When designing an object-oriented model, which of the following situations is ideal?
Which of the following is a common way that attackers leverage botnets?
Which one of the following statements is not true about code review?
Harold’s company has a strong password policy that requires a minimum length of 12 characters and the use of both alphanumeric characters and symbols. What technique would be the most effective way for an attacker to compromise passwords in Harold’s organization?
Which process is responsible for ensuring that changes to software include acceptance testing?
Which one of the following attack types attempts to exploit the trust relationship that a user’s browser has with other websites by forcing the submission of an authenticated request to a third-party site?
When using the SDLC, which one of these steps should you take before the others?
Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message shown here. What state has this computer entered?
Which one of the following is not a goal of software threat modeling?
In the diagram shown here, which is an example of a method?
Which one of the following is considered primary storage?
Which one of the following testing methodologies typically works without access to source code?
The web application that Lucca built has a flaw that causes users who are logged in to be able to take actions they should not be able to in their role. What type of security vulnerability should this be classified as?
Bobby is investigating how an authorized database user is gaining access to information outside his normal clearance level. Bobby believes that the user is making use of a type of function that summarizes data. What term describes this type of function?
Which one of the following controls would best protect an application against buffer overflow attacks?
Berta is analyzing the logs of the Windows Firewall on one of her servers and comes across the entries shown in this figure. What type of attack do these entries indicate?
What phase of the SW-CMM should Robert report as the current status of Acme Widgets?
Robert is working with Acme Widgets on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?
What phase of the SW-CMM should Robert report as the current status of Beta Particles?
Robert is also working with Beta Particles on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?
Which one of the following database keys is used to enforce referential integrity relationships between tables?
Which one of the following files is most likely to contain a macro virus?
Victor created a database table that contains information on his organization’s employees. The table contains the employee’s user ID, three different telephone number fields (home, work, and mobile), the employee’s office location, and the employee’s job title. There are 16 records in the table. What is the degree of this table?
Carrie is analyzing the application logs for her web-based application and comes across the following string:
../../../../../../../../../etc/passwd
What type of attack was likely attempted against Carrie’s application?
When should a design review take place when following an SDLC approach to software development?
Tracy is preparing to apply a patch to her organization’s enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?
What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner?
Victor recently took a new position at an online dating website and is responsible for leading a team of developers. He realized quickly that the developers are having issues with production code because they are working on different projects that result in conflicting modifications to the production code. What process should Victor invest in improving?
What type of database security issue exists when a collection of facts has a higher classification than the classification of any of those facts standing alone?
What are the two types of covert channels that are commonly exploited by attackers seeking to surreptitiously exfiltrate information?
Vivian would like to hire a software tester to come in and evaluate a new web application from a user’s perspective. Which of the following tests best simulates that perspective?
Referring to the database transaction shown here, what would happen if no account exists in the Accounts table with account number 1001?
What type of malware is characterized by spreading from system to system under its own power by exploiting vulnerabilities that do not require user intervention?
Kim is troubleshooting an application firewall that serves as a supplement to the organization’s network and host firewalls and intrusion prevention system, providing added protection against web-based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company?
What type of security issue arises when an attacker can deduce a more sensitive piece of information by analyzing several pieces of information classified at a lower level?
Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?
What vulnerability definitely exists on Linda’s message board?
What was the likely motivation of the user who posted the message on the forum containing this code?
Linda communicates with the vendor and determines that no patch is available to correct this vulnerability. Which one of the following devices would best help her defend the application against further attack?
In further discussions with the vendor, Linda finds that they are willing to correct the issue but do not know how to update their software. What technique would be most effective in mitigating the vulnerability of the application to this type of attack?
What property of relational databases ensures that once a database transaction is committed to the database, it is preserved?
Lauren wants to use software review process for the application she is working on. Which of the following processes would work best if she is a remote worker who works different hours from the rest of her team?
Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software?
Which one of the following types of software testing usually occurs last and is executed against test scenarios?
What type of requirement specifies what software must do by describing the inputs, behavior, and outputs of software?
Which of the following organizations is widely considered as the definitive source for information on web-based attack vectors?
If Chris is writing code for an application, what phase of the Agile process is he in?
Lisa is attempting to prevent her network from being targeted by IP spoofing attacks as well as preventing her network from being the source of those attacks. Which one of the following rules is NOT a best practice that Lisa can configure at her network border?
What type of attack is demonstrated in the following C programming language example?
int myarray[10];
myarray[10] = 8;
Which one of the following database issues occurs when one transaction writes a value to the database that overwrites a value that was needed by transactions with earlier precedence?
Which one of the following is the most effective control against session hijacking attacks?
Faith is looking at the /etc/passwd file on a system configured to use shadowed passwords. When she examines a line in the file for a user with interactive login permissions, what should she expect to see in the password field?
What type of vulnerability does a TOCTOU attack target?
While evaluating a potential security incident, Harry comes across a log entry from a web server request showing that a user entered the following input into a form field:
CARROT’&1=1;--
What type of attack was attempted?
Which one of the following is not an effective control against SQL injection attacks?
