Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CISSP > Application Development Security > Flashcards

Application Development Security Flashcards

1
Q 
Which of the following is a facial feature identification product that can employ artificial intelligence and can require the system to learn from experience?    
A. All of the choices. 
B. Digital nervous system. 
C. Neural networking 
D. DSV
A

Answer: C
Explanation: There are facial feature identification products that are on the market that use other technologies or methods to capture one’s face. One type of method used is neural networking technology. This type of technology can employ artificial intelligence that requires the system to “learn” from experience. This “learning” experience helps the system to close in on an identification of an individual. Most facial feature identification systems today only allow for two-dimensional frontal images of one’s face. Not DSV: Signature biometrics are often referred to dynamic signature verification (DSV) and look at the way we sign our names. [15] The dynamic nature differentiates it from the study of static signatures on paper. Within DSV a number of characteristics can be extracted from the physical signing process. Examples of these behavioral characteristics are the angle of the pen is held, the time taken to sign, velocity and acceleration of the tip of the pen, number of times the pen is lifted from the paper. Despite the fact that the way we sign is mostly learnt during the years it is very hard to forge and replicate.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q 
Which option is NOT a benefit derived from the use of neural networks?   
A. Linearity 
B. Input-Output Mapping 
C. Adaptivity 
D. Fault Tolerance
A

Answer: D
Explanation: Linearity: “If the sum of the weighted inputs then exceeds the threshold, the neuron will “fire” and there will be an output from that neuron. An alternative approach would be to have the output of the neuron be a linear function of the sum of the artificial neuron inputs.”
Input-Output Mapping: “For example, if a specific output vector was required for a specific input where the relationship between input and output was non-linear, the neural network would be trained by applying a set of input vector.”
Adaptivity: “The neural network would have then be said to have learned to provide the correct response for each input vector.”
Pg. 261 Krutz: The CISSP Prep Guide

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Which of the following is a characteristic of a decision support system (DSS)?
A. DSS is aimed at solving highly structured problems
B. DSS emphasizes flexibility in the decision making approach of users
C. DSS supports only structured decision-making tasks
D. DSS combines the use of models with non-traditional data access and retrieval functions

A

Answer: B
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q 
Which of the following is a communication mechanism that enables direct conversation between two applications?  
A. DDE 
B. OLE 
C. ODBC 
D. DCOM
A

Answer: A
Explanation: “Dynamic Data Exchange (DDE) enables applications to share data by providing IPC. It is based on the client/server model and enables two programs to send commands to each other directly. DDE is a communication mechanism that enables direct conversation between two applications. The source of the data is called the server, and the receiver of the data is the client.” Pg. 718 Shon Harris: All-In-One CISSP Certification Exam Guide

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q 
Which expert system operating mode allows determining if a given hypothesis is valid?  
A. Vertical chaining 
B. Lateral chaining 
C. Forward chaining 
D. Backward chaining
A

Answer: D
Explanation: “The expert system operates in either a forward-chaining or backward-chaining mode. In a forward-chaining mode, the expert system acquires information and comes to a conclusion based on that information. Forward-chaining is the reasoning approach that can be used when there is a small number of solutions relative to the number of inputs. In a backward chaining mode, the expert system backtracks to determine if a given hypothesis is valid. Backward-chaining is generally used when there are a large number of possible solutions relative to the number of inputs. Another type of expert system is the blackboard. A blackboard is an expert system-reasoning methodology in which a solution is generated by the use of a virtual “blackboard,” wherein information or potential solutions are placed on the blackboard by the plurality of individuals or expert knowledge sources. As more information is placed on the blackboard in an iterative process, a solution is generated.” Pg 354 Krutz: The CISSP Prep Guide: Gold Edition

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q 
Which one of the following is a security issue related to aggregation in a database?    
A. Polyinstantiation 
B. Inference 
C. Partitioning 
D. Data swapping
A

Answer: B
Explanation: Inference is the ability of users to infer or deduce information about data at sensitivity levels for which they do not have access privileges. –Ronald Krutz The CISSP PREP Guide (gold edition) pg 358 The other security issue is inference, which is very similar to aggregation. – Shon Harris All-in-one CISSP Certification Guide pg 727 Partitioning a database involves dividing the database into different parts, which makes it much harder for an unauthorized individual to find connecting pieces of data that can be brought together and other information that can be deduced or uncovered. – Shon Harris All-in-one CISSP Certification Guide pg 726 Polyinstantiation- This enables a relation to contain multiple tuples with the same primary keys with each instance distinguished by a security level. – Shon Harris All-in-one CISSP Certification Guide pg 727

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

How is polyinstantiation used to secure a multilevel database?
A. It prevents low-level database users from inferring the existence of higher level data.
B. It confirms that all constrained data items within the system conform to integrity specifications.
C. It ensures that all mechanism in a system are responsible for enforcing the database security policy.
D. Two operations at the same layer will conflict if they operate on the same data item and at least one of them is an update.

