Secure Software Development Final

Description

Computer Science quiz on Secure Software Development Final, created by Thomas Kreuser on 18-04-2017.
Quiz by Thomas Kreuser, updated more than 1 year ago
Created by Thomas Kreuser about 7 years ago

Resource Summary

Question 1

Question
The PRIMARY reason for incorporating security into the software development life cycle is to protect
Answer
  • the unauthorized disclosure of information.
  • the corporate brand and reputation
  • against hackers who intend to misuse the software.
  • the developers from releasing software with security defects.

Question 2

Question
The resiliency of software to withstand attacks that attempt to modify or alter data in an unauthorized manner is referred to as
Answer
  • Confidentiality.
  • Integrity.
  • Availability.
  • Authorization.

Question 3

Question
The MAIN reason why the availability aspects of software must be part of the organization’s software security initiatives is:
Answer
  • software issues can cause downtime to the business.
  • developers need to be trained in the business continuity procedures.
  • testing for availability of the software and data is often ignored.
  • hackers like to conduct Denial of Service (DoS) attacks against the organization.

Question 4

Question
Developing the software to monitor its functionality and report when the software is down and unable to provide the expected service to the business is a protection to assure which of the following?
Answer
  • Confidentiality.
  • Integrity.
  • Availability.
  • Authentication.

Question 5

Question
When a customer attempts to log into their bank account, the customer is required to enter a nonce from the token device that was issued to the customer by the bank. This type of authentication is also known as which of the following?
Answer
  • Ownership based authentication.
  • Two factor authentication.
  • Characteristic based authentication.
  • Knowledge based authentication.

Question 6

Question
Multi-factor authentication is most closely related to which of the following security design principles?
Answer
  • Separation of Duties.
  • Defense in depth.
  • Complete mediation.
  • Open design.

Question 7

Question
Audit logs can be used for all of the following EXCEPT
Answer
  • providing evidentiary information.
  • assuring that the user cannot deny their actions.
  • detecting the actions that were undertaken.
  • preventing a user from performing some unauthorized operations.

Question 8

Question
Organizations often pre-determine the acceptable number of user errors before recording them as security violations. This number is otherwise known as:
Answer
  • Clipping level.
  • Known Error.
  • Minimum Security Baseline.
  • Maximum Tolerable Downtime.

Question 9

Question
A security principle that maintains the confidentiality, integrity and availability of the software and data, besides allowing for rapid recovery to the state of normal operations when unexpected events occur, is the security design principle of
Answer
  • defense in depth.
  • economy of mechanisms.
  • fail secure
  • psychological acceptability

Question 10

Question
Requiring the end user to accept an ‘AS-IS’ disclaimer clause before installation of your software is an example of risk
Answer
  • avoidance.
  • mitigation.
  • transference.
  • acceptance.

Question 11

Question
An instrument that is used to communicate and mandate organizational and management goals and objectives at a high level is a
Answer
  • standard.
  • policy.
  • baseline.
  • guideline.

Question 12

Question
The Systems Security Engineering Capability Maturity Model (SSE-CMM®) is an internationally recognized standard that publishes guidelines to
Answer
  • provide metrics for measuring the software and its behavior, and using the software in a specific context of use.
  • evaluate security engineering practices and organizational management processes.
  • support accreditation and certification bodies that audit and certify information security management systems.
  • ensure that the claimed identity of personnel are appropriately verified.

Question 13

Question
Which of the following is a framework that can be used to develop a risk based enterprise security architecture by determining security requirements after analyzing the business initiatives?
Answer
  • Capability Maturity Model Integration (CMMI)
  • Sherwood Applied Business Security Architecture (SABSA)
  • Control Objectives for Information and related Technology (COBIT®)
  • Zachman Framework

Question 14

Question
Which of the following is a PRIMARY consideration for the software publisher when selling Commercial Off-The-Shelf (COTS) software?
Answer
  • Service Level Agreements (SLAs).
  • Intellectual Property protection.
  • Cost of customization.
  • Review of the code for backdoors and Trojan horses.

Question 15

Question
The Single Loss Expectancy can be determined using which of the following formulas?
Answer
  • Annualized Rate of Occurrence (ARO) x Exposure Factor
  • Probability x Impact
  • Asset Value x Exposure Factor
  • Annualized Rate of Occurrence (ARO) x Asset Value

Question 16

Question
Implementing IPSec to assure the confidentiality of data when it is transmitted is an example of risk
Answer
  • avoidance.
  • transference.
  • mitigation.
  • acceptance.

Question 17

Question
The Federal Information Processing Standard (FIPS) that prescribes guidelines for biometric authentication is
Answer
  • FIPS 140.
  • FIPS 186.
  • FIPS 197.
  • FIPS 201.

Question 18

Question
Which of the following is a multi-faceted security standard that is used to regulate organizations that collect, process and/or store cardholder data as part of their business operations?
Answer
  • FIPS 201.
  • ISO/IEC 15408.
  • NIST SP 800-64.
  • PCI DSS.

Question 19

Question
Which of the following is the current Federal Information Processing Standard (FIPS) that specifies an approved cryptographic algorithm to ensure the confidentiality of electronic data?
Answer
  • Security Requirements for Cryptographic Modules (FIPS 140).
  • Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS 201).
  • Advanced Encryption Standard (FIPS 197).
  • Digital Signature Standard (FIPS 186).

