Domain 8: Review Questions Flashcards

1
Q

Which of the following is the last step in the System Development Life Cycle?

A. Operate/Maintain
B. Dispose
C. Acquire/Develop
D. Initiate

A

B.

The five steps in the System Development Life Cycle are as follows:
1. Initiate
2. Acquire/Develop
3. Implement
4. Operate/Maintain
5. Dispose

2
Q

In which of the following stages of the Software Development Life Cycle is the software actually coded?

A. Gather Requirements
B. Design
C. Develop
D. Test/Validate

A

C. The Develop stage involves writing the code or instructions that make the software work. The emphasis of this phase is strict adherence to secure coding practices.

3
Q

Which of the following initiatives was developed by the Department of Homeland Security?

A. WASC (Web Application Security Consortium)
B. BSI (Build Security In)
C. OWASP (Open Web Application Security Project)
D. ISO (International Organization for Standardization)

A

B. The Department of Homeland Security (DHS) is involved in promoting software security best practices. The Build Security In (BSI) initiative promotes a process-agnostic approach that makes security recommendations with regard to architectures, testing methods, code reviews, and management processes.

4
Q

Which of the following development models includes no formal control mechanisms to provide feedback?

A. Waterfall
B. V-shaped
C. Build and Fix
D. Spiral

A

C. Though it’s not a formal model, the Build and Fix approach describes a method that has been largely discredited and is now used as a template for how not to manage a development project. Simply put, in this method, the software is developed as quickly as possible and released.

5
Q

Which language type delivers instructions directly to the processor?

A. Assembly languages
B. High-level languages
C. Machine languages
D. Natural languages

A

C. Machine languages deliver instructions directly to the processor. This was the only type of programming done in the 1950s; it uses basic binary instructions with no compiler or interpreter. (Those programs convert higher-level language types into a form that the processor can execute.)

6
Q

Which term describes the degree to which elements in a module are related to one another?

A. Polymorphism
B. Cohesion
C. Coupling
D. Data structures

A

B. Cohesion describes how many different tasks a module can carry out. If a module is limited to a small number or a single function, it is said to have high cohesion.

Coupling describes how much interaction one module requires from another module to do its job. Low or loose coupling indicates that a module does not need much help from other modules, whereas high coupling indicates the opposite.

7
Q

Which term describes a standard for communication between processes on the same computer?

A. CORBA (Common Object Request Broker Architecture)
B. DCOM (Distributed Component Object Model)
C. COM (Component Object Model)
D. SOA (service-oriented architecture)

A

C. Component Object Model (COM) is a model for communication between processes on the same computer, while, as the name implies, the Distributed Component Object Model (DCOM) is a model for communication between processes in different parts of the network.

8
Q

Which of the following is a Microsoft technology?

A. ActiveX
B. Java
C. SOA (service-oriented architecture)
D. CORBA (Common Object Request Broker Architecture)

A

A. ActiveX is a Microsoft technology that uses object-oriented programming (OOP) and is based on COM and DCOM.

9
Q

Which of the following is the dividing line between the trusted parts of the system and those that are untrusted?

A. Security perimeter
B. Reference monitor
C. Trusted computer base (TCB)
D. Security kernel

A

A. The security perimeter is the dividing line between the trusted parts of the system and those that are untrusted. According to security design best practices, components that lie within this boundary (which means they lie within the TCB) should never permit untrusted components to access critical resources in an insecure manner.

10
Q

Which of the following is a system component that enforces access controls on an object?

A. Security perimeter
B. Reference monitor
C. Trusted computer base (TCB)
D. Security kernel

A

B. A reference monitor is a system component that enforces access controls on an object. It is an access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.

11
Q

Which of the following tests ensures that the customer (either internal or external) is satisfied with the functionality of the software?

A. Integration testing
B. Acceptance testing
C. Regression testing
D. Accreditation

A

B. Acceptance testing ensures that the customer (either internal or external) is satisfied with the functionality of the software. Integration testing assesses how the modules work together and determines whether functional and security specifications have been met. Regression testing takes place after changes are made to the code to ensure that the changes have reduced neither functionality nor security. Accreditation is the formal acceptance of the adequacy of a system’s overall security by management.

12
Q

In which of the following software development models is less time spent on the upfront analysis and more emphasis placed on learning from the process feedback and incorporating lessons learned in real time?

