SG

Question 1

In information security, confidentiality “is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes”

Answer 1

Confidentiality

Question 2

In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its entire life-cycle. This means that data cannot be modified in an unauthorized or undetected manner. This can be also used to validate databases to make sure none of the data is corrupt or modified in an unauthorized matter.

Answer 2

Integrity

Question 3

For any information system to serve its purpose, the information must be available when it is needed. This
means that the computing systems used to store
and process the information, the security controls used to protect it, and
the communication channels used to access it must be functioning correctly.

Answer 3

Availability

Question 4

Public Key Infrastructure (PKI) and Cryptography/Encryption is considered to fall under (C,I, or A)?

Answer 4

Confidentiality

Question 5

Offsite back-up and Redundancy is considered to fall under (C,I, or A)?

Answer 5

Availability

Question 6

Hashing, Message Digest (MD5), non repudiation and digital signatures is considered to fall under (C,I, or A)?

Answer 6

Integrity

Question 7

The software architect moves analysis to implementation and analyzes the requirements and use
cases
as activities to perform as part of the development process.
That person can also
develop class diagrams.

Answer 7

Software Architect

Question 8

Security Practitioner Roles:
Choose function for each role from the list below:
Coding, Deployment, Requirements Gathering, or Design.

Release Manager
Architect
Developer
Business Analyst/Project Manager

Answer 8

Release Manager: Deployment
Architect: Design
Developer: Coding
Business Analyst/Project Manager: Requirements Gathering

Question 9

These are teams of people familiar with the infrastructure of the company and the languages of the software
being developed. Their mission is to kill the system as the developers build it.

Answer 9

Red Team

Question 10

Static analysis
, also called
static
code
analysis
, is a method of computer program debugging that is done
by examining the code without executing the program. The process provides an understanding of the code structure, and
can help to ensure that the code adheres to industry standards.
It’
s also referred as code review.

Answer 10

Static Analysis

Question 11

The
MD5 algorithm
is a widely used hash function producing a 128
-
bit hash value. Although MD5 was
initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. I
t
can still be used as a checksum to verify data i
ntegrity, but only against unintentional corruption.
(Integrity)

Answer 11

MD5 Hash

Question 12

The 
SHA
(Secure Hash Algorithm) is one of a number of cryptographic hash functions. A cryptographic hash 
is like a signature for a text or a data file. 
SHA
-
256
algorithm generates a
n almost
-
unique, fixed size 
256
-
bit (32
-
byte) 
hash. Hash is a one
-
way function 
–
it cannot be decrypted back.
(Integrity)

Answer 12

SHA-256

Question 13

AES
(acronym of 
Advanced Encryption Standard
) is a symmetric 
encryption
algorithm. The algorithm 
was developed by two Belgian cryptographer Joan Daemen and Vincent Rijmen. 
AES
was 
designed to be efficient in both hardware and software, and supports a block length of 128 bits and key lengths of 128, 
192, and 256 bits.
(Confidentiality)

Answer 13

Advanced Encryption Standard (AES)

Question 14

The
analogy between safety and security is particularly close. The main difference is that safety
-
relevant 
faults are stochastic (
i.e.
, unintentional or accidental), whereas security
-
relevant faults are “sponsored,” 
i.e.
, intentionally 
created and activated t
hrough conscious and intentional human agency
.

Answer 14

Stochastic

Question 15

Is used to see if the system has solid exception handling to the input it receives. Is the use of malformed or
random input into a system in order to intentionally produce failure
. This is a ver
y easy process of feeding garbage to the
system when it expects a formatted input, and it is always a good idea to feed as much garbage as possible to an input
field.

Answer 15

Fuzz Testing

Question 16

The 3 tier architecture model removes the business logic from the client
end of the system. It generally
places the business logic on a separate server from the client. The data access portion of the system resides on a 3rd tier,
which is separate from both the client and the business logic platform.

Answer 16

Three (3) Tier

Question 17

USC’s Threat Model
ing based on Attacking Path analysis (T
-
MAP) is a risk management approach that
quantifies total severity weights of relevant attacking paths for COTS
-
based systems. T
-
MAP’s strengths lie in its ability
to maintain sensitivity to an organization’s business
value priorities and Information Technology (IT) environment, to
prioritize and estimate security investment effectiveness and evaluate performance, and to communicate executive
-
friendly vulnerability details as threat profiles to help evaluate cost effic
iency.

