CISSP - Software Development Chp 20-21
A database view is the results of which of the following operations? A. Join and Select. B. Join, Insert, and Project. C. Join, Project, and Create. D. Join, Project, and Select.
D
A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle? A. project initiation and planning phase B. system design specification phase C. development & documentation phase D. acceptance phase
D
A shared resource matrix is a technique commonly used to locate: A. Malicious code B. Security flaws C. Trap doors D. Covert channels
D
A system file that has been patched numerous times becomes infected with a virus. The anti-virus software warns that disinfecting the file may damage it. What course of action should be taken? A. Replace the file with the original version from master media B. Proceed with automated disinfection C. Research the virus to see if it is benign D. Restore an uninfected version of the patched file from backup media
D
At what stage of the applications development process should the security department become involved? A. Prior to the implementation B. Prior to systems testing C. During unit testing D. During requirements development
D
Buffer overflow and boundary condition errors are subsets of which of the following? A. Race condition errors. B. Access validation errors. C. Exceptional condition handling errors. D. Input validation errors.
D
Normalizing data within a database could include all or some of the following except which one? A. Eliminate duplicative columns from the same table. B. Eliminates functional dependencies on a partial key by putting the fields in a separate table from those that are dependent on the whole key C. Eliminates Functional dependencies on non-key fields by putting them in a separate table. At this level, all non-key fields are dependent on the primary key. D. Eliminating duplicate key fields by putting them into separate tables.
D
SQL commands do not include which of the following? A. Select, Update B. Grant, Revoke C. Delete, Insert D. Add, Relist
D
The information security staff's participation in which of the following system development life cycle phases provides maximum benefit to the organization? A. project initiation and planning phase B. system design specifications phase C. development and documentation phase D. in parallel with every phase throughout the project
D
Which of the following defines the software that maintains and provides access to the database? A. database management system (DBMS) B. relational database management system (RDBMS) C. database identification system (DBIS) D. Interface Definition Language system (IDLS)
A
A virus is a program that can replicate itself on a system but not necessarily spread itself by network connections. What is malware that can spread itself over open network connections? A. Worm B. Rootkit C. Adware D. Logic Bomb
A
Complex applications involving multimedia, computer aided design, video, graphics, and expert systems are more suited to which of the following database type? A. Object-Oriented Databases (OODB) B. Object-Relational Databases C. Relational Databases D. Database management systems (DBMS)
A
Which of the following is an advantage of prototyping? A. Prototype systems can provide significant time and cost savings. B. Change control is often less complicated with prototype systems. C. It ensures that functions or extras are not added to the intended system. D. Strong internal controls are easier to implement.
A
A 'Pseudo flaw' is which of the following? A. An apparent loophole deliberately implanted in an operating system program as a trap for intruders. B. An omission when generating Pseudo-code. C. Used for testing for bounds violations in application programming. D. A normally generated page fault causing the system to halt.
A
A persistent collection of interrelated data items can be defined as which of the following? A. database B. database management system C. database security D. database shadowing
A
Debbie from finance called to tell you that she downloaded and installed a free wallpaper program that sets the wallpaper on her computer to match the current weather outside but now her computer runs slowly and the disk drive activity light is always on. You take a closer look and when you do a simple port scan to see which ports are open on her computer, you notice that TCP/80 is open. You point a web browser at her computer's IP Address and port and see a site selling prescription drugs. Apart from the wallpaper changing software, what did Debbie install without her knowledge? A. Trojan horse B. Network mobile code C. Virus D. Logic Bomb
A
Examine the following characteristics and identify which answer best indicates the likely cause of this behavior: ✑ Core operating system files are hidden ✑ Backdoor access for attackers to return ✑ Permissions changing on key files ✑ A suspicious device driver ✑ Encryption applied to certain files without explanation ✑ Logfiles being wiped A. Kernel-mode Rootkit B. User-mode Rootkit C. Malware D. Kernel-mode Badware
A
In a database management system (DBMS), what is the "cardinality"? A. The number of rows in a relation. B. The number of columns in a relation. C. The set of allowable values that an attribute can take. D. The number of relations in a database.
