Pregunta 1
Pregunta
The PRIMARY reason for incorporating security into the software
development life cycle is to protect
Respuesta
-
the unauthorized disclosure of information.
-
the corporate brand and reputation
-
against hackers who intend to misuse the software.
-
the developers from releasing software with security defects.
Pregunta 2
Pregunta
The resiliency of software to withstand attacks that attempt modify or
alter data in an unauthorized manner is referred to as
Respuesta
-
Confidentiality.
-
Integrity.
-
Availability.
-
Authorization.
Pregunta 3
Pregunta
The MAIN reason as to why the availability aspects of software must
be part of the organization’s software security initiatives is:
Respuesta
-
software issues can cause downtime to the business.
-
developers need to be trained in the business continuity procedures.
-
testing for availability of the software and data is often ignored.
-
hackers like to conduct Denial of Service (DoS) attacks against
the organization.
Pregunta 4
Pregunta
Developing the software to monitor its functionality and report when
the software is down and unable to provide the expected service to the
business is a protection to assure which of the following?
Respuesta
-
Confidentiality.
-
Integrity.
-
Availability.
-
Authentication.
Pregunta 5
Pregunta
When a customer attempts to log into their bank account, the customer
is required to enter a nonce from the token device that was issued to
the customer by the bank. This type of authentication is also known
as which of the following?
Respuesta
-
Ownership based authentication.
-
Two factor authentication.
-
Characteristic based authentication.
-
Knowledge based authentication.
Pregunta 6
Pregunta
Multi-factor authentication is most closely related to which of the
following security design principles?
Respuesta
-
Separation of Duties.
-
Defense in depth.
-
Complete mediation.
-
Open design.
Pregunta 7
Pregunta
Audit logs can be used for all of the following EXCEPT
Respuesta
-
providing evidentiary information.
-
assuring that the user cannot deny their actions.
-
detecting the actions that were undertaken.
-
preventing a user from performing some unauthorized operations.
Pregunta 8
Pregunta
Organizations often pre-determine the acceptable number of user
errors before recording them as security violations. This number is
otherwise known as:
Pregunta 9
Pregunta
A security principle that maintains the confidentiality, integrity and
availability of the software and data, besides allowing for rapid recovery
to the state of normal operations, when unexpected events occur is the
security design principle of
Pregunta 10
Pregunta
Requiring the end user to accept an ‘AS-IS’ disclaimer clause before
installation of your software is an example of risk
Respuesta
-
avoidance.
-
mitigation.
-
transference.
-
acceptance.
Pregunta 11
Pregunta
An instrument that is used to communicate and mandate organizational
and management goals and objectives at a high level is a
Respuesta
-
standard.
-
policy.
-
baseline.
-
guideline.
Pregunta 12
Pregunta
The Systems Security Engineering Capability Maturity Model (SSECMM
®) is an internationally recognized standard that publishes
guidelines to
Respuesta
-
provide metrics for measuring the software and its behavior, and
using the software in a specific context of use.
-
evaluate security engineering practices and organizational
management processes.
-
support accreditation and certification bodies that audit and
certify information security management systems.
-
ensure that the claimed identity of personnel are appropriately
verified.
Pregunta 13
Pregunta
Which of the following is a framework that can be used to develop
a risk based enterprise security architecture by determining security
requirements after analyzing the business initiatives.
Respuesta
-
Capability Maturity Model Integration (CMMI)
-
Sherwood Applied Business Security Architecture (SABSA)
-
Control Objectives for Information and related Technology
(COBIT®)
-
Zachman Framework
Pregunta 14
Pregunta
Which of the following is a PRIMARY consideration for the software
publisher when selling Commercially Off the Shelf (COTS) software?
Respuesta
-
Service Level Agreements (SLAs).
-
Intellectual Property protection.
-
Cost of customization.
-
Review of the code for backdoors and Trojan horses.
Pregunta 15
Pregunta
The Single Loss Expectancy can be determined using which of the
following formula?
Respuesta
-
Annualized Rate of Occurrence (ARO) x Exposure Factor
-
Probability x Impact
-
Asset Value x Exposure Factor
-
Annualized Rate of Occurrence (ARO) x Asset Value
Pregunta 16
Pregunta
Implementing IPSec to assure the confidentiality of data when it is
transmitted is an example of risk
Respuesta
-
avoidance.
-
transference.
-
mitigation.
-
acceptance.
Pregunta 17
Pregunta
The Federal Information Processing Standard (FIPS) that prescribe
guidelines for biometric authentication is
Respuesta
-
FIPS 140.
-
FIPS 186.
-
FIPS 197.
-
FIPS 201.
Pregunta 18
Pregunta
Which of the following is a multi-faceted security standard that is
used to regulate organizations that collects, processes and/or stores
cardholder data as part of their business operations?
Respuesta
-
FIPS 201.
-
ISO/IEC 15408.
-
NIST SP 800-64.
-
PCI DSS.
Pregunta 19
Pregunta
Which of the following is the current Federal Information Processing
Standard (FIPS) that specifies an approved cryptographic algorithm to
ensure the confidentiality of electronic data?
Respuesta
-
Security Requirements for Cryptographic Modules (FIPS 140).
-
Peronal Identity Verification (PIV) of Federal Employees and
Contractors (FIPS 201).
-
Advanced Encryption Standard (FIPS 197).
-
Digital Signature Standard (FIPS 186).
Pregunta 20
Pregunta
The organization that publishes the ten most critical web application
security risks (Top Ten) is the
Respuesta
-
Computer Emergency Response Team (CERT).
