CISSP domain 8 questions


In which database normalization form would we divide the data into tables? 2nd normal form. 4th normal form. 1st normal form. 3rd normal form.

1st normal form. Explanation Database normalization: Used to clean up the data in a database table to make it logically concise, organized, and consistent. Removes redundant data, and improves the integrity and availability of the database. Normalization has three forms (rules): First Normal Form: Divides the base data into tables, primary key is assigned to most or all tables. Second Normal Form: Move data that is partially dependent on the primary key to another table. Third normal Form: Remove data that is not dependent on the primary key.

In database normalization, in which form would we move data that is partially dependent on the primary key to another table? 2nd normal form. 4th normal form. 3rd normal form. 1st normal form.

2nd normal form. Explanation Database normalization: Used to clean up the data in a database table to make it logically concise, organized, and consistent. Removes redundant data, and improves the integrity and availability of the database. Normalization has three forms (rules): First Normal Form: Divides the base data into tables, primary key is assigned to most or all tables. Second Normal Form: Move data that is partially dependent on the primary key to another table. Third normal Form: Remove data that is not dependent on the primary key.

Which generation of programming languages often uses a graphical user interface and drag and drop for generating the actual code? 4th generation. 1st generation. 3rd generation. 2nd generation.

4th generation. Explanation 4th Generation languages (4GL): Often use a GUI and drag and drop, and then generate the code. They are often used for websites, databases, and reports.

We have just signed a contract with a vendor for a Software as a Service (SaaS) implementation. Where does our responsibility start, and the vendor's responsibility stop? B: Between security and application. A: After the application. C: Between virtualization and OS. D: Between storage and servers.

A: After the application. Explanation In Software as a Service (SaaS), the vendor provides everything including the applications and programs. We would provide the data for the applications.

Which project management methodology welcomes changing requirements, frequent deliveries, and uses face-to-face meetings? Sashimi. Spiral. Agile. Waterfall.

Agile. Explanation Agile software development: Describes a set of values and principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams. Uses adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change.

Which software project management methodology is based on responding to change rather than following a plan? Sashimi. Agile. Spiral. Waterfall.

Agile. Explanation Agile software development: Describes a set of values and principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams. Uses adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change.

When we talk about proprietary software, we are referring to which of these? Software not released into the public domain. Open source. All of these. Closed source.

All of these. Explanation Proprietary software: Software protected by intellectual property and/or patents, often used interchangeably with Closed Source software, but it really is not. It can be both Open and Closed Source software. Any software not released into the public domain is protected by copyright.

Jane is explaining how using AI can help predict healthcare issues for patients. What is AI? Artifact Incidents. Arithmetic Interference. Artificial Intelligence. Artificial Integrity.

Artificial Intelligence. Explanation AI (Artificial Intelligence): Intelligence exhibited by machines, rather than humans or other animals. True AI is a topic of discussion; what was considered AI years ago has been achieved, and once the goal is reached, the AI definition is tweaked a little.

Which programming language uses short mnemonics like ADD and SUB, which are then matched to their full-length binary code? Source code. Compiler language. Machine code. Assembler language.

Assembler language. Explanation Assembler Language: Short mnemonics like ADD/SUB/JMP, each matched with its full-length binary machine code. An assembler converts assembly language into machine language; a disassembler does the reverse.

In object-oriented databases, the objects can have different attributes. Which of these would define the characteristics of an object? Methods. Schemas. Classes. Attributes.

Attributes. Explanation Attributes: Data which defines the characteristics of an object. This data may be simple such as integers, strings, and real numbers or it may be a reference to a complex object.

Under which of these open source software license agreements is it allowed to alter the original software and sell the altered software? BSD. Apache. GNU. CKR.

BSD. Explanation BSD (Berkeley Software Distribution): A family of permissive free software licenses, imposing minimal restrictions on the use and redistribution of covered software. This is different from copyleft licenses, which have reciprocity (share-alike) requirements.

Object-oriented programming tends to lean towards which programming process? Top-down. Cripple ware. Sashimi. Bottom-up.

Bottom-up. Explanation Bottom-up Programming: Piecing together systems to build more complex systems, making the original systems sub-systems of the overarching system. OOP tends toward Bottom-Up: you start by developing your objects and build up.

We are looking at SDLC project management software development methodologies. Which of these is NOT one of them? Agile. Bottom-up. Sashimi. Waterfall.

Bottom-up. Explanation Waterfall, Agile and Sashimi are all SDLC methods; bottom-up is not.

As programming has progressed, we get newer generations of programming languages. Which of these sets are all 4th generation programming languages? ColdFusion, SQL, Perl, PHP. C++, Java, Cobol, C#. ColdFusion, SQL, C++, Perl. Cobol, SQL, Perl, C++.

ColdFusion, SQL, Perl, PHP. Explanation 4th Generation languages (4GL) include ColdFusion, Progress 4GL, SQL, PHP and Perl. Fourth-generation languages are designed to reduce programming effort and the time it takes to develop software, resulting in a reduction in the cost of software development. They increase efficiency by automating the creation of machine code. They often use a GUI and drag and drop, and then generate the code. Often used for websites, databases, and reports.

Which programming language often saves data as an executable file? The file is saved once and executed many times. Compiled languages. Interpreted languages. Assembled language. Source code.

Compiled languages. Explanation Compiled Languages: Translate the higher-level language into machine code and save it, often as an executable. Compiled once and run multiple times.

What do we release when we want users to test our software, but we are disabling key features of the software? Bloatware. Freeware. Cripple ware. Shareware.

Cripple ware. Explanation Cripple ware: Partially functioning proprietary software, often with key features disabled. The user is required to make a payment to unlock the full functionality.

In database query languages, which would use these statements: CREATE, ALTER, and DROP? DDL. BGP. DRP. DML.

DDL. Explanation Data Definition Language (DDL): A standard for commands that define the different structures in a database. Creates, modifies, and removes database objects such as tables, indexes, and users. Common DDL statements are CREATE, ALTER, and DROP.

Which type of query languages would use SELECT, DELETE, and INSERT? DRP. DDL. DML. DDR.

DML. Explanation Data Manipulation Language (DML): Used for selecting, inserting, deleting and updating data in a database (SELECT, INSERT, DELETE, UPDATE). Common DDL statements are CREATE, DROP, ALTER, COMMENT.

Looking at different database query languages, which of them would use these statements? SELECT, DELETE, INSERT, and UPDATE. DDL. BGP. DML. DRP.

DML. Explanation Data Manipulation Language (DML): Used for selecting, inserting, deleting and updating data in a database. Common DML statements are SELECT, DELETE, INSERT, UPDATE.

Where would we define the attributes and values of the database tables? Database views. Database query language. Data dictionary. Database schema.

Database schema. Explanation Database schema: Describes the attributes and values of the database tables. Names should only contain letters, in the US SSNs should only contain 8 numbers, ...

When we look at software development, security should ALWAYS be what? Added only in important areas. Designed into the software. Added on later. Added when we are compromised.

Designed into the software. Explanation Security should be designed into the software and be part of the initial requirements, just as functionality is. The more breaches and compromises there are, the more we see the move towards security being part of the scope of the software design project. We use software at our jobs, in our personal lives, our homes, cars, power, water, etc. It is everywhere and it has been and still is common to write functional code. Security is an afterthought or not considered at all.

In Scrum project management, what is the development team's role? Representing the stakeholders/customers. Being a traditional project manager. Developing the code/product at the end of each sprint. Removing obstacles for the development team.

Developing the code/product at the end of each sprint. Explanation Development team: Responsible for delivering the product at the end of each sprint (sprint goal). The team is made up of 3-9 individuals who do the actual work (analysis, design, develop, test, technical communication, document, etc.).

What would we do to mitigate insufficient detection and response (OWASP A7)? Random session IDs. Centralized implementation. Do a lessons learned after an incident and implement countermeasures. Not patching servers.

Do a lessons learned after an incident and implement countermeasures. Explanation A7 Insufficient Detection and Response (NEW). Not detecting we have been compromised, due to lack of controls, detection applications. Not performing our due diligence and due care on our applications, systems, and our response to compromise. Not responding in a proper way to compromise, not informing anyone, informing too late or just ignoring the incident (at best plugging the leak). We need to not just protect against this attack, but future similar attacks, patch software and applications, close ports.

As part of the annual board retreat, senior management is wanting to put a face on the IT organization and thinks Jane is a great candidate for it. They have asked her to talk briefly about native XML vulnerabilities. Which type of database does XML use? Object-oriented. Relational. Document-oriented. Hierarchical.

Document-oriented. Explanation A document-oriented database, or document store, is a computer program designed for storing, retrieving and managing document-oriented information. XML databases are a subclass of document-oriented databases that are optimized to work with XML documents.

When we click the "I agree" button on a software license, what is it we are agreeing to? GNU. EULA. BSD.

EULA. Explanation EULAs (End-User License Agreements): Electronic form where the user clicks "I agree" to the software terms and conditions while installing the software.

Looking at our relational databases and the errors they can have, if we talk about semantic integrity, to what are we referring? Each attribute value is consistent with the attribute data type. When the database has errors. Each tuple has a unique primary value that is not null. When every foreign key in a secondary table matches the primary key in the parent table.

Each attribute value is consistent with the attribute data type. Explanation Semantic integrity: Each attribute value is consistent with the attribute data type.

In referential databases, we are talking about entity integrity. What does that mean? Each attribute value is consistent with the attribute data type. Each tuple has a unique primary value that is not null. When every foreign key in a secondary table matches the primary key in the parent table. When the database has errors.

Each tuple has a unique primary value that is not null. Explanation Entity integrity: Each tuple (row) has a unique primary value that is not null.

In a relational database, what is the parent table's primary key seen as in the child table? Primary key. Foreign key. Secondary key. Reference key.

Foreign key. Explanation Foreign key: In relational databases, the foreign key is the matching primary key of a parent database table. It is always the primary key in the local DB. Seen from the child table, the child's own key is its primary key and the foreign key is the primary key of the parent table.

What is the difference between freeware and shareware? Freeware is free for a limited amount of time, shareware is free with no time restrictions. They are the same thing, there is no difference. Freeware is free with no time restrictions, shareware is free for a limited amount of time. Freeware is free forever, shareware you buy it, but you are allowed to share it.

Freeware is free with no time restrictions, shareware is free for a limited amount of time. Explanation Freeware: Actually free software; it is free of charge to use. Shareware: Fully functional proprietary software that is initially free to use. Often used for trials to test the software; after 30 days you have to pay to continue to use it.

Under which of these open source software license agreements does derivative work have to be distributed under the same software licensing terms? BSD. Apache. GNU. CKR.

GNU. Explanation GNU (General Public License): Also called GPL. Guarantees end users the freedom to run, study, share and modify the software. A copyleft license, which means that derivative work can only be distributed under the same license terms.

Jane is leading a software development team. She is using the spiral model for this project; which of these is NOT one of the phases? Engineering. Risk analysis. Initiation. Planning.

Initiation. Explanation The spiral model: A risk-driven process model generator for software projects. The spiral model has four phases: Planning, Risk Analysis, Engineering and Evaluation. A software project repeatedly passes through these phases in iterations (called spirals in this model). In the baseline spiral, starting in the planning phase, requirements are gathered and risk is assessed. Each subsequent spiral builds on the baseline spiral.

What would we do to mitigate injection attacks (OWASP A1)? Random session IDs. Remove default passwords and usernames. Input length limitations. Captcha.

Input length limitations. Explanation A1 Injection: Can be any code injected into user forms; often seen is SQL/LDAP. Attackers can do this because our software does not use the following: strong enough input validation and data type limitations on input fields; input length limitations. The fix is to do just that; we only allow users to input appropriate data into the fields, only letters in names, numbers in phone number, have dropdowns for country and state (if applicable), we limit how many characters people can use per cell, etc.

We want to mitigate injection attacks (OWASP A1) on our web servers. What can we implement to help with that? Secure Sockets Layer (SSL). CAPTCHA. Input validation. Non-predictable session IDs.

Input validation. Explanation A1 Injection: Can be any code injected into user forms; often seen is SQL/LDAP. Attackers can do this because our software does not use strong enough input validation, data type limitations on input fields, or input length limitations. The fix is to do just that: we only allow users to input appropriate data into the fields, only letters in names, numbers in phone numbers, dropdowns for country and state (if applicable), and we limit how many characters people can use per cell.

When an attacker can guess a URL they don't know about, from another similar logical URL, what is that called? CSRF. Under-protected APIs. Unvalidated redirects. Insecure direct object reference.

Insecure direct object reference. Explanation 2013 A4 Insecure direct object reference: Users can access resources they shouldn't by guessing the URL or path, often when it is logical. If you have access to a report named financials_may2017.pdf on your organization's network, you can try guessing other file names you should not have access to, such as financials_August.pdf or financials_2017.pdf. Mitigated by proper access control, using non-sequential names, or monitoring file usage.

In which order would you use the Software Development Life Cycle (SDLC)? Analysis, investigation, design, build, implement, test, maintenance and support. Investigation, analysis, design, build, implement, test, maintenance and support. Investigation, design, analysis, build, implement, test, maintenance and support. Investigation, analysis, design, build, test, implement, maintenance and support.

Investigation, analysis, design, build, test, implement, maintenance and support. Explanation SDLC (Software Development Life Cycle): The SDLC is not really a methodology, but a description of the phases in the life cycle of software development. These phases are (in general) investigation, analysis, design, build, test, implement, maintenance and support (and disposal). Security can be built into each step of the process; for the exam it always is.

We are implementing database shadowing. How does it help us ensure we can recover from a data loss on our primary systems? It takes a full backup of our database once a week to tape. It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media. It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs. It uses a remote backups service that sends backup files electronically offsite at a certain interval or when the files change.

It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media. Explanation Database shadowing: Exact real-time copy of the database or files to another location. It can be another disk in the same server, but best practice dictates another geographical location, often on a different medium.

We are implementing remote journaling. How does it help us ensure we can recover from a data loss on our primary systems? It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media. It takes a full backup of our database once a week to tape. It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs. It uses a remote backup service that sends backup files electronically offsite at a certain interval or when the files change.

It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs. Explanation Remote journaling: Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.

We are implementing e-vaulting. How does it help us recover from a data loss on our primary systems? It takes a full backup of our database once a week to tape. It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs. It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media. It uses a remote backup service that sends backup files electronically offsite at a certain interval or when the files change.

It uses a remote backup service that sends backup files electronically offsite at a certain interval or when the files change. Explanation Electronic vaulting (e-vaulting): Using a remote backup service, backups are sent off-site electronically at a certain interval or when files change.

In our business improvement process, we are using the Capability Maturity Model (CMM). In which stages of the CMM model are processes defined? (Select all that apply). Level 1. Level 5. Level 2. Level 3. Level 4.

Level 1. Level 5. Level 3. Level 4. Explanation CMM (Capability Maturity Model): The maturity relates to the degree of formality and optimization of processes, from ad hoc practices, to formally defined repeatable steps, to managed result metrics, to active optimization of the processes. From level and upwards we have clearly defined processes. Level 1: Initial. Processes at this level are normally undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. Level 2: Repeatable. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

In the software capability maturity model, at which level are some processes "possibly repeatable with consistent results"? Level 3. Level 4. Level 2. Level 1.

Level 2. Explanation Level 2: Repeatable. At this level of maturity some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

Which programming language is executed directly by the Central Processing Unit (CPU)? Assembler language. Source code. Compiler language. Machine code.

Machine code. Explanation Machine Code: Software executed directly by the CPU, 0's and 1's understood by the CPU.

In object-oriented databases, the objects can have different attributes. Which of them would define the behavior of an object? Methods. Attributes. Classes. Schemas.

Methods. Explanation Methods: Define the behavior of an object and are what were formerly called procedures or functions. Objects contain both executable code and data.

If we are using object-oriented analysis and design (OOAD), when would we apply the constraints to the conceptual model? OOD. OOA. OOM. OOR.

OOD. Explanation OOD (Object-oriented design): The developer applies the constraints to the conceptual model produced in object-oriented analysis. Such constraints could include the hardware and software platforms, the performance requirements, persistent storage and transactions, usability of the system, and limitations imposed by budgets and time. Concepts in the analysis model, which is technology independent, are mapped onto implementing classes and interfaces, resulting in a model of how the system is to be built on specific technologies. Important topics during OOD also include the design of software architectures by applying architectural patterns and design patterns with object-oriented design principles.

In Object-Oriented Analysis and Design (OOAD), which would be used heavily by both the object-oriented analysis and design? OOD. OOR. OOM. OOA.

OOM. Explanation OOM (Object-oriented modeling): A common approach to modeling applications, systems, and business domains by using the object-oriented paradigm throughout the entire development life cycle. It is heavily used by both OOA and OOD activities in modern software engineering.

Jane is looking at Java vulnerabilities for a report. She needs to present it to senior management at the end of the week. Which type of database does Java use? Relational. Document-oriented. Hierarchical. Object-oriented.

Object-oriented. Explanation Object-Oriented Databases (Object Database Management Systems): Object databases store objects rather than data such as integers, strings or real numbers. Objects are used in object-oriented languages such as Smalltalk, C++, Java, etc. Objects, in an object-oriented database, refer to the ability to develop a product, then define and name it. The object can then be referenced, or called later, as a unit without having to go into its complexities.

In CASE programming, designers use these categories of tools, EXCEPT which? Environments. Tools. Objects. Workbenches.

Objects. Explanation CASE (Computer-Aided Software Engineering): Similar to, and partly inspired by, the computer-aided design (CAD) tools used for designing hardware products. Used for developing high-quality, defect-free, and maintainable software. Often associated with methods for the development of information systems together with automated tools that can be used in the software development process. CASE software is classified into 3 categories: Tools support specific tasks in the software life cycle. Workbenches combine two or more tools focused on a specific part of the software life cycle. Environments combine two or more tools or workbenches and support the complete software life cycle.

We are in the process of developing some new software. On some of our previous releases of different software we have had security problems. We are considering releasing the source code for the new software; what would that make our software? Proprietary software. Closed source. Open source. Prevented software.

Open source. Explanation Open source: We release the code publicly, where it can be tested, improved and corrected, but it also allows attackers to find the flaws in the code.

Which of these is NOT a type of open-source software licensing? GNU. Apache. Oracle. BSD.

Oracle. Explanation Open source software can be protected by a variety of licensing agreements. GNU (General Public License), BSD (Berkeley Software Distribution) and Apache are all examples of this.

When you discover a software vulnerability, you notify the vendor of the vulnerability for them to fix it. What is the term used for this? Partial disclosure. Predictable disclosure. No disclosure. Full disclosure.

Partial disclosure. Explanation Responsible/Partial disclosure: We tell the vendor, they have time to develop a patch, and then we disclose it. If they do nothing we can revert to full disclosure, forcing them to act.

When we buy software from a vendor, what should we ALWAYS do? Assume it is secure enough for our organization since others use it already. Look at reviews, and if they are good we can go ahead and buy it. Trust the vendor's security claims. Perform a full security assessment to determine if they meet our security posture.

Perform a full security assessment to determine if they meet our security posture. Explanation Buying software from other companies: When we buy software from vendors, either COTS (Commercial Off The Shelf) or custom-built software, we need to ensure it is as secure as we need it to be. Vendors' claims about security posture should, until proven, be seen as marketing claims. We need to do our due care and due diligence, as well as use outside counsel if needed.

You are discussing 4th generation programming languages with a colleague. Which of these are 4th generation languages? (Select all that apply). Java. Perl. SQL. PHP. Cobol.

Perl. SQL. PHP. Explanation 4th Generation languages (4GL): Fourth-generation languages are designed to reduce programming effort and the time it takes to develop software, resulting in a reduction in the cost of software development. They increase efficiency by automating the creation of machine code. They often use a GUI and drag and drop, and then generate the code; often used for websites, databases and reports. 4th Generation languages include ColdFusion, Progress 4GL, SQL, PHP, Perl, etc. Java and Cobol are 3rd generation languages.

Which of these software types can be copyright protected? Prevented software. Open source. Proprietary software. Closed source.

Proprietary software. Explanation Proprietary software: Software protected by intellectual property and/or patents, often used interchangeably with Closed Source software, but it really is not. It can be both Open and Closed Source software. Any software not released into the public domain is protected by copyright.

Which software development methodology breaks the project into smaller tasks and builds multiple models of system design features? RAD. Prototyping. XP. Scrum.

Prototyping. Explanation Prototyping: Breaks projects into smaller tasks, creating multiple prototypes of system design features. A working model of software with some limited functionality, rather than designing the full software up front. Has a high level of customer involvement; the customer inspects the prototypes to ensure that the project is on track and meeting its objective.

Bob is looking at GUI builders for an upcoming project. Which type of methodology is Bob MOST LIKELY going to use? Agile. Spiral. RAD. Prototyping.

RAD. Explanation RAD (Rapid Application Development): Puts an emphasis on adaptability and the necessity of adjusting requirements in response to knowledge gained as the project progresses. Prototypes are often used in addition to, or sometimes even in place of, design specifications. Very suited for developing software that is driven by user interface requirements. GUI builders are often called rapid application development tools.

Which software development methodology uses prototypes in addition to, or instead of, design specifications? RAD. Prototyping. Scrum. XP.

RAD. Explanation RAD (Rapid Application Development): Puts an emphasis on adaptability and the necessity of adjusting requirements in response to knowledge gained as the project progresses. Prototypes are often used in addition to, or sometimes even in place of, design specifications. Very suited for developing software that is driven by user interface requirements. GUI builders are often called rapid application development tools.

What could be something we could implement to mitigate broken authentication and session management (OWASP A2)? Random session IDs. Captcha. Data type limitations. Remove default passwords and usernames.

Random session IDs. Explanation A2 Broken Authentication and Session Management: Sessions do not expire or they take too long to expire. Session IDs are predictable: 001, 002, 003, 004, etc. Tokens, session IDs, passwords, etc. are kept in plaintext.

Having a single, well-controlled, defined data integrity system increases all of these EXCEPT which? Performance. Maintainability. Stability. Redundant data.

Redundant data. Explanation Having a single, well-controlled, and well-defined data-integrity system increases: Stability: One centralized system performs all data integrity operations. Performance: All data integrity operations are performed in the same tier as the consistency model. Re-usability: All applications benefit from a single centralized data integrity system. Maintainability: One centralized system for all data integrity administration.

In CASE programming, designers use these categories of tools, EXCEPT which? References. Environments. Workbenches. Tools.

References. Explanation CASE (Computer-Aided Software Engineering): Similar to, and partly inspired by, the computer-aided design (CAD) tools used for designing hardware products. Used for developing high-quality, defect-free, and maintainable software. Often associated with methods for the development of information systems together with automated tools that can be used in the software development process. CASE software is classified into 3 categories: Tools support specific tasks in the software life cycle. Workbenches combine two or more tools focused on a specific part of the software life cycle. Environments combine two or more tools or workbenches and support the complete software life cycle.

Bob is doing cleanups of one of our databases. He has found foreign keys that do not match the primary key. Which type of integrity error is this? Semantic. Entity. Referential. Foreign.

Referential. Explanation Referential integrity: When every foreign key in a secondary table matches a primary key in the parent table. It is broken if not all foreign keys match the primary key.

When we release our software as open source, we do what? Release neither the software nor the code. Release the software, but not the code. Release the code, but not the software. Release the code and the software.

Release the code and the software. Explanation Open source: We release the code publicly, where it can be tested, improved and corrected, but it also allows attackers to find the flaws in the code.

After a security audit we need to mitigate Security Misconfiguration (OWASP A5). What could be something we would implement? Remove default passwords and usernames. Centralized implementation. Implement all websites to be HTTPS. Random session IDs.

Remove default passwords and usernames. Explanation A5 Security Misconfiguration. Databases configured incorrectly. Not removing out-of-the-box default access and settings. Keeping default usernames and passwords. OS, web server, DBMS, applications, etc. not patched and up to date. Unnecessary features enabled or installed; this could be open ports, services, pages, accounts, privileges, etc.

In Scrum project management, what is the Scrum master's role? Developing the code/product at the end of each sprint. Representing the stakeholders/customers. Being a traditional project manager. Removing obstacles for the development team.

Removing obstacles for the development team. Explanation Scrum master: Facilitates and is accountable for removing impediments to the team's ability to deliver the product goals and deliverables. Not a traditional team lead or project manager, but acts as a buffer between the team and any distracting influences. The Scrum master ensures that the Scrum framework is followed.

In Scrum project management, what is the product owner's role? Being a traditional project manager. Representing the stakeholders/customers. Removing obstacles for the development team. Developing the code/product at the end of each sprint.

Representing the stakeholders/customers. Explanation The product owner: Representing the product's stakeholders, the voice of the customer, and is accountable for ensuring that the team delivers value to the business.

Jane is using relational databases. Which of these would be a TRUE statement if she is talking about tuple values? Are unique. Represent values attributed to that instance. Lists the person's SSN. Represents one entity.

Represents one entity. Explanation Relational model: Organizes data into one or more tables (or relations) of columns and rows, with a unique key identifying each row. Rows are also called records or tuples. Each table/relation represents one entity type.

Which of these is not really a methodology, but describes the phases of the software development lifecycle? Waterfall. RAD. Agile. SDLC.

SDLC. Explanation SDLC (Software Development Life Cycle): The SDLC is not really a methodology, but a description of the phases in the life cycle of software development. These phases are (in general), investigation, analysis, design, build, test, implement, maintenance and support (and disposal).

We want to use the most commonly used database management system (DBMS) in our organization. What should we implement? Oracle. MongoDB. IBM DB2. SQL.

SQL. Explanation DBMS (database management system): The most common is SQL or a SQL derivative. A computer software application that interacts with the user, other applications, and the database itself to capture and analyze data. A general-purpose DBMS is designed to allow the definition, creation, querying, update, and administration of databases. MySQL, PostgreSQL, MongoDB, MariaDB, Microsoft SQL Server, Oracle, Sybase, SAP HANA, SQLite and IBM DB2.

In which of these project management methodologies do we use a linear approach, where 2 phases are overlapping, and when we close one phase, we start the next? Waterfall. Spiral. Agile. Sashimi.

Sashimi. Explanation Sashimi model (Waterfall with overlapping phases): Similar to Waterfall, but there are always 2 overlapping phases; when we close one phase, we add the next. The modified Waterfall model allows us to go back to the previous phase, but no further.

Which Agile software development methodology makes use of a master? Sashimi. XP. Scrum. Spiral.

Scrum. Explanation Scrum master: Facilitates and is accountable for removing impediments to the team's ability to deliver the product goals and deliverables. Not a traditional team lead or project manager, but acts as a buffer between the team and any distracting influences. The Scrum master ensures that the Scrum framework is followed.

When we check our databases for integrity, we notice a value that is not consistent with the attribute data type. Which type of integrity failure is this? Semantic integrity. Entity integrity. Referential integrity. Formatted integrity.

Semantic integrity. Explanation Semantic integrity: Each attribute value is consistent with the attribute data type.

As part of our checks on our SQL databases, we want to ensure we have database integrity. Which of these are COMMON integrity types we can have on relational databases? (Select all that apply). Semantic integrity. Foreign integrity. Entity integrity. Parent integrity. Referential integrity.

Semantic integrity. Entity integrity. Referential integrity. Explanation Referential integrity: When every foreign key in a secondary table matches a primary key in the parent table. It is broken if not all foreign keys match the primary key. Semantic integrity: Each attribute value is consistent with the attribute data type. Entity integrity: Each tuple (row) has a unique primary key value that is not null.

Bob is doing cleanups on one of our databases. He has found entries that do not match the data type. Which kind of integrity error is this? Foreign. Referential. Entity. Semantic.

Semantic. Explanation Semantic integrity: Each attribute value is consistent with the attribute data type.

Which of these is NOT an example of broken authentication or session management (OWASP A2)? Session IDs are predictable. Session IDs are kept in plaintext. Session never expires. Session IDs are pseudo-random.

Session IDs are pseudo-random. Explanation A2 Broken Authentication and Session Management. Sessions do not expire or take too long to expire. Session IDs are predictable (001, 002, 003, 004, etc.). Tokens, session IDs, and passwords are kept in plaintext. Pseudo-random session IDs would be a broken authentication countermeasure, not a finding.
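The two A2 questions above (random session IDs as the countermeasure, and predictable, plaintext, never-expiring sessions as the findings) come together in the following added example. It is not code from the page; the store, the 15-minute idle timeout and the class and function names are assumptions made for illustration. It shows the sequential ID pattern being enumerated by an attacker, the CSPRNG-based replacement, hashed storage of IDs on the server, and expiry on idle.

```python
import hashlib
import secrets
import time

SESSION_ID_BYTES = 32          # 256 bits from the OS CSPRNG (assumed size)
SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout; a session that never expires is an A2 finding


class CounterIds:
    """The broken pattern from the question: sequential IDs 001, 002, 003, ..."""

    def __init__(self):
        self.n = 0

    def __call__(self):
        self.n += 1
        return f"{self.n:03d}"


def new_session_id():
    """The countermeasure: an unguessable token from `secrets`, never from `random`."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def _fingerprint(session_id):
    # Store a hash of the ID rather than the ID itself, so a dump of the session
    # table does not hand out live sessions (the "kept in plaintext" finding).
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


class SessionStore:
    """Minimal server-side session table with a sliding idle timeout."""

    def __init__(self, id_generator=new_session_id, ttl=SESSION_TTL_SECONDS, clock=time.monotonic):
        self._new_id = id_generator
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # fingerprint -> (user, last_seen)

    def create(self, user):
        session_id = self._new_id()
        self._sessions[_fingerprint(session_id)] = (user, self._clock())
        return session_id  # would be sent to the client in a Secure; HttpOnly cookie

    def lookup(self, session_id):
        """Return the user for a live session, or None if unknown or expired."""
        key = _fingerprint(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > self._ttl:
            del self._sessions[key]  # expire instead of living forever
            return None
        self._sessions[key] = (user, now)  # sliding expiry on activity
        return user

    def destroy(self, session_id):
        """Logout must invalidate server-side, not just drop the cookie."""
        self._sessions.pop(_fingerprint(session_id), None)


def enumerate_sessions(store, max_tries=1000):
    """What an attacker does against predictable IDs: walk 001..max_tries and keep the hits."""
    guesses = CounterIds()
    hits = []
    for _ in range(max_tries):
        candidate = guesses()
        if store.lookup(candidate) is not None:
            hits.append(candidate)
    return hits
```

Against a store built with `CounterIds`, `enumerate_sessions` recovers every live session in a few hundred requests; against `new_session_id` the same loop finds nothing, because 43 URL-safe characters of CSPRNG output cannot be walked. The hashed storage and the idle timeout address the other two findings the page lists.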

Why would an organization offer source code escrow to its customers? Because we want them to see the source code whenever they want to. To ensure the code is tested completely. To make our source code publicly available. So the customer has access to the source code if we go bankrupt.

So the customer has access to the source code if we go bankrupt. Explanation Source code escrow: The deposit of the source code of software with a third party escrow agent. Escrow is typically requested by a party licensing software (the licensee), to ensure maintenance of the software instead of abandonment or orphaning. The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.

We have asked a vendor to use a source code escrow. What could be a reason we would do that? So we can get the source code if they fail to maintain and update the code. So we can view the source code when we want to. So we can get the source code if we want to break the contract we have with them, because we have found a cheaper alternative. So we can get the source code if we have software errors.

So we can get the source code if they fail to maintain and update the code. Explanation Source code escrow: The deposit of the source code of software with a third party escrow agent. Escrow is typically requested by a party licensing software (the licensee), to ensure maintenance of the software instead of abandonment or orphaning. The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.

Which type of programming language is written in text and is understandable by humans? Compiler language. Assembler language. Source code. Machine code.

Source code. Explanation Source code: A program written in a text-based programming language that humans can read; it is translated (compiled or interpreted) into machine code before it runs.

Which software project management methodology is based on 4 phases we go through over and over? Waterfall. Spiral. Agile. Sashimi.

Spiral. Explanation The spiral model: A risk-driven process model generator for software projects. The spiral model has four phases: Planning, Risk Analysis, Engineering and Evaluation. A software project repeatedly passes through these phases in iterations (called spirals in this model). In the baseline spiral, starting in the planning phase, requirements are gathered and risk is assessed. Each subsequent spiral builds on the baseline spiral.

At a meeting with project stakeholders and sponsors, Bob gets asked how a relational database is structured. From these choices, what should Bob answer? Star schema model. A hierarchy model. An object model. Tables with rows and columns.

Tables with rows and columns. Explanation Relational model: Organizes data into one or more tables (or relations) of columns and rows, with a unique key identifying each row. Rows are also called records or tuples. Generally, each table/relation represents one entity type. The rows represent instances of that type of entity and the columns representing values attributed to that instance.

What is happening when we experience buffer overflows? The buffer overruns its boundaries and overwrites adjacent memory locations. We are not using SSL/TLS. The buffer overruns its boundaries and overwrites adjacent hard disk locations. User session IDs or tokens are stolen.

The buffer overruns its boundaries and overwrites adjacent memory locations. Explanation Buffer overflow (buffer overrun): An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. It happens through improper coding, when a programmer fails to perform bounds checking. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed input: if the programmer assumes all inputs will be smaller than a certain size and the buffer is created to be that size, an anomalous transaction that produces more data writes past the end of the buffer. If this overwrites adjacent data or executable code, the result may be erratic program behavior, including memory access errors, incorrect results, and crashes. By sending in data designed to cause a buffer overflow, it is possible to write into areas known to hold executable code or control data (such as a saved return address) and redirect execution to attacker-supplied code.

We are using the scrum project management methodology on one of our projects. For that project who would be responsible for the analysis, design, and documentation? The development team. The scrum master. The product owner. All of these.

The development team. Explanation Development team: Responsible for delivering the product at the end of each sprint (sprint goal). The team is made up of 3-9 individuals who do the actual work (analysis, design, develop, test, technical communication, document, etc.). Development teams are cross-functional, with all of the skills as a team necessary to create a product increment.

We are using the Scrum methodology on one of our projects. Who would be responsible for being the voice of the customer? All of these. The product owner. The scrum master. The development team.

The product owner. Explanation The product owner: Representing the product's stakeholders, the voice of the customer, and is accountable for ensuring that the team delivers value to the business.

Jane is using the Scrum project management methodology. Which of these would be some of the core team roles in the Scrum framework? (Select all that apply). The project manager. The project sponsor. The product owner. The development team. The Scrum master.

The product owner. The development team. The Scrum master. Explanation Scrum is a framework for managing software development. Scrum is designed for teams of approximately 10 individuals, and generally relies on two-week development cycles, called "sprints", as well as short daily stand-up meetings. The three core roles in the Scrum framework: The product owner: Represents the product's stakeholders, is the voice of the customer, and is accountable for ensuring that the team delivers value to the business. Development team: Responsible for delivering the product at the end of each sprint (sprint goal). The team is made up of 3-9 individuals who do the actual work (analysis, design, development, testing, technical communication, documentation, etc.). Scrum master: Facilitates and is accountable for removing impediments to the team's ability to deliver the product goals and deliverables. Not a traditional team lead or project manager, but acts as a buffer between the team and any distracting influences. The Scrum master ensures that the Scrum framework is followed.

An Artificial Neural Network (ANN) tries to emulate a brain. Which of these is NOT TRUE about ANNs? They are mostly used in areas that are difficult to express in a traditional computer algorithm using rule-based programming. They use rule-based programming and a lot of IF/THEN statements. They are organized in layers, and different layers perform different transformations on their input. They can analyze images labeled with a known fact, such as "gecko" or "no gecko", and the more labeled images they process the better they become at recognizing that fact.

They use rule-based programming and a lot of IF/THEN statements. Explanation ANNs do not use IF/THEN rules. They learn weights from labeled training examples rather than being programmed with explicit rules, which is exactly what makes them useful for problems where a rule-based algorithm is hard to write.

In part of our backup and disposal policy, you would find all these regarding backup tapes, EXCEPT which? Software encrypted. Hardware encrypted. Thrown in the trash when the retention period is over. Kept in a secure geographical distance climate controlled facility.

Thrown in the trash when the retention period is over. Explanation Tapes must be properly disposed of (degaussed, shredded, or otherwise sanitized); our data is still on the tape even after the retention period has expired.

What would we do to mitigate unvalidated redirects and forwarding (OWASP 2013 A10)? Random session IDs. User training and awareness. Encrypt all data at rest or in transit. Ensuring we use code and objects that are not deprecated.

User training and awareness. Explanation 2013 A10 Unvalidated Redirects and Forwards: Not confirming that URLs forward and redirect us to the right page. Mitigated with user awareness, and by spidering our site to see whether it generates any redirects (HTTP response codes 300-308, typically 302) to destinations we do not control.
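The explanation above mentions spidering the site for redirects; the following added example (not code from the page) shows both halves of the technical side of that control: a validator that a login handler can call before issuing a 302 `Location`, and a check that runs over crawl results and flags 3xx responses whose target leaves our hosts. The host list, function names and the crawl results are assumptions constructed for the example.

```python
from urllib.parse import urljoin, urlparse

OUR_HOSTS = {"www.example.com"}      # assumption: the hosts we consider on-site
REDIRECT_STATUSES = range(300, 309)  # 300-308; 302 is the one usually seen when spidering


def is_safe_redirect(target, allowed_hosts=OUR_HOSTS):
    """Accept only a same-site absolute path or an http(s) URL to one of our hosts."""
    target = target.strip()  # browsers ignore leading whitespace, so judge what they will see
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, and friends
    if parsed.netloc:
        # hostname strips userinfo and port, so
        # https://www.example.com@evil.example/ is judged as evil.example
        return parsed.hostname in allowed_hosts
    # No host given: require an absolute path, and reject the protocol-relative
    # form (//host) and the backslash variant (/\host) that browsers normalize to it
    return target.startswith("/") and not target.startswith(("//", "/\\"))


def safe_redirect_target(requested, fallback="/"):
    """What a login handler should call on the ?next= value before redirecting."""
    return requested if is_safe_redirect(requested) else fallback


def find_offsite_redirects(responses, allowed_hosts=OUR_HOSTS):
    """The 'spider our site' check: flag 3xx responses whose Location leaves our hosts.

    responses: iterable of (request_url, status, headers) as a crawler would record them.
    Returns the offending (request_url, status, location) triples.
    """
    findings = []
    for url, status, headers in responses:
        if status not in REDIRECT_STATUSES:
            continue
        location = headers.get("Location", "")
        # Resolve a relative Location against the request URL before judging it
        if not is_safe_redirect(urljoin(url, location), allowed_hosts):
            findings.append((url, status, location))
    return findings


# Constructed crawl results for the example, not real traffic
SAMPLE_RESPONSES = [
    ("https://www.example.com/login?next=/account", 302, {"Location": "/account"}),
    ("https://www.example.com/login?next=https://evil.example/phish", 302,
     {"Location": "https://evil.example/phish"}),
    ("https://www.example.com/go?u=//evil.example", 302, {"Location": "//evil.example"}),
    ("https://www.example.com/about", 200, {}),
    ("https://www.example.com/old", 301, {"Location": "https://www.example.com/new"}),
]
```

Run over `SAMPLE_RESPONSES`, the check reports the second and third entries and leaves the same-site 301 alone. The validator deliberately judges `hostname` rather than the raw string, which is what defeats the `user@host` and protocol-relative bypasses that a prefix comparison like `startswith("https://www.example.com")` misses.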

In software acceptance testing, what is the purpose of operational acceptance testing? To ensure the backups are in place, we have a DR plan, how patching is handled, and that the software is tested for vulnerabilities. To ensure the software is functional for and tested by the end user and the application manager. To ensure the software performs as expected in our live environment vs. our development environment. To ensure the software is as secure or more secure than the rules, laws and regulations of our industry require.

To ensure the backups are in place, we have a DR plan, how patching is handled, and that the software is tested for vulnerabilities. Explanation Operational acceptance testing: Are the software and all of the components it interacts with ready for operation? Tested by system administrators: Are the backups in place? Do we have a DR plan? How do we handle patching? Has it been checked for vulnerabilities? Etc.

In software acceptance testing, what is the purpose of compliance acceptance testing? To ensure the software is functional for and tested by the end user and the application manager. To ensure the software performs as expected in our live environment vs. our development environment. To ensure the backups are in place, we have a DR plan, how patching is handled, and that the software is tested for vulnerabilities. To ensure the software is as secure or more secure than the rules, laws and regulations of our industry require.

To ensure the software is as secure or more secure than the rules, laws and regulations of our industry require. Explanation Compliance acceptance testing: Is the software compliant with the rules, regulations and laws of our industry?

We are finishing our software development and we are doing the software acceptance testing. What is the purpose of user acceptance testing? To ensure the backups are in place, we have a DR plan, how patching is handled, and that the software is tested for vulnerabilities. To ensure the software is as secure or more secure than the rules, laws and regulations of our industry require. To ensure the software performs as expected in our live environment vs. our development environment. To ensure the software is functional for and tested by the end user and the application manager.

To ensure the software is functional for and tested by the end user and the application manager. Explanation User acceptance testing: Is the software functional for the users who will be using it? It is tested by the users and application managers.

In software acceptance testing, what is the purpose of production acceptance testing? To ensure the software is functional for and tested by the end user and the application manager. To ensure the backups are in place, we have a DR plan, how patching is handled, and that the software is tested for vulnerabilities. To ensure the software performs as expected in our live environment vs. our development environment. To ensure the software is as secure or more secure than the rules, laws and regulations of our industry require.

To ensure the software performs as expected in our live environment vs. our development environment. Explanation Compatibility/production testing: Does the software interface as expected with other applications or systems? Does the software perform as expected in our production environment vs. the development environment?

Computer-Aided Software Engineering (CASE) is classified into 3 categories. Which of these have the correct 3? Workbenches, use cases and tools. Tools, workbenches and environments. Tools, environments and scenarios. Workbenches, environments and scenarios.

Tools, workbenches and environments. Explanation CASE (Computer-Aided Software Engineering) software is classified into 3 categories: Tools support specific tasks in the software life-cycle. Workbenches combine two or more tools focused on a specific part of the software life-cycle. Environments combine two or more tools or workbenches and support the complete software life-cycle. Used for developing high-quality, defect-free, and maintainable software. Often associated with methods for the development of information systems together with automated tools that can be used in the software development process.

Procedural programming tends to lean towards which type of programming process? Crippleware. Top-down. Bottom-up. Sashimi.

Top-down. Explanation Top-Down Programming: Starts with the big picture, then breaks it down into smaller segments. Procedural programming leans toward Top-Down, you start with one function and add to it.

Each row in a relational database is called a/an: Attribute. Schema. Tuple. Relation.

Tuple. Explanation Relational model: Rows are also called records or tuples. Generally, each table/relation represents one entity type. The rows represent instances of that type of entity and the columns representing values attributed to that instance.

In Agile XP software development, we would normally do all of these, EXCEPT what? Expect changing requirements. Use daily stand-up meetings. Unit testing of all code. Pair programming.

Use daily stand-up meetings. Explanation XP (Extreme Programming): Intended to improve software quality and responsiveness to changing customer requirements. Advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted. XP uses: Programming in pairs or doing extensive code review. Unit testing of all code. Avoiding programming of features until they are actually needed. A flat management structure. Code simplicity and clarity. Expecting changes in the customer's requirements as time passes and the problem is better understood. Frequent communication with the customer and among programmers.

In Agile XP software development, we would normally do all of these, EXCEPT which? Pair programming. Use short 1-2 week development cycles (sprints). Unit testing of all code. Expect changing requirements.

Use short 1-2 week development cycles (sprints). Explanation Sprints are a Scrum term. XP (Extreme Programming): Intended to improve software quality and responsiveness to changing customer requirements. Advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted. XP uses: Programming in pairs or doing extensive code review. Unit testing of all code. Avoiding programming of features until they are actually needed. A flat management structure. Code simplicity and clarity. Expecting changes in the customer's requirements as time passes and the problem is better understood. Frequent communication with the customer and among programmers.

Which of these is NOT related to security misconfigurations (OWASP A5)? Using deprecated objects or code. Misconfigured databases. Not applying patches. Keeping default logins and passwords.

Using deprecated objects or code. Explanation While using deprecated objects or code is a security issue, it falls under OWASP A9, Using Components with Known Vulnerabilities. A5 Security Misconfiguration covers databases configured incorrectly, not removing out-of-the-box default access and settings, keeping default usernames and passwords, OS, web server, DBMS, applications, etc. not patched and up to date, and unnecessary features enabled or installed; this could be open ports, services, pages, accounts, privileges, etc.

Which project management methodology is better geared towards a year-long project, with very clearly defined software requirements that should NOT change? Waterfall. Rapid prototyping. XP. Agile.

Waterfall. Explanation Waterfall methodology is well suited for long, very clearly defined projects.

Which project management methodology uses a linear approach where each phase leads into the next and you can't go back to a previous phase? Sashimi. Waterfall. Spiral. Agile.

Waterfall. Explanation Waterfall: Very linear, each phase leads directly into the next. The unmodified waterfall model does not allow us to go back to the previous phase.

When our organization is buying custom-developed third-party software, which of these should NOT be a concern? What other companies that have implemented the exact same software say about it. How good they are at what they do. Who owns the code. Who will support it when development is completed.

What other companies that have implemented the exact same software say about it. Explanation We should address support, who owns the code, and how good the software development company is. We cannot really see what other companies say about the software, since it is being custom developed for us.

When we talk about relational databases, what does referential integrity mean? Each attribute value is consistent with the attribute data type. Each tuple has a unique primary key value that is not null. When every foreign key in a secondary table matches the primary key in the parent table. When the database has errors.

When every foreign key in a secondary table matches the primary key in the parent table. Explanation Referential integrity: When every foreign key in a secondary table matches a primary key in the parent table. It is broken if not all foreign keys match the primary key.
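The three integrity types this page keeps returning to (referential integrity here and in Bob's foreign-key cleanup, semantic integrity in the data-type questions, and entity integrity in the select-all question) can all be enforced by the database engine itself. The following is an added example, not code from the page; the department/employee schema, the column names and the sample rows are assumptions constructed for illustration. It uses Python's built-in sqlite3 so it runs offline, and shows each constraint rejecting a bad row, plus the orphan query Bob would run against a database whose foreign keys were never enforced.

```python
import sqlite3

# Assumed schema for the example; the table and column names are not from the page.
SCHEMA = """
CREATE TABLE department (
    dept_code TEXT NOT NULL PRIMARY KEY,   -- entity integrity: unique and never NULL
    name      TEXT NOT NULL
);
CREATE TABLE employee (
    emp_id    INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    -- semantic integrity: the stored value must really be an integer in a sane range
    -- (SQLite is loosely typed, so typeof() does what a strict type would elsewhere)
    age       INTEGER NOT NULL CHECK (typeof(age) = 'integer' AND age BETWEEN 16 AND 120),
    -- referential integrity: every dept_code here must exist in department
    dept_code TEXT NOT NULL REFERENCES department(dept_code)
);
INSERT INTO department VALUES ('SEC', 'Security');
"""

INSERT_EMPLOYEE = "INSERT INTO employee (name, age, dept_code) VALUES (?, ?, ?)"
INSERT_DEPARTMENT = "INSERT INTO department (dept_code, name) VALUES (?, ?)"
DELETE_DEPARTMENT = "DELETE FROM department WHERE dept_code = ?"


def open_db(enforce_fk=True):
    """In-memory database. SQLite only honours REFERENCES when the pragma is ON,
    and it is OFF by default; enforce_fk=False models the lax setup Bob inherited."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    return conn


def try_write(conn, sql, params):
    """Return None if the statement was accepted, else the constraint error SQLite raised."""
    try:
        with conn:  # commit on success, roll back on error
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as err:
        return str(err)


def find_orphans(conn):
    """Bob's cleanup query: employees whose foreign key matches no department row."""
    return conn.execute(
        """
        SELECT e.emp_id, e.dept_code
        FROM employee e
        LEFT JOIN department d ON d.dept_code = e.dept_code
        WHERE d.dept_code IS NULL
        ORDER BY e.emp_id
        """
    ).fetchall()
```

With the pragma ON, an employee pointing at a department code that does not exist is rejected with "FOREIGN KEY constraint failed", a non-integer age fails the CHECK, and a NULL or duplicate department code fails entity integrity; deleting a department that still has employees is refused as well. With the pragma OFF the orphan row is accepted silently, which is why `find_orphans` exists: constraints only protect data written after they were enforced, so a cleanup still has to look for what got in earlier.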

When is it appropriate to install and use backdoors and maintenance hooks? When the code is still in development. When it is easier for the users to use the software. Never. When it makes it easier for the administrators to use the software.

When the code is still in development. Explanation Maintenance hooks are developer backdoors that bypass normal authentication for debugging and testing; they are tolerable only while the code is in development and must be removed before release, because anyone who finds one gets the same bypass. Backdoors: Often installed by attackers during an attack to allow them access to the systems after the initial attack is over, to continue exfiltrating data over time, or to come back and compromise other systems. They bypass normal authentication or encryption in a computer system, a product, an embedded device, etc. Backdoors are also used for securing remote access to a computer, or for obtaining access to plaintext in cryptographic systems.

Which type of software development uses pair programming? Scrum. Waterfall. XP. Agile.

XP. Explanation XP (Extreme Programming) uses programming in pairs or extensive code review. Intended to improve software quality and responsiveness to changing customer requirements. Advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted.