A
In an online transaction processing system (OLTP), which of the following actions should be taken when erroneous or invalid transactions are detected? A. The transactions should be dropped from processing. B. The transactions should be processed after the program makes adjustments. C. The transactions should be written to a report and reviewed. D. The transactions should be corrected and reprocessed.
A
In regards to relational database operations using the Structure Query Language (SQL), which of the following is a value that can be bound to a placeholder declared within an SQL statement? A. A bind value B. An assimilation value C. A reduction value D. A resolution value
A
In regards to the query function of relational database operations, which of the following represent implementation procedures that correspond to each of the low- level operations in the query? A. query plan B. relational plan C. database plan D. structuring plan
A
Matches between which of the following are important because they represent references from one relation to another and establish the connections among these relations? A. foreign key to primary key B. foreign key to candidate key C. candidate key to primary key D. primary key to secondary key
A
Referential Integrity requires that for any foreign key attribute, the referenced relation must have a tuple with the same value for which of the following? A. primary key B. secondary key C. foreign key D. candidate key
A
Sensitivity labels are an example of what application control type? A. Preventive security controls B. Detective security controls C. Compensating administrative controls D. Preventive accuracy controls
A
What are user interfaces that limit the functions that can be selected by a user called? A. Constrained user interfaces B. Limited user interfaces C. Mini user interfaces D. Unlimited user interfaces
A
What is RAD? A. A development methodology B. A project management technique C. A measure of system complexity D. Risk-assessment diagramming
A
What is one disadvantage of content-dependent protection of information? A. It increases processing overhead. B. It requires additional password entry. C. It exposes the system to data locking. D. It limits the user's individual address space.
A
What would you call an attack where an attacker can influence the state of the resource between check and use? This attack can happen with shared resources such as files, memory, or even variables in multithreaded programs. This can cause the software to perform invalid actions when the resource is in an unexpected state. The steps followed by this attack are usually the following: the software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. A. TOCTOU attack B. Input checking attack C. Time of Check attack D. Time of Use attack
A
When considering all the reasons that buffer overflow vulnerabilities exist what is the real reason? A. Human error B. The Windows Operating system C. Insecure programming languages D. Insecure Transport Protocols
A
Which answer BEST describes a computer software attack that takes advantage of a previously unpublished vulnerability? A. Zero-Day Attack B. Exploit Attack C. Vulnerability Attack D. Software Crack
A
Which of the following answer specifies the correct sequence of levels within the Capability Maturity Model (CMM)? A. Initial, Managed, Defined, Quantitatively managed, Optimized B. Initial, Managed, Defined, Optimized, Quantitatively managed C. Initial, Defined, Managed, Quantitatively managed, Optimized D. Initial, Managed, Quantitatively managed, Defined, Optimized
A
Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server? A. Bind variables B. Assimilation variables C. Reduction variables D. Resolution variables
A
Which of the following can be defined as THE unique attribute used as a unique identifier within a given table to identify a tuple? A. primary key B. candidate key C. foreign key D. secondary key
A
Which of the following can be defined as a unique identifier in the table that unambiguously points to an individual tuple or record in the table? A. primary key B. candidate key C. secondary key D. foreign key
A
Which of the following can be defined as an attribute in one relation that has values matching the primary key in another relation? A. foreign key B. candidate key C. primary key D. secondary key
A
Which of the following can be defined as the set of allowable values that an attribute can take? A. domain of a relation B. domain name service of a relation C. domain analysis of a relation D. domains, in database of a relation
A
Which of the following is an important part of database design that ensures that attributes in a table depend only on the primary key? A. Normalization B. Assimilation C. Reduction D. Compaction
A
Which of the following is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes? A. The Software Capability Maturity Model (CMM) B. The Spiral Model C. The Waterfall Model D. Expert Systems Model
A
Which of the following is best defined as a circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it? A. Aggregation B. Inference C. Clustering D. Collision
A
Which of the following is commonly used for retrofitting multilevel security to a database management system? A. trusted front-end B. trusted back-end C. controller D. kernel
A
Which of the following is one of the oldest and most common problem in software development that is still very prevalent today? A. Buffer Overflow B. Social Engineering C. Code injection for machine language D. Unassembled reversible DOS instructions.