-
Web Application Security Consortium (WASC).
-
Open Web Application Security Project (OWASP).
-
Forums for Incident Response and Security Teams (FIRST)
Pregunta 21
Pregunta
The process of removing private information from sensitive data sets is
referred to as
Respuesta
-
Sanitization.
-
Degaussing.
-
Anonymization.
-
Formatting.
Pregunta 22
Pregunta
(Domain 2)
Which of the following MUST be addressed by software security
requirements? Choose the BEST answer
Respuesta
-
Technology used in building the application
-
Goals and objectives of the organization.
-
Software quality requirements
-
External auditor requirements
Pregunta 23
Pregunta
Which of the following types of information is exempt from
confidentiality requirements?
Pregunta 24
Pregunta
Requirements that are identified to protect against the destruction of
information or the software itself are commonly referred to as
Respuesta
-
confidentiality requirements.
-
integrity requirements
-
availability requirements.
-
authentication requirements
Pregunta 25
Pregunta
The amount of time by which business operations need to be restored
to service levels as expected by the business when there is a security
breach or disaster is known as
Respuesta
-
Maximum Tolerable Downtime (MTD).
-
Mean Time Before Failure (MTBF).
-
Minimum Security Baseline (MSB).
-
Recovery Time Objective (RTO).
Pregunta 26
Pregunta
The use of an individual’s physical characteristics such as retinal blood
patterns and fingerprints for validating and verifying the user’s identity
if referred to as
Pregunta 27
Pregunta
Which of the following policies is MOST likely to include the
following requirement? “All software processing financial transactions
need to use more than one factor to verify the identity of the entity
requesting access””
Respuesta
-
Authorization
-
Authentication.
-
Auditing
-
Availability
Pregunta 28
Pregunta
A means of restricting access to objects based on the identity of subjects
and/or groups to which they belong, as mandated by the requested
resource owner is the definition of
Respuesta
-
Non-discretionary Access Control (NDAC).
-
Discretionary Access Control (DAC).
-
Mandatory Access Control (MAC).
-
Role based Access Control.
Pregunta 29
Pregunta
Requirements which when implemented can help to build a history of
events that occurred in the software are known as
Respuesta
-
authentication requirements.
-
archiving requirements.
-
accountability requirements.
-
authorization requirements.
Pregunta 30
Pregunta
Which of the following is the PRIMARY reason for an application to
be susceptible to a Man-in-the-Middle (MITM) attack?
Pregunta 31
Pregunta
The process of eliciting concrete software security requirements from
high level regulatory and organizational directives and mandates in
the requirements phase of the SDLC is also known as
Respuesta
-
threat modeling.
-
policy decomposition.
-
subject-object modeling
-
misuse case generation.
Pregunta 32
Pregunta
The FIRST step in the Protection Needs Elicitation (PNE) process is
to
Respuesta
-
engage the customer
-
model information management
-
identify least privilege applications
-
conduct threat modeling and analysis
Pregunta 33
Pregunta
A Requirements Traceability Matrix (RTM) that includes security
requirements can be used for all of the following except
Respuesta
-
ensuring scope creep does not occur
-
validating and communicating user requirements
-
determining resource allocations
-
identifying privileged code sections
Pregunta 34
Pregunta
Parity bit checking mechanisms can be used for all of the following
except
Respuesta
-
Error detection
-
Message corruption.
-
Integrity assurance
-
Input validation
Pregunta 35
Pregunta
Which of the following is an activity that can be performed to clarify
requirements with the business users using diagrams that model the
expected behavior of the software?
Respuesta
-
Threat modeling
-
Use case modeling
-
Misuse case modeling
-
Data modeling
Pregunta 36
Pregunta
Which of the following is LEAST LIKELY to be identified by misuse
case modeling?
Respuesta
-
Race conditions
-
Mis-actors
-
Attacker’s perspective
-
Negative requirements
Pregunta 37
Pregunta
Data classification is a core activity that is conducted as part of which
of the following?
Pregunta 38
Pregunta
Web farm data corruption issues and card holder data encryption
requirements need to be captured as part of which of the following
requirements?
Respuesta
-
Integrity.
-
Environment.
-
International.
-
Procurement.
Pregunta 39
Pregunta
When software is purchased from a third party instead of being built
in-house, it is imperative to have contractual protection in place and
have the software requirements explicitly specified in which of the
following?
Pregunta 40
Pregunta
When software is able to withstand attacks from a threat agent and
not violate the security policy it is said to be exhibiting which of the
following attributes of software assurance?
Respuesta
-
Reliability
-
Resiliency.
-
Recoverability
-
Redundancy.
Pregunta 41
Pregunta
Infinite loops and improper memory calls are often known to cause
threats to which of the following?
Respuesta
-
Availability.
-
Authentication.
-
Authorization.
-
Accountability.
Pregunta 42
Pregunta
Which of the following is used to communicate and enforce availability
requirements of the business or client?
Pregunta 43
Pregunta
Software security requirements that are identified to protect against
disclosure of data to unauthorized users is otherwise known as
Respuesta
-
integrity requirements
-
authorization requirements
-
confidentiality requirements.
-
non-repudiation requirements.
Pregunta 44
Pregunta
The requirements that assure reliability and prevent alterations are to be
identified in which section of the software requirements specifications
(SRS) documentation?
Respuesta
-
Confidentiality.
-
Integrity.
-
Availability.
