CSSLP Flashcards

Question

Which principle states that a system should have simple, well-defined interfaces and functions? a) Clear Abstractions b) Least Common Mechanism c) Modularity and Layering d) Partially Ordered Dependencies

Answer 1

a) An abstraction is a technique for arranging complexity of computer systems; clear abstractions are those with simple, well-defined interfaces

Answer 2

c) Reduced Complexity means the design should be as simple and small as possible

Answer 3

d) Security elements should enforce principles such as least privilege and separation of duties

Answer 4

a) By being able to track the business requirement to the technical requirement to the test case; there is the assurance of 100% test coverage

Answer 5

b) Non-repudiation is tied to accountability and means an actor cannot deny performing an action

Answer 6

a) There are 4 potential mitigations; warn the user (which leaves the threat unmitigated), disable the feature (making it an optional application function), remove the feature (get rid of it), technological solution (use technological solutions to mitigate the threat)

Answer 7

A, B and D - Attack surface analysis is an assessment of the total number of exploitable vulnerabilities in a system or network or other potential computer attack targets. So A, B and D all apply.

Answer 8

A, B and C - The attack surface analysis process steps are: Define the attack surface of an application, Identify and map the attack surface, Measure and assess the attack surface https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

Answer 9

d) Corrective controls restore the system or process back to the state prior to a harmful event. As such, they contain the damage and prevent further spread of the incident

Answer 10

c) A Rich Internet Application is a Web application that has many of the characteristics of desktop application software, and is typically delivered via a browser plug-in, an independent sandbox, JavaScript, or a virtual machine

Answer 11

c) A community cloud is a cloud computing solution provided to a specific computing community, and that is governed, managed and secured commonly by that participating community

Answer 12

b) Decomposing the application allows for a more detailed understanding of the mechanics of the application makes it easier to uncover more relevant and more detailed threats

Answer 13

a) The difference between Provenance and Pedigree is that Provenance is the place or source of origin; Pedigree is a chart, list or record of origin. The Pedigree is the basis for creating software supply chain paths

Answer 14

b) Language-oriented environments are developed around one language, thereby offering a tool set suitable for that particular language. They are very interactive and provide restricted support for programming-in-the-large. Structure-oriented environments include techniques that let users directly manipulate the structures. These techniques are language independent, which triggered the concept of generators for environments. Toolkit environments offer a set of tools that incorporate language independent support for programming-in-the-large tasks such as version control and configuration management. Method-based environments include support for a wide variety of routines involved in the software development process. This includes tasks such as team and project management. These environments also feature tools for certain specification and design techniques.

Answer 15

b) A service level agreement (SLA) is an agreement between two or more parties where one is the customer and the others are service providers. This can be a formal (legally binding) or an informal (for example, internal department relationships) "contract". The agreement may involve separate organizations or different teams within one organization

Answer 16

b) The GNU General Public License (GNU GPL) is a freely available, copyleft license, a license that allows end users to execute, modify, and share the software to which the license applies, and which means that any software created or modified under that license must be distributed under the same license terms. The license allows for redistribution, either for a fee or free of charge, but cannot impose any constraints further than those already enforced by the parent GLP license, such as a nondisclosure agreement or contract. The only restriction on the use of the GLP license is that two licensees must use different names for the license.

Answer 17

d) There are all sorts of other types of vulnerabilities that would be solved by input validation. If there is one thing that could solve a huge number of security vulnerabilities, including execution attacks, it would be input validation.

Answer 18

c) One way of performing output encoding is to use an Extensible Stylesheet Language (XSL) engine, which can convert the output to a different encoding.

Answer 19

d) A worm is a program that self-propagates from one computer to another over a network, using the resources on one machine to attack other machines. Worms differ from viruses in that they do not need input from users; worms are independently capable of transferring between computers.

Answer 20

c) Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.

Answer 21

c) Nonfunctional refers to aspects of the software that may not be related to a specific function or user action such as scalability or security

Answer 22

c) Penetrating testing is often executed in 5 phases: Planning, Discovery, Vulnerability Mapping, Attack and Reporting

Answer 23

d) The difference between volume, load and stress testing is as follows: Volume testing uses large amounts of data, load testing uses a large amount of users, while stress testing uses too many users and too much data with too little time and too little room

Answer 24

b) Test execution tools are also known as capture - playback capture - replay tools. The test execution tools need a scripting language to create and modify the scripts to run the tool.

Answer 25

a) A credential is an object that is verified when presented to the verifier in an authentication transaction. Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authentication.

Answer 26

c) Once software has undergone all of its testing and mitigations or remediations of unacceptable test findings have been implemented, it is considered ready for release. Security checking does not stop here, however, because this is the point in the SDLC at which pre-deployment software is most vulnerable to unauthorized access when it is being staged for distribution/deployment, transferred from staging to the production environment, or in the process of being installed.

Answer 27

b) After a risk determination, organizations can respond to risk in a variety of ways: accepting risk, avoiding risk, mitigating risk, sharing risk, transferring risk, or a combination of the above.

Answer 28

c) A data retention policy, or records retention policy, is an organization's established protocol for retaining information for operational or regulatory compliance needs.

Answer 29

b) Discretionary Access Control

Answer 30

a) Passwords, tokens and biometrics

Answer 31

b) Least Privilege

Answer 32

b) Two factor

Answer 33

c) Authentication

Answer 34

d) During requirements development

Answer 35

b) Required by users

Answer 36

d) Designed originally to provide the necessary security

Answer 37

c) Operation controls

Answer 38

b) Dictionary attack

Answer 39

b) do not adversely affect implementation of the security policy

Answer 40

c) To log and control incoming and outgoing application traffic

Answer 41

c) Catch and log exceptions only at points which exceptions are actually handled

Answer 42

b) A brief high-level statement defining what is and is not permitted in the operation of a system

Answer 43

c) It provides highly granular control

Answer 44

c) Reference Monitor

Answer 45

b) To provide a clear understanding of potential risk and exposure

Answer 46

b) Vulnerabilities in software

Answer 47

b) a person or process emulating another person or process

Answer 48

d) ALE = SLE * ARO

Answer 49

d) Procedure

Answer 50

b) Cost justified for the potential loss

Answer 51

a) Separation of duties

Answer 52

d) Detection

Answer 53

a) It is relatively easy to distribute keys

Answer 54

b) Certification Authority (CA)

Answer 55

a) Data Encryption Standard (DES)

Answer 56

d) Key Exchange

Answer 57

c) It identifies the source and verifies the integrity of data

Answer 58

b) the number of people requiring access to the system or data

Answer 59

c) Need to Know

Answer 60

b) Protected subsystem

Answer 61

d) User input validation

Answer 62

d) Subject's digital signature

Answer 63

b) Client execution environment may not provide the ability to limit system access that an applet could have on a client system

Answer 64

c) Level 3

Answer 65

a) Everyone in the organization

Answer 66

b) Arbitrary code execution

Answer 67

a) Improve the quality of the software product

Answer 68

c) validate user input

Answer 69

b) the governing law in the agreements between two nations

Answer 70

a) The impact on the organization's ability to achieve its goals

Answer 71

a) User's Name

Answer 72

b) Threat Modeling

Answer 73

b) It directly reflects management's commitment to security

Answer 74

d) Statement of performance characteristics and requirements

Answer 75

a) A hierarchical definition of security policies, standards and procedures

Answer 76

b) Periodically review audit and access logs

Answer 77

b) Single Loss Expectancy

Answer 78

c) Due to its compactness, the kernel is easier to formally verify

Answer 79

b) Small - In order to facilitate the detailed analysis necessary to prove that it meets design requirements

Answer 80

c) Password

Answer 81

a) The individual must have a need to know

Answer 82

a) Availability, Confidentiality, Integrity

Answer 83

a) create a standard configuration for all systems and applications on the network

Answer 84

a) centralized or decentralized according to business and security needs

Answer 85

c) control all access by subjects requesting access to resources

Answer 86

b) Trademark

Answer 87

d) permit authenticated personnel to perform authorized changes

Answer 88

d) integrate security into the software development process

Answer 89

b) understand both use and misuse case models

Answer 90

d) develop an information classification procedure and ensure that appropriate handling procedures are in place

Answer 91

a) identifying an information owner

Answer 92

a) Single Sign On

Answer 93

a) security requirement to the components that will deliver specific security functions

Answer 94

a) define an ongoing metric for default security levels

Answer 95

a) older systems were never built with adequate security controls

Answer 96

d) the likelihood a control will not provide adequate protection in the event of an attack

Answer 97

c) ensuring no unauthorized changes are made to the code

Answer 98

c) Threat Modeling

Answer 99

d) detecting potential security vulnerabilities not just software function and features

Answer 100

c) ensures tests will cover the entire range of allowable input values in a truly random manner

Answer 101

c) allow more thorough testing when used in conjunction with manual testing

Answer 102

b) attempts to read data from an integrated circuit chip by freezing it at extremely low temperatures

Answer 103

c) Type Safety

Answer 104

d) To ensure the designed security controls were implemented correctly, operating correctly and providing the intended benefit

Answer 105

c) code that is on the attack surface of the application

Answer 106

a) ensures new changes do not unintentionally overwrite previous changes

Answer 107

c) Customers

Answer 108

a) ISO 15408

Answer 109

d) Total Risk

Answer 110

c) Exploit

Answer 111

b) Risk remaining after all controls have been applied

Answer 112

d) Asset Value * Exposure Factor

Answer 113

a) Annual Rate of Occurrence (ARO * Single Loss Expectancy (SLE) Remember : ALE = ARO * SLE -or- BEER = AROUSLE

Answer 114

b) Risk Management

Answer 115

d) Sometimes difficult to quantify software assets

Answer 116

b) Controls may cause unintended results

Answer 117

c) The organization

Answer 118

b) Document

Answer 119

b) Avoidance

Answer 120

d) Training

Answer 121

b) Privacy

Answer 122

b) Confidentiality, Integrity and Availability Budget, Schedule and Scope are the 3 tiers of the Iron Triangle.

Answer 123

a) Logging

Answer 124

a) Accountability

Answer 125

b) Denial of Service (DOS)

Answer 126

c) Least Common Mechanism

Answer 127

a) authority to access objects is checked every time access is requested

Answer 128

c) Regulatory compliance

Answer 129

c) Support of top management

Answer 130

d) Use of popular methodologies

Answer 131

d) Performance Impairment

Answer 132

d) Polymorphism

Answer 133

c) ISO 27000 series

Answer 134

a) ISO 15408

Answer 135

a) ISO 15408

Answer 136

d) NIST SP 800-64

Answer 137

c) Socratic method

Answer 138

a) Six Sigma

Answer 139

b) Psychological (User Acceptance)

Answer 140

b) Gramm-Leach Bliley Act (GLBA)

Answer 141

a) Confidentiality

Answer 142

a) Bell-LaPadula Confidentiality (BLP)

Answer 143

b) Security

Answer 144

d) Clark Wilson Integrity

Answer 145

d) Clark Wilson Integrity

Answer 146

c) Brewer Nash

Answer 147

d) White box testing

Answer 148

b) Trusted Platform Module (TPM)

Answer 149

b) User Activity Patterns

Answer 150

a) Continuously Improving This level is also known as Optimizing or Level 5. Qualitatively Controlled is actually Level 4

Answer 151

a) Compartmentalization Principle

Answer 152

c) Complete Mediation

Answer 153

b) COSO and Zachman

Answer 154

b) Executive Sponsor

Answer 155

d) Input Validation and Hashing

Answer 156

a) Critical Business, Administrative and Authentication Attempts

Answer 157

b) Acquirer

Answer 158

d) Build support, meeting collaboratively with stakeholders, sharing information and being prepared

Answer 159

b) Encoded using Base-64 encoding

Answer 160

d) Time of Check (TOC) / Time of Use (TOU)

Answer 161

a) Encryption and masking

Answer 162

d) Are assumed malicious and labeled as such

Answer 163

b) In development

Answer 164

a) Confidentiality

Answer 165

b) Integrity

Answer 166

b) Integrity

Answer 167

d) Resiliency

Answer 168

b) Defensive coding

Answer 169

d) Digest authentication

Answer 170

b) Grants admins full access

Answer 171

a) Access granularity

Answer 172

a) Demilitarized Zone (DMZ)

Answer 173

a) Canonicalization

Answer 174

b) Identity Management Requirements

Answer 175

a) Current control environment

Answer 176

b) Integrity

Answer 177

c) Availability

Answer 178

c) Referential constraints

Answer 179

c) Provide alternate ways an action can be performed

Answer 180

d) Generate sequence diagrams

Answer 181

b) Cater to variants and exceptions

Answer 182

a) Misuse case visualizations

Answer 183

c) A security Architecture and Design report

Answer 184

d) Mutual Exclusion Property | Isn't this NOT a property...look it up

Answer 185

c) Accident

Answer 186

c) Permissions are assigned to the client

Answer 187

c) Race window

Answer 188

d) Development

Answer 189

d) Relationships

Answer 190

c) Architects and lead developers

Answer 191

c) Business Impact Analysis

Answer 192

c) NIST SP 800-12

Answer 193

c) Role Based Model

Answer 194

a) Organizational policy

Answer 195

a) Actor An actor is some external entity that interacts with the system

Answer 196

b) FIPS 201

Answer 197

b) Integrity

Answer 198

c) Nothing

Answer 199

b) Data Classification

Answer 200

d) A bug is code-specific and a flaw is weakness in the logic

Answer 201

b) Symmetric and Asymmetric encryption, Hashing and Masking

Answer 202

b) Recipient's public key

Answer 203

c) Sender's private key

Answer 204

a) Integrity, Availability and Non-Repudiation

Answer 205

b) Integrity

Answer 206

c) Open connections, memory leaks and endless loops

Answer 207

d) Compartmentalization

Answer 208

a) Clark Wilson

Answer 209

d) Bell-LaPadula

Answer 210

b) Rich Internet Applications

Answer 211

a) Encryption

Answer 212

d) Increased attack surface

Answer 213

a) Integrity

Answer 214

a) Locking to prevent inconsistent updates

Answer 215

d) Confidentiality

Answer 216

b) Availability

Answer 217

d) Identifies performance implications

Answer 218

d) Non-Repudiation

Answer 219

a) Proxy between the Internet and Intranet

Answer 220

c) Removing maintenance hooks

Answer 221

b) Initial Program Load (IPL)

