirements can be used for all of the following except
Antworten
-
ensuring scope creep does not occur
-
validating and communicating user requirements
-
determining resource allocations
-
identifying privileged code sections
Frage 34
Frage
Parity bit checking mechanisms can be used for all of the following
except
Antworten
-
Error detection
-
Message corruption.
-
Integrity assurance
-
Input validation
Frage 35
Frage
Which of the following is an activity that can be performed to clarify
requirements with the business users using diagrams that model the
expected behavior of the software?
Antworten
-
Threat modeling
-
Use case modeling
-
Misuse case modeling
-
Data modeling
Frage 36
Frage
Which of the following is LEAST LIKELY to be identified by misuse
case modeling?
Antworten
-
Race conditions
-
Mis-actors
-
Attacker’s perspective
-
Negative requirements
Frage 37
Frage
Data classification is a core activity that is conducted as part of which
of the following?
Frage 38
Frage
Web farm data corruption issues and card holder data encryption
requirements need to be captured as part of which of the following
requirements?
Antworten
-
Integrity.
-
Environment.
-
International.
-
Procurement.
Frage 39
Frage
When software is purchased from a third party instead of being built
in-house, it is imperative to have contractual protection in place and
have the software requirements explicitly specified in which of the
following?
Frage 40
Frage
When software is able to withstand attacks from a threat agent and
not violate the security policy it is said to be exhibiting which of the
following attributes of software assurance?
Antworten
-
Reliability
-
Resiliency.
-
Recoverability
-
Redundancy.
Frage 41
Frage
Infinite loops and improper memory calls are often known to cause
threats to which of the following?
Antworten
-
Availability.
-
Authentication.
-
Authorization.
-
Accountability.
Frage 42
Frage
Which of the following is used to communicate and enforce availability
requirements of the business or client?
Frage 43
Frage
Software security requirements that are identified to protect against
disclosure of data to unauthorized users is otherwise known as
Antworten
-
integrity requirements
-
authorization requirements
-
confidentiality requirements.
-
non-repudiation requirements.
Frage 44
Frage
The requirements that assure reliability and prevent alterations are to be
identified in which section of the software requirements specifications
(SRS) documentation?
Antworten
-
Confidentiality.
-
Integrity.
-
Availability.
-
Accountability
Frage 45
Frage
Which of the following is a covert mechanism that assures
confidentiality?
Antworten
-
Encryption.
-
Steganography.
-
Hashing.
-
Masking.
Frage 46
Frage
As a means to assure confidentiality of copyright information, the
security analyst identifies the requirement to embed information
insider another digital audio, video or image signal. This is commonly
referred to as
Antworten
-
Encryption.
-
Hashing.
-
Licensing
-
Watermarking.
Frage 47
Frage
Checksum validation can be used to satisfy which of the following
requirements?
Antworten
-
Confidentiality.
-
Integrity.
-
Availability
-
Authentication.
Frage 48
Frage
A Requirements Traceability Matrix (RTM) that includes security
requirements can be used for all of the following EXCEPT
Antworten
-
Ensure scope creep does not occur
-
Validate and communicate user requirements
-
Determine resource allocations
-
Identifying privileged code sections
Frage 49
Frage
Domain 3
During which phase of the software development lifecycle (SDLC) is
threat modeling initiated?
Antworten
-
Requirements analysis
-
Design
-
Implementation
-
Deployment
Frage 50
Frage
Certificate Authority, Registration Authority, and Certificate
Revocation Lists are all part of which of the following?
Antworten
-
Advanced Encryption Standard (AES)
-
Steganography
-
Public Key Infrastructure (PKI)
-
Lightweight Directory Access Protocol (LDAP)
Frage 51
Frage
The use of digital signatures has the benefit of providing which of the
following that is not provided by symmetric key cryptographic design?
Frage 52
Frage
When passwords are stored in the database, the best defense against
disclosure attacks can be accomplished using
Antworten
-
encryption.
-
masking.
-
hashing.
-
obfuscation.
Frage 53
Frage
Nicole is part of the ‘author’ role as well as she is included in the
‘approver’ role, allowing her to approve her own articles before it is
posted on the company blog site. This violates the principle of
Antworten
-
least privilege.
-
least common mechanisms.
