Domain 4

1. ISO 27034 mandates a framework for application security within an organization. According to the standard, each organization should have ______ and each application within the organization should have its own _________ 1. Organizational Normative Framework (ONF), Application Normative Framework (ANF) 2. Application Normative Framework (ANF), Organizational Normative Framework CONF) 3. Standard Application Security (SAS), Application Normative Framework (ANF) 4. Organizational Normative Framework (ONF), Standard Application Security (SAS)

1. A. The ONF lists all the controls used in all the applications within an organization; each ANF lists the particular controls used in each application the organization has. Standard Application Security is a made-up term therefore options C and D are incorrect.

10. When an organization considers cloud migrations, the organization's software developers will need to know which the organization will be using, in order to properly and securely create suitable applications 1. Geographic location, native language 2. Legal restrictions, specific ISP 3. Service model, deployment model 4. Available bandwidth, telecommunications country code

10. C. In order for developers to properly create and secure applications, they v.ill need to understand the extent of resource sharing (public/private/hybrid/community) and level of control (infrastructure as a service LlaaS), platform as a service LPaaSJ, software as a service LSaaS)) the organization will expect in the cloud environment. Each of the other options includes at least one element that programmers don't need to know (specifically, the native language, Internet service provider (ISP), country code) and is therefore incorrect.

100. Web application firewalls and database activity monitors function at levels _____ and ___ of the Open Systems Interconnection (OSI) model, respectively. 1. 1 and 7 2. 7 and 1 3, 7 and 7 4. 3 and 4

100. C. These are both Layer 7 tools. All the other answers are incorrect.

101. What can tokenization be used for? 1. Encryption 2. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) 3. Enhancing the user experience 4. Giving management oversight to e-commerce functions

101. B. Aside from encryption, PCI DSS allows for tokenization as a means to protect account and cardholder data at rest. Tokenization is not encryption; there is no encryption engine and no key involved in the process. Option A is incorrect. Tokenization does not necessarily enhance or detract from the user experience; option C is incorrect. Management is not allowed any additional oversight into any particular function by tokenization; option D is incorrect.

102. Merchants who accept credit card payments can avoid some of the compliance burden for the Payment Card Industry Data Security Standard (PCI DSS) by outsourcing the tokenization function to ___ 1. A third party 2. The data owner 3. The data subject 4. The PCI Security Standards Council

102. A. By offloading privacy data to a tokenizing third party, merchants can free themselves of the contractual burdens for protecting cardholder data at rest. The data owner is the merchants themselves, and the data subject is the person to whom the privacy data applies, so privacy data cannot be outsourced to either of these, and options B and C are incorrect. The PCI Council is the body that promulgates and enforces the PCI DSS; they will not process data on behalf of any merchant. Option D is incorrect.

103. Which of the following is an example of useful and sufficient data masking of the string "CCSP"? 1. XCSP 2. PSCC 3. TtLp 4. 3X91

103. C. This answer requires some thought about how the original data is displayed and its properties. Option A masks only one letter in a four-letter string; this is not sufficient because the original string could be identified with a very low- work factor, brute-force attack of only 26 possible combinations. Option B is likewise easy to break; it only reverses the content of the string, which is very simple to determine, and would allow easy recovery of any other similar strings in the data set. Option D mixes numeric characters into what was originally only an alphabetic string; this may detract from the utility of the string if the masked version is to be used for software testing. Option C completely obscures the original content but retains the qualities of the original (all alphabetic characters). It may affect the use of the string by mixing uppercase and lowercase, but this is still the best choice of the four possible answers.

104. A cloud-based sandbox should not be used for _______ 1. Application interoperability testing 2. Processing sensitive data 3. Application security testing 4. Malware analysis

104. D. Installing malware on systems owned by someone else may be illegal in many jurisdictions. While on-premises sandboxes are fine for this purpose, it may be a felony if performed in the cloud. the other options are good uses of cloud-based sandboxes.

105. Which of the following should occur at each stage of the software development lifecycle (SDLC)? 1. Added functionality 2. Management review 3. Verification and validation 4. Repurposing of any newly developed components

105. C. It is important to verify and validate the program at each stage of the SDLC. Adding functionality at each stage of the SDLC is the definition of scope creep, which is what we'd like to avoid. Option A is incorrect. Management should not have to shepherd software through the development process; this is the process of the development team. Option B is incorrect. Option D is a distractor and makes no actual sense.

106. Software that includes security elements from the outset of the software development lifecycle (SDLC) process will be ________ 1. More secure in deployment 2. Less secure in deployment 3. More likely to malfunction 4. Less likely to malfunction

106. A. It is important to verify and validate the program at each stage of the SDLC. Adding functionality at each stage of the SDLC is the definition of scope creep, which is what we'd like to avoid. Option A is incorrect. Management should not have to shepherd software through the development process; this is the process of the development team. Option B is incorrect. Option D makes no sense: you can't repurpose something that has just been developed.

107. Software that includes security elements from the outset of the software development lifecycle (SDLC) process will ___ 1. Be less expensive to operate securely in the production environment 2. Be more expensive to operate securely in the production environment 3. Not be interoperable with other software and systems in the production environment 4. Have a greater likelihood of interoperability with other software and systems in the production environment

107. A. security is created as an aspect of the software itself, there is less need to acquire and apply additional security controls to mitigate risks after deployment. Option B is also wrong for this same reason. Options C and D are incorrect because the inclusion of security aspects in software design should not affect interoperability in any significant way.

108. The inclusion of security controls in the software design process is dictated by ____ 1. The National Institute of Standards and Technology (NIST) 800-37 2. The American Institute of Certified Public Accountants (AICPA) 3. ISO 27034 4. The Health Insurance Portability and Accountability Act (HIPAA)

108. C. ISO 27034 addresses the sets of controls used in software throughout the environment. 800-37 is the Risk Management Framework, which is about the organization's overall security, not software development, so option A is incorrect. The AICPA is a standards-making body, not a standard itself, so option B is incorrect. HIPAA deals with health care privacy, so option D is incorrect.

