Domain 8: Review Questions Flashcards

1
Q

Which of the following is the last step in the System Development Life Cycle?

A. Operate/Maintain
B. Dispose
C. Acquire/Develop
D. Initiate

A

B.

The five steps in the System Development Life Cycle are as follows:
1. Initiate
2. Acquire/Develop
3. Implement
4. Operate/Maintain
5. Dispose

2
Q

In which of the following stages of the Software Development Life Cycle is the software actually coded?

A. Gather Requirements
B. Design
C. Develop
D. Test/Validate

A

C.

The Develop stage involves writing the code or instructions that make the software work. The emphasis of this phase is strict adherence to secure coding practices.

3
Q

Which of the following initiatives was developed by the Department of Homeland Security?

A. WASC (Web Application Security Consortium)
B. BSI (Build Security In)
C. OWASP (Open Web Application Security Project)
D. ISO (International Organization for Standardization)

A

B.

The Department of Homeland Security (DHS) is involved in promoting software security best practices. The Build Security In (BSI) initiative promotes a process-agnostic approach that makes security recommendations with regard to architectures, testing methods, code reviews, and management processes.

4
Q

Which of the following development models includes no formal control mechanisms to provide feedback?

A. Waterfall
B. V-shaped
C. Build and Fix
D. Spiral

A

C.

Though it’s not a formal model, the Build and Fix approach describes a method that has been largely discredited and is now used as a template for how not to manage a development project. In this method, the software is developed as quickly as possible and released.

The Waterfall model breaks the development process into distinct phases. The basic process is a sequential series of steps that are followed without going back to earlier steps. Problems that are discovered during the project do not initiate a return to earlier stages but rather are dealt with after the project is complete.

The V-shaped model is also somewhat rigid but differs primarily from the Waterfall method in that verification and validation are performed at each step.

The Spiral model is actually a meta-model that incorporates a number of the software development models. It is also an iterative approach but places more emphasis on risk analysis at each stage.

5
Q

Which language type delivers instructions directly to the processor?

A. Assembly languages
B. High-level languages
C. Machine languages
D. Natural languages

A

C. Machine languages deliver instructions directly to the processor. This was the only type of programming done in the 1950s and uses basic binary instructions with no compiler or interpreter. (These programs convert higher language types to a form that can be executed by the processor.)

6
Q

Which term describes the degree to which elements in a module are related to one another?

A. Polymorphism
B. Cohesion
C. Coupling
D. Data structures

A

B.

Cohesion describes how many different tasks a module can carry out. If a module is limited to a small number or a single function, it is said to have high cohesion.

Coupling describes how much interaction one module requires from another module to do its job. Low or loose coupling indicates that a module does not need much help from other modules, whereas high coupling indicates the opposite.

7
Q

Which term describes a standard for communication between processes on the same computer?

A. CORBA (Common Object Request Broker Architecture)
B. DCOM (Distributed Component Object Model)
C. COM (Component Object Model)
D. SOA (service-oriented architecture)

A

C.

Component Object Model (COM) is a model for communication between processes on the same computer, while, as the name implies, the Distributed Component Object Model (DCOM) is a model for communication between processes in different parts of the network.

8
Q

Which of the following is a Microsoft technology?

A. ActiveX
B. Java
C. SOA (service-oriented architecture)
D. CORBA (Common Object Request Broker Architecture)

A

A.

ActiveX is a Microsoft technology that uses object-oriented programming (OOP) and is based on the COM and DCOM.

9
Q

Which of the following is the dividing line between the trusted parts of the system and those that are untrusted?

A. Security perimeter
B. Reference monitor
C. Trusted computer base (TCB)
D. Security kernel

A

A.

The security perimeter is the dividing line between the trusted parts of the system and those that are untrusted. According to security design best practices, components that lie within this boundary (which means they lie within the TCB) should never permit untrusted components to access critical resources in an insecure manner.

10
Q

Which of the following is a system component that enforces access controls on an object?

A. Security perimeter
B. Reference monitor
C. Trusted computer base (TCB)
D. Security kernel

A

B.

A reference monitor is a system component that enforces access controls on an object. It is an access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.

11
Q

Which of the following tests ensures that the customer (either internal or external) is satisfied with the functionality of the software?

A. Integration testing
B. Acceptance testing
C. Regression testing
D. Accreditation

A

B.

Acceptance testing ensures that the customer (either internal or external) is satisfied with the functionality of the software. Integration testing assesses how the modules work together and determines whether functional and security specifications have been met. Regression testing takes place after changes are made to the code to ensure that the changes have reduced neither functionality nor security. Accreditation is the formal acceptance of the adequacy of a system’s overall security by management.

12
Q

In which of the following software development models is less time spent on the upfront analysis and more emphasis placed on learning from the process feedback and incorporating lessons learned in real time?

A. Agile Development
B. Rapid Application Development
C. Cleanroom Model
D. Modified Waterfall

A

A.

With the Agile model, less time is spent on upfront analysis, and more emphasis is placed on learning from the process and incorporating lessons learned in real time. There is also more interaction with the customer throughout the process. In the Rapid Application Development (RAD) model, less time is spent up front on design, while emphasis is placed on rapidly producing prototypes with the assumption that crucial knowledge can only be gained through trial and error. In contrast to the JAD model, the Cleanroom model strictly adheres to formal steps and a more structured method. It attempts to prevent errors and mistakes through extensive testing. In the modified Waterfall model, each phase in the development process is considered its own milestone in the project management process. Unlimited backward iteration (returning to earlier stages to address problems) is not allowed in this model.

13
Q

Which of the following software development risk analysis and mitigation strategy guidelines should security professionals follow? (Choose all that apply.)

A. Integrate risk analysis and mitigation in the Software Development Life Cycle.
B. Use qualitative, quantitative, and hybrid risk analysis approaches based on standardized risk analysis methods.
C. Track and manage weaknesses that are discovered throughout risk assessment, change management, and continuous monitoring.
D. Encapsulate data to make it easier to apply the appropriate policies to objects.

A

A, B, C.

Security professionals should ensure that the software development risk analysis and mitigation strategy follows these guidelines:
* Integrate risk analysis and mitigation in the Software Development Life Cycle.
* Use qualitative, quantitative, and hybrid risk analysis approaches based on standardized risk analysis methods.
* Track and manage weaknesses that are discovered throughout risk assessment, change management, and continuous monitoring.