-
economy of mechanisms.
-
separation of duties
Frage 54
Frage
The primary reason for designing Single Sign On (SSO) capabilities is
to
Antworten
-
increase the security of authentication mechanisms
-
simplify user authentication.
-
have the ability to check each access request
-
allow for interoperability between wireless and wired networks.
Frage 55
Frage
Database triggers are PRIMARILY useful for providing which of the
following detective software assurance capability?
Antworten
-
Availability
-
Authorization.
-
Auditing.
-
Archiving
Frage 56
Frage
During a threat modeling exercise, the software architecture is reviewed
to identify
Antworten
-
attackers.
-
business impact.
-
critical assets
-
entry points.
Frage 57
Frage
A Man-in-the-Middle (MITM) attack is PRIMARILY an expression
of which type of the following threats?
Antworten
-
Spoofing
-
Tampering
-
Repudiation
-
Information disclosure
Frage 58
Frage
IPSec technology which helps in the secure transmission of information
operates in which layer of the Open Systems Interconnect (OSI) model?
Antworten
-
Transport.
-
Network
-
Session.
-
Application.
Frage 59
Frage
When internal business functionality is abstracted into service oriented
contract based interfaces, it is PRIMARILY used to provide for
Antworten
-
interoperability.
-
authentication.
-
authorization.
-
installation ease.
Frage 60
Frage
At which layer of the Open Systems Interconnect (OSI) model must
security controls be designed to effectively mitigate side channel attacks?
Antworten
-
Transport
-
Network
-
Data link
-
Physical
Frage 61
Frage
Which of the following software architectures is effective in distributing
the load between the client and the server, but since it includes the
client to be part of the threat vectors it increases the attack surface?
Antworten
-
Software as a Service (SaaS).
-
Service Oriented Architecture (SOA).
-
Rich Internet Application (RIA).
-
Distributed Network Architecture (DNA).
Frage 62
Frage
When designing software to work in a mobile computing environment,
the Trusted Platform Module (TPM) chip can be used to provide
which of the following types of information?
Antworten
-
Authorization.
-
Identification.
-
Archiving
-
Auditing.
Frage 63
Frage
When two or more trivial pieces of information are brought together
with the aim of gleaning sensitive information, it is referred to as what
type of attack?
Antworten
-
Injection.
-
Inference.
-
Phishing.
-
Polyinstantiation.
Frage 64
Frage
The inner workings and internal structure of backend databases can be
protected from disclosure using
Antworten
-
triggers.
-
normalization.
-
views.
-
encryption
Frage 65
Frage
Choose the BEST answer. Configurable settings for logging exceptions,
auditing and credential management must be part of
Frage 66
Frage
The token that is PRIMARILY used for authentication purposes in a
Single Sign (SSO) implementation between two different companies is
Frage 67
Frage
Syslog implementations require which additional security protection
mechanisms to mitigate disclosure attacks?
Antworten
-
Unique session identifier generation and exchange.
-
Transport Layer Security.
-
Digital Rights Management (DRM)
-
Data Loss Prevention,
Frage 68
Frage
Rights and privileges for a file can be granularly granted to each client
using which of the following technologies
Antworten
-
Data Loss Prevention (DLP).
-
Software as a Service (SaaS)
-
Flow control
-
Digital Rights Management (DRM)
Frage 69
Frage
Which of the following is known to circumvent the ring protection
mechanisms in operating systems?
Frage 70
Frage
When the software is designed using Representational State Transfer
(REST) architecture, it promotes which of the following good
programming practices?
Antworten
-
High Cohesion
-
Low Cohesion
-
Tight Coupling
-
Loose Coupling
Frage 71
Frage
. Which of the following components of the Java architecture is primarily
responsible to ensure type consistency, safety and assure that there are
no malicious instructions in the code?
Antworten
-
Garbage collector
-
Class Loader
-
Bytecode Verfier
-
Java Security Manager
Frage 72
Frage
The primary security concern when implementing cloud applications
is related to
Frage 73
Frage
The predominant form of malware that infects mobile apps is
Antworten
-
Virus
-
Ransomware
-
Worm
-
Spyware
Frage 74
Frage
Most Supervisory Control And Data Acquisition (SCADA) systems
are susceptible to software attacks because
Antworten
-
they were not initially implemented with security in mind
-
the skills of a hacker has increased significantly
-
the data that they collect are of top secret classification
-
the firewalls that are installed in front of these devices have been
breached.
