SPM401-Chapter 8


a

14. Marge has to choose a software development model that her team should follow. The application that her team is responsible for developing is a critical application that can have few to no errors. Which of the following best describes the type of model her team should follow? A. Cleanroom B. Joint Analysis Development (JAD) C. Rapid Application Development (RAD) D. Reuse model

c

15. __________ is a software testing technique that provides invalid, unexpected, or random data to the input interfaces of a program. A. Agile testing B. Structured testing C. Fuzzing D. EICAR

a

16. Which of the following is the second level of the Capability Maturity Model Integration? A. Repeatable B. Defined C. Managed D. Optimizing

a

21. ActiveX Data Objects (ADO) is an API that allows applications to access backend database systems. It is a set of ODBC interfaces that exposes the functionality of data sources through accessible objects. Which of the following are incorrect characteristics of ADO? i. It's a low-level data access programming interface to an underlying data access technology (such as OLE DB). ii. It's a set of COM objects for accessing data sources, not just database access. iii. It allows a developer to write programs that access data without knowing how the database is implemented. iv. SQL commands are required to access a database when using ADO. A. i, iv B. ii, iii C. i, ii, iii D. i, ii, iii, iv

c

22. Database software performs three main types of integrity services: semantic, referential, and entity. Which of the following correctly describes one of these services? i. A semantic integrity mechanism makes sure structural and semantic rules are enforced. ii. A database has referential integrity if all foreign keys reference existing primary keys. iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values. A. ii B. ii, iii C. i, ii, iii D. i, ii

d

25. Which is the best software architecture that Sandy should introduce her team to for effective business application use? A. Distributed component object architecture B. Simple Object Access Protocol architecture C. Enterprise JavaBeans architecture D. Service-oriented architecture

a

19. Which of the following has an incorrect attack-to-definition mapping? A. EBJ XSS attack: Content processing stages performed by the client, typically in client-side Java. B. Nonpersistent XSS attack: Improper sanitation of response from a web client. C. Persistent XSS attack: Data provided by attackers is saved on the server. D. DOM-based XSS attack: Content processing stages performed by the client, typically in client-side JavaScript.

a

2. Which of the following best describes the term DevOps? A. The practice of incorporating development, IT, and quality assurance (QA) staff into software development projects. B. A multidisciplinary development team with representatives from many or all the stakeholder populations. C. The operationalization of software development activities to support just-in-time delivery. D. A software development methodology that relies more on the use of operational prototypes than on extensive upfront planning.

b

20. John is reviewing database products. He needs a product that can manipulate a standard set of data for his company's business logic needs. Which of the following should the necessary product implement? A. Relational database B. Object-relational database C. Network database D. Dynamic-static

b

23. Which of the following is not very useful in assessing the security of acquired software? A. The reliability and maturity of the vendor B. The NIST's National Software Reference Library C. Third-party vulnerability assessments D. In-house code reviews

b

24. Which of the following is the best technology for Sandy's team to implement as it pertains to the previous scenario? A. Computer-aided software engineering tools B. Software configuration management C. Software development life-cycle management D. Software engineering best practices

d

26. Which best describes the approach Sandy's team member took when creating the business-oriented software package mentioned within the scenario? A. Software as a Service B. Cloud computing C. Web services D. Mashup

c

5. Database views provide what type of security control? A. Detective B. Corrective C. Preventive D. Administrative

a

6. Which of the following techniques or set of techniques is used to deter database inference attacks? A. Partitioning, cell suppression, and noise and perturbation B. Controlling access to the data dictionary C. Partitioning, cell suppression, and small query sets D. Partitioning, noise and perturbation, and small query sets

a

7. When should security first be addressed in a project? A. During requirements development B. During integration testing C. During design specifications D. During implementation

b

13. Tim is a software developer for a financial institution. He develops middleware software code that carries out his company's business logic functions. One of the applications he works with is written in the C programming language and seems to be taking up too much memory as it runs over time. Which of the following best describes what Tim should implement to rid this software of this type of problem? A. Bounds checking B. Garbage collector C. Parameter checking D. Compiling

b

1. An application is downloaded from the Internet to perform disk cleanup and to delete unnecessary temporary files. The application is also recording network login data and sending it to another party. This application is best described as which of the following? A. A virus B. A Trojan horse C. A worm D. A logic bomb

