Domain 4: Cloud Application Security Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 65). Wiley. Flashcards

1
Q

Mikayla wants to validate a component of her software that she has downloaded from GitHub. How can she validate that the underlying software does not have security flaws when it is downloaded and included in her environment as part of her integration process?

A. Validate the checksum of the file.
B. Validate the signature of the file.
C. Validate the hash of the file.
D. Mikayla cannot ensure that there are no security flaws via the options described.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 66). Wiley. Kindle Edition.

A

D. Mikayla cannot ensure that there are no security flaws via the options described.

Explanation:
Mikayla can't validate that third-party software is free of vulnerabilities or other security issues simply by validating that it is signed, that its hash matches an officially posted hash, or that the checksum matches, ensuring the file is intact. She'll need to test the software herself or identify a third party that she can rely on to do appropriate software testing. Even then, the software could still contain flaws.

2
Q

Lin wants to allow her users to use existing credentials provided by a third-party identity provider when they access her service. What element will she have to provide from the following list?

A. User IDs
B. Authentication
C. Authorization
D. Identity proofing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 66). Wiley. Kindle Edition.

A

C. Authorization

Explanation:
Lin will need to provide authorization to use her organization's services. The third-party identity provider will supply user IDs and will authenticate them, then provide Lin with a token or validation that the user is who they claim to be. Identity proofing is not necessarily provided by either party in this scenario, which can make accepting third-party credentials challenging if verifying that someone is who they claim to be is important, rather than just allowing access to the service.

3
Q

Joanna’s software vendor does not provide source code to their clients. In the following list, what is her best option to test the security of the vendor’s software package?

A. Perform static analysis of the software.
B. Implement pair-programming techniques.
C. Review the software for hard-coded secrets.
D. Perform dynamic testing.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 66). Wiley. Kindle Edition.

A

D. Perform dynamic testing.

Explanation:
Joanna knows she can't access the source code, meaning that static analysis isn't an option and that identifying secrets may be difficult.

4
Q

What SDLC model is most frequently associated with cloud development processes?

A. Agile
B. RAD
C. Spiral
D. Waterfall

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 66). Wiley. Kindle Edition.

A

A. Agile

Explanation:
The Agile development model is most frequently associated with cloud services and development. Rapid application development, spiral, and waterfall methods are more frequently associated with traditional development environments but can be used for cloud services and systems.

5
Q

Susan wants to avoid common pitfalls in cloud application development. Which of the following pitfalls is frequently associated with cloud environments?

A. Reliability of applications built in the cloud
B. Scalability of applications built in the cloud
C. Redundancy of applications built in the cloud
D. Security of applications built in the cloud

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 66). Wiley. Kindle Edition.

A

D. Security of applications built in the cloud

Explanation:
Susan knows that cloud services will allow her to build her applications on reliable, scalable infrastructure that can leverage redundancy in multiple ways. She also knows that securing code remains a concern regardless of the environment it is built or run in.

6
Q

Susan wants to avoid issues with data integration. She is aware that the OWASP Cloud Top 10 includes service and data integration security issues, and is deploying a REST-based API for her customers to use when accessing her service. She is using API keys, but she is concerned about third parties intercepting and accessing the data. What should she include in her implementation to address this concern?

A. Data tokenization
B. Ensure encryption at rest
C. Ensure encryption in transit
D. Data masking

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 66). Wiley. Kindle Edition.

A

C. Ensure encryption in transit

Explanation:
Susan knows that encryption in transit, typically via TLS, is the right solution to prevent third parties from intercepting and accessing data that is sent to her customers via API calls. Tokenization and masking are used to protect data in applications, but they do not meet the need to prevent interception, and the data will be in transit rather than at rest in the scenario described.

7
Q

Ben wants to gather business requirements for his software development effort and is using an Agile methodology. Which of the following is not a common means of gathering user requirements in an Agile process?

A. Brainstorming
B. Documentation review
C. User observation
D. Surveys

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 67). Wiley. Kindle Edition.

A

B. Documentation review

Explanation:
Brainstorming, surveys, workshops, user observation, and many other techniques are commonly used to gather business requirements. Documentation review, however, doesn't involve user requirements or feedback.

8
Q

Encryption at rest is a protective design element included in SDLCs for cloud environments due to what common cloud design motif?

A. Rapid elasticity
B. Multitenancy
C. Measured services
D. Scalability

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 67). Wiley. Kindle Edition.

A

B. Multitenancy

Explanation:
Since multiple tenants share the same underlying infrastructure, encryption at rest provides protection against inadvertent data exposure or remnant data on reused infrastructure. Elasticity, measured services, and scalability do not require encryption at rest and may in fact result in slightly higher costs due to encryption overhead.

9
Q

Nick wants to avoid common pitfalls in his CI/CD pipeline. Which of the following is a common CI/CD pitfall that can harm cloud development efforts?

A. Automation of processes
B. Use of metrics
C. Using multiple deployment paths
D. Reliance on a version control system

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 67). Wiley. Kindle Edition.

A

C. Using multiple deployment paths

Explanation:
Having multiple deployment paths means that elements or processes in a CI/CD system can be bypassed. A single path, with an emergency process backing it up, helps to avoid this problem. Automation, use of metrics, and using version control are all recommended best practices for CI/CD.

10
Q

Maria wants to integrate her existing identity provider with her cloud provider’s services. What common standard is used for most cloud identity provider integration?

A. IDPL
B. OpenLDAP
C. SAML
D. ConnectID

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 67). Wiley. Kindle Edition.

A

C. SAML

Explanation:
Maria knows that IdPs typically integrate with either OpenID Connect or SAML. OpenLDAP is an open source implementation of LDAP, but it isn't used for this type of integration since it is a directory service. ConnectID and IDPL were made up for this question.

11
Q

Jack wants to enable his team to develop cloud-native applications. Which of the following is not a common element in a cloud-native application design?

A. Optimized assembly code
B. Automated release pipelines
C. Containers
D. Microservices

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 67). Wiley. Kindle Edition.