14
Q

Which of the following are valid guidelines for providing application programming interface (API) security? (Choose all that apply.)

A. Use the same security controls for APIs as for any web application in the enterprise.
B. Use Hash-based Message Authentication Code (HMAC).
C. Use encryption when passing static keys.
D. Implement password encryption instead of single key-based authentication.

A

A, B, C, D.

Comprehensive security must protect the entire spectrum of devices in the digital workplace, including apps and APIs. API security is critical for an organization that is exposing digital assets. Guidelines for providing API security include:
* Use the same security controls for APIs as for any web application in the enterprise.
* Use Hash-based Message Authentication Code (HMAC).
* Use encryption when passing static keys.
* Use a framework or an existing library to implement security solutions for APIs.
* Implement password encryption instead of single key-based authentication.

15
Q

Which of the following is not one of the four phases of acquiring software?

A. Planning
B. Contracting
C. Development
D. Monitoring and accepting

A

C.

In the Software Development Life Cycle, the code or instructions that make the software work are written in the Develop phase. The process of acquiring software has the following four phases:
1. Planning: During this phase, the organization performs a needs assessment, develops the software requirements, creates the acquisition strategy, and develops evaluation criteria and a plan.
2. Contracting: When planning is complete, the organization creates a request for proposal (RFP) or other supplier solicitation forms, evaluates the supplier proposals, and negotiates the final contract with the selected seller.
3. Monitoring and accepting: When a contract is in place, the organization establishes the contract work schedule, implements change control procedures, and reviews and accepts the software deliverables.
4. Follow-up: When the software is in place, the organization must sustain the software, including managing risks and changes. At some point, the organization may need to decommission the software.

16
Q

Which of the following are considered secure coding best practices that developers and security professionals should adhere to? (Choose all that apply.)

A. Sanitize all data passed to other systems.
B. Implement default deny.
C. Validate input.
D. Heed compiler warnings.

A

A, B, C, D.

Developers and security professionals should adhere to the following secure coding best practices:
* Sanitize all data passed to other systems, including command shells, processes, relational databases, and application components.
* Security professionals should ensure that, by default, access is denied and the protection scheme identifies conditions under which access is permitted.
* Developers should validate any input into an application from all untrusted data sources.
* When developers use a compiler, they should compile the code using the highest warning level available in the compiler.
* Design software to implement and enforce security policies.
* Adhere to the principle of least privilege, and practice defense in depth.

17
Q

Which of the following is a sequence of activities that aims to determine whether an application conforms to the organization’s security requirements?

A. Component-Based Development
B. Change management process
C. IDEAL (Initiate, Diagnose, Establish, Act, Learn) phases
D. Application vetting process

A

D.

An app vetting process is a sequence of activities that aims to determine whether an app conforms to the organization’s security requirements. An app vetting process comprises a sequence of two main activities: app testing and app approval/rejection. The Component-Based Development method uses building blocks to assemble an application instead of building it. The advantage of this method in regard to security is that the components are tested for security prior to being used in the application. The purpose of the change management process is to ensure that all changes to the configuration of the source code and to the source code itself are approved by the proper personnel and are implemented in a safe and logical manner. The IDEAL model was developed by the Software Engineering Institute to provide guidance on software development. Its name is an acronym that stands for the five phases:
1. Initiate: Outline the business reasons behind the change, build support for the initiative, and implement the infrastructure needed.
2. Diagnose: Analyze the current organizational state and make change recommendations.
3. Establish: Take the recommendations from the previous phase and use them to develop an action plan.
4. Act: Develop, test, refine, and implement the solutions according to the action plan from the previous phase.
5. Learn: Use the quality improvement process to determine whether goals have been met and develop new actions based on the analysis.

18
Q

Susan provides a public RESTful API for her organization’s data but wants to limit its use to trusted partners. She intends to use API keys. What other recommendation would you give Susan to limit the potential abuse of the service?

A. Limit request rates.
B. Force HTTP-only requests.
C. Avoid tokens due to bandwidth constraints.
D. Blacklist HTTP methods such as GET, POST, and PUT.

A

A.

Limiting request rates can prevent abuse of APIs like this one. The other suggestions are all poor recommendations. In general, requests should require HTTPS, tokens are used for security using tools like JSON web tokens (JWT), and HTTP methods may be restricted, but GET, POST, and PUT are some of the most common methods used for API access and are far more typically whitelisted.

19
Q

Darren is conducting a threat-hunting exercise and would like to look for botnet indicators of compromise. Which of the following are common ways that attackers leverage botnets? (Select all that apply.)

A. Mining cryptocurrency
B. Conducting brute-force attacks
C. Scanning for vulnerable systems
D. Conducting man-in-the-middle attacks

A

A, B, C.

Botnets are used for a wide variety of malicious purposes, including scanning the network for vulnerable systems, conducting brute-force attacks against other systems, mining cryptocurrency, and sending out spam messages. They are not commonly used to conduct man-in-the-middle attacks, which are normally waged through DNS poisoning or similar mechanisms.

20
Q

Which one of the following statements is not true about code review?

A. Code review should be a peer-driven process that includes multiple developers.
B. Code review may be automated.
C. Code review occurs during the design phase.
D. Code reviewers may expect to review several hundred lines of code per hour.

A

C.

Code review takes place after code has been developed, which occurs after the design phase of the system’s development life cycle (SDLC). Code review may use a combination of manual and automated techniques or rely solely on one or the other. It should be a peer-driven process that includes developers who did not write the code. Developers should expect to complete the review of around 300 lines per hour, on average.

21
Q

Kathleen is reviewing the Ruby code shown here. What security technique is this code using?

A. Parameterization
B. Typecasting
C. Gem cutting
D. Stored procedures

A

A.

This code is an example of parameterization, which can help avoid SQL injection. Note that each parameter has a placeholder, which is then passed to the query.

22
Q

Jessica is reviewing her organization’s change management process and would like to verify that changes to software include acceptance testing. Which process is responsible for achieving this goal?

A. Request control
B. Change control
C. Release control
D. Configuration control

A

C.