Question 20

Question
The organization that publishes the ten most critical web application security risks (Top Ten) is the
Answer
  • Computer Emergency Response Team (CERT).
  • Web Application Security Consortium (WASC).
  • Open Web Application Security Project (OWASP).
  • Forums for Incident Response and Security Teams (FIRST)

Question 21

Question
The process of removing private information from sensitive data sets is referred to as
Answer
  • Sanitization.
  • Degaussing.
  • Anonymization.
  • Formatting.

Domain 2

Question 22

Question
Which of the following MUST be addressed by software security requirements? Choose the BEST answer.
Answer
  • Technology used in building the application
  • Goals and objectives of the organization.
  • Software quality requirements
  • External auditor requirements

Question 23

Question
Which of the following types of information is exempt from confidentiality requirements?
Answer
  • Directory information.
  • Personally identifiable information (PII).
  • User’s card holder data.
  • Software architecture and network diagram

Question 24

Question
Requirements that are identified to protect against the destruction of information or the software itself are commonly referred to as
Answer
  • confidentiality requirements.
  • integrity requirements
  • availability requirements.
  • authentication requirements

Question 25

Question
The amount of time by which business operations need to be restored to service levels as expected by the business when there is a security breach or disaster is known as
Answer
  • Maximum Tolerable Downtime (MTD).
  • Mean Time Before Failure (MTBF).
  • Minimum Security Baseline (MSB).
  • Recovery Time Objective (RTO).

Question 26

Question
The use of an individual’s physical characteristics such as retinal blood patterns and fingerprints for validating and verifying the user’s identity is referred to as
Answer
  • biometric authentication.
  • forms authentication.
  • digest authentication.
  • integrated authentication.

Question 27

Question
Which of the following policies is MOST likely to include the following requirement? “All software processing financial transactions need to use more than one factor to verify the identity of the entity requesting access”
Answer
  • Authorization
  • Authentication.
  • Auditing
  • Availability

Question 28

Question
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong, as mandated by the requested resource owner, is the definition of
Answer
  • Non-discretionary Access Control (NDAC).
  • Discretionary Access Control (DAC).
  • Mandatory Access Control (MAC).
  • Role based Access Control.

Question 29

Question
Requirements which, when implemented, can help to build a history of events that occurred in the software are known as
Answer
  • authentication requirements.
  • archiving requirements.
  • accountability requirements.
  • authorization requirements.

Question 30

Question
Which of the following is the PRIMARY reason for an application to be susceptible to a Man-in-the-Middle (MITM) attack?
Answer
  • Improper session management
  • Lack of auditing
  • Improper archiving
  • Lack of encryption

Question 31

Question
The process of eliciting concrete software security requirements from high level regulatory and organizational directives and mandates in the requirements phase of the SDLC is also known as
Answer
  • threat modeling.
  • policy decomposition.
  • subject-object modeling
  • misuse case generation.

Question 32

Question
The FIRST step in the Protection Needs Elicitation (PNE) process is to
Answer
  • engage the customer
  • model information management
  • identify least privilege applications
  • conduct threat modeling and analysis

Question 33

Question
A Requirements Traceability Matrix (RTM) that includes security requirements can be used for all of the following EXCEPT
Answer
  • ensuring scope creep does not occur
  • validating and communicating user requirements
  • determining resource allocations
  • identifying privileged code sections

Question 34

Question
Parity bit checking mechanisms can be used for all of the following EXCEPT
Answer
  • Error detection
  • Message corruption.
  • Integrity assurance
  • Input validation

Question 35

Question
Which of the following is an activity that can be performed to clarify requirements with the business users using diagrams that model the expected behavior of the software?
Answer
  • Threat modeling
  • Use case modeling
  • Misuse case modeling
  • Data modeling

Question 36

Question
Which of the following is LEAST LIKELY to be identified by misuse case modeling?
Answer
  • Race conditions
  • Mis-actors
  • Attacker’s perspective
  • Negative requirements

Question 37

Question
Data classification is a core activity that is conducted as part of which of the following?
Answer
  • Key Management Lifecycle
  • Information Lifecycle Management
  • Configuration Management
  • Problem Management

Question 38

Question
Web farm data corruption issues and card holder data encryption requirements need to be captured as part of which of the following requirements?
Answer
  • Integrity.
  • Environment.
  • International.
  • Procurement.

Question 39

Question
When software is purchased from a third party instead of being built in-house, it is imperative to have contractual protection in place and to have the software requirements explicitly specified in which of the following?
Answer
  • Service Level Agreements (SLA).
  • Non-Disclosure Agreements (NDA)
  • Non-compete Agreements
  • Project plan.

Question 40

Question
When software is able to withstand attacks from a threat agent and not violate the security policy, it is said to be exhibiting which of the following attributes of software assurance?
Answer
  • Reliability
  • Resiliency.
  • Recoverability
  • Redundancy.

Question 41

Question
Infinite loops and improper memory calls are often known to cause threats to which of the following?
Answer
  • Availability.
  • Authentication.
  • Authorization.
  • Accountability.

Question 42

Question
Which of the following is used to communicate and enforce availability requirements of the business or client?
Answer
  • Non-Disclosure Agreement (NDA).
  • Corporate Contract.
  • Service Level Agreements (SLA).
  • Threat model.

Question 43

Question
Software security requirements that are identified to protect against disclosure of data to unauthorized users are otherwise known as
Answer
  • integrity requirements
  • authorization requirements
  • confidentiality requirements.
  • non-repudiation requirements.