Frage 75
Frage
Domain 4
Software developers writes software programs PRIMARILY to
Antworten
-
create new products
-
capture market share
-
solve business problems
-
mitigate hacker threats
Frage 76
Frage
The process of combining necessary functions, variables and
dependency files and libraries required for the machine to run the
program is referred to as
Antworten
-
compilation
-
interpretation
-
linking
-
instantiation
Frage 77
Frage
Which of the following is an important consideration to manage
memory and mitigate overflow attacks when choosing a programming
language?
Antworten
-
Locality of reference
-
Type safety
-
Cyclomatic complexity
-
Parametric polymorphism
Frage 78
Frage
Assembly and machine language are examples of
Frage 79
Frage
Using multifactor authentication is effective in mitigating which of the
following application security risks?
Frage 80
Frage
Impersonation attacks such as Man-in-the-Middle (MITM) attacks in
an Internet application can be BEST mitigated using proper
Frage 81
Frage
Implementing Completely Automated Public Turing test to tell
Computers and Humans Apart (CAPTCHA) protection is a means
of defending against
Antworten
-
SQL Injection
-
Cross-Site Scripting (XSS)
-
Cross-Site Request Forgery (CSRF)
-
. Insecure cryptographic storage
Frage 82
Frage
The findings of a code review indicate that cryptographic operations
in code use the Rijndael cipher, which is the original publication of
which of the following algorithms?
Antworten
-
Skipjack
-
Data Encryption Standard (DES)
-
Triple Data Encryption Standard (3DES)
-
Advanced Encryption Standard (AES)
Frage 83
Frage
Which of the following transport layer technologies can BEST mitigate
session hijacking and replay attacks in a local area network (LAN)?
Antworten
-
Data Loss Prevention (DLP)
-
Internet Protocol Security (IPSec)
-
Secure Sockets Layer (SSL)
-
Digital Rights Management (DRM)
Frage 84
Frage
Verbose error messages and unhandled exceptions can result in which
of the following software security threats?
Antworten
-
Spoofing
-
Tampering
-
Repudiation
-
Information disclosure
Frage 85
Frage
Code signing can provide all of the following EXCEPT
Antworten
-
Anti-tampering protection
-
Authenticity of code origin
-
Runtime permissions for code
-
Authentication of users
Frage 86
Frage
When an attacker uses delayed error messages between successful and
unsuccessful query probes, he is using which of the following side
channel techniques to detect injection vulnerabilities?
Antworten
-
Distant observation
-
Cold boot
-
Power analysis
-
Timing
Frage 87
Frage
When the code is not allowed to access memory at arbitrary locations
that is out of range of the memory address space that belong to the
object’s publicly exposed fields, it is referred to as which of the following
types of code?
Antworten
-
Object code
-
Type safe code
-
Obfuscated code
-
Source code
Frage 88
Frage
When the runtime permissions of the code are defined as security
attributes in the metadata of the code, it is referred to as
Frage 89
Frage
When an all-or-nothing approach to code access security is not possible
and business rules and permissions need to be set and managed more
granularly inline code functions and modules, a programmer can
leverage which of the following?
Antworten
-
Cryptographic agility
-
Parametric polymorphism
-
Declarative security
-
Imperative security
Frage 90
Frage
An understanding of which of the following programming concepts
is necessary to protect against memory manipulation buffer overflow
attacks? Choose the BEST answer.
Antworten
-
Error handling
-
Exception management
-
Locality of reference
-
Generics
Frage 91
Frage
Exploit code attempt to take control of dangling pointers which
Antworten
-
are references to memory locations of destroyed objects.
-
is the non-functional code that that is left behind in the source.
-
is the payload code that the attacker uploads into memory to
execute.
-
are references in memory locations that are used prior to being
initialized.
Frage 92
Frage
Which of the following is a feature of most recent operating systems
(OS) that makes it difficult for an attacker to guess the memory address
of the program as it makes the memory address different each time the
program is executed?
