CISSP PRACTICE TESTS Chapter 8▪Software Development Security (Domain8)

62. Tomas discovers a line in his application log that appears to correspond with an attempt to conduct a ditectory ttaversal attack. He believes the attack was conducted using URL encoding. The line reads: %252E%252E%252F%252E%252E%252Fetc/passwd Which character is represented by the %254E value? A. . B. , C. ; D. /

A. .

74. In the diagram shown here, which is an example of a class? Account Balance: currency = 0 Owner: string AddFunds(deposit: currency) RemoveFunds (withdrawal: currency) A. Account B. Owner C. AddFunds D. None of the above

A. Account

92. Which component of the database ACID model ensures that database transactions are an "all or nothing" affair? A. Atomicity B. Consistency C. Isolation D. Durability

A. Atomicity

31. Vivian would like to hire a software tester to comee in and evaluate a new web application from a user's perpective. Which of the following tests best simulates that perspective? A. Black box B. Gray box C. Blue box D. White box

A. Black box

Questions 37-40 refer to the following scenario: Linda is reviewing posts to a user forum on her company's website and, when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the source code for the post and finds the following code snippe: <script>alert( ' Alert ' ) ; </ script> 37. What vulnerability definitely exists on Linda's message board? A. Cross-site scripting B. Cross-site request forgery C. SQL injection D. Improper authentication

A. Cross-site scripting

19. What phase of the SW-CMM should Robert report as the current status of Beta Particles? A. Defined B. Repeatable C. Optimizing D. Managed

A. Defined

12. Which one of the following testing methodologies typically works without access to source code? A. Dynamic testing B. Static testing C. White box testing D. Code review

A. Dynamic testing

7. When using the SDLC, which one of these steps should you take before the others? A. Functional requirements determination B. Control specifications development C. Code review D. Design review

A. Functional requirements determination

11. Which one of the following is considered primary storage? A. Memory B. Hard disk C. Flash drive D. DVD

A. Memory

88. Which one of the following principles would not be favored in an Angile approach to software development? A. Processes and tools over individuals and interactions B. Working software over comprehensive documentation C. Customer collaboration over contact negotiations D. Responding to change over following a plan

A. Processes and tools over individuals and interactions

38. What was the likely motivation of the user who posted the message on the forum containing the code? A. Reconnaissance B. Theft of sensitive information C. Credential stealing D. Social engineering

A. Reconnaissance

79. Which one of the following change management processes is intitiated by users rather than developers? A. Request control B. Change control C. Release control D. Design review

A. Request control

94. Mail is eavesdropping on the unencryted communication between the user of a website and the web server. She manages to intercept the cookies from a request header. What type of attack can she perform with these cookies? A. Session hijacking B. Cross-site scripting C. Cross-site request forgery D. SQL injection

A. Session hijacking

51. Which one of the following is the most effective control aganist session hijacking attacks? A. TLS B. Complex session cookies C. SSL D. Expiring cookies frequently

A. TLS

30. What are the two types of covert channels that are commonly exploited by attackers seeking to surreptitiously exfiltrate information? A. Timing and storage B. Timing and firewall C. Storage and memory D. Firewall and storage

A. Timing and storage

59. Roger is conducting a software test for a tax preparation application developed by his company. End users will access the application over the web, but Roger is conducting his test on the back end, evaluating the source code on the web server. What type of test is Roger conducting? A. White box B. Gray box C. Blue box D. Black box

A. White box

84. What function can be used to convert a string to a safe value for use in passing from a PHP application to a database? A. bin2hex( ) B. hex2bin( ) C. dechex( ) D. hexdec( )

A. bin2hex( )

22. Which one of the following files is most likely to contain a macro virus? A. projections . doc B. command . com C. command . exe D. loopmaster . exe

A. projections . doc

6. Which one of the following attack types attempts to exploit the trust relationship that a user's browser has with other websites by forcing the submission of an authenticated request to a third-party site? A. XSS B. CSRF C. SQL injection D. Session hijacking