A

A. Optimized assembly code

Explanation:
Jack knows that languages that best fit cloud applications make the most sense and that assembly language isn't likely to fit his CI/CD environment. Automated release pipelines, containers, and microservices are all common elements in cloud application development and design.

12
Q

At which phase of the software development life cycle (SDLC) is user involvement most crucial?

A. Define
B. Design
C. Development
D. Test

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 67). Wiley. Kindle Edition.

A

A. Define

Explanation:
While some development models allow for user involvement throughout the entire process, user input is most necessary in the Define phase, where developers can understand the business/user requirements: what the system/software is actually supposed to produce, in terms of function and performance. Involvement throughout the process is helpful, but without user input in Define, the entire process won't have the right starting point.

13
Q

Brian wants to ensure that he takes the OWASP Top 10 Cloud risks into account in his development process. He knows that regulatory compliance is on the list, and he wants to include it in the SDLC. During what phase of the SDLC would it make the most sense to consider regulatory compliance?

A. Analysis and requirements definition
B. Design
C. Implementation
D. Testing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 68-69). Wiley. Kindle Edition.

A

A. Analysis and requirements definition

Explanation:
Brian needs to bring up regulatory compliance during the requirements gathering phase of the SDLC. If it isn't a requirement, it won't make it into the design and implementation. Testing for regulatory compliance can be challenging, as not all compliance can be tested for by technical means.

14
Q

The testing process that Angie is using for her organization includes access to the design specifications, source code, and running applications. What type of security testing methodology is she using?

A. White box
B. Gray box
C. Red box
D. Black box

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

A. White box

Explanation:
Angie is using a white box, or full knowledge, testing methodology. Gray box, or partial knowledge, testing provides some but not all access to an environment or system.

15
Q

The CWE/SANS Top 25 most dangerous software errors includes the use of hard-coded credentials. What common cloud service component can be used to avoid this problem for cloud-hosted software and applications?

A. An MFA token
B. A TPM
C. A KMS
D. An API key

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

C. A KMS

Explanation:
KMSs, or key management services, are used to securely store and access secrets, allowing them to be used when needed without hard-coding them. TPMs are used to store secrets for hardware devices, MFA tokens are used to securely authenticate, and API keys are used to authenticate to and access APIs, but none of them provide the functionality needed to avoid hard-coded credentials in cloud applications.

16
Q

Dana’s organization requires an SBOM for each application it deploys. What OWASP Top 10 item does an SBOM help to avoid?

A. Vulnerable and outdated components
B. Broken access control
C. Injection
D. Security misconfiguration

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

A. Vulnerable and outdated components

Explanation:
A software bill of materials (SBOM) is used to identify each component in a software package. Dana knows that having an SBOM will help her to track the versions and updates available for each component of her software stack.

17
Q

The company that Yun works for provides API access to customers. Yun wants to rate-limit API access and gather billing information while using a central authorization and access management system. What type of tool should Yun put in place to meet these requirements?

A. An API gateway
B. An API proxy
C. An API firewall
D. A next-generation API manager

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

A. An API gateway

Explanation:
API gateways are designed to aggregate API access, provide authentication for API use, rate limit, and gather statistics and data about API usage. API proxies are used to decouple software components, API firewalls are purpose-built firewalls that protect specific APIs, and next-generation API managers were made up for this question.

18
Q

What phase of the SDLC is IAST typically associated with?

A. Design
B. Testing
C. Implementation
D. Deployment

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

B. Testing

Explanation:
Interactive application security testing (IAST) uses software instrumentation to monitor applications as they run and to gather information about what occurs and how the software performs. It is normally implemented during the QA or testing phase of the SDLC.

19
Q

Gary’s cloud service provides customers with access to APIs. Which of the following is a common security flaw in APIs?

A. Use of unstructured data
B. Lack of authentication
C. Use of semi-structured data
D. Lack of encryption

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

B. Lack of authentication

Explanation:
Unsecured APIs are a common issue, and lack of authentication is a major problem. How data is provided (structured, unstructured, or semi-structured) is not a security issue. Encryption is typically not provided by the API and is instead provided by the web server or underlying service.

20
Q

Dan wants to encrypt data at rest in his cloud environment. What encryption standard should he look for when encrypting data at rest?

A. TLS
B. AES-256
C. SSL
D. Blowfish

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

B. AES-256

Explanation:
AES-256 is a commonly accepted and used standard for encryption of data at rest. TLS is used for encryption in transit. SSL is outmoded, and Blowfish has known vulnerabilities.

21
Q

Mark wants to ensure that his software vendor is using industry best practices as part of their software validation process. He knows that NIST defines a number of recommended minimums for verification of code by developers. Which of the following is not a NIST recommended minimum standard for vendor or developer verification of code?

A. Use automated testing.
B. Perform code-based (static) analysis.
C. Only check internally developed software.
D. Conduct threat modeling.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

C. Only check internally developed software.

Explanation:
Checking included software regardless of whether it was developed internally or externally is a best practice, and only checking your own components will often leave a lot of unchecked software in a package.

22
Q

Lori wants to ensure that the included software components provided by her vendor are secure. What type of process should she use to conduct an assessment of those packages?

A. A web application vulnerability scan
B. A software composition analysis
C. A vulnerability scan
D. A version number validation process

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

B. A software composition analysis

Explanation:
Lori's best option is to conduct a software composition analysis (SCA) process using an SCA tool that can identify open source libraries and other components. Vulnerability scans won't identify all of the components associated with software, and a version number validation process was made up for this question.

23
Q

Christine has documented a software testing user story that states: “As an attacker, I will upload malicious software as part of my form submission which will exploit the parsing software that reads user submissions.” What type of testing is Christine preparing for?

A. Abuse case testing
B. Static testing
C. QA testing
D. SCA testing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 69). Wiley. Kindle Edition.

A

A. Abuse case testing

Explanation:
Christine is preparing for abuse case testing, which documents abuse of software functionality. Static testing reviews source code, QA testing validates the quality of software, and SCA is software composition analysis, which looks at the underlying components of software.

24
Q

OWASP’S Application Security Verification Standard (ASVS) has three primary usage models. Which of the following is not an intended usage model based on its design objectives?