One of the responsibilities of the release control process is ensuring that acceptance testing is performed, to ensure that any alterations to end-user tasks are understood and functional prior to code release. The request control, change control, and configuration control processes do not include acceptance testing.

23
Q

Ashley is investigating an attack that compromised an account of one of her users. In the attack, the attacker forced the submission of an authenticated request to a third-party site by exploiting trust relationships in the user’s browser. What type of attack most likely took place?

A. XSS
B. CSRF
C. SQL injection
D. Session hijacking

A

B.

Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated requests to third-party sites. Session hijacking attacks attempt to steal previously authenticated sessions but do not force the browser to submit requests. A SQL injection directly attacks a database through a web application. Cross-site scripting uses reflected input to trick a user’s browser into executing untrusted code from a trusted site.

24
Q

Arnold is creating a new software package and is making use of the OpenSSL library. What term best describes the library he is using?

A. Open source
B. COTS
C. Third-party
D. Managed

A

A.

The OpenSSL package is a widely used implementation of TLS encryption that is available as an open-source package. It is not commercial off-the-shelf software (COTS). While it might be developed by third parties, it is more accurate to describe it as open source. The library is available as code for free use, but not as a managed service.

25
Q

Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message shown here. What state has this computer entered?

A. Fail open
B. Irrecoverable error
C. Memory exhaustion
D. Fail secure

A

D.

The error message shown in the figure is the infamous “Blue Screen of Death” that occurs when a Windows system experiences a dangerous failure and enters a fail secure state. If the system had “failed open,” it would have continued operation. The error described is a memory fault that is likely recoverable by rebooting the system. There is no indication that the system has run out of usable memory.

26
Q

Joshua is developing a software threat modeling program for his organization. Which of the following are appropriate goals for the program? (Select all that apply.)

A. To reduce the number of security-related design flaws
B. To reduce the number of security-related coding flaws
C. To reduce the severity of non-security-related flaws
D. To reduce the number of threat vectors

A

A, B, C.

Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws. The developer or evaluator of software has no control ov

27
Q

In the diagram shown here, which is an example of a method?

A. Account
B. Owner
C. AddFunds
D. Balance

A

C.

In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.

28
Q

Wanda is reviewing the application development documentation used by her organization and finds the life-cycle illustration shown here. What application development method is her organization using?

A. Waterfall
B. Spiral
C. Agile
D. RAD

A

D.

Rapid Application Development, or RAD, focuses on fast development and the ability to quickly adjust to changing requirements. RAD uses four phases: requirements planning, user design, construction, and cutover.

29
Q

Which one of the following testing methodologies typically works without access to source code?

A. Dynamic testing
B. Static testing
C. White-box testing
D. Code review

A

A.

Dynamic testing of software typically occurs in a black-box environment where the tester does not have access to the source code. Static testing, white-box testing, and code review approaches all require access to the source code of the application.

30
Q

Lucca is analyzing a web application that his organization acquired from a third-party vendor. Lucca determined that the application contains a flaw that causes users who are logged in to be able to take actions they should not be able to in their role. What type of security vulnerability should this be classified as?

A. Data validation
B. Session management
C. Authorization
D. Error handling

A

C.

Given the list of options here, the root cause is most likely an issue with an authorization check that does not properly limit users to the authorization that they should have. Data validation issues are more likely to allow injection attacks or to allow bad data to be input, while session management issues would allow session hijacking or might actually cause them to be logged in as another user. Finally, error handling would show up as a problem when errors occurred, which this problem does not indicate.

31
Q

Bobby is investigating how an authorized database user is gaining access to information outside his normal clearance level. Bobby believes that the user is making use of a type of function that summarizes data. What term describes this type of function?

A. Inference
B. Polymorphic
C. Aggregate
D. Modular

A

C.

Aggregate functions summarize large amounts of data and provide only summary information as a result. When carefully crafted, aggregate functions may unintentionally reveal sensitive information.

32
Q

Taylor would like to better protect the applications developed by her organization against buffer overflow attacks. Which of the following controls would best provide this protection?

A. Encryption
B. Input validation
C. Firewall
D. Intrusion prevention system

A

B.

The best protection against buffer overflow attacks is server-side input validation. This technique limits user input to approved ranges of values that fit within allocated buffers. While firewalls and intrusion prevention systems may contain controls that limit buffer overflows, it would be more effective to perform filtering on the application server. Encryption cannot protect against buffer overflow attacks.

33
Q

Kayla recently completed a thorough risk analysis and mitigation review of the software developed by her team and identified three persistent issues:
1. Cross-site scripting
2. SQL injection
3. Buffer overflows

What is the most significant deficiency in her team’s work identified by these issues?
A. Lack of API security
B. Improper error handling
C. Improper or missing input validation
D. Source code design issues

A

C. Each of these problems is caused by improper or missing input validation and can be resolved by handling inputs properly. In many cases, this can be done using libraries or methods already built into the language or framework that the developer is using.

34
Q

Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients.
Acme Widgets is not well organized with its software development practices. It does have a dedicated team of developers who do “whatever it takes” to get software out the door, but it does not have any formal processes.
Beta Particles is a company with years of experience developing software using formal, documented software development processes. It uses a standard model for software development but does not have quantitative management of those processes.

What phase of the SW-CMM should Robert report as the current status of Acme Widgets?

A. Defined
B. Repeatable
C. Initial
D. Managed

A

C.

Acme Widgets is clearly in the initial stage of the SW-CMM. This stage is characterized by the absence of formal process. The company may still produce working code, but it does so in a disorganized fashion.

35
Q

Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients.
Acme Widgets is not well organized with its software development practices. It does have a dedicated team of developers who do “whatever it takes” to get software out the door, but it does not have any formal processes.
Beta Particles is a company with years of experience developing software using formal, documented software development processes. It uses a standard model for software development but does not have quantitative management of those processes.

Robert is working with Acme Widgets on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?

A. Defined
B. Repeatable
C. Initial
D. Managed

A

B.

The Repeatable stage is the second stage in the SW-CMM, following the Initial stage. It should be the next milestone goal for Acme Widgets. The Repeatable stage is characterized by basic life cycle management processes.

36
Q

Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients.
Acme Widgets is not well organized with its software development practices. It does have a dedicated team of developers who do “whatever it takes” to get software out the door, but it does not have any formal processes.
Beta Particles is a company with years of experience developing software using formal, documented software development processes. It uses a standard model for software development but does not have quantitative management of those processes.