Answer 17

MAP

Question 18

Trike is an open source conceptual framework, methodology, and toolset designed to autogenerate repeatable
threat models. Its methodology enables the risk analyst to accurately and completely describe the security characteristics
of the syst
em, from high
-
level architecture to low
-
level implementation of details. It also requires building a defensive
model of the subject system
.

Answer 18

Trike

Question 19

This free tool assists in the creation of threat models. It builds on Microsoft Visio and
provides a tool for constructing graphic representation of threat models for the system without requiring expertise in
security and also has the capability of graphi
cally representing a software system and identifying vulnerabilities.

Answer 19

SDL Threat Modeling Tool

Question 20

The overall goal of performing vulnerability mapping is to determine the most likely locations within the system in
development where an attacker will strike.
Th
is is done on the design phase of the SDLC

Answer 20

Vulnerability Mapping

Question 21

This is the
highest level of vulnerability.
This is a very likely target for an attacker, such as free text input in a form.
These are the highest
priory for a security plan for the system and these should al
l be mitigated and accounted for by
established control systems in development.

Answer 21

V3

Question 22

This is the moderate level vulnerability. These are possible but not probable targets. These will include interprocess
communications on the server or traffic within the t
rust boundary of the system. Eavesdropping is the most significant risk
in this situation. V2 level vulnerabilities should always be mitigated in the system, but in a trade off analysis, strict con
trol
may not be necessary as long as a procedure is in plac
e to fail safely and protect any private or confidential data

Answer 22

V2

Question 23

This is the lowest priority level of vulnerability. These are unlikely venues of attack with little risk if they are
exploited. Failing safely is the most important concern at this level,
because the data associated with this vulnerability has
no value, and the process involved is not mission critical. An example of this level of vulnerability
would be a
transmission failure in a common HTML header coming from the system; the highest risk h
ere is that the customer will
not properly see the page and it would have to be reloaded. V1 vulnerabilities can largely be ignored, but they should be
noted in the system specification in case functionality is altered by a later system update or interacti
on because this may
allow them to become more significant.

Answer 23

V1

Question 24

Is capable of expressing resolution efforts to malformed input and potential attacks in a way other
documentation at the system level cannot. The caveat is that activity diagrams
do not contain class calls and references;
they only provide a visualization of the process logic.

Answer 24

Activity Diagram

Question 25

The Kiviat
diagram provides a visual comparison of multiple attributes and can visualize and report the
information on a single artifact based on monitored information.

Answer 25

Kiviat Diagram

Question 26

Is a threat model process that al
lows the company to identify the part that
needs to be protected from
unauthorized users.

Answer 26

Identify the Assets

Question 27

D
escribes a set of principles for software development under which requirements and solutions evolve
through the collaborative effort of self
-
organizing cross
-
functional teams. It promotes adapt
ive planning, evolutionary
development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change.
These
principles support the definition and continuing evolution of many software development methods.
It also avoi
ds life
cycle activities and focuses on built a little, test a little and field a little.
It also supports informal communication and
Incremental design.

Answer 27

Agile

Model

Question 28

Software Development Models attributes:
Cyclical Process, Supports quick prototyping and limits
the time spent thinking about the problem as a whole. This describes what Software Development Model?

Answer 28

Agile

Question 29

Software Development Models attributes:
Similar to interactive model and main components are planning, development and deployment. This describes what Software Development Model?

Answer 29

Waterfall

Question 30

located developers working
on systems that are
not life
-
critical. The Crystal family of methodologies focus on efficiency and habitability as components of project safety.
Crystal Clear focuses on people, not processes or artifacts.
Roles may be filed by the same people, including
a project
manager and a business expert.

Answer 30

Chrystal Clear

Question 31

The 
waterfall model
is a sequential (non
-
iterative
/ Limited Interaction
) design process, used in software 
development processes, in which progress is seen as flowing steadily downwards (like a waterfall)
through the phases of 
conception, initiation, analysis, design, construction, testing, production/implementation and maintenance. All the 
requirements will be specified in the 1st step, uses a document driven approach
(Large Amount of documentation)
and h
as 
specific and identifiable stages.
It also provides a resource to entry level developers with limited exposure.