d

12. John is a manager of the application development department within his company. He needs to make sure his team is carrying out all of the correct testing types and at the right times of the development stages. Which of the following accurately describe types of software testing that should be carried out? i. Unit testing: Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions. ii. Integration testing: Verifying that components work together as outlined in design specifications. iii. Acceptance testing: Ensuring that the code meets customer requirements. iv. Regression testing: After a change to a system takes place, retesting to ensure functionality, performance, and protection. A. i, ii B. ii, iii C. i, ii, iv D. i, ii, iii, iv

b

17. One of the characteristics of object-oriented programming is deferred commitment. Which of the following is the best description for this characteristic? A. The building blocks of software are autonomous objects, cooperating through the exchange of messages. B. The internal components of an object can be redefined without changing other parts of the system. C. Classes are reused by other programs, though they may be refined through inheritance. D. Object-oriented analysis, design, and modeling map to business needs and solutions.

d

18. Which of the following attack types best describes what commonly takes place when you insert specially crafted and excessively long data into an input field? A. Traversal attack B. Unicode encoding attack C. URL encoding attack D. Buffer overflow attack

c

8. An online transaction processing (OLTP) system that detects an invalid transaction should do which of the following? A. Roll back and rewrite over original data B. Terminate all transactions until properly addressed C. Write a report to be reviewed D. Checkpoint each data entry

d

9. Which of the following are rows and columns within relational databases? A. Rows and tuples B. Attributes and rows C. Keys and views D. Tuples and attributes

d

10. Databases can record transactions in real time, which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement the characteristics of what's known as the ACID test. Which of the following are incorrect characteristics of the ACID test? i. Atomicity: Divides transactions into units of work and ensures that all modifications take effect or none takes effect. ii. Consistency: A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases. iii. Isolation: Transactions execute in isolation until completed, without interacting with other transactions. iv. Durability: Once the transaction is verified as inaccurate on all systems, it is committed and the databases cannot be rolled back. A. i, ii B. ii, iii C. ii, iv D. iv

b

11. The software development life cycle has several phases. Which of the following lists these phases in the correct order? A. Requirements gathering, design, development, maintenance, testing, release B. Requirements gathering, design, development, testing, release C. Prototyping, build and fix, increment, test, maintenance D. Prototyping, testing, requirements gathering, integration, testing

b

27. Karen wants her team to develop software that allows her company to take advantage of and use many of the web services currently available by other companies. Which of the following best describes the components that need to be in place and what their roles are? A. Web service provides the application functionality. Universal Description, Discovery, and Integration describes the web service's specifications. The Web Services Description Language provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service. B. Web service provides the application functionality. The Web Services Description Language describes the web service's specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service. C. Web service provides the application functionality. The Web Services Description Language describes the web service's specifications. The Simple Object Access Protocol provides the mechanisms for web services to be posted and discovered. Universal Description, Discovery, and Integration allows for the exchange of messages between a requester and provider of a web service. D. Web service provides the application functionality. The Simple Object Access Protocol describes the web service's specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Web Services Description Language allows for the exchange of messages between a requester and provider of a web service

b

28. Which of the following best describes attacks that could be taking place against this organization? A. Cross-site scripting and certification stealing B. URL encoding and directory traversal attacks C. Parameter validation manipulation and session management attacks D. Replay and password brute-force attacks

a

29. Which of the following functions is the web server software currently carrying out, and what is an associated security concern Brad should address? A. Client-side validation: The web server should carry out a secondary set of input validation rules on the presented data before processing it. B. Server-side includes validation: The web server should carry out a secondary set of input validation rules on the presented data before processing it. C. Data Source Name logical naming access: The web server should be carrying out a second set of reference integrity rules. D. Data Source Name logical naming access: The web server should carry out a secondary set of input validation rules on the presented data before processing it.

d

3. A system has been patched many times and has recently become infected with a dangerous virus. If antimalware software indicates that disinfecting a file may damage it, what is the correct action? A. Disinfect the file and contact the vendor B. Back up the data and disinfect the file C. Replace the file with the file saved the day before D. Restore an uninfected version of the patched file from backup media

b

30. Pertaining to the network architecture described in the previous scenario, which of the following attack types should Brad be concerned with? A. Parameter validation attack B. Injection attack C. Cross-site scripting D. Database connector attack

b

4. What is the purpose of polyinstantiation? A. To restrict lower-level subjects from accessing low-level information B. To make a copy of an object and modify the attributes of the second copy C. To create different objects that will react in different ways to the same input D. To create different objects that will take on inheritance attributes from their class