109. Software development should be perceived as ___________ 1. Including all members of the organization 2. The paramount goal of the organization 3. The greatest risk to the organization 4. A lifecycle

109. D. It is important to consider software development as having a defined process and an eventual endpoint for the useful life of the product. Not every organization is a software development company. Even in software development companies, not everyone participates in development (there are other departments/offices, such as sales, accounting, etc.).

11. Which of the following is perhaps the best method for reducing the risk of a specific application not delivering the proper level of functionality and performance when it is moved from the traditional environment into the cloud ? 1. Remove the application from the organization's production environment and replace it with something else. 2. Negotiate and conduct a trial run in the cloud environment for that application before permanently migrating. 3. Make sure the application is fully updated and patched according to all vendor specifications. 4. Run the application in an emulator.

11. B. A trial run in the cloud will reveal any functionality/performance loss before a permanent cloud migration. An emulator won't reduce the risk of degraded performance; it will probably result in degraded performance. Option D is incorrect.

110. Dynamic testing of software is perhaps most useful for ________ 1. Simulating negative test cases 2. Finding errors in the source code 3. Determining the effect of social engineering 4. Penetration tests

110. A. Running the software and allowing users to operate it is a great form of dynamic testing, which simulates both known good and known bad inputs. Dynamic testing does not involve source code review or social engineering; options B and C are incorrect. Penetration tests occur in the production environment, not on pre- deployment software; option D is incorrect.

12. Software developers designing applications for the cloud should expect to include options to ensure all of the following capabilities except ____ 1. Encryption of data at rest 2. Encryption of data in transit 3. Data masking 4. Hashing database fields

12. D. Not all programs (or organizations) will require database access, or even use databases, and hashing is not a common requirement. the other functions are expected in the majority of cloud operations.

13. In a platform as a service (PaaS) model, who should most likely be responsible for the security of the applications in the production environment ? 1 Cloud customer 2. Cloud provider 3. Regulator 4. Programmers

13. A. In PaaS, the customer is responsible for the administration (and security) of applications. Neither regulators nor programmers are responsible for the security of the applications in the production environment. That is the responsibility of the cloud customer. It may appear as though the cloud provider should be responsible for application security, however, as the cloud customer acquires more responsibility for their cloud environment, the cloud provider assumes less responsibility. Option B is incorrect.

14. In the testing phase of the software development lifecycle (SDLC), software performance and what should both be reviewed. 1. Quality 2. Brevity 3. Requirements 4. Security

14. D. Performance and security both need to be reviewed for adequacy. In this context, quality would be synonymous with performance and requirements, so D is a better answer than A or C. Brevity is not a trait w. look for in testing, exen though it may be desirable in programming, so B is incorrect.

15. Regardless of which model the organization uses for system development, in which phase of the software development lifecycle (SDLC) will user input be requested and considered? 1. Define 2. Design 3. Develop 4. Detect

15. A. In the Define phase, we're trying to determine the purpose of the software, in terms of meeting the users' needs; therefore, we may solicit input from the user community in order to figure out what they really Options B and C are other phases of the SDLC, but not all SDLC models incorporate user input in these phases, so the options are not correct. Option D is not a phase of the SDLC and is incorrect.

16. Which phase of the software development lifecycle (SDLC) is most likely to involve crypto-shredding? 1. Define 2. Design 3. Test 4. Disposal

16. D. Disposal is the only phase concerned with the sanitization of media or destruction of data. All the other options are also SDLC phases, however, cwpto-shredding is much more likely to be used in the disposal phase.

17. Where are business requirements most likely to be mapped to software construction ? 1. Define 2. Design 3. Test 4. Secure Operations

17. B. Design is the correct answer, as this is where the requirements gathered during the Define phase are mapped to system designs. All the other options are SDLC phases where requirements are not mapped to software construction.

18. Which of the following are usually nonfunctional requirements except _____ 1. Color 2. Sound 3. Security 4. Function

18. D. Function is usually the functional requirement, describing what action the tool/process satisfies. the others are usually nonfunctional requirements. Exceptions to this are when the characteristic listed is the actual desired function. For instance, if the product is a tool that enunciates text so that a blind user can hear the words, then sound would be the functional requirement. If the product is a security tool such as a firewall or data loss prevention (DLP) solution, then security would be a functional requirement. Otherwise, these are nonfunctional requirements for standard products.

19. Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that may not have been as important in the traditional environment? 1. Identity and access management (IAM) capability 2. Distributed denial of service (DDoS) resistance 3. Encryption for data at rest and in motion 4. Field validation

19. C. Traditional apps won't usually require encryption in all phases of the data lifecycle because data is protected in several stages in the traditional environment without the need for additional controls. In the cloud environment, however, data exposed at any point in the lifecycle might constitute an inadvertent disclosure, so cloud apps require encryption for data at rest and in motion (and usually in use as well). Even traditional apps require IAM and field validation functions, so options A and D are incorrect. Most anti-DDoS activity will be performed by hardware and communication software run by the cloud provider or Internet service provider (ISP); developers should not typically need to include anti-DDoS elements in their programs. Option B is incorrect.

2. According to ISO 27034, there is one Organizational Normative Framework (ONF) in the organization, and Application Normative Framework (ANFLs) for each application within that organization. 1. Many 2. Three 3. No 4. One

2. D. Each application will have its own ANF, derived from the organization's ONF. This can be a difficult question because there are many ANFs in the organization, but only one for each application. The reader needs to examine the question carefully.

20. Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that might not have been as important in the traditional environment? 1. Application isolation 2. Inference framing 3. Known secure library components 4. Testing that uses known bad data

20. A. Because the cloud is a multitenant environment, one of the concerns that developers should consider is how well the application prevents other applications/users from observing its operation and resource calls. In the traditional environment, this is not usually required because the organization owns the underlying infrastructure (as a single tenant) and there is very little risk in ex-posing the application's functionality. Inference framing is a nonsense term, used here only as a distractor. Software should include known secure components, and testing should include known bad data (fuzz testing), whether it is going to be used in the cloud or in a traditional environment, so options C and D are incorrect.

21. Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may not be able to use as readily in the cloud environment as it was deployed in the traditional environment ? 1. Cryptography 2. STRIDE testing 3. Field validation 4. Logging

21. D. The cloud provider may have controls that restrict logging, or the delivery of log data, in the environment; this can make it complicated for cloud developers to include that functionality/ security element in cloud apps. the other options are things that can (and should) be done with software whether the application is being used in traditional or cloud environments, so those options are incorrect.

22. Which of these can affect the quality of service expected from an application except ____ 1. Encryption 2. Egress monitoring 3. Anti-malware tools 4. Use of known secure libraries/ components

22. D. Using only known secure libraries and components in software design may slow down development efforts but shouldn't impact how the application runs. the other options are security controls that will degrade performance because they require additional overhead; these options are incorrect.

23. The possibility that a user could gain access or control of an application so as to take on administrator or management capabilities is called 1. Inversion 2. Spoofing 3. Repudiation 4. Escalation of privilege

23. D. This is the definition of escalation of privilege (sometimes referred to as "elevation of privilege"). Inversion is a nonsense term in this context and just a distractor. Options B and C are threat modeling elements but are not correct answers for this question.

24. Which of the following is not checked when using the STRIDE threat model ? 1. The ability of users to gain administrative access rights without proper permission 2. The ability of internal personnel to trigger business continuity/' disaster recovery activities 3. The ability of a participant in a transaction to refute that they've taken part in the transaction 4. The ability of an unauthorized user to pretend to be an authorized

24. B. The STRIDE threat model does not deal with business continuity and disaster recovery (BC/ DR) actions. the other options are elements of STRIDE (escalation of privilege, repudiation, and spoofing, respectively) and are therefore not correct.

25. It is very likely that your organization's users will use unapproved application programming interfaces (APIs), especially in a bring your own device (BYOD) environment, because ____ 1. Users are constantly trying to break the security of your environment 2. APIs can't ever be secure 3. Hackers are constantly infiltrating all APIs 4. Users enhance their productivity however they can

25. D. Users in the production environment xvill leverage whatever tools and techniques they can in order to get their job done in a better, faster way, often regardless of whether this complies with security policies. the other options are untrue and therefore cannot be the correct answer. For test-taking purposes, be very suspicious of words like, "constantlf' and "can't ever" in answer choices.

26. Some current software developers are not aware of security problems within the programs they're creating because 1. Young programmers are not nearly as disciplined in their coding practices as older programmers 2. Some current programmers don't write code line by line and instead use code component libraries 3. Coding languages have not been secure for 20 years 4. Users are not clear in defining their requirements at the outset of the software development lifecycle (SDLC)

26. B. Because many programs are currently constructed from "building block" components found in code libraries, any security issues within specific components may not be understood or identified by coders who don't know the code inside the component. Option A is an unfair generalization. Option C is another broad generalization that may or may not be true. Option B is a better answer. Option D does not relate to the question about the SDLC and is therefore a poor choice for an answer.

27. What is the most secure form of code testing and review? 1. Open source 2. Proprietary/internal 3. Neither open source nor proprietary 4. Combination of open source and proprietary

27. D. Obviously, using multiple forms of code review will produce more secure results than any one form of review, in the same way that having multiple forms of security controls (physical, logical, administrative, etc.) will provide better security than just one type.

28. What is the major difference between authentication and authorization? 1. Code verification/ code implementation 2. Identity validation/ access permission 3. Inverse incantation/ obverse instantiation 4. User access/privileged access

28. B. This is the textbook definition of these terms. All the other options are Incorrect answers.

29. Access should be based on _____ 1. Regulatory mandates 2. Business needs and acceptable risk 3. User requirements and management requests 4. Optimum performance and security provision

29. B. Business needs and risk acceptable to senior management should drive all organizational decisions, including access. Specific user or object access will, of course, be delegated down from senior management to a manageable layer of the organization, but the principle applies.

3. What language is used in the Simple Object Access Protocol (SOAP) application design protocol? 1. Hypertext Markup Language (HTML) 2. X.509 3. Extensible Markup Language (XML) 4. Hypertext Transfer Protocol (HTTP)

3. C. SOAP necessarily uses XML. HTML is a language used to tag text files so that they can be displayed with different fonts, colors, graphics and hyperlinks. HTML is not used in SOAP. Option A is incorrect. Option B is incorrect because X.509 is a standard and the question is about a programming language. Option D is incorrect because HTTP is protocol and the question is about a programming language.

30. Who should determine which users have access to which specific objects? 1. The cloud provider 2. Senior management 3. Data owners 4. System administrators

30. C. The data owner is responsible for the disposition of the data under their control; this includes access decisions.

31. Which of the following are identity federation standards commonly found in use today except ____ 1. WS-Federation 2. OpenlD 3. OAuth (Open Authorization) 4. Pretty Good Privacy (PGP)

31. D. PGP is an email encryption tool, not an identity federation standard. the other options are federation standards.

32. Which of the following is a federation standard/ protocol that does not rely on Simple Object Access Protocol (SOAP), Security Assertion Markup Language (SAML), or Extensible Markup Language (XML)? 1. WS-Federation 2. OpenlD Connect 3. Service Organization Control (SOC) 2 4. Open Web Application Security Project (OWASP)

32. B. OpenlD Connect is a federation protocol that uses representational state transfer (REST) and JavaScript Object Notation (JSON); it was specifically designed with mobile apps in mind, instead of only web- based federation. WS-Federation is a federation protocol that is part of the WS-Security family of standards and reliant on Simple Object Access Protocol (SOAP), so option A is incorrect. Option C is incorrect; SOC 2 is a type of Statement on Standards for Attestation Engagements (SSAE) 18 audit report, not a federation standard. OWASP is a volunteer group of and for web app developers, not a federation standard or protocol, so option D is incorrect.