Question 44

Question
The requirements that assure reliability and prevent alterations are to be identified in which section of the software requirements specification (SRS) documentation?
Answer
  • Confidentiality.
  • Integrity.
  • Availability.
  • Accountability

Question 45

Question
Which of the following is a covert mechanism that assures confidentiality?
Answer
  • Encryption.
  • Steganography.
  • Hashing.
  • Masking.

Question 46

Question
As a means to assure confidentiality of copyright information, the security analyst identifies the requirement to embed information inside another digital audio, video or image signal. This is commonly referred to as
Answer
  • Encryption.
  • Hashing.
  • Licensing
  • Watermarking.

Question 47

Question
Checksum validation can be used to satisfy which of the following requirements?
Answer
  • Confidentiality.
  • Integrity.
  • Availability
  • Authentication.

Question 48

Question
A Requirements Traceability Matrix (RTM) that includes security requirements can be used for all of the following EXCEPT
Answer
  • Ensure scope creep does not occur
  • Validate and communicate user requirements
  • Determine resource allocations
  • Identifying privileged code sections

Domain 3

Question 49

Question
During which phase of the software development lifecycle (SDLC) is threat modeling initiated?
Answer
  • Requirements analysis
  • Design
  • Implementation
  • Deployment

Question 50

Question
Certificate Authority, Registration Authority, and Certificate Revocation Lists are all part of which of the following?
Answer
  • Advanced Encryption Standard (AES)
  • Steganography
  • Public Key Infrastructure (PKI)
  • Lightweight Directory Access Protocol (LDAP)

Question 51

Question
The use of digital signatures has the benefit of providing which of the following that is not provided by symmetric key cryptographic design?
Answer
  • Speed of cryptographic operations
  • Confidentiality assurance
  • Key exchange
  • Non-repudiation

Question 52

Question
When passwords are stored in the database, the best defense against disclosure attacks can be accomplished using
Answer
  • encryption.
  • masking.
  • hashing.
  • obfuscation.

Question 53

Question
Nicole is part of the ‘author’ role and is also included in the ‘approver’ role, allowing her to approve her own articles before they are posted on the company blog site. This violates the principle of
Answer
  • least privilege.
  • least common mechanisms.
  • economy of mechanisms.
  • separation of duties

Question 54

Question
The primary reason for designing Single Sign On (SSO) capabilities is to
Answer
  • increase the security of authentication mechanisms
  • simplify user authentication.
  • have the ability to check each access request
  • allow for interoperability between wireless and wired networks.

Question 55

Question
Database triggers are PRIMARILY useful for providing which of the following detective software assurance capabilities?
Answer
  • Availability
  • Authorization.
  • Auditing.
  • Archiving

Question 56

Question
During a threat modeling exercise, the software architecture is reviewed to identify
Answer
  • attackers.
  • business impact.
  • critical assets
  • entry points.

Question 57

Question
A Man-in-the-Middle (MITM) attack is PRIMARILY an expression of which of the following types of threat?
Answer
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure

Question 58

Question
IPSec technology, which helps in the secure transmission of information, operates in which layer of the Open Systems Interconnect (OSI) model?
Answer
  • Transport.
  • Network
  • Session.
  • Application.

Question 59

Question
When internal business functionality is abstracted into service oriented, contract based interfaces, it is PRIMARILY used to provide for
Answer
  • interoperability.
  • authentication.
  • authorization.
  • installation ease.

Question 60

Question
At which layer of the Open Systems Interconnect (OSI) model must security controls be designed to effectively mitigate side channel attacks?
Answer
  • Transport
  • Network
  • Data link
  • Physical

Question 61

Question
Which of the following software architectures is effective in distributing the load between the client and the server, but, since it makes the client part of the threat vectors, increases the attack surface?
Answer
  • Software as a Service (SaaS).
  • Service Oriented Architecture (SOA).
  • Rich Internet Application (RIA).
  • Distributed Network Architecture (DNA).

Question 62

Question
When designing software to work in a mobile computing environment, the Trusted Platform Module (TPM) chip can be used to provide which of the following types of information?
Answer
  • Authorization.
  • Identification.
  • Archiving
  • Auditing.

Question 63

Question
When two or more trivial pieces of information are brought together with the aim of gleaning sensitive information, it is referred to as what type of attack?
Answer
  • Injection.
  • Inference.
  • Phishing.
  • Polyinstantiation.

Question 64

Question
The inner workings and internal structure of backend databases can be protected from disclosure using
Answer
  • triggers.
  • normalization.
  • views.
  • encryption

Question 65

Question
Choose the BEST answer. Configurable settings for logging exceptions, auditing and credential management must be part of
Answer
  • database views.
  • security management interfaces.
  • global files.
  • exception handling.

Question 66

Question
The token that is PRIMARILY used for authentication purposes in a Single Sign On (SSO) implementation between two different companies is
Answer
  • Kerberos
  • Security Assertion Markup Language (SAML)
  • Liberty alliance ID-FF
  • One Time password (OTP)

Question 67

Question
Syslog implementations require which additional security protection mechanism to mitigate disclosure attacks?
Answer
  • Unique session identifier generation and exchange.
  • Transport Layer Security.
  • Digital Rights Management (DRM)
  • Data Loss Prevention.

