CISSP Chapter 8


A new software development company has been launched to create mobile device apps for different customers. The company has talented software programmers employed, but has not been able to implement standardized development processes that can be improved upon over time. Which of the following would be the best approach for this company to take in order to improve its software development processes? A. Capability Maturity Model Integration B. System development life cycle C. ISO/IEC 27002 D. Certification and accreditation processes

A

Of the following steps that describe the development of a botnet, which best describes the step that comes first? A. Infected server sends attack commands to the botnet. B. Spammer pays a hacker for the use of a botnet. C. Controller server instructs infected systems to send spam to mail servers. D. Malicious code is sent out that has bot software as its payload.

D

There are many types of viruses that hackers can use to damage systems. Which of the following is not a correct description of a polymorphic virus? A. Intercepts antimalware's call to the operating system for file and system information. B. Varies the sequence of its instructions using noise, a mutation engine, or a random number generator. C. Can use different encryption schemes requiring different decryption routines. D. Produces multiple varied copies of itself

A

Trent is the new manager of his company's internal software development department. He has been told by his management that the group needs to be compliant with the international standard that provides guidance to organizations in integrating security into the processes used for managing their applications. His new boss told him that he should join and get familiar with the Open Web Application Security Project (OWASP), and Trent just received an email stating that one of the company's currently deployed applications has a zero-day vulnerability. Which of the following best describes the consortium Trent's boss wants him to join? A. Nonprofit organization that produces open-source software and follows widely agreed-upon best-practice security standards for the World Wide Web B. US DHS group that provides best practices, tools, guidelines, rules, principles, and other resources for software developers, architects, and security practitioners to use C. Group of experts who create proprietary software tools used to help improve the security of software worldwide D. Group of experts and organizations that certify products based on agreed-upon security criteria

A

Which are the best reasons why a code versioning system (CVS) is an important part of development infrastructure? i. It can ensure that code modifications are made according to corporate policies. ii. It will document who made which changes, to ensure accountability. iii. It will reduce the cost of the development infrastructure. iv. It can provide control over unauthorized access to proprietary code. A. i, ii, iv B. iii C. iii, iv D. All of the above

A

Which of the following anti-malware detection methods is the most recent to the industry and monitors suspicious code as it executes within the operating system? A. Behavior blocking B. Fingerprint detection C. Signature-based detection D. Heuristic detection

A
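The two questions above (the polymorphic virus, and behavior blocking versus signature detection) describe the same trade-off from both sides. The following is an added example, not part of the original flashcard set: a toy "mutation engine" that emits differently encoded copies of one benign byte string, a fixed-pattern signature scanner that misses every copy, and a behavior check that runs each copy and judges what it does. The variant layout, the XOR "encryption", the junk prefix standing in for a varied decryptor, and the payload string are all constructed for the demo.

```python
import os
from typing import Optional

# Constructed, benign "payload": the behaviour every copy shares.
PAYLOAD = b"WRITE: hello from the payload"
# The byte pattern a signature scanner would extract from one captured copy.
SIGNATURE = b"hello from the payload"


def _random_key() -> bytes:
    # 1 to 4 key bytes, each in 1..255, so every body byte really changes.
    length = 1 + os.urandom(1)[0] % 4
    return bytes(1 + b % 255 for b in os.urandom(length))


def mutate(payload: bytes, key: Optional[bytes] = None,
           junk_len: Optional[int] = None) -> bytes:
    """Toy mutation engine: emit a fresh copy of the same payload.

    Variant layout (an assumption for this demo, not any real file format):
        [junk_len:1][junk bytes][key_len:1][key][payload XOR key]
    The random junk prefix stands in for a varied decryptor routine; the
    per-copy key stands in for a different encryption scheme.
    """
    key = key if key is not None else _random_key()
    junk_len = junk_len if junk_len is not None else os.urandom(1)[0] % 8
    junk = os.urandom(junk_len)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return bytes([junk_len]) + junk + bytes([len(key)]) + key + body


def execute(variant: bytes) -> bytes:
    """The copy's own 'decryptor': skip the junk, read the key, decode the body."""
    junk_len = variant[0]
    pos = 1 + junk_len
    key_len = variant[pos]
    key = variant[pos + 1 : pos + 1 + key_len]
    body = variant[pos + 1 + key_len :]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def signature_scan(sample: bytes) -> bool:
    """Signature-based detection: look for a fixed byte pattern on disk."""
    return SIGNATURE in sample


def behavior_block(variant: bytes) -> bool:
    """Behavior blocking: run the code (here, in a 'sandbox' that is just the
    decoder) and judge what it does. The suspicious action is the WRITE
    operation the decoded body requests, not how the copy looks on disk."""
    return execute(variant).startswith(b"WRITE:")


def demo(copies: int = 5) -> dict:
    """Generate several copies and summarise how each detection method fares."""
    variants = [mutate(PAYLOAD) for _ in range(copies)]
    return {
        "distinct_copies": len(set(variants)),
        "signature_hits": sum(signature_scan(v) for v in variants),
        "behavior_hits": sum(behavior_block(v) for v in variants),
        "all_decode_identically": all(execute(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

Every copy decodes to the same payload and triggers the behavior check, yet no copy contains the signature, which is why option A in the virus question (interception of the scanner's file and system calls) describes a tunneling virus rather than a polymorphic one: polymorphism defeats the scanner by changing appearance, not by intercepting it.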

Which of the following best describes change management? A. It is a systematic approach to deliberately regulating the changing nature of projects. B. It is the process of controlling the specific changes that take place during the life cycle of a system. C. It is an Enterprise program for instituting programmatic changes and source code repositories. D. It is the process of controlling how changes to firewalls and other network devices are made.

A

Which of the following best describes an object-oriented database? A. When an application queries for data, it receives both the data and the procedure. B. It is structured similarly to a mesh network for redundancy and fast data retrieval. C. Subjects must have knowledge of the well-defined access path in order to access data. D. The relationships between data entities provide the framework for organizing data.

A

______________ provides a machine-readable description of the specific operations provided by a specific web service. _____________ provides a method for web services to be registered by service providers and located by service consumers. A. Web Services Description Language; Universal Description, Discovery and Integration B. Universal Description, Discovery and Integration; Web Services Description Language C. Web Services Description Language; Simple Object Access Protocol D. Simple Object Access Protocol; Universal Description, Discovery and Integration

A

Cross-site scripting is an application security vulnerability usually found in web applications. What type of XSS vulnerability occurs when a victim is tricked into opening a URL programmed with a rogue script to steal sensitive information? A. Persistent XSS vulnerability B. Non-persistent XSS vulnerability C. Second-order vulnerability D. DOM-based vulnerability

B

Database software should meet the requirements of what is known as the ACID test. Why should database software carry out atomic transactions, which is one requirement of the ACID test, when OLTP is used? A. So that the rules for database integrity can be established B. So that the database performs transactions as a single unit without interruption C. To ensure that rollbacks cannot take place D. To prevent concurrent processes from interacting with each other

B

John is a network administrator and has been told by one of his network staff members that two servers on the network have recently had suspicious traffic traveling through them and then from them in a sporadic manner. The traffic has been mainly ICMP, but the patterns were unusual compared to traffic on other servers over the last 30 days. John lists the directories and subdirectories on the systems and finds nothing unusual. He inspects the running processes and again finds nothing suspicious. He sees that the systems' NICs are not in promiscuous mode, so he is assured that sniffers have not been planted. Which of the following describes the most likely situation as described in this scenario? A. Servers are not infected, but the traffic illustrates attack attempts. B. Servers have been infected with rootkits. C. Servers are vulnerable and need to be patched. D. servers have been infected by spyware.

B

Mary is creating malicious code that will steal a user's cookies by modifying the original client-side JavaScript. What type of cross-site scripting vulnerability is she exploiting? A. Second-order B. DOM-based C. Persistent D. Non-persistent

B
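The two XSS questions above (the non-persistent URL-borne script, and Mary's DOM-based attack on client-side JavaScript) differ in where the payload travels and where it is injected. The following is an added example, not part of the original flashcard set, that models all three classic variants in one file: reflected (the server echoes a query parameter), stored (a comment is saved once and served to everyone), and DOM-based (a client-side script writes location.hash into the page, so the server never sees the payload). The site name, the comment store and the client-script simulation are constructed for the demo; the payload is a harmless marker standing in for the cookie-stealing script the questions describe.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed attacker payload. In the flashcards' scenario the script would
# read document.cookie; a harmless marker keeps this demo benign.
PAYLOAD = "<script>alert('xss')</script>"


def request_line(url: str) -> str:
    """What the browser actually sends: path and query. The fragment (#...)
    never leaves the browser, which is what makes DOM-based XSS different."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


# --- Non-persistent (reflected) XSS: payload rides in the URL, server echoes it ---

def search_page(url: str) -> str:
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"            # vulnerable: raw reflection


def search_page_fixed(url: str) -> str:
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f"<p>Results for: {escape(q)}</p>"    # output-encode untrusted input


# --- Persistent (stored) XSS: payload is saved once, served to every visitor ---

COMMENTS: list = []   # constructed stand-in for a database table


def post_comment(text: str) -> None:
    COMMENTS.append(text)


def comments_page() -> str:
    return "".join(f"<li>{c}</li>" for c in COMMENTS)            # vulnerable


def comments_page_fixed() -> str:
    return "".join(f"<li>{escape(c)}</li>" for c in COMMENTS)    # fixed


# --- DOM-based XSS: a client-side script writes location.hash into the page ---

def welcome_client_script(url: str) -> str:
    """Simulates document.write("<h1>Hello " + location.hash.slice(1) + "</h1>").
    The server's response is identical for every visitor; the page's own
    JavaScript is the injection point, as in Mary's attack."""
    return f"<h1>Hello {urlsplit(url).fragment}</h1>"


def welcome_client_script_fixed(url: str) -> str:
    # In a real browser the fix is to assign textContent rather than use
    # innerHTML/document.write; escaping the fragment models the same effect.
    return f"<h1>Hello {escape(urlsplit(url).fragment)}</h1>"


if __name__ == "__main__":
    reflected = "https://shop.example/search?q=" + PAYLOAD
    dom = "https://shop.example/welcome#" + PAYLOAD
    print("reflected, vulnerable :", search_page(reflected))
    print("reflected, fixed      :", search_page_fixed(reflected))
    print("DOM-based, server sees:", request_line(dom))
    print("DOM-based, browser renders:", welcome_client_script(dom))
```

Run it and compare the two "DOM-based" lines: the request the server receives is just /welcome, so server-side filtering or logging cannot catch that variant at all, while the reflected variant only reaches a victim who opens the crafted URL.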

Robert has been asked to increase the overall efficiency of the sales database by implementing a procedure that structures data to minimize duplication and inconsistencies. What procedure is this? A. Polymorphism B. normalization C. implementation of database views D. constructing schema

B

What are the three major elements crucial to the security of software development environments? A. The software languages, the integrated development environments, and the compilers B. The development platforms, the code repositories, and the software configurations C. The design teams, the development teams, and the testing teams D. The code repositories, the versioning systems, and the deployment processes

B

Which of the following best describes Change Control? A. It is a systematic approach to deliberately regulating the changing nature of projects. B. It is the process of controlling the specific changes that take place during the life cycle of a system. C. It is an Enterprise program for instituting programmatic changes and source code repositories. D. It is the process of controlling how changes to firewalls and other network devices are made.

B

Which of the following best describes the role of the Java Virtual Machine in the execution of Java applets? A. Converts the source code into bytecode and blocks the sandbox B. Converts the bytecode into machine-level code C. Operates only on specific processes within specific operating systems D. Develops the applets, which run in a user's browser

B

Which of the following describes object-oriented programming deferred commitment? A. Autonomous objects, which cooperate through exchanges of messages B. The internal components of an object can be refined without changing other parts of the system C. Object-oriented analysis, design, and modeling map to business needs and solutions D. Other programs using the same objects

B

Which of the following is a correct description of the pros and cons associated with third-generation programming languages? A. The use of heuristics reduced programming effort, but the amount of manual coding for a specific task is usually more than in the preceding generation. B. The use of syntax similar to human language reduced development time, but the language is resource-intensive. C. The use of binary was extremely time-consuming but resulted in fewer errors. D. The use of symbols reduced programming time, but the language required knowledge of machine architecture.

B

It can be very challenging for programmers to know what types of security should be built into the software that they create. The amount of vulnerabilities, threats, and risks involved with software development can seem endless. Which of the following describes the best first step for developers to take to identify the security controls that should be coded into a software project? A. Penetration testing B. regression testing C. threat modeling D. attack surface analysis

C

John is a network administrator and has been told by one of his network staff members that two servers on the network have recently had suspicious traffic traveling through them and then from them in a sporadic manner. The traffic has been mainly ICMP, but the patterns were unusual compared to traffic on other servers over the last 30 days. John lists the directories and subdirectories on the systems and finds nothing unusual. He inspects the running processes and again finds nothing suspicious. He sees that the systems' NICs are not in promiscuous mode, so he is assured that sniffers have not been planted. Which of the following best explains why John does not see anything suspicious on the reported systems? A. The systems have not yet been infected. B. He is not running the correct tools. He needs to carry out a penetration test on the two systems. C. Trojan files have been loaded and executed. D. A back door has been installed and the attacker enters the system sporadically.

C

Lisa has learned that most databases implement concurrency controls. What is concurrency, and why must it be controlled? A. Processes running at different levels, which can negatively affect the integrity of a database if not properly controlled B. The ability to deduce new information from reviewing accessible data, which can allow an inference attack to take place C. Processes running simultaneously, which can negatively affect the integrity of a database if not properly controlled D. Storing data in more than one place within a database, which can negatively affect the integrity of the database if not properly controlled

C

Sally has found out that software programmers in her company are making changes to software components and uploading them to the main software repository without following version control or documenting their changes. This is causing a lot of confusion and has caused several teams to use the older versions. Which of the following would be the best solution for this situation? A. Software change control management B. Software escrow C. Software configuration management D. Software configuration management escrow

C

Trent is the new manager of his company's internal software development department. He has been told by his management that the group needs to be compliant with the international standard that provides guidance to organizations in integrating security into the processes used for managing their applications. His new boss told him that he should join and get familiar with the Open Web Application Security Project (OWASP), and Trent just received an email stating that one of the company's currently deployed applications has a zero-day vulnerability. Which of the following best describes the type of vulnerability mentioned in this scenario? A. Dynamic vulnerability that is polymorphic B. Static vulnerability that is exploited by server-side injection parameters C. Vulnerability that does not currently have an associated solution D. Database vulnerability that directly affects concurrency

C

Trent is the new manager of his company's internal software development department. He has been told by his management that the group needs to be compliant with the international standard that provides guidance to organizations in integrating security into the processes used for managing their applications. His new boss told him that he should join and get familiar with the Open Web Application Security Project (OWASP), and Trent just received an email stating that one of the company's currently deployed applications has a zero-day vulnerability. Which of the following is most likely the standard Trent's company wants to comply with? A. ISO/IEC 27005 B. ISO/IEC 27001 C. ISO/IEC 27034 D. BS 7799

C

What is generally the safest, most secure way to acquire software? A. From a reputable vendor of proprietary software, once tested in the deployment environment B. Downloading very popular open-source software that has been inspected for bugs by a large and active C. Downloading either proprietary or open-source software but testing it in a lab environment prior to deployment D. Downloading open-source software and deploying it only after the code base has been verified by cryptographic checksum

C

What type of database software integrity service guarantees that tuples are uniquely identified by primary key values? A. Concurrent integrity B. referential integrity C. entity integrity D. semantic integrity

C
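The ACID question earlier (why OLTP transactions must be atomic) and the entity integrity question above are easiest to see with a database that actually enforces both. The following is an added example, not part of the original flashcard set, using Python's built-in sqlite3 module: the primary key rejects duplicate and NULL account numbers (entity integrity), a foreign key rejects transfers to a non-existent account (referential integrity), a CHECK constraint rejects overdrafts (a semantic rule), and the transfer function shows atomicity: when the last statement of a transfer fails, the debit that already ran is rolled back. The bank schema, account numbers and balances are constructed for the demo.

```python
import sqlite3


def open_db() -> sqlite3.Connection:
    """In-memory bank schema (constructed for this demo)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    con.executescript("""
        CREATE TABLE accounts (
            acct_no TEXT PRIMARY KEY NOT NULL,   -- entity integrity: unique, never NULL
            owner   TEXT NOT NULL,
            balance INTEGER NOT NULL CHECK (balance >= 0)   -- a semantic integrity rule
        );
        CREATE TABLE transfers (
            id     INTEGER PRIMARY KEY,
            src    TEXT NOT NULL REFERENCES accounts(acct_no),   -- referential integrity
            dst    TEXT NOT NULL REFERENCES accounts(acct_no),
            amount INTEGER NOT NULL CHECK (amount > 0)
        );
        INSERT INTO accounts VALUES ('ACC-001', 'alice', 100), ('ACC-002', 'bob', 50);
    """)
    return con


def insert_account(con, acct_no, owner, balance) -> bool:
    """Returns False when entity integrity (the primary key) rejects the row."""
    try:
        with con:
            con.execute("INSERT INTO accounts VALUES (?, ?, ?)", (acct_no, owner, balance))
        return True
    except sqlite3.IntegrityError:
        return False


def transfer(con, src, dst, amount) -> bool:
    """Atomic transfer: debit, credit and audit row all commit, or none do.

    `with con:` is sqlite3's transaction scope: COMMIT on normal exit,
    ROLLBACK if any statement raises. A failure on the third statement
    therefore undoes the first two, which is the 'A' in ACID.
    """
    try:
        with con:
            con.execute("UPDATE accounts SET balance = balance - ? WHERE acct_no = ?", (amount, src))
            con.execute("UPDATE accounts SET balance = balance + ? WHERE acct_no = ?", (amount, dst))
            con.execute("INSERT INTO transfers (src, dst, amount) VALUES (?, ?, ?)", (src, dst, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def balance(con, acct_no) -> int:
    return con.execute("SELECT balance FROM accounts WHERE acct_no = ?", (acct_no,)).fetchone()[0]


def transfer_count(con) -> int:
    return con.execute("SELECT COUNT(*) FROM transfers").fetchone()[0]


if __name__ == "__main__":
    con = open_db()
    print("duplicate key accepted?", insert_account(con, "ACC-001", "mallory", 5))
    print("NULL key accepted?     ", insert_account(con, None, "mallory", 5))
    # Debit runs, credit matches no row, FK on the audit row fails -> whole unit rolled back.
    print("to missing account:", transfer(con, "ACC-001", "ACC-999", 10),
          "alice still has", balance(con, "ACC-001"))
    print("overdraw:", transfer(con, "ACC-001", "ACC-002", 500), balance(con, "ACC-001"))
    print("valid:", transfer(con, "ACC-001", "ACC-002", 30),
          balance(con, "ACC-001"), balance(con, "ACC-002"))
```

The transfer to ACC-999 is the case worth studying: without the transaction scope, alice would lose 10 units to nowhere, which is exactly the partial-update state atomicity exists to prevent.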

Which of the following is the best description of a component-based system development method? A. Components periodically revisit previous stages to update and verify design requirements. B. Minimizes the use of arbitrary transfer-of-control statements between components. C. Uses independent and standardized modules that are assembled into serviceable programs. D. Implemented in module-based scenarios requiring rapid adaptation to changing client requirements

C

Which of the following statements does not correctly describe SOAP and remote procedure calls? A. SOAP was designed to overcome compatibility and security issues associated with remote procedure calls. B. Both SOAP and remote procedure calls were created to enable application-layer communication. C. SOAP enables the use of remote procedure calls for information exchange between applications over the internet. D. HTTP was not designed to work with remote procedure calls, but SOAP was designed to work with HTTP.

C

Widgets Inc.'s software development processes are documented, and the organization is capable of producing its own standard of software processes. Which of the following Capability Maturity Model Integration levels best describes Widgets Inc.? A. Initial B. Repeatable C. Defined D. Managed

C

Fred has been told he needs to test a component of the new content management application under development to validate its data structure, logic, and boundary conditions. What type of testing should he carry out? A. Acceptance testing B. regression testing C. integration testing D. unit testing

D

In computer programming, cohesion and coupling are used to describe modules of code. Which of the following is a favorable combination of cohesion and coupling? A. Low cohesion, low coupling B. High cohesion, high coupling C. Low cohesion, high coupling D. High cohesion, low coupling

D

The approach of employing an integrated product team (IPT) for software development is designed to achieve which of the following objectives? A. Developing and testing software with fewer security flaws B. developing and testing software with fewer defective features C. developing and testing software that will be most profitable D. developing and testing software best suited to the deployment environment

D

Which of the following are key elements of secure coding practices? A. Using object-oriented languages instead of procedural ones, and heeding compiler warnings. B. Ensuring that quality assurance is thorough, and performed by multiple teams. C. Parallel programming, agile methodologies, and iterative testing D. Validating inputs, adhering to the least privilege principle, and keeping code as simple as possible.

D