-
Accountability
Pregunta 45
Pregunta
Which of the following is a covert mechanism that assures
confidentiality?
Respuesta
-
Encryption.
-
Steganography.
-
Hashing.
-
Masking.
Pregunta 46
Pregunta
As a means to assure confidentiality of copyright information, the
security analyst identifies the requirement to embed information
insider another digital audio, video or image signal. This is commonly
referred to as
Respuesta
-
Encryption.
-
Hashing.
-
Licensing
-
Watermarking.
Pregunta 47
Pregunta
Checksum validation can be used to satisfy which of the following
requirements?
Respuesta
-
Confidentiality.
-
Integrity.
-
Availability
-
Authentication.
Pregunta 48
Pregunta
A Requirements Traceability Matrix (RTM) that includes security
requirements can be used for all of the following EXCEPT
Respuesta
-
Ensure scope creep does not occur
-
Validate and communicate user requirements
-
Determine resource allocations
-
Identifying privileged code sections
Pregunta 49
Pregunta
Domain 3
During which phase of the software development lifecycle (SDLC) is
threat modeling initiated?
Respuesta
-
Requirements analysis
-
Design
-
Implementation
-
Deployment
Pregunta 50
Pregunta
Certificate Authority, Registration Authority, and Certificate
Revocation Lists are all part of which of the following?
Respuesta
-
Advanced Encryption Standard (AES)
-
Steganography
-
Public Key Infrastructure (PKI)
-
Lightweight Directory Access Protocol (LDAP)
Pregunta 51
Pregunta
The use of digital signatures has the benefit of providing which of the
following that is not provided by symmetric key cryptographic design?
Pregunta 52
Pregunta
When passwords are stored in the database, the best defense against
disclosure attacks can be accomplished using
Respuesta
-
encryption.
-
masking.
-
hashing.
-
obfuscation.
Pregunta 53
Pregunta
Nicole is part of the ‘author’ role as well as she is included in the
‘approver’ role, allowing her to approve her own articles before it is
posted on the company blog site. This violates the principle of
Respuesta
-
least privilege.
-
least common mechanisms.
-
economy of mechanisms.
-
separation of duties
Pregunta 54
Pregunta
The primary reason for designing Single Sign On (SSO) capabilities is
to
Respuesta
-
increase the security of authentication mechanisms
-
simplify user authentication.
-
have the ability to check each access request
-
allow for interoperability between wireless and wired networks.
Pregunta 55
Pregunta
Database triggers are PRIMARILY useful for providing which of the
following detective software assurance capability?
Respuesta
-
Availability
-
Authorization.
-
Auditing.
-
Archiving
Pregunta 56
Pregunta
During a threat modeling exercise, the software architecture is reviewed
to identify
Respuesta
-
attackers.
-
business impact.
-
critical assets
-
entry points.
Pregunta 57
Pregunta
A Man-in-the-Middle (MITM) attack is PRIMARILY an expression
of which type of the following threats?
Respuesta
-
Spoofing
-
Tampering
-
Repudiation
-
Information disclosure
Pregunta 58
Pregunta
IPSec technology which helps in the secure transmission of information
operates in which layer of the Open Systems Interconnect (OSI) model?
Respuesta
-
Transport.
-
Network
-
Session.
-
Application.
Pregunta 59
Pregunta
When internal business functionality is abstracted into service oriented
contract based interfaces, it is PRIMARILY used to provide for
Respuesta
-
interoperability.
-
authentication.
-
authorization.
-
installation ease.
Pregunta 60
Pregunta
At which layer of the Open Systems Interconnect (OSI) model must
security controls be designed to effectively mitigate side channel attacks?
Respuesta
-
Transport
-
Network
-
Data link
-
Physical
Pregunta 61
Pregunta
Which of the following software architectures is effective in distributing
the load between the client and the server, but since it includes the
client to be part of the threat vectors it increases the attack surface?
Respuesta
-
Software as a Service (SaaS).
-
Service Oriented Architecture (SOA).
-
Rich Internet Application (RIA).
-
Distributed Network Architecture (DNA).
Pregunta 62
Pregunta
When designing software to work in a mobile computing environment,
the Trusted Platform Module (TPM) chip can be used to provide
which of the following types of information?
Respuesta
-
Authorization.
-
Identification.
-
Archiving
-
Auditing.
Pregunta 63
Pregunta
When two or more trivial pieces of information are brought together
with the aim of gleaning sensitive information, it is referred to as what
type of attack?
Respuesta
-
Injection.
-
Inference.
-
Phishing.
-
Polyinstantiation.
Pregunta 64
Pregunta
The inner workings and internal structure of backend databases can be
protected from disclosure using
Respuesta
-
triggers.
-
normalization.
-
views.
-
encryption
Pregunta 65
Pregunta
Choose the BEST answer. Configurable settings for logging exceptions,
auditing and credential management must be part of
Pregunta 66
Pregunta
The token that is PRIMARILY used for authentication purposes in a
Single Sign (SSO) implementation between two different companies is
Pregunta 67
Pregunta
Syslog implementations require which additional security protection
mechanisms to mitigate disclosure attacks?
Respuesta
-
Unique session identifier generation and exchange.
-
Transport Layer Security.
-
Digital Rights Management (DRM)
-
Data Loss Prevention,
Pregunta 68
Pregunta
Rights and privileges for a file can be granularly granted to each client
using which of the following technologies
Respuesta
-
Data Loss Prevention (DLP).
-
Software as a Service (SaaS)
-
Flow control
-
Digital Rights Management (DRM)
Pregunta 69
Pregunta
Which of the following is known to circumvent the ring protection
mechanisms in operating systems?
