Domain 8 - Security in the Software Development Life Cycle Flashcards

1
Q
The key objective of application security is to ensure…

A. that the software is hacker proof
B. the confidentiality, integrity and availability of data
C. accountability of software and user activity
D. prevent data theft

A

B

2
Q
For an application security program to be effective within an organization, it is critical to…

A. identify regulatory and compliance requirements.
B. educate the software development organization on the impact of insecure programming.
C. develop the security policy that can be enforced.
D. properly test all the software that is developed by your organization for security vulnerabilities.

A

C

3
Q
Which of the following architectures states “There is no inherent difference between data and programming representations in computer memory”, a property that can lead to injection attacks, characterized by executing data as instructions?

A. Von Neumann
B. Linus’ Law
C. Clark and Wilson
D. Bell LaPadula

A

A

4
Q
An important characteristic of bytecode is that it…

A. is inherently more secure due to sandboxing
B. manages memory operations automatically
C. is more difficult to reverse engineer
D. is faster than interpreted languages

A

D

5
Q
Two cooperating processes that simultaneously compete for a shared resource, in such a way that they violate the system’s security policy, is commonly known as…

A. Covert channel
B. Denial of Service
C. Overt channel
D. Object reuse

A

A

6
Q
An organization has a website with a guest book feature, where visitors to the web site can input their names and comments about the organization. Each time the guest book web page loads, a message box is displayed with the message “You have been P0wnd”, followed by redirection to a different website. Analysis reveals that no input validation or output encoding is being performed in the web application. This is the basis for which of the following types of attack?

A. Denial of Service
B. Cross-site Scripting (XSS)
C. Malicious File Execution
D. Injection Flaws

A

B

7
Q
The art of influencing people to divulge sensitive information about themselves or their organization by either coercion or masquerading as a valid entity is known as…

A. Dumpster diving
B. Shoulder surfing
C. Phishing
D. Social engineering

A

D

8
Q
An organization’s server audit logs indicate that an employee who was terminated in the morning was still able to access certain sensitive resources on his system, on the internal network, that afternoon. The logs indicate that the employee had logged on successfully before he was terminated, but there is no record of him logging off before he was terminated. This is an example of what type of attack?

A. Time of Check/Time of Use (TOC/TOU)
B. Logic Bomb
C. Remote-Access Trojans (RATs)
D. Phishing

A

A

9
Q
The most effective defense against a buffer overflow attack is…

A. disallow dynamic construction of queries
B. bounds checking
C. encode the output
D. forced garbage collection

A

B

10
Q
It is extremely important that, as one follows a software development project, security activities are performed…

A. before release to production, so that the project is not delayed
B. if a vulnerability is detected in your software
C. in each stage of the life cycle
D. when management mandates it

A

C

11
Q
Software Acquisition (SwA) can be organized around the major phases of a generic acquisition process. The major phases are:

A. Planning, contracting, monitoring and acceptance, follow on
B. Contracting, planning, monitoring and acceptance, follow on
C. Planning, contracting, monitoring and certification, follow on
D. Planning, contracting, monitoring and accreditation, follow on

A

A

12
Q
Who can ensure and enforce the separation of duties by ensuring that programmers don’t have access to production code?

A. Operations personnel
B. Software librarian
C. Management
D. Quality assurance personnel

A

B

13
Q
Technical evaluation of assurance to ensure that security requirements have been met is known as?

A. Accreditation
B. Certification
C. Validation
D. Verification

A

B

14
Q
Defect prevention rather than defect removal is characteristic of which of the following software development methodologies?

A. Computer Aided Software Engineering (CASE)
B. Spiral
C. Waterfall
D. Cleanroom

A

D

15
Q
A security protection mechanism in which untrusted code, which is not signed, is restricted from accessing system resources is known as?

A. Sandboxing
B. Non-repudiation
C. Separation of Duties
D. Obfuscation

A

A

16
Q
A program that does not reproduce itself but pretends to be performing a legitimate action, while performing malicious operations in the background, is the characteristic of which of the following?

A. Worms
B. Trapdoor
C. Virus
D. Trojan

A

D

17
Q
A plot to take insignificant pennies from a user’s bank account and move them to the attacker’s bank account is an example of…

A. Social Engineering
B. Salami Scam
C. Pranks
D. Hoaxes

A

B

18
Q
Role-based access control to protect confidentiality of data in databases can be achieved by which of the following?

A. Views
B. Encryption
C. Hashing
D. Masking

A

A

19
Q
The two most dangerous types of attacks against databases containing disparate non-sensitive information are…

A. Injection and scripting
B. Session hijacking and cookie poisoning
C. Aggregation and inference
D. Bypassing authentication and insecure cryptography

A

C

20
Q
A property that ensures only valid or legal transactions that do not violate any user-defined integrity constraints in DBMS technologies is known as?

A. Atomicity
B. Consistency
C. Isolation
D. Durability

A

B

21
Q
Expert systems consist of a knowledge base of modeled human experience and which of the following?

A. Inference engine
B. Statistical models
C. Neural networks
D. Roles

A

A

22
Q
The best defense against session hijacking and man-in-the-middle (MITM) attacks is to use which of the following in the development of your software?

A. Unique and random identification
B. Use prepared statements and procedures
C. Database views
D. Encryption

A

A