Answer 222

c) Document Answer key say E...but there is no E

Answer 223

a) Data and Logic

Answer 224

d) Metrics

Answer 225

b) Incident Management works to restore service while Problem Management works to improve service

Answer 226

d) Removed from service

Answer 227

b) Fingerprinting

Answer 228

b) Reviews and validates the software's functionality

Answer 229

c) Trade secret

Answer 230

a) Accreditation

Answer 231

b) Regression Testing

Answer 232

d) Performance measures

Answer 233

d) Vendor Evaluation

Answer 234

c) How long it take for an event to be elevated to an incident

Answer 235

c) Certification

Answer 236

d) Trademark

Answer 237

b) Exceptions to Policy

Answer 238

b) Stress Testing

Answer 239

d) Black Box Testing

Answer 240

c) Fuzzing

Answer 241

a) Does not exist

Answer 242

d) Integration

Answer 243

b) Denial of Service

Answer 244

c) Exception handling

Answer 245

d) Integration

Answer 246

c) Business Continuity

Answer 247

a) Coding bugs

Answer 248

b) Smishing ...and never heard of it

Answer 249

a) Chroot jail ...again, never heard of it

Answer 250

d) Application injection flaws

Answer 251

b) Easily guessable IDs

Answer 252

d) Machine, Assembly, High Level, Natural

Answer 253

a) TEMPEST

Answer 254

b) Input validation

Answer 255

d) Obfuscation

Answer 256

c) Machine

Answer 257

a) Logic Bomb

Answer 258

d) System function exploits

Answer 259

b) Forced browsing Forced browsing is an umbrella answer in that it consists of Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration. The SPECIFIC question refers to Predictable Resource Location

Answer 260

c) High Level

Answer 261

d) Temporal Both TEMPORAL and LOCAL variables are the same but because Temporal is SPECIFIC and Local is not...stupid question

Answer 262

d) Extreme Programming

Answer 263

c) Client and Server

Answer 264

b) Dangling code

Answer 265

c) Static Code Analysis

Answer 266

b) Cryptographic Next Generation (CNG)

Answer 267

d) Spear Phishing

Answer 268

a) Input Validation

Answer 269

c) Bounds Checking

Answer 270

b) Complete mediation

Answer 271

b) Reflected Cross-Site Scripting (XSS)

Answer 272

c) Upper Computer-Aided Software Engineering (CASE) Note the ONLY difference between Upper and Lower is that of ANALYSIS versus DEVELOPMENT.

Answer 273

c) Objects and Classes

Answer 274

d) Unpredictable code memory locations

Answer 275

a) Impersonation

Answer 276

c) Operating System command injection

Answer 277

b) Spatial Locality

Answer 278

a) Injection attacks

Answer 279

a) Cryptography

Answer 280

b) TEMPEST

Answer 281

d) Back Door

Answer 282

b) Obfuscation

Answer 283

a) Machine code

Answer 284

b) All functions and variables are copied into the executable image

Answer 285

d) Dangling pointer

Answer 286

a) Cyclomatic Complexity

Answer 287

b) Parameterized queries

Answer 288

d) Type safety

Answer 289

c) Sensitive information disclosure

Answer 290

c) Code signing

Answer 291

a) Survivability

Answer 292

a) Defense in Depth

Answer 293

d) Attack Surface Evaluation

Answer 294

c) Configuration and performance

Answer 295

b) Authorized data disclosure

Answer 296

d) Mutual Exclusion A race condition violates these properties, which are closely related: Exclusivity - the code sequence is given exclusive access to the shared resource Atomicity - the code sequence is behaviorally atomic

Answer 297

b) Salting

Answer 298

a) Inference

Answer 299

b) Memory Management

Answer 300

d) n(n-1)/2

Answer 301

c) Scalability

Answer 302

c) Strive for Simplicity

Answer 303

B. the corporate brand and reputation When security is incorporated in to the software development life cycle, confidentiality, integrity and availability can be assured and external hacker and insider threat attempts thwarted. Developers will generate more hack-resilient software with fewer vulnerabilities, but protection of the organization’s reputation and corporate brand is the primary reason for software assurance.

Answer 304

B. Integrity When the software program operates as it is expected to, it is said to be reliable or internally consistent. Reliability is an indicator of the integrity of software. Hack resilient software are reliable (functioning as expected), resilient (able to withstand attacks) and recoverable (capable of being restored to normal operations when breached or upon error).

Answer 305

A. software issues can cause downtime to the business. One of the tenets of software assurance is ‘availability’. Software issues can cause software unavailability and downtime to the business. This is often observed as a denial of service (DoS) attack.

Answer 306

C. Availability Confidentiality controls assures protection against unauthorized disclosure. Integrity controls assures protection unauthorized modificatons or alterations. Availability controls assures protection against downtime/denial of service and destruction of information. Authentication is the mechanism to validate the claims/credentials of an entity. Authorization has to do with rights and privileges that a subject has upon requested objects.

Answer 307

A. Ownership based authentication Authentication can be achieved in one or more of the following ways. Using something one knows (knowledge based), something one has (ownership based ) and something one is (characteristic based). Using a token device is ownership based authentication. When more than one way is used for authentication purposes, it is referred to as multifactor authentication and is recommended over single factor authentication.

Answer 308

B. Defense in depth Having more than one way of authentication provides for a layered defense which is the premise of the defense in depth security design principle.

Answer 309

D. preventing a user from performing some unauthorized operations. Audit log information can be a detective control (providing evidentiary information), a deterrent control when the users know that they are being audited but it cannot prevent any unauthorized actions. When the software logs user actions, it also provides non-repudiation capabilities because the user cannot deny their actions.

Answer 310

A. Clipping level The predetermined number of acceptable user errors before recording the error as a potential security incident is referred to as clipping level. For example is the number of allowed failed login attempts before the account is locked out is 3, then the clipping level for authentication attempts is 3.

Answer 311

C. Fail secure Fail secure principle prescribes that access decisions must be based on permission rather than exclusion. This means that the default situation is a lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify condition under which access should be refused, presents the wrong psychological base for secure system design. As design or implementation mistake in the mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allow access, a failure which may go unnoticed in normal use. This principle applies to both the outward appearance of the protection mechanism and to its underlying implementation.

Answer 312

C. Transference When an “As-Is” disclaimer clause is used, the risk is transferred from the publisher of the software to the user of the software.

Answer 313

B. Policy Policies are high level documents that communicate the mandatory goals and objectives of company management. Standards are also mandatory but are not quite as high level as policy. Guidelines provide recommendations of how to implement a standard. Procedures are usually step by step instruction of how to perform an operation. A baseline is one that has the minimum levels of control or configuration that needs to be implemented.

Answer 314

B. evaluate security engineering practices and organizational management processes. The evaluation of security engineering practices and organizational management processes are provided as guidelines and prescribed in the Systems Security Engineering Capability Maturity Model (SSE-CMM). The SSE-CMM is an internationally recognized standard that is published as ISO 21827.

Answer 315

B. Sherwood Applied Business Security Architecture (SABSA) SABSA is a proven framework and methodology for Enterprise Security Architecture and Service Management. SABSA ensures that the needs of your enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure.

Answer 316

B. Intellectual Property protection All of the other answers are considerations for the software acquirer (purchaser)

Answer 317

C. Asset Value x Exposure Factor Single Loss Expectancy is the expected loss of a single disaster. It is computed as the product of asset value and the exposure factor. SLE = Asset Value x Exposure Factor.

Answer 318

C. Mitigation The implementation of IPSec at the network layer helps to mitigate threats to the confidentiality of transmitted data.

Answer 319

D. FIPS 201 Personal Identity Verification (PIV) of Federal Employees and Contractors is published as FIPS 201 and it prescribes some guidelines for biometric authentication.

Answer 320

D. PCI DSS The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Answer 321

C. Advanced Encryption Standard (FIPS 197) The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher than can encrypt (encipher) and decrypt (decipher) information. Encryption coverts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintest. The AES algorithm is capable of using cryptographic keys of 128, 192, 256 bits to encrypt and decrypt data in blocks of 128 bits.

Answer 322

C. Open Web Application Security Project (OWASP) The Open Web Application Security Project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

Answer 323

C. Anonymization Anonymization is the process of removing private information from the data. Anonymization techniques such as replacement, suppression, generalization and perturbation are useful to assure data privacy. It is important that you are familiar with these techniques. Sanitation has to do with inputs and outputs as a defensive control and includes techniques such as escaping and encoding. Degaussing and Formatting are information and media sanitization techniques and they are not selective of what they remove/dispose.

Answer 324

B. Goals and objectives of the organization. When determining software security requirements, it is imperative to address the goals and objectives of the organization. Management’s goals and objectives need to be incorporated into the organizational security policies. While external auditor, internal quality requirements and technology are factors that need consideration, compliance with organizational policies must be the foremost consideration.

Answer 325

A. Directory information Information that is public is also known as directory information. The name ‘directory’ information comes from the fact that such information can be found in a public directory like a phone book, etc. When information is classified as public information, confidentiality assurance protection mechanisms are not necessary.

Answer 326

C. availability requirements Destruction is the threat against availability as disclosure is the threat against confidentiality and alternation being the threat against integrity.

Answer 327

D. Recovery Time Objective (RTO) Maximum Tolerable Downtime (MTD) is the maximum length of time a business process can be interrupted or unavailable without causing the business itself to fail. Recover Time Objective (RTO) is the time period in which the organization should have the interrupted process running again, at or near the same capacity and conditions as before the disaster/downtime. MTD and RTO are part of availability requirements. It is advisable to set the RTO to be lesser than the MTD.

Answer 328

A. biometric authentication Forms authentication has to do with usernames and passwords that are input into a for (like a web page/form). Basic authentication transmits credential s in a Base64 encoded form while digest authentication provides the credentials as a hash value (also known as a message digest). Token based authentication uses credentials in the form of specialized tokens which is often used with a token device. Biometric authentication uses physical characteristics to provide the credential information.

Answer 329

B. Authentication When two factors are used to validate an entity’s claim and/or credentials, it is referred to as two-factor authentication and when more than two factors are used for authentication purposes, it is referred to as multi-factor authentication. It is important to determine first, if there exists a need for two- or multi-factor authentication.

Answer 330

B. Discretionary Access Control (DAC) Discretionary access control (DAC) is defined as “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.” The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. DAC restricts access to objects based on the identity of the subject and is distinctly characterized by the owner of the resource deciding who has access and their level of privileges or rights.

Answer 331

C. accountability requirements Accountability requirements are those that assist in building a historical record of user actions. Audit trails can help detect when an unauthorized user makes a change or an authorized user makes an unauthorized change, both of which are cases of integrity violations. Auditing requirements not only help with forensic investigations as a detective control but can also be used for troubleshooting errors and exceptions, if the actions of the software are tracked appropriately. When auditing is combined with identification, it provides for accountability.

Answer 332

A. Improper session management Easily guessable and non-random session identifiers can be hijacked and replayed if not managed appropriately and this can lead to MITM attacks.

Answer 333

B. policy decomposition The process of eliciting concrete software security requirements from high level regulatory and organizational directives and mandates is referred to as policy decomposition. When the policy decomposition process completes, all the gleaned requirements must be measurable components.

Answer 334

A. engage the customer IT is there for the business and not the other way around. The first step when determining protection needs is to engage the customer followed by modeling the information and identifying least privilege scenarios. Once an application profile is developed, then we can undertake threat modeling and analysis to determine the risk levels which can be communicated to the business to prioritize the risk.

Answer 335

D. identifying privileged code sections Identifying privileged code sections is part of threat modeling and not part of a RTM

Answer 336

D. Input validation Parity bit checking is primarily used for error detection but it can be used for assuring the integrity of transferred files and messages.

Answer 337

B. Use case modeling A use case models the intended behavior of the software or system. In other words, the use case describes behavior the system owner intended. This behavior describes the sequence of actions and events that are to be taken to address a business need. Use case modeling and diagramming is very useful for specifying requirements. It can be effective in reducing ambiguous and incompletely articulated business requirements by explicitly specifying exactly when and under what conditions certain behavior occurs. Use case modeling is meant to model only the most significant system behavior and not all of it and so should not be considered a substitute for requirements specification documentation.

Answer 338

A. Race conditions Misuse cases, also known as abuse cases help identify security requirements by modeling negative scenarios. A negative scenario is an unintended behavior of the system, one that the system owner does not want to occur within the context of the use case. Misuse cases provide insight into the threats that can occur against the system or software. It provides the hostile users point of view and is an inverse of the use case. Misuse case modeling is similar to the use case modeling, except that in misuse case modeling, misactors and unintended scenarios or behavior are modeled. Misuse cases may be intentional or accidental. One of the most distinctive traits of misuse cases is that they can be used to elicit security requirements unlike other requirements determination methods that focus on end-user functional requirements.