Pregunta 70
Pregunta
When the software is designed using Representational State Transfer
(REST) architecture, it promotes which of the following good
programming practices?
Respuesta
-
High Cohesion
-
Low Cohesion
-
Tight Coupling
-
Loose Coupling
Pregunta 71
Pregunta
. Which of the following components of the Java architecture is primarily
responsible to ensure type consistency, safety and assure that there are
no malicious instructions in the code?
Respuesta
-
Garbage collector
-
Class Loader
-
Bytecode Verfier
-
Java Security Manager
Pregunta 72
Pregunta
The primary security concern when implementing cloud applications
is related to
Pregunta 73
Pregunta
The predominant form of malware that infects mobile apps is
Respuesta
-
Virus
-
Ransomware
-
Worm
-
Spyware
Pregunta 74
Pregunta
Most Supervisory Control And Data Acquisition (SCADA) systems
are susceptible to software attacks because
Respuesta
-
they were not initially implemented with security in mind
-
the skills of a hacker has increased significantly
-
the data that they collect are of top secret classification
-
the firewalls that are installed in front of these devices have been
breached.
Pregunta 75
Pregunta
Domain 4
Software developers writes software programs PRIMARILY to
Respuesta
-
create new products
-
capture market share
-
solve business problems
-
mitigate hacker threats
Pregunta 76
Pregunta
The process of combining necessary functions, variables and
dependency files and libraries required for the machine to run the
program is referred to as
Respuesta
-
compilation
-
interpretation
-
linking
-
instantiation
Pregunta 77
Pregunta
Which of the following is an important consideration to manage
memory and mitigate overflow attacks when choosing a programming
language?
Respuesta
-
Locality of reference
-
Type safety
-
Cyclomatic complexity
-
Parametric polymorphism
Pregunta 78
Pregunta
Assembly and machine language are examples of
Pregunta 79
Pregunta
Using multifactor authentication is effective in mitigating which of the
following application security risks?
Pregunta 80
Pregunta
Impersonation attacks such as Man-in-the-Middle (MITM) attacks in
an Internet application can be BEST mitigated using proper
Pregunta 81
Pregunta
Implementing Completely Automated Public Turing test to tell
Computers and Humans Apart (CAPTCHA) protection is a means
of defending against
Respuesta
-
SQL Injection
-
Cross-Site Scripting (XSS)
-
Cross-Site Request Forgery (CSRF)
-
. Insecure cryptographic storage
Pregunta 82
Pregunta
The findings of a code review indicate that cryptographic operations
in code use the Rijndael cipher, which is the original publication of
which of the following algorithms?
Respuesta
-
Skipjack
-
Data Encryption Standard (DES)
-
Triple Data Encryption Standard (3DES)
-
Advanced Encryption Standard (AES)
Pregunta 83
Pregunta
Which of the following transport layer technologies can BEST mitigate
session hijacking and replay attacks in a local area network (LAN)?
Respuesta
-
Data Loss Prevention (DLP)
-
Internet Protocol Security (IPSec)
-
Secure Sockets Layer (SSL)
-
Digital Rights Management (DRM)
Pregunta 84
Pregunta
Verbose error messages and unhandled exceptions can result in which
of the following software security threats?
Respuesta
-
Spoofing
-
Tampering
-
Repudiation
-
Information disclosure
Pregunta 85
Pregunta
Code signing can provide all of the following EXCEPT
Respuesta
-
Anti-tampering protection
-
Authenticity of code origin
-
Runtime permissions for code
-
Authentication of users
Pregunta 86
Pregunta
When an attacker uses delayed error messages between successful and
unsuccessful query probes, he is using which of the following side
channel techniques to detect injection vulnerabilities?
Respuesta
-
Distant observation
-
Cold boot
-
Power analysis
-
Timing
Pregunta 87
Pregunta
When the code is not allowed to access memory at arbitrary locations
that is out of range of the memory address space that belong to the
object’s publicly exposed fields, it is referred to as which of the following
types of code?
Respuesta
-
Object code
-
Type safe code
-
Obfuscated code
-
Source code
Pregunta 88
Pregunta
When the runtime permissions of the code are defined as security
attributes in the metadata of the code, it is referred to as
Pregunta 89
Pregunta
When an all-or-nothing approach to code access security is not possible
and business rules and permissions need to be set and managed more
granularly inline code functions and modules, a programmer can
leverage which of the following?
Respuesta
-
Cryptographic agility
-
Parametric polymorphism
-
Declarative security
-
Imperative security
Pregunta 90
Pregunta
An understanding of which of the following programming concepts
is necessary to protect against memory manipulation buffer overflow
attacks? Choose the BEST answer.
Respuesta
-
Error handling
-
Exception management
-
Locality of reference
-
Generics
Pregunta 91
Pregunta
Exploit code attempt to take control of dangling pointers which
Respuesta
-
are references to memory locations of destroyed objects.
-
is the non-functional code that that is left behind in the source.
-
is the payload code that the attacker uploads into memory to
execute.
-
are references in memory locations that are used prior to being
initialized.
Pregunta 92
Pregunta
Which of the following is a feature of most recent operating systems
(OS) that makes it difficult for an attacker to guess the memory address
of the program as it makes the memory address different each time the
program is executed?