Answer 31

Waterfall

Question 32

Waterfall Methodology Security concerns:

Requirement Analysis:

Answer 32

Define Security Features

Question 33

Waterfall Methodology Security concerns:

Design:

Answer 33

Misuse cases and vulnerability mapping

Question 34

Waterfall Methodology Security concerns:

Construction and Implementation:

Answer 34

Secure Coding practices

Question 35

Waterfall Methodology Security concerns:

Testing:

Answer 35

Penetration Assessment

Question 36

Waterfall Methodology Security concerns:

Installation:

Answer 36

Final Security Review

Question 37

Waterfall Methodology Security concerns:

Operation or Maintenance:

Answer 37

Periodic security review and updates

Question 38

A
digital signature
is a mathematical scheme for demonstrating the authenticity of a digital message
or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known
sender, that the sender cannot deny having sent the messag
e (authentication and non
-
repudiation), and that the message
was not altered in transit (integrity).
It also can be used as proof of approval by an authorized user.

Answer 38

Digital Signatures

Question 39

D
ata redundancy
is the existence of data that is additional to the actual data
and permits correction of errors
in stored or transmitted data. The additional data can be simply a complete copy of the actual data, or only select pieces of
data that allow detection of errors and reconstruction of lost or damaged data up to a certain l
evel.
This will make sure that
all data will always be available, the data will not be lost and it will be stored at a another location for failover reasons
.

Answer 39

Redundancy

Question 40

Is the process of using an algorithm for verifying the integrity or authenticity of a
computer file. This can be
done by comparing two files bit
-
by
-
bit, but requires two copies of the same file, and may miss systematic corruptions
which might occur to both files. A more popular approach is to also store checksums (hashes) (message digests)
of files
for later comparison.

Answer 40

Hashing

Question 41

The main objective of software assurance is to ensure that the processes, procedures, and products
used to produce and sustain the software conform to all requirements and standards specified to govern th
ose processes,
procedures, and products
. This can be also used to make sure that any web application
meets the requirements of what it
was designed to do and accessible to all that are authorized whether in the office or at a remote location.

Answer 41

Software Assurance

Question 42

What can help secure a system in a high risk environment where the system is prone to attack?

Answer 42

Sandboxing, isolating trusted processes, and proper handling of errors and exceptions

Question 43

What is a common web server attack in which unsolicited TCP requests that overwhelm the web servers’ resources and make it unavailable?

Answer 43

DOS or DDOS attack

Question 44

What SQL query command can allow an attacker to access tables within that particular database without requiring elevated and/or administrator permissions and jeopardizing the structure and relevance of the data that the database contains.

Answer 44

SELECT

Question 45

One method of disallowing a SQL injection attack when handling user fields in a web from that reads or write to a
database is to_______?

Answer 45

scrub all input of malicious code.

Question 46

What are the two steps of the threat model that data flow

approaches.

Answer 46

Characterize the system and view the

system as an adversary

Question 47

The two attacks that can affect both the operating system and databases are______and______?

Answer 47

accessing ports that are not secured and/or
locked down

the exploitation of default pa
sswords that are not changed when the OS and the database were first
installed.

Question 48

Monitoring and Delivery and support are the control domains to the ___________phase of the SDLC.

Answer 48

sustainment

Question 49

Acquisition and Implementation is the control domain to the _______ and _____ phase of the SDLC.

Answer 49

analysis, design

Question 50

Coding takes place in the ________ phase of the SDLC.

Answer 50

construction

Question 51

In Task Refinement, specific security activities must be identified when integrating security
requirements into a work breakdown structure for the new software
development effort.

Answer 51

Task Refinement

Question 52

The Release Manager will conduct the code review process as one of the parts or process of the
software development.
The release manager can also be assigned the task of the deployment of the finished product to the
v
arious environments at project completion.

Answer 52

Release Manager

Question 53

Has the SDLC role to
identify the requirements of an application (example: Web Application). That
business analyst must also be able to identify who will be impacted by such application. Once t
he application is developed
in a test environment, the business analyst must insure that the user acceptance testing is completed and to standards.

Answer 53

Business Analyst

Question 54

Has the responsibility to prepare a document plan that will verify that a systems code
performs the proper
actions that it was designed to do.

Answer 54

Tester Role

Question 55

SQL injection
is a code injection technique, used to attack data
-
driven applications, in which nefarious
SQL statements are inserted into an entry field for
execution. This can be done from any form or place that allows the
attacker to enter any type of information which is somewhat connected to a database.

Answer 55

SQL Injection

Question 56

The focus of beta version
is reducing impacts to users, often incorporating usability te
sting and expectation
of functionality. Beta version software is often useful for demonstrations and previews within an organization and to
prospective customers.