Answer 339

B. Information Lifecycle Management Data classification is the conscious effort to assign a level of sensitivity to data assets, based on potential impact upon disclosure, alteration or destruction. The results of the classification exercise can then be used to categorize the data elements into appropriate buckets. Data classification is part of information lifecycle management.

Answer 340

B. Environment When determining requirements it is important to elicit requirements that are tied to the environment in which the data will be marshaled or processed. Viewstate corruption issues in web farm settings where all the servers were not configured identically or lack of card holder data encryption in public networks have been observed when the environmental requirements were not identified or taken into account.

Answer 341

A. Service Level Agreements (SLA) SLAs should contain the levels of service expected fro the software to provide and this becomes crucial when the software is not developed in-house.

Answer 342

B. Resiliency Software is said to be reliable when it is functioning as expected to. Resiliency is the measure of the software’s ability to withstand an attack. When the software is breach, its ability to restore itself back to normal operations is known as the recoverability of the software. Redundancy has to do with high availability.

Answer 343

A. Availability Improper coding constructs such as infinite loops and improper memory management can lead to denial of service and resource exhaustion issues, which impacted availability.

Answer 344

C. Service Level Agreements (SLA) SLAs should contain the levels of service expected for the software to provide and this becomes crucial when the software is not developed in house.

Answer 345

C. confidentiality requirements Destruction is the threat against availability as disclosure is the threat against confidentiality and alteration being the threat against integrity.

Answer 346

B. Integrity Destruction is the threat against availability as disclosure is the threat against confidentiality and alteration being the threat against integrity.

Answer 347

B. Steganography Encryption and Hashing are overt mechanisms to assure confidentiality. Masking is an obfuscating mechanism to assure confidential. Steganography which is hiding information within other media is a cover mechanisms to assure confidentiality. Steganography is more commonly referred to as invisible ink writing and is the art of camouflaging or hidden writing, where the information is hidden and the existence of the message itself is concealed. Steganography is primarily useful for covert communications and is useful and prevalent in military espionage communications.

Answer 348

D. Watermarking Digital watermarking is the process of embedding information into a digital signal. These signals can be audio, video, or pictures.

Answer 349

B. Integrity Parity bit checking is useful in the detection of errors or changes made to data when it is transmitted. A common usage of parity bit checking is to do a Cyclic Redundancy Check (CRC) for data integrity as well, especially for messages longer than one bye (8bits) long. Upon data transmission, each block of data is given a computed CRC value, commonly referred to as a checksum. If there is an alteration between the origin of data and its destination, the checksum sent at the origin will not match with the one that is computed at the destination. Corrupted media (CDs, DVDs) and incomplete downloads of software yield CRC errors.

Answer 350

D. Identifying privileged code sections. Identifying privileged code sections is part of threat modeling and not part of a RTM.

Answer 351

B. Design Although it is imperative to visit the threat model during the development, testing and deployment phase of the software development lifecycle (SDLC), the threat modeling exercise should commence in the design phase of the SDLC.

Answer 352

C. Public Key Infrastructure (PKI) PKI makes it possible to securely exchange data by hiding or keeping secret a private key on one system while distributing the public key to the other systems participating in the exchange.

Answer 353

D. Non-repudiation Nonrepudiation and proof of origin (authenticity) is provided by the certificate authority (CA) attaching its digital signature, encrypted with the private key of the sender, to the communication that is to be authenticated, and this attests the authenticity of both the document and the sender.

Answer 354

C. hashing An important use for hashes is storing passwords. The actual password should never be stored in the database. Using hashing functions, you can store the hash value of the user password and use that value to authenticate the user. Because hashes are one-way (not reversible), they offer a heightened level of confidentiality assurance.

Answer 355

D. separation of duties Separation of duties or sometimes it is referred to as separation of privilege is the principle that it is better to assign tasks to several specific individuals so that no one user has total control over the task themselves. It is closely related to the principle of least privilege which is the ideas that minimum amount of privilege is granted for the minimum (shortest) amount of tie to individuals with a need to know.

Answer 356

B. simplify user authentication. The design principle of economy of mechanism states that one must keep the design as simple and small as possible. This well known principle deserves emphasis for protection mechanisms because design and implementation errors that result in unwanted access paths will not be noticed during normal use. As a result, techniques such as line-by-line inspection of software that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential. SSO support this principle by simplifying the authentication process.

Answer 357

C. Auditing All stored procedures could be updated to incorporate auditing logic; however a better solution is to use database triggers. You can use triggers to monitor actions performed on the database tables and automatically log auditing information.

Answer 358

D. entry points During threat modeling, the application is dissected into its functional components. The development team analyzes the components at every entry point and traces data flow through all functionality to identify security weaknesses.

Answer 359

A. Spoofing Although it may seem that a MITM attack is an expression of the threat of repudiation, and it very well could be, it is PRIMARILY a spoofing threat. In a spoofing attack, an attacker impersonates a different person and pretends to be a legitimate user of the system. Spoofing attack is mitigated through authentication so that adversaries cannot be come any other user or assume the attributes of another user. When undertaking a threat modeling exercise, it is important to list all possible threats, regardless of whether they have been mitigated so that you can later generate test cases where necessary. If the threat is not documented, there is a high likelihood that the software will not be tested for those threats. Using a categorized list of threats (such as STRIDE which is Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) is useful to list all possible threats.

Answer 360

B. Network Although software security has specific implications on layer 7, the application of the OSI stack, the security at the other levels of the OSI stack is also important and should be leveraged to provide defense in depth. The seven layers of the OSI stack are Physical (layer 1), Data Link (layer 2), Network (layer 3), Transport (layer 4), Session (layer 5), Presentation (layer 6), and Application (layer 7). SSL and IPSec can be used to assure confidentiality for data in motion. SSL operates at the Transport Layer (layer 4) and IPSec operate at the Network Layer (layer3).

Answer 361

A. interoperability. A distinctive characteristic of SOA is that the business logic is abstracted into discoverable and reusable contract based interfaces to promote interoperability between heterogeneous computing ecosystem.

Answer 362

D. Physical Side channel attacks use unconventional means to compromise the security of the system and in most cases require physical access to the device or system. Therefore, to mitigate side channel attacks, physical protection can be used.

Answer 363

C. Rich Internet Application (RIA) RIAs require Internet Protocol (IP) connectivity to the backend server. Browser sandboxing is recommended since the client is also susceptible to attack now, but it is not a requirement. The workload is shared between the client and the server and the user experience and control is increased in RIA architecture.

Answer 364

B. Identification Trusted Platform Module (TPM) is the name assigned to a chip that can store cryptographic keys, passwords, or certificates. It can be sued to protect mobile devices besdies personal computers. It is also used to provice identity information for authentication purposes in mobile computing. It also assures secure startup and integrity. The TPM can be used to generate values used with whole disk encryption such as the Windows Vista’s BitLocker.

Answer 365

B. Inference An inference attack is one in which the attacker combines information that is available in the database with a suitable analysis to glean information that is presumably hidden or not as evident. This means that individual data elements when viewed collectively can reveal confidential information. It is therefore, possible to have public elements in a database reveal private information by inference. The first thing to ensure is that the database administrator does not have direct access to the data in the database and that the administrator’s access of the database is mediated by a program the application) and audited. In situations, where direct database access is necessary, it is important to ensure that the database design is not susceptible to inference attacks. Inference attacks can be mitigated by polyinstantiation.

Answer 366

C. views Views provide a number of benefits with regard to security. They abstract the source of the data being presnted, keeping the internal structure of the source of the database hdden from the user. Furthermore, views can be created on a subset of columns in a table. This capability can allow users granular access to specific data elements. Views can also be used to limit access to specific rows of data as well.

Answer 367

B. security management interfaces Security management Interfaces (SMI) are administrative interfaces for your application which have the highest level of privileges on the system and can do tasks such as: Users provisioning – adding/deleting/enabling user accounts Granting rights to different user roles. System restart Changing system security settings Accessing audit trails, user credentials, exception logs Although SMIs are often not explicitly stated in the requirements, and subsequently not threat modeled, strong controls such as least privilege and access controls must be designed and built in when developing SMI because the compromise of a SMI can be devasting, ranging from complete compromise, installing backdoors, to disclosure, alteration and destruction (DAD) attacks on audit logs, user credentials, exception logs, etc. SMI need not be deployed always with the default accounts that is set by the software publisher, although it is often observed to be.

Answer 368

B. Security Assert Markup Language (SAML) Federation technology is usually built on a centralized identity management architecture leveraging industry standard identity standard identity management protocols such as SAML, WS Federation (WS-*) or Liberty Alliance. Of the three major protocols familier associated with federation, SAML seems to be recognized as the de facto standard for enterprise to enterprise federation. SAML works in cross domain settings while Kerberos tokens are useful only within a single domain.

Answer 369

B. transport layer security The syslog network protocol has become a de facto standard for logging program and server information over the Internet. Many routers, switches and remote access devices will transmit system messages, and there are syslog servers available for Windows and UNIX operating systems. TLS protection mechanisms such as SSL wrappers are needed to protect syslog data in transmit as they are transmitted in the clear. SSL wrappers like stunnel provide transparent SSL functionality.

Answer 370

D. Digital Rights Management (DRM) Digital Rights Management (DRM) solutions give copyright owners control over access and sue of the copyright protected material. When users want to access or sue digital copyrighted material, they can do so on the terms of the copyright owner.

Answer 371

D. Rootkit Rootkits are known to compromise the operating system ring protection mechanisms and masquerade as a legitimate operating system taking siege of it.

Answer 372

D. Loose Coupling Since REST is a client/server model in which the requests and responses are built around transition state of resources, it promotes loose coupling between the client and server.

Answer 373

C. Bytecode Verifier Bytecode verifier is the most important component of the JVM from a type consistency viewpoint. The Bytecode Verifier checks to see if the .class files are in the Class file format and double checks to ensure that there aer no malicious instructions in the code that would compromise the rules of type safety in Java.

Answer 374

D. Unauthorized access Although the nefarious use of APIs, shared technologies issues that can be abused and unauthorized access of data and software hosted in the cloud, the primary security concern is related to data disclosure, which includes leakage and/or loss.

Answer 375

B. Ransomware Ransomware that locks screens on mobile devices is on the rise and predominantly observed in mobile apps that don’t implement sufficient protection controls.

Answer 376

A. they were not initially implemented with security in mind Most SCADA systems were not originally designed with security in mind. Basic protection mechanisms like authentication and authorization to these systems is weak, if at all present.

Answer 377

C. solve business problems IT and software development teams function to provide solutions to the business Manual and inefficient business processes can be automated and made efficient using software programs.

Answer 378

C. linking Linking is the process of combining the necessary functions, variables, dependent files and libraries required for the machine to run the program. The output that results from the linking process is the executable program or machine code/file the machine can understand and process. In short, linked object code is the executable. Link editors that combine object codes are known as linkers. Upon completion of the compilation process, the compiler invokes the linker to perform its function. There are two types of linking: static linking and dynamic linking.

Answer 379

B. type safety Code is said to be type safe if it only accesses memory resources that do not belong to the memory assigned to it. Type safety verification takes place during the Just In Time (JIT) compilation phase and prevents unsafe code from becoming active. Although you can disable type safety verification, it can lead to unpredictable results. The best example is that code can make unrestricted calls to unmanaged code, and if that code has malicious intent, the results can be severe. Therefore, the framework only allows fully trusted assemblies to bypass verification. Type safety is a form of “sandboxing”. Type safety must be one of the most important considerations in regards to security when selecting a programming language.

Answer 380

D. low level language A programming language in which there is little to no abstraction from the native instruction codes that the computer can understand is also referred to as low-level language. There is no abstraction from native instruction codes in machine language. Assembly languages are the lowest level in the software chain, which makes it incredibly suitable for reversing. It is therefore important to have an understanding of low-level programming languages to understand how an attacker will attempt to circumvent the security of the application at its lowest level

Answer 381

D. Man-in-the-Middle (MITM) As a defense against a Main-in-the-middle (MITM) attack, authentication and session management needs to be in place. Multifactor authentication provides greater defense than single actor authentication and is recommended. Session identifiers that are generated should be unpredictable, random and non-guessable.

Answer 382

B. session management Internet application means that the ability to manage identities as would be possible in an intranet application is not easy or in some cases infeasible. Internet applications also use stateless protocols such as HTTP or HTTPS and this requires the management of user sessions.

Answer 383

C. Cross-Site Request Forgery (CSRF) In addition to assuring that the requestor is a human, CAPTCHA’s are useful mitigating CSRF attacks. Since CFR is dependent on a pre-authenticated token to be in place, using CAPTCHA as the anti-CSRF token is an effective way of dealing with the inherent XSS problems regarding anti-SCRF tokens a long as the CAPTHA image itself is not guessable, predictabl or reserved to the attacker.

Answer 384

D. advanced encryption standard (AES) Advanced encryption standard (FIPS197) is published as the Rijndael cipher Software should be designed in such a way that you should be able to replace one cryptographic algorithm with a stronger one, when needed without much rework and recoding. This is referred to as cryptographic agility

Answer 385

C. secure sockets layer (SSL) SSL provides disclosure protection, and protection against session hijacking and replay at the transport layer (layer 4) while IPSec provides confidentiality and integrity assurance operating in the network layer (layer 3). DRM provides some degree of disclosure (primarily IP) protection and operates in the presentation layer (layer 6), and data loss prevention (DLP) technologies prevent the inadvertent disclosure of data to unauthorized individuals, predominantly who are external to the organization.