Respuesta
-
Data Execution Prevention (DEP)
-
Executable Space Protection (ESP)
-
Address Space Layout Randomization (ASLR)
-
Safe Security Exception Handler (/SAFESEH)
Pregunta 93
Pregunta
When the source code is made obscure using special programs in order
to make the readability of the code difficult when disclosed, the code is
also known as
Respuesta
-
object code
-
obfuscated code.
-
encrypted code.
-
hashed code.
Pregunta 94
Pregunta
The ability to track ownership, changes in code and rollback abilities is
possible because of which of the following configuration management
processes?
Respuesta
-
Version control
-
Patching
-
Audit logging
-
Change control
Pregunta 95
Pregunta
The MAIN benefit of statically analyzing code is that
Respuesta
-
runtime behavior of code can be analyzed.
-
business logic flaws are more easily detectable.
-
the analysis is performed in a production or production-like
environment
-
errors and vulnerabilities can be detected earlier in the life cycle.
Pregunta 96
Pregunta
Cryptographic protection includes all of the following EXCEPT
Respuesta
-
encryption of data when it is processed.
-
hashing of data when it is stored.
-
hiding of data within other media objects when it is transmitted.
-
masking of data when it is displayed.
Pregunta 97
Pregunta
Replacing the Primary Account Number (PAN) with random or
pseudo-random symbols that are uniquely identifiable and still assuring
privacy is also known as
Respuesta
-
Fuzzing
-
Tokenization
-
Encoding
-
Canonicalization
Pregunta 98
Pregunta
Which of the following is an implementation of the principle of least
privilege?
Respuesta
-
Sandboxing
-
Tokenization
-
Versioning
-
. Concurrency
Pregunta 99
Pregunta
Domain 5
The ability of the software to restore itself to expected functionality
when the security protection that is built in is breached is also known
as
Respuesta
-
redundancy.
-
recoverability.
-
resiliency.
-
reliability.
Pregunta 100
Pregunta
In which of the following software development methodologies does
unit testing enable collective code ownership and is critical to assure
software assurance?
Respuesta
-
Waterfall
-
Agile
-
Spiral
-
Prototyping
Pregunta 101
Pregunta
Which of the secure design principles is promoted when test harnesses
are used?
Pregunta 102
Pregunta
The use of IF-THEN rules is characteristic of which of the following
types of software testing?
Respuesta
-
Logic
-
Scalability
-
Integration
-
Unit
Pregunta 103
Pregunta
The implementation of secure features such as complete mediation and
data replication needs to undergo which of the following types of test
to ensure that the software meets the service level agreements (SLA)?
Respuesta
-
Stress
-
Unit
-
Integration
-
Regression
Pregunta 104
Pregunta
Tests that are conducted to determine the breaking point of the software
after which the software will no longer be functional is characteristic
of which of the following types of software testing?
Respuesta
-
Regression
-
Stress
-
Integration
-
Simulation
Pregunta 105
Pregunta
Which of the following tools or techniques can be used to facilitate the
white box testing of software for insider threats?
Respuesta
-
Source code analyzers
-
Fuzzers
-
Banner grabbing software
-
Scanners
Pregunta 106
Pregunta
When very limited or no knowledge of the software is made known to
the software tester before she can test for its resiliency, it is characteristic
of which of the following types of security tests?
Respuesta
-
White box
-
Black box
-
Clear box
-
Glass box
Pregunta 107
Pregunta
Penetration testing must be conducted with properly defined
Pregunta 108
Pregunta
Testing for the randomness of session identifiers and the presence of
auditing capabilities provides the software team insight into which of
the following security controls?
Respuesta
-
Availability
-
Authentication.
-
Non-repudiation.
-
Authorization.
Pregunta 109
Pregunta
Disassemblers, debuggers and decompilers can be used by security
testers to PRIMARILY determine which of the following types of
coding vulnerabilities?
Pregunta 110
Pregunta
When reporting a software security defect in the software, which of
the following also needs to be reported so that variance from intended
behavior of the software can be determined?
Respuesta
-
Defect identifier
-
Title
-
Expected results
-
Tester name
Pregunta 111
Pregunta
An attacker analyzes the response from the web server which indicates
that its version is the Microsoft Internet Information Server 6.0
(Microsoft-IIS/6.0), but none of the IIS exploits that the attacker
attempts to execute on the web server are successful. Which of the
following is the MOST probable security control that is implemented?
Respuesta
-
Hashing
-
Cloaking
-
Masking
-
Watermarking
Pregunta 112
Pregunta
Smart fuzzing is characterized by injecting
Respuesta
-
truly random data without any consideration for the data
structure.
-
variations of data structures that are known.
-
data that get interpreted as commands by a backend interpreter
-
scripts that are reflected and executed on the client browser.
Pregunta 113
Pregunta
Which of the following is the MOST important to ensure, as part
of security testing, when the software is forced to fail x? Choose the
BEST answer.
Respuesta
-
Normal operational functionality is not restored automatically.
-
Access to all functionality is denied.
-
Confidentiality, integrity and availability are not adversely
impacted.
-
End users are adequately trained and self help is made available
for the end user to fix the error on their own.
Pregunta 114
Pregunta
Timing and synchronization issues such as race conditions and
resource deadlocks can be MOST LIKELY identified by which of the
following tests? Choose the BEST answer.
Respuesta
-
Integration
-
Stress
-
Unit
-
Regression
Pregunta 115
Pregunta
The PRIMARY objective of resiliency testing of software is to
determine
Respuesta
-
the point at which the software will break.
-
if the software can restore itself to normal business operations.
-
the presence and effectiveness of risk mitigation controls.
