Questions from the following topics are included in this domain:
To pass the CISSP exam, you must score well in the Software Development Security domain. Domain 8 carries an 11% weighting on the exam and requires you to understand the software development life cycle (SDLC), development methodologies such as Agile and Waterfall, and change management.
A thorough understanding of security controls, and of when and where to apply them, is critical to passing the CISSP exam. Such controls include software configuration management, security orchestration, and code repositories. You must also understand the difference between dynamic and static testing.
Finally, you must understand the importance of securing software obtained from outside vendors. Acquired software includes application programming interfaces (APIs), commercial off-the-shelf (COTS) products, and even open source components. By default, all of these must go through the normal security evaluations.
A. Passive testing
B. Fuzzing
C. Static analysis
D. Dynamic analysis
A. Certificates
B. Non-repudiation
C. Defense in depth
D. Repudiation
A. A security design that preserves data integrity
B. A security design where all access is verified
C. A security design where a kernel protects the hardware
D. A security design that uses defense in depth
A. OSSTMM
B. OWASP
C. OEC
D. OCTAVE
A. Data anonymization
B. Data protection
C. Depersonalization
D. Safe harbor
A. Speed
B. Verifiable
C. Tamperproof
D. Complete mediation
A. Choice, data integrity, security
B. Verifiable, diverse, transferable
C. Openness, complexity, nonrepudiation
D. Encryption, availability, storage
A. Planning
B. Fuzzing
C. Design
D. Maintenance
A. Spiral
B. Scrum
C. Waterfall
D. Agile
A. Something you have
B. Something you are
C. Something you know
D. Something you need
A. Impact
B. Privacy
C. Sensitivity
D. Likelihood
A. MySQL database of cybersecurity books
B. LibreOffice spreadsheet of course authors
C. Log file of SCSI drive errors
D. XML file of customer names and phone numbers
A. Behavioral diagrams
B. Use cases
C. Application modeling
D. Misuse cases
A. Error-free code
B. Complete security functionality
C. Code is economical
D. Code sans change orders
A. Infinite loops
B. Input attacks
C. Race conditions
D. Memory leaks
A. Users entering an incorrect tax identification number
B. Lack of library support
C. Buffer overflows
D. Malware
A. A requirements traceability matrix
B. A Gantt chart
C. A Pareto chart
D. A PERT chart
A. All requirements
B. Poorly defined business requirements
C. Input validation
D. Security-related requirements
A. UML
B. NVD
C. DFD
D. CVE
A. Ensure that threat models are updated at each phase
B. Ensure the quality of security actions
C. Ensure the attack models are updated
D. Ensure all steps of the SDLC are followed
A. Complete the threat model documentation in the next phase.
B. The documentation can be skipped because development has tested positive.
C. Delay the process until the documentation is complete.
D. Apply for a waiver from the security team.
A. Cannot be observed
B. Items share the same rights, access, and identifiers
C. Items have the same access control list access
D. Items share identical user accounts
A. Security control model
B. Threat model
C. Bug database
D. Configuration file
A. Separation of duties
B. Leveraging existing components
C. Least common mechanism
D. Weakest link
A. Utilize the existing SSO management system.
B. Log exception data.
C. Implement exception management systems.
D. Create a management interface within the application.
A. An approach that minimizes the opportunity to be circumvented.
B. Layered security.
C. Integrates authentication and authorization.
D. An approach that uses defense in depth and least privilege.
A. Logging and audit data
B. Psychological acceptability
C. Separation of duties
D. Integrity and availability
A. Confidentiality
B. Integrity checking
C. Authentication
D. Authorization
A. Yagi
B. Zigbee
C. NFC
D. Omni-directional
A. REST
B. SOAP
C. RPC
D. RIA
A. JSON
B. CORBA
C. ESB
D. EDI