A. To be used as a metric
B. To be used for auditing
C. To be used as guidance
D. To be used during procurement

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 69-70). Wiley. Kindle Edition.

A

B. To be used for auditing

Explanation:
ASVS is intended to be used as a metric to assess the degree of trust that can be placed in web applications, to provide guidance to developers on how to build in security controls, and as part of procurement processes to specify application security validation requirements in contracts. It isn't designed as an audit standard.

25
Q

Ian wants to use a cloud-specific list of application issues. Which of the following options should he choose?

A. The OWASP Top 10
B. The NIST Dirty Dozen
C. The SANS Top 25
D. The MITRE ATT&CK-RS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 70). Wiley. Kindle Edition.

A

A. The OWASP Top 10

Explanation:
The OWASP Top 10 is a cloud-specific list, whereas the SANS Top 25 describes software errors in general. The NIST Dirty Dozen and the MITRE ATT&CK-RS were made up for this question.

26
Q

Nick wants to use a common format for his team’s software versioning. What versioning format should he use if he wants to use a common industry practice?

A. Codename.version
B. Major.build.minor.patch
C. RFC number.version.patch
D. Major.minor.patch

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 70). Wiley. Kindle Edition.

A

D. Major.minor.patch

Explanation:
Major.minor.patch is a common format for versioning. While there is no industry standard, having the version numbers in an order of scale is a common practice.

27
Q

What term is used to describe the list of all of the software components of a product?

A. Component index
B. SBOM
C. Version catalog
D. SCCM

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 70). Wiley. Kindle Edition.

A

B. SBOM

Explanation:
A software bill of materials (SBOM) is a listing of all the components of a software package or program, and it is considered increasingly important as part of a software security program.

28
Q

Valerie’s company has recently experienced successful SQL injection attacks against a third-party application they use. The vendor has not yet provided a patch for the SQL injection flaw, but Valerie needs to keep the application in production due to business requirements. What type of tool could Valerie put in place to protect against the SQL injection attacks on her web application?

A. A DAM
B. A WAF
C. An XML firewall
D. An API gateway

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 70). Wiley. Kindle Edition.

A

B. A WAF

Explanation:
Web application firewalls (WAFs) typically have built-in protection against common attacks like SQL injection. Valerie should choose a WAF to protect against both the SQL injection she's aware of and other common attacks against web applications.

29
Q

Jackie wants to allow applications to run using the libraries and other dependencies they need without having to have an independent operating system for each application. What technology should she use to allow her to easily move application packages between different operating systems?

A. Packages
B. Containers
C. Virtual machines
D. Hypervisors

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 70). Wiley. Kindle Edition.

A

B. Containers

Explanation:
Containers allow applications to be moved easily because they contain the dependencies and components the application needs without requiring a complete OS to be packaged with them. Packages are software components, and virtual machines run on hypervisors.

30
Q

Charles logs in using his organization’s credentials and is able to use that login throughout a variety of systems and applications. What technology is Charles using?

A. SAML
B. SSO
C. OpenID
D. Connect OTP

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 71). Wiley. Kindle Edition.

A

B. SSO

Explanation:
Charles is using an SSO technology to allow him to log in once and use many systems. SAML and OpenID Connect are used for federation, while an OTP is a one-time password.

31
Q

Henry wants to ensure that only authorized customers are able to use his organization's public-facing APIs. What common security technique is used for this purpose?

A. API keys
B. Single sign-on
C. API federation
D. Complex API passwords

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 71). Wiley. Kindle Edition.

A

A. API keys

Explanation:
Henry's organization should use API keys to ensure that only authorized users are able to use the APIs it exposes for customer use.

32
Q

Nancy wants to ensure that her organization does not have an issue with licensing for her software, and she knows that the vendor controls access using a licensing server that each installation checks in with. Which of the following should she pay particular attention to in order to ensure that she does not have a service interruption at some point in the future?

A. The license term
B. Whether the terms of the license can be disclosed
C. The license cost
D. Third party sub-licenses included in the contract

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 71). Wiley. Kindle Edition.

A

A. The license term

Explanation:
Nancy knows that she should keep track of the license term, or how long the license is valid for, so that the software does not disable itself when the license or contract expires. The cost, whether the terms can be disclosed, and whether third-party software is involved are less likely to be the cause of service interruptions.

33
Q

Isaac wants to ensure that his cloud service provider is using cryptographic systems that meet widely accepted standards. What U.S. government standard should he expect his provider to comply with for their cryptographic systems?

A. GDPR
B. FIPS 140-2
C. SSL
D. SHA-2

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 71). Wiley. Kindle Edition.

A

B. FIPS 140-2

Explanation:
FIPS 140-2, a Federal Information Processing Standard, defines the requirements for cryptographic systems, and it is the only currently valid cryptographic standard listed here.

34
Q

Megan wants to increase the auditability of the use of privileges in her infrastructure. Which of the following solutions will have the biggest positive impact on auditability?

A. Use shared service accounts.
B. Use multifactor authentication.
C. Use dynamic secrets.
D. Use API keys.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 71). Wiley. Kindle Edition.

A

C. Use dynamic secrets.

Explanation:
Using dynamic secrets (secrets that are generated and used as they are needed) allows for granular auditing of uses, because each secret is created as needed and thus its specific usage can be reviewed as needed. Shared accounts don't allow auditing because actions cannot be provably linked to individual users.

35
Q

In the testing phase of the software development life cycle (SDLC), software performance and ___________________ should both be reviewed.

A. Version
B. Complexity
C. Size
D. Security

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 71). Wiley. Kindle Edition.

A

D. Security

Explanation:
Testing the performance and security of software is expected in the testing phase of the SDLC. The version, complexity, and size of the code are not commonly tested elements.

36
Q

Chris wants to use a cloud provider–hosted mechanism to store and manage his organization’s secrets. What type of solution should he look for?

A. KMS
B. PKI
C. CA
D. KCS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 72). Wiley. Kindle Edition.

A

A. KMS

Explanation:
Chris should look for a key management service (KMS). KMSs allow creation, storage, management, and auditing of keys. A PKI is a public key infrastructure, and a CA is a certificate authority.