Question 68

Question
Rights and privileges for a file can be granularly granted to each client using which of the following technologies?
Answer
  • Data Loss Prevention (DLP).
  • Software as a Service (SaaS)
  • Flow control
  • Digital Rights Management (DRM)

Question 69

Question
Which of the following is known to circumvent the ring protection mechanisms in operating systems?
Answer
  • Cross Site Request Forgery (CSRF)
  • Cold boot
  • SQL Injection
  • Rootkit

Question 70

Question
When the software is designed using Representational State Transfer (REST) architecture, it promotes which of the following good programming practices?
Answer
  • High Cohesion
  • Low Cohesion
  • Tight Coupling
  • Loose Coupling

Question 71

Question
Which of the following components of the Java architecture is primarily responsible for ensuring type consistency and safety and for assuring that there are no malicious instructions in the code?
Answer
  • Garbage collector
  • Class Loader
  • Bytecode Verifier
  • Java Security Manager

Question 72

Question
The primary security concern when implementing cloud applications is related to
Answer
  • Insecure APIs
  • Data leakage and/or loss
  • Abuse of computing resources
  • Unauthorized access

Question 73

Question
The predominant form of malware that infects mobile apps is
Answer
  • Virus
  • Ransomware
  • Worm
  • Spyware

Question 74

Question
Most Supervisory Control And Data Acquisition (SCADA) systems are susceptible to software attacks because
Answer
  • they were not initially implemented with security in mind
  • the skills of a hacker have increased significantly
  • the data that they collect are of top secret classification
  • the firewalls that are installed in front of these devices have been breached.

Domain 4

Question 75

Question
Software developers write software programs PRIMARILY to
Answer
  • create new products
  • capture market share
  • solve business problems
  • mitigate hacker threats

Question 76

Question
The process of combining the necessary functions, variables and dependency files and libraries required for the machine to run the program is referred to as
Answer
  • compilation
  • interpretation
  • linking
  • instantiation

Question 77

Question
Which of the following is an important consideration to manage memory and mitigate overflow attacks when choosing a programming language?
Answer
  • Locality of reference
  • Type safety
  • Cyclomatic complexity
  • Parametric polymorphism

Question 78

Question
Assembly and machine language are examples of
Answer
  • natural language
  • very high-level language (VHLL)
  • high-level language (HLL)
  • low-level language

Question 79

Question
Using multifactor authentication is effective in mitigating which of the following application security risks?
Answer
  • Injection flaws
  • Cross-Site Scripting (XSS)
  • Buffer overflow
  • Man-in-the-Middle (MITM)

Question 80

Question
Impersonation attacks such as Man-in-the-Middle (MITM) attacks in an Internet application can be BEST mitigated using proper
Answer
  • Configuration Management.
  • Session Management.
  • Patch Management.
  • Exception Management.

Question 81

Question
Implementing Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) protection is a means of defending against
Answer
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Insecure cryptographic storage

Question 82

Question
The findings of a code review indicate that cryptographic operations in the code use the Rijndael cipher, which is the original publication of which of the following algorithms?
Answer
  • Skipjack
  • Data Encryption Standard (DES)
  • Triple Data Encryption Standard (3DES)
  • Advanced Encryption Standard (AES)

Question 83

Question
Which of the following transport layer technologies can BEST mitigate session hijacking and replay attacks in a local area network (LAN)?
Answer
  • Data Loss Prevention (DLP)
  • Internet Protocol Security (IPSec)
  • Secure Sockets Layer (SSL)
  • Digital Rights Management (DRM)

Question 84

Question
Verbose error messages and unhandled exceptions can result in which of the following software security threats?
Answer
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure

Question 85

Question
Code signing can provide all of the following EXCEPT
Answer
  • Anti-tampering protection
  • Authenticity of code origin
  • Runtime permissions for code
  • Authentication of users

Question 86

Question
When an attacker uses the delay in error messages between successful and unsuccessful query probes, he is using which of the following side channel techniques to detect injection vulnerabilities?
Answer
  • Distant observation
  • Cold boot
  • Power analysis
  • Timing

Question 87

Question
When the code is not allowed to access memory at arbitrary locations that are outside the range of the memory address space belonging to the object’s publicly exposed fields, it is referred to as which of the following types of code?
Answer
  • Object code
  • Type safe code
  • Obfuscated code
  • Source code

Question 88

Question
When the runtime permissions of the code are defined as security attributes in the metadata of the code, it is referred to as
Answer
  • imperative syntax security
  • declarative syntax security
  • code signing
  • code obfuscation

Question 89

Question
When an all-or-nothing approach to code access security is not possible and business rules and permissions need to be set and managed more granularly, inline within code functions and modules, a programmer can leverage which of the following?
Answer
  • Cryptographic agility
  • Parametric polymorphism
  • Declarative security
  • Imperative security

Question 90

Question
An understanding of which of the following programming concepts is necessary to protect against memory manipulation buffer overflow attacks? Choose the BEST answer.
Answer
  • Error handling
  • Exception management
  • Locality of reference
  • Generics

Question 91

Question
Exploit code attempts to take control of dangling pointers, which
Answer
  • are references to memory locations of destroyed objects.
  • is the non-functional code that is left behind in the source.
  • is the payload code that the attacker uploads into memory to execute.
  • are references in memory locations that are used prior to being initialized.