Answer 386

D. information disclosure Information disclosure is primarily a design issue and therefore is a language independent problem, although with accidental leakage, many newer high level languages can worsen the problem by providing verbose error messages that might be helpful to attack in their information gathering (reconnaissance) efforts. It must be recognized that there is a tricky balance between providing the user with the helpful information about errors and preventing attackers from learning about the internal details and architecture of the software. From a security standpoint, it is advisable to not disclose verbose error messages and still provide the users with a helpline to get additional support.

Answer 387

D. authentication of users Code signing can provide all of the following. Anti-tampering protection assuring integrity of code, Authenticity (not authentication) of code origin and runtime permissions for the code to access system resources. The primary benefit of code signing is that it provides users with the identity of the software’s creator, which is particularly important for mobile code i.e., that is downloaded from a remote location over the internet.

Answer 388

D. timing Poorly designed and implement systems are expected to be insecure, but most well designed and implemented systems also have subtle gaps between their abstract models and their physical realization due to the existence of side channels. A side channel is a potential source of information flow from a physical system to an adversary, beyond what is available via the conventional (abstract) model. These range from subtle observation of timing, electromagnetic radiations, power usage, analog signals, acoustic emanations, etc. the use of non-conventional and specialized techniques long with physical access to the target system to discover information is characteristic of side channel attacks. The analysis of delayed error messages between successful and unsuccessful query is a form of timing side channel attack.

Answer 389

B. type safe code Code is said to be type safe if it only accesses memory resources that do not belong to the memory assigned to it. Type safety verification takes place during the Just In time (JIT) compilation phase and prevents unsafe code from becoming active although you can disable type safety verification, it can lead to unpredictable results. The best example is that code has malicious intent the results can be severe. Therefore, the framework only allows fully trusted assemblies to bypass verification. Type safety is a form of ‘sandboxing’. Type safety must be one of the most important considerations in regards to security when selecting a programming language and phasing out older generation programming languages.

Answer 390

B. declarative syntax security Declarative syntax address the ‘what’ part of an action whereas imperative syntax tries to deal with the ‘how’ part when security requests are made in the form of attributes (in the metadata of the code), it is referred to as declarative security. It does not precisely define the steps as to how the security will be realized. When security requests are made through programing logic within a function or method body, it is referred to as imperative security. Declarative security is an ‘all or nothin’ kind of implementation while imperative security offers greater levels of granularity and control, because the security requests runs as line of code intermixed with the application code.

Answer 391

D. imperative security When security requests are made in the form of attributes, it is referred to as declarative security. It does not precisely define the steps as to how the security will be realized. Declarative syntax actions can be evaluated without running the code because attributes are stored as part of an assembly’s metadata while the imperative security actions are stored as Intermediary Language (IL). This means that imperative security actions can be evaluated only when the code is running. Declarative security actions are checks before a method is invoked and are placed at the class level being applicable to all methods in that class, unlike imperative security. Declarative security is an ‘all or nothing’ kind of implementation, while imperative security offers greater levels of granularity and control, because the security requests runs as lines of code intermixed with the application code.

Answer 392

C. locality of reference Computer processors tend to access memory in a very patterned way. For example, in the absence of branching, if memory location X is accessed at time t, there is a high probability that memory location X+1 will also be accessed in the near future. This kind of clustering of memory references into groups is referred to as locality of reference the basic forms of locality of reference are temporal (based on time), spatial (based on address space), branch conditional and equidistant(somewhere between spatial and branch using simple linear functions that look for equidistant locations of memory to predict which location will be accessed in the near future). While this is good from a performance vantage point, it can lead to an attacker predicting memory address spaces and causing memory corruption and buffer overflow.

Answer 393

A. are references to memory locations of destroyed objects. A dangling pointer, also known as a stray pointer, occurs when a pointer points to an invalid memory address. This is often observed when memory management is left to the developer. Dangling pointers are usually created in one of two ways: an object is destroyed (freed) but the reference to the object is not reassigned and is late used or a local object is popped from the stack when the function returns but a reference to the stack allocated object is still maintained. Attackers write exploit code to take control of dangling pointers so that they can move the pointer to where their arbitrary shell code is injected.

Answer 394

C. address space layout randomization (ASLR) In the past, the memory manager would try to load binaries at the same location in the linear address space each time the program was urn. This behavior made it easier for shell coders by ensuring that certain modules of code wuld always reside at a fixed address and could b referenced in exploit code using raw numeric literals. The address space layout randomization (ASLR) is a feature in newer operating systems (introduced in Windows Vista) which deals with this predictable and direct referencing issue. ASLR make the binary load in random address space each time the program is run.

Answer 395

B. obfuscated code Reverse engineering is used to infer how a progam works by inspecting it. Code obfuscation which makes the readability of code extremely difficult and confusing, can be used to deter reverse (not prevent) engineering attacks. Obfuscating code is not detective or corrective in its implementation.

Answer 396

A. version control The ability to track ownership, changes in code and rollback abilities is possible because of versioning which is a configuration management process. Release management of software should include proper source code control and management of software should include proper source code control and versioning. A phenomenon known as ‘regenerative bugs’ is often observed when it comes to improper release management processes. Regenerative bugs are fixed software detects that reappear in subsequent releases of the software. This happens when the software coding defect (bug) is detected in the testing environment (such as user acceptance testing) and the fix is made in that test environment and promoted to production without retrofitting it into the development environment. The latest version in the developmnet environment does not have the fix and the issue reappears in subsequent versions of the software.

Answer 397

D. errors and vulnerabilities can be detected earlier in the life cycle. The one thing that is common in all software is source code and this source code needs to be reviewed from a security perspective to ensure that security vulnerabilities are detected and addressed before the software is released into the production environment or to customers code review is the process of systematically analyzing the code for insecure and inefficient coding issues in addition to static analysis, which reviews code before it goes live, there are also dynamic analysis tools which conduct automated scans of applications in production to unearth vulnerabilities in other words, dynamic tools test from the outside in, which static tools test from the inside out. Just because the code compiles without any errors, it does not necessarily mean that is will run without errors at runtime. Dynamic tests are useful to get a quick assessment of the security of th4e applications. It comes in handy when source code is not available for review as well.

Answer 398

D. masking of data when it is displayed. Masking does not use any overt cryptography operations such as encryption, decryption, or hashing or covert operations such as data hiding as in the case of steganography to provide disclosure protection.

Answer 399

B. tokenization Tokenization is the process of replacing sensitive data with unique identification symbols that still retain the needed information about the data, without compromising its security.

Answer 400

A. sandboxing Sandboxing is an example of the principle of least privilege running code in a sandbox (or jail) restricts the access that the code has on other system resources.

Answer 401

B. recoverability When the software performs as it is expected to, it is aid to be reliable. When errors occur, the reliability of software is impacted and the software needs to be able to restore itself to expected operations the ability of the software to be restored to normal expected operations is referred to as recoverability. The ability of the software to withstand attacks against its reliability sis referred to as resiliency. Redundancy is about availability and reconnaissance is related to information gathering as in fingerprinting/footprinting.

Answer 402

B. agile Unit testing enables collective code ownership. Collective code ownership encourages everyone to contribute new ideas to all segments of the project. Any developer can change any line of code to add functionality fix bugs or re-factor. No one person becomes a bottleneck for changes. The way this works is for each developer that work in concert (usually more in agile methodologies than the traditional model) create unit tests for his/her code as it is developed. All code that is released into the source code repository includes unit tests code that is added bugs as they are fixed and old functionality as it is changed will be covered by automated testing.

Answer 403

C. leveraging existing components Test harnesses promote the principle of leveraging existing components as it can be reused by multiple projects, once it is set up.

Answer 404

A. logic IF-THEN rules are constructs of logic and when thes constructs are used for software testing it is generally referred to as logic testing.

Answer 405

A. stress Tests that assure that the service level requirements are met is characteristic of performance testing. Load and stress testing are types of performance tests while stress testing is testing by starving the software load testing is done by subjecting the software to extreme volumes or load.

Answer 406

B. stress The goal of stress testing is to determine if the software will continue to operate reliably under duress or extreme conditions often the resources that the software needs is taken away from the software and the software’s behavior observed as part of the stress test.

Answer 407

A. source code analyzers White box testing or structural analysis is about testing the software with prior knowledge of the code and configuration. Source code review is a type of white box testing. Embedded code issues such as Trojan horses, logic bombs etc. that are implanted by insiders can be detected using source code analyzers.

Answer 408

B. black box In black box or behavioral testing, test conditions are developed on the basis of the program’s or system’s functionality; that is the tester requires information about the input data and observed output, but does not know how the program or system works The tester focuses on testing the program’s behavior (or functionality) against the specification. With black box testing the tester views the program as a black box an is completely unconcerned with the internal structure of the program or system. White box testing is also referred to as clear box or glass box testing. Gray box testing is a software testing technique that uses a combination of black box and white box testing

Answer 409

A. rules of engagement. Penetration testing must be controlled and not ad hoc in nature with properly defined rules of engagement.

Answer 410

C. non-repudiation When session management is in place it provides for authentication and when authentication is combined with auditing capabilities it provides nonrepudiation i.e., the authenticated user cannot claim broken sessions and intercepted authentication and deny their user actions due to the audit logs recording their actions

Answer 411

B. lack of reverse engineering protection Disassemblers, debuggers and decompilers are utilities that can be used for reverse engineering software and software tester should have these utilities in their list of tools to validate protection against reversing.

Answer 412

C. expected results Knowledge of the expected results along with the defect information can be sued to determine the variance between what the result need to be and what is deficient.

Answer 413

B. cloaking Detection of web server versions is usually done by analyzing HTTP responses. This process is known as banner grabbing. But administrator can change the information that gets reported and this process is known as cloaking. Banner cloaking is a security through obscurity approach to protect against version enumeration.

Answer 414

B. variations of data structures that are known The process of sending random data to test security of an application is referred to as ‘fuzzing’ or ‘fuzz testing’. There are two levels of fuzzing: dumb fuzzing and smart fuzzing. Sending truly random data, known as dumb fuzzing, often doesn’t yield great results and has the potential of bringing the software down, causing a Denial of Service (DoS). If the code being fuzzed required data to be in a certain format but the fuzzer does not create data in that format, most of the fuzzed data will be rejected by the application. The more knowledge the fuzzer has of the data format, the more intelligent it can be at creating data. These more intelligent fuzzers are known as smart fuzzers.

Answer 415

C. confidentiality integrity and availability are not adversely impacted. As part of security testing, the principle of failsafe must be assured. This means confidentiality, integrity and availability are not adversely impacted when the software fails. As part of general software testing, the recoverability of the software i.e., restoration of the software to normal operation functionality is an important consideration, but it need not always be an automated process.

Answer 416

B. stress Race conditions and resource exhaustion issues are more likely to be identified when the software is starved of the resources that it expects as is done during stress testing.

Answer 417

C. the presence and effectiveness of risk mitigation controls. Security testing must include both external (blackhat) and insider threat analysis and it should be more than just testing for the ability to circumvent access control mechanisms. The resiliency of software is the ability of the software to be able to withstand attacks. The presence and effective of risk mitigate controls increase the resiliency of the software.

Answer 418

C. resiliency. Resiliency of software is defined as the ability of the software to withstand attacker attempts

Answer 419

C. unit In order for unit testing to be thorough, the unit/module and the environment for the execution of the module need to be complete. The necessary environment includes the modules that either call or are called by the unit of code being tested. Stubs and drivers are designed to provide the complete environment for a module so that unit testing can be carried out. A stub procedure is a dummy procedure that has the same input/output (I/O) parameters as the given procedure. A driver module should have the code to call the different functions of the module under test with appropriate parameter values for testing. In layman’s terms, the driver module is akin to the caller and the stub module can be seen as the callee.

Answer 420

C. performance Assurance that the software meets the expectations of the business as defined in the service level agreements (SLA) can be demonstrated by performance testing. One the importance of the performance of an application is know, it is necessary to understand how various factors affect the performance. Security features can have an impact on performance and this must be checked to ensure that service level requirements can be met.

Answer 421

B. detect the presence of loopholes and weaknesses in the software. A vulnerability is a weakness (or loophole) and vulnerability scans are sued to detect the presence of weaknesses in software.

Answer 422

B. synthetic Synthetic transactions refer to transactions that serve no business value. Querying order information of a ‘dummy’ customer is an example of a synthetic transaction. They are not necessarily useless.

Answer 423

D. subsetting The defining of subset criteria to export only certain kinds of information from the production environment to the test environment is also known as subsetting.

Answer 424

C. black box testing Since third party vendor software is often received in object code form, access to source is usually not provided and structural analysis (white box) or source code analysis is not possible. Also looking into the source code or source-code look alike by reverse engineering without explicit permission can have legal ramifications. Additionally, without documentation on the architecture and software makeup, a threat modeling exercise would most likely be incomplete. License validation is primarily used for curtailing piracy and is a component of verification and validation mechanisms. Black security of third party vendor software.

Answer 425

B. assess the presence and effectiveness of protection mechanisms. To maintain the confidentiality, integrity and availability of software and the data it processes, prior to the acceptance of software, vendor claims of security must be assessed not only for their presence but also their effectiveness within your computing ecosystem.