Antworten
-
Data Execution Prevention (DEP)
-
Executable Space Protection (ESP)
-
Address Space Layout Randomization (ASLR)
-
Safe Security Exception Handler (/SAFESEH)
Frage 93
Frage
When the source code is made obscure using special programs in order
to make the readability of the code difficult when disclosed, the code is
also known as
Antworten
-
object code
-
obfuscated code.
-
encrypted code.
-
hashed code.
Frage 94
Frage
The ability to track ownership, changes in code and rollback abilities is
possible because of which of the following configuration management
processes?
Antworten
-
Version control
-
Patching
-
Audit logging
-
Change control
Frage 95
Frage
The MAIN benefit of statically analyzing code is that
Antworten
-
runtime behavior of code can be analyzed.
-
business logic flaws are more easily detectable.
-
the analysis is performed in a production or production-like
environment
-
errors and vulnerabilities can be detected earlier in the life cycle.
Frage 96
Frage
Cryptographic protection includes all of the following EXCEPT
Antworten
-
encryption of data when it is processed.
-
hashing of data when it is stored.
-
hiding of data within other media objects when it is transmitted.
-
masking of data when it is displayed.
Frage 97
Frage
Replacing the Primary Account Number (PAN) with random or
pseudo-random symbols that are uniquely identifiable and still assuring
privacy is also known as
Antworten
-
Fuzzing
-
Tokenization
-
Encoding
-
Canonicalization
Frage 98
Frage
Which of the following is an implementation of the principle of least
privilege?
Antworten
-
Sandboxing
-
Tokenization
-
Versioning
-
. Concurrency
Frage 99
Frage
Domain 5
The ability of the software to restore itself to expected functionality
when the security protection that is built in is breached is also known
as
Antworten
-
redundancy.
-
recoverability.
-
resiliency.
-
reliability.
Frage 100
Frage
In which of the following software development methodologies does
unit testing enable collective code ownership and is critical to assure
software assurance?
Antworten
-
Waterfall
-
Agile
-
Spiral
-
Prototyping
Frage 101
Frage
Which of the secure design principles is promoted when test harnesses
are used?
Frage 102
Frage
The use of IF-THEN rules is characteristic of which of the following
types of software testing?
Antworten
-
Logic
-
Scalability
-
Integration
-
Unit
Frage 103
Frage
The implementation of secure features such as complete mediation and
data replication needs to undergo which of the following types of test
to ensure that the software meets the service level agreements (SLA)?
Antworten
-
Stress
-
Unit
-
Integration
-
Regression
Frage 104
Frage
Tests that are conducted to determine the breaking point of the software
after which the software will no longer be functional is characteristic
of which of the following types of software testing?
Antworten
-
Regression
-
Stress
-
Integration
-
Simulation
Frage 105
Frage
Which of the following tools or techniques can be used to facilitate the
white box testing of software for insider threats?
Antworten
-
Source code analyzers
-
Fuzzers
-
Banner grabbing software
-
Scanners
Frage 106
Frage
When very limited or no knowledge of the software is made known to
the software tester before she can test for its resiliency, it is characteristic
of which of the following types of security tests?
Antworten
-
White box
-
Black box
-
Clear box
-
Glass box
Frage 107
Frage
Penetration testing must be conducted with properly defined
Frage 108
Frage
Testing for the randomness of session identifiers and the presence of
auditing capabilities provides the software team insight into which of
the following security controls?
Antworten
-
Availability
-
Authentication.
-
Non-repudiation.
-
Authorization.
Frage 109
Frage
Disassemblers, debuggers and decompilers can be used by security
testers to PRIMARILY determine which of the following types of
coding vulnerabilities?
Frage 110
Frage
When reporting a software security defect in the software, which of
the following also needs to be reported so that variance from intended
behavior of the software can be determined?
Antworten
-
Defect identifier
-
Title
-
Expected results
-
Tester name
Frage 111
Frage
An attacker analyzes the response from the web server which indicates
that its version is the Microsoft Internet Information Server 6.0
(Microsoft-IIS/6.0), but none of the IIS exploits that the attacker
attempts to execute on the web server are successful. Which of the
following is the MOST probable security control that is implemented?
