CISSP PRACTICE TESTS Chapter 8: Software Development Security (Domain 8). Questions and answers, 100% ACCURATE.

Type: Exam (elaborations)
Pages: 27
Grade: A+
Uploaded on: 21-02-2023
Written in: 2022/2023
1. When designing an object-oriented model, which of the following situations is ideal?
A. High cohesion, high coupling
B. High cohesion, low coupling
C. Low cohesion, low coupling
D. Low cohesion, high coupling
Answer: B. High cohesion, low coupling

2. Which of the following is a common way that attackers leverage botnets?
A. Sending spam messages
B. Conducting brute-force attacks
C. Scanning for vulnerable systems
D. All of the above
Answer: D. All of the above

3. Which one of the following statements is not true about code review?
A. Code review should be a peer-driven process that includes multiple developers.
B. Code review may be automated.
C. Code review occurs during the design phase.
D. Code reviewers may expect to review several hundred lines of code per hour.
Answer: C. Code review occurs during the design phase.

4. Harold's company has a strong password policy that requires a minimum length of 12 characters and the use of both alphanumeric characters and symbols. What technique would be the most effective way for an attacker to compromise passwords in Harold's organization?
A. Brute-force attack
B. Dictionary attack
C. Rainbow table attack
D. Social engineering attack
Answer: D. Social engineering attack

5. Which process is responsible for ensuring that changes to software include acceptance testing?
A. Request control
B. Change control
C. Release control
D. Configuration control
Answer: C. Release control

6. Which one of the following attack types attempts to exploit the trust relationship that a user's browser has with other websites by forcing the submission of an authenticated request to a third-party site?
A. XSS
B. CSRF
C. SQL injection
D. Session hijacking
Answer: B. CSRF

7. When using the SDLC, which one of these steps should you take before the others?
A. Functional requirements determination
B. Control specifications development
C. Code review
D. Design review
Answer: A. Functional requirements determination

8. Jaime is a technical support analyst and is asked to visit a user whose computer is displaying the error message shown here. What state has this computer entered? Refer to page 161 in the book.
A. Fail open
B. Irrecoverable error
C. Memory exhaustion
D. Fail secure
Answer: D. Fail secure

9. Which one of the following is not a goal of software threat modeling?
A. To reduce the number of security-related design flaws
B. To reduce the number of security-related coding flaws
C. To reduce the severity of non-security flaws
D. To reduce the number of threat vectors
Answer: D. To reduce the number of threat vectors

10. In the diagram shown here, which is an example of a method?
    ACCOUNT
    Balance: currency = 0
    Owner: string
    AddFunds(deposit: currency)
    RemoveFunds(withdrawal: currency)
A. Account
B. Owner
C. AddFunds
D. None of the above
Answer: C. AddFunds

11. Which one of the following is considered primary storage?
A. Memory
B. Hard disk
C. Flash drive
D. DVD
Answer: A. Memory

12. Which one of the following testing methodologies typically works without access to source code?
A. Dynamic testing
B. Static testing
C. White box testing
D. Code review
Answer: A. Dynamic testing

13. What concept in object-oriented programming allows a subclass to access methods belonging to a superclass?
A. Polymorphism
B. Inheritance
C. Coupling
D. Cohesion
Answer: B. Inheritance

14. Bobby is investigating how an authorized database user is gaining access to information outside his normal clearance level. Bobby believes that the user is making use of a type of function that summarizes data. What term describes this type of function?
A. Inference
B. Polymorphic
C. Aggregate
D. Modular
Answer: C. Aggregate

15. Which one of the following controls would best protect an application against buffer overflow attacks?
A. Encryption
B. Input validation
C. Firewall
D. Intrusion prevention system
Answer: B. Input validation