Answer 426

A. verification Verification is defined as the process of evaluating software to determine whether the products of a given development phase satisfies the conditions imposed at the start of the phase. In other words, verification ensures that the software performs as required and designed to. Validation is the process of evaluating software during or at the end of the development process to determine whether it satisfies specified requirements. In other words validation ensures that the software meets required specifications.

Answer 427

B. reliability Verification ensures that the software performs as required and designed to which is a measure of the software’s reliability.

Answer 428

C. Common Criteria The common criteria (ISO 15408) is a security product evaluation methodology with clearly defined ratings, such as Evaluation Assurance Levels (EALs). In addition to assurance validation, the common criteria also validates software functionality for the security target. EALs rating assure the owner of the assurance capability of the software/system and so the common criteria is also referred to as an owner assurance model.

Answer 429

D. user acceptance testing The end users of the business have the final say on whether the software can be deployed or not. User acceptance testing (UAT) is used to determine the readiness of the software for deployment to the production environment or release to an external customer.

Answer 430

D. accreditation While certification is the assessment of the technical and nontechnical security controls of the software, accreditation is a management activity that assures that the software has adequate levels of software assurance protection mechanisms.

Answer 431

B. Accept the risk with a documented exception When there are known vulnerabilities in legacy software and there is not much you can do to mitigate the vulnerabilities, it is recommended that the business accepts the risk with a documented exception to the security policy. When accepting this risk, the exception to policy process must ensure that there is a contingency plan in place to address the risk by either replacing the software with a new version or discontinuing its use (risk avoidance). Transferring the risk may not be a viable option for legacy software that is already in your production environment and one must never ignore the risk or take the vulnerable software out of the scope of an external audit.

Answer 432

B. business owner Risk must always be accepted formally by the business owner.

Answer 433

B. incompatible environment configurations. When the production environment does not mirror the development or test environments, software that works fine in non-production environments are observed to experience issues when it is deployed into the production environment this stresses the need for simulation testing.

Answer 434

D. collected manually A good security metric is expressed quantitatively and is contextually accurate. Irrespective of how many times the metrics is collected, the results are not significantly variant. Good metrics are usually collected in an automated manner so that the collector’s subjectivity does not come into effect.

Answer 435

A. hardening Locking down the software by reducing the attack surface of the software by removing unneeded code and documentation is referred to as software hardening. Before hardening the software, it is crucially important to harden the operating system of the host on which the software program will be run.

Answer 436

C. continuous monitoring Operations security is about staying secure by keeping the resiliency levels of the software above the acceptable risk levels. It is the assurance the software will continue to function as expected in a reliable fashion for the business, without compromising its state of security by monitoring, managing and applying the needed controls to protect resources (assets).

Answer 437

D. detective Audit logging is a type of detective control. When the users are made aware that their activities are logged, audit logging could function as a deterrent control, but it is primarily used for detective purposes. Audit logs can be used to control, but it is primarily used for detective purposes. Audit logs can be sued to build the sequence o historical events and give insight into who (subject such as user/process) did what (action), where (object) and when (timestamp).

Answer 438

B. provide an increased level of defense than the original requirement. PCI DSS prescribes that the compensating control that is used must provide a similar level, not increased level of defense as the original requirement.

Answer 439

B. release management It is extremely important that versioning, backups, check-in and check-out practices are all managed as part of the release management process

Answer 440

C. logic bombs Logic Bombs can be planted by an insider and when the internal network is not monitored, the likelihood of these are much higher.

Answer 441

D. auditing IDS and auditing are both detective types of controls which can be used to continuously monitor the security health of the computing environment.

Answer 442

B. research the validity of the alert or event further. Upon the report of a breach, it is important to go into a triaging phase in which the validity and severity of the alert/event is investigated further. This reduces the number of false positives that are reported to management

Answer 443

D. informing the development team that there should be no injection flaws in the payroll application. Using security metrics over Fear, Uncertainty and Doubt (FUD) is the best recommendation to champion security objectives within the software development organization.

Answer 444

B. audits Periodic audits (both internal and external) can be used to assess the overall state of security health of the organization.

Answer 445

B. normalization To normalize logs means that duplicate and redundant information is removed from the logs after the time is synchronized for each log set and the logs are parsed to deduce patterns that are identified in the correlation phase.

Answer 446

D. recovery The incident response process involves preparation, detection, analysis, containment, eradication and recovery. The goal of incident management is the restore (recover) service to normal business operations.

Answer 447

D. identifying and eliminating the root cause of the problem. The goal of problem management is to identify and eliminate the root cause of the problem. All of the other definitions are related to incident management. The goal of incident management is to restore service while the goal of problem management is to improve service.

Answer 448

C. patching Patching is the process of applying updates and hot fixes. Porting is the process of adapting software so that an executable program can be created for a computing environment that is different from the one for which it was originally designed (e.g. different processor architecture, Operating System or third party software library)

Answer 449

D. root cause analysis Ishikawa diagrams or fish bone diagrams are used to identify the cause and effect of a problem and are used commonly to determine the root cause of the problem.

Answer 450

C. backward compatibility. Regression testing of patches are crucial to ensure that there were no newer side effects and that all previous functionality as expected were still available.

Answer 451

A. end-of-life End-of-Life (EOL) policies are used for disposing code configuration and documents based on organizational and regulatory requirements.

Answer 452

D. avoidance When software with known vulnerabilities is replaced with a secure version, it is an example of avoiding the risk. It is not transference, as the new version may not have the same risks. It is not mitigation since no controls are implemented to address the risk of the old software. It is not acceptance, since the risk of the software is replaced with the risk of the newer version. It is not ignorance, because the risk is not left unhandled.

Answer 453

B. dumpster divers Dumpster divers are threat agents that can steal information from printed media (printer ribbons, facsimiles transmission and printed paper).

Answer 454

B. sandbox Preventing malicious file execution attacks takes some careful planning during the architectural and design phases of the SDLC, through thorough testing. In general, a well-written application will not use user-supplied input or any filename for any server-based resource (such as images, XML and XSL transform documents, or script inclusions), and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server. However, many legacy applications continue to have a need to accept user supplied input and files without the adequate levels of validation built in. When this is the case, it is advisable to separate the production environment and upload the files to a sandbox environment before the files can be processed.

Answer 455

B. before and after the code is implemented In order to understand if there is an improvement in the resiliency of the software code, the RASQ (which attempts to quantify the number and kinds of vectors available to an attacker) needs to be computed before and after code development is completed and the code is frozen.

Answer 456

D. proper change control management Proper change control management is useful to provide separation of duties as it can prevent direct access to backend databases by developers.

Answer 457

C. incident response plan An Incident Response Plan (IRP) must be developed and tested for completeness as it is the document that one should refer to and follow in the event of a security breach. The effectiveness of an IRP is dependent on the awareness of users on how to respond to an incident and increased awareness can be achieved by proper education and training.

Answer 458

C. incidences of malicious code and logic found in acquired software Although there is an increase in the offshoring and outsourcing activities, complete cessation of software development activities within a company is not usually the case. Increases in foreign trade agreements have opened up markets, but this is not the primary driver for the increased need for security in the software supply chain. Software developed within a company is likely to be more trusted than ones developed outside the purview of a company’s control. An observable increase of malicious code and logic implanted in software that is acquired has made the need for security in the supply chain no longer optional.

Answer 459

A. contracting After the planning, and before the development phase of the acquisition life cycle is the sourcing of suppliers, evaluating their responses and issuance of a contract award to the winning supplier.

Answer 460

C. authorization The three goals of software supply chain includes conformance, trustworthiness and authenticity.

Answer 461

B. insecure code transfer Counterfeit and pirated software are product threats. Subornation is a people threat. Transferring code without appropriate security controls is indicative of a breakdown in the process and is deemed a process threat.

Answer 462

B. location agnostic protection End-to-end encryption and cryptographic agility are concepts that are tied to cryptography to assure protection against unauthorized disclosure. Locality of reference is a memory management concept. Location agnostic protection, means that the security of the software is not dependent on where (location) it is developed, but instead, it is dependent on the maturity of the software development practices. This Is the one concept that is related to the software supply chain.

Answer 463

B. security track record While all of the option choices need to be evaluated, the supplier’s past performance (track record) can be used to determine if he supplier is capable of providing timely updates and hotfixes.

Answer 464

A. Key Performance Indicators (KPI) RASQ is computed to determine the attackability of software. MTD is a business continuity and disaster recovery concept. RTMs are used to trace deviations from expected functionality. When KPIs are evaluated and managed, they can provide insight into the effectiveness and efficiencies of the supply chain processes as it pertains to assuring trust and software security.

Answer 465

D. Assurance Plan An assurance plan addresses the development and maintenance of an assurance case for software and the assurance case contains the required security requirements and the evidence needed to prove that the supplier meets the assurance needs of the acquirer.

Answer 466

A. contracts-based protection is mutual Unlike disclaimer-based protection, wherein there exists only a one-sided notification of terms, contracts require that both parties engaged in the transaction mutually agree to abide by any terms of the agreement contracts are legally binding.

Answer 467

B. copyright Patents protect an idea while copyrights protect the expression of an idea software programs, database models and images on a website are expressions of an idea trade secrets ensures that the company has a competitive advantage and is not disclosed while trademarks are disclosed to uniquely identify a manufacturer.

Answer 468

D. copyrights Peer-to-peer torrent’s unauthorized sharing of copyrighted information such as a software or music files constitutes copyright violations.

Answer 469

B. non-disclosure agreements (NDA) Non-disclosure agreements assure confidentiality of sensitive information such as software program processing logic, database schema and internal organizational business processes and client lists.

Answer 470

C. ransomware In some situations the source code of COTS may be escrowed and released under a free software or open source license when the original developer (supplier) no longer continues to develop that software or if stipulated fundraising conditions are met this model is referred to as the ransom model of software publishing and the software is known a ransomware.

Answer 471

B. denial of service If the validity period set in software is not properly implemented then legitimate users can be potentially denied service. It is therefore imperative to ensure that the duration and checking mechanism of validity periods is properly implemented.

Answer 472

C. validity periods Software functionality can be restricted using validity period as is often observed in the ‘try-before you-buy’ or ‘demo’ versions of software. It is recommended to have a stripped down version of he software for the demo version and if feasible it is advisable to include the legal team to determine the duration of the validity period (especially in the context of digital signatures and Public Key Infrastructure solutions).

Answer 473

A. before delivery (handover) Prior to the delivery of the software, the supplier must provide the acquirer with all the applicable export compliance requirements.

Answer 474

C. the attacker can look into the source code to determine its exploitability. Some open source software are supported and maintained by very well established companies and communities and they don’t necessarily have to be purchased as components alone and integrated some open source software offer entire enterprise solutions which don’t require a piece-meal approach. Open source software is modifiable and while insight into how the software is architected can be viewed by the acquirer, an attacker also has the advantage of looking into the software and writing tailored exploits against it.

Answer 475

D. code review Threat modeling primarily addresses the design aspects of software and fuzzing and penetration testing usually deals with the software after it deployed, the integrity of the code can be determined using code review.

Answer 476

C. logic flaws Logic flaws or semantic issues are design related and can be detected using threat modeling. Backdoors, logic bombs and Trojan horses are code or syntactic issues are primarily detected using a code review process. When acquirer software from a supplier, it is imperative that a code review process is in place to detect malicious code that arises from the presence of backdoors, logic bomb and Trojan horses implanted in the code.

Answer 477

D. open design Developers should only have access to the version of code necessary to complete their responsibilities for only the time period that they need to complete their operation. In other works, least privilege must be enforced on a need-to-know basis. Source code control systems (or code repositories) can provide such granular levels of access control. Identity management with auditing in place can provide accountability and so any code changes that are made and checked back into the code repositories must be traceable and identifiable to individuals who are making the change this reduces the likelihood of malicious code implanted into the code.

Answer 478

B. tampering If the integrity of the build process is questionable, and the build tools and environment not protected then the confidence of pristine untampered code is not assured and all efforts previously undertaken to protect the assurance of the software can be nullified.

Answer 479

B. binary code scanners Source code and byte code scanners detect the presence of vulnerabilities in source or byte code form of code while binary code scanners have to disassemble the object code form while analyzing, executables for vulnerabilities. Compliance validators primarily use an interview format to detect non-compliance.

Answer 480

B. code signing Code signing is the process of encrypting the hash value of software with the publisher’s (or suppliers) private key. This creates a unique digital signature which can be used to attest the genuineness of the software encryption alone cannot provide such pedigree attestation. Code review and code scanning are primarily detective in nature and are used to detect the presence of vulnerabilities in the software and not proof of origin or authenticity.

Answer 481

A. chain of custody As software code or components move from supplier to supplier in a software supply chain, it is extremely important to make sure that the chain of custody is controlled, until the software reaches the final user or acquirer of the software, so that unauthorized tampering of the software is mitigated.

Answer 482

B. transference Code escrows can be regarded as a form of risk transference by insurance, because it insures the licensee continued business operations, should the licensor be no longer alive (in case of a sole proprietorship), go out of business, or file for bankruptcy (in case of a Corporation).

Answer 483

B. integration Integration testing s useful to test the interfaces and interdependencies between components that are integrated in an SoS to reveal single points of failure or weak links that can render the entire SoS exploitable.

Answer 484

C. termination access control Once software is handed over from one supplier to another or to the acquirer, only the receiving part’s personnel should be allowed to access and/or modify the software code components and configuration.