Antworten
-
Hashing
-
Cloaking
-
Masking
-
Watermarking
Frage 112
Frage
Smart fuzzing is characterized by injecting
Antworten
-
truly random data without any consideration for the data
structure.
-
variations of data structures that are known.
-
data that get interpreted as commands by a backend interpreter
-
scripts that are reflected and executed on the client browser.
Frage 113
Frage
Which of the following is the MOST important to ensure, as part
of security testing, when the software is forced to fail x? Choose the
BEST answer.
Antworten
-
Normal operational functionality is not restored automatically.
-
Access to all functionality is denied.
-
Confidentiality, integrity and availability are not adversely
impacted.
-
End users are adequately trained and self help is made available
for the end user to fix the error on their own.
Frage 114
Frage
Timing and synchronization issues such as race conditions and
resource deadlocks can be MOST LIKELY identified by which of the
following tests? Choose the BEST answer.
Antworten
-
Integration
-
Stress
-
Unit
-
Regression
Frage 115
Frage
The PRIMARY objective of resiliency testing of software is to
determine
Antworten
-
the point at which the software will break.
-
if the software can restore itself to normal business operations.
-
the presence and effectiveness of risk mitigation controls.
-
how a blackhat would circumvent access control mechanisms.
Frage 116
Frage
The ability of the software to withstand attempts of attackers who
intend to breach the security protection that is built in is also known as
Antworten
-
redundancy.
-
recoverability.
-
resiliency.
-
reliability.
Frage 117
Frage
Drivers and stub based programming are useful to conduct which of
the following tests?
Antworten
-
Integration
-
Regression
-
Unit
-
Penetration
Frage 118
Frage
Assurance that the software meets the expectations of the business as
defined in the service level agreements (SLAs) can be demonstrated by
which of the following types of tests?
Antworten
-
Unit
-
Integration
-
Performance
-
Regression
Frage 119
Frage
Vulnerability scans are used to
Antworten
-
measure the resiliency of the software by attempting to exploit
weaknesses.
-
detect the presence of loopholes and weaknesses in the software.
-
detect the effectiveness of security controls that are implemented
in the software.
-
measure the skills and technical know-how of the security tester.
Frage 120
Frage
In the context of test data management, when a transaction which
serves no business purpose is tested, it is referred to as what kind of
transaction?
Antworten
-
Non-synthetic
-
Synthetic
-
Useless
-
Discontinuous
Frage 121
Frage
As part of the test data management strategy, when a criteria is applied
to export selective information from a production system to the test
environment, it is also referred to as
Antworten
-
Subletting
-
Filtering
-
Validation
-
Subsetting
Frage 122
Frage
Domain 6
Your organization has the policy to attest the security of any software
that will be deployed into the production environment. A third party
vendor software is being evaluated for its readiness to be deployed.
Which of the following verification and validation mechanism can be
employed to attest the security of the vendor’s software?
Frage 123
Frage
To meet the goals of software assurance, when accepting software, the
acquisition phase MUST include processes to
Antworten
-
verify that installation guides and training manuals are provided.
-
assess the presence and effectiveness of protection mechanisms.
-
validate vendor’s software products.
-
assist the vendor in responding to the request for proposals.
Frage 124
Frage
The process of evaluating software to determine whether the products
of a given development phase satisfies the conditions imposed at the
start of the phase is referred to as
Antworten
-
verification
-
validation
-
authentication
-
authorization
Frage 125
Frage
When verification activities are used to determine if the software is
functioning as it is expected to, it provides insight into which of the
following aspects of software assurance?
Antworten
-
Redundancy
-
Reliability
-
Resiliency
-
Recoverability
Frage 126
Frage
When procuring software the purchasing company can request the
evaluation assurance levels (EALs) of the software product which is
determined using which of the following evaluation methodologies?
Antworten
-
Operationally Critical Assets Threats and Vulnerability Evaluation®
(OCTAVE)
-
Security Quality Requirements Engineering (SQUARE)
-
Common Criteria
-
Comprehensive, Lightweight Application Security Process
(CLASP)
Frage 127
Frage
The FINAL activity in the software acceptance process is the go/no go
decision that can be determined using
Antworten
-
regression testing.
-
integration testing.
-
unit testing.
-
user acceptance testing.