Question 92

Question
Which of the following is a feature of most recent operating systems (OS) that makes it difficult for an attacker to guess the memory address of the program, as it makes the memory address different each time the program is executed?
Answer
  • Data Execution Prevention (DEP)
  • Executable Space Protection (ESP)
  • Address Space Layout Randomization (ASLR)
  • Safe Security Exception Handler (/SAFESEH)

Question 93

Question
When the source code is made obscure using special programs in order to make the code difficult to read when disclosed, the code is also known as
Answer
  • object code
  • obfuscated code.
  • encrypted code.
  • hashed code.

Question 94

Question
The ability to track ownership and changes in code, and to roll back changes, is possible because of which of the following configuration management processes?
Answer
  • Version control
  • Patching
  • Audit logging
  • Change control

Question 95

Question
The MAIN benefit of statically analyzing code is that
Answer
  • runtime behavior of code can be analyzed.
  • business logic flaws are more easily detectable.
  • the analysis is performed in a production or production-like environment
  • errors and vulnerabilities can be detected earlier in the life cycle.

Question 96

Question
Cryptographic protection includes all of the following EXCEPT
Answer
  • encryption of data when it is processed.
  • hashing of data when it is stored.
  • hiding of data within other media objects when it is transmitted.
  • masking of data when it is displayed.

Question 97

Question
Replacing the Primary Account Number (PAN) with random or pseudo-random symbols that are uniquely identifiable while still assuring privacy is also known as
Answer
  • Fuzzing
  • Tokenization
  • Encoding
  • Canonicalization

Question 98

Question
Which of the following is an implementation of the principle of least privilege?
Answer
  • Sandboxing
  • Tokenization
  • Versioning
  • Concurrency

Domain 5

Question 99

Question
The ability of the software to restore itself to expected functionality when the security protection that is built in is breached is also known as
Answer
  • redundancy.
  • recoverability.
  • resiliency.
  • reliability.

Question 100

Question
In which of the following software development methodologies does unit testing enable collective code ownership and is critical to assure software assurance?
Answer
  • Waterfall
  • Agile
  • Spiral
  • Prototyping

Question 101

Question
Which of the secure design principles is promoted when test harnesses are used?
Answer
  • Least privilege
  • Separation of duties
  • Leveraging existing components
  • Psychological acceptability

Question 102

Question
The use of IF-THEN rules is characteristic of which of the following types of software testing?
Answer
  • Logic
  • Scalability
  • Integration
  • Unit

Question 103

Question
The implementation of secure features such as complete mediation and data replication needs to undergo which of the following types of test to ensure that the software meets the service level agreements (SLA)?
Answer
  • Stress
  • Unit
  • Integration
  • Regression

Question 104

Question
Tests that are conducted to determine the breaking point of the software, after which the software will no longer be functional, are characteristic of which of the following types of software testing?
Answer
  • Regression
  • Stress
  • Integration
  • Simulation

Question 105

Question
Which of the following tools or techniques can be used to facilitate the white box testing of software for insider threats?
Answer
  • Source code analyzers
  • Fuzzers
  • Banner grabbing software
  • Scanners

Question 106

Question
When very limited or no knowledge of the software is made known to the software tester before she can test for its resiliency, it is characteristic of which of the following types of security tests?
Answer
  • White box
  • Black box
  • Clear box
  • Glass box

Question 107

Question
Penetration testing must be conducted with properly defined
Answer
  • rules of engagement.
  • role based access control mechanisms
  • threat models.
  • use cases

Question 108

Question
Testing for the randomness of session identifiers and the presence of auditing capabilities provides the software team insight into which of the following security controls?
Answer
  • Availability
  • Authentication.
  • Non-repudiation.
  • Authorization.

Question 109

Question
Disassemblers, debuggers and decompilers can be used by security testers to PRIMARILY determine which of the following types of coding vulnerabilities?
Answer
  • Injection flaws
  • Lack of reverse engineering protection.
  • Cross-Site Scripting.
  • Broken session management.

Question 110

Question
When reporting a software security defect in the software, which of the following also needs to be reported so that variance from the intended behavior of the software can be determined?
Answer
  • Defect identifier
  • Title
  • Expected results
  • Tester name

Question 111

Question
An attacker analyzes the response from the web server, which indicates that its version is Microsoft Internet Information Server 6.0 (Microsoft-IIS/6.0), but none of the IIS exploits that the attacker attempts to execute on the web server are successful. Which of the following is the MOST probable security control that is implemented?
Answer
  • Hashing
  • Cloaking
  • Masking
  • Watermarking

Question 112

Question
Smart fuzzing is characterized by injecting
Answer
  • truly random data without any consideration for the data structure.
  • variations of data structures that are known.
  • data that get interpreted as commands by a backend interpreter
  • scripts that are reflected and executed on the client browser.

Question 113

Question
Which of the following is the MOST important to ensure, as part of security testing, when the software is forced to fail? Choose the BEST answer.
Answer
  • Normal operational functionality is not restored automatically.
  • Access to all functionality is denied.
  • Confidentiality, integrity and availability are not adversely impacted.
  • End users are adequately trained and self help is made available for the end user to fix the error on their own.

Question 114

Question
Timing and synchronization issues such as race conditions and resource deadlocks can be MOST LIKELY identified by which of the following tests? Choose the BEST answer.
Answer
  • Integration
  • Stress
  • Unit
  • Regression

Question 115

Question
The PRIMARY objective of resiliency testing of software is to determine
Answer
  • the point at which the software will break.
  • if the software can restore itself to normal business operations.
  • the presence and effectiveness of risk mitigation controls.
  • how a blackhat would circumvent access control mechanisms.