38
Q

Docker is an example of what sort of tool?

A. Microservices launcher
B. Cloud application security broker
C. A containerization platform
D. A web application firewall

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 72). Wiley. Kindle Edition.

A

C. A containerization platform

Explanation:
Docker is a containerization tool.

39
Q

Yasmine is working with a software as a service vendor. What part of the environment does Yasmine’s company have responsibility for?

A. Applications and data storage.
B. The OS, middleware, and runtime.
C. Storage and networking.
D. The vendor is responsible for the environment.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 72). Wiley. Kindle Edition.

A

D. The vendor is responsible for the environment.

Explanation:
Yasmine knows that in a SaaS environment the vendor is responsible for the applications, data storage, runtime and middleware, OS and servers, storage, and networking.
Yasmine's company will be responsible for how they operate the software, who they provide access to and what rights they provide to their users, as well as ensuring that her data is safe and secure.

40
Q

Jason wants to use multifactor authentication. Which of the following lists a valid multifactor set?

A. A username, password, and PIN
B. A username, password, and app-generated code on a phone
C. A username, voiceprint, and fingerprint
D. A username, app-generated code, and token-generated code

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 72). Wiley. Kindle Edition.

A

B. A username, password, and app-generated code on a phone

Explanation:
MFA relies on using two different types of factors: something you know, like a password or a PIN; something you have, like a hardware token or an application-generated PIN; or something you are, such as a biometric identifier. Jason knows that a password and an app-generated PIN count as using multiple factors.

41
Q

Kim wants to use version control for her software. What common tool could her organization use to perform this function?

A. Jenkins
B. Chef
C. Git
D. Puppet

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 72). Wiley. Kindle Edition.

A

C. Git

Explanation:
Git provides version management as part of its capabilities. Jenkins is a CI/CD tool used for continuous integration. Puppet and Chef are both infrastructure automation tools.

42
Q

Ramon’s organization uses Office 365 but relies on their own Active Directory credentials to log into O365. What is this type of configuration called?

A. Federated identity
B. Structured identity
C. Shared identity
D. Constrained identity

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 72-73). Wiley. Kindle Edition.

A

A. Federated identity

Explanation:
Ramon's organization is using Azure's federation capability to leverage its existing on-site credentials in the cloud. Structured, shared, and constrained identity were made up for this question.

43
Q

Gretchen wants to ensure that her organization is in compliance with their software licenses. Which of the following is the most important step for most organizations in ensuring license compliance?

A. Using only open source software
B. Tracking all software versions
C. Using only commercial software
D. Software inventory

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 73). Wiley. Kindle Edition.

A

D. Software inventory

Explanation:
Having a complete software inventory allows organizations like Gretchen's to ensure that they are aware of their software license compliance, terms and conditions, as well as their license expiration dates. While only using open source software might seem like an easy solution, there are multiple open source software licenses that have different requirements, making a software inventory necessary. Using only commercial software doesn't simplify the requirement, and software versioning is important but would be part of a complete inventory.

44
Q

Laura wants to use a threat modeling tool to assess threats in her environment. Which of the following models has been abandoned by Microsoft and replaced with a new model?

A. DREAD
B. PASTA
C. STRIDE
D. ATASM

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 73). Wiley. Kindle Edition.

A

A. DREAD

Explanation:
DREAD has been replaced with STRIDE by Microsoft.

45
Q

Aisha’s organization has deployed a cloud application security broker. Which of the following is not a typical purpose for a CASB to be deployed?

A. To control usage-based costs
B. To limit access based on service categories
C. To help limit the potential for sensitive data loss
D. To detect anomalous usage patterns

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 73). Wiley. Kindle Edition.

A

A. To control usage-based costs

Explanation:
CASBs are often used to control usage based on roles and rights, but they aren't used to monitor based on costs in the cloud service itself; instead, cost-limiting rules are often applied in the cloud services themselves. CASBs are also used to limit the potential for sensitive data loss and to detect anomalous usage patterns.

46
Q

Kathleen wants to test potentially malicious software in a secure way. What cloud application architecture concept can she apply to help her do so?

A. An IPS
B. A SIEM
C. Sandboxing
D. Antivirus

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 73). Wiley. Kindle Edition.

A

C. Sandboxing

Explanation:
Kathleen knows that sandboxing, or creating a secure and isolated environment, is commonly used for malicious software testing.

47
Q

Kieran’s team has deployed a CASB and wants to focus on data protection. Which of the following capabilities will most effectively help protect against third parties accessing data while it travels between Kieran’s on-premises location and their cloud vendors?

A. Encryption
B. Tokenization
C. Masking
D. Upload prevention

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 73). Wiley. Kindle Edition.

A

A. Encryption

Explanation:
Using the CASB to enforce encryption between an on-premises location and cloud providers will provide the most effective protection against third parties seeing the data in transit. Tokenization and masking help protect data while it is being accessed but do not prevent it from being exposed in transit.

48
Q

Selah is preparing a container to deploy her application to a cloud service provider’s containerization service. Which of the following components will not be included in the container?

A. The host kernel for the operating system
B. The libraries needed by the application
C. The configuration files for the application
D. The binaries belonging to the application

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 74). Wiley. Kindle Edition.

A

A. The host kernel for the operating system

Explanation:
Containers contain elements of the OS but share the host's kernel. They also contain libraries, configuration files, and the application files or binaries themselves.

49
Q

Olivia is preparing to generate API keys and knows that they need to have certain characteristics to be secure. Which of the following best describes an API key that will be considered secure?

A. Unique, random, and non-guessable
B. Unique, sequential, and traceable
C. Repeatable, sequential, and traceable
D. Repeatable, logged, and traceable

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 74). Wiley. Kindle Edition.

A

A. Unique, random, and non-guessable

Explanation:
API keys should be unique, random, and non-guessable to ensure that attackers cannot guess or otherwise identify them.

50
Q

Ian is using a CASB to control usage of cloud services. He wants to ensure that users in his organization only use cloud services that are approved for their role. What two elements should he define in his rules to most effectively accomplish this?