A

Answer: A
Explanation: “Polyinstantiation is the development of a detailed version of an object from another object using different values in the new object. In the database information security, this term is concerned with the same primary key for different relations at different classification levels being stored in the same database. For example, in a relational database, the same of a military unit may be classified Secret in the database and may have an identification number as the primary key. If another user at a lower classification level attempts to create a confidential entry for another military unit using the same identification number as a primary key, a rejection of this attempt would imply to the lower level user that the same identification number existed at a higher level of classification. To avoid this inference channel of information, the lower level user would be issued the same identification number for their unit and the database management system would manage this situation where the same primary key was used for different units.” Pg 352-353 Krutz: The CISSP Prep Guide: Gold Edition.
“Polyinstantiation occurs when to or more rows in the Normally, this database contains the exact position of each ship stored at the level with secret classification. However, on particular ship, the USS UpToNoGood, is on an undercover mission to a top-secret location. Military commanders do not want anyone to know that the ship deviated from its normal patrol. If the database administrators simply change the classification of the UpToNoGood’s location to top secret, a user with secret clearance would know that something unusual was going on when they couldn’t query the location of the ship. However, if polyinstantiation is used, two records could be inserted into the table. The first one, classified at the top secret level, would reflect the true location of the ship and be available only to users with the appropriate top secret security clearance. The second record, classified at the secret level, would indicate that the ship was on routine patrol and would be returned to users with a secret clearance.”
Pg. 191 Tittel: CISSP Study Guide Second Edition

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Which of the following defines the software that maintains and provides access to the database?
A. database management system (DBMS)
B. relational database management systems (RDBMS)
C. database identification system (DBIS)
D. Interface Definition Language system (IDLS)

A

Answer: A
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following is not a responsibility of a database administrator?
A. Maintaining databases
B. Implementing access rules to databases
C. Reorganizing databases
D. Providing access authorization to databases

A

Answer: D
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q 
SQL commands do not include which of the following?  
A. Select, Update 
B. Grant, Revoke 
C. Delete, Insert 
D. Add, Replace
A

Answer: D
Explanation: “SQL commands include Select, Update, Delete, Insert, Grant, and Revoke.” Pg 62 Krutz: CISSP Prep Guide: Gold Edition

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q 
A persistent collection of interrelated data items can be defined as which of the following?  
A. database 
B. database management system 
C. database security
D. database shadowing
A

Answer: A
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q 
Which one of the following is commonly used for retrofitting multilevel security to a Database Management System?    
A. Trusted kernel 
B. Kernel controller 
C. Front end controller 
D. Trusted front-end
A

Answer: D
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q 
Which of the following is the marriage of object-oriented and relational technologies combining the attributes of both?   
A. object-relational database 
B. object-oriented database 
C. object-linking database 
D. object-management database
A

Answer: A
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q 
A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following?  
A. content-dependent access control 
B. context-dependent access control 
C. least privileges access control 
D. ownership-based access control
A

Answer: A
Explanation: “Database security takes a different approach than operating system security. In an operating system, the identity and authentication of the subject controls access. This is done through access control lists (ACLs), capability tables, roles, and security labels. The operating system only makes decisions about where a subject can access a file; it does not make this decision based on the contents of the file itself. If Mitch can access file A, it does not matter if that file contains information about a cookie recipe or secret information from the Cold War. On the other hand, database security does look at the contents of a file when it makes an access control decision, which is referred to as content-dependent access control. This type of access control increases processing overhead, but it provides higher granular control.” Pg. 677 Shon Harris:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q 
Which of the following is an important part of database design that ensures that attributes in a table depend only on the primary key?  
A. Normalization 
B. Assimilation 
C. Reduction 
D. Compaction
A