A. Persistence
B. Integrity checking
C. Encryption
D. Copy restriction
A. Interpreting
B. Dynamic linking
C. Early linking
D. Static linking
A. Lenovo
B. Java virtual machine (JVM)
C. Pascal
D. Android
A. Automation
B. Revision control
C. Isolation
D. Sandboxing
A. Garbage collection
B. Runs faster
C. Security
D. Error-free
A. Salt the hash.
B. Revert to MD5 hashing.
C. Use longer hash functions.
D. Triple hashing.
A. Static code analysis
B. Misuse case testing
C. Dynamic code analysis
D. Code review
A. Buffer overflow
B. Memory relocation
C. Data remanence
D. ASLR
A. SIEMs rank threats and generate alerts.
B. SOARs identify deviations from the baseline.
C. SIEMs aggregate data from multiple sources.
D. SOARs use automation to respond to threats.
A. TCB
B. SDLC
C. IPT
D. CMMI
A. Pascal
B. Git
C. Fortran
D. Java
A. Managing processes and tools for software builds
B. Conducting source code reviews
C. Defect-tracking back to the source
D. Ensuring that the configurations meet all your requirements
A. Continuous development
B. Continuous delivery
C. Continuous integration
D. Continuous installation
A. The application is written in a language prone to buffer overflows.
B. The developers are slow at releasing security patches.
C. The application has not been tested for input attacks.
D. The creator(s) have poor security software design policies.
A. Security as code
B. Software-defined security
C. Commercial-off-the-shelf (COTS)
D. Open source
A. APIs
B. Software versioning
C. Type-safe code
D. Cryptographic abilities
A. API is authentic
B. API is free of errors
C. API is published by LYI Corp
D. API integrity
A. Static analysis
B. Code review
C. Dynamic analysis
D. Code walkthrough
A. Unit testing
B. Performance testing
C. Dynamic testing
D. Attack surface area testing
A. Penetration testing
B. Sandbox testing
C. Simulation testing
D. Production testing
A. Creating new features
B. Responding to requests
C. Training
D. Getting the latest software development and testing tools
A. RNG
B. Secret encryption techniques
C. Encryption algorithms
D. Key distribution
A. SDLC process requirements
B. Bug bar
C. Trust boundaries
D. Security gates
A. Recoverability
B. Reliability
C. Restorability
D. Resilience
A. Buffer security check
B. Graphics speedup
C. Enable input validation
D. Graphics security
A. Type-safe code
B. Runs on one operating system
C. Faster execution
D. Improved memory management
A. Declarative programming describes which security principles to apply, but not how to do it.
B. Imperative programming techniques create applications with high portability.
C. Declarative programming uses a container-based approach to aid in security.
D. Imperative programming programs specific security features into an application.
A. Continuous integration and continuous delivery
B. Honeypot
C. Software-defined security
D. DevSecOps
A. Code review
B. Dynamic code analysis
C. Code identification
D. Static code analysis
A. The source code is visible by anyone in the world.
B. The operations department does not install version updates and patches in a timely manner.
C. The creator(s) of the application may not have used secure software development procedures.
D. The creator(s) decide to discontinue further development of the application.
A. The risk that management cannot track project activity
B. The risk that developers will reuse metrics before they are reassessed by management
C. The risk that developers do not understand the sprint process
D. The risk that high-priority bugs will go unresolved
A. Fairy
B. Canary
C. Sparrow
D. Gnome
A. RCS manages the software and the hardware hosting system.
B. SCM primarily focuses on application configurations, not source code.
C. RCS primarily focuses on application configurations, not source code.
D. SCM performs defect tracking, whereas RCS does not.
A. Compilers
B. Bug tracking
C. Code review
D. Personal repository
A. SOAR
B. IDS
C. IPS
D. Firewall
A. Work products are created collectively in standard work groups.
B. Consensus is essential in IPTs.