A. Agile Development
B. Rapid Application Development
C. Cleanroom Model
D. Modified Waterfall

A

A. With the Agile model, less time is spent on upfront analysis, and more emphasis is placed on learning from the process and incorporating lessons learned in real time. There is also more interaction with the customer throughout the process. In the Rapid Application Development (RAD) model, less time is spent up front on design, while emphasis is placed on rapidly producing prototypes with the assumption that crucial knowledge can only be gained through trial and error. In contrast to the JAD model, the Cleanroom model strictly adheres to formal steps and a more structured method. It attempts to prevent errors and mistakes through extensive testing. In the modified Waterfall model, each phase in the development process is considered its own milestone in the project management process. Unlimited backward iteration (returning to earlier stages to address problems) is not allowed in this model.

13
Q

Which of the following software development risk analysis and mitigation strategy guidelines should security professionals follow? (Choose all that apply.)

A. Integrate risk analysis and mitigation in the Software Development Life Cycle.
B. Use qualitative, quantitative, and hybrid risk analysis approaches based on standardized risk analysis methods.
C. Track and manage weaknesses that are discovered throughout risk assessment, change management, and continuous monitoring.
D. Encapsulate data to make it easier to apply the appropriate policies to objects.

A


14
Q

Which of the following are valid guidelines for providing application programming interface (API) security? (Choose all that apply.)

A. Use the same security controls for APIs as for any web application in the enterprise.
B. Use Hash-based Message Authentication Code (HMAC).
C. Use encryption when passing static keys.
D. Implement password encryption instead of single key-based authentication.

A

A, B, C, D.

Comprehensive security must protect the entire spectrum of devices in the digital workplace, including apps and APIs. API security is critical for an organization that is exposing digital assets. Guidelines for providing API security include:
* Use the same security controls for APIs as for any web application in the enterprise.
* Use Hash-based Message Authentication Code (HMAC).
* Use encryption when passing static keys.
* Use a framework or an existing library to implement security solutions for APIs.
* Implement password encryption instead of single key-based authentication.

15
Q

Which of the following is not one of the four phases of acquiring software?

A. Planning
B. Contracting
C. Development
D. Monitoring and accepting

A

C.

In the Software Development Life Cycle, the code or instructions that make the software work are written in the Develop phase. The process of acquiring software has the following four phases:
1. Planning: During this phase, the organization performs a needs assessment, develops the software requirements, creates the acquisition strategy, and develops evaluation criteria and a plan.
2. Contracting: When planning is complete, the organization creates a request for proposal (RFP) or other supplier solicitation forms, evaluates the supplier proposals, and negotiates the final contract with the selected seller.
3. Monitoring and accepting: When a contract is in place, the organization establishes the contract work schedule, implements change control procedures, and reviews and accepts the software deliverables.
4. Follow-up: When the software is in place, the organization must sustain the software, including managing risks and changes. At some point, the organization may need to decommission the software.

16
Q

Which of the following are considered secure coding best practices that developers and security professionals should adhere to? (Choose all that apply.)

A. Sanitize all data passed to other systems.
B. Implement default deny.
C. Validate input.
D. Heed compiler warnings.

A

A, B, C, D.

Developers and security professionals should adhere to the following secure coding best practices:
* Sanitize all data passed to other systems, including command shells, processes, relational databases, and application components.
* Security professionals should ensure that, by default, access is denied and the protection scheme identifies conditions under which access is permitted.
* Developers should validate any input into an application from all untrusted data sources.
* When developers use a compiler, they should compile the code using the highest warning level available in the compiler.
* Design software to implement and enforce security policies.
* Adhere to the principle of least privilege, and practice defense in depth.

17
Q

Which of the following is a sequence of activities that aims to determine whether an application conforms to the organization’s security requirements?

A. Component-Based Development
B. Change management process
C. IDEAL (Initiate, Diagnose, Establish, Act, Learn) phases
D. Application vetting process

A

D.

An app vetting process is a sequence of activities that aims to determine whether an app conforms to the organization’s security requirements. An app vetting process comprises a sequence of two main activities: app testing and app approval/rejection. The Component-Based Development method uses building blocks to assemble an application instead of building it from scratch. The advantage of this method with regard to security is that the components are tested for security before being used in the application. The purpose of the change management process is to ensure that all changes to the configuration of the source code and to the source code itself are approved by the proper personnel and are implemented in a safe and logical manner. The IDEAL model was developed by the Software Engineering Institute to provide guidance on software development. Its name is an acronym that stands for the five phases:
1. Initiate: Outline the business reasons behind the change, build support for the initiative, and implement the infrastructure needed.
2. Diagnose: Analyze the current organizational state and make change recommendations.
3. Establish: Take the recommendations from the previous phase and use them to develop an action plan.
4. Act: Develop, test, refine, and implement the solutions according to the action plan from the previous phase.
5. Learn: Use the quality improvement process to determine whether goals have been met and develop new actions based on the analysis.