A
Which of the following is the marriage of object-oriented and relational technologies combining the attributes of both? A. object-relational database B. object-oriented database C. object-linking database D. object-management database
A
Which of the following is used to create and modify the structure of your tables and other objects in the database? A. SQL Data Definition Language (DDL) B. SQL Data Manipulation Language (DML) C. SQL Data Relational Language (DRL) D. SQL Data Identification Language (DIL)
A
Which of the following technologies is a target of XSS or CSS (Cross-Site Scripting) attacks? A. Web Applications B. Intrusion Detection Systems C. Firewalls D. DNS Servers
A
Which of the following would not correspond to the number of primary keys values found in a table in a relational database? A. Degree B. Number of tuples C. Cardinality D. Number of rows
A
Which one of the following is NOT a check for Input or Information Accuracy in Software Development security? A. Review check B. Range Check C. Relationship Check D. Reasonableness check
A
Why does compiled code pose more of a security risk than interpreted code? A. Because malicious code can be embedded in compiled code and be difficult to detect. B. If the executed compiled code fails, there is a chance it will fail insecurely. C. Because compilers are not reliable. D. There is no risk difference between interpreted code and compiled code.
A
With regard to databases, which of the following has characteristics of ease of reusing code and analysis and reduced maintenance? A. Object-Oriented Databases (OODB) B. Object-Relational Databases (ORDB) C. Relational Databases D. Database management systems (DBMS)
A
What is the appropriate role of the security analyst in the application system development or acquisition project? A. policeman B. control evaluator & consultant C. data owner D. application user
B
Java follows which security model: A. least privilege B. Sand box C. CIA D. OSI
B
The Open Web Application Security Project (OWASP) Top Ten list of risks during the past several years. The following items have been on the list for many years. What of the choices below represent threats that have been at the top of the list for many years? A. Cross Site Scripting and Dynamic Unicode injection attacks B. SQL Injection and Cross Site Scripting attacks C. SQL Injection and Weak Authentication and Session Management attacks D. Cross Site Scripting and Security Misconfigurations attacks
B
What is used to hide data from unauthorized users by allowing a relation in a database to contain multiple tuples with the same primary keys with each instance distinguished by a security level? A. Data mining B. Polyinstantiation C. Cell suppression D. Noise and perturbation
B
Which of the following best describes the purpose of debugging programs? A. To generate random data that can be used to test programs before implementing them. B. To ensure that program coding flaws are detected and corrected. C. To protect, during the programming phase, valid changes from being overwritten by other changes. D. To compare source code versions before transferring to the test environment
B
Which of the following characteristics pertaining to databases is NOT true? A. A data model should exist and all entities should have a significant name. B. Justifications must exist for normalized data. C. No NULLs should be allowed for primary keys. D. All relations must have a specific cardinality.
B
Which of the following determines that the product developed meets the projects goals? A. verification B. validation C. concurrence D. accuracy
B
Which of the following is an advantage in using a bottom-up versus a top-down approach to software testing? A. Interface errors are detected earlier. B. Errors in critical modules are detected earlier. C. Confidence in the system is achieved earlier. D. Major functions and processing are tested earlier.