16. Berta is analyzing the logs of the Windows Firewall on one of her servers and comes across the entries shown in this figure. What type of attack do these entries indicate?
    (Figure: Windows Firewall log excerpt, entries as recoverable from the page)
    14:52 DROP TCP 192.168.250.4 192.168.42.- RECEIVE
    14:53 DROP TCP 192.168.250.4 192.168.42.- RECEIVE
    14:54 DROP TCP 192.168.250.4 192.168.42.- RECEIVE
    14:56 DROP TCP 192.168.250.4 192.168.42.- RECEIVE
    14:59 DROP TCP 192.168.250.4 192.168.42.- RECEIVE
    15:02 DROP TCP 192.168.250.4 192.168.42.- RECEIVE
    15:03 DROP TCP 192.168.250.4 192.168.42.  RECEIVE
    15:04 DROP TCP 192.168.250.4 192.168.42.  RECEIVE
A. SQL injection
B. Port scan
C. Teardrop
D. Land
Answer: B. Port scan

Questions 17-20 refer to the following scenario:
Robert is a consultant who helps organizations create and develop mature software development practices. He prefers to use the Software Capability Maturity Model (SW-CMM) to evaluate the current and future status of organizations using both independent review and self-assessments. He is currently working with two different clients. Acme Widgets is not very well organized with their software development practices. They have a dedicated team of developers who do "whatever it takes" to get software out the door, but they do not have any formal processes. Beta Particles is a company with years of experience developing software using formal, documented software development processes. They use a standard model for software development but do not have quantitative management of those processes.

17. What phase of the SW-CMM should Robert report as the current status of Acme Widgets?
A. Defined
B. Repeatable
C. Initial
D. Managed
Answer: C. Initial

18. Robert is working with Acme Widgets on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?
A. Defined
B. Repeatable
C. Initial
D. Managed
Answer: B. Repeatable

19. What phase of the SW-CMM should Robert report as the current status of Beta Particles?
A. Defined
B. Repeatable
C. Optimizing
D. Managed
Answer: A. Defined

20. Robert is also working with Beta Particles on a strategy to advance their software development practices. What SW-CMM stage should be their next target milestone?
A. Defined
B. Repeatable
C. Optimizing
D. Managed
Answer: D. Managed

21. Which one of the following database keys is used to enforce referential integrity relationships between tables?
A. Primary key
B. Candidate key
C. Foreign key
D. Master key
Answer: C. Foreign key

22. Which one of the following files is most likely to contain a macro virus?
A. projections.doc
B. command.com
C. command.exe
D. loopmaster.exe
Answer: A. projections.doc

23. Victor created a database table that contains information on his organization's employees. The table contains the employee's user ID, three different telephone number fields (home, work, and mobile), the employee's office location, and the employee's job title. There are 16 records in the table. What is the degree of this table?
A. 3
B. 4
C. 6
D. 16
Answer: C. 6

24. Carrie is analyzing the application logs for her web-based application and comes across the following string:
    ../../../../../../../../../etc/passwd
What type of attack was likely attempted against Carrie's application?
A. Command injection
B. Session hijacking
C. Directory traversal
D. Brute force
Answer: C. Directory traversal

25. When should a design review take place when following an SDLC approach to software development?
A. After the code review
B. After user acceptance testing
C. After the development of functional requirements
D. After the completion of unit testing
Answer: C. After the development of functional requirements

26. Tracy is preparing to apply a patch to her organization's enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?
A. Unit testing
B. Acceptance testing
C. Regression testing
D. Vulnerability testing
Answer: C. Regression testing

27. What term is used to describe the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner?
A. Validation
B. Accreditation
C. Confidence interval
D. Assurance
Answer: D. Assurance

28. Victor recently took a new position at an online dating website and is responsible for leading a team of developers. He realized quickly that the developers are having issues with production code because they are working on different projects, which results in conflicting modifications to the production code. What process should Victor invest in improving?
A. Request control
B. Release control
C. Change control
D. Configuration control
Answer: C. Change control