-
how a blackhat would circumvent access control mechanisms.
Pregunta 116
Pregunta
The ability of the software to withstand attempts of attackers who
intend to breach the security protection that is built in is also known as
Respuesta
-
redundancy.
-
recoverability.
-
resiliency.
-
reliability.
Pregunta 117
Pregunta
Drivers and stub based programming are useful to conduct which of
the following tests?
Respuesta
-
Integration
-
Regression
-
Unit
-
Penetration
Pregunta 118
Pregunta
Assurance that the software meets the expectations of the business as
defined in the service level agreements (SLAs) can be demonstrated by
which of the following types of tests?
Respuesta
-
Unit
-
Integration
-
Performance
-
Regression
Pregunta 119
Pregunta
Vulnerability scans are used to
Respuesta
-
measure the resiliency of the software by attempting to exploit
weaknesses.
-
detect the presence of loopholes and weaknesses in the software.
-
detect the effectiveness of security controls that are implemented
in the software.
-
measure the skills and technical know-how of the security tester.
Pregunta 120
Pregunta
In the context of test data management, when a transaction which
serves no business purpose is tested, it is referred to as what kind of
transaction?
Respuesta
-
Non-synthetic
-
Synthetic
-
Useless
-
Discontinuous
Pregunta 121
Pregunta
As part of the test data management strategy, when a criteria is applied
to export selective information from a production system to the test
environment, it is also referred to as
Respuesta
-
Subletting
-
Filtering
-
Validation
-
Subsetting
Pregunta 122
Pregunta
Domain 6
Your organization has the policy to attest the security of any software
that will be deployed into the production environment. A third party
vendor software is being evaluated for its readiness to be deployed.
Which of the following verification and validation mechanism can be
employed to attest the security of the vendor’s software?
Pregunta 123
Pregunta
To meet the goals of software assurance, when accepting software, the
acquisition phase MUST include processes to
Respuesta
-
verify that installation guides and training manuals are provided.
-
assess the presence and effectiveness of protection mechanisms.
-
validate vendor’s software products.
-
assist the vendor in responding to the request for proposals.
Pregunta 124
Pregunta
The process of evaluating software to determine whether the products
of a given development phase satisfies the conditions imposed at the
start of the phase is referred to as
Respuesta
-
verification
-
validation
-
authentication
-
authorization
Pregunta 125
Pregunta
When verification activities are used to determine if the software is
functioning as it is expected to, it provides insight into which of the
following aspects of software assurance?
Respuesta
-
Redundancy
-
Reliability
-
Resiliency
-
Recoverability
Pregunta 126
Pregunta
When procuring software the purchasing company can request the
evaluation assurance levels (EALs) of the software product which is
determined using which of the following evaluation methodologies?
Respuesta
-
Operationally Critical Assets Threats and Vulnerability Evaluation®
(OCTAVE)
-
Security Quality Requirements Engineering (SQUARE)
-
Common Criteria
-
Comprehensive, Lightweight Application Security Process
(CLASP)
Pregunta 127
Pregunta
The FINAL activity in the software acceptance process is the go/no go
decision that can be determined using
Respuesta
-
regression testing.
-
integration testing.
-
unit testing.
-
user acceptance testing.
Pregunta 128
Pregunta
Management’s formal acceptance of the system after an understanding
of the residual risks to that system in the computing environment is
also referred to as
Respuesta
-
patching.
-
hardening.
-
certification.
-
accreditation.
Pregunta 129
Pregunta
You determine that a legacy software running in your computing
environment is susceptible to Cross Site Request Forgery (CSRF)
attacks because of the way it manages sessions. The business has the
need to continue use of this software but you do not have the source
code available to implement security controls in code as a mitigation
measure against CSRF attacks. What is the BEST course of action to
undertake in such a situation?
Respuesta
-
Avoid the risk by forcing the business to discontinue use of the
software.
-
Accept the risk with a documented exception.
-
Transfer the risk by buying insurance.
-
Ignore the risk since it is legacy software
Pregunta 130
Pregunta
As part of the accreditation process, the residual risk of a software
evaluated for deployment must be accepted formally by the
Pregunta 131
Pregunta
Domain 7
When software that worked without any issues in the test environments
fails to work in the production environment, it is indicative of
Respuesta
-
inadequate integration testing
-
incompatible environment configurations.
-
incomplete threat modeling.
-
ignored code review
Pregunta 132
Pregunta
Which of the following is not characteristic of good security metrics?
Respuesta
-
Quantitatively expressed
-
Objectively expressed
-
Contextually relevant
-
Collected manually
Pregunta 133
Pregunta
Removal of maintenance hooks, debugging code and flags, and
unneeded documentation before deployment are all examples of
software
Respuesta
-
hardening
-
patching.
-
reversing.
-
obfuscation.
Pregunta 134
Pregunta
Which of the following has the goal of ensuring that the resiliency
levels of software is always above the acceptable risk threshold as
defined by the business post deployment?
Respuesta
-
Threat modeling.
-
Code review.
-
Continuous monitoring.
-
Regression testing.
Pregunta 135
Pregunta
Logging application events such as failed login attempts, sales price
updates and user roles configuration for audit review at a later time is
an example of which of the following type of security control?
Respuesta
-
Preventive
-
Corrective
-
Compensating
-
Detective
Pregunta 136
Pregunta
When a compensating control is to be used, the Payment Card Industry
Data Security Standard (PCI DSS) prescribes that the compensating
control must meet all of the following guidelines EXCEPT
Respuesta
-
Meet the intent and rigor of the original requirement.