What phase of the SW-CMM should Robert report as the current status of Beta Particles?

A. Defined
B. Repeatable
C. Optimizing
D. Managed

A

A.

The Defined stage of the SW-CMM is marked by the presence of basic life cycle management processes and reuse of code. It includes the use of requirements management, software project planning, quality assurance, and configuration management practices.

37
Q

Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients.
Acme Widgets is not well organized with its software development practices. It does have a dedicated team of developers who do “whatever it takes” to get software out the door, but it does not have any formal processes.
Beta Particles is a company with years of experience developing software using formal, documented software development processes. It uses a standard model for software development but does not have quantitative management of those processes.

Robert is also working with Beta Particles on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?

A. Defined
B. Repeatable
C. Optimizing
D. Managed

A

D.

The Managed stage is the fourth stage in the SW-CMM, following the Defined stage. It should be the next milestone goal for Beta Particles. The Managed stage is characterized by the use of quantitative software development measures.

38
Q

Which one of the following database keys is used to enforce referential integrity relationships between tables?

A. Primary key
B. Candidate key
C. Foreign key
D. Master key

A

C.

Referential integrity ensures that records exist in a secondary table when they are referenced with a foreign key from another table. Foreign keys are the mechanism used to enforce referential integrity.

39
Q

Brynn believes that a system in her organization may have been compromised by a macro virus. Which one of the following files is most likely to be the culprit?

A. projections.doc
B. command.com
C. command.exe
D. loopmaster.exe

A

A.

Macro viruses are most commonly found in office productivity documents, such as Microsoft Word documents that end in the .doc or .docx extension. They are not commonly found in executable files with the .com or .exe extension.

40
Q

Victor created a database table that contains information on his organization’s employees. The table contains the employee’s user ID, three different telephone number fields (home, work, and mobile), the employee’s office location, and the employee’s job title. There are 16 records in the table. What is the degree of this table?

A. 3
B. 4
C. 6
D. 16

A

C.

The degree of a database table is the number of attributes in the table. Victor’s table has six attributes: the employee’s user ID, home telephone, office telephone, mobile telephone, office location, and job title.

41
Q

Carrie is analyzing the application logs for her web-based application and comes across the following string:

../../../../../../../../../etc/passwd

What type of attack was likely attempted against Carrie’s application?

A. Command injection
B. Session hijacking
C. Directory traversal
D. Brute-force

A

C.

The string shown in the logs is characteristic of a directory traversal attack where the attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user, such as the password file. The series of “double dots” is indicative of a directory traversal attack because it is the character string used to reference the directory one level up in a hierarchy.

42
Q

When should a design review take place when following an SDLC approach to software development?

A. After the code review
B. After user acceptance testing
C. After the development of functional requirements
D. After the completion of unit testing

A

C.

Design reviews should take place after the development of functional and control specifications but before the creation of code. The code review, unit testing, and functional testing all take place after the creation of code and, therefore, after the design review.

43
Q

Tracy is preparing to apply a patch to her organization’s enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?

A. Unit testing
B. Acceptance testing
C. Regression testing
D. Vulnerability testing

A

C.

Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software. It is designed to capture unanticipated consequences of deploying new code versions prior to introducing them into a production environment.

44
Q

What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner?

A. Validation
B. Accreditation
C. Confidence interval
D. Assurance

A

D.

Assurance, when it comes to software, is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner. It is a term typically used in military and defense environments.

45
Q

Victor recently took a new position at an online dating website and is responsible for leading a team of developers. He realized quickly that the developers are having issues with production code because they are working on different projects that result in conflicting modifications to the production code. What process should Victor invest in improving?

A. Request control
B. Release control
C. Change control
D. Configuration control

A

C.

The change control process is responsible for providing an organized framework within which multiple developers can create and test a solution prior to rolling it out in a production environment. Request control provides a framework for user requests. Release control manages the deployment of code into production. Configuration control ensures that changes to software versions are made in accordance with the change and configuration management policies.

46
Q

Tom is assessing security risks related to a database he manages. Examining user access controls, he determines that users have access to individual records in a table that match their clearances, but if they pull multiple records, that collection of facts has a higher classification than the classification of any of those facts standing alone and exceeds the permitted access. What type of issue has Tom identified?

A. Inference
B. SQL injection
C. Multilevel security
D. Aggregation

A

D.

Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.

47
Q

Ron leads a team of software developers who find themselves often re-creating code that performs common functions. What software development tool could he use to best address this situation?

A. Code repositories
B. Code libraries
C. IDEs
D. DAST

A

B.

Code libraries are packages of reusable functions that may be incorporated into individual development projects. Ron could use libraries to easily share code among his team. Code repositories may be used to manage the distribution and updating of these libraries, but that is a second-order use case, making code libraries the best answer. Integrated development environments (IDEs) are tools used by developers to create software, while dynamic application security testing (DAST) is used to verify the correct implementation of code.

48
Q

Vivian would like to hire a software tester to come in and evaluate a new web application from a user’s perspective. Which of the following tests best simulates that perspective?

A. Black box
B. Gray box
C. Blue box
D. White box

A

A.

Black-box testing begins with no prior knowledge of the system implementation, simulating a user’s perspective. White-box and gray-box testing provide full and partial knowledge of the system, respectively, in advance of the test. Blue boxes are a phone hacking tool and are not used in software testing.

49
Q

Referring to the database transaction shown here, what would happen if no account exists in the Accounts table with account number 1001?

A. The database would create a new account with this account number and give it a $250 balance.
B. The database would ignore that command and still reduce the balance of the second account by $250.
C. The database would roll back the transaction, ignoring the results of both commands.
D. The database would generate an error message.

A

B.

In this example, the two SQL commands are indeed bundled in a transaction, but it is not an error to issue an update command that does not match any rows. Therefore, the first command would “succeed” in updating zero rows and not generate an error or cause the transaction to roll back. The second command would then execute, reducing the balance of the second account by $250.

50
Q

Brandon is a software developer seeking to integrate his software with a popular social media site. The site provides him with software libraries that he can use to better integrate his code as well as other tools that make his work easier. What term best describes the service he is using?