Answer 56

Beta version

Question 57

a classification scheme for characterizing
/measuring
known thr
eats
/vulnerabilities
according to the kinds of
exploit that are used (or motivation of the attacker).
It a
lso focuses on the end results of possible attacks rather than on the
identification of each specific attack.

Answer 57

STRIDE

Question 58

“Identity spoofing” is a key risk for applications that have many users but provide a single
execution context at the application and database level. In particular, users should not be able to become any other user or
assume the attributes of another user
.

Answer 58

STRIDE:

(S) Spoofing Identity

Question 59

Users can potentially change data delivered to them, return it, and thereby potentially
manipulate client
-
side validation, GET and POST results, cookies, HTTP headers, and so forth. The application should
not send data to the use
r, such as interest rates or periods, which are obtainable only from within the application itself. The
application should also carefully check data received from the user and validate that it is sane and applicable before
storing or using it.

Answer 59

STRIDE:

(T) Tampering with Data

Question 60

Users may dispute transactions if there is insufficient auditing or recordkeeping of their activity. For
example, if a user says, “But I didn’t transfer any money to this external account!”, and you cannot track his/her activities
through the applicat
ion, then it is extremely likely that the transaction will have to be written off as a loss.
Therefore, consider if the application requires non
-
repudiation controls, such as web access logs, audit trails at each tier,
or the same user context from top to
bottom. Preferably, the application should run with the user’s privileges, not more,
but this may not be possible with many off
-
the
-
shelf application frameworks.

Answer 60

STRIDE:

(R) Repudiation

Question 61

Users are rightfully wary of submitting private details to a syst
em. If it is possible for an
attacker to publicly reveal user data at large, whether anonymously or as an authorized user, there will be an immediate
loss of confidence and a substantial period of reputation loss. Therefore, applications must include stron
g controls to
prevent user ID tampering and abuse, particularly if they use a single context to run the entire application.
Also, consider if the user’s web browser may leak information. Some web browsers may ignore the no caching directives
in HTTP heade
rs or handle them incorrectly. In a corresponding fashion, every secure application has a responsibility to
minimize the amount of information stored by the web browser, just in case it leaks or leaves information behind, which
can be used by an attacker t
o learn details about the application, the user, or to potentially become that user.
Finally, in implementing persistent values, keep in mind that the use of hidden fields is insecure by nature. Such storage
should not be relied on to secure sensitive inf
ormation or to provide adequate personal privacy safeguards.

Answer 61

STRIDE:

(I) Information Disclosure

Question 62

Application designers should be aware that their applications may be subject to a denial of service
attack. Therefore, the use of expensive resources such as large files, c
omplex calculations, heavy
-
duty searches, or long
queries should be reserved for authenticated and authorized users, and not available to anonymous users.
For applications that do not have this luxury, every facet of the application should be engineered t
o perform as little work
as possible, to use fast and few database queries, to avoid exposing large files or unique links per user, in order to preven
t
simple denial of service attacks.

Answer 62

STRIDE:

(D) Denial of Service

Question 63

If an application provides distinct user a
nd administrative roles, then it is vital to ensure that
the user cannot elevate his/her role to a higher privilege one. In particular, simply not displaying privileged role links is
insufficient. Instead, all actions should be gated through an authorizati
on matrix, to ensure that only the permitted roles
can access privileged functionality.

Answer 63

STRIDE:

(E) Elevation of Privilege

Question 64

assessing computer security threats previously used at Microsoft and currently used
by OpenStack an
d many other corporations. It provides a mnemonic for risk rating security threats using five categories.

Analyzes threats as part of the breakdown
structure.

Answer 64

DREAD (Risk Assessment Model):

When a given threat is assessed using DREAD, each category is given a rating
on probability and damage potential
. For
example,
3 for high, 2 for medium, 1 for low and 0 for none. (Rating scales running from 0 to 10 are common) The sum of
all ratings for a given exploit can be used to prioritize among different exploits.

Question 65

how bad would an attack be?

Ranks the extent of harm that occurs if a vulnerability is exploited.

Answer 65

DREAD (Risk Assessment Model):

Damage

Question 66

how
easy is it to reproduce the attack?
Ranks how often an attempt at exploiting a vulnerability
really works.

Answer 66

DREAD (Risk Assessment Model):

Reproducibility

Question 67

how much work is it to launch the attack?
Measures the effort required to launch the
attack.