-
Provide an increased level of defense than the original requirement
-
Be implemented as part of a defense in depth measure.
-
Must commensurate with additional risk imposed by not adhering
to the requirement
Pregunta 137
Pregunta
Versioning, back-ups, check-in and check-out practices are all important
components of
Respuesta
-
Patch management
-
Release management
-
Problem management
-
Incident management
Pregunta 138
Pregunta
Software that is deployed in a high trust environment such as the
environment within the organizational firewall when not continuously
monitored is MOST susceptible to which of the following types of
security attacks? Choose the BEST answer.
Pregunta 139
Pregunta
Bastion host systems can be used to continuously monitor the security
of the computing environment when it is used in conjunction with
intrusion detection systems (IDS) and which other security control?
Respuesta
-
Authentication.
-
Authorization.
-
Archiving.
-
Auditing.
Pregunta 140
Pregunta
The FIRST step in the incident response process of a reported breach
is to
Respuesta
-
notify management of the security breach.
-
research the validity of the alert or event further
-
inform potentially affected customers of a potential breach.
-
conduct an independent third party evaluation to investigate the
reported breach.
Pregunta 141
Pregunta
Which of the following is the BEST recommendation to champion
security objectives within the software development organization?
Respuesta
-
Informing the developers that they could lose their jobs if their
software is breached.
-
Informing management that the organizational software could
be hacked.
-
Informing the project team about the recent breach of the
competitor’s software.
-
Informing the development team that there should be no injection
flaws in the payroll application.
Pregunta 142
Pregunta
Which of the following independent process provides insight into the
presence and effectiveness of security and privacy controls and is used
to determine the organization’s compliance with the regulatory and
governance (policy) requirements?
Respuesta
-
Penetration testing
-
Audits
-
Threat modeling
-
Code review
Pregunta 143
Pregunta
The process of using regular expressions to parse audit logs into
information that indicate security incidents is referred to as
Respuesta
-
correlation.
-
normalization.
-
collection.
-
visualization.
Pregunta 144
Pregunta
The FINAL stage of the incident management process is to
Respuesta
-
detection.
-
containment.
-
eradication
-
recovery
Pregunta 145
Pregunta
Problem management aims to improve the value of Information
Technology to the business because it improves service by
Respuesta
-
restoring service to the expectation of the business user
-
determining the alerts and events that need to be continuously
monitored.
-
depicting incident information in easy to understand user friendly
format.
-
identifying and eliminating the root cause of the problem
Pregunta 146
Pregunta
The process of releasing software to fix a recently reported vulnerability
without introducing any new features or changing hardware
configuration is referred to as
Respuesta
-
versioning.
-
hardening.
-
patching.
-
porting.
Pregunta 147
Pregunta
Fishbone diagramming is a mechanism that is PRIMARILY used for
which of the following processes?
Respuesta
-
Threat modeling
-
Requirements analysis.
-
Network deployment.
-
Root cause analysis.
Pregunta 148
Pregunta
As a means to assure the availability of the existing software functionality
after the application of a patch, the patch need to be tested for
Pregunta 149
Pregunta
Which of the following policies needs to be established to securely
dispose software and associated data and documents?
Pregunta 150
Pregunta
Discontinuance of a software with known vulnerabilities with a newer
version is an example of risk
Respuesta
-
mitigation.
-
transference.
-
acceptance.
-
avoidance.
Pregunta 151
Pregunta
Printer ribbons, facsimile transmissions and printed information when
not securely disposed are susceptible to disclosure attacks by which of
the following threat agents? Choose the BEST answer.
Respuesta
-
Malware
-
Dumpster divers
-
Social engineers
-
Script kiddies.
Pregunta 152
Pregunta
System resources can be protected from malicious file execution attacks
by uploading the user supplied file and running it in which of the
following environment?
Respuesta
-
Honeypot
-
Sandbox
-
Simulated
-
Production
Pregunta 153
Pregunta
As a means to demonstrate the improvement in the security of code
that is developed, one must compute the relative attack surface quotient
(RASQ)
Respuesta
-
at the end of development phase of the project
-
before and after the code is implemented.
-
before and after the software requirements are complete.
-
at the end of the deployment phase of the project.
Pregunta 154
Pregunta
Modifications to data directly in the database by developers must be
prevented by
Respuesta
-
periodically patching database servers
-
implementing source code version control.
-
logging all database access requests.
-
proper change control management.
Pregunta 155
Pregunta
Which of the following documents is the BEST source to contain
damage and which needs to be referred to and consulted with upon
the discovery of a security breach?
Pregunta 156
Pregunta
Domain 8
The increased need for security in the software supply chain is
PRIMARILY attributed to
Respuesta
-
cessation of development activities within a company
-
increase in the number of foreign trade agreements
-
incidences of malicious code and logic found in acquired software
-
decrease in the trust of consumers on software developed within
a company.
Pregunta 157
Pregunta
Which phase of the acquisition life cycle involves the issuance of
advertisements to source and evaluate suppliers?
Respuesta
-
Contracting
-
Planning
-
Development
-
Delivery (Handover
Pregunta 158
Pregunta
Predictable execution means that the software demonstrates all the
following qualities EXCEPT?
Respuesta
-
Authenticity
-
Conformance
-
Authorization
-
Trustworthiness
Pregunta 159
Pregunta
Which of the following is a process threat in the software supply chain?