A. Identity and activity
B. Activity and data
C. Identity and service
D. Service and data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 74). Wiley. Kindle Edition.

A

C. Identity and service

Explanation:
Ian can filter based on user identity and the service the users are attempting to use to most effectively filter service usage by role.

51
Q

Jack wants to use the ATASM model. Which of the following is not one of the key elements of an ATASM assessment?

A. Attacks
B. Threats
C. Architecture
D. Mitigations

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 74). Wiley. Kindle Edition.

A

A. Attacks

Explanation:
ATASM considers architecture, threats, attack surfaces (not attacks), and mitigations.

52
Q

Testing done on running code is known as what type of testing?

A. Dynamic
B. Automatic
C. Structured
D. Static

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 74). Wiley. Kindle Edition.

A

A. Dynamic

Explanation:
Testing done against running code is called dynamic testing.

53
Q

A web application firewall (WAF) can understand and act on what type of traffic?

A. Border Gateway Protocol (BGP)
B. Simple Mail Transfer Protocol (SMTP)
C. Internet Control Message Protocol (ICMP)
D. Hypertext Transfer Protocol (HTTP)

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 74). Wiley. Kindle Edition.

A

D. Hypertext Transfer Protocol (HTTP)

Explanation:
WAFs focus on web traffic and thus typically inspect HTTP traffic rather than BGP, ICMP, or SMTP traffic.

54
Q

Henry wants to design his SDLC to help prevent the most common application security issues. Where in the SDLC should he insert controls to ensure that his application architecture is secure?

A. Analysis and requirements definition
B. Design
C. Deployment
D. Operations and maintenance

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 75). Wiley. Kindle Edition.

A

B. Design

Explanation:
The Design phase allows Henry to include security design elements that will help ensure that his application is secure. The Requirements phase should include the need for security but won't specify how it will be accomplished, and deployment and maintenance are too late, as the architecture has already been designed and implemented.

55
Q

Jacinda’s manager has asked her to set up a sandbox environment to help validate third party software before it is run. What should Jacinda prepare an environment to handle?

A. Optimizing the production environment by moving processes that are not frequently used into the sandbox
B. Allowing secure remote access for users who need resources in the cloud environment
C. Running malware for analysis purposes
D. Creating secure subnets of the production environment

A

C. Running malware for analysis purposes

Explanation:
A sandbox can be used to run malware for analysis purposes, as it won't affect (or infect) the production environment; it's worth noting, though, that some malware is sandbox-aware, so additional antimalware measures are advisable. Optimizing production by moving tasks isn't a typical use for a sandbox, remote secure access systems are called jump boxes, and subnets are created using network configurations.

56
Q

Valerie wants to decouple her application infrastructure from her underlying OS platforms to allow her to more easily migrate between cloud service providers. What type of solution will best fit her needs?

A. Use custom configured Linux virtual machines to host the application.
B. Use containers configured for the application to host the application.
C. Use the cloud providers native serverless infrastructure to host the applications
D. Use default Linux systems with default configurations to host the application

A

B. Use containers configured for the application to host the application.

Explanation:
Containerization best meets the platform-agnostic approach that matches Valerie's requirements. While serverless is powerful, moving between native serverless platforms typically requires building to each provider's requirements.

57
Q

Gary wants to monitor privileged credential use in his Microsoft SQL Server environment, which he hosts with an IaaS provider. What type of tool should Gary select to help with this need?

A. A WAF
B. A database SIEM
C. A DB IPS
D. A DAM

A

D. A DAM

Explanation:
A Database Activity Monitor (DAM) solution provides database activity monitoring that includes privileged account usage logging and monitoring, in addition to other security and monitoring features.

58
Q

Paul wants to avoid denial of service attacks against her API. What controls should she select to most effectively provide this type of security?

A. Use an IPS and scalable architecture
B. Use a scalable architecture and set throttling limits and quotas
C. Require authentication and use an IPS
D. Require authentication and set throttling limits and quotas

A

D. Require authentication and set throttling limits and quotas

Explanation:
Requiring authentication and setting throttling limits and quotas help to prevent DoS attacks on APIs.

59
Q

Sandboxing can often be used for:

A. Testing user awareness and training
B. Testing API Security
C. Testing software before putting it into production
D. Testing software to validate its compliance with regulatory requirements

A

C. Testing software before putting it into production

Explanation:
Software that has either been purchased from a vendor or developed internally can be tested in a sandboxed environment to determine whether there will be any interoperability problems when it is installed into actual production.

60
Q

Jen wants to ensure that the encryption modules she is using in her application design are secure. What type of validation or certification should she look for?

A. PCI compliant
B. AES Cert
C. FIPS 140-2
D. GLBA Validated

A

C. FIPS 140-2

Explanation:
FIPS 140-2 is a US government standard that specifies the security requirements for cryptographic modules.

61
Q

Kwame wants to limit the impact of potentially compromised secrets in his environment. What should he do to most effectively limit the issues compromised secrets can cause?

A. Extends secrets lifecycle
B. Rotate secrets
C. Replace secrets with tokens
D. Implement a secret expiration list

A

B. Rotate secrets

Explanation:
Rotating secrets limits the blast radius of exposed or compromised secrets. Extending their lifecycle does the opposite.

62
Q

As part of her organization's SDLC, Olivia is testing whether the business logic in a new application generates correct output. What type of testing is Olivia conducting?

A. Stress testing
B. Functional testing
C. Load testing
D. Nonfunctional testing

A

B. Functional testing

Explanation:
Olivia is conducting functional testing that seeks to test whether software meets business requirements. This does not specify a load or stress test scenario.

63
Q

Olivia’s organization wants to adopt MFA. Which of the following MFA models is considered less secure than others?

A. Hardware tokens
B. Mobile applications
C. SMS factors
D. USB Tokens

A

C. SMS factors

Explanation:
SMS factors are considered the least secure of these options because of SIM swapping and VoIP-based attacks on SMS messages.

64
Q

Ben wants to validate open source software packages used in his environment. Which of the following is not a valid dynamic testing option?

