Domain 8 Flashcards
When designing an object-oriented model, which of the following situations is ideal?
a. High cohesion, high coupling
b. High cohesion, low coupling
c. Low cohesion, low coupling
d. Low cohesion, high coupling
B. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class. When you are developing an object-oriented model, it is desirable to have high cohesion and low coupling.
Which of the following is a common way that attackers leverage botnets?
a. Sending spam messages
b. Conducting brute-force attacks
c. Scanning for vulnerable systems
d. All of the above
D. Botnets are used for a wide variety of malicious purposes, including scanning the network for vulnerable systems, conducting brute-force attacks against other systems, and sending out spam messages.
Which one of the following statements is not true about code review?
a. Code review should be a peer-driven process that includes multiple developers.
b. Code review may be automated.
c. Code review occurs during the design phase.
d. Code reviewers may expect to review several hundred lines of code per hour.
C. Code review takes place after code has been developed, which occurs after the design phase of the system’s development life cycle (SDLC). Code review may use a combination of manual and automated techniques, or rely solely on one or the other. It should be a peer-driven process that includes developers who did not write the code. Developers should expect to complete the review of around 300 lines per hour, on average.
Harold’s company has a strong password policy that requires a minimum length of 12 characters and the use of both alphanumeric characters and symbols. What technique would be the most effective way for an attacker to compromise passwords in Harold’s organization?
a. Brute-force attack
b. Dictionary attack
c. Rainbow table attack
d. Social engineering attack
D. A social engineering attack may trick a user into revealing their password to the attacker. Other attacks that depend on guessing passwords, such as brute-force attacks, rainbow table attacks, and dictionary attacks, are unlikely to be successful in light of the organization’s strong password policy.
Which process is responsible for ensuring that changes to software include acceptance testing?
a. Request control
b. Change control
c. Release control
d. Configuration control
C. One of the responsibilities of the release control process is ensuring that the process includes acceptance testing that confirms that any alterations to end-user work tasks are understood and functional prior to code release. The request control, change control, and configuration control processes do not include acceptance testing.
Which one of the following attack types attempts to exploit the trust relationship that a user’s browser has with other websites by forcing the submission of an authenticated request to a third-party site?
a. XSS
b. CSRF
c. SQL injection
d. Session hijacking
B. Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated requests to third-party sites. Session hijacking attacks attempt to steal previously authenticated sessions but do not force the browser to submit requests. SQL injection directly attacks a database through a web application. Cross-site scripting uses reflected input to trick a user’s browser into executing untrusted code from a trusted site.
When using the SDLC, which one of these steps should you take before the others?
a. Functional requirements determination
b. Control specifications development
c. Code review
d. Design review
A. The SDLC consists of seven phases, in the following order: conceptual definition, functional requirements determination, control specifications development, design review, code review, system test review, and maintenance and change management.
Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message shown here. What state has this computer entered?
a. Fail open
b. Irrecoverable error
c. Memory exhaustion
d. Fail secure

D. The error message shown in the figure is the infamous “Blue Screen of Death” that occurs when a Windows system experiences a dangerous failure and enters a fail secure state. If the system had “failed open,” it would have continued operation. The error described is a memory fault that is likely recoverable by rebooting the system. There is no indication that the system has run out of usable memory.
Which one of the following is not a goal of software threat modeling?
a. To reduce the number of security-related design flaws
b. To reduce the number of security-related coding flaws
c. To reduce the severity of non-security-related flaws
d. To reduce the number of threat vectors
D. Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws. The developer or evaluator of software has no control over the threat environment, because it is external to the organization.
In the diagram shown here, which is an example of a method?
a. Account
b. Owner
c. AddFunds
d. None of the above

C. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.
Which one of the following is considered primary storage?
a. Memory
b. Hard disk
c. Flash drive
d. DVD
A. Primary storage is a technical term used to refer to the memory that is directly available to the CPU. Nonvolatile storage mechanisms, such as flash drives, DVDs, and hard drives, are classified as secondary storage.
Which one of the following testing methodologies typically works without access to source code?
a. Dynamic testing
b. Static testing
c. White box testing
d. Code review
A. Dynamic testing of software typically occurs in a black box environment where the tester does not have access to the source code. Static testing, white box testing, and code review approaches all require access to the source code of the application.
What concept in object-oriented programming allows a subclass to access methods belonging to a superclass?
a. Polymorphism
b. Inheritance
c. Coupling
d. Cohesion
B. Inheritance occurs when a subclass (or child class) is able to use methods belonging to a superclass (or parent class). Polymorphism occurs when different subclasses may have different methods using the same interfaces that respond differently. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class.
Bobby is investigating how an authorized database user is gaining access to information outside his normal clearance level. Bobby believes that the user is making use of a type of function that summarizes data. What term describes this type of function?
a. Inference
b. Polymorphic
c. Aggregate
d. Modular
C. Aggregate functions summarize large amounts of data and provide only summary information as a result. When carefully crafted, aggregate functions may unintentionally reveal sensitive information.
Which one of the following controls would best protect an application against buffer overflow attacks?
a. Encryption
b. Input validation
c. Firewall
d. Intrusion prevention system
B. The best protection against buffer overflow attacks is server-side input validation. This technique limits user input to approved ranges of values that fit within allocated buffers. While firewalls and intrusion prevention systems may contain controls that limit buffer overflows, it would be more effective to perform filtering on the application server. Encryption cannot protect against buffer overflow attacks.
Berta is analyzing the logs of the Windows Firewall on one of her servers and comes across the entries shown in this figure. What type of attack do these entries indicate?
a. SQL injection
b. Port scan
c. Teardrop
d. Land

B. The log entries show the characteristic pattern of a port scan. The attacking system sends connection attempts to the target system against a series of commonly used ports.
Questions 17–20 refer to the following scenario:
Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients.
Acme Widgets is not very well organized with their software development practices. They have a dedicated team of developers who do “whatever it takes” to get software out the door, but they do not have any formal processes.
Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have quantitative management of those processes.
What phase of the SW-CMM should Robert report as the current status of Acme Widgets?
a. Defined
b. Repeatable
c. Initial
d. Managed
C. Acme Widgets is clearly in the initial stage of the SW-CMM. This stage is characterized by the absence of formal process. The company may still produce working code, but they do so in a disorganized fashion.
Robert is working with Acme Widgets on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?
a. Defined
b. Repeatable
c. Initial
d. Managed
B. The Repeatable stage is the second stage in the SW-CMM, following the Initial stage. It should be the next milestone goal for Acme Widgets. The Repeatable stage is characterized by basic life-cycle management processes.
What phase of the SW-CMM should Robert report as the current status of Beta Particles?
a. Defined
b. Repeatable
c. Optimizing
d. Managed
A. The Defined stage of the SW-CMM is marked by the presence of basic life-cycle management processes and reuse of code. It includes the use of requirements management, software project planning, quality assurance, and configuration management practices.
Robert is also working with Beta Particles on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?
a. Defined
b. Repeatable
c. Optimizing
d. Managed
D. The Managed stage is the fourth stage in the SW-CMM, following the Defined stage. It should be the next milestone goal for Beta Particles. The Repeatable stage is characterized by the use of quantitative software development measures.
Which one of the following database keys is used to enforce referential integrity relationships between tables?
a. Primary key
b. Candidate key
c. Foreign key
d. Master key
C. Referential integrity ensures that records exist in a secondary table when they are referenced with a foreign key from another table. Foreign keys are the mechanism used to enforce referential integrity.
Which one of the following files is most likely to contain a macro virus?
a. projections.doc
b. command.com
c. command.exe
d. loopmaster.exe
A. Macro viruses are most commonly found in office productivity documents, such as Microsoft Word documents that end in the .doc or .docx extension. They are not commonly found in executable files with the .com or .exe extensions.
Victor created a database table that contains information on his organization’s employees. The table contains the employee’s user ID, three different telephone number fields (home, work, and mobile), the employee’s office location, and the employee’s job title. There are 16 records in the table. What is the degree of this table?
a. 3
b. 4
c. 6
d. 16
C. The degree of a database table is the number of attributes in the table. Victor’s table has six attributes: the employee’s user ID, home telephone, office telephone, mobile telephone, office location, and job title.
Carrie is analyzing the application logs for her web-based application and comes across the following string:
../../../../../../../../../etc/passwd
What type of attack was likely attempted against Carrie’s application?
a. Command injection
b. Session hijacking
c. Directory traversal
d. Brute force
C. The string shown in the logs is characteristic of a directory traversal attack where the attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user, such as the password file. The series of “double dots” is indicative of a directory traversal attack because it is the character string used to reference the directory one level up in a hierarchy.