Respuesta
-
Counterfeit software
-
Insecure code transfer
-
Subornation
-
Piracy
Pregunta 160
Pregunta
In the context of the software supply chain, the principle of persistent
protection is also known as
Pregunta 161
Pregunta
In pre-qualifying a supplier, which of the following must be assessed to
ensure that the supplier can provide timely updates and hotfixes when
an exploitable vulnerability in their software is reported?
Respuesta
-
Foreign ownership and control or influence
-
Security track record
-
Security knowledge of the supplier’ s personnel
-
Compliance with security policies, regulatory and privacy
requirements.
Pregunta 162
Pregunta
Which of the following can provide insight into the effectiveness and
efficiencies of the supply chain processes as it pertains to assuring trust
and software security?
Respuesta
-
Key Performance Indicators (KPI)
-
Relative Attack Surface Quotient (RASQ)
-
Maximum Tolerable Downtime (MTD)
-
Requirements Traceability Matrix (RTM)
Pregunta 163
Pregunta
Which of the following contains the security requirements and the
evidence needed to prove that the acquirer requirements are met as
expected?
Pregunta 164
Pregunta
The difference between disclaimer-based protection and contractsbased
is that
Respuesta
-
Contracts-based protection is mutual.
-
Disclaimer-based protection is mutual
-
Contracts-based protection is done by one-sided notification of
terms
-
Disclaimer-based protection is legally binding.
Pregunta 165
Pregunta
Software programs, database models and images on a website can be
protected using which of the following legal instrument?
Respuesta
-
Patents
-
Copyright
-
Trademarks
-
Trade secret
Pregunta 166
Pregunta
You find out that employees in your company have been downloading
software files and sharing them using peer-to-peer based torrent
networks. These software files are not free and need to be purchase
from their respective manufacturers. You employee are violating
Respuesta
-
Trade secrets
-
Trademarks
-
Patents
-
Copyrights
Pregunta 167
Pregunta
Which of the following legal instruments assures the confidentiality
of software programs, processing logic, database schema and internal
organizational business processes and client lists?
Pregunta 168
Pregunta
When source code of Commercially Off-The-Shelf (COTS) software
is escrowed and released under a free software or open source license
when the original developer (or supplier) no longer continues to develop
that software, that software is referred to as
Respuesta
-
Trialware
-
Demoware
-
Ransomware
-
Freeware
Pregunta 169
Pregunta
Improper implementation of validity periods using length-of-use
checks in code can result in which of the following types of security
issues for legitimate users?
Respuesta
-
Tampering
-
Denial of Service
-
Authentication bypass
-
Spoofing
Pregunta 170
Pregunta
Your organization’s software is published as a trial version without any
restricted functionality from the paid version. Which of the following
MUST be designed and implemented to ensure that customers who
have not purchased the software are limited in the availability of the
software?
Respuesta
-
Disclaimers
-
Licensing
-
Validity periods
-
Encryption
Pregunta 171
Pregunta
When must the supplier inform the acquirer of any applicable export
control and foreign trade regulatory requirements in the countries of
export and import?
Pregunta 172
Pregunta
The disadvantage of using open source software from a security
standpoint is
Respuesta
-
Only the original publisher of the source code can modify the
code
-
Open source software is not supported and maintained by mature
companies or communities.
-
The attacker can look into the source code to determine its
exploitability.
-
Open source software can only be purchased using a piece-meal
approach.
Pregunta 173
Pregunta
Which of the following is the most important security testing process
that validates and verifies the integrity of software code, components
and configurations, in a software security chain?
Respuesta
-
Threat modeling
-
Fuzzing
-
Penetration testing
-
Code review
Pregunta 174
Pregunta
Which of the following is LEAST likely to be detected using a code
review process?
Respuesta
-
Backdoors
-
Logic Bombs
-
Logic Flaws
-
Trojan horses
Pregunta 175
Pregunta
Which of the following security principle is LEAST related to the
securing of code repositories?
Respuesta
-
Least privilege
-
Access Control
-
Auditing
-
Open Design
Pregunta 176
Pregunta
The integrity of build tools and the build environment is necessary to
protect against
Respuesta
-
spoofing
-
tampering
-
disclosure
-
denial of service
Pregunta 177
Pregunta
Which of the following kind of security testing tool detects the presence
of vulnerabilities through disassembly and pattern recognition?
Respuesta
-
Source code scanners
-
Binary code scanners
-
Byte code scanners
-
Compliance validators
Pregunta 178
Pregunta
When software is developed by multiple suppliers, the genuineness of
the software can be attested using which of the following processes?
Respuesta
-
Code review
-
Code signing
-
Encryption
-
Code scanning
Pregunta 179
Pregunta
Which of the following must be controlled during handoff of software
from one supplier to the next, so that no unauthorized tampering of
the software can be done?
Respuesta
-
Chain of custody
-
Separation of privileges
-
System logs
-
Application data
Pregunta 180
Pregunta
Which of the following risk management concepts is demonstrated
when using code escrows?
Respuesta
-
Avoidance
-
Transference
-
Mitigation
-
Acceptance
Pregunta 181
Pregunta
Which of the following types of testing is crucial to conduct to
determine single points of failure in a System-of-systems (SoS)?
Respuesta
-
Unit
-
Integration
-
Regression
-
Logic
Pregunta 182
Pregunta
When software is handed from one supplier to the next, the following
operational process needs to be in place so that the supplier from whom
the software is acquirer can no longer modify the software?
Respuesta
-
Runtime integrity assurance
-
Patching
-
Termination Access Control
-
Custom Code Extension Checks