Question 1
Linda is reviewing posts to a user forum on her company’s website and, when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:
<script>alert('Alert');</script>
Linda communicates with the vendor and determines that no patch is available to correct this vulnerability. Which one of the following devices would best help her defend the application against further attack?
Answer
- A. VPN
- B. WAF
- C. DLP
- D. IDS
Question 2
Linda is reviewing posts to a user forum on her company’s website and, when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:
<script>alert('Alert');</script>
What was the likely motivation of the user who posted the message on the forum containing this code?
Question 3
Linda is reviewing posts to a user forum on her company’s website and, when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:
<script>alert('Alert');</script>
In further discussions with the vendor, Linda finds that they are willing to correct the issue but do not know how to update their software. What technique would be most effective in mitigating the vulnerability of the application to this type of attack?
Answer
- A. Bounds checking
- B. Peer review
- C. Input validation
- D. OS patching
Question 4
What property of relational databases ensures that once a database transaction is committed to the database, it is preserved?
Answer
- A. Atomicity
- B. Consistency
- C. Durability
- D. Isolation
Question 5
Lauren wants to use a software review process for the application she is working on. Which of the following processes would work best if she is a remote worker who works different hours from the rest of her team?
Answer
- A. Pass around
- B. Pair programming
- C. Team review
- D. Fagan inspection
Question 6
Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software?
Answer
- A. Stealth
- B. Multipartitism
- C. Polymorphism
- D. Encryption
Question 7
Which one of the following types of software testing usually occurs last and is executed against test scenarios?
Question 8
What type of requirement specifies what software must do by describing the inputs, behavior, and outputs of software?
Answer
- A. Derived requirements
- B. Structural requirements
- C. Behavioral requirements
- D. Functional requirements
Question 9
Which of the following organizations is widely considered the definitive source for information on web-based attack vectors?
Answer
- A. (ISC)2
- B. ISACA
- C. OWASP
- D. Mozilla Foundation
Question 10
If Chris is writing code for an application, what phase of the Agile process is he in?
Answer
- A. Planning
- B. Sprints
- C. Deployment
- D. Development
Question 11
Lisa is attempting to prevent her network from being targeted by IP spoofing attacks as well as preventing her network from being the source of those attacks. Which one of the following rules is NOT a best practice that Lisa can configure at her network border?
Answer
- A. Block packets with internal source addresses from entering the network.
- B. Block packets with external source addresses from leaving the network.
- C. Block packets with private IP addresses from exiting the network.
- D. Block packets with public IP addresses from entering the network.
Question 12
What type of attack is demonstrated in the following C programming language example?
int myarray[10];
myarray[10] = 8;
Answer
- A. Mismatched data types
- B. Overflow
- C. SQL injection
- D. Covert channel
Question 13
Which one of the following database issues occurs when one transaction writes a value to the database that overwrites a value that was needed by transactions with earlier precedence?
Answer
- A. Dirty read
- B. Incorrect summary
- C. Lost update
- D. SQL injection
Question 14
Which one of the following is the most effective control against session hijacking attacks?
Question 15
Faith is looking at the /etc/passwd file on a system configured to use shadowed passwords. When she examines a line in the file for a user with interactive login permissions, what should she expect to see in the password field?
Answer
- A. Plaintext password
- B. Hashed password
- C. x
- D. *
Question 16
What type of vulnerability does a TOCTOU attack target?
Question 17
While evaluating a potential security incident, Harry comes across a log entry from a web server request showing that a user entered the following input into a form field:
CARROT'&1=1;--
What type of attack was attempted?
Question 18
Which one of the following is not an effective control against SQL injection attacks?
Question 19
What type of project management tool is shown in the figure?
Answer
- A. WBS chart
- B. PERT chart
- C. Gantt chart
- D. Wireframe diagram
Question 20
In what software testing technique does the evaluator retest a large number of scenarios each time that the software changes to verify that the results are consistent with a standard baseline?
Question 21
Which one of the following conditions may make an application most vulnerable to a cross-site scripting (XSS) attack?
Question 22
Roger is conducting a software test for a tax preparation application developed by his company. End users will access the application over the Web, but Roger is conducting his test on the back end, evaluating the source code on the web server. What type of test is Roger conducting?
Answer
- A. White box
- B. Gray box
- C. Blue box
- D. Black box
Question 23
Which of the following statements is true about heuristic-based antimalware software?
Answer
- A. It has a lower false positive rate than signature detection.
- B. It requires frequent definition updates to detect new malware.
- C. It has a higher likelihood of detecting zero-day exploits than signature detection.
- D. It monitors systems for files with content known to be viruses.
Question 24
Martin is inspecting a system where the user reported unusual activity, including disk activity when the system is idle and abnormal CPU and network usage. He suspects that the machine is infected by a virus but scans come up clean. What malware technique might be in use here that would explain the clean scan results?
Question 25
Tomas discovers a line in his application log that appears to correspond with an attempt to conduct a directory traversal attack. He believes the attack was conducted using URL encoding. The line reads:
%252E%252E%252F%252E%252E%252Fetc/passwd
What character is represented by the %252E value?
Question 26
An attacker posted a message to a public discussion forum that contains an embedded malicious script that is not displayed to the user but executes on the user’s system when read. What type of attack is this?