B. CSRF

55. Which one of the following is not an effective control against SQL injection attacks? A. Escaping B.Client-side input validation C. Parameterization D. Limiting database permissions

B. Client-side input valdidation

1. When desgning an object-oriented model, which of the following situations is ideal? A. High cohesion, high coupling B. High cohesion, low coupling C. Low cohesion, low coupling D. Lo cohesion, high coupling

B. High cohesion, low coupling

75. Gary is designing a database-driven application that relies on the use of aggregate functions. Which one of the following database concurrency issues might occur with aggregate functions and should be one of Gary's top concern? A. Lost updates B. Incorrect summaries C. SQL injections D. Dirty reads

B. Incorrect summaries

13. What concept in object-oriented programming allows a subclass to access methods belonging to a superclass? A. Polymorphism B. Inheritance C. Coupling D. Cohesion

B. Inheritance

15. Which one of the following controls would best protect an application against buffer overflow attacks? A. Encryption B. Input validation C. Firewall D. Intrusion prevention system

B. Input validation

99. What type of virus works by altering the system boot process to redirect the BIOS to load malware before the operating system loads? A. File infector B. MBR C. Polymorphic D. Service injection

B. MBR

47. In an object-oriented programming language, what does one object invoke in a second object to interact with the second object? A. Instance B. Method C. Behavior D. Class

B. Method

43. Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software? A. Stealth B. Multipartitism C. Polymorphism D. Encryption

B. Multipartitism

49. What type of attack is demonstrated in the C programming language example below? int myarray[10] ; myarray [10] = 8 ; A. Mismatched data types B. Overflow C. SQL injection D. Covert channel

B. Overflow

69. In the digram shown here, which is an example of an attribute? Account Balance: currency = 0 Owner : string AddFunds(deposit: currency) RemoveFunds (withdrawal: currency) A. Account B. Owner C. AddFunds D. None of the above

B. Owner

56. What type of project management tool is shown in the figure? Refer to page 171 in the book. A. WSB chart B. PERT chart C. Gant chart D. Wireframe diagram

B. PERT chart

36. Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a touch time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident? A. Stealth virus B. Polymorphic virus C. Multipartite virus D. Encrypted virus

B. Polymorphic virus

16. Berta is analyzing the logs of the Windows Firewall on one of her servers and comes across the entries shown in this figure. What type of attack do these entries indicate? 2016-04-2105:14:52DROPTCP192.168.250.4192.168.42.14 4004 21-RECEIVE 2016-04-21 05:14:53DROPTCP192.168.250.4192.168.42.14400522-RECEIVE 2016-04-2105:14:54DROPTCP192.168.250.4192.168.42.14400623-RECEIVE 2016-04-2105:14:56DROPTCP192.168.250.4192.168.42.14400725-RECEIVE 2016-04-2105:14:59DROPTCP192.168.250.4192.168.42.14400853-RECEIVE 2016-04-2105:15:02DROPTCP192.168.250.4192.168.42.14400980-RECEIVE 2016-04-2105:15:03DROPTCP192.168.250.4192.168.42.144010111RECEIVE 2016-04-2105:15:04DROPTCP192.168.250.4192.168.42.144011111RECEIVE A. SQL injection B. Port scan C. Teardrop D. Land

B. Port scan

78. Which of the following database keys is used by an RDBMS to uniquely identify each row in a database table? A. Foreign key B. Primary key C. Candidate key D. Referential key

B. Primary key

53. What type of vulnerability does a TOC/TOU attack target? A. Lack of input validation B. Race condition C. Injection flaw D. Lack of encryption

B. Race condition

58. Which one of the following conditions may make an application most vulnerable to a cross-site scripting (XSS) attack? A. Input valdation B. Reflected input C. Unpatched server D.Promiscuous firewall rules

B. Reflected input

18. Robert is working with Acme Widgets on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone? A. Defined B. Repeatable C. Initial D. Managed