33. Authentication mechanisms typically include any or all of the following what except ____ 1. Something you know 2. Someone you know 3. Something you have 4. Something you are

33. B. Because there is no transitive property of identification and authentication, knowing a trusted entity is not sufficient for validating an identity assertion. the other options are typical authentication mechanisms and so are incorrect.

34. Which of the following constitutes a multifactor authentication process or procedure? 1. Using an automated teller machine (ATM) to get cash with your credit or debit card 2. Using a password and personal identification number (PIN) to log into a website 3. Presenting a voice sample and fingerprint to access a secure facility 4. Displaying a birth certificate and a credit card

34. A. At the ATM, the customer will use the card (something you have) and enter a PIN (something you know). This is true multifactor authentication.

35. Typically, multifactor authentication should be used 1. In every IT transaction 2. For high-risk operations and data that is particularly sensitive 3. When remote users are logging into the cloud environment 4. Only in the traditional environment

35. B. Multifactor authentication should be considered for operations that have a significant risk or that deal with highly sensitive data (for instance, privileged user logins or when handling financial transactions).

36. A web application firewall (WAF) usually operates at Layer what of the Open Systems Interconnection (OSI) model. 1. 2 2. 3 3. 7 4. Q

36. C. A WAF is a Layer 7 tool. the other options are incorrect.

37. A web application firewall (WAF) can understand and act on traffic. 1. Malicious 2. Simple Mail Transfer Protocol (SMTP) 3. Internet Control Message Protocol (ICMP) 4. Hypertext Transfer Protocol (HTTP)

37. D. WAFs recognize HTTP traffic and can respond to traffic that matches prohibited rulesets or conditions.

38. WAFs can be used to reduce the likelihood that what attacks will be successful. 1. Social engineering 2. Physical theft 3. Obverse inflection 4. Cross-site scripting

38. D. WAFs can be used to attenuate the possibility that cross-site scripting attacks will be successful. WAFs do not protect against social engineering or physical attacks in any way, so options A and B are incorrect. Option C is a nonsense term and is therefore incorrect.

39. A database activity monitor (DAM) tool usually operates at Layer what of the Open Systems Interconnection (OSI) model. 1. 2 2. 3 3. 7 4. Q

39. C. A DAM is a Layer 7 tool. the other options are incorrect.

4. Typically, representational state transfer (REST) interactions do not require 1. Credentials 2. Sessions 3. Servers 4. Clients

4. B. Generally, a REST interaction involves the client asking the server (through an application programming interface (API) for data, sometimes as the result of processing; the server processes the request and returns the result. In REST, an enduring session, where the server has to store some temporary data about the client, is not necessary. These interactions obviously involve servers and clients, so options C and D are not correct. Using REST does not eliminate the need for credentials, so option A is not correct.

40. Database activity monitors (DAMs) can be used to reduce the potential success of what attacks 1 SQL injection 2. Cross-site scripting 3. Insecure direct-object reference 4. Social engineering

40. A. DAMs can be used to reduce the possibility that SQL injection attacks will be successful. DAMs do not protect against cross-site scripting, insecure direct-object reference, or social engineering attacks in any way, so options B, C, and D are incorrect.

41. Which security tool can perform content inspection of Secure File Transfer Protocol (SFTP) communications? 1. Web application firewall (WAF) 2. Database activity monitor (DAM) 3. Extensible Markup Language (XML) gateway 4. Single sign-on (SSO)

41. C. The XML gateway can provide this functionality, it acts as a reverse proxy and can perform content inspection on many traffic protocols. The WAF and DAM are also security tools that inspect traffic but do not usually handle SFTP content, so options A and B are incorrect. Option D, single sign-on, concerns authentication functions, not communications traffic, and is only a distractor in this context.

42. To deploy a set of microservices to clients instead of building one monolithic application, it is best to use a(n) what coordinate client requests. 1. Extensible Markup Language (XML) gateway 2. Application programming interface (API) gateway 3. Web application firewall (WAF) 4. Database activity monitor (DAM)

42. B. An API gateway translates requests from clients into multiple requests to many microservices and delivers the content as a whole via an API it assigns to that client/session. XML gateways, WAFs, and DAMs are also tools used frequently in cloud-based enterprises, but they do not handle microservice requests meaningful way.

43. Firewalls can detect attack traffic by using all these methods except _____ 1. Known past behavior in the environment 2. Identity of the malicious user 3. Point of origination 4. Signature matching

43. B. While it would be wonderful, for security purposes, to know the identity of attackers before or while they're making an attack, this is information the attacker doesn't usually share. the other options are methods firewalls can use to recognize attacks.

44. Transport Layer Security (TLS) provides for communications. 1. Privacy, security 2. Security, optimization 3. Privacy, integrity 4. Enhancement, privacy

44. C. TLS maintains the confidentiality and integrity of communications, often between a web browser and a server. In this context, privacy and security mean much the same thing; privacy is synonymous with confidentiality, which is a subset of the overall topic of security. Therefore, option A is repetitive and not TLS does not optimize performance or add any sort of enhancement, so options B and D are incorrect.

45. Transport Layer Security (TLS) uses a new ____ for each secure connection. 1. Symmetric key 2. Asymmetric key 3. Public-private key pair 4. Inverse comparison

45. A. TLS uses symmetric key crypto for each communications session in order to secure the connection; the session key is uniquely generated each time a new connection is made. Options B and C are names for another type of encryption. Asymmetric encryption is also used in establishing a secure TLS connection; however, the keys used in this portion of the process will not change from session to session, and therefore these options are incorrect. Option D is a nonsense term and is therefore incorrect.

46. A virtual private network (VPN) is used to protect data in transit by _________ 1. Securing each end of a client-server connection 2. Creating an encrypted tunnel between two endpoints 3. Encrypting databases 4. Restricting key access to only eight parties

46. B. A VPN is a temporary, synthetic encrypted tunnel between two endpoints (often a client and a server). Option A is subtly misleading; the VPN secures the connection between two endpoints, not the ends of the connection.