Question 116

Question
The ability of the software to withstand attempts by attackers who intend to breach the security protection that is built in is also known as
Answer
  • redundancy.
  • recoverability.
  • resiliency.
  • reliability.

Question 117

Question
Driver- and stub-based programming is useful to conduct which of the following tests?
Answer
  • Integration
  • Regression
  • Unit
  • Penetration

Question 118

Question
Assurance that the software meets the expectations of the business as defined in the service level agreements (SLAs) can be demonstrated by which of the following types of tests?
Answer
  • Unit
  • Integration
  • Performance
  • Regression

Question 119

Question
Vulnerability scans are used to
Answer
  • measure the resiliency of the software by attempting to exploit weaknesses.
  • detect the presence of loopholes and weaknesses in the software.
  • detect the effectiveness of security controls that are implemented in the software.
  • measure the skills and technical know-how of the security tester.

Question 120

Question
In the context of test data management, when a transaction which serves no business purpose is tested, it is referred to as what kind of transaction?
Answer
  • Non-synthetic
  • Synthetic
  • Useless
  • Discontinuous

Question 121

Question
As part of the test data management strategy, when a criterion is applied to export selective information from a production system to the test environment, it is also referred to as
Answer
  • Subletting
  • Filtering
  • Validation
  • Subsetting

Question 122

Domain 6

Question
Your organization has a policy to attest the security of any software that will be deployed into the production environment. A third-party vendor's software is being evaluated for its readiness to be deployed. Which of the following verification and validation mechanisms can be employed to attest the security of the vendor’s software?
Answer
  • Source code review
  • Threat modeling the software
  • Black box testing
  • Structural analysis

Question 123

Question
To meet the goals of software assurance, when accepting software, the acquisition phase MUST include processes to
Answer
  • verify that installation guides and training manuals are provided.
  • assess the presence and effectiveness of protection mechanisms.
  • validate vendor’s software products.
  • assist the vendor in responding to the request for proposals.

Question 124

Question
The process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of the phase is referred to as
Answer
  • verification
  • validation
  • authentication
  • authorization

Question 125

Question
When verification activities are used to determine if the software is functioning as it is expected to, it provides insight into which of the following aspects of software assurance?
Answer
  • Redundancy
  • Reliability
  • Resiliency
  • Recoverability

Question 126

Question
When procuring software, the purchasing company can request the evaluation assurance levels (EALs) of the software product, which are determined using which of the following evaluation methodologies?
Answer
  • Operationally Critical Assets Threats and Vulnerability Evaluation® (OCTAVE)
  • Security Quality Requirements Engineering (SQUARE)
  • Common Criteria
  • Comprehensive, Lightweight Application Security Process (CLASP)

Question 127

Question
The FINAL activity in the software acceptance process is the go/no-go decision, which can be determined using
Answer
  • regression testing.
  • integration testing.
  • unit testing.
  • user acceptance testing.

Question 128

Question
Management’s formal acceptance of the system after an understanding of the residual risks to that system in the computing environment is also referred to as
Answer
  • patching.
  • hardening.
  • certification.
  • accreditation.

Question 129

Question
You determine that legacy software running in your computing environment is susceptible to Cross-Site Request Forgery (CSRF) attacks because of the way it manages sessions. The business needs to continue using this software, but you do not have the source code available to implement security controls in code as a mitigation measure against CSRF attacks. What is the BEST course of action to undertake in such a situation?
Answer
  • Avoid the risk by forcing the business to discontinue use of the software.
  • Accept the risk with a documented exception.
  • Transfer the risk by buying insurance.
  • Ignore the risk since it is legacy software

Question 130

Question
As part of the accreditation process, the residual risk of software evaluated for deployment must be accepted formally by the
Answer
  • board members and executive management
  • business owner.
  • information technology (IT) management
  • security organization

Question 131

Domain 7

Question
When software that worked without any issues in the test environments fails to work in the production environment, it is indicative of
Answer
  • inadequate integration testing
  • incompatible environment configurations.
  • incomplete threat modeling.
  • ignored code review

Question 132

Question
Which of the following is not a characteristic of good security metrics?
Answer
  • Quantitatively expressed
  • Objectively expressed
  • Contextually relevant
  • Collected manually

Question 133

Question
Removal of maintenance hooks, debugging code and flags, and unneeded documentation before deployment are all examples of software
Answer
  • hardening
  • patching.
  • reversing.
  • obfuscation.

Question 134

Question
Which of the following has the goal of ensuring that the resiliency levels of software are always above the acceptable risk threshold as defined by the business post-deployment?
Answer
  • Threat modeling.
  • Code review.
  • Continuous monitoring.
  • Regression testing.