B. Repeatable

86. At which level of the Software Capability Maturity Model (SW-CMM) does an organization introduce basic life-cycle management processes? A. Initial B. Repeatable C. Defined D. Managed

B. Repeatable

91. Which one of the following is the proper order of steps in the waterfall model of software development? A. Requirements, Design, Testing, Coding, Maintenance B. Requirements, Design, Coding, Testing, Maintenance C. Design, Requirements, Coding, Testing, Maintenance D. Design, Requirements, Testing, Coding, Maintenance

B. Requirements, Design, Coding, Testing, Maintenance

70. Which one of the following statements is true about software testing? A. Static testing works on runtine environments. B. Static testing performs code analysis. C. Dynamic testing uses automated tools but static testing does not. D. Static testing is a more important testing technique than dynamic testing.

B. Static testing performs code analysis

32. Referring to the database transaction shown here, what would happen if no account exists in the Accounts table with account number 1001? BEGIN TRANSACTION UPDATE accounts Set balance = balance + 250 WHERE account_number = 1001; UPDATE accounts SET balance = balance - 250 WHERE account_number = 2002; END TRANSACTION A. The database would create a new account with this account number and give it a 250 balance. B. The database would ignore that command and still reduce the balance of the second account by $250. C. The database would roll back the transaction, ignoring the results of both commands. D. The database would generate an error message.

B. The database would ignore that command and still reduce the balance of the second account by $250.

39. Linda communicates with the vendor and determines that no patch is available to correct this vulnerability. Which one of the following devices would best help her defend the application against further attack? A. VPN B.WAF C. DLP D. IDS

B. WAF

97. Which one of the following tools might an attacker use to best identify vulnerabilities in a targeted system? A. nmap B. nessus C. ipconfig D. traceroute

B. nessus

23. Victor created a database table that contains information on his organization's employees. The table contains the employee's user ID, three different telephone number fields (home, work, and mobile), the employee's office location, and the employee's job title. There are 16 records in a table. What is the degree of this table? A. 3 B. 4 C. 6 D. 16

C. 6

81. Ursula is a government web developer who recently created a public application that offers property records. She would like to make it available for other developers to integrate into directly and integrate the output into their application? A. Object model B. Data dictionary C. API D. Primary key

C. API

89. What technique do API developers most commonly use to limit access to an API to authorized individuals and applications? A. Encryption B. Input validation C. API keys D. IP filters

C. API keys

10. In the diagram shown here, which is an example of method? ACCOUNT Balance: currency=0 Owner: string AddFunds(deposit: currency) RemoveFunds (withdrawal: currency) A. Account B. Owner C. Add Funds D. None of theabovr

C. Add Funds

25. When should a design review take place when following an SDLC approach to software development? A. After the code review B. After user acceptance testing C. After the development of functional requirements D. After the completion of unit testing

C. After the development of functional requirements

14. Bobby is investigating how an authorized data base user is gaining access to information outside his normal clearance level. Bobby believes that the user is making use of a type of function that summarizes data. What term decribes this type of function? A. Inference B. Polymorphic C. Aggregate D. Modular

C. Aggregate

28. Victor recently took a new position at an online dating website and is responsible for leading a team of developers. He realized quickly that the developers are having issues with production code because they are working on different projects that results in conflicting modifications to the production code. What process should Victor invest in improving? A. Request control B. Release control C. Change control D. Configuration control

C. Change control

64. Which one of the following is not a principle of the Agile software development process? A. Welcome changing requirements, even late in the development process. B. Maximizing the amount of work not done is essential. C. Clear documentation is the primary measure of progress. D. Build projects around movitated individuals.

C. Clear documentation is the primary measure of progress.

3. Which one of the following statements is not true about code review? A. Code review should be a peer-driven process that includes multiple developers. B. Code review may be automated. C. Code review occurs during thebdesign phase. D. Code reviewers may expect to review several hundred lines of code per hour.