What type of project management tool is shown in the figure?
In what software testing technique does the evaluator retest a large number of scenarios each time that the software changes to verify that the results are consistent with a standard baseline?
Which one of the following conditions may make an application most vulnerable to a cross-site scripting (XSS) attack?
Roger is conducting a software test for a tax preparation application developed by his company. End users will access the application over the Web, but Roger is conducting his test on the back end, evaluating the source code on the web server. What type of test is Roger conducting?
Which of the following statements is true about heuristic-based antimalware software?
Martin is inspecting a system where the user reported unusual activity, including disk activity when the system is idle and abnormal CPU and network usage. He suspects that the machine is infected by a virus but scans come up clean. What malware technique might be in use here that would explain the clean scan results?
Tomas discovers a line in his application log that appears to correspond with an attempt to conduct a directory traversal attack. He believes the attack was conducted using URL encoding. The line reads:
%252E%252E%252F%252E%252E%252Fetc/passwd
What character is represented by the %252E value?
An attacker posted a message to a public discussion forum that contains an embedded malicious script that is not displayed to the user but executes on the user’s system when read. What type of attack is this?
Which one of the following is not a principle of the Agile software development process?
Match the numbered code testing methods to their lettered definition:
Code testing methods
Definitions
What are the two components of an expert system?
Neal is working with a DynamoDB database. The database is not structured like a relational database but allows Neal to store data using a key-value store. What type of database is DynamoDB?
In the transaction shown here, what would happen if the database failed in between the first and second update statements?
In the diagram shown here, which is an example of an attribute?
Which one of the following statements is true about software testing?
David is working on developing a project schedule for a software development effort, and he comes across the chart shown here. What type of chart is this?
Barry is a software tester who is working with a new gaming application developed by his company. He is playing the game on a smartphone to conduct his testing in an environment that best simulates a normal end user, but he is referencing the source code as he conducts his test. What type of test is Barry conducting?
Miguel recently completed a penetration test of the applications that his organization uses to handle sensitive information. During his testing, he discovered a condition where an attacker can exploit a timing condition to manipulate software into allowing him to perform an unauthorized action. Which one of the following attack types fits this scenario?
What part of the security review process are the input parameters shown in the diagram used for?
What application security process can be described in these three major steps?
Which one of the following approaches to failure management is the most conservative from a security perspective?
What software development model is shown in the figure?
Which of the following database keys is used by an RDBMS to uniquely identify each row in a database table?
Which one of the following change management processes is initiated by users rather than developers?
Which one of the following techniques is an effective countermeasure against some inference attacks?
Ursula is a government web developer who recently created a public application that offers property records. She would like to make it available for other developers to integrate into their applications. What can Ursula create to make it easiest for developers to call her code directly and integrate the output into their applications?
During what phase of the IDEAL model do organizations develop a specific plan of action for implementing change?
TJ is inspecting a system where the user reported a strange error message and the inability to access files. He sees the window shown in this figure. What type of malware should TJ suspect?
Charles is developing a mission-critical application that has a direct impact on human safety. Time and cost are less important than correctly functioning software. Which of the following software development methodologies should he choose given these requirements?
Which one of the following types of artificial intelligence attempts to use complex computations to replicate the partial function of the human mind?
At which level of the Software Capability Maturity Model (SW-CMM) does an organization introduce basic life-cycle management processes?
Lucas runs the accounting systems for his company. The morning after a key employee was fired, systems began mysteriously losing information. Lucas suspects that the fired employee tampered with the systems prior to his departure. What type of attack should Lucas suspect?
Which one of the following principles would not be favored in an Agile approach to software development?
What technique do API developers most commonly use to limit access to an API to authorized individuals and applications?
Which one of the following statements about malware is correct?
Which one of the following is the proper order of steps in the waterfall model of software development?
Which component of the database ACID model ensures that database transactions are an “all or nothing” affair?
Tom is writing a software program that calculates the sales tax for online orders placed from various jurisdictions. The application includes a user-defined field that allows the entry of the total sale amount. Tom would like to ensure that the data entered in this field is a properly formatted dollar amount. What technique should he use?
Match the following numbered terms to their lettered definitions:
Which of the following vulnerabilities might be discovered during a penetration test of a web-based application?
What approach to technology management integrates the three components of technology management shown in this illustration?
Which one of the following tools might an attacker use to best identify vulnerabilities in a targeted system?
Which one of the following database concurrency issues occurs when one transaction reads information that was written to a database by a second transaction that never committed?
What type of virus works by altering the system boot process to redirect the BIOS or UEFI firmware to load malware before the operating system loads?
What type of virus is characterized by the use of two or more different propagation mechanisms to improve its likelihood of spreading between systems?
What root security issue causes the following issues?
What application development method uses the cycle shown here?
Kathleen is reviewing the Ruby code shown here. What security technique is this code using?
Susan provides a public RESTful API for her organization’s data but wants to limit its use to trusted partners. She intends to use API keys. What other recommendation would you give Susan to limit the potential abuse of the service?
3.137.188.11