Domain 8 Software Development Flashcards

1
Q
What database technology, if implemented for web forms, can limit the potential for SQL injection? 
A) Triggers
B) Stored procedures
C) Column encryption 
D) Concurrency control
A

B) Stored procedures

2
Q
What condition is necessary on a web page for it to be used in a cross-site scripting attack? 
A) Reflected input 
B) Database-driven content 
C) .NET technology
D) CGI scripts
A

A) Reflected input

3
Q
What technology does the JAVA language use to minimize the threat posed by applets?
A) Confidentiality 
B) Encryption 
C) Stealth 
D) Sandbox
A

D) Sandbox

4
Q
When designing an object-oriented model, which of the following situations is ideal? 
A) High cohesion, high coupling 
B) High cohesion, low coupling 
C) Low cohesion, low coupling 
D) Low cohesion, high coupling
A

B) Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class. When you are developing an object-oriented model, it is desirable to have high cohesion and low coupling.

5
Q
Which of the following is a common way that attackers leverage botnets? 
A) Sending spam messages 
B) Conducting brute-force attacks 
C) Scanning for vulnerable systems 
D) All of the above
A

D) Botnets are used for a wide variety of malicious purposes, including scanning the network for vulnerable systems, conducting brute-force attacks against other systems, and sending out spam messages.

6
Q

Which one of the following statements is not true about code review?
A) Code review should be a peer-driven process that includes multiple developers
B) Code review may be automated
C) Code review occurs during the design phase
D) Code reviewers may expect to review several hundred lines of code per hour

A

C) Code review takes place after code has been developed, which occurs after the design phase of the system's development life cycle (SDLC). Code review may use a combination of manual and automated techniques, or rely solely on one or the other. It should be a peer-driven process that includes developers who did not write the code. Developers should expect to complete the review of around 300 lines per hour, on average.

7
Q
Which process is responsible for ensuring that changes to software include acceptance testing? 
A) Request control 
B) Change control
C) Release control 
D) Configuration control
A

C) One of the responsibilities of the release control process is ensuring that the process includes acceptance testing that confirms that any alterations to end-user work tasks are understood and functional prior to code release. The request control, change control, and configuration control processes do not include acceptance testing.

8
Q

Which one of the following is not a goal of software threat modeling?
A) To reduce the number of security-related design flaws
B) To reduce the number of security-related coding flaws
C) To reduce the severity of non-security related flaws
D) To reduce the number of threat vectors

A

D) Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws. The developer or evaluator of software has no control over the threat environment, because it is external to the organization.

9
Q

What is a method in databases?

A

Object methods, also known as subprograms, are functions or procedures that you can declare in an object type definition to implement behavior that you want objects of that type to perform (the verb of the object).

10
Q
Which one of the following is considered primary storage? 
A) Memory
B) Hard disk 
C) Flash drive
D) DVD
A

A) Primary storage is a technical term used to refer to the memory that is directly available to the CPU. Nonvolatile storage mechanisms, such as flash drives, DVDs, and hard drives, are classified as secondary storage.

11
Q
Bobby is investigating how an authorized database user is gaining access to information outside his normal clearance level. Bobby believes that the user is making use of a type of function that summarizes data. What term describes this type of function? 
A) Inference 
B) Polymorphic 
C) Aggregate 
D) Modular
A

C) Aggregate functions summarize large amounts of data and provide only summary information as a result. When carefully crafted, aggregate functions may unintentionally reveal sensitive information.

12
Q

Carrie is analyzing the application logs for her web-based application and comes across the following string:

../../../../../../../../../etc/passwd

What type of attack was likely attempted against Carrie’s application?

A) Command injection
B) Session hijacking
C) Directory traversal
D) Brute force

A

C) The string shown in the logs is characteristic of a directory traversal attack, where the attacker attempts to force the web application to navigate up the directory hierarchy and return a file that should not normally be provided to a web user, such as the password file.

13
Q

What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner?

A) Validation
B) Accreditation
C) Confidence interval
D) Assurance

A

D) Assurance, when it comes to software, is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner. It is a term typically used in military and defense environments.

14
Q

Referring to the database transaction shown here, what would happen if no account exists in the accounts table with account number 1001?

BEGIN TRANSACTION

UPDATE accounts
SET balance = balance + 250
WHERE account_number = 1001;

UPDATE accounts
SET balance = balance - 250
WHERE account_number = 2002;

END TRANSACTION

A) The database would create a new account with this account number and give it a $250 balance
B) The database would ignore that command and still reduce the balance of the second account by $250
C) The database would roll back the transaction, ignoring the results of both commands.
D) The database would generate an error message.