C. Code review occurs during the design phase.

96. What approach to technology management integrates the three components of technology management shown in this illustration? (Software Development) (Quality Assurance)(Operations) Image reprint from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition c John Wiley & Sons 2015, reprinted with permission. A. Agile B. Lean C. DevOps D. ITIL

C. DevOps

24. Carrie is analyzing the application logs for her web-based application and comes across the following string: . . /. . /. . /. . / . . /. . /. . / . . /. . /etc/passwd What type of attack was likely attempted against Carrie's application? A. Command injection B. Session hijacking C. Directory traversal D. Brute force

C. Directory traversal

41. What property of relational databases ensures that once a database transaction is committed to the database, it is preserved? A. Atomicity B. Consistency C. Durability D. Isolation

C. Durability

82. During what phase of the IDEAL model do organizations develop a specific plan of action for implementing change? A. Initiating B. Diagnosing C. Establishing D. Acting

C. Establishing

34. Kim is troubleshooting an application firewall that serves as a supplement to the organization's network and host firewalls and intrusion prevention system, providing added protection aganist web-based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company? A. High availability cluster B. Failover device C. Fail open D. Redundant disks

C. Fail open

21. Which one of the following database keys is used to enforce referential integrity relationships between tables? A. Primary key B. Candidate key C. Foreign key D. Master key

C. Foreign key

Questions 17-20 refer to the following scenario: Robert is a consultant who helps organizations create and develop mature software development oractices. He prefers to use the Software Capability Maturity Model ( SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organized with their software development practices. They have a dedicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have quantitative management of those processes. 17. What phase of the SSW-CMM should Robert report as the current status of Acme Widgets? A. Defined B. Repeatable C. Initial D. Managed

C. Initial

40. In further discussions with the vendor, Linda finds thst they are willing to correct the issue but do not know how to update their software. What technique would be most effective in mitigating the vulnerability of the application to this type of attack? A. Bounds checking B. Peer review C. Input validation D. OS patching

C. Input validation

60. Which of the following statements is true about heuristic-based antimalwar software? A. It has a lower false positive raye than signature detection. B. Its requires frequent definition updates to detect nee malware. C. It has a higher likelihood of detecting zero-day exploits than signature detection. D. It monitors systems for files with content know to be viruses.

C. It has a higher likelihood of detecting zero-day exploits than signature detection.

87. Lucas runs the accounting systems for his company. The morning after a key employee was fired, systems began mysteriously losing information. Luscas suspects that the fired employee tampered with the systems prior to his departure. What type of attack should Lucas suspect? A. Privilege escalation B. SQL injection C. Logic bomb D. Remote code execution

C. Logic bomb

50. Which one of the following database issues occurs when one transaction writes a value to the database that overwrites a value that was needed by transactions with earlier precedence? A. Dirty read B. Incorrect summary C. Lost update D. SQL injection

C. Lost update

100. What type of virus is characterized by the use of two or more different propagation mechanisms to improve its likelihood of spreading between systems? A. Stealth virus B. Polymorphic virus C. Multipartite virus D. Encrypted virus

C. Multipartite virus

46. Which of the following organizations is widely considered as the definitive source for information on web-based attack vectors? A. (ISC)2 B. ISACA C. OWASP D. Mozilla Foundation

C. OWASP

63. An attacker posted a message to a publicdiscussion forum that contains an enbedded maliciious script that is not displayed to the user but executes on the user's system when read. What type of attack is this? A. Persistent XSRF B. Nonpersistent XSRF C. Persistent XSS D. Nonpersistent XSS

C. Persistent XSS

80. Which one of the following techniques is an effective countermeasure aganist some inference attacks? A. Inputs validation B. Parameterization C. Polyinstantiation D. Server-side validation

C. Polyinstantiation

26. Tracy is preparing to apply a patch to her organization's enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning? A. Unit testing B. Acceptance testing C. Regression testing D. Vulnerability testing

C. Regression testing

5. Which process is responsible for ensuring that changes to software include acceptance testing? A. Request control B. Change control C. Release control D. Configuration control