A. SDK
B. DLP
C. IDE
D. API

A

A.

Software development kits (SDKs) are code libraries and other tools made available to assist developers in creating code. An integrated development environment (IDE) may be a component of an SDK, but it is not necessarily part of every SDK. An application programming interface (API) is a set of functions made available to external developers, but the code does not execute on the users’ machine, as would a code library or other SDK tools. Data loss prevention (DLP) capabilities are not a component of software development toolsets.

51
Q

Kim is troubleshooting an application firewall that serves as a supplement to the organization’s network and host firewalls and intrusion prevention system, providing added protection against web-based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company?

A. High availability cluster
B. Failover device
C. Fail open
D. Redundant disks

A

C.

A fail open configuration may be appropriate in this case. In this configuration, the firewall would continue to pass traffic without inspection while it is restarting. This would minimize downtime, and the traffic would still be protected by the other security controls described in the scenario. Failover devices and high availability clusters would indeed increase availability, but at potentially significant expense. Redundant disks would not help in this scenario because no disk failure is described.

52
Q

What type of security issue arises when an attacker can deduce a more sensitive piece of information by analyzing several pieces of information classified at a lower level?

A. SQL injection
B. Multilevel security
C. Parameterization
D. Inference

A

D.

An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels. Parameterization is a security control used to reduce the likelihood of attacks that rely upon improper user input.

53
Q

Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?

A. Stealth virus
B. Polymorphic virus
C. Multipartite virus
D. Encrypted virus

A

B.

Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assist them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection but do so by encrypting themselves with different keys on each device.

54
Q

Linda is reviewing posts to a user forum on her company’s website, and when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:

<script>
alert('Alert');
</script>

What vulnerability definitely exists on Linda’s message board?

A. Cross-site scripting
B. Cross-site request forgery
C. SQL injection
D. Improper authentication

A

A.

The message forum is clearly susceptible to a cross-site scripting (XSS) attack. The code that Linda discovered in the message is a definitive example of an attempt to conduct cross-site scripting, and the alert box that she received demonstrates that the vulnerability exists. The website may also be vulnerable to cross-site request forgery, SQL injection, improper authentication, and other attacks, but there is no evidence of this provided in the scenario.

55
Q

Linda is reviewing posts to a user forum on her company’s website, and when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:

<script>
alert('Alert');
</script>

What was the likely motivation of the user who posted the message on the forum containing this code?

A. Reconnaissance
B. Theft of sensitive information
C. Credential stealing
D. Social engineering

A

A.

The script that Linda discovered merely pops up a message on a user’s screen and does not perform any more malicious action. This type of script, using an alert() call, is commonly used to probe websites for cross-site scripting vulnerabilities.

56
Q

Linda is reviewing posts to a user forum on her company’s website, and when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:

<script>
alert('Alert');
</script>

Linda communicates with the vendor and determines that no patch is available to correct this vulnerability. Which one of the following devices would best help her defend the application against further attack?

A. VPN
B. WAF
C. DLP
D. IDS

A

B.

Web application firewalls (WAFs) sit in front of web applications and watch for potentially malicious web attacks, including cross-site scripting. They then block that traffic from reaching the web application. An intrusion detection system (IDS) may detect the attack but is unable to take action to prevent it. DLP and VPN solutions are unable to detect web application attacks.

57
Q

Linda is reviewing posts to a user forum on her company’s website, and when she browses a certain post, a message pops up in a dialog box on her screen reading “Alert.” She reviews the source code for the post and finds the following code snippet:

<script>
alert('Alert');
</script>

In further discussions with the vendor, Linda finds that they are willing to correct the issue but do not know how to update their software. What technique would be most effective in mitigating the vulnerability of the application to this type of attack?

A. Bounds checking
B. Peer review
C. Input validation
D. OS patching

A

C.

Input validation verifies that user-supplied input does not violate security conditions and is the most effective defense against cross-site scripting attacks. Bounds checking is a form of input validation, but it is typically used to ensure that numeric input falls within an acceptable range and is not applicable against cross-site scripting attacks. Peer review and OS patching are both good security practices but are unlikely to be effective against a cross-site scripting attack.

58
Q
Hannah is a software developer working on creating statistical software using the R programming language. She uses the RStudio tool, shown here, to assist her in writing this code. What term best describes this tool?

A. SDK
B. IDE
C. API
D. DLP

A

B.

RStudio is a tool used to assist in the creation of code, otherwise known as an integrated development environment (IDE). Software development kits (SDKs) are code libraries and other tools made available to assist developers in creating code. An application programming interface (API) is a set of functions made available to external developers, but the code does not execute on the users’ machine, as would a code library or other SDK tools. Data loss prevention (DLP) capabilities are not a component of software development toolsets.

59
Q

Which of the following configurations within the Scaled Agile Framework (SAFe) is specifically designed to support enterprises in building and maintaining large integrated solutions with the collaboration of hundreds of practitioners?

A. Large Solution SAFe
B. Portfolio SAFe
C. Essential SAFe
D. Full SAFe

A

D.

Full SAFe is designed to support enterprises in building and maintaining large integrated solutions with the collaboration of hundreds of practitioners. It provides the most extensive level of guidance, with roles, responsibilities, and activities needed to sustainably deliver complex solutions. Essential SAFe focuses on the basic elements of the framework needed to be agile, Large Solution SAFe is for developing large and complex solutions that do not require the constructs of the portfolio level, and Portfolio SAFe is for aligning enterprise strategy with execution but does not address the complexity of building large solutions that Full SAFe is designed for.

60
Q

Alan is deploying Java code to a variety of machines in his environment and must install the JVM on those machines first. What term best describes the JVM in this case?

A. Repository
B. Change manager
C. Runtime
D. Sandbox

A

C.

The JVM is the runtime virtual machine that allows the execution of Java code on a device. The JVM implements the Java sandbox, but that is only one of its many functions. The JVM itself is not a change manager or code repository.

61
Q

Christine is nearing the final stages of testing a new software package. Which one of the following types of software testing usually occurs last and is executed against test scenarios?

A. Unit testing
B. Integration testing
C. User acceptance testing
D. System testing

A

C.