A

B) In this example, the two SQL commands are indeed bundled in a transaction, but it is not an error to issue an update command that does not match any rows. Therefore, the first command would "succeed" in updating zero rows and not generate an error or cause the transaction to roll back. The second command would then execute, reducing the balance of the second account by $250.

15
Q

What was the likely motivation of the user who posted the message on the forum containing cross-site scripting code?

A) Reconnaissance
B) Theft of sensitive information
C) Credential stealing
D) Social engineering

A

A) The script that Linda discovered merely pops up a message on a user's screen and does not perform any more malicious action. This type of script, using an alert() call, is commonly used to probe websites for cross-site scripting vulnerabilities.

16
Q

Linda communicates with the vendor and determines that no patch is available to correct this vulnerability (XSS). Which one of the following devices would best help her defend the application against further attack?

A) VPN
B) WAF
C) DLP
D) IDS

A

B) Web application firewalls (WAFs) sit in front of web applications and watch for potentially malicious web attacks, including cross-site scripting. They then block that traffic from reaching the web application. An intrusion detection system (IDS) may detect the attack but is unable to take action to prevent it. DLP and VPN solutions are unable to detect web application attacks.

17
Q

Lauren wants to use a software review process for the application she is working on. Which of the following processes would work best if she is a remote worker who works different hours from the rest of her team?

A) Pass around
B) Pair programming
C) Team review
D) Fagan inspection

A

A) Pass-around reviews are often done via email or using a central code review system, allowing developers to review code asynchronously. Pair programming requires two programmers to work together, with one writing code and the other reviewing and tracking progress. Team reviews are typically done in a group, and Fagan inspection is a formal review process that would involve both the developer and a team reviewing the code using a formal process.

18
Q

If Chris is writing code for an application, what phase of the Agile process is he in?

A) Planning
B) Sprints
C) Deployment
D) Development

A

B) Chris is in an Agile sprint and is likely developing code based on user stories. Planning includes stakeholder stories, as well as design and test case preparation. Deployment of the application includes actual deployment of the application, as well as additional verification and testing.

19
Q

What type of attack is demonstrated in the following C code?

int myarray[10];
myarray[10] = 8;

A) Mismatched data types
B) Overflow
C) SQL injection
D) Covert channel

A

B) This is an example of a specific type of buffer overflow known as an off-by-one error. The first line of code defines an array of 10 elements, which would be numbered 0-9. The second line of code tries to place a value in the 11th element of the array (remember, array counting begins at 0!), which would cause an overflow.

20
Q

Which one of the following database issues occurs when one transaction writes a value to the database that overwrites a value that was needed by a transaction with earlier precedence?

A) Dirty read
B) Incorrect summary
C) Lost update
D) SQL injection

A

C) Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Incorrect summary occurs when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. SQL injection is clearly not relevant.

21
Q

Which one of the following is the most effective control against session hijacking attacks?

A) TLS
B) Complex session cookies
C) SSL
D) Expiring cookies frequently

A

A) Transport Layer Security (TLS) provides the most effective defense because it encrypts all traffic between the client and the server, preventing the attacker from stealing session credentials. Secure Sockets Layer (SSL) also encrypts traffic, but is vulnerable to attacks against its encryption technology. Complex and expiring cookies are a good idea, but they are not sufficient protection against session hijacking.

22
Q

Faith is looking at the /etc/passwd file on a system configured to use shadowed passwords. When she examines a line in the file for a user with interactive login permissions, what should she expect to see in the password field?

A) Plaintext password
B) Hashed password
C) X
D) *

A

C) When a system uses shadowed passwords, the hashed password value is stored in /etc/shadow instead of /etc/passwd. The /etc/passwd file would not contain the password in plaintext or hashed form. Instead, it would contain an x to indicate that the password hash is in the shadow file. The * character is normally used to disable interactive logins to an account.

23
Q

While evaluating a potential security incident, Harry comes across a log entry from a web server request showing that a user entered the following input into a form field: CARROT' 1=1;--
What type of attack was attempted?

A) Buffer overflow
B) Cross-site scripting
C) SQL injection
D) Cross-site request forgery

A

C) The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside the SQL code's input field, and the text following it is used to directly manipulate the SQL command sent from the web application to the database.

24
Q

Which one of the following is not an effective control against SQL injection attacks?

A) Escaping
B) Client-side input validation
C) Parameterization
D) Limiting database permissions

A

B) Client-side input validation is not an effective control against any type of attack because the attacker can easily bypass the validation by altering the code on the client. Escaping restricted characters prevents them from being passed to the database, as does parameterization. Limiting database permissions prevents dangerous code from executing.

