Appendix B
Practice Exam
Q1. Your project involves streaming web conference content from your web servers to multiple endpoints. Because of the sensitive nature of the content, encryption is mandated. What would be the preferred algorithm?
A. 3DES
B. AES
C. RC4
D. MD5
Hint: What type of material is being encrypted and does it have any specific characteristics that are important to consider?
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.3 Cryptography
Answer: C. RC4 is a stream-based cipher, and the web conference traffic requires a stream cipher for performance reasons.
A, B, and D are incorrect. 3DES and AES are symmetric block ciphers, but are poor choices for streaming media channels. MD5 is a hash algorithm, not an encryption method.
Q2. Before using a public key of another entity, it is proper to check for revocation. What is the best way to accomplish this? Choose all that apply.
A. DNSSEC
B. CRL
C. OCSP
D. PKIX
Hint: How are key revocations handled automatically?
Reference: Chapter 11: Technologies
Objective: 11.2 Credential management
Answer: B and C. Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) are both integrated, automated methods for verifying certificate validity.
A and D are incorrect. A is only for DNS-type records, and D defeats the automated method, adds time, and in some cases, isn’t relevant.
Q3. WS-Security is:
A. A method of providing confidentiality for SOAP
B. A method of providing authentication, integrity, confidentiality, and non-repudiation for web services
C. The encryption of SOAP messages
D. A method of authenticating SOAP messages
Hint: WS-Security can provide a range of security-related functions.
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.2 Service-oriented architecture
Answer: B. WS-Security is just a collection of security mechanisms for signing, encrypting, and authenticating SOAP messages. Merely using WS-Security does not guarantee security; it must be properly configured to provide protection.
A, C, and D are incorrect. WS-Security is a mechanism for providing a wide range of security functionality with SOAP, not just confidentiality, authentication, and encryption services.
Q4. Passwords and sensitive elements such as keys are sought after by hackers—what is the best way to store these in application programs?
A. In a config file in a protected directory
B. Hard-coded in the executable where they are protected
C. Encrypted and stored in a file
D. On a protected server
Hint: What protects the confidentiality of data?
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.1.3 Handling configuration parameters
Answer: C. All sensitive data should be encrypted and stored in an appropriate place. Storing elements in the executable file makes them difficult to change, so other files are recommended.
A, B, and D are incorrect. A protected directory can be bypassed, and for some secrets, a demo of the code can give away the secret. Hard-coding in the executable makes them accessible. Remote storage does not solve the confidentiality problem.
Q5. Which of the following functions should never be relied upon with client-side processing? Choose all that apply.
A. Input errors
B. Missing values
C. State management
D. Input validation
Hint: At what stages can input be changed?
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.6 Input validation
Answer: C and D. Because inputs can be changed by proxies between the client and the server, all security checks should only be done on the server side, including all state management and input validations.
A and B are incorrect. Input errors and missing values can be checked for and validated on the client side for the purpose of improving user experience (preventing unnecessary round trips to the server).
Q6. Your development group programs in C, creating high-speed financial applications for processing stock trade events from a wide customer base. Which is the most important control to employ?
A. Buffer overflow checks
B. Input validation
C. Fuzz testing
D. Bug bar
Hint: Consider what would be related to blocking the most damaging error category.
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.6 Input validation
Answer: B. Because customer input is implied, input validation is paramount.
A, C, and D are incorrect. Buffer overflow checks are important, but proper use of compiler directives and static code checking can alleviate most of these. Fuzz testing and bug bar are process elements, not specific controls.
Q7. Penetration tests done with no a priori system knowledge are called:
A. Black-box testing
B. Code reviews
C. White-box testing
D. Acceptance testing
Hint: No a priori knowledge indicates what state?
Reference: Chapter 15: Secure Software Testing
Objective: 15.2.3 Security testing
Answer: A. When there is no knowledge of the inner workings of a system, it is referred to as black-box testing.
B, C, and D are incorrect. White-box testing assumes full knowledge of the system, as do code reviews. Acceptance testing is functional testing to requirements and not directly related to this topic.
Q8. The first step for general risk management is:
A. Enumerate risks
B. Security control selection
C. Threat assessment
D. Asset identification
Hint: Risk is associated with something of value.
Reference: Chapter 2: Risk Management
Objective: 2.2 Governance, risk, and compliance
Answer: D. Risks are associated with assets, or things that have value in an enterprise.
A, B, and C are incorrect. Risks cannot be enumerated until the target (asset) is identified. Security controls cannot be selected until a specific threat assessment is performed. All of the steps follow asset identification.
Q9. What are the two primary components associated with measuring the loss due to risk? Choose two.
A. Likelihood of impact
B. Magnitude of impact
C. Scale of threat
D. Likelihood of threat
Hint: What are the elements of qualitative risk assessment?
Reference: Chapter 2: Risk Management
Objective: 2.5 Qualitative risk management
Answer: B and D. Risk is measured in terms of the likelihood of the threat and the magnitude of the impact.
A and C are incorrect. The likelihood of impact is messy because it includes not just the likelihood of the threat, but the likelihood of bypassing mitigations; this makes it difficult to use consistently. The scale of the threat is again complicated by external factors, making it less useful.
Q10. PHI is affiliated with:
A. Gramm-Leach-Bliley
B. Sarbanes-Oxley
C. PCI DSS
D. HIPAA/HITECH
Hint: Personal h_____ information.
Reference: Chapter 3: Security Policies and Regulations
Objective: 3.1 Regulations and compliance
Answer: D. PHI is personal health information, which is protected by HIPAA/HITECH.
A, B, and C are incorrect. Gramm-Leach-Bliley protects personal financial information, Sarbanes-Oxley is for corporate financials, and PCI DSS is for credit card information.
Q11. Which of the following is not a technique for dealing with risk?
A. Avoid
B. Transfer
C. Accept
D. Eliminate
Hint: One of these is an absolute, and absolutes typically do not fit with risk management.
Reference: Chapter 2: Risk Management
Objective: 2.4 Risk Controls
Answer: D. Risk can never be eliminated, only mitigated or reduced to a particular level.
A, B, and C are incorrect. After a risk has been identified and assessed, four techniques can be employed to deal with the risk: avoid the risk, transfer the risk, mitigate the risk, and accept the risk.
Q12. Which type of testing is generally conducted later in the testing process and focuses on the inputs and outputs to the software with partial knowledge of the design and implementation of the software?
A. White-box testing
B. Gray-box testing
C. Black-box testing
D. Blue-box testing
Hint: Partial knowledge is the key element for the question.
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for Security and Quality Assurance
Answer: B. Gray-box testing is defined by a limited set of knowledge over how a system functions.
A, C, and D are incorrect. White-box testing assumes complete knowledge of how a system is designed. Black-box testing assumes no knowledge. Blue-box testing is a nonsense distractor.
Q13. You want to implement steps to validate the security of software design. At what phase in the SDLC should you implement the security design validation process?
A. After implementation
B. After design
C. After testing
D. At the end of each phase
Hint: Where can changes occur that require validation?
Reference: Chapter 3: Security Policies and Regulations
Objective: 3.5 Software architecture
Answer: D. Because elements of the SDLC process can loop back and elicit new elements of previous phases, and coupled with the fact that at each phase design elements can be changed, validation should be done at the end of each phase to catch issues early.
A, B, and C are incorrect. Because at each phase design elements can be changed, validation should be done at the end of each phase to catch issues early, so any single phase is an incomplete answer.
Q14. Platform as a Service (PaaS) is defined as:
A. The offering of a computing platform in the cloud
B. Cloud-based systems that are delivered as a virtual platform for computing
C. The use of the cloud to avoid server cost
D. The offering of software to end users from within the cloud
Hint: PaaS is a marketing term for platform-based services.
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.6 Cloud Architectures
Answer: A. This is the definition of Platform as a Service (PaaS).
B, C, and D are incorrect. B is the definition of Infrastructure as a Service (IaaS), C is a reason to use cloud computing, and D is the definition of Software as a Service (SaaS).
Q15. Which of the following is not one of the three classes of security controls?
A. Technical
B. Cryptographic
C. Management
D. Operational
Hint: One way of classifying controls is based on the aspect of the business involved.
Reference: Chapter 2: Risk Management
Objective: 2.4 Risk controls
Answer: B. The classes of security controls are technical, managerial, and operational.
A, C, and D are incorrect. These are all classes of security controls.
Q16. The principle associated with the use of multiple overlapping controls is:
A. Least privilege
B. Separation of duties
C. Defense in depth
D. Fail safe
Hint: The key word in the question is multiple.
Reference: Chapter 1: Security Concepts
Objective: 1.3 Security design tenets
Answer: C. The use of multiple independent security control mechanisms to protect a specific program is called defense in depth.
A, B, and D are incorrect. These are all security design tenets that act individually.
Q17. The principle associated with the use of minimizing a user’s authority to only what is needed is called:
A. Separation of duties
B. Least privilege
C. Complete mediation
D. Least common mechanism
Hint: Which of these is associated with a user’s activity?
Reference: Chapter 1: Security Concepts
Objective: 1.3 Security design tenets
Answer: B. Users should only be given the level of privilege necessary to do their assigned tasks and no more.
A, C, and D are incorrect. A is about using multiple users. C involves ensuring checks are performed every time. D is about ensuring that single functions do not perform multiple tasks at different privilege levels.
Q18. Which software development process is characterized by early and frequent deliverables in an incremental fashion?
A. Agile
B. Waterfall
C. Prototype
D. Spiral
Hint: Early and frequent are important aspects of one development methodology.
Reference: Chapter 4: Software Development Methodologies
Objective: 4.3 Software development models
Answer: A. Agile development is characterized by early deliverables and regular incremental processes.
B, C, and D are incorrect. These are all software development methodologies, but they do not provide for early and regular functional deliverables.
Q19. The Microsoft Security Development Lifecycle was built upon a set of principles known as:
A. SD3+C
B. Trusted computing base
C. Address Space Layout Randomization (ASLR)
D. Secure by design
Hint: There are four pillars.
Reference: Chapter 4: Software Development Methodologies
Objective: 4.4 Microsoft Secure Development Lifecycle
Answer: A. Secure by design, secure by default, secure in deployment and communications (SD3+C) program.
B, C, and D are incorrect. The trusted computing base is not a Microsoft concept. ASLR is a security feature, and secure by design is only one of the principles.
Q20. Two acquisition strategies are:
A. Outsourcing vs. contracting
B. Build vs. buy
C. COTS vs. GOTS
D. Contracts vs. SLAs
Hint: Compare types of algorithms and age.
Reference: Chapter 3: Security Policies and Regulations
Objective: 3.7 Acquisition
Answer: B. The two options for software development are either build or buy each module.
A, C, and D are incorrect. Outsourcing and contracting are basically the same; COTS and GOTS are product descriptions; and contracts and SLAs are related, with SLAs behind the contract.
Q21. Preserving authorized restrictions on information access and disclosure is a description of:
A. Availability
B. Integrity
C. Non-repudiation
D. Confidentiality
Hint: Restricting access is an example of what?
Reference: Chapter 5: Policy Decomposition
Objective: 5.1 Confidentiality, integrity, and availability requirements
Answer: D. This is from the FIPS definition of confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information….”
A, B, and C are incorrect; they are descriptors involved in security aspects other than integrity.
Q22. Preserving authorized restrictions on information modification or destruction is a description of:
A. Availability
B. Integrity
C. Non-repudiation
D. Confidentiality
Hint: Modification or destruction is an example of what?
Reference: Chapter 5: Policy Decomposition
Objective: 5.1 Confidentiality, integrity, and availability requirements
Answer: B. This is from the FIPS definition of integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity….”
A, C, and D are incorrect; they are descriptors involved in security aspects other than integrity.
Q23. Ensuring timely and reliable access to and use of information is a description of:
A. Availability
B. Integrity
C. Non-repudiation
D. Confidentiality
Hint: Access to information or the lack thereof is an example of what?
Reference: Chapter 5: Policy Decomposition
Objective: 5.1 Confidentiality, integrity, and availability requirements
Answer: A. This is from the FIPS definition of availability: “Ensuring timely and reliable access to and use of information….”
B, C, and D are incorrect; they are descriptors involved in security aspects other than integrity.
Q24. The validation of a user through the use of a shared set of secret credentials is:
A. Identification
B. Authentication
C. Authorization
D. Auditing
Hint: Tailgating when driving refers to what?
Reference: Chapter 5: Policy Decomposition
Objective: 5.2 Authentication, authorization, and auditing requirements
Answer: B. Authentication is a form of validation in which the user presents the known shared secret.
A, C, and D are incorrect. Identification is the establishment of the shared secret, authorization is a result of authentication, and auditing is a simple distractor.
Q25. Predetermined access control is an example of:
A. Rule-based Access Control
B. Discretionary Access Control
C. Mandatory Access Control
D. Role-based Access Control
Hint: Predetermined means it always occurs.
Reference: Chapter 5: Policy Decomposition
Objective: 5.2 Authentication, authorization, and auditing requirements
Answer: C. Mandatory Access Control (MAC) is characterized by a subject’s access to an object, which is a predetermined property that is defined by the rules associated with the system.
A, B, and D are incorrect. All of these access control systems can be optionally employed and, hence, are not predetermined.
Q26. The three forms of audit-related risk are:
A. Residual risk, inherent risk, detection risk
B. Control risk, inherent risk, detection risk
C. Residual risk, control risk, detection risk
D. Control risk, inherent risk, residual risk
Hint: What is each of the listed types of risk?
Reference: Chapter 5: Policy Decomposition
Objective: 5.2 Authentication, authorization, and auditing requirements
Answer: B. Inherent risks are those associated with the process and its inherent error rate, assuming no internal controls exist to handle the potential errors. Detection risk is the risk that an audit will not detect an issue that can result in material error. Control risk is the risk that controls will not detect or prevent material errors in a timely fashion.
A, C, and D are incorrect. Residual risk is the term for audit-based risk in total.
Q27. Security policies should ensure compliance with all external obligations. Examples of these obligations include:
A. Statutory, regulatory, and contractual obligations
B. Audit log and internal controls
C. Internal controls and contractual obligations
D. Internal SLAs, controls, and contractual obligations
Hint: Which elements are external in origin?
Reference: Chapter 5: Policy Decomposition
Objective: 5.3 Internal and external requirements
Answer: A. Statutory, regulatory, and contractual obligations are all external requirements.
B, C, and D are incorrect. Audit logs, internal controls, and internal SLAs are all internal elements.
Q28. An application that is designed to be used by different classes of users would find which form of access control useful?
A. Rule-based Access Control
B. Discretionary Access Control
C. Mandatory Access Control
D. Role-based Access Control
Hint: Which form of access control separates users into logical groups?
Reference: Chapter 5: Policy Decomposition
Objective: 5.2 Authentication, authorization, and auditing requirements
Answer: D. Breaking users into groups based upon their roles simplifies authentication and authorization work.
A, B, and C are incorrect. They are all access control mechanisms, but do not take advantage of the “groups of users” requirement.
Q29. The purpose of data classification is to:
A. Provide a means to label data with CIA requirements
B. Provide a method to restrict data use
C. Provide a method to align protection and asset value associated with data
D. Provide a means of marking data based on its sensitivity
Hint: Focus on purpose, not attribute or means to achieve the purpose.
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.1 Data classification
Answer: C. Data classification is a risk management tool, with the objective being to reduce the costs associated with protecting data.
A, B, and D are incorrect. These are all elements associated with achieving the purpose.
Q30. Data can exist in different states. Examples of these states include:
A. At rest, in transit, and being used
B. Being updated, being stored, and in the customer’s possession
C. In a database, encrypted, and held by a third party
D. Stored internally, either at a customer or a third party
Hint: Focus on what is internal to the enterprise and, therefore, under enterprise control.
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.1 Data classification
Answer: A. For the purposes of development and security, these states are at rest or being stored; in transit; or being created, changed, or deleted.
B, C, and D are incorrect. They all contain external elements such as a customer or a third party.
Q31. Data owners are responsible for:
A. Defining data classification, controls, and access criteria
B. Maintaining data classification, controls, and access criteria
C. Implementing data classification, controls, and access criteria
D. Performing data classification, controls, and access criteria
Hint: What belongs to data custodians?
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.2 Data ownership
Answer: A. The data owner is the party who determines factors associated with specific data elements.
B, C, and D are incorrect. These are all implementation oriented and belong to the data custodian function.
Q32. Data custodians are responsible for all of the following except:
A. Performing data classification, controls, and access criteria
B. Maintaining data classification, controls, and access criteria
C. Implementing data classification, controls, and access criteria
D. Defining data classification, controls, and access criteria
Hint: Which one belongs to data owners?
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.2 Data ownership
Answer: D. This is a data owner responsibility; all of the others belong to data custodians.
A, B, and C are incorrect. These are custodian functions.
Q33. FIPS 199 provides for classifying data into three levels. These levels are:
A. Confidentiality, integrity, and availability
B. High, medium, and low
C. PII, security sensitive, and hidden
D. Internal, input, and output
Hint: Think levels that are hierarchical.
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.3 Labeling
Answer: B. FIPS uses three levels—high, medium, and low—across three dimensions—confidentiality, integrity, and availability.
A, C, and D are incorrect. A represents the dimensions. C and D are classifications of data usage.
Q34. Which of the following are examples of structured data? Choose all that apply.
A. Databases
B. Microsoft Excel file
C. Formatted file structures
D. E-mails
Hint: Structured is managed via the structure.
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.4 Types of data
Answer: A and C. These forms are managed by their format.
B and D are incorrect. These forms are not managed by their format.
Q35. Which of the following are examples of unstructured data? Choose all that apply.
A. Databases
B. Microsoft Excel file
C. Formatted file structures
D. E-mails
Hint: Structured is managed via the structure.
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.4 Types of data
Answer: B and D. These forms are not managed by their format.
A and C are incorrect. These forms are managed by their format.
Q36. The elements of a data lifecycle are:
A. Internal, input, and output
B. Generation, retention, and disposal
C. Customer, supplier, and internal
D. Define, maintain, and dispose
Hint: Data is created, used, and destroyed.
Reference: Chapter 6: Data Classification and Categorization
Objective: 6.5 Data lifecycle
Answer: B. Data is created, used, and destroyed.
A, C, and D are incorrect. These are all associated with data, but not specifically with its lifecycle.
Q37. Requirements that relate directly to business requirements are referred to as:
A. Functional
B. Operational
C. Intrinsic
D. Business
Hint: The answer describes how the software is expected to work.
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements
Answer: A. Functional requirements describe how the software is expected to function.
B, C, and D are incorrect. Operational requirements relate to deployment. Intrinsic and business are simple related term distractors.
Q38. The detailed listing of what users are involved in a system forms part of the _____ definition.
A. User
B. Role
C. Requirement
D. Use-case
Hint: How do you document user involvement with an application?
Reference: Chapter 7: Requirements
Objective: 7.1.1 Role and user definitions
Answer: D. The detailed listing of what users are involved in a system forms part of the use-case definition.
A, B, and C are incorrect. Role and user definitions are the statements of who will be using what functionality of the software. The term requirement defines program objectives.
Q39. What represents the “who” in the subject-object-activity matrix?
A. Subject
B. Object
C. Activity
D. Interaction
Hint: Users are also who?
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements
Answer: A. Subjects represent who, objects represent what, and activities or actions represent the how of the subject-object-activity relationship.
B, C, and D are incorrect. Objects represent what and activities or actions represent the how of the subject-object-activity relationship. Interactions are an undefined term in this context.
Q40. What represents the “what” in the subject-object-activity matrix?
A. Subject
B. Object
C. Activity
D. Interaction
Hint: Users interact with the “what” element.
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements
Answer: B. Subjects represent the who, objects represent the what, and activities or actions represent the how of the subject-object-activity relationship.
A, C, and D are incorrect. Subjects represent the who and activities or actions represent the how of the subject-object-activity relationship. Interactions are an undefined term in this context.
Q41. What represents the “how” in the subject-object-activity matrix?
A. Subject
B. Object
C. Activity
D. Interaction
Hint: How relates to something that is happening.
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements
Answer: C. Subjects represent who, objects represent what, and activities or actions represent the how of the subject-object-activity relationship.
A, B, and D are incorrect. Subjects represent the who and objects represent the what. Interactions are an undefined term in this context.
Q42. A powerful technique for determining functional requirements in developer-friendly terms is:
A. Subject-object-activity matrix
B. Use case
C. Data flow diagram
D. Misuse case
Hint: Functional requirements is the key part of the question.
Reference: Chapter 7: Requirements
Objective: 7.1.6 Use-cases
Answer: B. A use-case is a specific example of an intended behavior of the system.
A, C, and D are incorrect. Subject-object-activity matrix and data flow diagrams are not directly associated with functional requirements. Misuse cases are about security issues, not functional requirements.
Q43. Multithreaded operating systems are specifically susceptible to what types of attacks?
A. Buffer overflow
B. Stack-based attacks
C. Arithmetic overflow attacks
D. Time of check/time of use attacks
Hint: Which is associated with race conditions?
Reference: Chapter 7: Requirements
Objective: 7.1.7 Abuse cases
Answer: D. Race conditions tied to multithreaded issues can create opportunities for time of check/time of use attacks.
A, B, and C are incorrect. These are all attack vectors, but not specifically tied to multithreading issues.
Q44. Requirements associated with deployment are referred to as:
A. Functional
B. Operational
C. Intrinsic
D. Business
Hint: Deployment is connected to what aspect?
Reference: Chapter 7: Requirements
Objective: 7.2 Operational requirements
Answer: B. Operational requirements are those that deal with the integration of the application into the enterprise environment.
A, C, and D are incorrect. A is the set of requirements associated with business functions. C and D are terms chosen to distract because they are related to the topic but are without contextual meaning.
Q45. Secure coding standards include all of the following except:
A. Language-specific rules and coding practices
B. Error trapping and handling
C. Performance testing specifications
D. Logging requirements
Hint: Which of these is not related to security functionality?
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements
Answer: C. Performance specifications are not security functionality related and thus, are not typically covered by secure coding standards.
A, B, and D are incorrect. These are all commonly documented in secure coding standards.
Q46. The multitude of requirements can be managed through the use of a:
A. Subject-object-activity matrix
B. Requirements traceability matrix
C. Functional requirements listing
D. Requirements lifecycle
Hint: Managing includes what specific functions?
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements
Answer: C. The requirements traceability matrix (RTM) is a grid that assists the development team in tracking and managing requirements and implementation details.
A, B, and D are incorrect. A is a specific term used to describe interactions between users and objects. B and D are distractors created out of words that fit the topic, but have no specific contextual meaning.
Q47. To prevent error conditions from cascading or propagating through a system, a designer should:
A. Practice complete error mitigation, including error trapping and handling
B. Practice safe coding with managed code modules
C. Use a language that supports managed code
D. Log all user activity for troubleshooting during testing
Hint: Focus on how errors propagate through a system.
Reference: Chapter 7: Requirements
Objective: 7.1 Functional requirements
Answer: A. Errors should always be trapped and managed locally.
B, C, and D are incorrect. B and C are about restricting language, when the question does not specify any particular language. D is good practice, but does not address the issue in question.
Q48. Code within an application that can be accessed by unauthorized parties is referred to as a(n):
A. Bug
B. Attack tree
C. Threat model
D. Attack surface
Hint: The term describes a collective element, not a singular one.
Reference: Chapter 8: Design Processes
Objective: 8.1 Attack surface evaluation
Answer: D. The attack surface of software is the code within the system that can be accessed by unauthorized parties. This is not just the code itself, but can also include a wide range of resources associated with the code, including user input fields, protocols, interfaces, resource files, and services.
A, B, and C are incorrect. A bug refers to a defect, and no defects are specified in the question. Attack trees and threat models are answers to related questions, but not this one specifically.
Q49. All of the following are elements in an attack surface calculation except:
A. Memory
B. User input fields
C. Protocols
D. Resource files
Hint: Which is not a pathway to an input to the system?
Reference: Chapter 8: Design Processes
Objective: 8.1 Attack surface evaluation
Answer: A. Memory is not directly associated with attack surfaces.
B, C, and D are incorrect. Attack surfaces can include a wide range of resources associated with the code, including user input fields, protocols, interfaces, resource files, and services.
Q50. A list of open sockets, open named pipes, and services running by default describes part of the ____.
A. Operational requirements
B. Attack surface measurement
C. Functional requirements
D. Misuse cases
Hint: Compare types of algorithms and age.
Reference: Chapter 8: Design Processes
Objective: 8.1 Attack surface evaluation
Answer: B. There is a long list of elements associated with an attack surface and its measurement.
A, C, and D are incorrect. The requirements are just lists of elements without specific technical details. Misuse cases are attack scenarios, but without the technical detail to support this form of defense.
Q51. An attacker can use interfaces, protocols, and/or ____ as entry points into an application.
A. Log entries
B. Error messages
C. Services
D. Program outputs
Hint: Entry points are ways into the program.
Reference: Chapter 8: Design Processes
Objective: 8.1 Attack surface evaluation
Answer: C. Services offer a way into an application by allowing man-in-the-middle type attacks.
A, B, and D are incorrect. These are all avenues of information out of an application, and provided that no secrets are leaked, do not directly offer a means of re-entry.
Q52. What is one of the security advantages of managed code over unmanaged code?
A. Lines of code
B. Size of attack surface
C. Flexibility of coding
D. Global variables
Hint: What does a sandbox present to an external attacker?
Reference: Chapter 8: Design Processes
Objective: 8.1 Attack surface evaluation
Answer: B. Managed code offers a reduced attack surface because of the mediated connection to OS resources.
A, C, and D are incorrect. There is no significant difference between managed and unmanaged code with respect to these items. Both systems offer plenty of opportunity in all of these items.
Q53. Mitigating the risk of a security control being compromised by the placement of multiple layers of overlapping controls is an example of:
A. Secure by deployment
B. Secure by default
C. Secure by design
D. Defense in depth
Hint: The key word is multiple.
Reference: Chapter 8: Design Processes
Objective: 8.3 Control identification and prioritization
Answer: D. Defense in depth involves multiple layers of overlapping controls.
A, B, and C are incorrect. These are all related to when and where security is invoked, not the manner in which this occurs.
Q54. The first step of threat modeling is:
A. Identify security objectives
B. System decomposition
C. Threat identification
D. Mitigation analysis
Hint: When performing a complex task, isn't the goal the first thing to settle?
Reference: Chapter 8: Design Processes
Objective: 8.2 Threat modeling
Answer: A. Identifying the security objectives needs to be completed before meaningful work toward them can be accomplished.
B, C, and D are incorrect. These are all steps in threat modeling; they just occur after determining the security objectives.
Q55. A risk calculation methodology developed by Microsoft is:
A. STRIDE
B. DREAD
C. Threat modeling
D. SD3 + C
Hint: Which of these is a scoring scheme, rather than a classification of threats or a process?
Reference: Chapter 8: Design Processes
Objective: 8.2 Threat modeling
Answer: B. DREAD is an acronym for damage potential, reproducibility, exploitability, affected users, and discoverability.
A, C, and D are incorrect. STRIDE classifies threats by type but does not calculate risk; threat modeling is the process in which both STRIDE and DREAD are used; and SD3+C (Secure by Design, Secure by Default, Secure in Deployment, and Communications) is the Microsoft principle underlying its entire SDL, not a calculation method.
Q56. The use of a false identity in attacking a system is an example of:
A. Psychological acceptability
B. Spoofing
C. Eavesdropping
D. Man in the middle
Hint: Change your IP address to appear to be someone else.
Reference: Chapter 8: Design Processes
Objective: 8.2 Threat modeling
Answer: B. Spoofing is the act of using false identity credentials to achieve access to a system.
A, C, and D are incorrect. Psychological acceptability is making security provisions acceptable to users. Eavesdropping is just listening to traffic, and man-in-the-middle attacks involve inserting oneself into the communication stream.
Q57. Which tool best helps the development team understand use-cases, including appropriate level of detail and security concerns?
A. Data flow diagram (DFD)
B. Subject-object-activity matrix
C. Requirements traceability matrix (RTM)
D. Attack tree
Hint: Use-cases show process flow. What does the same in the preceding list?
Reference: Chapter 8: Design Processes
Objective: 8.4 Documentation
Answer: A. The DFD shows the flow of the data through a system, and in threat modeling is marked with threat vectors using STRIDE.
B, C, and D are incorrect. Although these are valuable sources of information to the development team, they do not specifically highlight process flow information.
Q58. Which of the following is not a standard mitigation type?
A. Redesign to eliminate the vulnerability
B. Apply a standard mitigation
C. Invent a new mitigation
D. Transfer the vulnerability to another party for handling
Hint: Can vulnerabilities be moved?
Reference: Chapter 8: Design Processes
Objective: 8.3 Control identification and prioritization
Answer: D. Vulnerabilities cannot be transferred or moved to another firm.
A, B, and C are incorrect. Mitigation includes four types: redesign to eliminate vulnerability, apply a standard mitigation, invent a new mitigation, or accept the vulnerability.
Q59. What tool can assist in picking the appropriate mitigation type for a specific vulnerability?
A. Data flow diagram (DFD)
B. Subject-object-activity matrix
C. Requirements traceability matrix (RTM)
D. Attack tree
Hint: Which one traces an attack backward from its goal to the conditions that make it possible?
Reference: Chapter 8: Design Processes
Objective: 8.2 Threat modeling
Answer: D. An attack tree is a graphical representation of an attack, beginning with the attack objective as the root node; the leaf nodes show the specific conditions an attacker needs, which is where a mitigation can be applied.
A, B, and C are incorrect. These all provide information, but not specific to the cause of the vulnerability and how it can be mitigated.
Q60. What is specifically used to score a threat?
A. STRIDE
B. DREAD
C. PCI DSS
D. Attack tree
Hint: Probability of occurrence times the severity of impact.
Reference: Chapter 8: Design Processes
Objective: 8.2 Threat modeling
Answer: B. DREAD can be mapped into the probability impact model by taking the following factors into account: probability (reproducibility + exploitability + discoverability) and impact (damage potential + affected users).
A, C, and D are incorrect. STRIDE describes threat type information, attack trees don’t score things, and PCI DSS is a compliance framework.
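The DREAD-to-probability/impact mapping in the answer to Q60, carried through in code. This is an added example, not material from the original text: the three threats, their ratings, and the High/Medium/Low cut-offs are constructed assumptions. STRIDE appears only as a label on each threat, to make the point that it classifies and DREAD scores.

```python
"""DREAD scoring mapped onto a probability/impact model.

Added example; not from the original text. The threats, the ratings and
the High/Medium/Low cut-offs are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str           # STRIDE category: classifies the threat, does not score it
    damage: int           # D: damage potential            (1-10)
    reproducibility: int  # R: how reliably it reproduces  (1-10)
    exploitability: int   # E: how little effort/skill it needs (1-10)
    affected_users: int   # A: share of users hit          (1-10)
    discoverability: int  # D: how easy it is to find      (1-10)

    def __post_init__(self):
        for name in ("damage", "reproducibility", "exploitability",
                     "affected_users", "discoverability"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    @property
    def probability(self) -> int:
        """Likelihood side of the model: reproducibility + exploitability + discoverability (max 30)."""
        return self.reproducibility + self.exploitability + self.discoverability

    @property
    def impact(self) -> int:
        """Impact side of the model: damage potential + affected users (max 20)."""
        return self.damage + self.affected_users

    @property
    def dread(self) -> int:
        """Classic DREAD total, 5..50."""
        return self.probability + self.impact


def rating(threat: Threat) -> str:
    """Bucket a DREAD total. The cut-offs are an assumption for the example."""
    if threat.dread >= 40:
        return "High"
    if threat.dread >= 25:
        return "Medium"
    return "Low"


def rank(threats):
    """Highest DREAD first; on a tie, the more likely threat comes first."""
    return sorted(threats, key=lambda t: (t.dread, t.probability), reverse=True)


# Constructed sample threats from a hypothetical threat model.
SAMPLE_THREATS = [
    Threat("SQL injection in login form", "Tampering", 9, 10, 8, 9, 8),
    Threat("Verbose stack trace on error page", "Information disclosure", 3, 10, 9, 4, 9),
    Threat("Race in coupon redemption", "Tampering", 5, 3, 4, 2, 3),
]

if __name__ == "__main__":
    for t in rank(SAMPLE_THREATS):
        print(f"{t.dread:2d} {rating(t):6s} P={t.probability:2d} I={t.impact:2d}  {t.name} [{t.stride}]")
```

Note how the split changes the picture: the stack-trace leak is almost as likely as the injection (28 vs 26 on the probability side) but scores far lower on impact, which is the information a prioritisation meeting actually needs.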
Q61. When choosing security controls to cover issues on an application, first consideration should be given to:
A. Standard enterprise control structures such as ACLs
B. Point-of-impact controls tailored to issue
C. Broad controls that cover large areas
D. Controls specific to the application
Hint: Which will be most useful in an operational setting?
Reference: Chapter 8: Design Processes
Objective: 8.3 Control identification and prioritization
Answer: A. Use of standard enterprise-level controls makes the operational workload less of an addition and allows integration into the enterprise security data flow process.
B, C, and D are incorrect. Each of these options increases the workload on operations, increasing the security workload and hindering data sharing in the enterprise.
Q62. Which type of testing is generally conducted later in the testing process and focuses on the inputs and outputs to the software with partial knowledge of the design and implementation of the software?
A. White-box testing
B. Gray-box testing
C. Black-box testing
D. Blue-box testing
Hint: Partial knowledge is the key element for the question.
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for Security and Quality Assurance
Answer: B. Gray-box testing is defined by partial knowledge of how the system is designed and implemented; the tester works from inputs and outputs but can use that partial knowledge to target the tests.
A, C, and D are incorrect. White-box testing assumes complete knowledge of how a system is designed. Black-box testing assumes no knowledge. Blue-box testing is a nonsense distractor.
Q63. Which of the following is used to preserve confidentiality in an application?
A. Encryption
B. Hashing
C. Resilience
D. Digital signatures
Hint: Protect information from unauthorized viewing.
Reference: Chapter 9: Design Considerations
Objective: 9.1 Application of methods to address core security concepts
Answer: A. Encryption provides a means to secure a file from view except to authorized users.
B, C, and D are incorrect. Hashing protects against integrity issues, resilience covers availability, and digital signatures provide both integrity and authenticity.
Q64. Which of the following is used to preserve integrity in an application?
A. Encryption
B. Hashing
C. Resilience
D. Digital signatures
Hint: How can you detect a file has changed?
Reference: Chapter 9: Design Considerations
Objective: 9.1 Application of methods to address core security concepts
Answer: B. Hashing can provide a means to detect changes in a file. A single bit change can have a profound change in the hash value.
A, C, and D are incorrect. Encryption protects confidentiality, resilience covers availability, and digital signatures provide both integrity and authenticity.
Q65. Which of the following is used to preserve availability in an application?
A. Encryption
B. Hashing
C. Resilience
D. Digital signatures
Hint: Which of these addresses the application’s ability to continue operations under adverse circumstances?
Reference: Chapter 9: Design Considerations
Objective: 9.1 Application of methods to address core security concepts
Answer: C. Resiliency is important to ensure an application can continue to function in spite of adverse conditions.
A, B, and D are incorrect. Encryption protects confidentiality, hashing provides integrity, and digital signatures provide both integrity and authenticity.
Q66. Which of the following is used to preserve authenticity in an application?
A. Encryption
B. Hashing
C. Resilience
D. Digital signature
Hint: Authenticity implies you know who sent it.
Reference: Chapter 9: Design Considerations
Objective: 9.1 Application of methods to address core security concepts
Answer: D. Digital signatures provide both integrity and authenticity controls, telling the user who signed the file.
A, B, and C are incorrect. Encryption protects confidentiality, hashing provides integrity, and resilience covers availability.
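The integrity and authenticity controls from Q64 and Q66 in running code. This is an added example, not from the original text. It shows a hash detecting a change to a message, including the effect the answer to Q64 describes (one flipped bit changes roughly half of the digest), and then a keyed MAC that also tells the verifier the message came from a holder of the key. HMAC is used as a standard-library stand-in: a real digital signature uses an asymmetric key pair and needs a crypto library, but the verify-before-trust pattern is the same. The message and key are constructed for the example.

```python
"""Integrity and authenticity with standard-library primitives.

Added example; not from the original text. (1) A hash detects a change,
including the avalanche effect from flipping a single bit. (2) HMAC-SHA-256
binds the digest to a key so the verifier also learns the message came from
a key holder. HMAC stands in for a digital signature here; a true signature
uses an asymmetric key pair. The message and key below are constructed.
"""
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """Plain hash: detects change, but anyone can recompute it, so no authenticity."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with one bit flipped (simulates a single-bit corruption)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    a, b = bytes.fromhex(hex_a), bytes.fromhex(hex_b)
    if len(a) != len(b):
        raise ValueError("digests differ in length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def tag(key: bytes, data: bytes) -> str:
    """Keyed MAC: integrity plus origin (any holder of the key)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, expected_tag: str) -> bool:
    """Constant-time compare, so timing does not leak how much of the tag matched."""
    return hmac.compare_digest(tag(key, data), expected_tag)


# Constructed inputs. In practice the key comes from secrets.token_bytes(32)
# and lives in a KMS/HSM, not in source.
MESSAGE = b"TRANSFER 100.00 EUR TO ACCOUNT 12345678"
KEY = b"example-shared-key-do-not-reuse"

if __name__ == "__main__":
    h0 = sha256_hex(MESSAGE)
    h1 = sha256_hex(flip_bit(MESSAGE, 0))
    print(f"digest bits changed after a 1-bit edit: {differing_bits(h0, h1)} of 256")

    t = tag(KEY, MESSAGE)
    print("original verifies:", verify(KEY, MESSAGE, t))
    print("tampered verifies:", verify(KEY, MESSAGE.replace(b"100.00", b"900.00"), t))
    print("wrong key verifies:", verify(secrets.token_bytes(32), MESSAGE, t))
```

The design point is the difference between the two halves: a bare hash shipped alongside the data can be recomputed by whoever tampered with it, so it only catches accidental change; binding the digest to a key (or, for a signature, to a private key) is what turns integrity into authenticity.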
Q67. Which of the following would be considered an authentication design defect?
A. Combining authentication and authorization
B. Propagating authentication permission across an enterprise
C. Providing centralized control of authentication
D. Delegating authentication to a third party
Hint: Which of these is not a standard process in widespread use?
Reference: Chapter 9: Design Considerations
Objective: 9.1 Application of methods to address core security concepts
Answer: A. Authentication and authorization are separate processes and need to remain separate to limit damage should failures occur.
B, C, and D are incorrect. These are all commonly seen in the field and used where their specific advantages benefit the system under protection.
Q68. The desire to minimize the number of high-value vulnerabilities is a reflection of what security principle?
A. Defense in depth
B. Least privilege
C. Separation of duties
D. Complete mediation
Hint: High-value targets are typically administrator level.
Reference: Chapter 9: Design Considerations
Objective: 9.1 Application of methods to address core security concepts
Answer: B. Least privilege limits the rights code runs with, and the time it runs with elevated rights, so there are fewer high-value (administrator-level) points for an attacker to exploit and less opportunity for escalation of privilege.
A, C, and D are incorrect. These are all security principles, but they do not specifically address privilege escalation.
Q69. Trust boundaries separate a system into trust zones that share common:
A. Privileges, rights, access, and identifiers
B. CIA conditions
C. User accounts
D. ACL elements
Hint: Think of what can change, and eliminate answers.
Reference: Chapter 8: Design Processes
Objective: 8.1 Attack surface evaluation
Answer: A. This is the definition of a trust boundary; inside a trust boundary, items share the same privileges, rights, access, and identifiers.
B, C, and D are incorrect. All of these items have things that can differ inside a trust boundary, such as CIA conditions; not all items need the same types of protection.
Q70. To reduce the risk associated with reusing code, the development team should:
A. Test reused code for specific vulnerabilities
B. Run reused code through the same checks and tests as new code
C. Reused code has less risk, as it has already been used; focus testing on new code
D. Prohibit code reuse
Hint: If new code testing and validation is best for new code, then…
Reference: Chapter 8: Design Processes
Objective: 8.6 Risk assessment for code reuse
Answer: B. The testing and validation applied to new code is a best practice and should apply to reused code as well; reused code was written for another context, and the assumptions it makes about its inputs and environment may not hold in the new one.
A, C, and D are incorrect. Reused code is common and can have benefits, but it needs the same testing as new code.
Q71. If the value for the attack surface of an application is increasing during development, this is a sign of:
A. Increasing avenues of attack being available to an attacker
B. Need for more security
C. An increase in application security level
D. Nothing, as the attack surface grows and shrinks on its own
Hint: As the application is constructed, size in all things increases.
Reference: Chapter 8: Design Processes
Objective: 8.1 Attack surface evaluation
Answer: A. Additional elements of code can bring additional numbers of specific attackable points, raising the attack surface. This may be normal or uncontrolled, but it is measurable.
B, C, and D are incorrect; as the code base grows, the number of attack avenues can increase. More security may or may not be needed.
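The measurement behind Q50 and Q71, as an added example that is not part of the original text: two builds of a hypothetical service are described by inventories of the entry points the exam lists (listening sockets, named pipes, services started by default, resource files), and the code scores each build and reports exactly which entry points made the attack surface grow. The categories, weights, and both inventories are constructed assumptions; the weighting (unauthenticated network listeners count most) is a common choice but not the only one.

```python
"""Attack surface measurement as a diff between two builds.

Added example; not from the original text. Each build is an inventory of
entry points by category. Weights and inventories are assumptions for the
example; the point is that the figure is measurable and the delta is
attributable to specific new entry points.
"""

# Weight per entry-point category: an assumption for the example.
WEIGHTS = {
    "socket_unauth": 3,     # listening socket, input parsed before any authentication
    "socket_auth": 2,       # listening socket behind authentication
    "named_pipe": 2,
    "default_service": 2,   # service running by default
    "local_file": 1,        # resource/config file read at startup
}


def score(inventory: dict) -> int:
    """Weighted count of entry points. An unknown category is an error, not a silent zero."""
    total = 0
    for category, items in inventory.items():
        if category not in WEIGHTS:
            raise KeyError(f"unknown attack surface category: {category}")
        total += WEIGHTS[category] * len(items)
    return total


def diff(old: dict, new: dict) -> dict:
    """Entry points added and removed per category between two builds."""
    out = {}
    for category in sorted(set(old) | set(new)):
        before, after = set(old.get(category, [])), set(new.get(category, []))
        added, removed = sorted(after - before), sorted(before - after)
        if added or removed:
            out[category] = {"added": added, "removed": removed}
    return out


def report(old: dict, new: dict) -> str:
    """Human-readable summary: score delta, then every entry point that changed."""
    s0, s1 = score(old), score(new)
    lines = [f"attack surface score: {s0} -> {s1} ({s1 - s0:+d})"]
    for category, change in diff(old, new).items():
        lines += [f"  + [{category}] {item}" for item in change["added"]]
        lines += [f"  - [{category}] {item}" for item in change["removed"]]
    return "\n".join(lines)


# Constructed inventories for two builds of a hypothetical service.
BUILD_1 = {
    "socket_unauth": ["tcp/443 https"],
    "socket_auth": [],
    "named_pipe": [],
    "default_service": ["webapp"],
    "local_file": ["app.conf"],
}
BUILD_2 = {
    "socket_unauth": ["tcp/443 https", "tcp/8080 debug-console"],  # new and unauthenticated
    "socket_auth": ["tcp/5432 postgres"],
    "named_pipe": [r"\\.\pipe\webapp-admin"],
    "default_service": ["webapp", "metrics-agent"],
    "local_file": ["app.conf"],
}

if __name__ == "__main__":
    print(report(BUILD_1, BUILD_2))
```

Run between builds, the report is the answer to "increasing attack surface is a sign of what": here a debug console listening without authentication is the single largest contributor, and that is the line a reviewer should question.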
Q72. During the design phase, the ______ will provide significant security information to designers.
A. Attack surface
B. Threat model
C. Data flow diagrams
D. Risk management model
Hint: Which begins with the development effort and is built on security information?
Reference: Chapter 9: Design Considerations
Objective: 9.1 Application of methods to address core security concepts
Answer: B. Threat modeling is a collection of security threat information and is built during the development process from the beginning.
A, C, and D are incorrect. The attack surface is a measurement of exposure; data flow diagrams are an input to the threat model rather than the threat information itself; and a risk management model operates at the program level, not at the level of detail designers need.
Q73. A method of asynchronously moving information between applications is:
A. Message queuing
B. SOAP
C. REST
D. Web services
Hint: Asynchronous implies time delays.
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.1 Distributed computing
Answer: A. Message queuing allows messages to be stored in queues until the receiver is ready for them.
B, C, and D are incorrect; these are all web service–oriented methods and do not specify asynchronous communications.
Q74. A software system designed to support interoperable machine-to-machine interaction over a network is called a(n):
A. Enterprise service bus
B. Rich Internet application
C. Web service
D. HTML5/JavaScript
Hint: Machine-to-machine eliminates which options?
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.2 Service-oriented architecture
Answer: C. The W3C defines web services as a software system designed to support interoperable machine-to-machine interaction over a network.
A, B, and D are incorrect. Enterprise service bus is an application component; rich Internet application has a real user; and HTML5/JavaScript is a technology, not a system.
Q75. The common technologies used in web services include all of the following except:
A. WSDL
B. REST
C. SOAP
D. Message queuing
Hint: Which of these is not typically directly associated with web services?
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.2 Service-oriented architecture
Answer: D. Message queuing is an asynchronous message transport methodology, and it may or may not be associated with web services.
A, B, and C are incorrect. WSDL (Web Services Description Language) describes a service's interface, SOAP (Simple Object Access Protocol) is a messaging protocol, and REST (Representational State Transfer) is an architectural style; all three are directly associated with web services.
Q76. Rich Internet applications (RIAs) are commonly constructed using what? Choose all that apply.
A. C/C++
B. HTML5/JavaScript
C. ASP (Active Server Pages)
D. Adobe Flash or Microsoft Silverlight
Hint: Which is a universal web-based technology?
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.3 Rich Internet applications
Answer: B and D. RIAs are created using a variety of frameworks, including Adobe Flash, Java, and Microsoft Silverlight. With the introduction of HTML5, the future appears to be one dominated by HTML5/JavaScript-based RIAs.
A and C are incorrect. C/C++ is typically not used in browser-based client development, and ASP is a server-side page technology, not a client-side RIA framework.
Q77. Pervasive/ubiquitous computing involves all of the following except:
A. Wireless communication
B. Hyperconnectedness
C. Nearly constant connectivity
D. Monoculture platforms (i.e., all Apple)
Hint: If everyone is using it, which is least likely?
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.4 Pervasive/ubiquitous computing
Answer: D. Pervasive/ubiquitous systems are cross-platform by nature; hence, monoculture platforms are not appropriate for this type of system.
A, B, and C are incorrect. These are all commonly involved in pervasive or ubiquitous systems.
Q78. A protocol for radiofrequency (RF) communication over very short distances is:
A. Bluetooth
B. 802.11 Wi-Fi
C. 802.15 Zigbee
D. Near-field communications (NFC)
Hint: Which of these is designed to work only over a few centimeters?
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.4 Pervasive/ubiquitous computing
Answer: D. Near-field communications is a protocol set for very short distance RF communications.
A, B, and C are incorrect. They are all wireless communication methods, but have reasonable ranges of use.
Q79. Cloud computing is marked by all except:
A. On-demand self-service
B. Broad network access
C. Use of a web browser for accessing data
D. Resource pooling
Hint: How are clouds managed?
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.6 Cloud architectures
Answer: C. Cloud computing does not require any particular client such as a web browser; the NIST definition's essential characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service, and broad network access means access from a range of client types, not one specific one.
A, B, and D are incorrect. These are all elements associated with cloud computing.
Q80. A significant risk associated with the client server architecture is:
A. Flexibility
B. Client-side exploit
C. Cross-platform issues
D. Scalability
Hint: Focus on what is internal to the enterprise and therefore under enterprise control.
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.1 Distributed computing
Answer: B. Client server architectures need to employ protection against client-side attacks.
A, C, and D are incorrect. Client server architectures are specifically designed to address these issues.
Q81. A modular architecture based on principles of being platform neutral; interoperable; and with discoverable, contract-based interfaces describes:
A. SOA
B. SaaS
C. Cloud
D. SOAP
Hint: Discoverable, contract-based interfaces are related to WSDL.
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.2 Service-oriented architecture
Answer: A. SOA characteristics include platform neutrality, interoperability, modularity and reusability, abstracted business functionality, contract-based interfaces, and discoverability.
B, C, and D are incorrect. SaaS is Software as a Service, a delivery model; the cloud may or may not be service oriented; and SOAP (Simple Object Access Protocol) is a messaging protocol that SOA services may use, not an architecture.
Q82. An architecture designed to allow customers to unilaterally provision and reprovision their level of service as needed is descriptive of:
A. Web service–based systems
B. Rich Internet application–based systems
C. SOA-based systems
D. Cloud-based systems
Hint: Customer-driven scalability is used to describe which system?
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.6 Cloud architectures
Answer: D. Cloud-based systems offer scaling that can increase and decrease on demand.
A, B, and C are incorrect. A and C can be offered as part of a cloud-based solution, but they can exist in other forms too. RIA offers desktop application experience via a web browser interface.
Q83. Which of the following elements would be considered sensitive data and require protection in a mobile system?
A. What the model of the device is
B. Where the device is
C. What level of OS is running on the device
D. How the device is connected to the Internet (Wi-Fi or 4G)
Hint: Which element concerns the user of the device?
Reference: Chapter 10: Securing Commonly Used Architecture
Objective: 10.4 Pervasive/ubiquitous computing
Answer: B. The current location of the device should always be treated as sensitive and be under the user’s control before allowing access.
A, C, and D are incorrect. A and C are common elements that can be necessary to determine what content will work on the device. D can be important with regard to download speed and network connectivity.
Q84. Passwords and other credential secrets should be accessible by which sets of users? Choose all that apply.
A. The user account they apply to
B. The system administrator for the particular system
C. The account user’s boss
D. An account for archive/escrow purposes
Hint: Who should be able to see your password?
Reference: Chapter 11: Technologies
Objective: 11.1 Authentication and identity management
Answer: A. Passwords and other verification credentials, personal identification numbers (PINs), passphrases, token values, etc., are secrets and should never be accessible by anyone, including system administrators.
B, C, and D are incorrect. No one other than the account holder should be able to read a credential secret. A system should store only a salted one-way hash, so that even an administrator with full database access cannot recover the password; an archive or escrow copy defeats the purpose, and the remedy for a lost credential is a reset, not retrieval. A supervisor has no need for the secret at all.
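How an application honours the rule in Q84 that nobody, administrators included, can read a password: store a salted one-way hash and verify by recomputation. This is an added example, not from the original text. It uses PBKDF2-HMAC-SHA-256 from the Python standard library; the iteration count, the verifier string format, and the sample user are assumptions for the example.

```python
"""Storing a password so that nobody, administrators included, can read it.

Added example; not from the original text. PBKDF2-HMAC-SHA-256 with a
per-user random salt; the iteration count, the verifier format and the
sample user are assumptions. The store holds only the verifier, never the
password, so a database dump or a full-access administrator cannot recover
the secret; a lost password is reset, not retrieved.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000          # cost parameter; raise as hardware gets faster
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier: algo$iterations$salt$hash (all hex)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False                       # malformed verifier: never verifies
    if algo != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the verifier was made with weaker parameters than current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


# Constructed user store: this is all an administrator (or a dump) can see.
USERS = {
    "alice": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    print("stored verifier:", USERS["alice"])
    print("right password:", verify_password("correct horse battery staple", USERS["alice"]))
    print("wrong password:", verify_password("Tr0ub4dor&3", USERS["alice"]))
    # Same password for two users gives two different verifiers (different salts).
    print("identical verifiers for same password?", hash_password("x") == hash_password("x"))
```

Two details matter in practice: the salt is stored with the verifier so it need not be secret, only unique, and needs_rehash lets a deployment raise the cost parameter over time, rehashing each user's password at their next successful login.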
Q85. The acronym associated with the comprehensive set of policies, processes, and technologies for managing digital identity information is:
A. IdP
B. IAM
C. UX
D. OAuth
Hint: Think access management.
Reference: Chapter 11: Technologies
Objective: 11.1 Authentication and identity management
Answer: B. The terms identity management (IDM) and identity and access management (IAM) refer to the set of policies, processes, and technologies for managing digital identity information.
A, C, and D are incorrect. IdP is identity provider, one party in a federated system; UX is user experience; and OAuth is an authorization framework widely used in federated identity, not the management discipline itself.
Q86. You want to enable customers to establish their identity with your application, but you don’t want to manage identity management. Which of the following specific systems could you use? Choose all that apply.
A. Federated identity management
B. OAuth
C. OpenID
D. UX
Hint: Which are systems where you are not hosting but will provide authentication services?
Reference: Chapter 11: Technologies
Objective: 11.1 Authentication and identity management
Answer: B and C. OAuth and OpenID are two of the more common federated systems in use; strictly, OAuth is an authorization framework and OpenID Connect layers authentication on top of it, but either lets an external identity provider establish who the customer is so that your application does not host identity management.
A and D are incorrect. Federated identity management is a concept, not a specific system. UX is an acronym for user experience, not an authentication system.
Q87. IdP and RP are elements associated with:
A. OpenID
B. WSDL
C. ESB
D. SOA
Hint: Identity provider (IdP) and relying party (RP).
Reference: Chapter 11: Technologies
Objective: 11.1 Authentication and identity management
Answer: A. There are two main parties in federated ID systems: a relying party (RP) and an identity provider (IdP).
B, C, and D are incorrect. WSDL is Web Services Description Language, ESB is enterprise service bus, and SOA is service-oriented architecture.
Q88. Credential management functions include all of the following except:
A. Generation
B. Revocation
C. Synchronization
D. Sharing
Hint: What should never be done with credentials?
Reference: Chapter 11: Technologies
Objective: 11.2 Credential management
Answer: D. Credentials should never be shared, as this eliminates traceability.
A, B, and C are incorrect. Managing of credentials includes tasks such as credential generation, storage, synchronization, reset, and revocation.
Q89. The current version of X.509 is:
A. 3
B. 2
C. 1
D. Not stated—it is an IETF RFC
Hint: It has been revised more than once.
Reference: Chapter 11: Technologies
Objective: 11.2 Credential management
Answer: A. X.509 version 3 is the most current version of the standard.
B, C, and D are incorrect. Versions 1 and 2 have been superseded; version 3 added the extension fields that modern certificates rely on. X.509 is an ITU-T standard, not an IETF RFC, although its Internet profile is defined by the IETF in RFC 5280.
Q90. Which elements are not in a X.509 certificate? Choose all that apply.
A. Subject
B. Version number
C. Validity
D. Key length
Hint: Key type is a field.
Reference: Chapter 11: Technologies
Objective: 11.2 Credential management
Answer: D. The certificate carries the public key algorithm identifier and the public key itself; the key length is implicit in the key and is not a separate field.
A, B, and C are incorrect. The subject specifies the owner of the certificate. The version number identifies the version of the X.509 standard that was followed to create the certificate, and indicates the format and fields that can be used. Validity specifies the dates through which the certificate is valid for use.
Q91. What system associated with certificates enables the passing and verification of these digital elements between firms?
A. CRL
B. OCSP
C. PKI
D. X.509
Hint: Think system, not element of a system.
Reference: Chapter 11: Technologies
Objective: 11.2 Credential management
Answer: C. The public key infrastructure (PKI) associated with certificates enables the passing and verification of these digital elements between firms.
A, B, and D are incorrect. A PKI solution involves many parts, including certificate authorities, registration authorities, and certificate revocation mechanisms, either certificate revocation lists (CRL) or Online Certificate Status Protocol (OCSP). X.509 is the certificate.
Q92. If a certificate has been revoked, as a potential user, what could you use to verify this? Choose all that apply.
A. CRL
B. SAML
C. X.509
D. OCSP
Hint: Which two mechanisms publish the revocation status of a certificate?
Reference: Chapter 11: Technologies
Objective: 11.2 Credential management
Answer: A and D. Two certificate revocation mechanisms are certificate revocation lists (CRL) and Online Certificate Status Protocol (OCSP).
B and C are incorrect. SAML is Security Assertion Markup Language. X.509 is the certificate.
Q93. A technology for sharing authentication information is:
A. PKIX
B. OCSP
C. CRL
D. SAML
Hint: To mark records, you could use a markup language.
Reference: Chapter 11: Technologies
Objective: 11.2 Credential management
Answer: D is correct. Security Assertion Markup Language (SAML) is a commonly employed method for the sharing of authentication information.
A, B, and C are incorrect. PKIX is the IETF profile of X.509 public key infrastructure, a much larger body of work that includes mechanisms for distributing and validating keys but is not itself a technology for sharing authentication information. OCSP and CRL are certificate revocation mechanisms.
Q94. If there is a need to restrict network access to a specific port, one of the simplest methods is through a(n):
A. Restricted socket on the application
B. Firewall
C. Application ACL
D. Proxy server
Hint: Simplest is a key element.
Reference: Chapter 11: Technologies
Objective: 11.3 Flow control
Answer: B. Firewalls can be very simple in operation and can enforce address and port restrictions.
A, C, and D are incorrect. A restricted socket could be programmed into the application, but this would be complex and add significant operational complexity. A proxy server could do what a firewall does, but it is more complex. The application ACL would not have port-level control.
Q95. To comply with PCI DSS, one must have ________ or perform application code reviews.
A. Language-specific rules and coding practices
B. A defined security program
C. A web application firewall
D. A training program
Hint: Which one of these can actually perform real monitoring of security?
Reference: Chapter 11: Technologies
Objective: 11.3 Flow control
Answer: C. One of the requirements of the PCI Data Security Standard is for web applications to either have a web application firewall between the server and users or to perform application code reviews.
A, B, and D are incorrect. These are all elements that are good to have, but are not specifically addressed with respect to application code reviews.
Q96. Which of the following programs does not have specific logging requirements identified?
A. SOX
B. PCI DSS
C. DNSSEC
D. HIPAA
Hint: Which one of these is not a compliance program?
Reference: Chapter 11: Technologies
Objective: 11.4 Logging
Answer: C. DNSSEC is a set of extensions that add digital signatures to DNS records; it is a protocol security mechanism, not a compliance program, and carries no logging requirements.
A, B, and D are incorrect. These are all compliance programs with various logging requirements.
Q97. To guard against data being stolen from an enterprise, _____ technology can be employed, but it is complex and difficult to employ in an enterprise of any significant size.
A. DLP
B. Syslog
C. DRM
D. Logging
Hint: Preventing data loss is the objective.
Reference: Chapter 11: Technologies
Objective: 11.5 Data loss prevention
Answer: A. Data loss prevention (DLP) solutions act by screening traffic, looking for traffic that meets profile parameters.
B, C, and D are incorrect. B and D are about logging, which might record but not prevent loss. C is digital rights management, which deals with restricting rights for authorized users.
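The screening step the answer to Q97 describes, as an added example that is not from the original text: a content filter matches outbound messages against a profile and then validates each hit to avoid false positives (card numbers are checked with the Luhn algorithm, so an order reference that merely looks like a card number is not blocked). The profile, the policy thresholds, and the four sample messages are constructed assumptions; real DLP products also fingerprint documents, inspect attachments, and decode archives, which is part of why they are hard to deploy at scale.

```python
"""A minimal DLP content filter: screen outbound text against a profile.

Added example; not from the original text. Pattern match, then validate the
hit (Luhn check for card numbers), then apply a policy. The profile,
thresholds and sample messages are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# 13-19 digits with optional single space/hyphen separators, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
US_SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


@dataclass
class Finding:
    kind: str
    redacted: str   # the full secret is never echoed into logs or alerts


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep the last four digits only, as a receipt would."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> List[Finding]:
    """Apply every profile pattern; validate card candidates before reporting them."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card_number", redact(digits)))
    for m in US_SSN_RE.finditer(text):
        findings.append(Finding("us_ssn", redact(m.group())))
    return findings


def decide(findings: List[Finding]) -> str:
    """Assumed policy: any card number or two or more SSNs blocks; one SSN is flagged for review."""
    kinds = [f.kind for f in findings]
    if "card_number" in kinds or kinds.count("us_ssn") >= 2:
        return "BLOCK"
    if findings:
        return "FLAG"
    return "ALLOW"


# Constructed outbound messages.
SAMPLE_MESSAGES = {
    "invoice": "Please charge card 4111 1111 1111 1111, exp 12/27, for the order.",
    "support": "Order reference 1234567812345678 still shows as pending.",
    "hr_export": "Employees: 123-45-6789, 987-65-4321 (payroll batch).",
    "benign": "Lunch at 12:30? The build is green.",
}

if __name__ == "__main__":
    for name, text in SAMPLE_MESSAGES.items():
        found = scan(text)
        print(f"{name:10s} {decide(found):5s} {[f'{f.kind}:{f.redacted}' for f in found]}")
```

The support message is the important case: it contains a sixteen-digit number that the regular expression matches, and without the Luhn step a filter would block it, which is exactly the false-positive rate that makes DLP painful to operate at enterprise scale.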
Q98. ccREL and ODRL are associated with:
A. Data loss prevention
B. Single sign-on
C. Public key Infrastructure
D. Digital rights management
Hint: Open Digital Rights Language.
Reference: Chapter 11: Technologies
Objective: 11.7 Digital rights management
Answer: D. ccREL and ODRL are both forms of rights expression language (REL) used in digital rights management.
A, B, and C are incorrect. These are all security-related technologies, but they do not employ rights expression language elements.
Q99. All of the following are benefits with virtualization except:
A. Improved security from consolidation of servers
B. Reduced cost of servers resulting from server consolidation
C. Improved operational efficiencies from administrative ease of certain tasks
D. Improved operational agility to scale environments
Hint: Consolidation does not improve everything.
Reference: Chapter 11: Technologies
Objective: 11.6 Virtualization
Answer: A. Server consolidation is a physical consolidation—the logical instances have the same security concerns as before; in fact, they are increased because of the added virtualization layer.
B, C, and D are incorrect. The benefits derived from virtualization can include reduced cost of servers resulting from server consolidation; improved operational efficiencies from administrative ease of certain tasks; improved portability and isolation of applications, data, and platforms; and operational agility to scale environments, i.e., cloud computing.
Q100. A proven methodology for implementing single sign-on (SSO) is:
A. PKI
B. OpenID
C. WSDL
D. SOA
Hint: Which is a federated authentication element?
Reference: Chapter 11: Technologies
Objective: 11.2 Credential management
Answer: B. The OpenID protocol has proven to be a well-vetted and secure protocol for SSO.
A, C, and D are incorrect. PKI is the set of infrastructures for managing certificates; WSDL describes web service interaction; and service-oriented architecture (SOA) is an architecture, not an SSO methodology.
Q101. The set of all hardware, firmware, and/or software components that are critical to its security is referred to as:
A. Trusted computing (TC)
B. Trusted Platform Module (TPM)
C. Trusted computing base (TCB)
D. Trustworthy computing
Hint: The key idea is “set of all.”
Reference: Chapter 11: Technologies
Objective: 11.8 Trusted computing
Answer: C. The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security.
A, B, and D are incorrect. Trusted computing (TC) is a term used to describe technology developed and promoted by the Trusted Computing Group. The Trusted Platform Module is a hardware implementation of a set of cryptographic functions on a computer's motherboard, one component that a TCB may include. Trustworthy Computing was a Microsoft corporate initiative, not a technical component.
Q102. Before using a public key of another entity, it is proper to check for revocation. What is the best way to accomplish this? Choose all that apply.
A. DNSSEC
B. CRL
C. OCSP
D. PKIX
Hint: How are key revocations handled automatically?
Reference: Chapter 11: Technologies
Objective: 11.2 Credential management
Answer: B and C. Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) are both integrated, automated methods for verifying certificate validity.
A and D are incorrect. DNSSEC is a digitally signed DNS service. PKIX is the public key infrastructure, which is much more inclusive than just key revocation.
Q103. The application of digital signature technology to computer code is referred to as:
A. Trusted code
B. Code signing
C. Secure code
D. Code proofing
Hint: The act of applying a signature is called what?
Reference: Chapter 11: Technologies
Objective: 11.8 Trusted computing
Answer: B. Code signing is the act of using digital signature technology with software distribution.
A, C, and D are incorrect. These are all nonsense distractors designed to look correct. They do not have any specific meaning in this context.
Q104. Numerous factors need to be considered when creating a database encryption strategy, except for the following. Choose all that apply.
A. The usage pattern of the data—how is it protected in transit and in use
B. The level of risk classification associated with the data
C. The size of the data being encrypted
D. The database vendor
Hint: How do we determine encryption strategies for nondatabase data?
Reference: Chapter 11: Technologies
Objective: 11.9 Database security
Answer: C and D. The size of the data is not an issue, as database encryption strategies by their very nature need to be scalable. The database vendor does not apply, as virtually all major database vendors have proven capability.
A and B are incorrect. These are common criteria to consider before any encryption strategy, including databases.
Q105. Common elements requiring database encryption are those associated with what? Choose all that apply.
A. PCI DSS
B. Primary database keys
C. PII
D. PHI
Hint: What cannot be masked/hidden in a database?
Reference: Chapter 11: Technologies
Objective: 11.9 Database security
Answer: B. Primary keys are used to index and join tables, and as such cannot be obfuscated or encrypted. This is a good reason not to use PII or PHI elements as primary keys.
A, C, and D are incorrect. Regulations such as GLBA, HIPAA, and PCI DSS can impose protection requirements around certain data elements, such as PII, PHI, and PCI DSS data elements.
Q106. The software construction process that involves placing the names and relative locations of dependencies in the code, with these being resolved at runtime when all elements are loaded into memory, is called:
A. Compiling
B. Dynamic linking
C. Static linking
D. Interpreting
Hint: Resolving later implies change, not static connections.
Reference: Chapter 11: Technologies
Objective: 11.10 Programming language environment
Answer: B. Dynamic linking involves placing the names and relative locations of dependencies in the code, with these being resolved at runtime when all elements are loaded into memory.
A, C, and D are incorrect. The compiling process converts the source code into a set of processor-specific codes. Static linking resolves addresses at the time of linking, and interpreting converts code to executable form at runtime.
Q107. Microsoft .NET programming involves the following technologies except:
A. JVM
B. CIL
C. CLR
D. MSIL
Hint: One is related to a non-Microsoft language.
Reference: Chapter 11: Technologies
Objective: 11.10 Programming language environment
Answer: A. JVM is the Java Virtual Machine, which is involved in the execution of Java, a non-Microsoft language.
B, C, and D are incorrect. CIL is Microsoft’s common intermediate language, also known as Microsoft Intermediate Language (MSIL). These are executed using the common language runtime (CLR).
Q108. Compiler switches can be used for what? Choose all that apply.
A. Stack protection
B. Hashing
C. Exception handling
D. Code signing
Hint: Think /GS and /SAFESEH.
Reference: Chapter 11: Technologies
Objective: 11.10 Programming language environment
Answer: A and C. Compiler switches enable the development teams to control how the compiler handles certain aspects of program construction. A wide range of options is available, manipulating elements such as memory, stack protection, and exception handling.
B and D are incorrect. Hashing is a mathematical function that would not make any sense in this context, and code signing is premature at compile time.
Q109. What is the primary architectural mechanism used to execute untrusted code, code from guests, and unverified programs, isolating code from direct access to the host system?
A. Trusted OS
B. Virtual machines
C. Sandboxing
D. Server-side code
Hint: Code from guests and unverified programs are key elements.
Reference: Chapter 11: Technologies
Objective: 11.10 Programming language environment
Answer: C. Sandboxing is a term for the execution of computer code in an environment designed to isolate the code from direct contact with the target system.
A, B, and D are incorrect. Trusted OS is not relevant in this context. Virtual machines are more of a complete platform; code from guests and unverified programs is indicative of a simpler solution. Server-side code could cover some cases, but does not provide isolation from the host machine.
Q110. Dedicated systems, where the hardware and software are coupled together to perform a specific purpose, are called:
A. TPM
B. Firmware
C. Control systems
D. Embedded systems
Hint: They are usually included in the device they control.
Reference: Chapter 11: Technologies
Objective: 11.12 Embedded systems
Answer: D. Embedded systems are dedicated systems where the hardware and software are coupled together to perform a specific purpose.
A, B, and C are incorrect. TPM is the Trusted Platform Module in a computer system. Firmware is software stored electronically in a chip. Control systems are general-purpose systems for controlling physical devices.
Q111. Software used in embedded systems has many attributes. Which of the following is not typically one of them?
A. Memory constraints
B. Real-time operational constraints
C. Difficult to patch/update
D. High-speed computation
Hint: Which is not typically considered a constraint?
Reference: Chapter 11: Technologies
Objective: 11.12 Embedded systems
Answer: D. High-speed computation typically requires more processing power than is available in most embedded systems.
A, B, and C are incorrect. These are all common traits of firmware-based systems.
Q112. Which of the following is a common language for describing software security weaknesses in design or implementation?
A. SANS Top 25
B. CWE
C. CVE
D. OWASP Top 10
Hint: The key word in the question is weakness.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: B. CWE is Common Weakness Enumeration, a listing of common weaknesses.
A, C, and D are incorrect. SANS Top 25 and OWASP Top 10 are specific listings of the top issues in software. CVE is Common Vulnerability (not Weakness) Enumeration.
Q113. Which of the following is a common language for describing software security vulnerabilities, whether from design or implementation?
A. SANS Top 25
B. CWE
C. CVE
D. OWASP Top 10
Hint: The key word in the question is vulnerability.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: C. CVE is Common Vulnerabilities Enumeration, a listing of common vulnerabilities.
A, B, and D are incorrect. SANS Top 25 and OWASP Top 10 are specific listings of the top issues in software. CWE is Common Weakness (not Vulnerability) Enumeration.
Q114. Which of the following is a list of the most common programming errors in all types of software?
A. SANS Top 25
B. CWE
C. CVE
D. OWASP Top 10
Hint: All types of software.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: A. The SANS Top 25 is a list of the most common errors in all types of software.
B, C, and D are incorrect. CWE is Common Weakness Enumeration, a listing of common weaknesses. CVE is Common Vulnerabilities Enumeration, a listing of common vulnerabilities. The OWASP Top 10 is a list of the most common errors in web application software.
Q115. Which of the following is a list of the most common programming errors in web applications?
A. SANS Top 25
B. CWE
C. CVE
D. OWASP Top 10
Hint: Errors in web applications.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: D. The OWASP Top 10 is a list of the most common errors in web application software.
A, B, and C are incorrect. CWE is Common Weakness Enumeration, a listing of common weaknesses. CVE is Common Vulnerabilities Enumeration, a listing of common vulnerabilities. The SANS Top 25 is a list of the most common errors in all types of software.
Q116. Which kind of vulnerability is characterized by user input being interpreted incorrectly as a command or query?
A. Malicious file execution
B. Insecure direct object reference
C. Injection flaw
D. Cross-site request forgery
Hint: Command _____ and SQL _____ attacks.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: C. Injection flaws are when malicious input is processed by command or database engines, resulting in undesired behaviors.
A, B, and D are incorrect. Insecure direct object references are when developers permit access to internal constructs. Malicious file execution errors are when input is allowed to be executed as a file in the system. Cross-site request forgery attacks are when a browser’s input is maliciously directed to another site using a user’s credentials to do malicious activity.
Q117. Which kind of vulnerability is characterized by an attacker using a web browser to redirect an attack to another site?
A. Malicious file execution
B. Insecure direct object reference
C. Injection flaw
D. Cross-site request forgery
Hint: Using a user’s credentials against another website—the key word is website.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: D. Cross-site request forgery attacks are when a browser’s input is maliciously directed to another site using a user’s credentials to do malicious activity.
A, B, and C are incorrect. Injection flaws are when malicious input is processed by command or database engines, resulting in undesired behaviors. Malicious file execution errors are when input is allowed to be executed as a file in the system. Insecure direct object references are when developers permit access to internal constructs.
Q118. Which kind of vulnerability is characterized by hostile input to a file or stream function?
A. Malicious file execution
B. Insecure direct object reference
C. Injection flaw
D. Cross-site request forgery
Hint: This is why we have antivirus software.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: A. Malicious file execution errors are when input is allowed to be executed as a file in the system.
B, C, and D are incorrect. Injection flaws are when malicious input is processed by command or database engines, resulting in undesired behaviors. Cross-site request forgery attacks are when a browser’s input is maliciously directed to another site using a user’s credentials to do malicious activity. Insecure direct object references are when developers permit access to internal constructs.
Q119. Which kind of vulnerability is characterized by a reference to an internal implementation structure?
A. Malicious file execution
B. Insecure direct object reference
C. Injection flaw
D. Cross-site request forgery
Hint: Internal as opposed to external reference.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: B. Insecure direct object references are when developers permit access to internal constructs.
A, C, and D are incorrect. Injection flaws are when malicious input is processed by command or database engines, resulting in undesired behaviors. Cross-site request forgery attacks are when a browser’s input is maliciously directed to another site using a user’s credentials to do malicious activity. Malicious file execution errors are when input is allowed to be executed as a file in the system.
Q120. Failure to validate input can result in what type of error in a web application?
A. Insecure cryptographic storage
B. Cross-site scripting
C. Information leakage
D. Insecure direct object reference
Hint: The key phrase in the question is web application.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: B. Input validation failures can result in malicious user input being processed by web applications, resulting in cross-site scripting attacks.
A, C, and D are incorrect. Insecure cryptographic storage is when secrets are not properly guarded. Information leakage is when secrets are not protected, and insecure direct object references are when developers permit access to internal constructs.
Q121. When an application uses homegrown cryptography to protect secrets, it risks the following failure mode.
A. Information leakage
B. Side channel attack
C. Cryptanalysis attack
D. Insecure cryptographic storage
Hint: Focus on the failure mode, not the attack method.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: D. Insecure cryptographic storage occurs when the cryptographic mechanism fails.
A, B, and C are incorrect. Information leakage occurs when secrets are revealed—this is a result, not a failure mode. Side channel and cryptanalysis attacks are attacks, not failure modes.
Q122. One of the most common software failures is:
A. Hard-coded credentials
B. Buffer overflow
C. Command injection
D. Integer overflow
Hint: What is used to inject code into a running process?
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: B. Buffer overflows are one of the most common errors and can allow code to be injected directly into running processes.
A, C, and D are incorrect. Hard-coded credentials, command injections, and integer overflows are all failures, but nowhere near as common as buffer overflows in use by attackers.
Q123. Errors associated with array size and bounds are called:
A. Off-by-one errors
B. Canonical errors
C. Overflow errors
D. Encoding errors
Hint: Access to information or the lack thereof is an example of what?
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: A. Off-by-one errors occur when the index of an array exceeds the boundaries of an array, which can occur when the developer forgets that arrays begin at 0, not 1.
B, C, and D are incorrect. Canonical and encoding errors are parser manipulation errors. Overflow errors are related to mathematical functions.
Q124. The following are examples of specific input validation errors, except:
A. Buffer overflow
B. Broken cryptographic algorithm
C. SQL injection
D. Integer overflow
Hint: Which errors are related to user input?
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: B. Broken cryptographic algorithms are not related to user inputs.
A, C, and D are incorrect. All of these attacks involve user inputs.
Q125. Which of the following tools can address boundary functions?
A. Address Space Layout Randomization
B. Compiler flags
C. Safe software libraries
D. Memory management
Hint: String function library functions can result in boundary errors.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: C. Safe software libraries exist to address boundary errors that can occur with some function calls.
A, B, and D are incorrect. Address Space Layout Randomization prevents direct memory access, compiler flags are for other issues, and memory management is not directly involved.
Q126. Finding input strings similar to %2e%2e%2f are indicative of what type of attack?
A. Code injection
B. Directory traversal
C. Cross-site scripting
D. Canonical representation
Hint: The characters are “../”.
Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures
Objective: 12.2 Vulnerability databases/lists
Answer: B. The string value of “../” is used in directory traversal attacks.
A, C, and D are incorrect. Code injection attacks are directed at either command or database processors. Cross-site scripting is a web attack, and canonical representation deals with encoding changes.
Q127. A self-sustaining startup process is called:
A. Bootstrapping
B. Configuration parameters
C. Memory management
D. Type-safe practices
Hint: Power on self-test (POST) is an example of what?
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.13 Configuration parameter management
Answer: A. Bootstrapping refers to the self-sustaining startup process that occurs when a computer starts or a program is initiated.
B, C, and D are incorrect. Configuration parameters provide information a program needs to execute. Memory management refers to the managing of memory structures, including creation and cleanup of memory areas. Type-safe practices refer to the use of specific variable types.
Q128. The level of security associated with configuration files should be determined by:
A. Configuration parameters should be checked before use, eliminating the need to secure the file
B. Configuration files should be self-securing
C. Configuration files should always be secured
D. The risk associated with altered files
Hint: What should always be the driving force behind security decisions?
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.13 Configuration parameter management
Answer: D. Risk is the driving factor behind all security decisions.
A, B, and C are incorrect. Configuration files need security at a level commensurate with the risk associated with errors in the implementation.
Q129. Attackers can use which of the following as direct entry points into software? Choose all that apply.
A. Cryptographic agility
B. Unmanaged code
C. APIs
D. Managed code
Hint: Entry points include function calls.
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.10 Safe APIs
Answer: C. APIs are the application program interface, a normal entry point for both legitimate and malicious use.
A, B, and D are incorrect. Managed and unmanaged code have no direct link to the question. Cryptographic agility is a technique used to make a program more maintainable.
Q130. Using configuration files to store security attributes for a system is an example of:
A. Declarative programming
B. Managed code
C. Imperative programming
D. Unmanaged code
Hint: Defining elements in line with the code is imperative in nature.
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.2 Configuration
Answer: A. Declarative security involves having security defined at the container level, such as metadata.
B, C, and D are incorrect. The answer is independent of managed or unmanaged code, and imperative programming puts all the essential elements in the program code itself.
Q131. Cryptographic agility is useful for all of the following except:
A. International distribution
B. Changing cryptographic algorithms via patching
C. Cryptographic flexibility
D. Configuration control of cryptographic functions
Hint: Agility can allow the code to be managed via configurations.
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.3 Cryptography
Answer: B. Cryptographic agility allows programmatic change of cryptographic functions without patching.
A, C, and D are incorrect. Cryptographic agility allows for the change of cryptographic functions via configuration parameters, which enables international versions, flexibility, and configuration control.
Q132. To defend against memory locality attacks, one can employ:
A. Attack surface analysis
B. Code obfuscation
C. Source code analysis
D. Address Space Layout Randomization (ASLR)
Hint: Which one protects memory in use?
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.12 Memory management
Answer: D. Address Space Layout Randomization (ASLR) is a specific memory management technique used to randomize memory locations by breaking up the locality problem.
A, B, and C are incorrect. These are security tools that are not directly associated with memory management in operation.
Q133. Standard elements of defensive coding include all of the following except:
A. Establish and maintain control over all of your inputs.
B. Create specific security features for vulnerabilities in the code.
C. Establish and maintain control over all of your outputs.
D. Use industry-accepted security features.
Hint: Think levels that are hierarchical.
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.0 Defensive coding practices
Answer: B. Creating your own security practices is not a best practice; one should use industry-accepted mitigations.
A, C, and D are incorrect. These are all standard primary mitigations.
Q134. Common exceptions to be handled include what? Choose all that apply.
A. Arithmetic overflows
B. Business logic
C. Input string errors
D. Privilege escalation
Hint: What can be detected at a low level?
Reference: Chapter 13: Defensive Coding Practices
Objective: 13.9 Exception Management
Answer: A and C. These are common forms of exceptions that can be trapped and managed.
B and D are incorrect. Business logic errors will not normally trip an exception condition, nor will privilege escalation.
Q135. Examining code without executing it is referred to as:
A. Static code analysis
B. Binary analysis
C. Dynamic code analysis
D. Tracing
Hint: Type of analysis without running the code.
Reference: Chapter 14: Secure Software Coding Operations
Objective: 14.4 Code analysis
Answer: A. Static analysis involves examination of the code without execution.
B, C, and D are incorrect. These are all examples of dynamic analysis, a form of analysis involving code execution.
Q136. The examination of code while it is being executed is referred to as:
A. Static code analysis
B. Code reviews
C. Dynamic code analysis
D. Code walkthroughs
Hint: Code changes when running—change indicates what?
Reference: Chapter 14: Secure Software Coding Operations
Objective: 14.4 Code analysis
Answer: C. Dynamic analysis involves the execution of the code as part of the testing.
A, B, and D are incorrect. Static analysis involves examination of the code without execution. Code reviews and code walkthroughs are forms of static code analysis.
Q137. Code signing provides what value to the end user? Choose all that apply.
A. Proof of secure code
B. Proof of integrity of the code
C. Authentication of the source
D. Authentication that the code is the latest version
Hint: What attributes can a digital signature provide?
Reference: Chapter 14: Secure Software Coding Operations
Objective: 14.5 Antitampering techniques
Answer: B and C. Code signing can provide authentication and integrity guarantees.
A and D are incorrect. Digital signatures do not provide information as to code quality or whether a version is the current version.
Q138. Code walkthroughs can easily identify the following types of errors except:
A. Inefficient code
B. Input validation errors
C. Business logic errors
D. SANS Top 25 errors
Hint: Which of the choices is not easily defined to the review team?
Reference: Chapter 14: Secure Software Coding Operations
Objective: 14.3 Code/peer review
Answer: C. Business logic functionality can be complex and difficult to navigate in individual modules.
A, B, and D are incorrect. Code walkthroughs are very good at finding inefficient code, input validation weaknesses and SANS Top 25 errors, all of which are clearly defined and relatively easy to examine and test for.
Q139. Embedded systems can benefit greatly from what form of testing?
A. Static
B. Dynamic
C. Code review
D. Attack surface analysis
Hint: What is the primary purpose of embedded code?
Reference: Chapter 14: Secure Software Coding Operations
Objective: 14.4 Code Analysis
Answer: B. Dynamic testing can run the code through the operational set of states expected in operation, providing assurance against many forms of failure. Because embedded systems tend to have fewer states than general-purpose machines, this analysis can be very thorough.
A, C, and D are incorrect. All of the others are forms of static testing. Dynamic testing is more suitable for closed systems, such as embedded systems, for some failure mode detection.
Q140. What is the purpose of the Microsoft /GS compiler flag?
A. Invoke exception handling
B. Stack overflow protection
C. Invoke type-safe options
D. Memory management protection
Hint: Produces a cookie that is checked on function returns.
Reference: Chapter 14: Secure Software Coding Operations
Objective: 14.2 Development and build environment
Answer: B. Microsoft’s /GS compiler switch enables stack overflow protection in the form of a cookie to be checked at the end of the function prior to the use of the return address. Use of this option can enhance code security by eliminating common stack overflow conditions.
A, C, and D are incorrect. Exception handling is done by another compiler switch. Invoking type safety and memory management protection are not compiler-type operations.
Q141. What are common cryptographic failures in application design? Choose all that apply.
A. Key expiration
B. Key revocation
C. Poor random number generation
D. Algorithm implementation issues
Hint: The key words in the question are common and design.
Reference: Chapter 14: Secure Software Coding Operations
Objective: 14.2 Development and build environment
Answer: C and D. Poor random number generation and improper algorithm implementation are common failures that can be avoided through the use of proper library functions.
A and B are incorrect. Key revocation and expiration are operational issues, not design issues.
Q142. When the tester has complete knowledge of the inner workings of a system, the process is referred to as:
A. Black-box testing
B. Transparent-box testing
C. Gray-box testing
D. White-box testing
Hint: This is a definition question—no hint.
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for security and quality assurance
Answer: D. White-box testing is the name used to describe the testing process where the tester has complete knowledge of how the system under test works.
A, B, and C are incorrect. Gray-box testing is the name used to describe the testing process where the tester has limited knowledge of how the system under test works. Transparent-box testing is a nonsense distractor. Black-box testing is when the tester has no knowledge of the inner workings of a system.
Q143. When the tester has no knowledge of the inner workings of a system, the process is referred to as:
A. Black-box testing
B. Transparent-box testing
C. Gray-box testing
D. White-box testing
Hint: This is a definition question—no hint.
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for security and quality assurance
Answer: A. Black-box testing is when the tester has no knowledge of the inner workings of a system.
B, C, and D are incorrect. White-box testing is the name used to describe the testing process where the tester has complete knowledge of how the system under test works. Gray-box testing is the name used to describe the testing process where the tester has limited knowledge of how the system under test works. Transparent-box testing is a nonsense distractor.
Q144. When the tester has limited knowledge of the inner workings of a system, the process is referred to as:
A. Black-box testing
B. Transparent-box testing
C. Gray-box testing
D. White-box testing
Hint: This is a definition question—no hint.
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for security and quality assurance
Answer: C. Gray-box testing is the name used to describe the testing process where the tester has limited knowledge of how the system under test works.
A, B, and D are incorrect. White-box testing is the name used to describe the testing process where the tester has complete knowledge of how the system under test works. Transparent-box testing is a nonsense distractor. Black-box testing is when the tester has no knowledge of the inner workings of a system.
Q145. Functional testing includes what steps? Choose all that apply.
A. Identifying the requirements that the software is expected to perform
B. Determining the error states of the application
C. Creating input test data
D. Code review (walkthrough)
Hint: Which of these is not related to security functionality?
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for security and quality assurance
Answer: A and C. Functional testing involves the following steps in order: Identifying the functions (requirements) that the software is expected to perform; creating input test data based on the function’s specifications; determining expected output test results based on the function’s specifications; executing the test cases corresponding to functional requirements; and comparing actual and expected outputs to determine functional compliance.
B and D are incorrect. Error states and code reviews are part of security testing, not functional testing.
Q146. A principal advantage of unit testing is:
A. Testing of emergent qualities
B. Faster error correction
C. Early error detection
D. Provides performance data
Hint: When does unit testing occur?
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for security and quality assurance
Answer: C. One of the principal advantages of unit testing is that it is done by the development team and catches errors early, before they leave the development phase.
A, B, and D are incorrect. Emergent properties and performance data exist at levels of testing higher than unit testing. Faster error correction may or may not exist.
Q147. The ability of an application to restore itself to expected levels of functionality after the security protection is breached or bypassed is called:
A. Recoverability
B. Resilience
C. Availability
D. Restoration
Hint: This is a definition-based question—no hint.
Reference: Chapter 15: Secure Software Testing
Objective: 15.3 Impact assessment and corrective action
Answer: A. Recoverability is the ability of an application to restore itself to expected levels of functionality after the security protection is breached or bypassed.
B, C, and D are incorrect. These are all nonspecific distractors.
Q148. Which of the following can be used to remediate bugs? Choose all that apply.
A. Removal of defect
B. Trapping of error
C. Change of requirements
D. Mitigation of defect
Hint: Similar to options for risk handling.
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for security and quality assurance
Answer: A and D. Remediation of bugs can take many forms, but they can be categorized into four forms: removal of the defect, mitigation of the defect, transfer of responsibility, and ignore the issue.
B and C are incorrect. Trapping the error does not address the bug, and changing requirements also doesn’t address the bug.
Q149. An operational measure for what constitutes a minimum level of quality in the code is a definition for:
A. Bug bar
B. Security level
C. Security requirements
D. Bug criticality
Hint: View this as a hurdle to be overcome.
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for security and quality assurance
Answer: A. This is the definition of a bug bar.
B, C, and D are incorrect. These are all distractors built from related terms with no specific meaning in this context.
Q150. What form of testing is used to determine compliance with requirements in the areas of reliability, logic, performance, and scalability?
A. Operational
B. Unit
C. Functional
D. System
Hint: Compare types of algorithms and age.
Reference: Chapter 15: Secure Software Testing
Objective: 15.2 Testing for security and quality assurance
Answer: C. Functional testing is used to determine compliance with requirements in the areas of reliability, logic, performance, and scalability.
A, B, and D are incorrect. Operational testing is the testing of a system in operation. Unit and system testing describe the level of structure under test.
Q151. The automated enumeration of specific characteristics of an application or network is called:
A. Fuzzing
B. Regression
C. Scanning
D. Penetration
Hint: Looking at a bunch of systems.
Reference: Chapter 16: Security Testing
Objective: 16.1 Types of testing
Answer: C. Scanning is the automated enumeration of specific characteristics of an application or network.
A, B, and D are incorrect. Fuzz testing is a brute force method of addressing input validation issues and vulnerabilities. Penetration testing is an active form of examining the system for weaknesses and vulnerabilities. The testing of various versions of software is referred to as regression testing.
Q152. A brute force method of addressing input validation issues and vulnerabilities is:
A. Fuzzing
B. Regression
C. Scanning
D. Penetration
Hint: Brute force testing of input validation.
Reference: Chapter 16: Security Testing
Objective: 16.1 Types of testing
Answer: A. Fuzz testing is a brute force method of addressing input validation issues and vulnerabilities.
B, C, and D are incorrect. Scanning is the automated enumeration of specific characteristics of an application or network. The testing of various versions of software is referred to as regression testing. Penetration testing is an active form of examining the system for weaknesses and vulnerabilities.
Q153. The testing of various versions of software is referred to as:
A. Fuzzing
B. Regression
C. Scanning
D. Penetration
Hint: Ensuring patches don’t break other versions of software.
Reference: Chapter 16: Security Testing
Objective: 16.1 Types of testing
Answer: B. Testing various versions of software is referred to as regression testing.
A, C, and D are incorrect. Scanning is the automated enumeration of specific characteristics of an application or network. Fuzz testing is a brute force method of addressing input validation issues and vulnerabilities. Penetration testing is an active form of examining the system for weaknesses and vulnerabilities.
Q154. An active form of examining the system for weaknesses and vulnerabilities is called:
A. Fuzzing
B. Regression
C. Scanning
D. Penetration
Hint: Active examination of vulnerabilities is what?
Reference: Chapter 16: Security Testing
Objective: 16.1 Types of testing
Answer: D. Penetration testing is an active form of examining the system for weaknesses and vulnerabilities.
A, B, and C are incorrect. Scanning is the automated enumeration of specific characteristics of an application or network. Fuzz testing is a brute force method of addressing input validation issues and vulnerabilities. The testing of various versions of software is referred to as regression testing.
Q155. Testing the application in an environment that mirrors the production environment associated with the application is called:
A. Fuzzing
B. Simulation
C. Scanning
D. Penetration
Hint: Mirroring production is synonymous with which term?
Reference: Chapter 16: Security Testing
Objective: 16.1 Types of testing
Answer: B. Simulation testing involves testing the application in an environment that mirrors the production environment associated with the application.
A, C, and D are incorrect. Scanning is the automated enumeration of specific characteristics of an application or network. Fuzz testing is a brute force method of addressing input validation issues and vulnerabilities. Penetration testing is an active form of examining the system for weaknesses and vulnerabilities.
Q156. Bugs are measured in terms of what? Choose all that apply.
A. Probability
B. Size
C. Impact
D. Reproducibility
Hint: Measure the bug, a known entity.
Reference: Chapter 16: Security Testing
Objective: 16.1 Types of testing
Answer: C. Bugs are measured in terms of their impact on the system, and this impact can be used to prioritize corrective action efforts.
A, B, and D are incorrect. Probability and reproducibility relate to the exploitation action, not the bug. Size is a simple distractor.
Q157. What document specifies requirements, specifications, and testing of cryptographic systems for the U.S. federal government?
A. SP 800-53
B. FIPS 199
C. FIPS 200
D. FIPS 140-2
Hint: Use-cases show process flow. What does the same in this list?
Reference: Chapter 16: Security Testing
Objective: 16.1 Types of testing
Answer: D. FIPS 140-2 is a prescribed standard, part of the Federal Information Processing Standards series that relates to the implementation of cryptographic functions.
A, B, and C are incorrect. SP 800-53 relates to security controls. FIPS 199 and 200 relate to security requirement frameworks.
Q158. The type of testing where a website is tested under a range of loads to determine at what point the system’s response time degrades or fails is called:
A. Stress
B. Regression
C. White box
D. Penetration
Hint: Can vulnerabilities be moved?
Reference: Chapter 17: Secure Software Acceptance
Objective: 17.1 Pre-release and pre-deployment
Answer: A. Stress testing is a term that is often used interchangeably with “load” and “performance” testing by professionals. It serves the same purpose as load testing in the sense that it is looking to predict failure thresholds.
B, C, and D are incorrect. Testing various versions of software is referred to as regression testing. Penetration testing is an active form of examining the system for weaknesses and vulnerabilities. White-box testing is when testers have full knowledge of the inner workings of a system.
Q159. What is the term used to refer to the software property that meets the specified user requirements?
A. Verification
B. Assurance
C. Assessment
D. Validation
Hint: Part of the definition of V&V.
Reference: Chapter 17: Secure Software Acceptance
Objective: 17.2 Post-release activities
Answer: D. Validation is the term used to refer to the software property that meets the specified user requirements.
A, B, and C are incorrect. Verification is the term used to describe proper construction. Assessment is the measurement, and assurance is proof of compliance.
Q160. The term used to describe proper construction of a system is:
A. Assurance
B. Verification
C. Assessment
D. Validation
Hint: Part of the definition of V&V.
Reference: Chapter 17: Secure Software Acceptance
Objective: 17.2 Post-release activities
Answer: B. Verification is the term used to describe proper construction.
A, C, and D are incorrect. Assessment is the measurement, and assurance is proof of compliance. Validation is the term used to refer to the software property that meets the specified user requirements.
Q161. Tests that take place when it is assumed that the product is complete, with their aim being to exercise the product in its environment, are called:
A. Regression testing
B. Alpha testing
C. Beta testing
D. Release testing
Hint: Consumers are frequently enlisted to do this.
Reference: Chapter 17: Secure Software Acceptance
Objective: 17.1 Pre-release and pre-deployment
Answer: C. Beta testing takes place when development and testing are essentially completed and final bugs and problems need to be found before final release.
A, B, and D are incorrect. Alpha testing takes place when a product is nearing delivery. It is understood that minor design changes will still be made as a result of such testing. The testing of various versions of software is referred to as regression testing.
Q162. Tests that take place as the product is nearing completion but is not considered to be a completed product yet are called:
A. Regression testing
B. Alpha testing
C. Beta testing
D. Release testing
Hint: Not a finished product is the key.
Reference: Chapter 17: Secure Software Acceptance
Objective: 17.1 Pre-release and pre-deployment
Answer: B. Alpha testing takes place when a product is nearing delivery. It is understood that minor design changes will still be made as a result of such testing.
A, C, and D are incorrect. Beta testing takes place when development and testing are essentially completed and final bugs and problems need to be found before final release. The testing of various versions of software is referred to as regression testing.
Q163. A document that describes an input, action, or event that is expected to produce a predictable response is a(n):
A. Test case
B. Use-case
C. Misuse case
D. Formal analysis
Hint: Input and response.
Reference: Chapter 17: Secure Software Acceptance
Objective: 17.1 Pre-release and pre-deployment
Answer: A. A test case is a document that describes an input, action, or event that is expected to produce a predictable response.
B, C, and D are incorrect. Use-cases and misuse cases are built around the processes a system is designed to implement.
Q164. Which of the following are generic criteria for judging the suitability of a product? Choose all that apply.
A. Functionality
B. Reliability
C. Safety
D. Portability
Hint: ISO 9126 criteria.
Reference: Chapter 17: Secure Software Acceptance
Objective: 17.2 Post-release activities
Answer: A, B, and D. ISO 9126 defines six generic criteria for judging the suitability of a product as functionality, reliability, usability, efficiency, maintainability, and portability.
C is incorrect. Safety is not a typical generic criterion for judging the suitability of a product.
Q165. The term that refers to the entire collection of processes, from the turning on of the power until the operating system is in complete control of the system, is:
A. Bootstrapping
B. Boot up
C. Secure startup
D. Initial program load
Hint: The key words are entire collection, not part of the collection.
Reference: Chapter 18: Secure Software Installation and Deployment
Objective: 18.1 Installation and deployment
Answer: C. Secure startup refers to the entire collection of processes, from the turning on of the power until the operating system is in complete control of the system.
A, B, and D are incorrect. Booting and bootstrapping are parts of the secure startup. The initial program load occurs after the boot sequence.
Q166. The set of practices that describe how an organization controls its software assets is called:
A. Deployment
B. Setup
C. Baselining
D. Configuration management
Hint: Controlling software assets is the key part of the question.
Reference: Chapter 18: Secure Software Installation and Deployment
Objective: 18.1 Installation and deployment
Answer: D. Configuration management’s specific function is to exercise rational control of changes to software and related artifacts during development and after release.
A, B, and C are incorrect. Deployment, setup, and baselining are not about controlling software assets.
Q167. Rational control of changes to software and related artifacts during development and after release is referred to as:
A. Deployment
B. Configuration management
C. Baselining
D. Maintainability
Hint: Control is a higher-level function.
Reference: Chapter 18: Secure Software Installation and Deployment
Objective: 18.1 Installation and deployment
Answer: B. Configuration management’s specific function is to exercise rational control of changes to software and related artifacts during development and after release.
A, C, and D are incorrect. Deployment, maintainability, and baselining are not about rational control of changes to software assets.
Q168. The entity that authorizes changes to a production system is referred to as a:
A. SCM
B. CCB
C. CMS
D. CMDB
Hint: Typically a group of people.
Reference: Chapter 18: Secure Software Installation and Deployment
Objective: 18.1 Installation and deployment
Answer: B. A control entity called a configuration control board (CCB) authorizes changes to baselines at predefined levels of authority.
A, C, and D are incorrect. The software configuration management (SCM), configuration management system (CMS), and configuration management database (CMDB) do not authorize things.
Q169. Which of the following is not part of the configuration management process?
A. Configuration record
B. Configuration control
C. Release management
D. Configuration identification
Hint: Think of major activities associated with CMS.
Reference: Chapter 18: Secure Software Installation and Deployment
Objective: 18.1 Installation and deployment
Answer: A. Configuration record is a document, not a process element.
B, C, and D are incorrect. The configuration management process is composed of six major activities: process implementation, configuration identification, configuration control, configuration status accounting, configuration evaluation, and release management and delivery.
Q170. A common manner of keeping track of changes in a configuration management system is through a:
A. CMS
B. CMDB
C. SCM
D. CCB
Hint: Collection and tracking of data is done with a what?
Reference: Chapter 18: Secure Software Installation and Deployment
Objective: 18.1 Installation and deployment
Answer: B. A common manner of keeping track of changes is through a configuration management database (CMDB).
A, C, and D are incorrect. The software configuration management (SCM), configuration management system (CMS), and change control board (CCB) are not principal data-tracking mechanisms.
Q171. The term ______ is commonly used in the security industry to refer to the process of labeling different releases of software such that the end user has the ability to determine which specific release they are using.
A. Regression testing
B. Baseline configuration
C. Version control
D. Current baseline
Hint: Think of a term that covers multiple elements.
Reference: Chapter 18: Secure Software Installation and Deployment
Objective: 18.1 Installation and deployment
Answer: C. The term version control is commonly used in the security industry to refer to the process of labeling different releases of software such that the end user has the ability to determine which specific release they are using.
A, B, and D are incorrect. Regression testing is a testing method, not a labeling schema. Current baseline and baseline configuration are specific versions, not the general term.
Q172. Typical activities associated with operations and maintenance of software include what? Choose all that apply.
A. Monitoring
B. Incident management
C. Retirement
D. Risk management model
Hint: Which begins with the development effort and is built on security information?
Reference: Chapter 19: Secure Software Operations and Maintenance
Objective: 19.1 Secure software operations and maintenance
Answer: A and B. The typical ongoing activities associated with operations/maintenance of software are monitoring, incident management, problem management, and change management (patching/updating).
C and D are incorrect. System retirement is not a typical process. Risk management modeling is not an operations event.
Q173. Monitoring activities during operations for software include what? Choose all that apply.
A. Metrics
B. SLAs
C. Backup
D. Version control
Hint: To monitor means you can measure.
Reference: Chapter 19: Secure Software Operations and Maintenance
Objective: 19.1 Secure software operations and maintenance
Answer: A and B. Metrics and SLAs are measurable and hence can be monitored.
C and D are incorrect. These are activities, but they are not involved with monitoring.
Q174. There are numerous methods of delivery and packaging of patches from a vendor. What are some common terms used? Choose all that apply.
A. Patches
B. Plugins
C. Hot-fix
D. Code repairs
Hint: Normal changes and immediate changes.
Reference: Chapter 19: Secure Software Operations and Maintenance
Objective: 19.1 Secure software operations and maintenance
Answer: A and C. Patches can be labeled as patches, hot-fixes, and quick-fix engineering (QFE).
B and D are incorrect. Plug-ins are add-ons for browsers, and code repairs is a generic term used as a distractor.
Q175. To identify and maintain an appropriate set of risk controls within the overall supply chain, one would perform:
A. Supply chain testing
B. Supplier testing
C. Supply chain assessment
D. Supplier risk assessment
Hint: Risk governs all decisions.
Reference: Chapter 20: Supply Chain and Software Acquisition
Objective: 20.1 Supplier risk assessment
Answer: D. Supplier risk assessments identify specific threats to the organization’s supply chain and then evaluate how likely those threats are to occur, as well as the consequences of each threat should it happen.
A, B, and C are incorrect. These terms are all variants based on common words associated with the topic, but with no specific meaning in this context.
Q176. The elements of a patch management process include what? Choose all that apply.
A. Patch preparation
B. Patch validation
C. Patch creation
D. Patch reporting
Hint: What steps are needed in an enterprise?
Reference: Chapter 20: Supply Chain and Software Acquisition
Objective: 20.3 Software development and test
Answer: A and B. Patch preparation and validation are important operational patch process steps.
C and D are incorrect. Patch creation and reporting are outside the patch management process.
Q177. Common supply chain threats include what? Choose all that apply.
A. Malicious code
B. Introduction of vulnerabilities
C. Reduced functionality
D. Expired/legacy code
Hint: Which ones are threats?
Reference: Chapter 20: Supply Chain and Software Acquisition
Objective: 20.5 Supplier transitioning
Answer: A and B. Introduction of malicious code or vulnerabilities into a system can be common risks associated with all supply chains.
C and D are incorrect. Reduced functionality can be avoided by not upgrading if a key functional element of the application is deprecated. Expired/legacy code can be sandboxed and not directly connected to more vulnerable systems. However, neither of these is common.