Answer
- A. Persistent XSRF
- B. Nonpersistent XSRF
- C. Persistent XSS
- D. Nonpersistent XSS
Question 27
Which one of the following is not a principle of the Agile software development process?
Answer
- A. Welcome changing requirements, even late in the development process.
- B. Maximizing the amount of work not done is essential.
- C. Clear documentation is the primary measure of progress.
- D. Build projects around motivated individuals.
Question 28
What are the two components of an expert system?
Answer
- A. Decision support system and neural network
- B. Inference engine and neural network
- C. Neural network and knowledge bank
- D. Knowledge bank and inference engine
Question 29
Neal is working with a DynamoDB database. The database is not structured like a relational database but allows Neal to store data using a key-value store. What type of database is DynamoDB?
Answer
- A. Relational database
- B. Graph database
- C. Hierarchical database
- D. NoSQL database
Question 30
In the transaction shown here, what would happen if the database failed in between the first and second update statements?
Answer
- A. The database would credit the first account with $250 in funds but then not reduce the balance of the second account.
- B. The database would ignore the first command and only reduce the balance of the second account by $250.
- C. The database would roll back the transaction, ignoring the results of both commands.
- D. The database would successfully execute both commands.
Question 31
In the diagram shown here, which is an example of an attribute?
Answer
- A. Account
- B. Owner
- C. AddFunds
- D. None of the above
Question 32
Which one of the following statements is true about software testing?
Answer
- A. Static testing works on runtime environments.
- B. Static testing performs code analysis.
- C. Dynamic testing uses automated tools, but static testing does not.
- D. Static testing is a more important testing technique than dynamic testing.
Question 33
David is working on developing a project schedule for a software development effort, and he comes across the chart shown here. What type of chart is this?
Question 34
Barry is a software tester who is working with a new gaming application developed by his company. He is playing the game on a smartphone to conduct his testing in an environment that best simulates a normal end user, but he is referencing the source code as he conducts his test. What type of test is Barry conducting?
Answer
- A. White box
- B. Black box
- C. Blue box
- D. Gray box
Question 35
Miguel recently completed a penetration test of the applications that his organization uses to handle sensitive information. During his testing, he discovered a condition where an attacker can exploit a timing condition to manipulate software into allowing him to perform an unauthorized action. Which one of the following attack types fits this scenario?
Answer
- A. SQL injection
- B. Cross-site scripting
- C. Pass the hash
- D. TOC/TOU
Question 36
What part of the security review process are the input parameters shown in the diagram used for?
Question 37
What application security process can be described in these three major steps?
1. Decomposing the application
2. Determining and ranking threats
3. Determining countermeasures and mitigation
Answer
- A. Fagan inspection
- B. Threat modeling
- C. Penetration testing
- D. Code review
Question 38
Which one of the following approaches to failure management is the most conservative from a security perspective?
Answer
- A. Fail open
- B. Fail mitigation
- C. Fail clear
- D. Fail closed
Question 39
What software development model is shown in the figure?
Answer
- A. Waterfall
- B. Agile
- C. Lean
- D. Spiral
Question 40
Which of the following database keys is used by an RDBMS to uniquely identify each row in a database table?
Answer
- A. Foreign key
- B. Primary key
- C. Candidate key
- D. Referential key
Question 41
Which one of the following change management processes is initiated by users rather than developers?
Answer
- A. Request control
- B. Change control
- C. Release control
- D. Design review
Question 42
Which one of the following techniques is an effective countermeasure against some inference attacks?
Question 43
Ursula is a government web developer who recently created a public application that offers property records. She would like to make it available for other developers to integrate into their applications. What can Ursula create to make it easiest for developers to call her code directly and integrate the output into their applications?
Answer
- A. Object model
- B. Data dictionary
- C. API
- D. Primary key
Question 44
During what phase of the IDEAL model do organizations develop a specific plan of action for implementing change?
Answer
- A. Initiating
- B. Diagnosing
- C. Establishing
- D. Acting
Question 45
TJ is inspecting a system where the user reported a strange error message and the inability to access files. He sees the window shown in this figure. What type of malware should TJ suspect?
Answer
- A. Service injection
- B. Encrypted virus
- C. SQL injection
- D. Ransomware
Question 46
Charles is developing a mission-critical application that has a direct impact on human safety. Time and cost are less important than correctly functioning software. Which of the following software development methodologies should he choose given these requirements?
Answer
- A. Agile
- B. DevOps
- C. Spiral
- D. Waterfall
Question 47
Which one of the following types of artificial intelligence attempts to use complex computations to replicate the partial function of the human mind?
Question 48
At which level of the Software Capability Maturity Model (SW-CMM) does an organization introduce basic life-cycle management processes?
Answer
- A. Initial
- B. Repeatable
- C. Defined
- D. Managed
Question 49
Lucas runs the accounting systems for his company. The morning after a key employee was fired, systems began mysteriously losing information. Lucas suspects that the fired employee tampered with the systems prior to his departure. What type of attack should Lucas suspect?
Answer
- A. Privilege escalation
- B. SQL injection
- C. Logic bomb
- D. Remote code execution
Question 50
Which one of the following principles would not be favored in an Agile approach to software development?
Answer
- A. Processes and tools over individuals and interactions
- B. Working software over comprehensive documentation
- C. Customer collaboration over contract negotiations
- D. Responding to change over following a plan