Answer 485

B. Corporate brand and reputation When security is incorporated into the software development life cycle, confidentiality, integrity, and availability can be assured and external hacker and insider threat attempts thwarted. Developers will generate more hack-resilient software with fewer vulnerabilities, but protection of the organization’s reputation and corporate brand is the primary reason for software assurance.

Answer 486

B. Integrity When the software program operates as expected, it is said to be reliable or internally consistent. Reliability is an indicator of the integrity of software. Hack-resilient software are reliable (functioning as expected), resilient (able to withstand attacks), and recoverable (capable of being restored to normal operations when breached or upon error).

Answer 487

A. Software issues can cause downtime to the business. One of the tenets of software assurance is “availability.” Software issues can cause software unavailability and downtime to the business. This is often observed as a denial of service (DoS) attack.

Answer 488

C. Availability Confidentiality controls assure protection against unauthorized disclosure. Integrity controls assure protection against unauthorized modifications or alterations. Availability controls assure protection against downtime/denial of service and destruction of information. Authentication is the mechanism to validate the claims/credentials of an entity. Authorization covers the subject’s rights and privileges upon requested objects.

Answer 489

A. Ownership-based authentication Authentication can be achieved in one or more of the following ways: using something one knows (knowledge-based), something one has (ownership-based), and something one is (characteristic-based). Using a token device is ownership-based authentication. When more than one way is used for authentication purposes, it is referred to as multifactor authentication, and this is recommended over single-factor authentication.

Answer 490

B. Defense in-depth Having more than one way of authentication provides for a layered defense, which is the premise of the defense in depth security design principle.

Answer 491

D. Preventing a user from performing some unauthorized operations Audit log information can be a detective control (providing evidentiary information) and a deterrent control when the users know that they are being audited, but it cannot prevent any unauthorized actions. When the software logs user actions, it also provides nonrepudiation capabilities because the user cannot deny their actions.

Answer 492

B. Session management An Internet application means that the ability to manage identities as would be possible in an Intranet application is not easy and, in some cases, infeasible. Internet applications also use stateless protocols, such as HTTP or HTTPS, and this requires the management of user sessions.

Answer 493

A. Clipping level The predetermined number of acceptable user errors before recording the error as a potential security incident is referred to as the clipping level. For example, if the number of allowed failed login attempts before the account is locked out is three, then the clipping level for authentication attempts is three.

Answer 494

C. Fail safe The failsafe principle prescribes that access decisions must be based on permission rather than exclusion. This means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, which is a safe situation since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure that may go unnoticed in normal use. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation.

Answer 495

C. Transference When an “as is” disclaimer clause is used, the risk is transferred from the publisher of the software to the user of the software.

Answer 496

B. Policy Policies are high-level documents that communicate the mandatory goals and objectives of company management. Standards are also mandatory, but not quite at the same high level as policy. Guidelines provide recommendations on how to implement a standard. Procedures are usually step-by-step instructions of how to perform an operation. A baseline has the minimum levels of controls or configurations that need to be implemented.

Answer 497

B. Evaluate security engineering practices and organizational management processes The evaluation of security engineering practices and organizational management processes are provided as guidelines and prescribed in the Systems Security Engineering Capability Maturity Model (SSE-CMM®). The SSE-CMM is an internationally recognized standard that is published as ISO 21827.

Answer 498

B. Sherwood Applied Business Security Architecture (SABSA) SABSA is a proven framework and methodology for Enterprise Security Architecture and Service Management. SABSA ensures that the needs of your enterprise are met completely and that security services are designed, delivered, and supported as an integral part of your business and IT management infrastructure.

Answer 499

A. Not allowing the process to write above its security level The Biba integrity model prevents unauthorized modification. It states that the maintenance of integrity requires that data not flow from a receptacle of a given integrity to a receptacle of higher integrity. If a process can write above its security level, trustworthy data could be contaminated by the addition of less trustworthy data.

Answer 500

D. Rootkit Rootkits are known to compromise the operating system ring protection mechanisms and masquerade as a legitimate operating system taking control of it.

Answer 501

B. Intellectual property protection All of the other options are considerations for the software acquirer (purchaser).

Answer 502

C. Asset value × exposure factor Single loss expectancy is the expected loss of a single disaster. It is computed as the product of asset value and the exposure factor. SLE = asset value ⨯ exposure factor.

Answer 503

C. Mitigation The implementation of IPSec at the network layer helps to mitigate threats to the confidentiality of transmitted data.

Answer 504

D. FIPS 201 Personal identity verification (PIV) of federal employees and contractors is published as FIPS 201, and it prescribes some guidelines for biometric authentication.

Answer 505

D. PCI DSS The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Answer 506

C. Advanced Encryption Standard (FIPS 197) The advanced encryption standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into their original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.

Answer 507

C. Open Web Application Security Project (OWASP) The Open Web Application Security Project (OWASP) Top Ten provides a powerful awareness document for Web application security. The OWASP Top Ten represents a broad consensus about what the most critical Web application security flaws are.

Answer 508

B. Goals and objectives of the organization When determining software security requirements, it is imperative to address the goals and objectives of the organization. Management’s goals and objectives need to be incorporated into the organizational security policies. While external auditor, internal quality requirements, and technology are factors that need consideration, compliance with organizational policies must be the foremost consideration.

Answer 509

A. Directory information Information that is public is also known as directory information. The name “directory” information comes from the fact that such information can be found in a public directory, such as a phone book. When information is classified as public information, confidentiality assurance protection mechanisms are not necessary.

Answer 510

C. Availability requirements Destruction is the threat against availability, as disclosure is the threat against confidentiality, and alteration is the threat against integrity.

Answer 511

D. Recovery time objective (RTO) The maximum tolerable downtime (MTD) is the maximum length of time a business process can be interrupted or unavailable without causing the business itself to fail. The recovery time objective (RTO) is the time period in which the organization should have the interrupted process running again at or near the same capacity and conditions as before the disaster/downtime. MTD and RTO are part of availability requirements. It is advisable to set the RTO to be less than the MTD.

Answer 512

A. Biometric authentication Forms authentication has to do with usernames and passwords that are input into a form (e.g., a Web page/form). Basic authentication transmits the credentials in Base64 encoded form, while digest authentication provides the credentials as a hash value (also known as a message digest). Token-based authentication uses credentials in the form of specialized tokens and is often used with a token device. Biometric authentication uses physical characteristics to provide the credential information.

Answer 513

B. Authentication When two factors are used to validate an entity’s claim and/or credentials, it is referred to as two-factor authentication, and when more than two factors are used for authentication purposes, it is referred to as multifactor authentication. It is important to determine first whether if there exists a need for two- or multifactor authentication.

Answer 514

B. Discretionary access control (DAC) Discretionary access control (DAC) is defined as “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.” The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. DAC restricts access to objects based on the identity of the subject and is distinctly characterized by the decision of the owner of the resource regarding who has access and their level of privileges or rights.

Answer 515

C. Auditing requirements Auditing requirements are those that assist in building a historical record of user actions. Audit trails can help detect when an unauthorized user makes a change or an authorized user makes an unauthorized change, both of which are cases of integrity violations. Auditing requirements not only help with forensic investigations as a detective control, but can also be used for troubleshooting errors and exceptions, if the actions of the software are tracked appropriately.

Answer 516

A. Improper session management Easily guessable and nonrandom session identifiers can be hijacked and replayed if not managed appropriately, and this can lead to MITM attacks.

Answer 517

B. Policy decomposition The process of eliciting concrete software security requirements from high-level regulatory and organizational directives and mandates is referred to as policy decomposition. When the policy decomposition process completes, all the gleaned requirements must be measurable components.

Answer 518

A. Engage the customer IT is there for the business and not the other way around. The first step when determining protection needs is to engage the customer, followed by modeling the information and identifying least privilege scenarios. Once an application profile is developed, we can undertake threat modeling and analysis to determine the risk levels, which can be communicated to the business to prioritize the risk.

Answer 519

D. Identifying privileged code sections Identifying privileged code sections is part of threat modeling and not part of an RTM.

Answer 520

D. Input validation Parity bit checking is primarily used for error detection, but it can be used for assuring the integrity of transferred files and messages.

Answer 521

B. Use case modeling A use case models the intended behavior of the software or system. In other words, the use case describes behavior that the system owner intended. This behavior describes the sequence of actions and events that are to be taken to address a business need. Use case modeling and diagramming are very useful for specifying requirements. It can be effective in reducing ambiguous and incompletely articulated business requirements by explicitly specifying exactly when and under what conditions certain behaviors occur. Use case modeling is meant to model only the most significant system behavior, not all, and so it should not be considered a substitute for requirements specification documentation.

Answer 522

A. Race conditions Misuse cases, also known as abuse cases, help identify security requirements by modeling negative scenarios. A negative scenario is an unintended behavior of the system, one that the system owner does not want to have occur within the context of the use case. Misuse cases provide insight into the threats that can occur to the system or software. It provides the hostile users’ point of view and is an inverse of the use case. Misuse case modeling is similar to the use case modeling, except that the former models misactors and unintended scenarios or behavior. Misuse cases may be intentional or accidental. One of the most distinctive traits of misuse cases is that they can be used to elicit security requirements, unlike other requirements determination methods that focus on end user functional requirements.

Answer 523

B. Information Life Cycle Management Data classification is the conscious effort to assign a level of sensitivity to data assets based on potential impact upon disclosure, alteration, or destruction. The results of the classification exercise can then be used to categorize the data elements into appropriate buckets. Data classification is part of information life cycle management.

Answer 524

B. Environment When determining requirements, it is important to elicit requirements that are tied to the environment in which the data will be marshaled or processed. Viewstate corruption issues in Web farm settings where all the servers were not configured identically or lack of card holder data encryption in public networks have been observed when the environmental requirements were not identified or taken into account.

Answer 525

A. Service level agreements (SLAs) SLAs should contain the levels of service expected for the software to provide, and this becomes crucial when the software is not developed in-house.

Answer 526

B. Resiliency Software is said to be reliable when it is functioning as expected. Resiliency is the measure of the software’s ability to withstand an attack. When the software is breached, its ability to restore itself back to normal operations is known as the recoverability of the software. Redundancy has to do with high availability.

Answer 527

A. Availability Improper coding constructs such as infinite loops and improper memory management can lead to denial of service and resource exhaustion issues, which impact availability.

Answer 528

C. Service level agreements SLAs should contain the levels of service the software is expected to provide, and this becomes crucial when the software is not developed in-house.

Answer 529

C. Confidentiality requirements Destruction is the threat against availability, as disclosure is the threat against confidentiality, and alteration is the threat against integrity.

Answer 530

B. Integrity Destruction is the threat against availability, as disclosure is the threat against confidentiality, and alteration is the threat against integrity.

Answer 531

B. Steganography Encryption and hashing are overt mechanisms to assure confidentiality. Masking is an obfuscating mechanism to assure confidentiality. Steganography is hiding information within other media as a cover mechanism to assure confidentiality. Steganography is more commonly referred to as invisible ink writing and is the art of camouflaging or hidden writing, where the information is hidden and the existence of the message itself is concealed. Steganography is primarily useful for covert communications and is prevalent in military espionage communications.

Answer 532

D. Watermarking Digital watermarking is the process of embedding information into a digital signal. These signals can be audio, video, or pictures.

Answer 533

B. Integrity Parity bit checking is useful in the detection of errors or changes made to data when they are transmitted. A common use of parity bit checking is to do a cyclic redundancy check (CRC) for data integrity as well, especially for messages longer than one byte (8 bits) long. Upon data transmission, each block of data is given a computed CRC value, commonly referred to as a checksum. If there is an alteration between the origin of data and their destination, the checksum sent at the origin will not match the one computed at the destination. Corrupted media (CDs, DVDs) and incomplete downloads of software yield CRC errors.

Answer 534

B. Design Although it is important to visit the threat model during the development, testing, and deployment phase of the software development life cycle (SDLC), the threat modeling exercise should commence in the design phase of the SDLC.

Answer 535

C. Public Key Infrastructure (PKI) PKI makes it possible to exchange data securely by hiding or keeping secret a private key on one system while distributing the public key to the other systems participating in the exchange.

Answer 536

D. Nonrepudiation Nonrepudiation and proof of origin (authenticity) are provided by the certificate authority’s (CA) attaching its digital signature, encrypted with the private key of the sender, to the communication that is to be authenticated, and this attests to the authenticity of both the document and the sender.

Answer 537

C. Hashing An important use for hashes is storing passwords. The actual password should never be stored in the database. Using hashing functions, you can store the hash value of the user password and use that value to authenticate the user. Because hashes are one-way (not reversible), they offer a heightened level of confidentiality assurance.

Answer 538

D. Separation of duties Separation of duties, or separation of privilege, is the principle that it is better to assign tasks to several specific individuals so that no one user has total control over the task. It is closely related to the principle of least privilege, the idea that a minimum amount of privilege is granted to individuals with a need to know for the minimum (shortest) amount of time.

Answer 539

B. Simplify user authentication The design principle of economy of mechanism states that one must keep the design as simple and small as possible. This well known principle deserves emphasis for protection mechanisms because design and implementation errors that result in unwanted access paths will not be noticed during normal use. As a result, techniques that implement protection mechanisms, such as line-by-line inspection of software, are necessary. For such techniques to be successful, a small and simple design is essential. SSO supports this principle by simplifying the authentication process.