User acceptance testing (UAT) is typically the last phase of the testing process. It verifies that the solution developed meets user requirements and validates it against use cases. Unit testing, integration testing, and system testing are all conducted earlier in the process leading up to UAT.

62
Q

Alexis’ organization recently moved to a CI/CD approach for software development where they intend to speed up the deployment of code supporting their website. What is the most reasonable frequency that they can expect to achieve using this type of approach?

A. Monthly deployments
B. Weekly deployments
C. Daily deployments
D. Hundreds of daily deployments

A

D.

When organizations adopt a continuous integration/continuous delivery (CI/CD) approach to software development, they may deploy code extremely rapidly. In fact, some organizations deploy new code to production hundreds or even thousands of times per day using this approach.

63
Q

Amber is conducting a threat intelligence project and would like to find a source of information on threats to her organization’s web applications. Which of the following organizations is widely considered the definitive source for information on web-based attack vectors?

A. ISC2
B. ISACA
C. OWASP
D. Mozilla Foundation

A

C.

The Open Worldwide Application Security Project (OWASP) is widely considered the most authoritative source on web application security issues. It publishes the OWASP Top Ten list, which publicizes the most critical web application security issues.

64
Q

Chris is a software developer, and he is actively writing code for an application. What phase of the Agile process is he in?

A. Planning
B. Sprints
C. Deployment
D. Testing

A

B.

Chris is in an Agile sprint phase and is likely developing code based on user stories. Planning includes stakeholder stories, as well as design and test case preparation. Testing involves ensuring that the code works properly and meets requirements. Deployment includes the actual deployment of the application, as well as additional verification and testing.

65
Q

Alyssa’s team recently implemented a new system that gathers information from a variety of different log sources, analyzes that information, and then triggers automated playbooks in response to security events. What term best describes this technology?

A. SIEM
B. Log repositories
C. IPS
D. SOAR

A

D.

Security information and event management (SIEM) systems do correlate information from multiple sources and perform analysis, but they stop short of providing automated playbook responses. That is the realm of security orchestration, automation, and response (SOAR) platforms. Intrusion prevention platforms have a more limited scope, allowing the blocking of traffic based upon analysis performed by the IPS itself. Log repositories simply collect log information and do not perform analysis.

66
Q

Chris is reviewing the code of an open-source application that he is planning to use in his organization. He finds the code excerpt shown here:

int myarray[10];
myarray[10] = 8;

What type of attack is taking place?

A. Mismatched data types
B. Overflow
C. SQL injection
D. Covert channel

A

B.

This is an example of a specific type of buffer overflow known as an off-by-one error. The first line of the code defines an array of 10 elements, which would be numbered 0 through 9. The second line of code tries to place a value in the 11th element of the array (remember, array counting begins at 0!), which would cause an overflow.

67
Q

Which one of the following database issues occurs when one transaction writes a value to the database that overwrites a value that was needed by transactions with earlier precedence?

A. Dirty read
B. Incorrect summary
C. Lost update
D. SQL injection

A

C.

Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. SQL injection is a web application security flaw, not a database concurrency problem.

68
Q

Belinda would like to better protect users of her organization’s web application from cookie-stealing attacks. Which one of the following is the most effective control against this type of session hijacking attack?

A. TLS
B. Complex session cookies
C. SSL
D. Expiring cookies frequently

A

A.

Transport Layer Security (TLS) provides the most effective defense against session hijacking because it encrypts all traffic between the client and server, preventing the attacker from stealing session credentials. Secure Sockets Layer (SSL) also encrypts traffic, but it is vulnerable to attacks against its encryption technology. Complex and expiring cookies are a good idea, but they are not sufficient protection against session hijacking.

69
Q

In a software configuration management program, what is the primary role of the CAB?

A. Approve the credentials of developers.
B. Facilitate lessons learned sessions.
C. Review and approve/reject code changes.
D. Prioritize software development efforts.

A

C.

The purpose of the change advisory board (CAB) is to review and then approve or reject proposed code changes. The CAB is not normally involved in the approval of developer credentials, the conduct of lessons learned sessions, or the prioritization of software development efforts.

70
Q

What is SAFe? What are its 4 configuration levels?

A

The Scaled Agile Framework (SAFe) is a comprehensive approach to applying agile principles and practices at the enterprise scale.

  1. Essential SAFe: This is where the traditional Agile practices, like Scrum, come into play. Teams work in Agile Release Trains (ARTs), which are groups of teams that align to deliver larger pieces of value, often in the form of program increments. Each program increment typically lasts around 8–12 weeks.
  2. Large Solution SAFe: For particularly vast systems that require multiple ARTs, this SAFe configuration provides additional roles and artifacts to ensure alignment and coordination. This isn’t always needed but comes into play in exceptionally large implementations.
  3. Portfolio SAFe: This SAFe configuration is where strategic direction is translated into actionable items. Investment themes guide the organization’s work, ensuring alignment with business objectives. Lean Portfolio Management (LPM) principles drive the efforts, ensuring minimal overhead and focusing on delivering the maximum value.
  4. Full SAFe: It’s designed to support enterprises that build and maintain large, integrated solutions that require hundreds of practitioners to collaborate effectively.

71
Q

Which one of the following tools is commonly used by software developers to interact with and manage code that is stored in code repositories?

A. grep
B. git
C. lsof
D. gcc

A

B.

git is a version management tool that is very commonly used by developers to interact with code repositories, such as those hosted by GitHub. grep is a command-line tool used to search files for specific content. lsof is a command used to list the open files on a system. gcc is a C language compiler used to transform source code into executable code.

72
Q

While evaluating a potential security incident, Harry comes across a log entry from a web server request showing that a user entered the following input into a form field:

CARROT'&1=1;--

What type of attack was attempted?

A. Buffer overflow
B. Cross-site scripting
C. SQL injection
D. Cross-site request forgery

A

C.

The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The single quotation mark is used to escape outside the SQL code’s input field, and the text following it is used to directly manipulate the SQL command sent from the web application to the database.

73
Q

Which one of the following is not an effective control against SQL injection attacks?

A. Escaping
B. Client-side input validation
C. Parameterization
D. Limiting database permissions

A

B.

Client-side input validation is not an effective control against any type of attack because the attacker can easily bypass the validation by altering the code on the client. Escaping restricted characters prevents them from being passed to the database, as does parameterization. Limiting database permissions prevents dangerous code from executing.