Answer: A
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q 
Which of the following does not address Database Management Systems (DBMS) Security?  
A. Perturbation 
B. Cell suppression 
C. Padded Cells 
D. Partitioning
A

Answer: C
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q 
Which of the following is commonly used for retrofitting multilevel security to a database management system?  
A. trusted front-end 
B. trusted back-end 
C. controller 
D. kernel
A

Answer: A
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Normalizing data within a database includes all of the following except which?
A. Eliminating repeating groups by putting them into separate tables
B. Eliminating redundant data
C. Eliminating attributes in a table that are not dependent on the primary key of that table
D. Eliminating duplicate key fields by putting them into separate tables

A

Answer: D
Explanation: “Data Normalization Normalization is an important part of database design that ensures that attributes in a table depend only on the primary key. This process makes it easier to maintain data and have consistent reports.
Normalizing data in the database consists of three steps: 1.)Eliminating any repeating groups by putting them into separate tables 2.)Eliminating redundant data (occurring in more than one table) 3.)Eliminating attributes in a table that are not dependent on the primary key of that table”
Pg. 62 Krutz: The CISSP Prep Guide: Gold Edition

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q 
SQL commands do not include which of the following?  
A. Select, Update 
B. Grant, Revoke 
C. Delete, Insert 
D. Add, Replace
A

Answer: D
Explanation: “SQL commands include Select, Update, Delete, Grant, and Revoke.” Pg. 62 Krutz: The CISSP Prep Guide: Gold Edition
“Developed by IBM, SQL is a standard data manipulation and relational database definition language. The SQL Data Definition Language creates and deletes views and relations (tables). SQL commands include Select, Update, Delete, Insert, Grant, and Revoke. The latter two commands are used in access control to grant and revoke privileges to resources. Usually, the owner of an object can withhold or transfer GRANT privileges to an object to another subject. If the owner intentionally does not transfer the GRANT privileges, however, which are relative to an object to the individual A, A cannot pass on the GRANT privileges to another subject. In some instances, however, this security control can be circumvented. For example, if A copies the object, A essentially becomes the owner of that object and thus can transfer the GRANT privileges to another user, such as user B.
SQL security issues include the granularity of authorization and the number of different ways you can execute the same query.
Pg. 63 Krutz: The CISSP Prep Guide: Gold Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q 
QUESTION NO: 430  
SQL security issues include which of the following?  
A. The granularity of authorizations 
B. The size of databases 
C. The complexity of key structures 
D. The number of candidate key elements
A

Answer: A
Explanation: Developed by IBM, SQL is a standard data manipulation and relational database definition language. The SQL Data Definition Language creates and deletes views and relations (tables). SQL commands include Select, Update, Delete, Insert, Grant, and Revoke. The latter two commands are used in access control to grant and revoke privileges to resources. Usually, the owner of an object can withhold or transfer GRANT privileges to an object to another subject. If the owner intentionally does not transfer the GRANT privileges, however, which are relative to an object to the individual A, A cannot pass on the GRANT privileges to another subject. In some instances, however, this security control can be circumvented. For example, if A copies the object, A essentially becomes the owner of that object and thus can transfer the GRANT privileges to
another user, such as user B.
SQL security issues include the granularity of authorization and the number of different ways you can execute the same query.
Pg. 63 Krutz: The CISSP Prep Guide: Gold Edition

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q 
Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server?  
A. Bind variables 
B. Assimilation variables 
C. Reduction variables 
D. Resolution variables
A

Answer: A
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What ensures that attributes in a table depend only on the primary key?
A. Referential integrity
B. The database management system (DBMS)
C. Data Normalization
D. Entity integrity

A

Answer: C
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q 
Which of the following represent the rows of the table in a relational database? 
A. attributes 
B. records or tuples 
C. record retention 
D. relation
A

Answer: B
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q 
With regard to databases, which of the following has characteristics of ease of reusing code and analysis and reduced maintenance?  
A. Object-Oriented Data Bases (OODB) 
B. Object-Relational Data Bases (ORDB) 
C. Relational Data Bases 
D. Data Base management systems (DBMS)
A

Answer: A
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q 
Complex applications involving multimedia, computer aided design, video, graphics, and expert systems are more suited to which of the following?  
A. Object-Oriented Data Bases (OODB) 
B. Object-Relational Data Bases 
C. Relational Data Bases 
D. Data base management systems (DBMS)
A