Answer 540

C. Auditing All stored procedures could be updated to incorporate auditing logic, but a better solution is to use database triggers. You can use triggers to monitor actions performed on the database tables and automatically log auditing information.

Answer 541

D. Entry points During threat modeling, the application is dissected into its functional components. The development team analyzes the components at every entry point and traces data flow through all functionality to identify security weaknesses.

Answer 542

A. Spoofing Although it may seem that an MITM attack is an expression of the threat of repudiation, and it can be, it is primarily a spoofing threat. In a spoofing attack, an attacker impersonates a legitimate user of the system. A spoofing attack is mitigated through authentication so that adversaries cannot become any other user or assume the attributes of another user. When undertaking a threat modeling exercise, it is important to list all possible threats, regardless of whether they have been mitigated, so that you can later generate test cases where necessary. If the threat is not documented, there is a high likelihood that the software will not be tested for those threats. Using a categorized list of threats (such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege [STRIDE]) is useful to address all possible threats.

Answer 543

B. Network Although software security has specific implications on layer seven, the application of the OSI stack, the security at other levels of the OSI stack is also important and should be leveraged to provide defense in depth. The seven layers of the OSI stack are physical (1), data link (2), network (3), transport (4), session (5), presentation (6), and application (7). SSL and IPSec can be used to assure confidentiality for data in motion. SSL operates at the transport layer (4), and IPSec operates at the network layer (3) of the OSI model.

Answer 544

A. Interoperability A distinctive characteristic of SOA is that the business logic is abstracted into discoverable and reusable contract-based interfaces to promote interoperability between heterogeneous computing ecosystems.

Answer 545

D. Physical Side channel attacks use unconventional means to compromise the security of the system and, in most cases, require physical access to the device or system. Therefore, to mitigate side channel attacks, physical protection must be used.

Answer 546

C. Rich Internet application (RIA) RIAs require Internet protocol (IP) connectivity to the backend server. Browser sandboxing is recommended since the client is also susceptible to attack now, but it is not a requirement. The workload is shared between the client and the server, and the user’s experience and control is increased in RIA architecture.

Answer 547

B. Identification Trusted platform module (TPM) is the name assigned to a chip that can store cryptographic keys, passwords, and certificates. It can be used to protect mobile devices other than personal computers. It is also used to provide identity information for authentication purposes in mobile computing. It also assures secure startup and integrity. The TPM can be used to generate values used with whole-disk encryption, such as the Windows Vista’s BitLocker. It is developed to specifications of the Trusted Computing Group.

Answer 548

B. Inference An inference attack is one in which the attacker combines information available in the database with a suitable analysis to glean information that is presumably hidden or not as evident. This means that individual data elements when viewed collectively can reveal confidential information. It is therefore possible to have public elements in a database reveal private information by inference. The first things to ensure are that the database administrator does not have direct access to the data in the database and that the administrator’s access to the database is mediated by a program (the application) and audited. In situations where direct database access is necessary, it is important to ensure that the database design is not susceptible to inference attacks. Inference attacks can be mitigated by polyinstantiation.

Answer 549

C. Views Views provide a number of security benefits. They abstract the source of the data being presented, keeping the internal structure of the database hidden from the user. Furthermore, views can be created on a subset of columns in a table. This capability can allow users granular access to specific data elements. Views can also be used to limit access to specific rows of data.

Answer 550

B. Security management interfaces Security management interfaces (SMIs) are administrative interfaces for your application that have the highest level of privileges on the system and can do tasks such as User provisioning: adding/deleting/enabling user accounts Granting rights to different user roles System restarting Changing system security settings Accessing audit trails, user credentials, exception logs

Answer 551

B. Security Assert Markup Language (SAML) Federation technology is usually built on a centralized identity management architecture leveraging industry standard identity management protocols, such as SAML, WS Federation (WS-*), and Liberty Alliance. Of the three major protocol families associated with federation, SAML seems to be recognized as the de facto standard for enterprise-to-enterprise federation. SAML works in cross-domain settings, while Kerberos tokens are useful only within a single domain.

Answer 552

B. Transport layer security The syslog network protocol has become a de facto standard for logging programs and server information over the Internet. Many routers, switches, and remote access devices will transmit system messages, and there are syslog servers available for Windows and UNIX operating systems. TLS protection mechanisms such as SSL wrappers are needed to protect syslog data in transit as they are transmitted in the clear. SSL wrappers such as stunnel provide transparent SSL functionality.

Answer 553

D. Digital Rights Management Digital rights management (DRM) solutions give copyright owners control over access and use of copyright protected material. When users want to access or sue digital copyrighted material, they can do so on the terms of the copyright owner.

Answer 554

C. solve business problems IT and software development teams function to provide solutions to the business. Manual and inefficient business processes can be automated and made efficient using software programs.

Answer 555

C. linking Linking is the process of combining the necessary functions, variables, and dependencies files and libraries required for the machine to run the program. The output that results from the linking process is the executable program or machine code/file that the machine can understand and process. In short, linked object code is the executable. Link editors that combine object codes are known as linkers. Upon the completion of the compilation process, the compiler invokes the linker to perform its function. There are two types of linking: static linking and dynamic linking.

Answer 556

B. type safety Code is said to be type safe if it only accesses memory resources that do not belong to the memory assigned to it. Type safety verification takes place during the just in time (JIT) compilation phase and prevents unsafe code from becoming active. Although you can disable type safety verification, code can then make unrestricted calls to unmanaged code, and if that code has malicious intent, the results can be severe. Therefore, the framework only allows fully trusted assemblies to bypass verification. Type safety is a form of “sandboxing.” Type safety must be one of the most important considerations in regards to security when selecting a programming language.

Answer 557

D. Man-in-the-Middle (MITM) As a defense against man-in-the-middle (MITM) attacks, authentication and session management need to be in place. Multifactor authentication provides greater defense than single factor authentication and is recommended. Session identifiers that are generated should be unpredictable, random, and non-guessable.

Answer 558

C. Cross-Site Request Forgery (CSRF) In addition to assuring that the requestor is a human, CAPTCHAs are useful in mitigating CSRF attacks. Since CSRF is dependent on a preauthenticated token’s being in place, using CAPTCHA as the anti-CSRF token is an effective way of dealing with the inherent XSS problems regarding anti-CSRF tokens, as long as the CAPTCHA image itself is not guessable, predictable, or re-served to the attacker.

Answer 559

D. Advanced Encryption Standard (AES) Advanced encryption standard (FIPS 197) is published as the Rijndael cipher. Software should be designed so that you should be able to replace one cryptographic algorithm with a stronger one, when needed, without much rework or recoding. This is referred to as cryptographic agility.

Answer 560

C. Secure Sockets Layer (SSL) SSL provides disclosure protection and protection against session hijacking and replay at the transport layer (layer 4), while IPSec provides confidentiality and integrity assurance operating in the network layer (layer 3). DRM provides some degree of disclosure (primarily IP) protection and operates in the presentation layer (layer 6), and data loss prevention (DLP) technologies prevent the inadvertent disclosure of data to unauthorized individuals, predominantly those external to the organization.

Answer 561

D. information disclosure Information disclosure is primarily a design issue and therefore is a language-independent problem. There is a tricky balance between providing the user with helpful information about errors and preventing attackers from learning about the internal details and architecture of the software. From a security standpoint, it is advisable not to disclose verbose error messages and provide the users with a helpline to get additional support.

Answer 562

D. authentication of users Code signing can provide all of the following: anti-tampering protection assuring integrity of code, authenticity (not authentication) of code origin, and runtime permissions for the code to access system resources. The primary benefit of code signing is that it provides users with the identity of the software’s creator, and this is particularly important for mobile code, which is code downloaded from a remote location over the Internet.

Answer 563

D. timing A side channel is a potential source of information flow from a physical system to an adversary beyond what is available via the conventional (abstract) model. These include subtle observation of timing, electromagnetic radiations, power usage, analog signals, and acoustic emanations. The use of nonconventional and specialized techniques along with physical access to the target system to discover information is characteristic of side channel attacks. The analysis of delayed error messages between successful and unsuccessful queries is a form of timing side channel attacks.

Answer 564

B. declarative syntax security There are two types of security syntax: declarative security and imperative security. Declarative syntax addresses the “what” part of an action, whereas imperative syntax tries to deal with the “how” part. When security requests are made in the form of attributes (in the metadata of the code), it is referred to as declarative security. When security requests are made through programming logic within a function or method body, it is referred to as imperative security. Declarative security is an all-or-nothing kind of implementation, while imperative security offers greater levels of granularity and control because the security requests run as lines of code intermixed with the application code.

Answer 565

D. imperative security When security requests are made in the form of attributes, it is referred to as declarative security. It does not precisely define the steps as to how the security will be realized. Declarative syntax actions can be evaluated without running the code because attributes are stored as part of an assembly’s metadata, while the imperative security actions are stored as intermediary language (IL). This means that imperative security actions can be evaluated only when the code is running. Declarative security actions are checks before a method is invoked and are placed at the class level, being applicable to all methods in that class, unlike imperative security. Declarative security is an all-or-nothing kind of implementation, while imperative security offers greater levels of granularity and control, because the security requests run as lines of code intermixed with the application code.

Answer 566

C. locality of reference Computer processors tend to access memory in a very patterned way. The basic forms of locality of reference are temporal (based on time), spatial (based on address space), (branch conditional), and equidistant (somewhere between spatial and branch using simple linear functions that look for equidistant locations of memory to predict which location will be accessed in the near future). While this is good from a performance vantage point, it can lead to an attacker’s predicting memory address spaces and causing memory corruption and buffer overflow.

Answer 567

A. are references to memory locations of destroyed objects A dangling pointer, aka stray pointer, occurs when a pointer points to an invalid memory address. Dangling pointers are usually created in one of two ways. An object is destroyed (freed), but the reference to the object is not reassigned and is later used. Or a local object is popped from the stack when the function returns, but a reference to the stack-allocated object is still maintained. Attackers write exploit code to take control of dangling pointers so that they can move the pointer to where their arbitrary shell code is injected.

Answer 568

C. Address Space Layout Randomization (ASLR) In the past, the memory manager would try to load binaries at the same location in the linear address space each time the program was run. This behavior made it easier for shell coders by ensuring that certain modules of code would always reside at a fixed address and could be referenced in exploit code using raw numeric literals. Address space layout randomization (ASLR) is a feature in newer operating systems (introduced in Windows Vista) that deals with this predictable and direct referencing issue.

Answer 569

B. obfuscated code Reverse engineering is used to infer how a program works by inspecting it. Code obfuscation, which makes the readability of code extremely difficult and confusing, can be used to deter (not prevent) reverse engineering attacks. Obfuscating code is not detective or corrective in its implementation.

Answer 570

A. version control The ability to track ownership, changes in code, and rollback abilities is possible because of versioning, which is a configuration management process. A phenomenon known as “regenerative bugs” is often observed when it comes to improper release management processes. Regenerative bugs are fixed software defects that reappear in subsequent releases of the software. This happens when the software coding defect (bug) is detected in the testing environment (such as user acceptance testing), and the fix is made in that test environment and promoted to production without retrofitting it into the development environment. The latest version in the development environment does not have the fix, and the issue reappears in subsequent versions of the software.

Answer 571

D. errors and vulnerabilities can be detected earlier in the life cycle Code review is the process of systematically analyzing the code for insecure and inefficient coding issues. In addition to static analysis, which reviews code before it goes live, there are also dynamic analysis tools, which conduct automated scans of applications in production to unearth vulnerabilities. In other words, dynamic tools test from the outside in, while static tools test from the inside out. Just because the code compiles without any errors, it does not necessarily mean that it will run without errors at runtime.

Answer 572

D. masking of data when they are displayed Masking does not use any overt cryptography operations, such as encryption, decryption, or hashing, or covert operations, such as data hiding, as in the case of steganography, to provide disclosure protection.

Answer 573

D. Low-Level Language A programming language in which there is little to no abstraction from the native instruction codes that the computer can understand is also referred to as low-level language. There is no abstraction from native instruction codes in machine language. Assembly languages are the lowest level in the software chain, which makes them incredibly suitable for reversing.

Answer 574

B. Recoverability When the software performs as it is expected to, it is said to be reliable. When errors occur, the reliability of software is impacted, and the software needs to be able to restore itself to expected operations. The ability of the software to be restored to normal, expected operations is referred to as recoverability. The ability of the software to withstand attacks against its reliability is referred to as resiliency. Redundancy is about availability, and reconnaissance is related to information gathering, as in fingerprinting/footprinting.

Answer 575

B. Agile Unit testing enables collective code ownership. Collective code ownership encourages everyone to contribute new ideas to all segments of the project. Any developer can change any line of code to add functionality, fix bugs, or re-factor. No one person becomes a bottleneck for changes. The way this works is for each developer to work in concert (usually more in agile methodologies than the traditional model) to create unit tests for his code as it is developed. All code released into the source code repository includes unit tests. Code that is added, bugs as they are fixed, and old functionality as it is changed will be covered by automated testing.

Answer 576

A. Logic If-then rules are constructs of logic, and when these constructs are used for software testing, it is generally referred to as logic testing.

Answer 577

A. Stress Tests that assure that the service level requirements are met are characteristic of performance testing. Load and stress testing are types of performance tests. While stress testing is testing by starving the software, load testing is done by subjecting the software to extreme volumes or loads.