C. Work products are individually focused on standard work groups.
D. Teams delegate work in IPTs.
A. SQL injection
B. Directory traversal
C. Percentage injection
D. Buffer overflow
A. Availability
B. Encryption
C. Hashing
D. Software platforms
A. OSCP
B. GPG
C. PGP
D. X.509
A. MySQL
B. SAML
C. OpenID
D. OSCP
A. Linking
B. Compiling
C. GUI
D. Interpreting
A. Interoperability
B. Uniform testing framework
C. Modularity
D. Platform neutrality
A. Resource pooling
B. Provisionable
C. Broad network access
D. Measured service
A. Personal
B. Private
C. Hybrid
D. Community
A. Open design
B. Single point of failure
C. Least common mechanism
D. Fail safe
A. Governance, design, implementation, verification, operations
B. Governance, threat assessment, implementation, verification, operations
C. Strategy, threat assessment, secure build, architecture, incident management
D. Policy, secure requirements, deployment, testing, operations
A. Open design
B. Economy of mechanism
C. Complete mediation
D. Psychological acceptability
A. Never reuse code because it is poor practice.
B. Never reuse code because it brings bugs into the application.
C. Test and validate the reused code as if it were new code.
D. Never reuse code because it is inherently insecure.
A. Acceptance of the vulnerability
B. Encryption
C. Novel, state-of-the-art security controls
D. Commonly used standard corporate security controls
A. Accept the vulnerability.
B. Redesign to avoid vulnerabilities.
C. Modify the security requirement to disregard the threat.
D. Apply normal mitigation.
A. Single threading
B. Race windows
C. Atomic actions
D. Mutual exclusion
A. Security
B. Misuse case
C. Abuse case
D. Use case
A. JavaScript
B. Functional requirements
C. Security concerns
D. White box testing
A. Preserved
B. Personally identifiable information
C. Personal health information
D. Classified
A. Degaussing
B. Generation
C. Retention
D. Disposal
A. Audit risk
B. Control risk
C. Inherent risk
D. Detection risk
A. Internal requirements
B. External requirements
C. Customer requirements
D. Job requirements
A. Systems that control risk
B. Determine who is authorized to see specific data segments
C. Obtain error detection and correction
D. Ensure systems are available for authorized users
A. Bug bar
B. Attack surface analysis
C. Threat model
D. Fuzz testing framework
A. SMART
B. DREAD
C. STRIDE
D. Waterfall
A. Requirements
B. Security
C. Validation
D. Training
A. PII
B. PHI
C. PCI
D. PFI
A. Incomplete
B. Initial
C. Defined
D. Optimizing
A. GDPR
B. Safe harbor
C. FISMA
D. UNTC
A. Regulatory
B. Privacy
C. Encryption
D. Change management
A. Economy of mechanism
B. Simple security rule
C. Layered security
D. Least privilege
A. Defense in depth
B. Security through obscurity
C. Mutual authentication
D. Implicit deny
A. Weakest link
B. Leverage existing components
C. Separation of duties
D. Least common mechanism
A. Black box testing
B. Gray box testing
C. White box testing
Learn more here: https://web.ecs.syr.edu/~wedu/seed/Labs/Reference-Monitor/.
Reference: "OWASP Testing Guide", OWASP Foundation, p. 155, 2008, v3.0.
Learn more here: https://www.altexsoft.com/blog/soap-vs-rest-vs-graphql-vs-rpc/.
Reference: Software Configuration Management, Coordination for Team Productivity, W. A. Babich, Addison-Wesley, 1986.
Reference: Imperative, Declarative, Functional and Domain-Specific Programming… Oh My!, Patrick McCormick, SOS 20 Workshop, Los Alamos National Laboratory, March 2016.
Reference: "Integrated Project Team (IPT) Start-up Guide", Creekmore, Muscella, and Petrun, The MITRE Corporation, October 2008.
Reference: "Misuse Cases and Abuse Cases in Eliciting Security Requirements", Chin Wei, Department of Computer Science, University of Auckland, October 25, 2005.
Learn more here: https://www.microsoft.com/security/blog/2007/09/11/stride-chart/.
Learn more here: https://cmmiinstitute.com/learning/appraisals/levels.
Learn more here: https://us-cert.cisa.gov/bsi/articles/knowledge/principles/economy-of-mechanism.
Learn more here: https://us-cert.cisa.gov/ncas/tips/ST04-002.