Question 135

Question
Logging application events such as failed login attempts, sales price updates and user role configuration for audit review at a later time is an example of which of the following types of security control?
Answer
  • Preventive
  • Corrective
  • Compensating
  • Detective

Question 136

Question
When a compensating control is to be used, the Payment Card Industry Data Security Standard (PCI DSS) prescribes that the compensating control must meet all of the following guidelines EXCEPT
Answer
  • Meet the intent and rigor of the original requirement.
  • Provide an increased level of defense than the original requirement
  • Be implemented as part of a defense in depth measure.
  • Be commensurate with the additional risk imposed by not adhering to the requirement

Question 137

Question
Versioning, back-ups, and check-in and check-out practices are all important components of
Answer
  • Patch management
  • Release management
  • Problem management
  • Incident management

Question 138

Question
Software that is deployed in a high-trust environment, such as the environment within the organizational firewall, when not continuously monitored is MOST susceptible to which of the following types of security attacks? Choose the BEST answer.
Answer
  • Distributed Denial of Service (DDoS)
  • Malware
  • Logic Bombs
  • DNS poisoning

Question 139

Question
Bastion host systems can be used to continuously monitor the security of the computing environment when used in conjunction with intrusion detection systems (IDS) and which other security control?
Answer
  • Authentication.
  • Authorization.
  • Archiving.
  • Auditing.

Question 140

Question
The FIRST step in the incident response process for a reported breach is to
Answer
  • notify management of the security breach.
  • research the validity of the alert or event further
  • inform potentially affected customers of a potential breach.
  • conduct an independent third party evaluation to investigate the reported breach.

Question 141

Question
Which of the following is the BEST recommendation to champion security objectives within the software development organization?
Answer
  • Informing the developers that they could lose their jobs if their software is breached.
  • Informing management that the organizational software could be hacked.
  • Informing the project team about the recent breach of the competitor’s software.
  • Informing the development team that there should be no injection flaws in the payroll application.

Question 142

Question
Which of the following independent processes provides insight into the presence and effectiveness of security and privacy controls and is used to determine the organization’s compliance with regulatory and governance (policy) requirements?
Answer
  • Penetration testing
  • Audits
  • Threat modeling
  • Code review

Question 143

Question
The process of using regular expressions to parse audit logs into information that indicates security incidents is referred to as
Answer
  • correlation.
  • normalization.
  • collection.
  • visualization.

Question 144

Question
The FINAL stage of the incident management process is
Answer
  • detection.
  • containment.
  • eradication
  • recovery

Question 145

Question
Problem management aims to improve the value of Information Technology to the business because it improves service by
Answer
  • restoring service to the expectation of the business user
  • determining the alerts and events that need to be continuously monitored.
  • depicting incident information in easy to understand user friendly format.
  • identifying and eliminating the root cause of the problem

Question 146

Question
The process of releasing software to fix a recently reported vulnerability without introducing any new features or changing the hardware configuration is referred to as
Answer
  • versioning.
  • hardening.
  • patching.
  • porting.

Question 147

Question
Fishbone diagramming is a mechanism that is PRIMARILY used for which of the following processes?
Answer
  • Threat modeling
  • Requirements analysis.
  • Network deployment.
  • Root cause analysis.

Question 148

Question
As a means to assure the availability of the existing software functionality after the application of a patch, the patch needs to be tested for
Answer
  • the proper functioning of new features
  • cryptographic agility
  • backward compatibility.
  • the enabling of previously disabled services

Question 149

Question
Which of the following policies needs to be established to securely dispose of software and its associated data and documents?
Answer
  • End-of-life.
  • Vulnerability management.
  • Privacy.
  • Data classification.

Question 150

Question
Discontinuing software with known vulnerabilities in favor of a newer version is an example of risk
Answer
  • mitigation.
  • transference.
  • acceptance.
  • avoidance.

Question 151

Question
Printer ribbons, facsimile transmissions and printed information, when not securely disposed of, are susceptible to disclosure attacks by which of the following threat agents? Choose the BEST answer.
Answer
  • Malware
  • Dumpster divers
  • Social engineers
  • Script kiddies.

Question 152

Question
System resources can be protected from malicious file execution attacks by uploading the user-supplied file and running it in which of the following environments?
Answer
  • Honeypot
  • Sandbox
  • Simulated
  • Production

Question 153

Question
As a means to demonstrate the improvement in the security of code that is developed, one must compute the relative attack surface quotient (RASQ)
Answer
  • at the end of development phase of the project
  • before and after the code is implemented.
  • before and after the software requirements are complete.
  • at the end of the deployment phase of the project.

Question 154

Question
Modifications to data directly in the database by developers must be prevented by
Answer
  • periodically patching database servers
  • implementing source code version control.
  • logging all database access requests.
  • proper change control management.

Question 155

Question
Which of the following documents is the BEST source for containing damage and needs to be referred to and consulted upon the discovery of a security breach?
Answer
  • Disaster Recovery Plan.
  • Project Management Plan.
  • Incident Response Plan.
  • Quality Assurance and Testing Plan.

Question 156

Domain 8

Question
The increased need for security in the software supply chain is PRIMARILY attributed to
Answer
  • cessation of development activities within a company
  • increase in the number of foreign trade agreements
  • incidences of malicious code and logic found in acquired software
  • decrease in the trust of consumers on software developed within a company.

Question 157

Question
Which phase of the acquisition life cycle involves the issuance of advertisements to source and evaluate suppliers?
Answer
  • Contracting
  • Planning
  • Development
  • Delivery (Handover)

Question 158

Question
Predictable execution means that the software demonstrates all of the following qualities EXCEPT?
Answer
  • Authenticity
  • Conformance
  • Authorization
  • Trustworthiness

Question 159

Question
Which of the following is a process threat in the software supply chain?
Answer
  • Counterfeit software
  • Insecure code transfer
  • Subornation
  • Piracy

Question 160

Question
In the context of the software supply chain, the principle of persistent protection is also known as
Answer
  • End-to-end encryption
  • Location agnostic protection
  • Locality of reference
  • Cryptographic agility

Question 161

Question
In pre-qualifying a supplier, which of the following must be assessed to ensure that the supplier can provide timely updates and hotfixes when an exploitable vulnerability in their software is reported?
Answer
  • Foreign ownership and control or influence
  • Security track record
  • Security knowledge of the supplier’s personnel
  • Compliance with security policies, regulatory and privacy requirements.