Answer: A
Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q 
Which of the following refers to the number of columns in a table?  
A. Schema 
B. Relation 
C. Degree 
D. Cardinality
A

Answer: C
Explanation:

27
Q 
Which of the following refers to the number of rows in a relation?  
A. cardinality 
B. degree 
C. depth 
D. breadth
A

Answer: A
Explanation:

28
Q 
Which of the following refers to the number of columns in a relation?  
A. degree 
B. cardinality 
C. depth 
D. breadth
A

Answer: A
Explanation:

29
Q

What is one disadvantage of content-dependent protection of information?
A. It increases processing overhead
B. It requires additional password entry
C. It exposes the system to data locking
D. It limits the user’s individual address space

A

Answer: A
Explanation: Content-Dependent Access Control
“Just like the name sounds, access to objects is determined by the content within the object. This is used many times in databases and the type of Web-based material a firewall allows…If a table within the database contains information about employees’ salaries, the managers were not allowed to view it, but they could view information about an employee’s work history. The content of the database fields dictates which user can see specific information within the database tables.” pg 161 Shon Harris: All-In-One CISSP Certification. Decisions will have to be made about the content, therefore increasing processing overhead.

30
Q

Which one of the following control steps is usually NOT performed in data warehousing applications?
A. Monitor summary tables for regular use.
B. Control meta data from being used interactively.
C. Monitor the data purging plan.
D. Reconcile data moved between the operations environment and data warehouse.

A

Answer: A
Explanation: Not B: It is important to control meta data from being used interactively by unauthorized users. “Data warehouses and data mining are significant to security professionals for two reasons. First, as previously mentioned, data warehouses contain large amounts of potentially sensitive information vulnerable to aggregation and inference attacks, and security practitioners must ensure that adequate access controls and other security measures are in place to safeguard this data.” Pg 192 Tittel: CISSP Study Guide
Not C: “The data in the data warehouse must be maintained to ensure that it is timely and valid. The term data scrubbing refers to maintenance of the data warehouse by deleting information that is unreliable or no longer relevant.” Pg 358-359 Krutz: The CISSP Prep Guide: Gold Edition Not D: “To create a data warehouse, data is taken from an operational database, redundancies are removed, and the data is “cleaned up” in general.” Pg 358 Krutz: The CISSP Prep Guide: Gold Edition

31
Q 
A storage information architecture does not address which of the following?  
A. archiving of data 
B. collection of data 
C. management of data 
D. use of data
A

Answer: A
Explanation:

32
Q 
Which of the following can be defined as the set of allowable values that an attribute can take?  
A. domain of a relation 
B. domain name service of a relation 
C. domain analysis of a relation 
D. domains, in database of a relation
A

Answer: A
Explanation:

33
Q 
Programmed procedures which ensure that valid transactions are processed accurately and only once in the current timescale are referred to as 
A. Data installation controls 
B. Application controls 
C. Operation controls 
D. Physical controls
A

Answer: B
Explanation:

34
Q

What is the most effective means of determining how controls are functioning within an operating system?
A. Interview with computer operator
B. Review of software control features and/or parameters
C. Review of operating system manual
D. Interview with product vendor

A

Answer: B
Explanation:

35
Q

What is the most effective means of determining how controls are functioning within an operating system?
A. Interview with computer operator
B. Review of software control features and/or parameters
C. Review of operating system manual
D. Interview with product vendor

A

Answer: B
Explanation:

36
Q

Program change controls must ensure that all changes are
A. Audited to verify intent.
B. Tested to ensure correctness.
C. Implemented into production systems.
D. Within established performance criteria.

A

Answer: B
Explanation: Document of the change. Once the change is approved, it should be entered into a change log and the log should be updated as the process continues toward completion. Tested and presented. The change must be fully tested to uncover any unforeseen results. Depending on the severity of the change and the company’s organization, the change and implementation may need to be presented to a change control committee. This helps show different sides to the purpose and outcome of the change and the possible ramifications. - Shon Harris All-in-one CISSP Certification Guide pg 815

37
Q

Which question is NOT true concerning Application Control?
A. It limits end users use of applications in such a way that only particular screens are visible
B. Only specific records can be requested choice
C. Particular uses of application can be recorded for audit purposes
D. Is non-transparent to the endpoint applications so changes are needed to the applications involved

A

Answer: D
Explanation:

38
Q 
A computer program used to process the weekly payroll contains an instruction that the amount of the gross pay cannot exceed $2,500 for any one employee. This instruction is an example of a control that is referred to as a: 
A. sequence check 
B. check digit 
C. limit check 
D. record check
A

Answer: C
Explanation:

39
Q 
What are edit controls?  
A. Preventive controls 
B. Detective controls 
C. Corrective controls 
D. Compensating controls
A

Answer: A
Explanation: “Edit control” / concurrency – a preventative security mechanism to help ensure database is correct (integrity & availability protected).

