CHAPTER 4
Domain 4: Cloud Application Security

The fourth domain of the Certified Cloud Security Professional (CCSP) Exam Outline covers applications in the cloud, from software development to the challenges involved in migrating apps from the traditional IT environment. It also addresses software security and performance testing methods as well as proper identity and access management (IAM) principles. Because (ISC)2 weights this domain less heavily than the previous domains (according to the table published at https://cccure.training/m/articles/view/CISSP-domains-weight-percentage-on-the-real-exam), this chapter contains considerably fewer questions.

  1. ISO 27034 defines a framework for application security within an organization. According to the standard, each organization should have a(n) _______________, and each application within the organization should have its own _______________.

    1. Organizational Normative Framework (ONF), Application Normative Framework (ANF)
    2. Application Normative Framework (ANF), Organizational Normative Framework (ONF)
    3. Standard Application Security (SAS), Application Normative Framework (ANF)
    4. Organizational Normative Framework (ONF), Standard Application Security (SAS)

  2. According to ISO 27034, there is one Organizational Normative Framework (ONF) in the organization, and _______________ Application Normative Framework (ANF[s]) for each application within that organization.

    1. Many
    2. Three
    3. No
    4. One

  3. What language is used to encode messages in the Simple Object Access Protocol (SOAP) messaging protocol?

    1. Hypertext Markup Language (HTML)
    2. X.509
    3. Extensible Markup Language (XML)
    4. Hypertext Transfer Protocol (HTTP)

  4. Typically, representational state transfer (REST) interactions do not require _______________.

    1. Credentials
    2. Sessions
    3. Servers
    4. Clients

  5. Representational state transfer (REST) application programming interfaces (APIs) use _______________ protocol verbs.

    1. Hypertext Markup Language (HTML)
    2. Hypertext Transfer Protocol (HTTP)
    3. Extensible Markup Language (XML)
    4. American Standard Code for Information Interchange (ASCII)

  6. The architectural style on which the World Wide Web, as it works today, is built is _______________.

    1. JavaScript Object Notation (JSON)
    2. Denial of service (DoS)
    3. Representational state transfer (REST)
    4. Extensible Markup Language (XML)

  7. RESTful responses can come from the server in _______________ or _______________ formats.

    1. Extensible Markup Language (XML), JavaScript Object Notation (JSON)
    2. Hypertext Transfer Protocol (HTTP), X.509
    3. American Standard Code for Information Interchange (ASCII), text
    4. Hypertext Markup Language (HTML), Extensible Markup Language (XML)
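Questions 4 through 7 turn on three properties of REST: requests are dispatched on HTTP verbs, the server keeps no session (each request carries its own credential), and the representation returned is negotiated between JSON and XML. The following Python handler, added here as an illustration and not part of the original chapter, shows all three on a constructed `orders` resource. The token table, the order data and the `handle` function are assumptions made for the example, not any vendor's API.

```python
import json
import xml.etree.ElementTree as ET

# Constructed in-memory resource store and token table (stand-ins for a real backend and IdP).
ORDERS = {"1001": {"id": "1001", "item": "widget", "qty": 2}}
TOKENS = {"tok-alice": "alice"}  # bearer token -> principal; the server keeps no session state


def to_xml(resource):
    """Render a flat resource as <order><field>value</field>...</order>."""
    root = ET.Element("order")
    for key, value in resource.items():
        ET.SubElement(root, key).text = str(value)
    return ET.tostring(root, encoding="unicode")


def represent(resource, accept):
    """Content negotiation: one resource, rendered as JSON or XML from the Accept header."""
    if "application/xml" in accept:
        return "application/xml", to_xml(resource)
    return "application/json", json.dumps(resource, sort_keys=True)


def authenticate(headers):
    """Credential on every request (Authorization: Bearer ...); nothing is remembered between calls."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):].strip())


def handle(method, path, headers, body=None):
    """Dispatch on the HTTP verb. Returns (status, content_type, body) the way a framework would."""
    if authenticate(headers) is None:
        return 401, "text/plain", "missing or invalid bearer token"
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "orders" or not parts[1].isdigit():
        return 404, "text/plain", "no such resource"
    order_id = parts[1]
    accept = headers.get("Accept", "application/json")
    if method == "GET":
        order = ORDERS.get(order_id)
        if order is None:
            return 404, "text/plain", "no such order"
        return (200,) + represent(order, accept)
    if method == "PUT":
        try:
            new = json.loads(body or "")
            order = {"id": order_id, "item": str(new["item"]), "qty": int(new["qty"])}
        except (ValueError, KeyError, TypeError):
            return 400, "text/plain", "body must be JSON with item and qty"
        ORDERS[order_id] = order  # PUT is idempotent: repeating it leaves the same state
        return (200,) + represent(order, accept)
    if method == "DELETE":
        if ORDERS.pop(order_id, None) is None:
            return 404, "text/plain", "no such order"
        return 204, "text/plain", ""
    return 405, "text/plain", "method not allowed"


if __name__ == "__main__":
    auth = {"Authorization": "Bearer tok-alice"}
    print(handle("GET", "/orders/1001", auth))
    print(handle("GET", "/orders/1001", {**auth, "Accept": "application/xml"}))
    print(handle("GET", "/orders/1001", {}))  # no token, no session to fall back on: 401
```

The statelessness is the security-relevant point: because no session is kept, the bearer token must be validated on every request, which is why REST APIs lean on TLS to keep that token confidential in transit.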

  8. Which of the following is an informal industry term for moving applications from a traditional environment into the cloud?

    1. Instantiation
    2. Porting
    3. Grandslamming
    4. Forklifting

  9. Developers creating software for the cloud environment should bear in mind cloud-specific risks such as _______________ and _______________.

    1. DoS and DDoS (denial of service and distributed denial of service)
    2. Multitenancy and third-party administrators
    3. Unprotected servers and unprotected clients
    4. Default configurations and user error

  10. When an organization considers cloud migrations, the organization’s software developers will need to know which _______________ and which _______________ the organization will be using, in order to properly and securely create suitable applications.

    1. Geographic location, native language
    2. Legal restrictions, specific ISP
    3. Service model, deployment model
    4. Available bandwidth, telecommunications country code

  11. Which of the following is perhaps the best method for reducing the risk of a specific application not delivering the proper level of functionality and performance when it is moved from the traditional environment into the cloud?

    1. Remove the application from the organization’s production environment and replace it with something else.
    2. Negotiate and conduct a trial run in the cloud environment for that application before permanently migrating.
    3. Make sure the application is fully updated and patched according to all vendor specifications.
    4. Run the application in an emulator.

  12. Software developers designing applications for the cloud should expect to include options to ensure all of the following capabilities except _______________.

    1. Encryption of data at rest
    2. Encryption of data in transit
    3. Data masking
    4. Hashing database fields

  13. In a platform as a service (PaaS) model, who should most likely be responsible for the security of the applications in the production environment?

    1. Cloud customer
    2. Cloud provider
    3. Regulator
    4. Programmers

  14. In the testing phase of the software development lifecycle (SDLC), software performance and _______________ should both be reviewed.

    1. Quality
    2. Brevity
    3. Requirements
    4. Security

  15. Regardless of which model the organization uses for system development, in which phase of the software development lifecycle (SDLC) will user input be requested and considered?

    1. Define
    2. Design
    3. Develop
    4. Detect

  16. Which phase of the software development lifecycle (SDLC) is most likely to involve crypto-shredding?

    1. Define
    2. Design
    3. Test
    4. Disposal

  17. Where are business requirements most likely to be mapped to software construction?

    1. Define
    2. Design
    3. Test
    4. Secure Operations

  18. All of the following are usually nonfunctional requirements except _______________.

    1. Color
    2. Sound
    3. Security
    4. Function

  19. Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that may not have been as important in the traditional environment?

    1. Identity and access management (IAM) capability
    2. Distributed denial of service (DDoS) resistance
    3. Encryption for data at rest and in motion
    4. Field validation

  20. Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that might not have been as important in the traditional environment?

    1. Application isolation
    2. Inference framing
    3. Known secure library components
    4. Testing that uses known bad data

  21. Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may not be able to use as readily in the cloud environment as it was deployed in the traditional environment?

    1. Cryptography
    2. STRIDE testing
    3. Field validation
    4. Logging

  22. All of these can affect the quality of service expected from an application except _______________.

    1. Encryption
    2. Egress monitoring
    3. Anti-malware tools
    4. Use of known secure libraries/components

  23. The possibility that a user could gain access or control of an application so as to take on administrator or management capabilities is called _______________.

    1. Inversion
    2. Spoofing
    3. Repudiation
    4. Escalation of privilege

  24. Which of the following is not checked when using the STRIDE threat model?

    1. The ability of users to gain administrative access rights without proper permission
    2. The ability of internal personnel to trigger business continuity/disaster recovery activities
    3. The ability of a participant in a transaction to refute that they’ve taken part in the transaction
    4. The ability of an unauthorized user to pretend to be an authorized user

  25. It is very likely that your organization’s users will use unapproved application programming interfaces (APIs), especially in a bring your own device (BYOD) environment, because _______________.

    1. Users are constantly trying to break the security of your environment
    2. APIs can’t ever be secure
    3. Hackers are constantly infiltrating all APIs
    4. Users enhance their productivity however they can

  26. Some current software developers are not aware of security problems within the programs they’re creating because _______________.

    1. Young programmers are not nearly as disciplined in their coding practices as older programmers
    2. Some current programmers don’t write code line by line and instead use code component libraries
    3. Coding languages have not been secure for 20 years
    4. Users are not clear in defining their requirements at the outset of the software development lifecycle (SDLC)

  27. What is the most secure form of code testing and review?

    1. Open source
    2. Proprietary/internal
    3. Neither open source nor proprietary
    4. Combination of open source and proprietary

  28. What is the major difference between authentication and authorization?

    1. Code verification/code implementation
    2. Identity validation/access permission
    3. Inverse incantation/obverse instantiation
    4. User access/privileged access

  29. Access should be based on _______________.

    1. Regulatory mandates
    2. Business needs and acceptable risk
    3. User requirements and management requests
    4. Optimum performance and security provision

  30. Who should determine which users have access to which specific objects?

    1. The cloud provider
    2. Senior management
    3. Data owners
    4. System administrators

  31. All of the following are identity federation standards commonly found in use today except _______________.

    1. WS-Federation
    2. OpenID
    3. OAuth (Open Authorization)
    4. Pretty Good Privacy (PGP)

  32. Which of the following is a federation standard/protocol that does not rely on Simple Object Access Protocol (SOAP), Security Assertion Markup Language (SAML), or Extensible Markup Language (XML)?

    1. WS-Federation
    2. OpenID Connect
    3. Service Organization Control (SOC) 2
    4. Open Web Application Security Project (OWASP)

  33. Authentication mechanisms typically include any or all of the following except _______________.

    1. Something you know
    2. Someone you know
    3. Something you have
    4. Something you are

  34. Which of the following constitutes a multifactor authentication process or procedure?

    1. Using an automated teller machine (ATM) to get cash with your credit or debit card
    2. Using a password and personal identification number (PIN) to log into a website
    3. Presenting a voice sample and fingerprint to access a secure facility
    4. Displaying a birth certificate and a credit card

  35. Typically, multifactor authentication should be used _______________.

    1. In every IT transaction
    2. For high-risk operations and data that is particularly sensitive
    3. When remote users are logging into the cloud environment
    4. Only in the traditional environment

  36. A web application firewall (WAF) usually operates at Layer _______________ of the Open Systems Interconnection (OSI) model.

    1. 2
    2. 3
    3. 7
    4. Q

  37. A web application firewall (WAF) can understand and act on _______________ traffic.

    1. Malicious
    2. Simple Mail Transfer Protocol (SMTP)
    3. Internet Control Message Protocol (ICMP)
    4. Hypertext Transfer Protocol (HTTP)

  38. WAFs can be used to reduce the likelihood that _______________ attacks will be successful.

    1. Social engineering
    2. Physical theft
    3. Obverse inflection
    4. Cross-site scripting
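Questions 36 through 38 describe a WAF as a Layer 7 device that understands HTTP and reduces the success of cross-site scripting. The Python code below, added as an example and not part of the original chapter, parses a raw HTTP request the way a WAF must (request line, headers, query string, form body, URL decoding), applies three constructed XSS signatures, and contrasts that with the application-side control a WAF supplements rather than replaces: contextual output encoding. The sample requests are constructed, not captured traffic, and the rule set is deliberately minimal.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Layer 7 rule set: a WAF reasons about decoded HTTP fields (URL, query, form body),
# which a packet filter working at Layers 3/4 never reconstructs. Constructed for this example.
XSS_RULES = [
    ("script_tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, decoded parameters and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))  # parse_qsl URL-decodes once
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return {"method": method, "path": url.path, "params": params, "headers": headers}


def inspect(request):
    """Return (field, rule) pairs that fire after one extra URL-decode, which catches double encoding."""
    hits = []
    for field, value in request["params"].items():
        normalised = unquote_plus(value)
        for rule, pattern in XSS_RULES:
            if pattern.search(normalised):
                hits.append((field, rule))
    return hits


def waf_decision(raw):
    """ALLOW or BLOCK a raw request, returning the rule hits that drove the decision."""
    hits = inspect(parse_request(raw))
    return ("BLOCK" if hits else "ALLOW"), hits


def render_greeting(name):
    """The application's own defence: encode untrusted data for the HTML context it lands in."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed sample requests (not captured traffic).
BENIGN = "GET /greet?name=Alice HTTP/1.1\r\nHost: shop.example\r\n\r\n"
REFLECTED = "GET /greet?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n"
DOUBLE_ENCODED = "GET /greet?name=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1\r\nHost: shop.example\r\n\r\n"
FORM_POST = ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "text=nice+shoes%21&sig=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E")

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("reflected", REFLECTED),
                       ("double-encoded", DOUBLE_ENCODED), ("form-post", FORM_POST)]:
        print(label, waf_decision(raw))
    print(render_greeting("<script>alert(1)</script>"))
```

Two caveats a practitioner should keep in mind: signature rules like these are bypassable (alternate tags, encodings the normaliser does not undo) and produce false positives on legitimate text, so the WAF reduces the likelihood of success, as the question says, while `render_greeting` shows the control that actually removes the vulnerability.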

  39. A database activity monitor (DAM) tool usually operates at Layer _______________ of the Open Systems Interconnection (OSI) model.

    1. 2
    2. 3
    3. 7
    4. Q

  40. Database activity monitors (DAMs) can be used to reduce the potential success of _______________ attacks.

    1. SQL injection
    2. Cross-site scripting
    3. Insecure direct-object reference
    4. Social engineering
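Question 40 pairs database activity monitoring with SQL injection. The Python example below, added here and not part of the original chapter, shows why: a query built by string concatenation lets the attacker's input rewrite the SQL, a parameterized query does not, and a monitor sitting in front of the database sees (and, in blocking mode, stops) the injected statement text. The `MonitoredConnection` class and its three rules are a simplified stand-in for a DAM product, and the `accounts` table is constructed sample data.

```python
import re
import sqlite3

# Signatures a database activity monitor (DAM) might apply to statement text at the database tier.
# Constructed for this example; real products use far richer policy.
DAM_RULES = [
    ("tautology", re.compile(r"'\s*OR\s*'[^']*'\s*=\s*'", re.IGNORECASE)),
    ("comment_truncation", re.compile(r"--|/\*")),
    ("stacked_query", re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT)\b", re.IGNORECASE)),
]


def make_db():
    """Constructed sample table; not real customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (username, balance) VALUES (?, ?)",
                     [("alice", 120), ("bob", 75), ("carol", 3000)])
    return conn


class MonitoredConnection:
    """Sits between application and database, as a DAM proxy does, and inspects every statement text."""

    def __init__(self, conn, block=True):
        self.conn = conn
        self.block = block
        self.log = []  # (statement, rule hits) for every statement observed

    def execute(self, sql, params=()):
        hits = [name for name, pattern in DAM_RULES if pattern.search(sql)]
        self.log.append((sql, hits))
        if hits and self.block:
            raise PermissionError("DAM blocked statement: " + ", ".join(hits))
        return self.conn.execute(sql, params)


def lookup_vulnerable(conn, username):
    """String concatenation: the attacker's input becomes part of the SQL grammar."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameter binding: the input is only ever a value, and the statement text never changes."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(payload="' OR '1'='1"):
    """Return (rows leaked by the vulnerable query, rows from the safe query, DAM blocked?, rules fired)."""
    leaked = lookup_vulnerable(make_db(), payload)
    safe = lookup_parameterized(make_db(), payload)
    dam = MonitoredConnection(make_db())
    try:
        lookup_vulnerable(dam, payload)
        blocked = False
    except PermissionError:
        blocked = True
    return len(leaked), len(safe), blocked, dam.log[-1][1]


if __name__ == "__main__":
    print(demo())           # (3, 0, True, ['tautology']): every row leaks without the DAM
    print(demo("bob' --"))  # (1, 0, True, ['comment_truncation']): the closing quote is commented out
    print(demo("alice"))    # (1, 1, False, []): ordinary input passes both paths unchanged
```

Note what the monitor sees in the parameterized path: only the fixed statement with a `?` placeholder, so there is nothing to flag and nothing to inject. The DAM earns its keep on legacy code that still concatenates, and as a detective control that logs who issued which statements against which tables.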

  41. Which security tool can perform content inspection of SSH File Transfer Protocol (SFTP) communications?

    1. Web application firewall (WAF)
    2. Database activity monitor (DAM)
    3. Extensible Markup Language (XML) gateway
    4. Single sign-on (SSO)

  42. To deploy a set of microservices to clients instead of building one monolithic application, it is best to use a(n) _______________ to coordinate client requests.

    1. Extensible Markup Language (XML) gateway
    2. Application programming interface (API) gateway
    3. Web application firewall (WAF)
    4. Database activity monitor (DAM)

  43. Firewalls can detect attack traffic by using all these methods except _______________.

    1. Known past behavior in the environment
    2. Identity of the malicious user
    3. Point of origination
    4. Signature matching

  44. Transport Layer Security (TLS) provides _______________ and _______________ for communications.

    1. Privacy, security
    2. Security, optimization
    3. Privacy, integrity
    4. Enhancement, privacy

  45. Transport Layer Security (TLS) uses a new _______________ for each secure connection.

    1. Symmetric key
    2. Asymmetric key
    3. Public-private key pair
    4. Inverse comparison

  46. A virtual private network (VPN) is used to protect data in transit by _______________.

    1. Securing each end of a client-server connection
    2. Creating an encrypted tunnel between two endpoints
    3. Encrypting databases
    4. Restricting key access to only eight parties

  47. The use of end users in dynamic software testing is best augmented by _______________.

    1. Having the developers review the code
    2. Having the developers perform dynamic testing
    3. Using automated agents to perform dynamic testing
    4. Social engineering

  48. Why do developers have an inherent conflict of interest in testing software they’ve created?

    1. They are notoriously bad, as a group, at testing.
    2. They work for the same department as the testing personnel.
    3. They have a vested interest in having the software perform well.
    4. They are never trained on testing procedures.

  49. Sandboxing can often be used for _______________.

    1. Optimizing the production environment by moving processes that are not frequently used into the sandbox
    2. Allowing secure remote access for users who need resources in the cloud environment
    3. Running malware for analysis purposes
    4. Creating secure subnets of the production environment

  50. Sandboxing can often be used for _______________.

    1. Testing user awareness and training
    2. Testing security response capabilities
    3. Testing software before putting it into production
    4. Testing regulatory response to new configurations and modifications

  51. Application virtualization can typically be used for _______________.

    1. Running an application in a non-native environment
    2. Installing updates to a system’s operating system (OS)
    3. Preventing escalation of privilege by untrusted users
    4. Enhancing performance of systems

  52. Application virtualization can typically be used for _______________.

    1. Denying access to untrusted users
    2. Detecting and mitigating distributed denial of service (DDoS) attacks
    3. Replacing encryption as a necessary control
    4. Running an application on an endpoint without installing it

  53. Any organization that complies with ISO 27034 will have a maximum of _______________ Organizational Normative Framework(s) (ONF)(s).

    1. 0
    2. 1
    3. 5
    4. 25

  54. Under ISO 27034, every application within a given organization will have an attendant set of controls assigned to it; the controls for a given application are listed in the _______________.

    1. ONF
    2. ANF
    3. TTF
    4. FTP

  55. Static application security testing (SAST) is usually considered a _______________ form of testing.

    1. White-box
    2. Black-box
    3. Gray-box
    4. Parched field

  56. Static application security testing (SAST) examines _______________.

    1. Software outcomes
    2. User performance
    3. System durability
    4. Source code

  57. Dynamic application security testing (DAST) is usually considered a _______________ form of testing.

    1. White-box
    2. Black-box
    3. Gray-box
    4. Parched field

  58. Dynamic application security testing (DAST) checks software functionality in _______________.

    1. The production environment
    2. A runtime state
    3. The cloud
    4. An IaaS configuration

  59. Vulnerability scans are dependent on _______________ in order to function.

    1. Privileged access
    2. Vulnerability signatures
    3. Malware libraries
    4. Forensic analysis

  60. Due to their reliance on vulnerability signatures, vulnerability scanners will not detect _______________.

    1. User error
    2. Improper control selection
    3. Cloud vulnerabilities
    4. Unknown vulnerabilities

  61. Penetration testing is a(n) _______________ form of security assessment.

    1. Active
    2. Comprehensive
    3. Total
    4. Inexpensive

  62. Dynamic software security testing should include _______________.

    1. Source code review
    2. User training
    3. Penetration testing
    4. Known bad data

  63. According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______________.

    1. Information gathering
    2. User surveys
    3. Configuration and deployment management testing
    4. Identity management testing

  64. According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______________.

    1. Authentication testing
    2. Authorization testing
    3. Session management testing
    4. Privacy review testing

  65. According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______________.

    1. Session initiation testing
    2. Input validation testing
    3. Testing for error handling
    4. Testing for weak cryptography

  66. According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______________.

    1. Business logic testing
    2. Client-side testing
    3. Intuition testing
    4. Information gathering

  67. Static software security testing typically uses _______________ as a measure of how thorough the testing was.

    1. Number of testers
    2. Flaws detected
    3. Code coverage
    4. Malware hits

  68. Dynamic software security testing typically uses _______________ as a measure of how thorough the testing was.

    1. User coverage
    2. Code coverage
    3. Path coverage
    4. Total coverage

  69. Software security testing should involve both known good and known bad data in order to simulate both _______________ and _______________.

    1. Managers, users
    2. Regulators, users
    3. Vendors, users
    4. Users, attackers

  70. Training programs should be tracked and monitored in order to fulfill both _______________ and _______________ requirements. Choose the best response.

    1. Business, security
    2. Regulatory, legal
    3. User, managerial
    4. Vendor, supplier

  71. Task-centric training is typically for _______________.

    1. All personnel
    2. Specific personnel
    3. Management personnel
    4. HR personnel

  72. Awareness training is typically for _______________.

    1. All personnel
    2. Specific personnel
    3. Management personnel
    4. HR personnel

  73. Why is cloud security training particularly important for software developers?

    1. Software developers are the mainstay of every cloud environment.
    2. You can’t have a cloud environment without software developers.
    3. Security controls cannot be added to software after the fact and must be included from the very first steps of software development.
    4. Many modern software developers don’t understand how the code underlying the libraries they use actually works.

  74. Software developers should receive cloud-specific training that highlights the challenges involved with having a production environment that operates in the cloud. One of these challenges is _______________.

    1. The massive additional hacking threat, especially from foreign sources
    2. The prevalent use of encryption in all data life-cycle phases
    3. Drastic increase of risk due to distributed denial of service (DDoS) attacks
    4. Additional regulatory mandates

  75. Software developers should receive cloud-specific training that highlights the challenges involved with having a production environment that operates in the cloud. One of these challenges is _______________.

    1. Lack of management oversight
    2. Additional workload in creating governance for two environments (the cloud data center and client devices)
    3. Increased threat of malware
    4. The need for process isolation

  76. Which security technique is most preferable when creating a limited functionality for customer service personnel to review account data related to sales made to your clientele?

    1. Anonymization
    2. Masking
    3. Encryption
    4. Training

  77. At which phase of the software development lifecycle (SDLC) is user involvement most crucial?

    1. Define
    2. Design
    3. Develop
    4. Test

  78. At which phase of the software development lifecycle (SDLC) should security personnel first be involved?

    1. Define
    2. Design
    3. Develop
    4. Test

  79. At which phase of the software development lifecycle (SDLC) is it probably most useful to involve third-party personnel?

    1. Define
    2. Design
    3. Develop
    4. Test

  80. In software development lifecycle (SDLC) implementations that include a Secure Operations phase, which of the following security techniques or tools are implemented during that phase?

    1. Vulnerability assessments and penetration testing
    2. Performance testing and security control validation
    3. Requirements fulfillment testing
    4. Threat modeling and secure design review

  81. A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls _______________.

    1. Can lead to data breaches
    2. Causes electromagnetic interference
    3. Will affect quality of service
    4. Can cause regulatory noncompliance

  82. A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls _______________.

    1. Can lead to distributed denial of service (DDoS)
    2. Allows malware infections
    3. Increases the risk of adverse environmental effects
    4. Is an unnecessary expense

  83. A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls _______________.

    1. Can lead to customer dissatisfaction
    2. Is a risk to health and human safety
    3. Brings down the organization’s stock price
    4. Negates the need for insurance

  84. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be used to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider’s permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. Of the following, what is the most reasonable immediate action?

    1. Delete accounts of all users who had utilized unapproved APIs to access company data.
    2. Suspend access for all users who had utilized unapproved APIs to access company data.
    3. Block all unapproved APIs from accessing company data.
    4. Notify whomever you report to in the company hierarchy, and suggest bringing the matter to the attention of senior management immediately.

  85. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be used to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider’s permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. You’ve brought the matter to the attention of the chief executive officer (CEO), who understands the issue and asks for your recommendation. What is probably the best suggestion?

    1. Gather more data about how users are utilizing the APIs and for what purposes.
    2. Delete accounts of all users who had utilized unapproved APIs to access company data.
    3. Suspend access for all users who had utilized unapproved APIs to access company data.
    4. Block all unapproved APIs from accessing company data.

  86. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be utilized to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider’s permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. Upon performing an information-gathering investigation at the behest of the chief executive officer (CEO), you determine that these APIs increased productivity 387 percent over the period since they were adopted, at a cost that is negligible compared to getting even one API through the company’s current approval process. What is your suggestion on how to handle the situation?

    1. Retroactively put all the APIs currently in use through the formal approval process, and require that all future APIs users want to install also get approved.
    2. Have the CEO waive formal approval processing for all APIs currently in use, granting them approval, but require all future APIs be approved through that process.
    3. Punish all employees who have installed or used any of the rogue APIs for violating company policy.
    4. Change the policy.

  87. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be utilized to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider’s permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. As a subject matter expert, what should you also recommend to the chief executive officer (CEO)?

    1. Reward the users who committed the infractions, for aiding the company even when they were violating the policy.
    2. Replace all the personnel that violated the policy, and have the new personnel use the new policy from their start of hire.
    3. Restrict user access to possible APIs.
    4. Augment the current set of security controls used by the company in order to offset risks posed by the anticipated use of even more APIs from unknown sources.

  88. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also allow users to select which application programming interfaces (APIs) they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you’d like to implement to offset the risk(s) incurred by this practice?

    1. Encrypt all routers between mobile users and the cloud.
    2. Use additional anti-malware detection capabilities on both user devices and the environment to which they connect.
    3. Implement strong multifactor authentication on all user-owned devices.
    4. Employ regular performance monitoring in the cloud environment to ensure that the cloud provider is meeting the service level agreement (SLA) targets.

  89. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also allow users to select which application programming interfaces (APIs) they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you’d like to implement to offset the risk(s) incurred by this practice?

    1. Regular and widespread integrity checks on sampled data throughout the managed environment
    2. More extensive and granular background checks on all employees, particularly new hires
    3. Inclusion of references to all applicable regulations in the policy documents
    4. Increased enforcement of separation of duties for all workflows

  90. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also allow users to select which application programming interfaces (APIs) they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you’d like to implement to offset the risk(s) incurred by this practice?

    1. Enact secure connections between the user devices and the cloud environment using end-to-end encryption.
    2. Enact secure connections between the user devices and the cloud environment using link encryption.
    3. Employ additional user training.
    4. Tunnel all connections with a virtual private network (VPN).

  91. Users in your organization have been leveraging application programming interfaces (APIs) for enhancing their productivity in the cloud environment. To ensure that you are securing API access to the production environment, you should deploy _______________ and _______________.

    1. Secure Sockets Layer (SSL) and message-level cryptography
    2. Transport Layer Security (TLS) and message-level cryptography
    3. SSL and whole drive encryption
    4. TLS and whole drive encryption

  92. You implement identity and access management (IAM) in order to control access between subjects and objects. What is the ultimate purpose of this effort?

    1. Identification. Determine who the specific, individual subjects are.
    2. Authentication. Verify and validate any identification assertions.
    3. Authorization. Grant subjects permissions to objects once they’ve been authenticated.
    4. Accountability. Be able to reconstruct a narrative of who accessed what.

  93. _______________ is perhaps the main external factor driving identity and access management (IAM) efforts.

    1. Regulation
    2. Business need
    3. The evolving threat landscape
    4. Monetary value

  94. Whether in a cloud or traditional environment, it is important to implement both _______________ and _______________ access controls.

    1. Internal and managed
    2. Provider and customer
    3. Physical and logical
    4. Administrative and technical

  95. Access to specific data sets should be granted by _______________.

    1. The data subjects
    2. The data owners
    3. The data processors
    4. The data regulators

  96. Access should be granted based on all of the following except _______________.

    1. Policy
    2. Business needs
    3. Performance
    4. Acceptable risk

  97. Federation allows _______________ across organizations.

    1. Role replication
    2. Encryption
    3. Policy
    4. Access

  98. Federation should be _______________ to the users.

    1. Hostile
    2. Proportional
    3. Transparent
    4. Expensive

  99. A web application firewall (WAF) understands which protocol(s)?

    1. All protocols that use the Internet as a medium
    2. Transport Layer Security (TLS)
    3. Hypertext Transfer Protocol (HTTP)
    4. File Transfer Protocol (FTP)

  100. Web application firewalls and database activity monitors function at levels _______________ and _______________ of the Open Systems Interconnection (OSI) model, respectively.

    1. 1 and 7
    2. 7 and 1
    3. 7 and 7
    4. 3 and 4

  101. What can tokenization be used for?

    1. Encryption
    2. Compliance with the Payment Card Industry Data Security Standard (PCI DSS)
    3. Enhancing the user experience
    4. Giving management oversight to e-commerce functions

  102. Merchants who accept credit card payments can avoid some of the compliance burden for the Payment Card Industry Data Security Standard (PCI DSS) by outsourcing the tokenization function to _______________.

    1. A third party
    2. The data owner
    3. The data subject
    4. The PCI Security Standards Council

  103. Which of the following is an example of useful and sufficient data masking of the string “CCSP”?

    1. XCSP
    2. PSCC
    3. TtLp
    4. 3X91

  104. A cloud-based sandbox should not be used for _______________.

    1. Application interoperability testing
    2. Processing sensitive data
    3. Application security testing
    4. Malware analysis

  105. Which of the following should occur at each stage of the software development lifecycle (SDLC)?

    1. Added functionality
    2. Management review
    3. Verification and validation
    4. Repurposing of any newly developed components

  106. Software that includes security elements from the outset of the software development lifecycle (SDLC) process will be _______________.

    1. More secure in deployment
    2. Less secure in deployment
    3. More likely to malfunction
    4. Less likely to malfunction

  107. Software that includes security elements from the outset of the software development lifecycle (SDLC) process will _______________.

    1. Be less expensive to operate securely in the production environment
    2. Be more expensive to operate securely in the production environment
    3. Not be interoperable with other software and systems in the production environment
    4. Have a greater likelihood of interoperability with other software and systems in the production environment

  108. The inclusion of security controls in the software design process is dictated by _______________.

    1. The National Institute of Standards and Technology (NIST) 800-37
    2. The American Institute of Certified Public Accountants (AICPA)
    3. ISO 27034
    4. The Health Insurance Portability and Accountability Act (HIPAA)

  109. Software development should be perceived as _______________.

    1. Including all members of the organization
    2. The paramount goal of the organization
    3. The greatest risk to the organization
    4. A lifecycle

  110. Dynamic testing of software is perhaps most useful for _______________.

    1. Simulating negative test cases
    2. Finding errors in the source code
    3. Determining the effect of social engineering
    4. Penetration tests