Answer 67

DREAD (Risk Assessment Model):

Exploitability/Vulnerability

Question 68

how man
y people will be impacted?
Measures the number of installed instances of the system
affected by an exploit.

Answer 68

DREAD (Risk Assessment Model):

Affected users

Question 69

how easy is it to discover the threat?
States the likelihood
that a vulnerability will
be found by 
security researchers or hackers
.

Answer 69

DREAD (Risk Assessment Model):

Discoverability

Question 70

A threat model is a diagram and description t
hat tells a story of how an attacker could exploit the
vulnerability. This is not a step by step process, but a narrative approach to the attack that should help guide the mitigati
on
techniques that need to be put in place to protect the system at that poi
nt.
It can also define the security of an application
and reduces the number of vulnerabilities.
It also has the 2 steps of identifying and prioritizing vulnerabilities.

Answer 70

Threat Model

Question 71

Is a detailed breakdown of the communication that will occur between actors and system objects or
components. A sequence diagram bridges the gap between the business analysis and the development analysis; this type
of diagram can be considered a business
description or a development description of system functionality.

Answer 71

Sequence Diagram

Question 72

T
-
MAP defines a set of threat
-
relevant 
attributes for each
layers or nodes. These attributes can be classified as 
either probability
-
relevant, size
-
of
-
loss relevant, or descriptive. 
These class attributes are primarily derived from
Common 
Vulnerability Scoring System (CVSS).

Answer 72

Map

Question 73

SDLC Management Control Domains:
Project Definition, User Requirements Definition
and Systems Requirement Definition.

Answer 73

Planning / Organization

Question 74

SDLC Management Control Domains:
User Requirements Definition, System Requirement Definition, Analysis and Design and
System Build / Prototype / Pilot

Answer 74

Acquisition / Implementation

Question 75

SDLC Management Control Domains:
Analysis and Design, System Build / Prototype / Pilot, Implementation and Training and
Sustainment.

Answer 75

Delivery and Support

Question 76

SDLC Management Control Domains:
User Requirements Definition, Systems Requirements Definition
, Analysis and Design, System Build /
Prototype / Pilot, Implementation and Training and Sustainment.

Answer 76

Monitoring

Question 77

Is a phase of the SDLC that defines security functions that an application should satisfy. The
designated employee can also speak with several stakeholders to determine the expected end state of the application.

Answer 77

Requirements Analysis

Question 78

Security should be involved
in all phases of the SDLC, but exploitation of vulnerabilities to identify
weaknesses should be done in the testing phase

Answer 78

Testing Phase

Question 79

An
Incident response
plan
is an organized approach to addressing and managing the aftermat
h
of a security b
reach or compromise on a system or software
. The goal is to handle the situation in a way that limits
damage and reduces recovery time and costs.
The incident response plan will take place at the operation phase of the
SDLC.

Answer 79

Incident Response Plan

Question 80

Earned Value Management:

BCWS

Answer 80

Budget Cost Work Scheduled

Question 81

Earned Value Management:

BCWP

Answer 81

Budget Cost of Work Performed

Question 82

Earned Value Management:

SV

Answer 82

Scheduled Variance

Question 83

Earned Value Management:

CV

Answer 83

Cost Variance

Question 84

Earned Value Management:

SV=

Answer 84

BCWP - BCWS

Question 85

Earned Value Management:

CV=

Answer 85

BCWP - ACWP

Question 86

Steps in the Work Breakdown Structure (WBS):

Examine the set of required external deliverables.

Answer 86

1

Question 87

Steps in the Work Breakdown Structure (WBS):
Identify
and list the steps and tasks needed to produce the required deliverables, inc
luding any tasks for additional
intermediate deliverables needed to complete the final deliverable.

Answer 87

2

Question 88

Steps in the Work Breakdown Structure (WBS):

Sequence the identified tasks required to produce the deliverable.

Answer 88

3

Question 89

Steps in the Work Breakdown Structure (WBS):
Est
imate the effort required to perform each task.

Answer 89

4

Question 90

Steps in the Work Breakdown Structure (WBS):

Estimate the productivity of the resources that will be applied to the tasks.

Answer 90

5

Question 91

Steps in the Work Breakdown Structure (WBS):

Compute the time needed for each task by dividing the task effort estimates by the resource productivity estimates.

Answer 91

6

Question 92

Steps in the Work Breakdown Structure (WBS):
Lay out the time needed for each task and “label” each task with its task name and the assigned resources; this layout of
sequences of tasks with their associated time and resources essentially forms the initial schedule.