Frage 128
Frage
Management’s formal acceptance of the system after an understanding
of the residual risks to that system in the computing environment is
also referred to as
Antworten
-
patching.
-
hardening.
-
certification.
-
accreditation.
Frage 129
Frage
You determine that a legacy software running in your computing
environment is susceptible to Cross Site Request Forgery (CSRF)
attacks because of the way it manages sessions. The business has the
need to continue use of this software but you do not have the source
code available to implement security controls in code as a mitigation
measure against CSRF attacks. What is the BEST course of action to
undertake in such a situation?
Antworten
-
Avoid the risk by forcing the business to discontinue use of the
software.
-
Accept the risk with a documented exception.
-
Transfer the risk by buying insurance.
-
Ignore the risk since it is legacy software
Frage 130
Frage
As part of the accreditation process, the residual risk of a software
evaluated for deployment must be accepted formally by the
Frage 131
Frage
Domain 7
When software that worked without any issues in the test environments
fails to work in the production environment, it is indicative of
Antworten
-
inadequate integration testing
-
incompatible environment configurations.
-
incomplete threat modeling.
-
ignored code review
Frage 132
Frage
Which of the following is not characteristic of good security metrics?
Antworten
-
Quantitatively expressed
-
Objectively expressed
-
Contextually relevant
-
Collected manually
Frage 133
Frage
Removal of maintenance hooks, debugging code and flags, and
unneeded documentation before deployment are all examples of
software
Antworten
-
hardening
-
patching.
-
reversing.
-
obfuscation.
Frage 134
Frage
Which of the following has the goal of ensuring that the resiliency
levels of software is always above the acceptable risk threshold as
defined by the business post deployment?
Antworten
-
Threat modeling.
-
Code review.
-
Continuous monitoring.
-
Regression testing.
Frage 135
Frage
Logging application events such as failed login attempts, sales price
updates and user roles configuration for audit review at a later time is
an example of which of the following type of security control?
Antworten
-
Preventive
-
Corrective
-
Compensating
-
Detective
Frage 136
Frage
When a compensating control is to be used, the Payment Card Industry
Data Security Standard (PCI DSS) prescribes that the compensating
control must meet all of the following guidelines EXCEPT
Antworten
-
Meet the intent and rigor of the original requirement.
-
Provide an increased level of defense than the original requirement
-
Be implemented as part of a defense in depth measure.
-
Must commensurate with additional risk imposed by not adhering
to the requirement
Frage 137
Frage
Versioning, back-ups, check-in and check-out practices are all important
components of
Antworten
-
Patch management
-
Release management
-
Problem management
-
Incident management
Frage 138
Frage
Software that is deployed in a high trust environment such as the
environment within the organizational firewall when not continuously
monitored is MOST susceptible to which of the following types of
security attacks? Choose the BEST answer.
Frage 139
Frage
Bastion host systems can be used to continuously monitor the security
of the computing environment when it is used in conjunction with
intrusion detection systems (IDS) and which other security control?
Antworten
-
Authentication.
-
Authorization.
-
Archiving.
-
Auditing.
Frage 140
Frage
The FIRST step in the incident response process of a reported breach
is to
Antworten
-
notify management of the security breach.
-
research the validity of the alert or event further
-
inform potentially affected customers of a potential breach.
-
conduct an independent third party evaluation to investigate the
reported breach.
Frage 141
Frage
Which of the following is the BEST recommendation to champion
security objectives within the software development organization?
Antworten
-
Informing the developers that they could lose their jobs if their
software is breached.
-
Informing management that the organizational software could
be hacked.
-
Informing the project team about the recent breach of the
competitor’s software.
-
Informing the development team that there should be no injection
flaws in the payroll application.
Frage 142
Frage
Which of the following independent process provides insight into the
presence and effectiveness of security and privacy controls and is used
to determine the organization’s compliance with the regulatory and
governance (policy) requirements?
Antworten
-
Penetration testing
-
Audits
-
Threat modeling
-
Code review
Frage 143
Frage
The process of using regular expressions to parse audit logs into
information that indicate security incidents is referred to as
Antworten
-
correlation.
-
normalization.
-
collection.
-
visualization.
Frage 144
Frage
The FINAL stage of the incident management process is to
Antworten
-
detection.