Answer 578

B. Stress The goal of stress testing is to determine if the software will continue to operate reliably under duress or extreme conditions. Often the resources that the software needs are taken away from the software, and the software’s behavior is observed as part of the stress test.

Answer 579

A. Source code analyzers White box testing, or structural analysis, is about testing the software with prior knowledge of the code and configuration. Source code review is a type of white box testing. Embedded code issues that are implanted by insiders, such as Trojan horses and logic bombs, can be detected using source code analyzers.

Answer 580

B. Black box In black box or behavioral testing, test conditions are developed on the basis of the program’s or system’s functionality; that is, the tester requires information about the input data and observed output, but does not know how the program or system works. The tester focuses on testing the program’s behavior (or functionality) against the specification. With black box testing, the tester views the program as a black box and is completely unconcerned with the internal structure of the program or system.

Answer 581

A. Rules of engagement Penetration testing must be controlled, not ad hoc in nature, with properly defined rules of engagement.

Answer 582

C. Nonrepudiation When session management is in place, it provides for authentication, and when authentication is combined with auditing capabilities, it provides nonrepudiation. In other words, the authenticated user cannot claim broken sessions or intercepted authentication and deny their user actions due to the audit logs’ recording their actions.

Answer 583

B. Lack of reverse engineering protection Disassemblers, debuggers, and decompilers are utilities that can be used for reverse engineering software, and software testers should have these utilities in their list of tools to validate protection against reversing.

Answer 584

C. Expected results Knowledge of the expected results along with the defect information can be used to determine the variance between what the results need to be and what is deficient.

Answer 585

B. Cloaking Detection of Web server versions is usually done by analyzing HTTP responses. This process is known as banner grabbing. But the administrator can change the information that gets reported, and this process is known as cloaking. Banner cloaking is a security through obscurity approach to protect against version enumeration.

Answer 586

B. Variations of data structures that are known The process of sending random data to test security of an application is referred to as “fuzzing” or “fuzz testing.” There are two levels of fuzzing: dumb fuzzing and smart fuzzing. Sending truly random data, known as dumb fuzzing, often does not yield great results and has the potential of bringing the software down, causing a denial of service (DoS). If the code being fuzzed requires data to be in a certain format but the fuzzer does not create data in that format, most of the fuzzed data will be rejected by the application. The more knowledge the fuzzer has of the data format, the more intelligent it can be at creating data. These more intelligent fuzzers are known as smart fuzzers.

Answer 587

C. Confidentiality, integrity, and availability are not adversely impacted As part of security testing, the principle of failsafe must be assured. This means that confidentiality, integrity, and availability are not adversely impacted when the software fails. As part of general software testing, the recoverability of the software, or restoration of the software to normal operational functionality, is an important consideration, but it need not always be an automated process.

Answer 588

B. Stress Race conditions and resource exhaustion issues are more likely to be identified when the software is starved of the resources that it expects, as is done during stress testing.

Answer 589

C. The presence and effectiveness of risk mitigation controls Security testing must include both external (blackhat) and insider threat analysis, and it should be more than just testing for the ability to circumvent access control mechanisms. The resiliency of software is the ability of the software to be able to withstand attacks. The presence and effectiveness of risk mitigation controls increase the resiliency of the software.

Answer 590

C. Resiliency Resiliency of software is defined as the ability of the software to withstand attacker attempts.

Answer 591

C. Unit In order for unit testing to be thorough, the unit/module and the environment for the execution of the module need to be complete. The necessary environment includes the modules that either call or are called by the unit of code being tested. Stubs and drivers are designed to provide the complete environment for a module so that unit testing can be carried out. A stub procedure is a dummy procedure that has the same input/output (I/O) parameters as the given procedure. A driver module should have the code to call the different functions of the module being tested with appropriate parameter values for testing.

Answer 592

C. Performance Assurance that the software meets the expectations of the business as defined in the service level agreements (SLAs) can be demonstrated by performance testing. Once the importance of the performance of an application is known, it is necessary to understand how various factors affect the performance. Security features can have an impact on performance, and this must be checked to ensure that service level requirements can be met.

Answer 593

B. Detect the presence of loopholes and weaknesses in the software A vulnerability is a weakness (or loophole), and vulnerability scans are used to detect the presence of weaknesses in software.

Answer 594

C. Black box testing Third party vendor software is often received in object code form, access to source code is usually not provided, and structural analysis (white box) or source code analysis is not possible. Looking into the source code or source code look-alike by reverse engineering without explicit permission can have legal ramifications. Additionally, without documentation on the architecture and software makeup, a threat modeling exercise would most likely be incomplete. License validation is primarily used for curtailing piracy and is a component of verification and validation mechanisms. Black box testing or behavioral analysis would be the best option to attest the security of third party vendor software.

Answer 595

B. Canonicalization issues The process of canonicalization resolves multiple forms into standard canonical forms. In software that needs to support multilingual, multicultural capabilities such as Unicode, input filtration can be bypassed by a hacker who sends in data in an alternate form from the standard form. Input validation for alternate forms is therefore necessary.

Answer 596

B. Assess the presence and effectiveness of protection mechanisms To maintain the confidentiality, integrity, and availability of software and the data it processes, prior to the acceptance of software, vendor claims of security must be assessed not only for their presence, but also their effectiveness within your computing ecosystem.

Answer 597

C. Validity periods Software functionality can be restricted using a validity period as is often observed in the “try-before-you-buy” or “demo” versions of software. It is recommended to have a stripped down version of the software for the demo version, and if feasible, it is advisable to include the legal team to determine the duration of the validity period.

Answer 598

D. Transference Since there is an independent third party engaged in an escrow agreement, business continuity is assured for the acquirer when the escrow agency maintains a copy of the source/object code from the publisher. For the publisher, it protects the intellectual property since the source code is not handed to the acquirer directly, but to the independent third escrow party. For both the acquirer and the publishers, some risk is transferred to the escrow party, who is responsible for maintaining the terms of the escrow agreement.

Answer 599

B. Nondisclosure agreements (NDA) Nondisclosure agreements assure confidentiality of sensitive information, such as software programs, processing logic, database schema, and internal organizational business processes and client lists.

Answer 600

B. End users Disclaimers, or “as is” clauses, transfer the risk from the software provider to the end user.

Answer 601

B. Denial of service If the validity period set in the software is not properly implemented, then legitimate users can potentially be denied service. It is therefore imperative to ensure that the duration and checking mechanism of validity periods is properly implemented.

Answer 602

A. Verification Verification is defined as the process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of the phase. In other words, verification ensures that the software performs as it is required and designed to do. Validation is the process of evaluating software during or at the end of the development process to determine whether it satisfies specified requirements. In other words, validation ensures that the software meets required specifications.

Answer 603

B. Reliability Verification ensures that the software performs as it is required and designed to do, which is a measure of the software’s reliability.

Answer 604

C. Common criteria Common criteria (ISO 15408) are a security product evaluation methodology with clearly defined ratings, such as evaluation assurance levels (EALs). In addition to assurance validation, the common criteria also validate software functionality for the security target. EALs ratings assure the owner of the assurance capability of the software/system, so common criteria are also referred to as an owner assurance model.

Answer 605

D. User acceptance testing The end users of the business have the final say on whether the software can be deployed/released. User acceptance testing (UAT) determines the readiness of the software for deployment to the production environment or release to an external customer.

Answer 606

D. Accreditation While certification is the assessment of the technical and nontechnical security controls of the software, accreditation is a management activity that assures that the software has adequate levels of software assurance protection mechanisms.

Answer 607

B. Accept the risk with a documented exception When there are known vulnerabilities in legacy software and there is not much you can do to mitigate the vulnerabilities, it is recommended that the business accept the risk with a documented exception to the security policy. When accepting this risk, the exception to policy process must ensure that there is a contingency plan in place to address the risk by either replacing the software with a new version or discontinuing its use (risk avoidance). Transferring the risk may not be a viable option for legacy software that is already in your production environment, and one must never ignore the risk or take the vulnerable software out of the scope of an external audit.

Answer 608

B. Business owner Risk must always be accepted formally by the business owner.

Answer 609

B. Incompatible environment configurations When the production environment does not mirror the development or test environments, software that works fine in nonproduction environments are observed to experience issues when deployed in the production environment. This underlines the need for simulation testing.

Answer 610

D. Collected manually A good security metric is expressed quantitatively and is contextually accurate. Regardless of how many times the metrics are collected, the results are not significantly variant. Good metrics are usually collected in an automated manner so that the collector’s subjectivity does not come into effect.

Answer 611

A. Hardening Locking down the software by removing unneeded code and documentation to reduce the attack surface of the software is referred to as software hardening. Before hardening the software, it is crucial to harden the operating system of the host on which the software program will be run.

Answer 612

C. Continuous monitoring Operations security is about staying secure or keeping the resiliency levels of the software above the acceptable risk levels. It is the assurance that the software will continue to function as expected in a reliable fashion for the business without compromising its state of security by monitoring, managing, and applying the needed controls to protect resources (assets).

Answer 613

D. Detective Audit logging is a type of detective control. When the users are made aware that their activities are logged, audit logging could function as a deterrent control, but it is primarily used for detective purposes. Audit logs can be used to build the sequence of historical events and give insight into who (subject such as user/process) did what (action), where (object), and when (timestamp).

Answer 614

B. Provide a higher level of defense than the original requirement PCI DSS prescribes that the compensating control must provide a similar level, not an increased level of defense over the original requirement.

Answer 615

C. Logic bombs Logic bombs can be planted by an insider, and when the internal network is not monitored, the likelihood of this is much higher.

Answer 616

D. Auditing IDS and auditing are both detective types of controls that can be used to monitor the security health of the computing environment continuously.

Answer 617

B. Research the validity of the alert or event further Upon the report of a breach, it is important to go into a triaging phase in which the validity and severity of the alert/event is investigated further. This reduces the number of false positives that are reported to management.

Answer 618

D. Informing the development team that there should be no injection flaws in the payroll application Using security metrics over fear, uncertainty, and doubt (FUD) is the best recommendation to champion security objectives within the software development organization.

Answer 619

B. Audits Periodic audits (both internal and external) can be used to assess the overall state of the organization’s security health.

Answer 620

B. Normalization Normalizing logs means that duplicate and redundant information is removed from the logs after the time is synchronized for each log set, and the logs are parsed to deduce patterns that are identified in the correlation phase.

Answer 621

D. Recovery The incident response process involves preparation, detection, analysis, containment, eradication, and recovery. The goal of incident management is to restore (recover) service to normal business operations.

Answer 622

D. Identifying and eliminating the root cause of the problem The goal of problem management is to identify and eliminate the root cause of the problem. All of the other definitions are related to incident management. The goal of incident management is to restore service, while the goal of problem management is to improve service.

Answer 623

C. Patching Patching is the process of applying updates and hot fixes. Porting is the process of adapting software so that an executable program can be created for a computing environment that is different from the one for which it was originally designed (e.g., different processor architecture, operating system, or third party software library).

Answer 624

D. Root cause analysis Ishikawa diagrams or fishbone diagrams are used to identify the cause and effect of a problem and are commonly used to determine the root cause of the problem.

Answer 625

C. Backward compatibility Regression testing of patches is crucial to ensure that there were no newer side effects and that all previous functionality as expected is still available.

Answer 626

A. End-of-life End-of-life (EOL) policies are used for the disposal of code, configuration, and documents based on organizational and regulatory requirements.

Answer 627

D. Avoidance When software with known vulnerabilities is replaced with a secure version, it is an example of avoiding the risk. It is not transference because the new version may not have the same risks. It is not mitigation since no controls are implemented to address the risk of the old software. It is not acceptance since the risk of the old software is replaced with the risk of the newer version. It is not ignorance, because the risk is not left unhandled.

Answer 628

B. Dumpster divers Dumpster divers are threat agents that can steal information from printed media (e.g., printer ribbons, facsimile transmission, printed paper).

Answer 629

B. Sandbox Preventing malicious file execution attacks takes some careful planning from the architectural and design phases of the SDLC to thorough testing. In general, a well written application will not use user-supplied input in any filename for any server-based resource (such as images, XML and XSL transform documents, or script inclusions) and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server. However, many legacy applications continue to have a need to accept user-supplied input and files without the adequate levels of validation built in. When this is the case, it is advisable to separate the production environment and upload the files to a sandbox environment before the files can be processed.

Answer 630

B. Before and after the code is implemented In order to understand if there is an improvement in the resiliency of the software code, the RASQ, which attempts to quantify the number and kinds of vectors available to an attacker, needs to be computed before and after code development is completed and the code is frozen.

Answer 631

B. Type safe code Code is said to be type safe if it only accesses memory resources that do not belong to the memory assigned to it. Type safety verification takes place during the just in time (JIT) compilation phase and prevents unsafe code from becoming active. Although you can disable type safety verification, it can lead to unpredictable results. The best example is that code can make unrestricted calls to unmanaged code, and if that code has malicious intent, the results can be severe. Therefore, the framework only allows fully trusted assemblies to bypass verification. Type safety is a form of “sandboxing.” Type safety must be one of the most important considerations in regards to security when selecting a programming language and phasing out older generation programming languages.

Answer 632

D. Proper change control management Proper change control management is useful to provide separation of duties as it can prevent direct access to backend databases by developers.

Answer 633

C. Incident Response Plan An Incident Response Plan (IRP) must be developed and tested for completeness as it is the document that one should refer to and follow in the event of a security breach. The effectiveness of an IRP is dependent on the awareness of users on how to respond to an incident, and increased awareness can be achieved by proper education and training.