A. Use manual security testing of the live application
B. Use an application vulnerability scanner
C. Use manual security testing of the source code
D. Conduct unit and integration testing of the application

A

C. Use manual security testing of the source code

Explanation:
Review of the source code is static testing and does not meet Ben's needs. The other answers all include dynamic testing options.

65
Q

Yariv’s abuse case testing has identified an issue with their web application that allows bots to conduct automated attacks. What type of protection could he implement to limit the impact of bots performing actions like this?

A. Filter known SQL Injection attacks from web queries
B. Use a CAPTCHA before allowing user actions
C. Require users to log in before performing actions
D. Prevent XSS by limiting special characters in form submissions

A

B. Use a CAPTCHA before allowing user actions

Explanation:
CAPTCHA-based security systems help to reduce the impact of bots by requiring human interaction. While there are ways to work around CAPTCHAs, Yariv knows that they require additional work from attackers and will help reduce the overall load from bots.

66
Q

Emily logs in to a third party website using her Google credentials. What role is Google playing in the authentication process?

A. Google is the service provider
B. Google is the storage provider
C. Google is the authorization provider
D. Google is the identity provider

A

D. Google is the identity provider

Explanation:
When Emily logs in using her Google credentials, Google acts as the identity provider and tells the third-party service provider that she has logged in successfully using her user ID and password.

67
Q

Software developers designing applications that allow access to protected customer information for the cloud should expect to include options to ensure all of the following capabilities except ___________________.

A. Encryption of data at rest
B. Encryption of data in transit
C. Data masking
D. Randomizing customer data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 77). Wiley. Kindle Edition.

A

D. Randomizing customer data

Explanation:
Not all programs (or organizations) will require database access, or even use databases, and hashing is not a common requirement since the data will not be readable. Encryption at rest and in transit, as well as data masking, are all commonly employed to protect sensitive

68
Q

Kristen wants to filter her SAML traffic for potential attacks, including rate-limiting requests and validating content. Which of the following solutions is purpose-built for this type of security design?

A. A DAM with OpenID support
B. A SAML compliant IDS
C. An XML firewall
D. A WAF

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 77). Wiley. Kindle Edition.

A

C. An XML firewall

Explanation:
SAML is an XML-based protocol, and Kristen knows that an XML firewall that is SAML-aware, with appropriate rules for identity-based protection, would be her best option. IDS systems cannot rate-limit even if they are SAML-aware. WAFs are designed for web applications rather than specifically for XML- and SAML-based filtering, and a DAM is a database-specific tool.

69
Q

Which of the following is not true about single sign-on (SSO)?

A. Reduction in password fatigue
B. Reduces password reuse
C. Prevents the use of multifactor authentication
D. Makes end-user credential management easier

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 77). Wiley. Kindle Edition.

A

D. Makes end-user credential management easier

Explanation:
Using SSO does not prevent the use of MFA. In fact, it often makes it easier, since organizations can centralize their use of MFA.

70
Q

What does static application security testing (SAST) examine?

A. Software outcomes
B. User performance
C. System durability
D. Source code

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 77). Wiley. Kindle Edition.

A

D. Source code

Explanation:
Static testing reviews source code. Dynamic testing would test outcomes and performance.

71
Q

Angela wants to deploy multifactor authentication (MFA) for her organization and wants to integrate with her cloud provider. Which of the following MFA options is least likely to be easily supported by a cloud provider?

A. Hardware tokens
B. Biometric readers
C. Mobile applications
D. SMS factors

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 77). Wiley. Kindle Edition.

A

B. Biometric readers

Explanation:
Biometric readers are the least likely secondary factor to be supported by cloud vendors. Hardware and software tokens as well as SMS factors are commonly supported by cloud providers.

72
Q

Christina is following a typical SDLC process and has completed the planning phase. What phase typically follows the Planning phase in most SDLCs?

A. Design
B. Deployment
C. Maintenance
D. Requirements Gathering

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 78). Wiley. Kindle Edition.

A

D. Requirements Gathering

Explanation:
Once planning is done, organizations typically move into the Requirements Gathering phase to ensure that they know what the software they will build will do. Design, Build, Test, Deploy, and Maintain are common follow-up phases.

73
Q

Annie’s organization uses a waterfall methodology for its SDLC. What description best fits a waterfall methodology?

A. Development efforts can move easily between phases to meet organizational needs.
B. The outcome of each phase serves as the input to the next phase.
C. Development efforts repeat in cycles until the development is complete.
D. The outcome of each phase determines whether the process moves forward or backward in the SDLC process.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 78). Wiley. Kindle Edition.

A

B. The outcome of each phase serves as the input to the next phase.

Explanation:
Waterfall phases each serve as the input for the next phase and move in only one direction.

74
Q

During what phase of the SDLC are business requirements most likely to be mapped to how the software will be built?

A. Requirements Definition
B. Design
C. Testing
D. Secure Operations

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 78). Wiley. Kindle Edition.

A

B. Design

Explanation:
Requirements are typically mapped to the software in the Design phase. Requirements will be created in the Define phase, validated in the Test Phase, and of course the software will be run in production in the Operations phase.

75
Q

Stress testing is a form of what type of testing?

A. Black box
B. Functional testing
C. White box
D. Nonfunctional testing

A

D. Nonfunctional testing

Explanation:
Nonfunctional testing seeks to test whether software meets customer expectations and performance requirements, including how it behaves under abnormal conditions. Black box, or zero-knowledge, testing attempts to replicate an attacker's experience; white box, or full-knowledge, testing provides complete insight into an environment or tool, including access to source code and documentation; and functional testing is conducted based on business requirements.

76
Q

Gabriel’s organization wants to ensure that their open source software is properly licensed. What should they do?

A. Contact the authors of each component to request permission to use them.
B. Engage a third-party license management vendor to ensure compliance with the licenses.
C. Pay appropriate licensing fees to the licensing organization for each software component.
D. Review the licenses for each component to ensure they are in compliance.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 78). Wiley. Kindle Edition.

