Chapter 15

Question 1

verifying a control is functioning properly; include scans, pen tests

Answer 1

security tests

Question 2

comprehensive reviews of a system’s security; involves a risk assessment

Answer 2

security assessment

Question 3

essentially an outsourced security assessment

Answer 3

security audit

Question 4

two Third party audit standards

Answer 4

SSAE 18 - Statement on Standards for Attestation Engagements
ISAE 3402 - International Standard for Attestation Engagements

Question 5

This level of SOC Engagement assesses the organization’s controls that might impact the accuracy of financial reporting

Answer 5

SOC 1

Question 6

This level of SOC Engagement assesses the organization’s controls that affect the security and privacy of information - these are usually confidential

Answer 6

SOC 2

Question 7

This level of SOC Engagement assesses the organization’s controls that affect the security and privacy of information and are intended for public disclosure

Answer 7

SOC 3

Question 8

This kind of SOC report provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls.

Answer 8

Type I Report

Question 9

This kind of SOC report provides the auditor’s opinion on the operating effectiveness of the controls

Answer 9

Type II Report

Question 10

A framework for conducting audits that is maintained by ISACA

Answer 10

COBIT - Control Objectives for Information and Related Technologies

Question 11

NIST language for describing and evaluating vulnerabilities

Answer 11

Security Content Automation Protocol (SCAP)

Question 12

a language for specifying security checklists

Answer 12

XCCDF - Extensible Configuration Checklist Description Format

Question 13

a language for describing security testing procedures

Answer 13

OVAL - Open Vulnerability and Assessment Language

Question 14

a scan that only sends a SYN message but never finishes the handshake

Answer 14

TCP SYN / half-open scan

Question 15

a scan that completes a handshake, then closes the connection

Answer 15

TCP Connect Scanning

Question 16

a scan that sends an ACK message to test firewall configurations

Answer 16

TCP ACK Scan

Question 17

a scan that looks for open UDP ports

Answer 17

UDP scan

Question 18

a scan with the FIN, PSH, and URG flags set

Answer 18

Xmas Scan

Question 19

the most formal code review process, containing 6 steps

Answer 19

Fagan inspections

Question 20

6 steps of Fagan inspections

Answer 20

1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework
6. Follow-Up

Question 21

evaluating the security of software without running it by analyzing either the source code or the compiled application

Answer 21

static application security testing (SAST)

Question 22

evaluating the security of a software in a runtime environment

Answer 22

dynamic application security testing (DAST)

Question 23

scripted transactions with known expected results

Answer 23

synthetic transactions

Question 24

real-time analysis of runtime behavior, application performance, HTTP/HTTPS traffic, framework, components, and backend connections

Answer 24

IAST - Interactive Application Security Testing

Question 25

a tool that runs on a server and intercepts calls to and from an application and validates data requests

Answer 25

RASP - Runtime Application Self-Protection

Question 26

assessing the performance of modules against the interface specifications to ensure they are working together properly when development efforts are complete

Answer 26

interface testing