-
containment.
-
eradication
-
recovery
Frage 145
Frage
Problem management aims to improve the value of Information
Technology to the business because it improves service by
Antworten
-
restoring service to the expectation of the business user
-
determining the alerts and events that need to be continuously
monitored.
-
depicting incident information in easy to understand user friendly
format.
-
identifying and eliminating the root cause of the problem
Frage 146
Frage
The process of releasing software to fix a recently reported vulnerability
without introducing any new features or changing hardware
configuration is referred to as
Antworten
-
versioning.
-
hardening.
-
patching.
-
porting.
Frage 147
Frage
Fishbone diagramming is a mechanism that is PRIMARILY used for
which of the following processes?
Antworten
-
Threat modeling
-
Requirements analysis.
-
Network deployment.
-
Root cause analysis.
Frage 148
Frage
As a means to assure the availability of the existing software functionality
after the application of a patch, the patch need to be tested for
Frage 149
Frage
Which of the following policies needs to be established to securely
dispose software and associated data and documents?
Frage 150
Frage
Discontinuance of a software with known vulnerabilities with a newer
version is an example of risk
Antworten
-
mitigation.
-
transference.
-
acceptance.
-
avoidance.
Frage 151
Frage
Printer ribbons, facsimile transmissions and printed information when
not securely disposed are susceptible to disclosure attacks by which of
the following threat agents? Choose the BEST answer.
Antworten
-
Malware
-
Dumpster divers
-
Social engineers
-
Script kiddies.
Frage 152
Frage
System resources can be protected from malicious file execution attacks
by uploading the user supplied file and running it in which of the
following environment?
Antworten
-
Honeypot
-
Sandbox
-
Simulated
-
Production
Frage 153
Frage
As a means to demonstrate the improvement in the security of code
that is developed, one must compute the relative attack surface quotient
(RASQ)
Antworten
-
at the end of development phase of the project
-
before and after the code is implemented.
-
before and after the software requirements are complete.
-
at the end of the deployment phase of the project.
Frage 154
Frage
Modifications to data directly in the database by developers must be
prevented by
Antworten
-
periodically patching database servers
-
implementing source code version control.
-
logging all database access requests.
-
proper change control management.
Frage 155
Frage
Which of the following documents is the BEST source to contain
damage and which needs to be referred to and consulted with upon
the discovery of a security breach?
Frage 156
Frage
Domain 8
The increased need for security in the software supply chain is
PRIMARILY attributed to
Antworten
-
cessation of development activities within a company
-
increase in the number of foreign trade agreements
-
incidences of malicious code and logic found in acquired software
-
decrease in the trust of consumers on software developed within
a company.
Frage 157
Frage
Which phase of the acquisition life cycle involves the issuance of
advertisements to source and evaluate suppliers?
Antworten
-
Contracting
-
Planning
-
Development
-
Delivery (Handover
Frage 158
Frage
Predictable execution means that the software demonstrates all the
following qualities EXCEPT?
Antworten
-
Authenticity
-
Conformance
-
Authorization
-
Trustworthiness
Frage 159
Frage
Which of the following is a process threat in the software supply chain?
Antworten
-
Counterfeit software
-
Insecure code transfer
-
Subornation
-
Piracy
Frage 160
Frage
In the context of the software supply chain, the principle of persistent
protection is also known as
Frage 161
Frage
In pre-qualifying a supplier, which of the following must be assessed to
ensure that the supplier can provide timely updates and hotfixes when
an exploitable vulnerability in their software is reported?
Antworten
-
Foreign ownership and control or influence
-
Security track record
-
Security knowledge of the supplier’ s personnel
-
Compliance with security policies, regulatory and privacy
requirements.
Frage 162
Frage
Which of the following can provide insight into the effectiveness and
efficiencies of the supply chain processes as it pertains to assuring trust
and software security?
Antworten
-
Key Performance Indicators (KPI)
-
Relative Attack Surface Quotient (RASQ)
-
Maximum Tolerable Downtime (MTD)
-
Requirements Traceability Matrix (RTM)
Frage 163
Frage
Which of the following contains the security requirements and the
evidence needed to prove that the acquirer requirements are met as
expected?