B
Which of the following is often the GREATEST challenge of distributed computing solutions? A. scalability B. security C. heterogeneity D. usability
B
Which of the following is used in database information security to hide information? A. Inheritance B. Polyinstantiation C. Polymorphism D. Delegation
B
Which of the following represents a relation, which is the basis of a relational database? A. One-dimensional table B. Two-dimensional table C. Three-dimensional table D. Four-dimensional table
B
Which of the following represents the rows of the table in a relational database? A. attributes B. records or tuples C. record retention D. relation
B
Which of the following test makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems? A. Recovery testing B. Security testing C. Stress/volume testing D. Interface testing
B
Which of the following translates source code one command at a time for execution on a computer? A. A translator B. An interpreter C. A compiler D. An assembler
B
Which virus category has the capability of changing its own code, making it harder to detect by anti-virus software? A. Stealth viruses B. Polymorphic viruses C. Trojan horses D. Logic bombs
B
Why do buffer overflows happen? What is the main cause? A. Because buffers can only hold so much data B. Because of improper parameter checking within the application C. Because they are an easy weakness to exploit D. Because of insufficient system memory
B
Why would a database be denormalized? A. To ensure data integrity B. To increase processing efficiency C. To prevent duplication of data D. To save storage space
B
Which of the following is less likely to be included in the change control sub-phase of the maintenance phase of a software product? A. Estimating the cost of the changes requested B. Recreating and analyzing the problem C. Determining the interface that is presented to the user D. Establishing the priorities of requests
C
Which of the following phases of a software development life cycle normally incorporates the security specifications, determines access controls, and evaluates encryption options? A. Detailed design B. Implementation C. Product design D. Software plans and requirements
C
Which of the following represents the best programming? A. Low cohesion, low coupling B. Low cohesion, high coupling C. High cohesion, low coupling D. High cohesion, high coupling
C
Which of the following statements pertaining to software testing approaches is correct? A. A bottom-up approach allows interface errors to be detected earlier. B. A top-down approach allows errors in critical modules to be detected earlier. C. The test plan and results should be retained as part of the system's permanent documentation. D. Black box testing is predicated on a close examination of procedural detail.
C
Which of the following statements pertaining to software testing is incorrect? A. Unit testing should be addressed and considered when the modules are being designed. B. Test data should be part of the specifications. C. Testing should be performed with live data to cover all possible situations. D. Test data generators can be used to systematically generate random test data that can be used to test programs.
C
Which of the following statements relating to Distributed Computing Environment (DCE) is FALSE? A. It is a layer of software that sits on the top of the network layer and provides services to the applications above it. B. It uses a Universal Unique Identifier (UUID) to uniquely identify users, resources and components. C. It provides the same functionality as DCOM, but it is more proprietary than DCOM. D. It is a set of management services with a communication layer based on RPC.
C
Which software development model is actually a meta-model that incorporates a number of the software development models? A. The Waterfall model B. The modified Waterfall model C. The Spiral model D. The Critical Path Model (CPM)
C
Business rules can be enforced within a database through the use of A. Proxy B. Redundancy C. Views D. Authentication
C
In computing what is the name of a non-self-replicating type of malware program containing malicious code that appears to have some useful purpose but also contains code that has a malicious or harmful purpose imbedded in it, when executed, carries out actions that are unknown to the person installing it, typically causing loss or theft of data, and possible system harm. A. virus B. worm C. Trojan horse D. trapdoor
C
In what way could Java applets pose a security threat? A. Their transport can interrupt the secure distribution of World Wide Web pages over the Internet by removing SSL and S-HTTP B. Java interpreters do not provide the ability to limit system access that an applet could have on a client system. C. Executables from the Internet may attempt an intentional attack when they are downloaded on a client system. D. Java does not check the bytecode at runtime or provide other safety mechanisms for program isolation from the client system.
C
Java is not: A. Object-oriented. B. Distributed. C. Architecture Specific. D. Multithreaded.
C
The description of the database is called a schema. The schema is defined by which of the following? A. Data Control Language (DCL). B. Data Manipulation Language (DML). C. Data Definition Language (DDL). D. Search Query Language (SQL).
C
What allows a relation to contain multiple rows with a same primary key? A. RDBMS B. Polymorphism C. Polyinstantiation D. It is not possible
C
What does "System Integrity" mean? A. The software of the system has been implemented as designed. B. Users can't tamper with processes they do not own. C. Hardware and firmware have undergone periodic testing to verify that they are functioning properly. D. Design specifications have been verified against the formal top-level specification.