Answer 92

7

Question 93

Capability Maturity Model Integration (CMMI) levels:
Organizational innovations and deployment
Casual analysis and resolution
Overall testing to achieve efficiencies

Answer 93

ML5

Question 94

Capability Maturity Model Integration (CMMI) levels:
Organizational process performance
Quantitative project management

Answer 94

ML4

Question 95

Capability Maturity Model Integration (CMMI) levels:
Requirements development
Technical solution
Product integration
Verification
Validation
Organizational process focus
Organizational process definition
Organizational training
Integrated project management
Risk Management
Integrated teaming
Integrated supplier management
Decision analysis and resolution
Organizational environment for integration

Answer 95

ML3

Question 96

Capability Maturity Model Integration (CMMI) levels:
Requirements management 
Project planning
Project monitoring and control
Supplier agreement management 
Measurement and analysis 
Process and product quality assurance
Configuration management

Answer 96

ML2

Question 97

Capability Maturity Model Integration (CMMI) levels:

NONE

Answer 97

ML1

Question 98

The Processes areas of CMMI

1) Organizational process focus
2) Organizational process definition
3) Organizational Training
4) Organizational process performance
5) Organizational innovation and deployment

Answer 98

Process Management

Question 99

The Processes areas of CMMI

1) Project Planning
2) Project Monitoring and control
3) Supplier agreement management
4) Integrated project management
5) Risk Management
6) Integrated teaming
7) Integrated supplier management
8) Quantitative project management

Answer 99

Project Management

Question 100

The Processes areas of CMMI

1) Requirements development
2) Requirements Management
3) Technical Solution
4) Product Integration
5) Verification
6) Validation

Answer 100

Engineering

Question 101

The Processes areas of CMMI
1) Configuration Management
2) Process and product quality assurance
3) Measurement and Analysis
4) Organizational envi
ronment for integration
5) Decision analysis and resolution
6) Casual analysis and resolution

Answer 101

Support

Question 102

A software development methodology based on UML. It organizes the development of software into four phases, each consisting of one or more executable iterations of the software at that stage of development. It’s also an interactive and incremental model that utilizes the divide and conquer methodology to decompose a complex problem into smaller parts. It’s also heavy with formal, established framework.

Answer 102

Rational Unified Process (RUP)

Question 103

Based on four core values of communication, simplicity, feedback, and courage. It also
includes fundamental principles of incremen
tal change, embracing change and quality of work.

Answer 103

Extreme Programming (XP)

Question 104

A disciplined method that can be combined with other techniques.

Answer 104

Scrum

Question 105

Might be a designated building with servers, computers, and the needed office space, but with no active
connections or running servers.

Answer 105

Warm Site

Question 106

Was
the formal United States national standard cryptosystem for securing
informati
on; it’s an example of a Feistel cipher using a 56
-
birt key. It’s now considered breakable, but it survives in the
form of 3
-
DES, which is
the use of encryption using three separate keys.

Answer 106

Data Encryption Standard (DES)

Question 107

Use of establi
shed quality
assurance practices and fault tolerance techniques; Ability
of software to operate dependably, despite the presence of sponsored faults and security as a part of the software specified
in the beginning of the software development process.

Answer 107

Secure Software Assurance (SSA)

Question 108

Source code fault injection, direct code analysis and property based testing.

Answer 108

White Box Testing

Question 109

Fuzz testing, byte code, assembler code and binary code scanning.

Answer 109

Black Box Testing

Question 110

This occurs when your software prints too much information in
response to queries or when it
prints to public error logs. Internal data can often be the target of the attacker, so what you share via output in
development or in production needs to be considered as a possible source of compromise.

Answer 110

Unintentional disclosure

Question 111

In cryptography and computer security, a ________ attack is where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

Answer 111

man-in-the-middle attack

often abbreviated MitM, MiM attack, MitMA, or the same using all capital letters

Question 112

Attack surface in relation to threat:

Sniffing

Answer 112

Network

Question 113

Attack surface in relation to threat:

Rootkit

Answer 113

Operating system

Question 114

Attack surface in relation to threat:

Buffer Overflow

Answer 114

Programming Languages

Question 115

Attack surface in relation to threat:

SQL Injection

Answer 115

Database Application

Question 116

Refers to all activities designed to measure and improve
quality in a product , including the whole
process, training, preparation of the team, and activities associated with customer feedback.

Answer 116

Quality Assurance