40
Q 
Which one of the following properties of a transaction processing system ensures that once a transaction completes successfully (commits), the update service even if there is a system failure?    
A. Atomicity 
B. Consistency 
C. Isolation 
D. Durability
A

Answer: D
Explanation:

41
Q 
To ensure integrity, a payroll application program may record transactions in the appropriate accounting period by using   
A. Application checkpoints 
B. Time and date stamps 
C. Accrual journal entries 
D. End of period journals
A

Answer: B
Explanation:

42
Q 
What ensures that the control mechanisms correctly implement the security policy for the entire life cycle of an information system?  
A. Accountability controls 
B. Mandatory access controls 
C. Assurance procedures 
D. Administrative controls
A

Answer: C
Explanation: Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system. Pg 33 Krutz: The CISSP Prep Guide.

43
Q 
Development staff should:
A. Implement systems 
B. Support production data 
C. Perform unit testing 
D. Perform acceptance testing
A

Answer: C
Explanation:

44
Q

Which of the following is not used as a cost estimating technique during the project planning stage?
A. Delphi technique
B. Expert Judgment
C. Program Evaluation Review Technique (PERT) charts
D. Function points (FP)

A

Answer: C
Explanation: “Methods and techniques for cost estimation: Experts’ evaluation Delphi Bottom-up approaches Empirical models COCOMO Function Points Combining Methods”

45
Q

Which of the following methodologies is appropriate for planning and controlling activities and resources in a system project?
A. Gantt charts
B. Program evaluation review technique (PERT)
C. Critical path methodology (CPM)
D. Function point analysis (FP)

A

Answer: A
Explanation: A Gantt chart is a popular type of bar chart showing the interrelationships of how projects, schedules, and other time-related systems progress over time.
Not B:
Program Evaluation and Review Technique - (PERT) A method used to size a software product and calculate the Standard Deviation (SD) for risk assessment. The PERT equation (beta distribution) estimates the Equivalent Delivered Source Instructions (EDSIs) and the SD based on the analyst’s estimates of the lowest possible size, the most likely size, and the highest possible size of each computer program component (CPC).
http://computing-dictionary.thefreedictionary.com/

46
Q

Which of the following is an advantage of using a high-level programming language?
A. It decreases the total amount of code writers
B. It allows programmers to define syntax
C. It requires programmer-controlled storage management
D. It enforces coding standards

A

Answer: A
Explanation:

47
Q

The design phase in a system development life cycle includes all of the following EXCEPT
A. Determining sufficient security controls.
B. Conducting a detailed design review.
C. Developing an operations and maintenance manual.
D. Developing a validation, verification, and testing plan.

A

Answer: C
Explanation: Systems Development Life Cycle Conceptual Defintion Functional Requirements Determination Protection Specifications Development Design Review Code Review Walk-Through System Test Review Certification and Accreditation Maintenance
Pg 224-228 Tittel: CISSP Study Guide.

48
Q 
By far, the largest security exposure in application system development relates to    
A. Maintenance and debugging hooks. 
B. Deliberate compromise. 
C. Change control. 
D. Errors and lack of training
A

Answer: A
Explanation: Maintenance hook - instructions within a program’s code that enable the developer or maintainer to enter the program without having to go through the usual access control and authentication processes. They should be removed from the code before being released for production; otherwise, they can cause serious security risks. They are also referred to as trapdoors. - Shon Harris All-in-one CISSP Certification Guide pg 933

49
Q 
Which of the following is a 5th Generation Language?  
A. LISP 
B. BASIC 
C. NATURAL 
D. Assembly Language
A

Answer: A
Explanation:

50
Q

When considering the IT Development Life-Cycle, security should be:
A. Mostly considered during the initiation phase.
B. Mostly considered during the development phase.
C. Treated as an integral part of the overall system design.
D. Add once the design is completed.