47. The employment of users in dynamic software testing should best be augmented by 1. Having the developers review the code 2. Having the developers perform dynamic testing 3. Using automated agents to perform dynamic testing 4. Social engineering

47. C. Users may not offer enough coverage for larger software products that have a great deal of functionality; it can be useful to also use automated agents to checks paths that users might not often attempt or utilize.

48. Why do developers have an inherent conflict of interest in testing software they've created? 1. They are notoriously bad, as a group, at testing. 2. They work for the same department as the testing personnel. 3. They have a vested interest in having the software perform well. 4. They are never trained on testing procedures.

48. C. This is the definition of "conflict of interest." the other answers are incorrect.

49. Sandboxing can often be used for _______ 1. Optimizing the production environment by moving processes that are not frequently used into the sandbox 2. secure remote access for users who need resources in the cloud environment 3. Running malware for analysis purposes 4. Creating secure subnets of the production environment

49. C. A sandbox can be used to run malware for analysis purposes as it won't affect (or infect) the production environment; it's worth noting, though, that some malware is sandbox-aware, so additional anti- malware measures are advisable.

5. Representational state transfer (REST) application programming interfaces (APIs) use protocol verbs. 1. Hypertext Markup Language (HTML) 2. Hypertext Transfer Protocol (HTTP) 3. Extensible Markup Language (XML) 4. American Standard Code for Information Interchange (ASCII)

5. B. Roy Fielding, the author of the PhD dissertation that created REST, was also the author of HTTP, so it's no surprise the command set is the same. the other options are incorrect because the REST APIs do not use HTML, XML or ASCII as protocol verbs

50. Sandboxing can often be used for _____ 1. Testing user awareness and training 2. Testing security response capabilities 3. Testing software before putting it into production 4. Testing regulatory response to new configurations and modifications

50. C. Software that has either been purchased from a vendor or developed internally can be tested in a sandboxed environment that mimics the production environment in order to determine whether there will be any interoperability problems when it is installed into actual production. All the other options aren't uses for sandboxes and are incorrect.

51. Application virtualization can typically be used for _________ 1. Running an application in a non-native environment 2. Installing updates to a system's operating system (OS) 3. Preventing escalation of privilege by untrusted users 4. Enhancing performance of systems

51. A. Virtualized applications can run on platforms that wouldn't otherwise allow them to function, such as running Microsoft apps on a Linux box. Because the virtualization engine encapsulates the application from the native runtime environment, patches can't be applied through virtualized programs;

52. Application virtualization can typically be used for ___________ 1. Denying access to untrusted users 2. Detecting and mitigating distributed denial of service (DDoS) attacks 3. Replacing encryption as a necessary control 4. Running an application on an endpoint without installing it

52. D. Application virtualization allows the software to run on a simulated environment on the device without the need to install it on the device.

53. Any organization that complies with ISO 27034 will have a maximum of ________Organizational Normative Framework(s) (ONF) 1. 0 2. 1 3. 5 4. 25

53. B. ISO 27034 dictates that an organization will have a collection of security controls used for all software within that organization; this collection is called the ONF. the other options are distractors and incorrect.

54. Under ISO 27034, every application within a given organization will have an attendant set of controls assigned to it; the controls for a given application are listed in the ___________ 1. ONF 2. ANF 3. TTF 4. FTP

54. B. Each application in an organization compliant with ISO 27034 will be assigned an Application Normative Framework (ANF), which lists all the controls assigned to that application.

55. Static application security testing (SAST) is usually considered a ___________________form of testing. 1. White-box 2. Black-box 3. Gray-box 4. Parched field

55. A. SAST is often referred to as white-box testing. Black-box testing does not include access to source code, which is required for SAST.

56. Static application security testing (SAST) examines __________ 1. Software outcomes 2. User performance 3. System durability 4. Source code

56. D. In SAST, testers review the source code of an application in order to determine security flaws and operational errors. While determining "software outcomes" may be considered a possible goal of SAST, "source code" is a much better answer as it is more specific and applicable to the question. Option D is still preferable. SAST does not check user performance or system durability; options B and C are incorrect.

57. Dynamic application security testing (DAST) is usually considered a ___________ form of testing. 1. White-box 2. Black-box 3. Gray-box 4. Parched field

57. B. DAST is often referred to as black-box testing. White-box testing requires the tester to have access to source code, which is not provided in DAST. Option A is therefore incorrect. Option C is a combination of black-box and white-box testing so option C is an incorrect answer for this question. Option D has no meaning in this context.

58. Dynamic application security testing (DAST) checks software functionality in __________ 1. The production environment 2. A runtime state 3. The cloud 4. An laaS configuration

58. B. DAST is performed while the application is running. Software testing should not take place in the production environment; option A is incorrect. DAST, like other forms of testing, may or may not take place in the cloud and is not confined to any particular service model (although it is unlikely to occur in software as a service CSaaS) environments); options C and D are incorrect.

59. Vulnerability scans are dependent on ________ in order to function. 1. Privileged access 2. Vulnerability signatures 3. Malware libraries 4. Forensic analysis

59. B. Vulnerability scans use signatures of known vulnerabilities to detect and report those vulnerabilities. Vulnerability scans do not typically require administrative access to function; option A is incorrect. Both malware libraries and forensic analysis of existing vulnerabilities may be used to create the signatures that vulnerability scanning tools utilize to detect and report vulnerabilities; however, these answers are too specific (limiting the answer), making option B a better answer than either C or D.

6. The architecture of the World Wide Web, as it works today, is 1. JavaScript Open Notation (JSON) 2. Denial of service (DOS) 3. Representational state transfer (REST) 4. Extensible Markup Language (XML)

6. C. The web is mainly HTTP, which is a RESTful protocol. the other options are incorrect because they do not answer the question about the architecture of the World Wide Web.

60. Due to their reliance on vulnerability signatures, vulnerability scanners will not detect _________ 1. User error 2. Improper control selection 3. Cloud vulnerabilities 4. Unknown vulnerabilities

60. D. Because vulnerability scanning tools require vulnerability signatures to operate effectively, unknown vulnerabilities that might exist in the scanned system won't be detected (no signature has been created by vendors until a vulnerability is known).

61. Penetration testing is a(n) ___________ form of security assessment. 1. Active 2. Comprehensive 3. Total 4. Inexpensive

61. A. A penetration test requires the tester to analyze the security of an environment from the perspective of an attacker; this also includes actually taking action that would result in breaching that environment.

62. Dynamic software security testing should include __________ 1. Source code review 2. User training 3. Penetration testing 4. Known bad data

62. D. Also called fuzz testing, dynamic testing methods should include known bad inputs in order to determine how the program will handle the "wrong" data (will it fail into a state that is less secure than normal operations, etc.)

63. According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _________ 1. Information gathering 2. User surveys 3. Configuration and deployment management testing 4. Identity management testing

63. B. User surveys are not an element of active security testing, although they might be used in acceptance testing. All of the other options are included in the OWASP guide to active security testing.

64. According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______ 1. Authentication testing 2. Authorization testing 3. Session management testing 4. Privacy review testing

64. D. Privacy review testing is not included in the OWASP guide to active security testing, although it might be included as an aspect of compliance testing (for organizations in highly regulated industries). All of the other options are included in the OWASP guide to active security testing.

65. According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except ________ 1. Session initiation testing 2. Input validation testing 3. Testing for error handling 4. Testing for weak cryptography

65. A. While session management testing is included in the OWASP guide to active software security testing, session initiation is not. All of the other options are included in the OWASP guide to active security testing.

66. According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______ 1. Business logic testing 2. Client-side testing 3. Intuition testing 4. Information gathering

66. C. Intuition testing is not part of the OWASP guide to active security testing. All of the other options are included in the OWASP guide to active security testing.

67. Static software security testing typically uses ____________ as a measure of how thorough the testing was. 1. Number of testers 2. Flaws detected 3. Code coverage 4. Malware hits

67. C. This metric is usually expressed as a percentage of lines of code. For example, "SAST covered 90% of the source code."

68. Dynamic software security testing typically uses ___________ as a measure of how thorough the testing was. 1. User coverage 2. Code coverage 3. Path coverage 4. Total coverage

68. C. In dynamic software security testing, the objective is to test a significant sample of the possible logical paths from data input to output.

69. Software security testing should involve both known good and known bad data in order to simulate both __________ and _______ 1. Managers, users 2. Regulators, users 3. Vendors, users 4. Users, attackers

69. D. Known good data is used to determine if the software fulfills the business requirements for which it was acquired. Known bad data tests the ability of the software to handle inputs and conditions that might put it into a fail state; these inputs and conditions can be invoked either purposefully (by attackers) or inadvertently (by users who make mistakes). Testing does not attempt to mimic managers, regulators, or vendors, so the other answers are incorrect.

7. RESTful responses can come from the server in ____ or ___ formats. 1. Extensible Markup Language (XML), JavaScript Open Notation (JSON) 2. Hypertext Transfer Protocol (HTTP), X. 509 3. American Standard Code for Information Interchange (ASCII), text 4. Hypertext Markup Language (HTML), Extensible Markup Language (XML)

7. A. Servers can return REST requests to clients in a number of formats, including XML and JSON. X .509 certificates are used for passing session encryption information, not data requests, so option B is incorrect. Servers usually return data requests in some sort of display format, not plain text or ASCII, so option C is incorrect. HTML responses would simply be an entire web page, not specific data, so option D is incorrect.

70. Training programs should be tracked and monitored in order to fulfill both ________ and _______ requirements. Choose the best response. 1. Business, security 2. Regulatory, legal 3. User, managerial 4. Vendor, supplier

70. B. This is not a simple question, and more than one answer could be construed as correct, but option B is the best answer. Tracking and monitoring personnel training is absolutely vital in order to demonstrate regulatory requirements (and many, if not all, organizations are obligated to comply with some regulation that mandates user training) and legal requirements (as an element of due diligence in the modern workplace).

71. Task-centric training is typically for __________ 1. personnel 2. Specific personnel 3. Management personnel 4. HR personnel

71. B. Training is usually a formal process involving detailed information. This is for those personnel who are involved with the specific topic or task for which the training is intended

72. Awareness training is typically for _________ 1. personnel 2. Specific personnel 3. Management personnel 4. HR personnel

72. A. Awareness efforts are usually intended to reach as wide an audience as possible within the organization, for generalized information. For instance, fire drills are awareness exercises; everyone in the facility needs to know how to get out and where to go. Specific personnel, management personnel, and HR personnel would all receive task-centric training in addition to the awareness instruction that all personnel receive. Options B, C, and D are incorrect.

73. Why is cloud security training particularly important for software developers? 1. Software developers are the mainstay of every cloud environment. 2. You can't have a cloud environment without software developers. 3. Security controls cannot be added to software after the fact and must be included from the very first steps of software development. 4. Many modern software developers don't understand how the code underlying the libraries they use actually works.

73. D. Modern developers usually aren't writing code—they are recombining library components in novel ways to create new functionality. They may not understand the security risks associated with their work, especially for the cloud environment, which entails a different set of challenges from the traditional environment, which the developers might be more familiar with.

74. Software developers should receive cloud-specific training that highlights the challenges involved with having a production environment that operates in the cloud. One of these challenges is ___________ 1. The massive additional hacking threat, especially from foreign 2. The prevalent use of encryption in all data life-cycle phases 3. Drastic increase of risk due to distributed denial of service (DDoS) attacks 4. Additional regulatory mandates

74. B. Because cloud operations are so dependent on encryption protections in all data life-cycle phases, developers will have to accommodate the additional overhead and interoperability encryption The hacking threat (foreign or otherwise) does not change whether the target is the cloud or the (connected) traditional environment;

75. Software developers should receive cloud-specific training that highlights the challenges involved with having a production environment that operates in the cloud. One of these challenges is __________ 1. Lack of management oversight 2. Additional workload in creating governance for two environments (the cloud data center and client devices) 3. Increased threat of malware 4. The need for process isolation

75. D. Because shared resources in the cloud may mean increased opportunity for side-channel attacks, developers will have to design programs to function in a way that ensures process isolation.

76. Which security technique is most preferable when creating a limited functionality for customer service personnel to review account data related to sales made to your clientele? 1. Anonymization 2. Masking 3. Encryption 4. Training

76. B. Masking allows customer service representatives to review clients' sales and account information without revealing the entirety of those records (for instance, obscuring credit card numbers except for the last four digits).

77. At which phase of the software development lifecycle (SDLC) is user involvement most crucial? 1. Define 2. Design 3. Develop 4. Test

77. A. While some development models allow for user involvement in the entirety of the process, user input is most necessary in the Define phase, where developers can understand the business/user requirements— what the system/ software is actually supposed to produce, in terms of function and performance. All the other options are beneficial phases to gauge user input, but not as crucial as option A.

78. At which phase of the software development lifecycle (SDLC) should security personnel first be involved ? 1. Define 2. Design 3. Develop 4. Test

78. A. The earlier security inputs are included in the project, the more efficient and less costly security controls are overall. The Define phase is the earliest part of the SDLC. All the other options are later phases and incorrect.

79. At which phase of the software development lifecycle (SDLC) is it probably most useful to involve third-party personnel? 1. Define 2. Design 3. Develop 4. Test

79. D. During testing, getting outside perspective is invaluable, for both performance and security purposes; internal development and review capabilities are enhanced by augmentation from external parties. the other phases are not normally appropriate for external participation.

8. Which of the following is an informal industry term for moving applications from a traditional environment into the cloud? 1. Instantiation 2. Porting 3. Grandslamming 4. Forklifting

8. D. All the other options are simply words used in other contexts. They are incorrect.

80. In software development lifecycle (SDLC) implementations that include a Secure Operations phase, which of the following security techniques or tools are implemented during that phase? 1. Vulnerability assessments and penetration testing 2. Performance testing and security control validation 3. Requirements fulfillment testing 4. Threat modeling and secure design review

80. A. Once the system is deployed operationally, continuous security monitoring, including periodic vulnerability assessments and penetration testing, is recommended. All the other options are security functions that should take place in phases prior to the system's deployment.

81. A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls _____ 1. Can lead to data breaches 2. Causes electromagnetic interference 3. Will affect quality of service 4. Can cause regulatory noncompliance

81. C. Security and operations are always inversely related; excessive controls necessarily degrade performance. Excessive use of controls should not lead to more data breaches; if anything, it may reduce their occurrence. However, it is more likely that there will be no effect. Option A is incorrect. Many controls don't affect the electromagnetic spectrum in any way.

82. A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls _____ 1. Can lead to distributed denial of service (DDoS) 2. malware infections 3. Increases the risk of adverse environmental effects 4. Is an unnecessary expense

82. D. From a simple financial perspective (which is often the managerial perspective), money spent on excessive anything is money wasted; spending to no good effect is detrimental. Overuse of controls should not result in greater risks of DDoS, malware, or environmental threats in any way. Options A, B, and C are incorrect

83. A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls _____ 1. Can lead to customer dissatisfaction 2. Is a risk to health and human safety 3. Brings down the organization's stock price 4. Negates the need for insurance

83. A. If excessive controls impact the user/customer experience to the extent that system response speeds and results are delayed significantly, and performance is degraded to the point where competitors' systems are far superior, customer dissatisfaction can be a severe problem.

84. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be used to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider's permission. This allows you to catalog all APIs that have accessed and manipulated company data that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. Of the following, what is the most reasonable immediate action? 1. Delete accounts of all users who had utilized unapproved APIs to access company data. 2. Suspend access for all users who had utilized unapproved APIs to access company data. 3. Block all unapproved APIs from accessing company data. 4. Notify whomever you report to in the company hierarchy, and suggest bringing the matter to the attention of senior management immediately.

84. D. The problem in this case is not so much that policies have been violated or that, in a more literal sense, the unapproved APIs are being used to access the data, the problem is that the violations are so pervasive and extensive that taking any immediate direct action might interfere with business activity in a drastic and potentially harmful way.

85. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be used to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider's permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. You've brought the matter to the attention of the chief executive officer (CEO), who understands the issue and asks for your recommendation. What is probably the best suggestion? 1. Gather more data about how users are utilizing the APIs and for what purposes. 2. Delete accounts of all users who had utilized unapproved APIs to access company data. 3. Suspend access for all users who had utilized unapproved APIs to access company data. 4. Block all unapproved APIs from accessing company data

85. A. Again, before taking any action that might impact operations, it would probably be best to figure out the actual user needs being met by the unapproved APIs, and the severity of impact if they were removed from service, before performing the actions described in options B, C, and D.

86. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be utilized to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider's permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. Upon performing an information-gathering investigation at the behest of the chief executive officer (CEO), you determine that these APIs increased productivity 387 percent over the period since they were adopted, at a cost that is negligible compared to getting even one API through the company's current approval process. What is your suggestion on how to handle the situation ? 1. Retroactively put all the APIs currently in use through the formal approval process, and require that all future APIs users want to install also get approved. 2. Have the CEO waive formal approval processing for all APIs currently in use, granting them approval, but require all future APIs be approved through that process. 3. Punish all employees who have installed or used any of the rogue APIs for violating company policy. 4. Change the policy.

86. D. It's hard to argue with success; operational capability and security are always a trade-off, but this kind of productivity increase with little attendant cost is probably too good to pass up.

87. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be utilized to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider's permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. As a subject matter expert, what should you also recommend to the chief executive officer (CEO)? 1. Reward the users who committed the infractions, for aiding the company even when they were violating the policy. 2. Replace all the personnel that violated the policy, and have the new personnel use the new policy from their start of hire. 3. Restrict user access to possible APIs. 4. Augment the current set of security controls used by the company in order to offset risks posed by the anticipated use of even more APIs from unknown sources.

87. D. APIs chosen by users may or may not have integral security and probably weren't chosen according to how secure they are; because the company will continue to be exposed to additional risks from these (and future) APIs, additional security controls are absolutely necessary. However, personnel actions and draconian enforcement efforts at this point would be pointless and vindictive, and probably counter to the company's interests. Options A, B, and C are incorrect.

88. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also allow users to select which application programming interfaces (APIs) they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you'd like to implement to offset the risk(s) incurred by this practice? 1. Encrypt all routers between mobile users and the cloud. 2. Use additional anti-malware detection capabilities on both user devices and the environment to which they connect. 3. Implement strong multifactor authentication on all user-owned devices. 4. Employ regular performance monitoring in the cloud environment to ensure that the cloud provider is meeting the service level agreement (SLA) targets.

88. B. Because untrusted APIs may not be secured sufficiently, increased vigilance for the possibility of introducing malware into the production environment is essential. It is impossible to encrypt devices that don't belong to the organization. Option A is incorrect. Securing access to user owned devices is admirable, but it has no effect at all on securing the device (or production environment) from risks due to installed APIs; option C is incorrect. This is a security question, and option D addresses performance; this is incorrect.

89. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also allow users to select which application programming interfaces (APIs) they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you'd like to implement to offset the risk(s) incurred by this practice? 1 Regular and widespread integrity checks on sampled data throughout the managed environment 2. More extensive and granular background checks on all employees, particularly new hires 3. Inclusion of references to all applicable regulations in the policy documents 4. Increased enforcement of separation of duties for all workflows

89. A. In order to detect possible erroneous or malicious modification of the organization's data by unauthorized or security-deficient APIs, it's important to take representative samples of the production data on a continual basis and perform integrity checks.

9. Developers creating software for the cloud environment should bear in mind cloud-specific risks such as what and what 1. DOS and DDoS (denial of service and distributed denial of service) 2. Multitenancy and third-party administrators 3. Unprotected servers and unprotected clients 4. Default configurations and user error

9. B. All the other options are risks that exist in the traditional environment as well as the cloud.

90. You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also allow users to select which application programming interfaces (APIs) they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you'd like to implement to offset the risk(s) incurred by this practice? 1. Enact secure connections between the user devices and the cloud environment using end-to-end encryption. 2. Enact secure connections between the user devices and the cloud environment using link encryption. 3. Employ additional user training. 4. Tunnel all connections with a virtual private network (VPN).

90. C. Additional user training would be helpful in this situation, particularly any information that helps users understand the reasons APIs from unknown sources might be less secure and the potential impacts from using them. the other answers are incorrect; securing the connection between endpoints and the cloud is irrelevant in protecting against risks caused by software installed on the client devices.

91. Users in your organization have been leveraging application programming interfaces (APIs) for enhancing their productivity in the cloud environment. To ensure that you are securing API access to the production environment, you should deploy _____ 1. Secure Sockets Layer (SSL) and message-level cryptography 2. Transport Layer Security (TLS) and message-level cryptography 3. SSL and whole drive encryption 4. TLS and whole drive encryption

91. B. Cryptography for the two main types of APIs is required; this is TLS for representational state transfer (REST) and message-level encryption for Simple Object Access Protocol (SOAP).

92. You implement identity and access management (IAM) in order to control access between subjects and objects. What is the ultimate purpose of this effort? 1. Identification. Determine who the specific, individual subjects are. 2. Authentication. Verify and validate any identification assertions. 3. Authorization. Grant subjects permissions to objects once they've been authenticated. 4. Accountability. Be able to reconstruct a narrative of who accessed

92. D. Accountability is the end purpose of all IAM efforts; all the other options are the elements of IAM that support this effort.

93. ________ is perhaps the main external factor driving identity and access management (IAM) efforts. 1. Regulation 2. Business need 3. The evolving threat landscape 4. Monetary value

93. A. Regulatory compliance has historically driven IAM efforts.

94. Whether in a cloud or traditional environment, it is important to implement both __________ and ____ access controls. 1. Internal and managed 2. Provider and customer 3. Physical and logical 4. Administrative and technical

94. C. Both physical and logical controls are possible (and necessary) to implement in both environments.

95. Access to specific data sets should be granted by ___________ 1. The data subjects 2. The data owners 3. The data processors 4. The data regulators

95. B. The data owner is most familiar with the risks and impacts associated with the data sets under their control. The data subject may grant permission for a data owner to have the subject's data but will not govern the granular assignment of access rights.

96. Access should be granted based on all of the following except _______ 1. Policy 2. Business needs 3. Performance 4. Acceptable risk

96. C. Performance should not determine who gets access to which data; the other options are the factors for making this determination.

97. Federation allows _________ across organizations. 1. Role replication 2. Encryption 3. Policy 4. Access

97. D. Federation allows users from multiple member organizations to access resources owned by various members. All the other answers are simply not correct.

98. Federation should be __________ to the users. 1. Hostile 2. Proportional 3. Transparent 4. Expensive

98. C. Federation allows ease of use for access to multiple resource providers; this provides a transparent user mechanism. The goal of federation is to enhance the user experience, the exact opposite of making the environment more hostile to them. Option A is incorrect. Option B is incorrect because it is meaningless in this context. Option D is incorrect. Users typically do not pay for the organization's IT environment.

99. A web application firewall (WAF) understands which protocol(s)? 1. protocols that use the Internet as a medium 2. Transport Layer Security (TLS) 3. Hypertext Transfer Protocol (HTTP) 4. File Transfer Protocol (FTP)

99. C. WAFs apply rulesets to web traffic, which uses HTTP. All the other answers are incorrect.