Frage 164
Frage
The difference between disclaimer-based protection and contractsbased
is that
Antworten
-
Contracts-based protection is mutual.
-
Disclaimer-based protection is mutual
-
Contracts-based protection is done by one-sided notification of
terms
-
Disclaimer-based protection is legally binding.
Frage 165
Frage
Software programs, database models and images on a website can be
protected using which of the following legal instrument?
Antworten
-
Patents
-
Copyright
-
Trademarks
-
Trade secret
Frage 166
Frage
You find out that employees in your company have been downloading
software files and sharing them using peer-to-peer based torrent
networks. These software files are not free and need to be purchase
from their respective manufacturers. You employee are violating
Antworten
-
Trade secrets
-
Trademarks
-
Patents
-
Copyrights
Frage 167
Frage
Which of the following legal instruments assures the confidentiality
of software programs, processing logic, database schema and internal
organizational business processes and client lists?
Frage 168
Frage
When source code of Commercially Off-The-Shelf (COTS) software
is escrowed and released under a free software or open source license
when the original developer (or supplier) no longer continues to develop
that software, that software is referred to as
Antworten
-
Trialware
-
Demoware
-
Ransomware
-
Freeware
Frage 169
Frage
Improper implementation of validity periods using length-of-use
checks in code can result in which of the following types of security
issues for legitimate users?
Antworten
-
Tampering
-
Denial of Service
-
Authentication bypass
-
Spoofing
Frage 170
Frage
Your organization’s software is published as a trial version without any
restricted functionality from the paid version. Which of the following
MUST be designed and implemented to ensure that customers who
have not purchased the software are limited in the availability of the
software?
Antworten
-
Disclaimers
-
Licensing
-
Validity periods
-
Encryption
Frage 171
Frage
When must the supplier inform the acquirer of any applicable export
control and foreign trade regulatory requirements in the countries of
export and import?
Frage 172
Frage
The disadvantage of using open source software from a security
standpoint is
Antworten
-
Only the original publisher of the source code can modify the
code
-
Open source software is not supported and maintained by mature
companies or communities.
-
The attacker can look into the source code to determine its
exploitability.
-
Open source software can only be purchased using a piece-meal
approach.
Frage 173
Frage
Which of the following is the most important security testing process
that validates and verifies the integrity of software code, components
and configurations, in a software security chain?
Antworten
-
Threat modeling
-
Fuzzing
-
Penetration testing
-
Code review
Frage 174
Frage
Which of the following is LEAST likely to be detected using a code
review process?
Antworten
-
Backdoors
-
Logic Bombs
-
Logic Flaws
-
Trojan horses
Frage 175
Frage
Which of the following security principle is LEAST related to the
securing of code repositories?
Antworten
-
Least privilege
-
Access Control
-
Auditing
-
Open Design
Frage 176
Frage
The integrity of build tools and the build environment is necessary to
protect against
Antworten
-
spoofing
-
tampering
-
disclosure
-
denial of service
Frage 177
Frage
Which of the following kind of security testing tool detects the presence
of vulnerabilities through disassembly and pattern recognition?
Antworten
-
Source code scanners
-
Binary code scanners
-
Byte code scanners
-
Compliance validators
Frage 178
Frage
When software is developed by multiple suppliers, the genuineness of
the software can be attested using which of the following processes?
Antworten
-
Code review
-
Code signing
-
Encryption
-
Code scanning
Frage 179
Frage
Which of the following must be controlled during handoff of software
from one supplier to the next, so that no unauthorized tampering of
the software can be done?
Antworten
-
Chain of custody
-
Separation of privileges
-
System logs
-
Application data
Frage 180
Frage
Which of the following risk management concepts is demonstrated
when using code escrows?
Antworten
-
Avoidance
-
Transference
-
Mitigation
-
Acceptance
Frage 181
Frage
Which of the following types of testing is crucial to conduct to
determine single points of failure in a System-of-systems (SoS)?
Antworten
-
Unit
-
Integration
-
Regression
-
Logic
Frage 182
Frage
When software is handed from one supplier to the next, the following
operational process needs to be in place so that the supplier from whom
the software is acquirer can no longer modify the software?
Antworten
-
Runtime integrity assurance
-
Patching
-
Termination Access Control
-
Custom Code Extension Checks