Question 162

Question
Which of the following can provide insight into the effectiveness and efficiency of the supply chain processes as they pertain to assuring trust and software security?
Answer
  • Key Performance Indicators (KPI)
  • Relative Attack Surface Quotient (RASQ)
  • Maximum Tolerable Downtime (MTD)
  • Requirements Traceability Matrix (RTM)

Question 163

Question
Which of the following contains the security requirements and the evidence needed to prove that the acquirer's requirements are met as expected?
Answer
  • Software Configuration Management Plan
  • Minimum Security Baseline
  • Service Level Agreements
  • Assurance Plan

Question 164

Question
The difference between disclaimer-based protection and contracts-based protection is that
Answer
  • Contracts-based protection is mutual.
  • Disclaimer-based protection is mutual
  • Contracts-based protection is done by one-sided notification of terms
  • Disclaimer-based protection is legally binding.

Question 165

Question
Software programs, database models and images on a website can be protected using which of the following legal instruments?
Answer
  • Patents
  • Copyright
  • Trademarks
  • Trade secret

Question 166

Question
You find out that employees in your company have been downloading software files and sharing them using peer-to-peer torrent networks. These software files are not free and need to be purchased from their respective manufacturers. Your employees are violating
Answer
  • Trade secrets
  • Trademarks
  • Patents
  • Copyrights

Question 167

Question
Which of the following legal instruments assures the confidentiality of software programs, processing logic, database schemas, internal organizational business processes and client lists?
Answer
  • Standards
  • Non-Disclosure Agreements (NDA)
  • Service Level Agreements (SLA)
  • Trademarks

Question 168

Question
When the source code of Commercial Off-The-Shelf (COTS) software is escrowed and released under a free software or open source license once the original developer (or supplier) no longer continues to develop that software, that software is referred to as
Answer
  • Trialware
  • Demoware
  • Ransomware
  • Freeware

Question 169

Question
Improper implementation of validity periods using length-of-use checks in code can result in which of the following types of security issues for legitimate users?
Answer
  • Tampering
  • Denial of Service
  • Authentication bypass
  • Spoofing

Question 170

Question
Your organization’s software is published as a trial version without any functionality restricted from the paid version. Which of the following MUST be designed and implemented to ensure that customers who have not purchased the software are limited in the availability of the software?
Answer
  • Disclaimers
  • Licensing
  • Validity periods
  • Encryption

Question 171

Question
When must the supplier inform the acquirer of any applicable export control and foreign trade regulatory requirements in the countries of export and import?
Answer
  • Before delivery (handover)
  • Before code inspection.
  • After deployment.
  • Before retirement.

Question 172

Question
The disadvantage of using open source software from a security standpoint is
Answer
  • Only the original publisher of the source code can modify the code
  • Open source software is not supported and maintained by mature companies or communities.
  • The attacker can look into the source code to determine its exploitability.
  • Open source software can only be purchased using a piece-meal approach.

Question 173

Question
Which of the following is the most important security testing process that validates and verifies the integrity of software code, components and configurations in a software security chain?
Answer
  • Threat modeling
  • Fuzzing
  • Penetration testing
  • Code review

Question 174

Question
Which of the following is LEAST likely to be detected using a code review process?
Answer
  • Backdoors
  • Logic Bombs
  • Logic Flaws
  • Trojan horses

Question 175

Question
Which of the following security principles is LEAST related to the securing of code repositories?
Answer
  • Least privilege
  • Access Control
  • Auditing
  • Open Design

Question 176

Question
The integrity of build tools and the build environment is necessary to protect against
Answer
  • spoofing
  • tampering
  • disclosure
  • denial of service

Question 177

Question
Which of the following kinds of security testing tool detects the presence of vulnerabilities through disassembly and pattern recognition?
Answer
  • Source code scanners
  • Binary code scanners
  • Byte code scanners
  • Compliance validators

Question 178

Question
When software is developed by multiple suppliers, the genuineness of the software can be attested using which of the following processes?
Answer
  • Code review
  • Code signing
  • Encryption
  • Code scanning

Question 179

Question
Which of the following must be controlled during the handoff of software from one supplier to the next, so that no unauthorized tampering with the software can be done?
Answer
  • Chain of custody
  • Separation of privileges
  • System logs
  • Application data

Question 180

Question
Which of the following risk management concepts is demonstrated when using code escrows?
Answer
  • Avoidance
  • Transference
  • Mitigation
  • Acceptance

Question 181

Question
Which of the following types of testing is crucial to conduct to determine single points of failure in a System-of-Systems (SoS)?
Answer
  • Unit
  • Integration
  • Regression
  • Logic

Question 182

Question
When software is handed from one supplier to the next, which of the following operational processes needs to be in place so that the supplier from whom the software is acquired can no longer modify the software?
Answer
  • Runtime integrity assurance
  • Patching
  • Termination Access Control
  • Custom Code Extension Checks