74
Q

Jason is reviewing the documentation for a software development project and comes across the diagram shown here. What type of diagram is he examining?

A. WBS chart
B. PERT chart
C. Gantt chart
D. Wireframe diagram

A

B.

PERT charts use nodes to represent milestones or deliverables and then show the estimated time to move between milestones. Gantt charts use a different format with a row for each task and lines showing the expected duration of the task. Work breakdown structures are an earlier deliverable that divides project work into achievable tasks. Wireframe diagrams are used in application UI design.

75
Q

In what software testing technique does the evaluator retest a large number of scenarios each time that the software changes to verify that the results are consistent with a standard baseline?

A. Orthogonal array testing
B. Pattern testing
C. Matrix testing
D. Regression testing

A

D.

Regression testing is performed after developers make changes to an application. It reruns a number of test cases and compares the results to baseline results. Orthogonal array testing is a method for generating test cases based on statistical analysis. Pattern testing uses records of past software bugs to inform the analysis. Matrix testing develops a matrix of all possible inputs and outputs to inform the test plan.

76
Q

Haley is reviewing code created by her organization for its possible exposure to web application vulnerabilities. Which one of the following conditions may make an application most vulnerable to a cross-site scripting (XSS) attack?

A. Input validation
B. Reflected input
C. Unpatched server
D. Promiscuous firewall rules

A

B.

Cross-site scripting (XSS) attacks may take advantage of the use of reflected input in a web application where input provided by one user is displayed to another user. Input validation is a control used to prevent XSS attacks. XSS does not require an unpatched server or any firewall rules beyond those permitting access to the web application.

77
Q

Roger is conducting a software test for a tax preparation application developed by his company. End users will access the application over the web, but Roger is conducting his test on the back end, evaluating the source code on the web server. What type of test is Roger conducting?

A. White box
B. Gray box
C. Blue box
D. Black box

A

A.

In a white-box test, the tester has access to full implementation details of the system, including source code, prior to beginning the test. In gray-box testing, the tester has partial knowledge. In black-box testing, the tester has no knowledge of the system and tests it from a user perspective. Blue boxes are a phone hacking tool and are not used in software testing.

78
Q

Which of the following statements is true about heuristic-based antimalware software?

A. It has a lower false positive rate than signature detection.
B. It requires frequent definition updates to detect new malware.
C. It has a higher likelihood of detecting zero-day exploits than signature detection.
D. It monitors systems for files with content known to be viruses.

A

C.

Heuristic-based antimalware software has a higher likelihood of detecting a zero-day exploit than signature-based methods. Heuristic-based software does not require frequent signature updates because it does not rely upon monitoring systems for the presence of known malware. The trade-off with this approach is that it has a higher false positive rate than signature detection methods.

79
Q

Martin is inspecting a system where the user reported unusual activity, including disk activity when the system is idle and abnormal CPU and network usage. He suspects that the machine is infected by a virus, but scans come up clean. What malware technique might be in use here that would explain the clean scan results?

A. File infector virus
B. MBR virus
C. Service injection virus
D. Stealth virus

A

D.

One possibility for the clean scan results is that the virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct-looking version of the infected file. The system may also be the victim of a zero-day attack, using a virus that is not yet included in the signature definition files provided by the antivirus vendor.

80
Q

Tomas discovers a line in his application log that appears to correspond with an attempt to conduct a directory traversal attack. He believes the attack was conducted using URL encoding. The line reads as follows:

%252E%252E%252F%252E%252E%252Fetc/passwd

What character is represented by the %252E value?

A. .
B. ,
C. ;
D. /

A

A.

In URL encoding, the . character is replaced by %252E, and the / character is replaced by %252F. You can see this in the log entry, where the expected pattern of ../../ is replaced by %252E%252E%252F%252E%252E%252F.

81
Q

An attacker posted a message to a public discussion forum that contains an embedded malicious script that is not displayed to the user but executes on the user’s system when read. What type of attack is this?

A. Persistent XSRF
B. Nonpersistent XSRF
C. Persistent XSS
D. Nonpersistent XSS

A

C.

Attacks where the malicious user tricks the victim’s web browser into executing a script through the use of a third-party site are known as cross-site scripting (XSS) attacks. This particular attack is a persistent XSS attack because it remains on the discussion forum until an administrator discovers and deletes it, giving it the ability to affect many users.

82
Q

Which one of the following is not a principle of the Agile software development process?

A. Welcome changing requirements, even late in the development process.
B. Maximizing the amount of work not done is essential.
C. Clear documentation is the primary measure of progress.
D. Build projects around motivated individuals.

A

C.

The Agile Manifesto includes 12 principles for software development. Three of those are listed as answer choices: maximizing the amount of work not done is essential, build projects around motivated individuals, and welcome changing requirements throughout the development process. Agile does not, however, consider clear documentation the primary measure of progress. Instead, working software is the primary measure of progress.

83
Q

Gavin is an internal auditor tasked with examining the change management practices of his organization. He would like to review a series of changes made to a software package to determine whether they were properly documented. Where should he turn for a description of each proposed change?

A. CAB
B. RFC
C. SOAR
D. SIEM

A

B.

Each change should be the result of a reviewed and approved request for change (RFC). These RFCs may be approved by the change advisory board (CAB). The security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms used by the organization would not normally contain information about the change management process.

84
Q

Neal is working with a DynamoDB database. The database is not structured like a relational database but allows Neal to store data using a key-value store. What type of database is DynamoDB?

A. Relational database
B. Graph database
C. Hierarchical database
D. NoSQL database

A

D.

A key-value store is an example of a NoSQL database that does not follow a relational or hierarchical model like traditional databases. A graph database is another example of a NoSQL database, but it uses nodes and edges to store data rather than keys and values.

85
Q

In the transaction shown here, what would happen if the database failed in between the first and second update statements?

BEGIN TRANSACTION

UPDATE accounts
SET balance = balance + 250
WHERE account_number = 1001;

UPDATE accounts
SET balance = balance - 250
WHERE account_number = 2002;

COMMIT TRANSACTION

A. The database would credit the first account with $250 in funds but then not reduce the balance of the second account.
B. The database would ignore the first command and only reduce the balance of the second account by $250.
C. The database would roll back the transaction, ignoring the results of both commands.
D. The database would successfully execute both commands.