25
Q

What is a PERT chart? What is a Gantt chart? What is a WBS?

A

PERT charts use nodes to represent milestones or deliverables and then show the estimated time to move between milestones. Gantt charts use a different format, with a row for each task and lines showing the expected duration of each task. A work breakdown structure (WBS) is an earlier deliverable that divides project work into achievable tasks.

26
Q

Scott is inspecting a system where the user reported unusual activity, including disk activity when the system is idle and abnormal CPU and network usage. He suspects the machine is infected by a virus, but scans come up clean. What malware technique might be in use here that would explain the clean scan results?

A) File infector virus
B) MBR virus
C) Service injection virus
D) Stealth virus

A

D) One possibility for the clean scan results is that the virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct-looking version of the infected file.

27
Q

Tomas discovers a line in his application log that appears to correspond with an attempt to conduct a directory traversal attack. He believes the attack was conducted using URL encoding. The line reads:

%252E%252E%252F%252E%252E%252Fetc/passwd

What character is represented by the %252E value?

A) .
B) ,
C) ;
D) /

A

A) In this URL-encoded string, the . character is represented by %252E and the / character is represented by %252F. You can see this in the log entry, where the expected pattern of ../../ is replaced by %252E%252E%252F%252E%252E%252F.

28
Q

An attacker posted a message to a public discussion forum that contains an embedded malicious script that is not displayed to the user but executes on the user's system when read. What type of attack is this?

A) Persistent XSRF
B) Nonpersistent XSRF
C) Persistent XSS
D) Nonpersistent XSS

A

C) Attacks where a malicious user tricks the victim's web browser into executing a script through the use of a third party are known as cross-site scripting (XSS) attacks. This particular attack is a persistent XSS attack because it remains on the discussion forum until an administrator discovers and deletes it, giving it the ability to affect many users.

29
Q

Scott is working with a DynamoDB database. The database is not structured like a relational database but allows Scott to store data using a key-value store. What type of database is DynamoDB?

A) Relational database
B) Graph database
C) Hierarchical database
D) NoSQL database

A

D) A key-value store is an example of a NoSQL database that does not follow a relational or hierarchical model like traditional databases. A graph database is another example of a NoSQL database, but it uses nodes and edges to store data rather than keys and values.

30
Q

In the transaction shown here, what would happen if the database failed in between the first and second update statements?

BEGIN TRANSACTION

UPDATE accounts
SET balance = balance + 250
WHERE account_number = 1001;

UPDATE accounts
SET balance = balance - 250
WHERE account_number = 2002;

COMMIT TRANSACTION

A) The database would credit the first account with $250 in funds but then not reduce the balance of the second account
B) The database would ignore the first command and only reduce the balance of the second account by $250
C) The database would roll back the transaction, ignoring the results of both commands.
D) The database would successfully execute both commands.

A

C) Database failure in the middle of a transaction causes the rollback of the entire transaction. In this scenario, the database would not execute either command.

31
Q

What part of the security review process are the input parameters shown in the diagram used for?

BOX 1: Configuration input parameters
BOX 2: User input parameters
BOX 3: Control input parameters
BOX 4: Back-end input parameters
BOX 5: Parameter tracking through code

A) SQL injection
B) Sprint review
C) Fagan inspection
D) Attack surface identification

A

D) Each of these input parameters makes up part of the attack surface of the application. Attackers may opt to target any of them to attack the code or its supporting infrastructure.

32
Q

At which level of the software capability maturity model (SW-CMM) does an organization introduce basic life-cycle management processes?

A) Initial
B) Repeatable
C) Defined
D) Managed

A

B) In level 2, the Repeatable level of SW-CMM, an organization introduces basic life cycle management processes. Reuse of code in an organized fashion begins, and repeatable results are expected from similar projects. The key process areas for this level include requirements management, software project management, software project tracking and oversight, software subcontract management, software quality assurance, and software configuration management.

33
Q

Which one of the following database concurrency issues occurs when one transaction reads information that was written to a database by a second transaction that never committed?

A) Lost update
B) SQL injection
C) Incorrect summary
D) Dirty read

A

D) Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. Incorrect summary occurs when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information.

34
Q

What is parameterization, and what are stored procedures?

A

Parameterization: A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed.

Stored procedures: A stored procedure is prepared SQL code that you can save, so the code can be reused over and over again. So if you have a SQL query that you write over and over again, save it as a stored procedure, and then just call it to execute it.