C. Release control

54. While evaluating a potential security incident, Harrg comes across a log entry from a web server request showing that a user entered the following input into a form field: CARROT ' &1=1 ;-- What type of attack was attempted? A. Buffer overflow B. Cross-site scripting C. SQL injection D. Cross-site request forgery

C. SQL injection

90. Which one of the following statements about malware is correct? A. Malware authors do not target Macintosh or Linux systems. B. The most reliable way to detect known malware is watching for unusual system activity. C. Signature detection is the most effective technique to combat known malware. D. APT attackers typically use malware designed to exploit vulnerabilities identified in security bulletins.

C. Signature detection is the most effective technique to combat known malware.

68. In the transaction shown here, what would happen if the database failed in between the first and second update statement? Begin transaction UPDATE accounts SET balance = balance + 250 WHERE account_number = 1001; UPDATE accounts SET balance = balance - 250 WHERE account_number = 2002; COMMIT TRANSACTION A. The database would credit the first account with $250 in funds but thennot reduce the balance of the secondaccount. B. The database would ignore the first command and only reduce the balance of the second account by $250. C. The database would roll back the transaction, ignoring the results of both commands. D. The database would successfully execute both commands.

C. The database would roll back the transaction, ignoring the results of both commands.

65. Samantha is responsible for the development of three new code modules that will form part of a complex system that her compantmy is developing. She is perpared to publish her code and runs a series of tests against each module to verify that it works as intended. What type of testing is Samantha conducing? A. Regression testing B. Integration testing C. Unit testing D. System testing

C. Unit testing

44. Which one of the following types of software testing usually occurs last and is executed against test scenarios? A. Unit testing B. Integration testing C. User acceptance testing D. System testing

C. User acceptance testing

52. Faith is looking at the / etc /passwd file on a system configured to use shadowed passwords. When she examines a line in the file for a user with interactive login permissions, what should she expect to see in the password field? A. Plaintext password B. Hashed password C. x D. *

C. x

29. What type of database security issue exists when a collection of facts has a higher classification than classification of any of those facts standind akone? A. Inference B. SQL injection C. Multilevel security D. Aggregation

D. Aggregation

2. Which of the following is a common way that attackers leverage botnets? A. Sending spam messages B. Conducting brute-force attacks C. Scanning for vulnerable systems D. All of the above

D. All of the above

95. Which of the following vulnerabilities might be discovered during a penetration test of a web-based application? A. Cross-site scripting B. Cross-site request forgery C. SQL injection D. All of the above

D. All of the above

27. What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner? A. Validation B. Accreditation C. Confidence interval D. Assurance

D. Assurance

48. Lisa is attempting to prevent her network from being targeted by IP spoofing attacks as well as preventing her network from being the source of those attacks. Which one of the following rules is not a best practice that Lisa can configure at her network border? A. Block packets with internal source addresses from entering the network. B. Block packets with external source addresses from leaving the network. C. Block packets with private IP addresses from exiting the network. D. Block packets with public IP addresses from entering the network.

D. Block packets with public IP addresses from entering the network.

98. Which one of the following database concurrency issues occurs when one trnsaction reads information that was written to a database by a second transaction that never committed? A. Lost update B. SQL injection C. Incorrect summary D. Dirty read

D. Dirty read

76. Which one of the following approaches to failure management is the most conservative from a security perspective? A. Fail open B. Fail mitigation C. Fail clear D. Fail closed

D. Fail closed

8. Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message shown here. What state has this computer entered? Refer to page 161 in the book. A. Fall open B. Irrecoverable error C. Memory exhaustion D. Fail secure

D. Fail secure

45. What type of requirements soecifies what software must do by describing the inputs, behavior, and outputs of software? A. Derived requirements B. Structural requirements C. Behavioral requirements D. Functional requirements

D. Functional requirements

71. David is working on developinga project schedule for a software development effort, and he comes across the chart shown here. What type of chart is this? Refer to page 174 in book. A. Work breakdown structure B. Functional requirements C. PERT chart D. Gant chart