A

C.

A database failure in the middle of a transaction causes the rollback of the entire transaction. In this scenario, the database would not execute either command because doing so would violate the atomicity property of the transaction.

86
Q

Tareck’s organization makes use of a significant amount of COTS software. He recently discovered a significant buffer overflow vulnerability in the code of a COTS software package that is crucial to his business. What is the most likely way that Tareck can get this corrected?

A. Work with his software development team to modify the code.
B. Notify the vendor and request a patch.
C. Deploy an intrusion prevention system.
D. Update firewall rules.

A

B.

When using commercial off-the-shelf (COTS) software, customers do not generally have access to the source code and must depend upon the vendor to release security patches that correct vulnerabilities. Other controls, such as intrusion prevention systems and firewalls, may be able to help mitigate the issue, depending upon the nature of the flaw, but they will not correct it.

87
Q

Which one of the following statements is true about software testing?

A. Static testing works on runtime environments.
B. Static testing performs code analysis.
C. Dynamic testing uses automated tools, but static testing does not.
D. Static testing is a more important testing technique than dynamic testing.

A

B.

Static testing performs code analysis in an offline fashion, without actually executing the code. Dynamic testing evaluates code in a runtime environment. Both static and dynamic testing may use automated tools, and both are important security testing techniques.

88
Q

What are the 12 principles that underlie the agile philosophy?

A

The 12 principles, as stated in the Agile Manifesto, are as follows:

  • Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.
  • Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.
  • Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
  • Business people and developers must work together daily throughout the project.
  • Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.
  • The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.
  • Working software is the primary measure of progress.
  • Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
  • Continuous attention to technical excellence and good design enhances agility.
  • Simplicity—the art of maximizing the amount of work not done—is essential.
  • The best architectures, requirements, and designs emerge from self-organizing teams.
  • At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.

91
Q

David is working on developing a project schedule for a software development effort, and he comes across the chart shown here. What type of chart is this?

A. Work breakdown structure
B. Functional requirements
C. PERT chart
D. Gantt chart

A

D.

The chart shown in the figure is a Gantt chart, showing the proposed start and end dates for different activities. It is developed based on the work breakdown structure (WBS), which is developed based on functional requirements. Program Evaluation Review Technique (PERT) charts show the project schedule as a series of numbered nodes.

92
Q

Barry is a software tester who is working with a new gaming application developed by his company. He is playing the game on a smartphone to conduct his testing in an environment that best simulates a normal end user, but he is referencing the source code as he conducts his test. What type of test is Barry conducting?

A. White box
B. Black box
C. Blue box
D. Gray box

A

D.

In a gray-box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White-box tests also have access to the source code but perform testing from a developer’s perspective. Black-box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.

93
Q

Miguel recently completed a penetration test of the applications that his organization uses to handle sensitive information. During his testing, he discovered a condition where an attacker can exploit a timing condition to manipulate software into allowing him to perform an unauthorized action. Which one of the following attack types fits this scenario?

A. SQL injection
B. Cross-site scripting
C. Pass the hash
D. TOC/TOU

A

D.

The Time of Check to Time of Use (TOC/TOU) attack exploits the timing gap between when a system verifies authorization and when the software uses that authorization to perform an action. It is an example of a race condition attack. The other three attacks mentioned do not depend on precise timing.

94
Q

What part of the security review process are the input parameters shown in the diagram used for?

A. SQL injection review
B. Sprint review
C. Fagan inspection
D. Attack surface identification

A

D.

Each of these input parameters makes up part of the attack surface of the application. Attackers may opt to target any of them to attack the code or its supporting infrastructure.

95
Q

What application security process can be described in these three major steps?
1. Decomposing the application
2. Determining and ranking threats
3. Determining countermeasures and mitigation

A. Fagan inspection
B. Threat modeling
C. Penetration testing
D. Code review

A

B.

Threat modeling commonly involves decomposing the application to understand it and how it interacts with other components or users. Next, identifying and ranking threats allows you to focus on the threats that should be prioritized. Finally, identifying how to mitigate those threats finishes the process. Once complete, an organization can take action to handle the threats that were identified with appropriate controls.

96
Q

Which one of the following approaches to failure management is the most conservative from a security perspective?

A. Fail open
B. Fail mitigation
C. Fail clear
D. Fail closed

A

D.

The fail closed approach prevents any activity from taking place during a system security failure and is the most conservative approach to failure management. Fail open takes the opposite philosophy, allowing all activity in the event of a security control failure. Fail clear and fail mitigation are not failure management approaches.

97
Q

What software development model is shown here?

A. Waterfall
B. Agile
C. Lean
D. Spiral

A

D.

The illustration shows the spiral model of software development. In this approach, developers use multiple iterations of a waterfall-style software development process. This becomes a “loop” of iterations through similar processes. The original waterfall approach does not iterate through the entire process repeatedly. Some variants do allow iteration, but only by allowing movement backward and forward one stage. The Agile approach to software development focuses on iterative improvement and does not follow a rigorous SDLC model. Lean is a process improvement methodology and not a software development model.

98
Q

Mark is considering replacing his organization’s customer relationship management (CRM) solution with a new product that is available in the cloud. This new solution is completely managed by the vendor, and Mark’s company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?

A. IaaS
B. CaaS
C. PaaS
D. SaaS

A
99
Q

Which one of the following change management processes is initiated by users rather than developers?

A. Change request
B. Change control
C. Release control
D. Design review

A
100
Q

Teagan would like to better protect his organization against database inference attacks. Which one of the following techniques is an effective countermeasure against these attacks?

A. Input validation
B. Parameterization
C. Polyinstantiation
D. Server-side validation

A
101
Q

Ursula is a government web developer who recently created a public application that offers property records. She would like to make it available for other developers to integrate into their applications. What can Ursula create to make it easiest for developers to call her code directly and integrate the output into their applications?

A. Object model
B. Data dictionary
C. API
D. Primary key

A
102
Q

Nathan recently completed a software development project where he integrated the organization’s network operations stack with their development processes. As a result, developers can modify firewall rules from their code on an as-needed basis. What term best describes this ability?

A. Agile
B. IaC
C. SDS
D. DevOps

A