A

D. Review the licenses for each component to ensure they are in compliance.

Explanation:
Since there are a number of different open source licenses, Gabriel’s best bet is to ensure that his organization reviews the licenses that apply to each software package or component they use. This can be complex and time consuming, and organizations often limit the licenses they are willing to accept to reduce this burden.

77
Q

Sofia is preparing a list of the likely attacks against her APIs. Which of the following is not a common attack against APIs?

A. Injection
B. Malware
C. Distributed denial-of-service
D. Credential stuffing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 78). Wiley. Kindle Edition.

A

B. Malware

Explanation:
Injection, distributed DoS, cross-site scripting, on-path, and credential stuffing attacks are all commonly aimed at APIs. Malware attacks, however, are not a common API threat.

78
Q

The SAFECode Fundamental Practices for Secure Software Development includes a section on handling errors. What common development best practice does it reference?

A. Providing too much information in errors
B. Handling errors in a secure and graceful way
C. Ensuring unanticipated errors are provided only to administrators
D. Ensuring unanticipated errors are provided only to users

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 79). Wiley. Kindle Edition.

A

B. Handling errors in a secure and graceful way

Explanation:
The SAFECode fundamental practices note that errors should be handled in a secure and graceful way. It recommends against providing too much information in errors, and that unanticipated errors should be flagged to both users and admins, but with different levels of information appropriate to each group.

79
Q

Jason wants to use TLS to protect his organization’s production web traffic. Who should generate the x.509 certificate for his website?

A. Jason should generate it on the web servers.
B. Jason should use his company’s internal certificate authority.
C. Jason should use a commercial certificate authority.
D. Jason should generate the certificate on a separate administrative workstation used only for that purpose.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 79). Wiley. Kindle Edition.

A

C. Jason should use a commercial certificate authority.

Explanation:
Jason should use a commercial certificate authority for any certificate used in production. This allows users to validate the certificate and the certificate chain to ensure trust.

80
Q

Lisa wants to ensure that the open source software package she has downloaded is legitimate. The software download site provides an SHA2 hash, a cryptographic signature, a file size, and a version number. Which of these options provides the greatest level of certainty?

A. The SHA2 hash
B. The cryptographic signature
C. The file size
D. The version number

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 79). Wiley. Kindle Edition.

A

B. The cryptographic signature

Explanation:
A signature ensures both that the file is the correct file and that it has not been changed, and validates that it was provided by the signer. A SHA2 hash is the second best option, although attackers might modify the hash on the site or modify the file before it is hashed. File size and version number are the least useful options.

81
Q

James has created monitoring instrumentation for his application and uses the instrumentation to assess performance as well as function during the QA stage of his SDLC. What type of software validation methodology is he using?

A. IAST
B. Interactive DST
C. SCA
D. Structured DST

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 79). Wiley. Kindle Edition.

A

A. IAST

Explanation:
Interactive application security testing (IAST) uses software instrumentation to validate performance and function and is typically conducted during the QA/Test phase of the SDLC.
SCA or software composition analysis reviews the components that make up an application.
Interactive and structured DST were made up for this question.

82
Q

Michelle is using the SAFECode Fundamental Practices for Secure Software Development as an underlying foundation for her organization’s development practices. She wants to develop an encryption strategy and knows that SAFECode describes how to do so. Which of the following is not a best practice for developing an encryption strategy for applications according to SAFECode?

A. Ensuring encryption algorithms cannot be changed easily
B. Defining what to protect
C. Assessing what encryption mechanisms meet the organization’s requirements
D. Deciding on a key management solution

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 79). Wiley. Kindle Edition.

A

A. Ensuring encryption algorithms cannot be changed easily

Explanation:
Changing encryption algorithms if a problem is found with one that is currently in use is actually a best practice that SAFECode recommends. They call it cryptographic agility and note that you need to be able to transition to new mechanisms, libraries, and keys when needed. Defining what to protect, what mechanisms will be used, and how keys and certificates will be managed are all common best practices and are also recommended by SAFECode.

83
Q

In a platform as a service (PaaS) model, who should most likely be responsible for the security of the applications in the production environment?

A. Cloud customer
B. Cloud provider
C. Regulator
D. Programmers

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 80). Wiley. Kindle Edition.

A

A. Cloud customer

Explanation:
In a PaaS environment, the customer is responsible for the security of applications in the production environment. The service provider will be responsible for the underlying hardware and the platform itself.

84
Q

James wants to test his software for business logic issues that knowledgeable users could use to take advantage of his software. What type of testing should he invest in?

A. Abuse case testing
B. Black box testing
C. Use case testing
D. White box testing

A

A. Abuse case testing

Explanation:
Abuse case testing will test how users could abuse the software, including the type of issues James is concerned about.

85
Q

Frankie wants to implement single sign-on for her organization. Which of the following options is not commonly supported for SSO in cloud environments?

A. Cloud provider native SSO
B. Active Directory
C. SAML
D. LDAP

A

D. LDAP

Explanation:
Active Directory, SAML, and vendor-native SSO options are all commonly supported, but LDAP is not a commonly supported SSO option for most cloud vendors.

86
Q

Regardless of which model the organization uses for the system development life cycle (SDLC), in which phase will user input be requested and considered?

A. Define
B. Design
C. Development
D. Detect

A

A. Define

Explanation:
In the Define phase, organizations work to determine the purpose of the software and what it needs to do to meet the needs of users. The Design and Development stages then work to architect and build software that meets those requirements. Detect is not an SDLC phase.

87
Q

Pete is reviewing his environment based on the OWASP Cloud Native Application Security Top 10. He knows that container configuration is a top concern and has identified that his containers currently run as root. How can he remediate this issue?

A. Set the OS to prevent root logins
B. Set a non privileged user as the container owner
C. Set a non privileged user as the process owner
D. Use MFA for the root user

A

C. Set a non privileged user as the process owner

Explanation:
Setting a non-privileged user as the process owner will work in many cases. Setting the container owner as a non-privileged user won't stop root from running it in a poor configuration. Limiting root login or requiring MFA won't stop a process from running as root either.