D. Grant chart

72. Barry is a software tester who is working with a new gaming application developed by his company. He is playing the game on a smartphone to conduct his testing in an environment that best simulates a normal end user, but he is referencing the source code as he conducts his test. What type of test is Barry conducting? A. White box B. Black box C. Blue box D. Gray box

D. Gray box

35. What type of security issue arises when an attacker can deduce a more sensitive piece of information by analyzing several pieces of information classified at a lower level? A. SQL injection B. Multilevel security C. Aggregation D. Inference

D. Inference

93. Tom is writing a software program that calculates the sales tax for online orders placed from various jurisdictions. The application includes a user-defined field that allows the entry of the total sale amount. Tom would like to ensure that the data entered in this field is properly formatted dollar amount. What technique should he use? A. Limit check B. Fail open C. Fail secure D. Input validation

D. Input validation

42. Which one of the following programming languages does not make use of a compiler? A. Java B. C++ C. C D. JavaScript

D. JavaScript

66. What are the two components of an expert system? A. Decision support system and neural network B. Inference engine and neural network C. Neural network and knowledge bank D. Knowledge bank and inference engine

D. Knowledge bank and inference engine

20. Robert is also working with Beta Particles on a strategy to advance their software development practices. What SW-CMM stage. should be their next target milestone? A. Defined B. Repeatable C. Optimizing D. Managed

D. Managed

85. Which one of the following types of artificial intelligence attempts to use complex computations to replicate the partial function of the human mind? A. Decision support systems B. Expert systems C. Knowledge bank D. Neural networks

D. Neural networks

67. Neal is working with a Dy amoDB database. The database is not structured like a relational database but allows Neal to store data using a key-value store. What type of database is DynamoDB? A. Relational database B. Graph database C. Heerarchical database D.NoSQL database

D. NoSQL database

83. TJ inspecting a system where the user reported a strange error message and the inability to access files. He sees the window shown in this figure. What type of malware should TJ suspect? Refer to page 177 in the book. A. Service injection B. Encrypted virus C. SQL injection D. Ransomware

D. Ransomware

57. In what software testing technique does the evaluator retest a large number of scenarios each time that the software changes to verify that the results are consistent with a standard baseline? A. Orthogonal array testing B. Pattern testing C. Maxtrix testing D. Regression testing

D. Regression testing

4. Harold's conpany has a strong password policy that requires a minimum length of 12 characters and the use of both alphanumeric characters and symbols. What technique would be the most effective way for an attacker to compromise passwords in Harold's organization? A. Brute-force attack B. Dictionary attack C. Rainbow table attack D. Social engineering attack

D. Social engineering attack

77. What software development model is shown in the figure? Refer to page 176 in book. A.Waterfall B. Agile C. Lean D. Spiral

D. Spiral

73. Miguel recently completed a pentration test of the applications that his organization uses to handle sensitive information. During his testing, he discovered a condition where an attacker can exploit a timing condition to manipulate software into allowing him to perform an unauthorized action. Which one of the following attack types fits this scenario? A. SQL injection B. Cross-site scripting C. Pass the hash D. TOC/TOU

D. TOC/TOU

9. Which one of the following is not a goal of software threat modeling? A.To reduce the number of security-related design flaws B. To reduce the number of security-related coding flaws C. To reduce the severity of non-security flaws D. To reduce the number of threat vectors

D. To reduce the number of threat vectors

33. What type of malware is characterized by spreading from system to system under its own power by exploiting vulnerabilities that do not require user intervention? A. Trojan horse B. Virus C. Logic bomb D. Worm

D. Worm

61. Martin is inspecting a sustem where the user reported unusual activity, including disk activity when the system is idle and abnormal CPU and network usage. He suspects that the machine is infected by a virus but scans come up clean. What malware technique might be in use here that would explain the clean scan results? A. File infector virus B. MBR virus C. Service injection virus D. Stealth virus

D. stealth virus