C
What is called the number of columns in a table? A. Schema B. Relation C. Degree D. Cardinality
C
What is the act of obtaining information of a higher sensitivity by combining information from lower levels of sensitivity? A. Polyinstantiation B. Inference C. Aggregation D. Data mining
C
What is the purpose of Trusted Distribution? A. To ensure that messages sent from a central office to remote locations are free from tampering. B. To prevent the sniffing of data as it travels through an untrusted network enroute to a trusted network. C. To ensure that the Trusted Computing Base is not tampered with during shipment or installation. D. To ensure that messages received at the Trusted Computing Base are not old messages being resent as part of a replay attack.
C
Which model, based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes, introduced five levels with which the maturity of an organization involved in the software process is evaluated? A. The Total Quality Model (TQM) B. The IDEAL Model C. The Software Capability Maturity Model D. The Spiral Model
C
Which of the following BEST explains why computerized information systems frequently fail to meet the needs of users? A. Inadequate quality assurance (QA) tools. B. Constantly changing user needs. C. Inadequate user participation in defining the system's requirements. D. Inadequate project management.
C
Which of the following attack could be avoided by creating more security awareness in the organization and provide adequate security knowledge to all employees? A. Smurf attack B. Traffic analysis C. Phishing D. Interrupt attack
C
Which of the following attack includes social engineering, link manipulation or web site forgery techniques? A. Smurf attack B. Traffic analysis C. Phishing D. Interrupt attack
C
Which of the following can be defined as the process of rerunning a portion of the test scenario or test plan to ensure that changes or corrections have not introduced new errors? A. Unit testing B. Pilot testing C. Regression testing D. Parallel testing
C
Which of the following does not address Database Management Systems (DBMS) Security? A. Perturbation B. Cell suppression C. Padded cells D. Partitioning
C
The object-relational and object-oriented models are better suited to managing complex data such as required for which of the following? A. computer-aided development and imaging B. computer-aided duplexing and imaging C. computer-aided processing and imaging D. computer-aided design and imaging
D
The security of a computer application is MOST effective and economical in which of the following cases? A. The system is optimized prior to the addition of security. B. The system is procured off-the-shelf. C. The system is customized to meet the specific security threat. D. The system is originally designed to provide the necessary security.
D
What is NOT included in a data dictionary? A. Data Element Definitions B. Schema Objects C. Reference Keys D. Structured Query Language
D
What is the BEST definition of SQL injection? A. SQL injection is a database problem. B. SQL injection is a web Server problem. C. SQL injection is a windows and Linux website problem that could be corrected by applying a website vendors patch. D. SQL injection is an input validation problem.
D
Which expert system operating mode allows determining if a given hypothesis is valid? A. Blackboard B. Lateral chaining C. Forward chaining D. Backward chaining
D
Which of the following is NOT true concerning Application Control? A. It limits end users use of applications in such a way that only particular screens are visible. B. Only specific records can be requested through the application controls C. Particular usage of the application can be recorded for audit purposes D. It is non-transparent to the endpoint applications so changes are needed to the applications and databases involved
D
Which of the following is a Microsoft technology for communication among software components distributed across networked computers? A. DDE B. OLE C. ODBC D. DCOM
D
Which of the following is an advantage of using a high-level programming language? A. It decreases execution times for programs B. It allows programmers to define syntax C. It requires programmer-controlled storage management D. It enforces coding standards
D
Which of the following is not a defined maturity level within the Software Capability Maturity Model? A. Repeatable B. Defined C. Managed D. Oriented
D
Which of the following is not an element of a relational database model? A. Relations, tuples, attributes and domains B. Data Manipulation Language (DML) on how the data will be accessed and manipulated C. Constraints to determine valid ranges and values D. Security structures called referential validation within tables
D
Which of the following phases of a software development life cycle normally addresses Due Care and Due Diligence? A. Implementation B. System feasibility C. Product design D. Software plans and requirements
D
Which of the following virus types changes some of its characteristics as it spreads? A. Boot Sector B. Parasitic C. Stealth D. Polymorphic
D