88
Q

Jessica’s quality assurance testing process involves identifying software flaws, including business logic flaws and other coding mistakes.
What type of testing should she perform to most effectively identify underlying code quality issues?

A. Static testing
B. Black box testing
C. Dynamic testing
D. Software composition analysis

A

A. Static testing

Explanation:
Jessica should perform static testing to help her organization identify code quality issues by reviewing the source code for the application. Dynamic testing can identify functional issues but may not identify code quality issues or business logic flaws.

89
Q

Which of the following is not checked when using the STRIDE threat model?

A. The ability of users to gain administrative access rights without proper permissions
B. The ability of internal personnel to trigger business continuity/disaster recovery activities
C. The ability of a participant in a transaction to refute that they’ve taken part in the transaction
D. The ability of an unauthorized user to pretend to be an authorized user

A

B. The ability of internal personnel to trigger business continuity/disaster recovery activities

Explanation:
The STRIDE threat model does not deal with business continuity and disaster recovery (BC/DR) actions. All the other options are elements of STRIDE: elevation of privilege, repudiation, and spoofing.

90
Q

Kathleen's organization uses a microservices architecture to deliver its major applications. What type of security tool is best suited to providing security for microservices that rely on APIs and service discovery?

A. CASB
B. XML Firewall
C. RPC Gateway
D. API Gateway

A

D. API Gateway

Explanation:
API gateways are well suited for this type of architecture because they focus on service discovery and API security, as well as rate limiting and other security controls like authentication. XML firewalls and cloud application security brokers are both used for other purposes, and RPC gateways allow remote procedure calls to other networks and services.

91
Q

At which phase of the SDLC should security personnel first be involved?

A. Define
B. Design
C. Develop
D. Test

A

A. Define

Explanation:
The earlier security inputs are included in the project, the more efficient and less costly security controls are overall.

92
Q

Tahir configures his organization's QA environment to simulate logins for 25% more users than typically log in at the maximum usage for their major web application. Which term best describes the type of testing Tahir is conducting?

A. Dynamic, nonfunctional testing
B. Dynamic, functional testing
C. Static, functional testing
D. Static testing, nonfunctional testing

A

A. Dynamic, nonfunctional testing

Explanation:
Tahir is conducting a nonfunctional test that checks for behavior under load, and since the program is actually running, it is dynamic testing rather than static testing of source code.

93
Q

When Joanna logs into a service provider that her organization works with, the service provider sends a request to her organization's identity provider to determine if she is already authenticated. If she is, the identity provider sends a token to the service provider confirming that she is authenticated, and her browser will pass a token to the service provider that is validated based on the trust relationship the service provider has with the identity provider. What type of infrastructure is Joanna using?

A. RDP
B. SSO
C. OTP
D. MFA

A

B. SSO

Explanation:
Joanna is using a single sign-on infrastructure that allows her to sign on in one location and then use those credentials in multiple locations with various service providers. RDP is used for graphical access to Windows systems, OTP is a one-time password, and MFA is multifactor authentication.

94
Q

Ben’s team uses the STRIDE model to identify security threats. What security property does tampering impact in the STRIDE Model?

A. Integrity
B. Confidentiality
C. Availability
D. Authorization

A

A. Integrity

Explanation:
Tampering impacts the integrity of data by modifying it.

95
Q

Carmen’s organization wants to provide awareness training using a community-based web application security guide. What community standard is best suited to this type of training?

A. ASVS
B. CVE
C. OWASP
D. NIST

A

C. OWASP

Explanation:
OWASP, the Open Web Application Security Project, provides both cloud and web application security top 10 lists that are community sourced and well suited to awareness training. ASVS sets standards for application validation and security testing. CVE and NIST are not community-based web application security guides.

96
Q

Henry uses an IAST process as part of his SDLC. What SDLC phase is IAST most likely to occur in?

A. Planning
B. Building
C. Deployment
D. Testing

A

D. Testing

Explanation:
Interactive application security testing (IAST) would be most likely to occur during the Testing phase of the SDLC.

97
Q

Malika wants to ensure that human error doesn't influence the security of her organization's secrets. Which of the following practices will most effectively prevent human-related issues from influencing her secrets' security?

A. Use a common passphrase word list in an automated CI/CD pipeline
B. Require password complexity
C. Generate passphrases randomly
D. Exclusively use shared passphrases

A

C. Generate passphrases randomly

Explanation:
Using automated creation tools for passphrases will prevent staff members from reusing passwords or falling into habits that result in easily guessed passphrases and passwords. Using a word list, shared passphrases, or simply adding complexity will not meet Malika's needs.

98
Q

Frank knows that his organization intends to use federated identities as part of its cloud services environment. What standard should he ensure that his existing on-site identity management system supports to help with this?

A. SAML
B. FIPS 140-2
C. XML
D. FIM

A

A. SAML

Explanation:
SAML is commonly used to enable identity federation. FIPS 140-2 is a US government encryption mechanism standard; XML may be needed but is a very broad standard for extensible markup languages; and FIM is federated identity management, a generic term describing the overall concept, not a technology or technological capability.

99
Q

James uses a CI/CD pipeline at the core of his development process. What design pattern should he use to ensure his QA process doesn't impact production?

A. Add software going through QA to his production environment to allow live testing
B. Create a new environment for QA testing, then promote to production after testing
C. Replicate the production environment for QA testing, then promote to production after testing
D. Add software to the QA environment for testing, then allow production users to access QA with instrumentation in place

A

C. Replicate the production environment for QA testing, then promote to production after testing

Explanation:
Replicating production for QA testing, then promoting from QA to production once testing is complete, is a common design practice in application development environments. Adding software going through QA to production environments or allowing users to use QA systems instead of production can lead to a negative user experience, and creating a QA environment that doesn't match production may invalidate testing.

100
Q

Tara's organization uses a three-level application security verification standard and requires that their most secure applications reach level 3 with in-depth validation and testing. What application security standard are they using?

A. ASVS
B. SAFECode
C. OWASP
D. SANS/CWE

A

A. ASVS

Explanation:
ASVS uses a three-level code validation assurance model, with level 3 requiring critical applications to meet in-depth validation and testing requirements.