A

Answer: C
Explanation:

51
Q 
Which of the following represents the best programming?  
A. Low cohesion, low coupling 
B. Low cohesion, high coupling 
C. High cohesion, low coupling 
D. High cohesion, high coupling
A

Answer: C
Explanation:

52
Q 
he INITIAL phase of the system development life cycle would normally include 
A. Cost-benefit analysis 
B. System design review 
C. Executive project approval 
D. Project status summary
A

Answer: C
Explanation: Project management is an important part of product development and security management is an important part of project management. - Shon Harris All-in-one CISSP Certification Guide pg 732

53
Q

Which of the following computer design approaches is based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle?
A. Pipelining
B. Reduced Instruction Set Computers (RISC)
C. Complex Instruction Set Computers (CISC)
D. Scolar processors

A

Answer: C
Reference: pg 255 Krutz: CISSP Prep Guide: Gold Edition

54
Q 
Which one of the following tests determines whether the content of data within an application program falls within predetermined limits?   
A. Parity check 
B. Reasonableness check 
C. Mathematical accuracy check 
D. Check digit verification
A

Answer: B
Explanation: Reasonableness check: A test to determine whether a value conforms to specified criteria. Note: A reasonableness check can be used to eliminate questionable data points from subsequent processing.

55
Q

Buffer overflow and boundary condition errors are subsets of:
A. Race condition errors
B. Access validation errors
C. Exceptional condition handling errors
D. Input validation errors

A

Answer: D
Explanation:

56
Q

Which of the following statements pertaining to software testing approaches is correct?
A. A bottom-up approach allows interface errors to be detected earlier
B. A top-down approach allows errors in critical modules to be detected earlier
C. The test plan and results should be retained as part of the system’s permanent documentation
D. Black box testing is predicated on a close examination of procedural detail

A

Answer: C
Explanation:

57
Q 
Which of the following phases of a system development life-cycle is most concerned with authenticating users and processes to ensure appropriate access control decisions?  
A. Development/acquisition 
B. Implementation 
C. Operation/Maintenance 
D. Initiation
A

Answer: C
Explanation:

58
Q

Which of the following would be the most serious risk where a systems development life cycle methodology is inadequate?
A. The project will be completed late
B. The project will exceed the cost estimates
C. The project will be incompatible with existing systems
D. The project will fail to meet business and user needs

A

Answer: D
Explanation:

59
Q

Which of the following would best describe the difference between white-box testing and black-box testing?
A. White-box testing is performed by an independent programmer team
B. Black-box testing uses the bottom-up approach
C. White-box testing examines the program internal logical structure
D. Black-box testing involves the business units

A

Answer: C
Explanation:

60
Q 
Which of the following refers to the work product satisfying the real-world requirements and concepts?  
A. validation 
B. verification 
C. concurrence 
D. accuracy
A

Answer: A
Reference: pg 820 Hansche: Official (ISC)2 Guide to the CISSP Exam

61
Q

Which model, based on the premise that the quality of a software product is a direct function of the quality of it’s associated software development and maintenance processes, introduced five levels with which the maturity of an organization involved in the software process is evaluated?
A. The total Quality Model (TQM)
B. The IDEAL Model
C. The Software Capability Maturity Model
D. The Spiral Model

A

Answer: C
Explanation:

62
Q

Which of the following would provide the best stress testing environment?
A. Test environment using test data
B. Test environment using live workloads
C. Production environment using test data
D. Production environment using live workloads

A

Answer: B
Explanation:

63
Q 
In a change control environment, which one of the following REDUCES the assurance of proper changes to source programs in production status?  
A. Authorization of the change. 
B. Testing of the change. 
C. Programmer access. 
D. Documentation of the change.
A

Answer: C
Explanation: I think I am going to disagree with the original answer (B testing of the change) here. The question has REDUCES the assurance. “Personnel separate from the programmers should conduct this testing.” -Ronald Krutz The CISSP PREP Guide (gold edition) pg 345

64
Q

Why should batch files and scripts be stored in a protected area?
A. Because of the least privilege concept
B. Because they cannot be accessed by operators
C. Because they may contain credentials
D. Because of the need-to-know concept

A

Answer: C

Explanation

CISSP (16 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions