CSSLP All-in-One Sample Exam (First Edition)
Which of the following are examples of structured data? Choose all that apply. A. Databases B. Microsoft Excel file C. Formatted file structures D. E-mails
Answer: A and C. Databases and formatted file structures are managed by their format: a defined schema or record layout governs what each element is and where it sits. B and D are incorrect. Spreadsheets and e-mails carry free-form content that is not managed by a fixed structure. Hint: Structured is managed via the structure. Reference: Chapter 6: Data Classification and Categorization Objective: 6.4 Types of data
If a certificate has been revoked, as a potential user, what could you use to verify this? Choose all that apply. A. CRL B. SAML C. X.509 D. OCSP
Answer: A and D. Two certificate revocation mechanisms are certificate revocation lists (CRL), periodically published signed lists of revoked certificate serial numbers, and the Online Certificate Status Protocol (OCSP), which answers a status query for a single certificate. B and C are incorrect. SAML is Security Assertion Markup Language, a federation standard. X.509 is the certificate format standard itself, not a revocation mechanism. Hint: How is revocation status published to relying parties? Reference: Chapter 11: Technologies Objective: 11.2 Credential management
If the value for the attack surface of an application is increasing during development, this is a sign of: A. Increasing avenues of attack being available to an attacker B. Need for more security C. An increase in application security level D. Nothing, as the attack surface grows and shrinks on its own
Answer: A. Additional elements of code can bring additional numbers of specific attackable points, raising the attack surface. This may be normal or uncontrolled, but it is measurable. B, C, and D are incorrect; as the code base grows, the number of attack avenues can increase. More security may or may not be needed. Hint: As the application is constructed, size in all things increases. Reference: Chapter 8: Design Processes Objective: 8.1 Attack surface evaluation
Which software development process is characterized by early and frequent deliverables in an incremental fashion? A. Agile B. Waterfall C. Prototype D. Spiral
Answer: A. Agile development is characterized by early deliverables and regular incremental processes. B, C, and D are incorrect. These are all software development methodologies, but they do not provide for early and regular functional deliverables. Hint: Early and frequent are important aspects of one development methodology. Reference: Chapter 4: Software Development Methodologies Objective: 4.3 Software development models
Which of the following would be considered an authentication design defect? A. Combining authentication and authorization B. Propagating authentication permission across an enterprise C. Providing centralized control of authentication D. Delegating authentication to a third party
Answer: A. Authentication and authorization are separate processes and need to remain separate to limit damage should failures occur. B, C, and D are incorrect. These are all commonly seen in the field and used where their specific advantages benefit the system under protection. Hint: Which of these is not a standard process in widespread use? Reference: Chapter 9: Design Considerations Objective: 9.1 Application of methods to address core security concepts
To guard against data being stolen from an enterprise, _____ technology can be employed, but it is complex and difficult to employ in an enterprise of any significant size. A. DLP B. Syslog C. DRM D. Logging
Answer: A. Data loss prevention (DLP) solutions act by screening traffic, looking for traffic that meets profile parameters. B, C, and D are incorrect. B and D are about logging, which might record but not prevent loss. C is digital rights management, which deals with restricting rights for authorized users. Hint: Preventing data loss is the objective. Reference: Chapter 11: Technologies Objective: 11.5 Data loss prevention
Which of the following is used to preserve confidentiality in an application? A. Encryption B. Hashing C. Resilience D. Digital signatures
Answer: A. Encryption provides a means to secure a file from view except to authorized users. B, C, and D are incorrect. Hashing protects against integrity issues, resilience covers availability, and digital signatures provide both integrity and authenticity. Hint: Protect information from unauthorized viewing. Reference: Chapter 9: Design Considerations Objective: 9.1 Application of methods to address core security concepts
To prevent error conditions from cascading or propagating through a system, a designer should: A. Practice complete error mitigation, including error trapping and handling B. Practice safe coding with managed code modules C. Use a language that supports managed code D. Log all user activity for troubleshooting during testing
Answer: A. Errors should always be trapped and managed locally. B, C, and D are incorrect. B and C are about restricting language, when the question does not specify any particular language. D is good practice, but does not address the issue in question. Hint: Focus on how errors propagate through a system. Reference: Chapter 7: Requirements Objective: 7.1 Functional requirements
Data can exist in different states. Examples of these states include: A. At rest, in transit, and being used B. Being updated, being stored, and in the customer's possession C. In a database, encrypted, and held by a third party D. Stored internally, either at a customer or a third party
Answer: A. For the purposes of development and security, these states are at rest or being stored; in transit; or being created, changed, or deleted. B, C, and D are incorrect. They all contain external elements such as a customer or a third party. Hint: Focus on what is internal to the enterprise and, therefore, under enterprise control. Reference: Chapter 6: Data Classification and Categorization Objective: 6.1 Data classification
Requirements that relate directly to business requirements are referred to as: A. Functional B. Operational C. Intrinsic D. Business
Answer: A. Functional requirements describe how the software is expected to function. B, C, and D are incorrect. Operational requirements relate to deployment. Intrinsic and business are simple related-term distractors. Hint: The answer describes how the software is expected to work. Reference: Chapter 7: Requirements Objective: 7.1 Functional requirements
The first step of threat modeling is: A. Identify security objectives B. System decomposition C. Threat identification D. Mitigation analysis
Answer: A. Identifying the security objectives needs to be completed before meaningful work toward them can be accomplished. B, C, and D are incorrect. These are all steps in threat modeling; they just occur after determining the security objectives. Hint: When performing a complex task, is not the goal important? Reference: Chapter 8: Design Processes Objective: 8.2 Threat modeling
All of the following are elements in an attack surface calculation except: A. Memory B. User input fields C. Protocols D. Resource files
Answer: A. Memory is not directly associated with attack surfaces. B, C, and D are incorrect. Attack surfaces can include a wide range of resources associated with the code, including user input fields, protocols, interfaces, resource files, and services. Hint: Which is not a pathway to an input to the system? Reference: Chapter 8: Design Processes Objective: 8.1 Attack surface evaluation
A method of asynchronously moving information between applications is: A. Message queuing B. SOAP C. REST D. Web services
Answer: A. Message queuing allows messages to be stored in queues until the receiver is ready for them. B, C, and D are incorrect; these are all web service-oriented methods and do not specify asynchronous communications. Hint: Asynchronous implies time delays. Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.1 Distributed computing
Passwords and other credential secrets should be accessible by which sets of users? Choose all that apply. A. The user account they apply to B. The system administrator for the particular system C. The account user's boss D. An account for archive/escrow purposes
Answer: A. Passwords and other verification credentials, personal identification numbers (PINs), passphrases, token values, etc., are secrets and should be known only to the user they belong to. B, C, and D are incorrect. No one else, including system administrators, a manager, or an escrow account, should be able to read them; systems should store a salted, slow-hashed verifier rather than the secret itself. Hint: Who should be able to see your password? Reference: Chapter 11: Technologies Objective: 11.1 Authentication and identity management
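The following is an added example, not code from the book, showing how a system honors this answer in practice: it stores a salted PBKDF2 verifier, never the password, so that no administrator or database reader can recover the secret. The iteration count, record format, and the in-memory credential store are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Parameters chosen for this example (assumptions, not from the book).
# The iteration count is kept modest so the demo runs quickly; raise it for production.
KDF_NAME = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def make_verifier(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Derive the value that is stored instead of the password.

    The record is self-describing (kdf$iterations$salt$hash, hex encoded), so the
    parameters can be raised later without invalidating existing accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per account, so equal passwords differ on disk
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{KDF_NAME}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the candidate password and compare in constant time."""
    try:
        kdf, iterations, salt_hex, hash_hex = stored.split("$")
        rounds = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if kdf != KDF_NAME:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(derived, expected)


# Dummy record compared against when the user does not exist, so a failed login
# takes the same time whether or not the account is real (no user enumeration by timing).
_DUMMY_RECORD = make_verifier("dummy-password-for-unknown-users")


def register(store: dict, username: str, password: str) -> None:
    """Store only the verifier; nobody, including administrators, can read the password back."""
    store[username] = make_verifier(password)


def login(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same time, then deny
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = {}  # constructed in-memory credential store
    register(users, "alice", "correct horse battery staple")
    print(users["alice"])  # no trace of the plaintext password
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))  # False
```

An administrator who dumps the store sees only the salted verifier; resetting a forgotten password means issuing a new one, never retrieving the old one.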
A modular architecture based on principles of being platform neutral; interoperable; and with discoverable, contract-based interfaces describes: A. SOA B. SaaS C. Cloud D. SOAP
Answer: A. SOA characteristics include platform neutrality, interoperability, modularity and reusability, abstracted business functionality, contract-based interfaces, and discoverability. B, C, and D are incorrect. SaaS is Software as a Service; the cloud may or may not be service oriented; and SOAP is Simple Object Access Protocol, an XML messaging protocol often used to implement SOA services, not the architecture itself. Hint: Discoverable, contract-based interfaces are related to WSDL. Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.2 Service-oriented architecture
The Microsoft Security Development Lifecycle was built upon a set of principles known as: A. SD3+C B. Trusted computing base C. Address Space Layout Randomization (ASLR) D. Secure by design
Answer: A. The SDL was built on the SD3+C principles: secure by design, secure by default, secure in deployment, and communications. B, C, and D are incorrect. The trusted computing base is not a Microsoft concept. ASLR is a security feature, and secure by design is only one of the principles. Hint: There are four pillars. Reference: Chapter 4: Software Development Methodologies Objective: 4.4 Microsoft Secure Development Lifecycle
All of the following are benefits with virtualization except: A. Improved security from consolidation of servers B. Reduced cost of servers resulting from server consolidation C. Improved operational efficiencies from administrative ease of certain tasks D. Improved operational agility to scale environments
Answer: A. Server consolidation is a physical consolidation—the logical instances have the same security concerns as before; in fact, they are increased because of the added virtualization layer. B, C, and D are incorrect. The benefits derived from virtualization can include reduced cost of servers resulting from server consolidation; improved operational efficiencies from administrative ease of certain tasks; improved portability and isolation of applications, data, and platforms; and operational agility to scale environments, i.e., cloud computing. Hint: Consolidation does not improve everything. Reference: Chapter 11: Technologies Objective: 11.6 Virtualization
Security policies should ensure compliance with all external obligations. Examples of these obligations include: A. Statutory, regulatory, and contractual obligations B. Audit log and internal controls C. Internal controls and contractual obligations D. Internal SLAs, controls, and contractual obligations
Answer: A. Statutory, regulatory, and contractual obligations are all external requirements. B, C, and D are incorrect. Audit logs, internal controls, and internal SLAs are all internal elements. Hint: Which elements are external in origin? Reference: Chapter 5: Policy Decomposition Objective: 5.3 Internal and external requirements
What represents the "who" in the subject-object-activity matrix? A. Subject B. Object C. Activity D. Interaction
Answer: A. Subjects represent who, objects represent what, and activities or actions represent the how of the subject-object-activity relationship. B, C, and D are incorrect. Objects represent what and activities or actions represent the how of the subject-object-activity relationship. Interactions are an undefined term in this context. Hint: Users are also who? Reference: Chapter 7: Requirements Objective: 7.1 Functional requirements
Which tool best helps the development team understand use-cases, including appropriate level of detail and security concerns? A. Data flow diagram (DFD) B. Subject-object-activity matrix C. Requirements traceability matrix (RTM) D. Attack tree
Answer: A. The DFD shows the flow of the data through a system, and in threat modeling is marked with threat vectors using STRIDE. B, C, and D are incorrect. Although these are valuable sources of information to the development team, they do not specifically highlight process flow information. Hint: Use-cases show process flow. What does the same in the preceding list? Reference: Chapter 8: Design Processes Objective: 8.4 Documentation
Data owners are responsible for: A. Defining data classification, controls, and access criteria B. Maintaining data classification, controls, and access criteria C. Implementing data classification, controls, and access criteria D. Performing data classification, controls, and access criteria
Answer: A. The data owner is the party who determines factors associated with specific data elements. B, C, and D are incorrect. These are all implementation oriented and belong to the data custodian function. Hint: What belongs to data custodians? Reference: Chapter 6: Data Classification and Categorization Objective: 6.2 Data ownership
IdP and RP are elements associated with: A. OpenID B. WSDL C. ESB D. SOA
Answer: A. There are two main parties in federated ID systems: a relying party (RP) and an identity provider (IdP). B, C, and D are incorrect. WSDL is Web Services Description Language, ESB is enterprise service bus, and SOA is service-oriented architecture. Hint: Identity provider (IdP) and relying party (RP). Reference: Chapter 11: Technologies Objective: 11.1 Authentication and identity management
Ensuring timely and reliable access to and use of information is a description of: A. Availability B. Integrity C. Non-repudiation D. Confidentiality
Answer: A. This is from the FIPS definition of availability: "Ensuring timely and reliable access to and use of information...." B, C, and D are incorrect; they are descriptors of security aspects other than availability. Hint: Access to information, or the lack thereof, is an example of what? Reference: Chapter 5: Policy Decomposition Objective: 5.1 Confidentiality, integrity, and availability requirements
Platform as a Service (PaaS) is defined as: A. The offering of a computing platform in the cloud B. Cloud-based systems that are delivered as a virtual platform for computing C. The use of the cloud to avoid server cost D. The offering of software to end users from within the cloud
Answer: A. This is the definition of Platform as a Service (PaaS). B, C, and D are incorrect. B is the definition of Infrastructure as a Service (IaaS), C is a reason to use cloud computing, and D is the definition of Software as a Service (SaaS). Hint: PaaS is a marketing term for platform-based services. Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.6 Cloud Architectures
Trust boundaries separate a system into trust zones that share common: A. Privileges, rights, access, and identifiers B. CIA conditions C. User accounts D. ACL elements
Answer: A. This is the definition of a trust boundary; inside a trust boundary, items share the same privileges, rights, access, and identifiers. B, C, and D are incorrect. All of these items have things that can differ inside a trust boundary, such as CIA conditions; not all items need the same types of protection. Hint: Think of what can change, and eliminate answers. Reference: Chapter 8: Design Processes Objective: 8.1 Attack surface evaluation
When choosing security controls to cover issues on an application, first consideration should be given to: A. Standard enterprise control structures such as ACLs B. Point-of-impact controls tailored to issue C. Broad controls that cover large areas D. Controls specific to the application
Answer: A. Use of standard enterprise-level controls makes the operational workload less of an addition and allows integration into the enterprise security data flow process. B, C, and D are incorrect. Each of these options increases the workload on operations, increasing the security workload and hindering data sharing in the enterprise. Hint: Which will be most useful in an operational setting? Reference: Chapter 8: Design Processes Objective: 8.3 Control identification and prioritization
Penetration tests done with no a priori system knowledge are called: A. Black-box testing B. Code reviews C. White-box testing D. Acceptance testing
Answer: A. When there is no knowledge of the inner workings of a system, it is referred to as black-box testing. B, C, and D are incorrect. White-box testing assumes full knowledge of the system, as do code reviews. Acceptance testing is functional testing to requirements and not directly related to this topic. Hint: No a priori knowledge indicates what state? Reference: Chapter 15: Secure Software Testing Objective: 15.2.3 Security testing
The current version of X.509 is: A. 3 B. 2 C. 1 D. Not stated—it is an IETF RFC
Answer: A. X.509 version 3 is the most current version of the standard; it added the extension mechanism (key usage, subject alternative names, and the like) that modern PKI depends on. B, C, and D are incorrect. Versions 1 and 2 are superseded, and X.509 is an ITU-T standard; the IETF profiles it for Internet use in RFC 5280 but did not originate it. Hint: It has been revised more than once. Reference: Chapter 11: Technologies Objective: 11.2 Credential management
Before using a public key of another entity, it is proper to check for revocation. What is the best way to accomplish this? Choose all that apply. A. DNSSEC B. CRL C. OCSP D. PKIX
Answer: B and C. Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) are both integrated, automated methods for verifying certificate validity. A and D are incorrect. DNSSEC is a digitally signed DNS service. PKIX is the public key infrastructure, which is much more inclusive than just key revocation. Hint: How are key revocations handled automatically? Reference: Chapter 11: Technologies Objective: 11.2 Credential management
You want to enable customers to establish their identity with your application, but you don't want to manage identity management. Which of the following specific systems could you use? Choose all that apply. A. Federated identity management B. OAuth C. OpenID D. UX
Answer: B and C. OAuth and OpenID are two of the more common federated systems in use; strictly, OAuth is an authorization delegation framework and login on top of it is done with OpenID Connect, but both let a third party vouch for the user. A and D are incorrect. Federated identity management is a concept, not a specific system. UX is an acronym for user experience, not an authentication system. Hint: Which are systems where you are not hosting but will provide authentication services? Reference: Chapter 11: Technologies Objective: 11.1 Authentication and identity management
Rich Internet applications (RIAs) are commonly constructed using what? Choose all that apply. A. C/C++ B. HTML5/JavaScript C. ASP (Active Server Pages) D. Adobe Flash or Microsoft Silverlight
Answer: B and D. RIAs are created using a variety of frameworks, including Adobe Flash, Java, and Microsoft Silverlight. With the introduction of HTML5, the future appears to be one dominated by HTML5/JavaScript-based RIAs. A and C are incorrect. C/C++ is typically not used in browser-based client development, and ASP is an older server-side page technology, not a client-side framework for this kind of application. Hint: Which is a universal web-based technology? Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.3 Rich Internet applications
What are the two primary components associated with measuring the loss due to risk? Choose two. A. Likelihood of impact B. Magnitude of impact C. Scale of threat D. Likelihood of threat
Answer: B and D. Risk is measured in terms of the likelihood of the threat and the magnitude of the impact. A and C are incorrect. The likelihood of impact is messy because it includes not just the likelihood of the threat, but the likelihood of bypassing mitigations; this makes it difficult to use consistently. The scale of the threat is again complicated by external factors, making it less useful. Hint: What are the elements of qualitative risk assessment? Reference: Chapter 2: Risk Management Objective: 2.5 Qualitative risk management
Which of the following are examples of unstructured data? Choose all that apply. A. Databases B. Microsoft Excel file C. Formatted file structures D. E-mails
Answer: B and D. Spreadsheets and e-mails carry free-form content that is not managed by a fixed structure. A and C are incorrect. Databases and formatted file structures are managed by their format: a defined schema or record layout governs what each element is and where it sits. Hint: Structured is managed via the structure. Reference: Chapter 6: Data Classification and Categorization Objective: 6.4 Types of data
A powerful technique for determining functional requirements in developer-friendly terms is: A. Subject-object-activity matrix B. Use case C. Data flow diagram D. Misuse case
Answer: B. A use-case is a specific example of an intended behavior of the system. A, C, and D are incorrect. Subject-object-activity matrix and data flow diagrams are not directly associated with functional requirements. Misuse cases are about security issues, not functional requirements. Hint: Functional requirements is the key part of the question. Reference: Chapter 7: Requirements Objective: 7.1.6 Use-cases
The validation of a user through the use of a shared set of secret credentials is: A. Identification B. Authentication C. Authorization D. Auditing
Answer: B. Authentication is a form of validation in which the user presents the known shared secret. A, C, and D are incorrect. Identification is the claim of an identity (for example, presenting a user name), not proof of it; authorization is a decision made after authentication succeeds; and auditing is a simple distractor. Hint: Presenting the shared secret proves what? Reference: Chapter 5: Policy Decomposition Objective: 5.2 Authentication, authorization, and auditing requirements
Your development group programs in C, creating high-speed financial applications for processing stock trade events from a wide customer base. Which is the most important control to employ? A. Buffer overflow checks B. Input validation C. Fuzz testing D. Bug bar
Answer: B. Because customer input is implied, input validation is paramount. A, C, and D are incorrect. Buffer overflow checks are important, but proper use of compiler directives and static code checking can alleviate most of these. Fuzz testing and bug bar are process elements, not specific controls. Hint: Consider what would be related to blocking the most damaging error category. Reference: Chapter 13: Defensive Coding Practices Objective: 13.6 Input validation
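An added example, not the book's code, of what "input validation is paramount" looks like for a trade event arriving from an untrusted client. The four-field message schema, the field limits, and the character classes are assumptions made for the example; the point is that every field is allow-listed for shape, type, length, character class and range before any business logic sees it.

```python
import re
from decimal import Decimal

# Constructed message schema for this example (an assumption, not from the book):
# a trade event arrives as a dict of four string fields from an untrusted client.
SYMBOL_RE = re.compile(r"[A-Z]{1,5}")                # ticker: 1-5 upper-case ASCII letters
QTY_RE = re.compile(r"[1-9][0-9]{0,6}")              # positive integer, no sign, no exponent
PRICE_RE = re.compile(r"[0-9]{1,7}(\.[0-9]{1,4})?")  # up to 7 integer and 4 fraction digits
ALLOWED_SIDES = frozenset({"BUY", "SELL"})
EXPECTED_FIELDS = frozenset({"symbol", "side", "qty", "price"})
MAX_QTY = 1_000_000
MAX_FIELD_LEN = 16  # bound the length before anything else looks at the value


class ValidationError(ValueError):
    """Raised for any input that is not positively known to be good."""


def validate_trade(raw: dict) -> dict:
    """Return a typed, normalised trade event or raise ValidationError.

    Explicit [0-9] with fullmatch is used rather than str.isdigit() or \\d: both
    of those accept Unicode digits such as '\u00b2' or '\u0663', which int() then
    rejects or silently converts.
    """
    if not isinstance(raw, dict) or set(raw) != EXPECTED_FIELDS:
        raise ValidationError("unexpected message shape")
    for name, value in raw.items():
        if not isinstance(value, str):
            raise ValidationError(f"{name}: not a string")
        if len(value) > MAX_FIELD_LEN:
            raise ValidationError(f"{name}: too long")

    symbol, side, qty_s, price_s = raw["symbol"], raw["side"], raw["qty"], raw["price"]
    if not SYMBOL_RE.fullmatch(symbol):
        raise ValidationError("symbol: bad format")
    if side not in ALLOWED_SIDES:
        raise ValidationError("side: not BUY or SELL")
    if not QTY_RE.fullmatch(qty_s):
        raise ValidationError("qty: not a positive integer")
    qty = int(qty_s)
    if qty > MAX_QTY:
        raise ValidationError("qty: above limit")
    if not PRICE_RE.fullmatch(price_s):
        raise ValidationError("price: bad format")
    price = Decimal(price_s)  # exact decimal, never float, for money
    if price <= 0:
        raise ValidationError("price: must be positive")
    return {"symbol": symbol, "side": side, "qty": qty, "price": price}


def is_valid_trade(raw) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_trade(raw)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    print(validate_trade({"symbol": "ACME", "side": "BUY", "qty": "100", "price": "12.3400"}))
    print(is_valid_trade({"symbol": "ACME'; DROP", "side": "BUY", "qty": "100", "price": "1"}))  # False
```

Because the checks are allow-lists, the same validator rejects injection strings, oversized fields, negative or exponent-form quantities, NaN prices and Unicode look-alike digits without needing a rule for each attack.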
A significant risk associated with the client server architecture is: A. Flexibility B. Client-side exploit C. Cross-platform issues D. Scalability
Answer: B. Client server architectures need to employ protection against client-side attacks, because the client runs on hardware and software outside the enterprise's control and cannot be trusted to enforce rules. A, C, and D are incorrect. Client server architectures are specifically designed to address these issues. Hint: Which end of the connection is outside enterprise control? Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.1 Distributed computing
The application of digital signature technology to computer code is referred to as: A. Trusted code B. Code signing C. Secure code D. Code proofing
Answer: B. Code signing is the act of using digital signature technology with software distribution. A, C, and D are incorrect. These are all nonsense distractors designed to look correct. They do not have any specific meaning in this context. Hint: The act of applying a signature is called what? Reference: Chapter 11: Technologies Objective: 11.8 Trusted computing
What is specifically used to score a threat? A. STRIDE B. DREAD C. PCI DSS D. Attack tree
Answer: B. DREAD can be mapped into the probability impact model by taking the following factors into account: probability (reproducibility + exploitability + discoverability) and impact (damage potential + affected users). A, C, and D are incorrect. STRIDE describes threat type information, attack trees don't score things, and PCI DSS is a compliance framework. Hint: Probability of occurrence times the severity of impact. Reference: Chapter 8: Design Processes Objective: 8.2 Threat modeling
A risk calculation methodology developed by Microsoft is: A. STRIDE B. DREAD C. Threat modeling D. SD3 + C
Answer: B. DREAD is an acronym for damage potential, reproducibility, exploitability, affected users, and discoverability. A, C, and D are incorrect. Threat modeling includes both STRIDE and DREAD, and SD3+C is from Microsoft to describe a foundational element of their entire SDL process. Hint: Which acronym names the five factors that are scored? Reference: Chapter 8: Design Processes Objective: 8.2 Threat modeling
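An added example, not from the book, that carries the two preceding answers and the earlier risk question (likelihood of threat times magnitude of impact) through in code: each DREAD factor is scored, reproducibility, exploitability and discoverability are summed as the probability side, damage and affected users as the impact side, and risk is their product. The 1-10 scale and the three sample threats are assumptions made for the example.

```python
from dataclasses import dataclass

# Rating scale is an assumption for this example: each DREAD factor scores 1 (low) to 10 (high).
MIN_SCORE, MAX_SCORE = 1, 10
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadRating:
    name: str
    damage: int            # D: how bad is it if exploited
    reproducibility: int   # R: how reliably does the attack work
    exploitability: int    # E: how little effort or skill is needed
    affected_users: int    # A: how many users are hit
    discoverability: int   # D: how easy is it to find

    def __post_init__(self):
        for field in FACTORS:
            value = getattr(self, field)
            if not (isinstance(value, int) and MIN_SCORE <= value <= MAX_SCORE):
                raise ValueError(f"{self.name}: {field} must be an int in [{MIN_SCORE}, {MAX_SCORE}]")

    @property
    def probability(self) -> int:
        """Likelihood side of the model: R + E + D(iscoverability), range 3..30."""
        return self.reproducibility + self.exploitability + self.discoverability

    @property
    def impact(self) -> int:
        """Magnitude side of the model: D(amage) + A(ffected users), range 2..20."""
        return self.damage + self.affected_users

    @property
    def risk(self) -> int:
        """Risk = likelihood x magnitude, range 6..600."""
        return self.probability * self.impact

    @property
    def classic_average(self) -> float:
        """The original DREAD convention: plain mean of the five factors."""
        return sum(getattr(self, f) for f in FACTORS) / len(FACTORS)


def rank_threats(threats):
    """Highest risk first; ties broken by impact, since damage is harder to undo than likelihood."""
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)


# Constructed sample threats; the numbers are illustrative, not from the book.
SAMPLE_THREATS = [
    DreadRating("SQL injection in order lookup", 9, 10, 8, 9, 8),
    DreadRating("Stack trace shown on error page", 2, 10, 10, 2, 10),
    DreadRating("Race condition in funds transfer", 10, 2, 3, 9, 2),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"risk={t.risk:3d}  P={t.probability:2d} I={t.impact:2d}  avg={t.classic_average:.1f}  {t.name}")
```

The sample is chosen so the two conventions disagree: the plain average ranks the loud but harmless stack trace (6.8) above the hard-to-trigger funds-transfer race (5.2), while the probability-times-impact mapping puts the race (133) above the stack trace (120), which is the ordering a risk-driven bug bar wants.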
The elements of a data lifecycle are: A. Internal, input, and output B. Generation, retention, and disposal C. Customer, supplier, and internal D. Define, maintain, and dispose
Answer: B. Data is created, used, and destroyed. A, C, and D are incorrect. These are all associated with data, but not specifically with its lifecycle. Hint: Data is created, used, and destroyed. Reference: Chapter 6: Data Classification and Categorization Objective: 6.5 Data lifecycle
FIPS 199 provides for classifying data into three levels. These levels are: A. Confidentiality, integrity, and availability B. High, medium, and low C. PII, security sensitive, and hidden D. Internal, input, and output
Answer: B. FIPS 199 uses three impact levels, low, moderate (the "medium" of option B), and high, across three dimensions: confidentiality, integrity, and availability. A, C, and D are incorrect. A represents the dimensions. C and D are classifications of data usage. Hint: Think levels that are hierarchical. Reference: Chapter 6: Data Classification and Categorization Objective: 6.3 Labeling
If there is a need to restrict network access to a specific port, one of the simplest methods is through a(n): A. Restricted socket on the application B. Firewall C. Application ACL D. Proxy server
Answer: B. Firewalls can be very simple in operation and can enforce address and port restrictions. A, C, and D are incorrect. A restricted socket could be programmed into the application, but this would be complex and add significant operational complexity. A proxy server could do what a firewall does, but it is more complex. The application ACL would not have port-level control. Hint: Simplest is a key element. Reference: Chapter 11: Technologies Objective: 11.3 Flow control
Which type of testing is generally conducted later in the testing process and focuses on the inputs and outputs to the software with partial knowledge of the design and implementation of the software? A. White-box testing B. Gray-box testing C. Black-box testing D. Blue-box testing
Answer: B. Gray-box testing is defined by a limited set of knowledge over how a system functions. A, C, and D are incorrect. White-box testing assumes complete knowledge of how a system is designed. Black-box testing assumes no knowledge. Blue-box testing is a nonsense distractor. Hint: Partial knowledge is the key element for the question. Reference: Chapter 15: Secure Software Testing Objective: 15.2 Testing for Security and Quality Assurance
Which of the following is used to preserve integrity in an application? A. Encryption B. Hashing C. Resilience D. Digital signatures
Answer: B. Hashing can provide a means to detect changes in a file. A single bit change can have a profound change in the hash value. A, C, and D are incorrect. Encryption protects confidentiality, resilience covers availability, and digital signatures provide both integrity and authenticity. Hint: How can you detect a file has changed? Reference: Chapter 9: Design Considerations Objective: 9.1 Application of methods to address core security concepts
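An added example, not code from the book, that makes the two related answers concrete (hashing for integrity here, and encryption versus hashing versus signatures in the earlier confidentiality question): a single flipped bit in a payment record changes roughly half the bits of its SHA-256 digest, a bare hash still cannot stop an attacker who can also replace the stored digest, and a keyed hash (HMAC) closes that gap because only a key holder can produce a valid tag. The sample record, the bit position and the keys are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample record for this example (not from the book). Bit 35 is bit 3 of
# byte 4, the leading '1' (0x31) of the amount; flipping it yields '9' (0x39).
SAMPLE_DOCUMENT = b"PAY 100.00 TO ACCOUNT 12345678"
AMOUNT_BIT = 35


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (bit 0 is the LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def integrity_check(data: bytes, expected_hex: str) -> bool:
    """Detects accidental change. Anyone can recompute a bare hash, so this does NOT
    detect deliberate tampering by someone who can also replace the stored digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(mac_tag(key, data), tag_hex)


def demo(document: bytes = SAMPLE_DOCUMENT, key: bytes = b"\x00" * 32, bit_index: int = AMOUNT_BIT) -> dict:
    """Run the three scenarios and report the outcomes."""
    digest = sha256_hex(document)
    tag = mac_tag(key, document)
    tampered = flip_bit(document, bit_index)
    attacker_key = b"attacker-guess"  # the attacker does not know the real key
    return {
        "tampered": tampered,
        "bits_changed": differing_bits(digest, sha256_hex(tampered)),
        "hash_detects_flip": not integrity_check(tampered, digest),
        # attacker edits the record AND rewrites the stored hash: the bare hash is fooled
        "bare_hash_fooled_by_recompute": integrity_check(tampered, sha256_hex(tampered)),
        "mac_accepts_original": mac_verify(key, document, tag),
        "mac_rejects_tamper": not mac_verify(key, tampered, tag),
        "mac_rejects_forged_tag": not mac_verify(key, tampered, mac_tag(attacker_key, tampered)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The hash answers "did this change?"; the HMAC additionally answers "did someone with the key produce this?", which is the authenticity the book attributes to digital signatures, obtained here with a shared secret instead of a private key. Neither hides the content: the record is still readable, which is why confidentiality needs encryption.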
The three forms of audit-related risk are: A. Residual risk, inherent risk, detection risk B. Control risk, inherent risk, detection risk C. Residual risk, control risk, detection risk D. Control risk, inherent risk, residual risk
Answer: B. Inherent risk is the risk associated with the process and its inherent error rate, assuming no internal controls exist to handle the potential errors. Control risk is the risk that controls will not detect or prevent material errors in a timely fashion. Detection risk is the risk that an audit will not detect an issue that can result in material error. A, C, and D are incorrect. Residual risk is the risk that remains after controls are applied; it is a risk management term, not one of the three components of audit risk. Hint: What is each of the listed types of risk? Reference: Chapter 5: Policy Decomposition Objective: 5.2 Authentication, authorization, and auditing requirements
The desire to minimize the number of high-value vulnerabilities is a reflection of what security principle? A. Defense in depth B. Least privilege C. Separation of duties D. Complete mediation
Answer: B. Least privilege limits how much code runs with elevated (administrator-level) rights and for how long, which reduces the number of high-value targets and the opportunity for escalation of privilege. A, C, and D are incorrect. These are all security principles, but they do not specifically address privilege escalation. Hint: High-value targets are typically administrator level. Reference: Chapter 9: Design Considerations Objective: 9.1 Application of methods to address core security concepts
What is one of the security advantages of managed code over unmanaged code? A. Lines of code B. Size of attack surface C. Flexibility of coding D. Global variables
Answer: B. Managed code offers a reduced attack surface because of the mediated connection to OS resources. A, C, and D are incorrect. There is no significant difference between managed and unmanaged code with respect to these items. Both systems offer plenty of opportunity in all of these items. Hint: What does a sandbox present to an external attacker? Reference: Chapter 8: Design Processes Objective: 8.1 Attack surface evaluation
Requirements associated with deployment are referred to as: A. Functional B. Operational C. Intrinsic D. Business
Answer: B. Operational requirements are those that deal with the integration of the application into the enterprise environment. A, C, and D are incorrect. A is the set of requirements associated with business functions. C and D are terms chosen to distract because they are related to the topic but are without contextual meaning. Hint: Deployment is connected to what aspect? Reference: Chapter 7: Requirements Objective: 7.2 Operational requirements
The use of a false identity in attacking a system is an example of: A. Psychological acceptability B. Spoofing C. Eavesdropping D. Man in the middle
Answer: B. Spoofing is the act of using false identity credentials to achieve access to a system. A, C, and D are incorrect. Psychological acceptability is making security provisions acceptable to users. Eavesdropping is just listening to traffic, and man-in-the-middle attacks involve inserting oneself into the communication stream. Hint: Change your IP address to appear as someone. Reference: Chapter 8: Design Processes Objective: 8.2 Threat modeling
What represents the "what" in the subject-object-activity matrix? A. Subject B. Object C. Activity D. Interaction
Answer: B. Subjects represent the who, objects represent the what, and activities or actions represent the how of the subject-object-activity relationship. A, C, and D are incorrect. Subjects represent the who and activities or actions represent the how of the subject-object-activity relationship. Interactions are an undefined term in this context. Hint: Users interact with the "what" element. Reference: Chapter 7: Requirements Objective: 7.1 Functional requirements
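An added example, not from the book, that turns the subject-object-activity matrix of this question and the earlier "who" question into an enforceable structure: subjects (who) are looked up against objects (what) for an activity (how), anything not explicitly listed is denied, and the same matrix can be queried in reverse to find separation-of-duties conflicts. The back-office roles, objects and activities are constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict


class AccessMatrix:
    """Subject-object-activity matrix with deny-by-default lookup."""

    def __init__(self) -> None:
        self._cells: dict[tuple[str, str], set[str]] = defaultdict(set)  # (who, what) -> {how}

    def allow(self, subject: str, obj: str, *activities: str) -> None:
        self._cells[(subject, obj)].update(activities)

    def is_permitted(self, subject: str, obj: str, activity: str) -> bool:
        # Anything not explicitly granted is denied: complete mediation, fail closed.
        return activity in self._cells.get((subject, obj), set())

    def activities(self, subject: str, obj: str) -> frozenset[str]:
        return frozenset(self._cells.get((subject, obj), set()))

    def subjects_with(self, obj: str, activity: str) -> frozenset[str]:
        """Reverse query: who can perform this activity on this object?"""
        return frozenset(s for (s, o), acts in self._cells.items() if o == obj and activity in acts)

    def toxic_subjects(self, first: tuple[str, str], second: tuple[str, str]) -> frozenset[str]:
        """Subjects holding both (object, activity) pairs; used to check separation of duties."""
        (o1, a1), (o2, a2) = first, second
        return self.subjects_with(o1, a1) & self.subjects_with(o2, a2)

    def rows(self) -> list[tuple[str, str, str]]:
        """Flat (subject, object, activity) triples, sorted, for review or export."""
        return sorted((s, o, a) for (s, o), acts in self._cells.items() for a in acts)


def enforce(matrix: AccessMatrix, subject: str, obj: str, activity: str) -> bool:
    """Gate a sensitive operation; raise rather than return False so callers cannot forget the check."""
    if not matrix.is_permitted(subject, obj, activity):
        raise PermissionError(f"{subject} may not {activity} {obj}")
    return True


def build_sample_matrix() -> AccessMatrix:
    # Constructed roles, objects and activities for a trading back office (an assumption).
    m = AccessMatrix()
    m.allow("trader", "order_book", "read", "write")
    m.allow("settlement_clerk", "order_book", "read")
    m.allow("settlement_clerk", "settlement_batch", "read", "write")
    m.allow("auditor", "order_book", "read")
    m.allow("auditor", "settlement_batch", "read")
    m.allow("auditor", "audit_log", "read")
    m.allow("logging_service", "audit_log", "append")
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    for row in m.rows():
        print(row)
    print(m.toxic_subjects(("order_book", "write"), ("settlement_batch", "write")))  # frozenset()
```

The `toxic_subjects` query is the check a reviewer runs before sign-off: whoever can both write orders and write the settlement batch can book and settle a fictitious trade alone, so the matrix should answer with an empty set.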
A proven methodology for implementing single sign-on (SSO) is: A. PKI B. OpenID C. WSDL D. SOA
Answer: B. The OpenID protocol has proven to be a well-vetted and secure protocol for SSO. A, C, and D are incorrect. PKI is the set of infrastructures for managing certificates; WSDL describes web service interaction; and service-oriented architecture (SOA) is an architecture, not an SSO methodology. Hint: Which is a federated authentication element? Reference: Chapter 11: Technologies Objective: 11.2 Credential management
Which of the following is not one of the three classes of security controls? A. Technical B. Cryptographic C. Management D. Operational
Answer: B. The classes of security controls are technical, managerial, and operational. A, C, and D are incorrect. These are all classes of security controls. Hint: One way of classifying controls is based on the aspect of the business involved. Reference: Chapter 2: Risk Management Objective: 2.4 Risk controls
Which of the following elements would be considered sensitive data and require protection in a mobile system? A. What the model of the device is B. Where the device is C. What level of OS is running on the device D. How the device is connected to the Internet (Wi-Fi or 4G)
Answer: B. The current location of the device should always be treated as sensitive and be under the user's control before allowing access. A, C, and D are incorrect. A and C are common elements that can be necessary to determine what content will work on the device. D can be important with regard to download speed and network connectivity. Hint: Which element concerns the user of the device? Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.4 Pervasive/ubiquitous computing
To reduce the risk associated with reusing code, the development team should: A. Test reused code for specific vulnerabilities B. Run reused code through the same checks and tests as new code C. Reused code has less risk, as it has already been used; focus testing on new code D. Prohibit code reuse
Answer: B. The current test methodology for new code is a best practice. Why not apply it to reused code as well? A, C, and D are incorrect. Reused code is common and can have benefits, but it needs the same testing as new code. Hint: If new code testing and validation is best for new code, then... Reference: Chapter 8: Design Processes Objective: 8.6 Risk assessment for code reuse
The acronym associated with the comprehensive set of policies, processes, and technologies for managing digital identity information is: A. IdP B. IAM C. UX D. OAuth
Answer: B. The terms identity management (IDM) and identity and access management (IAM) refer to the set of policies, processes, and technologies for managing digital identity information. A, C, and D are incorrect. IdP is identity partner, UX is user experience, and OAuth is a commonly used system for federated identity management. Hint: Think access management. Reference: Chapter 11: Technologies Objective: 11.1 Authentication and identity management
Two acquisition strategies are: A. Outsourcing vs. contracting B. Build vs. buy C. COTS vs. GOTS D. Contracts vs. SLAs
Answer: B. The two options for software development are either build or buy each module. A, C, and D are incorrect. Outsourcing and contracting are basically the same; COTS and GOTS are product descriptions; and contracts and SLAs are related, with SLAs behind the contract. Hint: Compare types of algorithms and age. Reference: Chapter 3: Security Policies and Regulations Objective: 3.7 Acquisition
A list of open sockets, open named pipes, and services running by default describe part of the ____. A. Operational requirements B. Attack surface measurement C. Functional requirements D. Misuse cases
Answer: B. There is a long list of elements associated with an attack surface and its measurement. A, C, and D are incorrect. The requirements are just lists of elements without specific technical details. Misuse cases are attack scenarios, but without the technical detail to support this form of defense. Hint: Compare types of algorithms and age. Reference: Chapter 8: Design Processes Objective: 8.1 Attack surface evaluation
Preserving authorized restrictions on information modification or destruction is a description of: A. Availability B. Integrity C. Non-repudiation D. Confidentiality
Answer: B. This is from the FIPS definition of integrity: "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...." A, C, and D are incorrect; they are descriptors involved in security aspects other than integrity. Hint: Modification or destruction is an example of what? Reference: Chapter 5: Policy Decomposition Objective: 5.1 Confidentiality, integrity, and availability requirements
During the design phase, the ______ will provide significant security information to designers. A. Attack surface B. Threat model C. Data flow diagrams D. Risk management model
Answer: B. Threat modeling is a collection of security threat information and is built during the development process from the beginning. A, C, and D are incorrect; they are other security tools. Hint: Which begins with the development effort and is built on security information? Reference: Chapter 9: Design Considerations Objective: 9.1 Application of methods to address core security concepts
The principle associated with the use of minimizing a user's authority to only what is needed is called: A. Separation of duties B. Least privilege C. Complete mediation D. Least common mechanism
Answer: B. Users should only be given the level of privilege necessary to do their assigned tasks and no more. A, C, and D are incorrect. A is about using multiple users. C involves ensuring checks are performed every time. D is about ensuring that single functions do not perform multiple tasks at different privilege levels. Hint: Which of these is associated with a user's activity? Reference: Chapter 1: Security Concepts Objective: 1.3 Security design tenets
WS-Security is: A. A method of providing confidentiality for SOAP B. A method of providing authentication, integrity, confidentiality, and non-repudiation for web services C. The encryption of SOAP messages D. A method of authenticating SOAP messages
Answer: B. WS-Security is just a collection of security mechanisms for signing, encrypting, and authenticating SOAP messages. Merely using WS-Security does not guarantee security; it must be properly configured to provide protection. A, C, and D are incorrect. WS-Security is a mechanism for providing a wide range of security functionality with SOAP, not just confidentiality, authentication, and encryption services. Hint: WS-Security can provide a range of security-related functions. Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.2 Service-oriented architecture
Which of the following functions should never be relied upon with client-side processing? Choose all that apply. A. Input errors B. Missing values C. State management D. Input validation
Answer: C and D. Because inputs can be changed by proxies between the client and the server, all security checks should only be done on the server side, including all state management and input validations. A and B are incorrect. Input errors and missing values can be checked for and validated on the client side for the purpose of improving user experience (preventing unnecessary round trips to the server). Hint: At what stages can input be changed? Reference: Chapter 13: Defensive Coding Practices Objective: 13.6 Input validation
Passwords and sensitive elements such as keys are sought after by hackers—what is the best way to store these in application programs? A. In a config file in a protected directory B. Hard-coded in the executable where they are protected C. Encrypted and stored in a file D. On a protected server
Answer: C. All sensitive data should be encrypted and stored in an appropriate place. Storing elements in the executable file makes them difficult to change, so other files are recommended. A, B, and D are incorrect. A protected directory can be bypassed, and for some secrets, a demo of the code can give away the secret. Hard-coding in the executable makes them accessible. Remote storage does not solve the confidentiality problem. Hint: What protects the confidentiality of data? Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures Objective: 12.1.3 Handling configuration parameters
Cloud computing is marked by all except: A. On-demand self-service B. Broad network access C. Use of a web browser for accessing data D. Resource pooling
Answer: C. Cloud computing does not have to involve any specific method of interaction (e.g., a web browser). A, B, and D are incorrect. These are all elements associated with cloud computing. Hint: How are clouds managed? Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.6 Cloud architectures
Predetermined access control is an example of: A. Rule-based Access Control B. Discretionary Access Control C. Mandatory Access Control D. Role-based Access Control
Answer: C. Mandatory Access Control (MAC) is characterized by a subject's access to an object, which is a predetermined property that is defined by the rules associated with the system. A, B, and D are incorrect. All of these access control systems can be optionally employed and, hence, are not predetermined. Hint: Predetermined means it always occurs. Reference: Chapter 5: Policy Decomposition Objective: 5.2 Authentication, authorization, and auditing requirements
PHI is affiliated with: A. Gramm-Leach-Bliley B. Sarbanes-Oxley C. PCI DSS D. HIPAA/HITECH
Answer: D. PHI is personal health information, which is protected by HIPAA/HITECH. A, B, and C are incorrect. Gramm-Leach-Bliley protects personal financial information, Sarbanes-Oxley is for corporate financials, and PCI DSS is for credit card information. Hint: Personal health information. Reference: Chapter 3: Security Policies and Regulations Objective: 3.1 Regulations and compliance
To comply with PCI DSS, one must have ________ or perform application code reviews. A. Language-specific rules and coding practices B. A defined security program C. A web application firewall D. A training program
Answer: C. One of the requirements of the PCI Data Security Standard is for web applications to either have a web application firewall between the server and users or to perform application code reviews. A, B, and D are incorrect. These are all elements that are good to have, but are not specifically addressed with respect to application code reviews. Hint: Which one of these can actually perform real monitoring of security? Reference: Chapter 11: Technologies Objective: 11.3 Flow control
Secure coding standards include all of the following except: A. Language-specific rules and coding practices B. Error trapping and handling C. Performance testing specifications D. Logging requirements
Answer: C. Performance specifications are not security functionality related and thus, are not typically covered by secure coding standards. A, B, and D are incorrect. These are all commonly documented in secure coding standards. Hint: Which of these is not related to security functionality? Reference: Chapter 7: Requirements Objective: 7.1 Functional requirements
Your project involves streaming web conference content from your web servers to multiple endpoints. Because of the sensitive nature of the content, encryption is mandated. What would be the preferred algorithm? A. 3DES B. AES C. RC4 D. MD5
Answer: C. RC4 is a stream-based cipher, and the web conference traffic requires a stream cipher for performance reasons. A, B, and D are incorrect. 3DES and AES are symmetric block ciphers, but are poor choices for streaming media channels. MD5 is a hash algorithm, not an encryption method. Hint: What type of material is being encrypted and does it have any specific characteristics that are important to consider? Reference: Chapter 13: Defensive Coding Practices Objective: 13.3 Cryptography
Which of the following is used to preserve availability in an application? A. Encryption B. Hashing C. Resilience D. Digital signatures
Answer: C. Resiliency is important to ensure an application can continue to function in spite of adverse conditions. A, B, and D are incorrect. Encryption protects confidentiality, hashing provides integrity, and digital signatures provide both integrity and authenticity. Hint: Which of these addresses the application's ability to continue operations under adverse circumstances? Reference: Chapter 9: Design Considerations Objective: 9.1 Application of methods to address core security concepts
An attacker can use interfaces, protocols, and/or ____ as entry points into an application. A. Log entries B. Error messages C. Services D. Program outputs
Answer: C. Services offer a way into an application by allowing man-in-the-middle type attacks. A, B, and D are incorrect. These are all avenues of information out of an application, and provided that no secrets are leaked, do not directly offer a means of re-entry. Hint: Entry points are ways into the program. Reference: Chapter 8: Design Processes Objective: 8.1 Attack surface evaluation
What represents the "how" in the subject-object-activity matrix? A. Subject B. Object C. Activity D. Interaction
Answer: C. Subjects represent who, objects represent what, and activities or actions represent the how of the subject-object-activity relationship. A, B, and D are incorrect. Subjects represent the who and objects represent the what. Interactions are an undefined term in this context. Hint: How relates to something that is happening. Reference: Chapter 7: Requirements Objective: 7.1 Functional requirements
A software system designed to support interoperable machine-to-machine interaction over a network is called a(n): A. Enterprise service bus B. Rich Internet application C. Web service D. HTML5/JavaScript
Answer: C. The W3C defines web services as a software system designed to support interoperable machine-to-machine interaction over a network. A, B, and D are incorrect. Enterprise service bus is an application component; rich Internet application has a real user; and HTML5/JavaScript is a technology, not a system. Hint: Machine-to-machine eliminates which options? Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.2 Service-oriented architecture
What system associated with certificates enables the passing and verification of these digital elements between firms? A. CRL B. OCSP C. PKI D. X.509
Answer: C. The public key infrastructure (PKI) associated with certificates enables the passing and verification of these digital elements between firms. A, B, and D are incorrect. A PKI solution involves many parts, including certificate authorities, registration authorities, and certificate revocation mechanisms, either certificate revocation lists (CRL) or Online Certificate Status Protocol (OCSP). X.509 is the certificate. Hint: Think system, not element of a system. Reference: Chapter 11: Technologies Objective: 11.2 Credential management
The multitude of requirements can be managed through the use of a: A. Subject-object-activity matrix B. Requirements traceability matrix C. Functional requirements listing D. Requirements lifecycle
Answer: C. The requirements traceability matrix (RTM) is a grid that assists the development team in tracking and managing requirements and implementation details. A, B, and D are incorrect. A is a specific term used to describe interactions between users and objects. B and D are distractors created out of words that fit the topic, but have no specific contextual meaning. Hint: Managing includes what specific functions? Reference: Chapter 7: Requirements Objective: 7.1 Functional requirements
The principle associated with the use of multiple overlapping controls is: A. Least privilege B. Separation of duties C. Defense in depth D. Fail safe
Answer: C. The use of multiple independent security control mechanisms to protect a specific program is called defense in depth. A, B, and D are incorrect. These are all security design tenets that act individually. Hint: The key word in the question is multiple. Reference: Chapter 1: Security Concepts Objective: 1.3 Security design tenets
Which of the following programs does not have specific logging requirements identified? A. SOX B. PCI DSS C. DNSSEC D. HIPAA
Answer: C. DNSSEC is the securing of the DNS protocol with digital signatures. A, B, and D are incorrect. These are all compliance programs with various logging requirements. Hint: Which one of these is not a compliance program? Reference: Chapter 11: Technologies Objective: 11.4 Logging
The purpose of data classification is to: A. Provide a means to label data with CIA requirements B. Provide a method to restrict data use C. Provide a method to align protection and asset value associated with data D. Provide a means of marking data based on its sensitivity
Answer: C. Data classification is a risk management tool, with the objective being to reduce the costs associated with protecting data. A, B, and D are incorrect. These are all elements associated with achieving the purpose. Hint: Focus on purpose, not attribute or means to achieve the purpose. Reference: Chapter 6: Data Classification and Categorization Objective: 6.1 Data classification
Which of the following is used to preserve authenticity in an application? A. Encryption B. Hashing C. Resilience D. Digital signature
Answer: D. Digital signatures provide both integrity and authenticity controls, telling the user who signed the file. A, B, and C are incorrect. Encryption protects confidentiality, hashing provides integrity, and resilience covers availability. Hint: Authenticity implies you know who sent it. Reference: Chapter 9: Design Considerations Objective: 9.1 Application of methods to address core security concepts
A technology for sharing authentication information is: A. PKIX B. OCSP C. CRL D. SAML
Answer: D. Security Assertion Markup Language (SAML) is a commonly employed method for the sharing of authentication information. A, B, and C are incorrect. PKIX is an acronym for public key infrastructure, which includes elements for sharing, but is a much larger class of item. OCSP and CRL are certificate revocation mechanisms. Hint: To mark records, you could use a markup language. Reference: Chapter 11: Technologies Objective: 11.2 Credential management
What tool can assist in picking the appropriate mitigation type for a specific vulnerability? A. Data flow diagram (DFD) B. Subject-object-activity matrix C. Requirements traceability matrix (RTM) D. Attack tree
Answer: D. An attack tree is a graphical representation of an attack, beginning with the attack objective as the root node. A, B, and C are incorrect. These all provide information, but not specific to the cause of the vulnerability and how it can be mitigated. Hint: What are the elements of qualitative risk assessment? Reference: Chapter 8: Design Processes Objective: 8.2 Threat modeling
You want to implement steps to validate the security of software design. At what phase in the SDLC should you implement the security design validation process? A. After implementation B. After design C. After testing D. At the end of each phase
Answer: D. Because elements of the SDLC process can loop back and elicit new elements of previous phases, and coupled with the fact that at each phase design elements can be changed, validation should be done at the end of each phase to catch issues early. A, B, and C are incorrect. Because at each phase design elements can be changed, validation should be done at the end of each phase to catch issues early, so each single phase is an incomplete answer. Hint: Where can changes occur that require validation? Reference: Chapter 3: Security Policies and Regulations Objective: 3.5 Software architecture
An application that is designed to be used by different classes of users would find which form of access control useful? A. Rule-based Access Control B. Discretionary Access Control C. Mandatory Access Control D. Role-based Access Control
Answer: D. Breaking users into groups based upon their roles simplifies authentication and authorization work. A, B, and C are incorrect. They are all access control mechanisms, but do not take advantage of the "groups of users" requirement. Hint: Which form of access control separates users into logical groups? Reference: Chapter 5: Policy Decomposition Objective: 5.2 Authentication, authorization, and auditing requirements
An architecture designed to allow customers to unilaterally provision and reprovision their level of service as needed is descriptive of: A. Web service-based systems B. Rich Internet application-based systems C. SOA-based systems D. Cloud-based systems
Answer: D. Cloud-based systems offer scaling that can increase and decrease on demand. A, B, and C are incorrect. A and C can be offered as part of a cloud-based solution, but they can exist in other forms too. RIA offers desktop application experience via a web browser interface. Hint: Customer-driven scalability is used to describe which system? Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.6 Cloud architectures
Credential management functions include all of the following except: A. Generation B. Revocation C. Synchronization D. Sharing
Answer: D. Credentials should never be shared, as this eliminates traceability. A, B, and C are incorrect. Management of credentials includes tasks such as credential generation, storage, synchronization, reset, and revocation. Hint: What should never be done with credentials? Reference: Chapter 11: Technologies Objective: 11.2 Credential management
Mitigating the risk of a security control being compromised by the placement of multiple layers of overlapping controls is an example of: A. Secure by deployment B. Secure by default C. Secure by design D. Defense in depth
Answer: D. Defense in depth involves multiple layers of overlapping controls. A, B, and C are incorrect. These are all related to when and where security is invoked, not the manner in which this occurs. Hint: The key word is multiple. Reference: Chapter 8: Design Processes Objective: 8.3 Control identification and prioritization
Which elements are not in an X.509 certificate? Choose all that apply. A. Subject B. Version number C. Validity D. Key length
Answer: D. Key type is a field, as well as the key; the length is not a specified element. A, B, and C are incorrect. The subject specifies the owner of the certificate. The version number identifies the version of the X.509 standard that was followed to create the certificate, and indicates the format and fields that can be used. Validity specifies the dates through which the certificate is valid for use. Hint: Key type is a field. Reference: Chapter 11: Technologies Objective: 11.2 Credential management
The common technologies used in web services include all of the following except: A. WSDL B. REST C. SOAP D. Message queuing
Answer: D. Message queuing is an asynchronous message transport methodology, and it may or may not be associated with web services. A, B, and C are incorrect. WSDL (Web Service Description Language), REST (Representational State Transfer), and SOAP (Simple Object Access Protocol) are architectural methods frequently associated with web services. Hint: Which of these is not typically directly associated with web services? Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.2 Service-oriented architecture
Multithreaded operating systems are specifically susceptible to what types of attacks? A. Buffer overflow B. Stack-based attacks C. Arithmetic overflow attacks D. Time of check/time of use attacks
Answer: D. Race conditions tied to multithreaded issues can create opportunities for time of check/time of use attacks. A, B, and C are incorrect. These are all attack vectors, but not specifically tied to multithreading issues. Hint: Which is associated with race conditions? Reference: Chapter 7: Requirements Objective: 7.1.7 Abuse cases
Which of the following is not a technique for dealing with risk? A. Avoid B. Transfer C. Accept D. Eliminate
Answer: D. Risk can never be eliminated, only mitigated or reduced to a particular level. A, B, and C are incorrect. After a risk has been identified and assessed, four techniques can be employed to deal with the risk: avoid the risk, transfer the risk, mitigate the risk, and accept the risk. Hint: One of these is an absolute, and absolutes typically do not fit with risk management. Reference: Chapter 2: Risk Management Objective: 2.4 Risk controls
The first step for general risk management is: A. Enumerate risks B. Security control selection C. Threat assessment D. Asset identification
Answer: D. Risks are associated with assets, or things that have value in an enterprise. A, B, and C are incorrect. Risks cannot be enumerated until the target (asset) is identified. Security controls cannot be selected until a specific threat assessment is performed. All of the steps follow asset identification. Hint: Risk is associated with something of value. Reference: Chapter 2: Risk Management Objective: 2.2 Governance, risk, and compliance
Code within an application that can be accessed by unauthorized parties is referred to as a(n): A. Bug B. Attack tree C. Threat model D. Attack surface
Answer: D. The attack surface of software is the code within the system that can be accessed by unauthorized parties. This is not just the code itself, but can also include a wide range of resources associated with the code, including user input fields, protocols, interfaces, resource files, and services. A, B, and C are incorrect. A bug refers to a defect, and no defects are specified in the question. Attack trees and threat models are answers to related questions, but not this one specifically. Hint: The term describes a collective element, not a singular one. Reference: Chapter 8: Design Processes Objective: 8.1 Attack surface evaluation
The detailed listing of what users are involved in a system forms part of the _____ definition. A. User B. Role C. Requirement D. Use-case
Answer: D. The detailed listing of what users are involved in a system forms part of the use-case definition. A, B, and C are incorrect. Role and user definitions are the statements of who will be using what functionality of the software. The term requirement defines program objectives. Hint: How do you document user involvement with an application? Reference: Chapter 7: Requirements Objective: 7.1.1 Role and user definitions
Data custodians are responsible for all of the following except: A. Performing data classification, controls, and access criteria B. Maintaining data classification, controls, and access criteria C. Implementing data classification, controls, and access criteria D. Defining data classification, controls, and access criteria
Answer: D. This is a data owner responsibility; all of the others belong to data custodians. A, B, and C are incorrect. These are custodian functions. Hint: Which one belongs to data owners? Reference: Chapter 6: Data Classification and Categorization Objective: 6.2 Data ownership
Preserving authorized restrictions on information access and disclosure is a description of: A. Availability B. Integrity C. Non-repudiation D. Confidentiality
Answer: D. This is from the FIPS definition of confidentiality: "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information...." A, B, and C are incorrect; they are descriptors involved in security aspects other than confidentiality. Hint: Restricting access is an example of what? Reference: Chapter 5: Policy Decomposition Objective: 5.1 Confidentiality, integrity, and availability requirements
Which of the following is not a standard mitigation type? A. Redesign to eliminate the vulnerability B. Apply a standard mitigation C. Invent a new mitigation D. Transfer the vulnerability to another party for handling
Answer: D. Vulnerabilities cannot be transferred or moved to another firm. A, B, and C are incorrect. Mitigation includes four types: redesign to eliminate vulnerability, apply a standard mitigation, invent a new mitigation, or accept the vulnerability. Hint: Can vulnerabilities be moved? Reference: Chapter 8: Design Processes Objective: 8.3 Control identification and prioritization
ccREL and ODRL are associated with: A. Digital loss prevention B. Single sign-on C. Public key infrastructure D. Digital rights management
Answer: D. ccREL and ODRL are both forms of rights expression language (REL) used in digital rights management. A, B, and C are incorrect. These are all security-related technologies, but they do not employ rights expression language elements. Hint: Open Digital Rights Language. Reference: Chapter 11: Technologies Objective: 11.7 Digital rights management
A protocol for radiofrequency (RF) communication over very short distances is: A. Bluetooth B. 802.11 Wi-Fi C. 802.15 Zigbee D. Near-field communications (NFC)
Answer: D. Near-field communications is a protocol set for very short distance RF communications. A, B, and C are incorrect. They are all wireless communication methods, but have reasonable ranges of use. Hint: Which form of access control separates users into logical groups? Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.4 Pervasive/ubiquitous computing
Pervasive/ubiquitous computing involves all of the following except: A. Wireless communication B. Hyperconnectedness C. Nearly constant connectivity D. Monoculture platforms (i.e., all Apple)
Answer: D. Pervasive/ubiquitous systems are cross-platform by nature; hence, monoculture platforms are not appropriate for this type of system. A, B, and C are incorrect. These are all commonly involved in pervasive or ubiquitous systems. Hint: If everyone is using it, which is least likely? Reference: Chapter 10: Securing Commonly Used Architecture Objective: 10.4 Pervasive/ubiquitous computing