29. What type of database security issue exists when a collection of facts has a higher classification than the classification of any of those facts standing alone?
A. Inference
B. SQL injection
C. Multilevel security
D. Aggregation
Answer: D. Aggregation

30. What are the two types of covert channels that are commonly exploited by attackers seeking to surreptitiously exfiltrate information?
A. Timing and storage
B. Timing and firewall
C. Storage and memory
D. Firewall and storage
Answer: A. Timing and storage

31. Vivian would like to hire a software tester to come in and evaluate a new web application from a user's perspective. Which of the following tests best simulates that perspective?
A. Black box
B. Gray box
C. Blue box
D. White box
Answer: A. Black box

32. Referring to the database transaction shown here, what would happen if no account exists in the Accounts table with account number 1001?
    BEGIN TRANSACTION
    UPDATE accounts SET balance = balance + 250 WHERE account_number = 1001;
    UPDATE accounts SET balance = balance - 250 WHERE account_number = 2002;
    END TRANSACTION
A. The database would create a new account with this account number and give it a 250 balance.
B. The database would ignore that command and still reduce the balance of the second account by $250.
C. The database would roll back the transaction, ignoring the results of both commands.
D. The database would generate an error message.
Answer: B. The database would ignore that command and still reduce the balance of the second account by $250.

33. What type of malware is characterized by spreading from system to system under its own power by exploiting vulnerabilities that do not require user intervention?
A. Trojan horse
B. Virus
C. Logic bomb
D. Worm
Answer: D. Worm

34. Kim is troubleshooting an application firewall that serves as a supplement to the organization's network and host firewalls and intrusion prevention system, providing added protection against web-based attacks. The issue the organization is experiencing is that the firewall technology suffers somewhat frequent restarts that render it unavailable for 10 minutes at a time. What configuration might Kim consider to maintain availability during that period at the lowest cost to the company?
A. High availability cluster
B. Failover device
C. Fail open
D. Redundant disks
Answer: C. Fail open

35. What type of security issue arises when an attacker can deduce a more sensitive piece of information by analyzing several pieces of information classified at a lower level?
A. SQL injection
B. Multilevel security
C. Aggregation
D. Inference
Answer: D. Inference

36. Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?
A. Stealth virus
B. Polymorphic virus
C. Multipartite virus
D. Encrypted virus
Answer: B. Polymorphic virus

Questions 37-40 refer to the following scenario:
Linda is reviewing posts to a user forum on her company's website and, when she browses a certain post, a message pops up in a dialog box on her screen reading "Alert." She reviews the source code for the post and finds the following code snippet:
    <script>alert('Alert');</script>

37. What vulnerability definitely exists on Linda's message board?
A. Cross-site scripting
B. Cross-site request forgery
C. SQL injection
D. Improper authentication
Answer: A. Cross-site scripting

38. What was the likely motivation of the user who posted the message on the forum containing the code?
A. Reconnaissance
B. Theft of sensitive information
C. Credential stealing
D. Social engineering
Answer: A. Reconnaissance

39. Linda communicates with the vendor and determines that no patch is available to correct this vulnerability. Which one of the following devices would best help her defend the application against further attack?
A. VPN
B. WAF
C. DLP
D. IDS
Answer: B. WAF

40. In further discussions with the vendor, Linda finds that they are willing to correct the issue but do not know how to update their software. What technique would be most effective in mitigating the vulnerability of the application to this type of attack?
A. Bounds checking
B. Peer review
C. Input validation
D. OS patching
Answer: C. Input validation

41. What property of relational databases ensures that once a database transaction is committed to the database, it is preserved?
A. Atomicity
B. Consistency
C. Durability
D. Isolation
Answer: C. Durability

42. Which one of the following programming languages does not make use of a compiler?
A. Java
B. C++
C. C
D. JavaScript
Answer: D. JavaScript

43. Which one of the following is not a technique used by virus authors to hide the existence of their virus from antimalware software?
A. Stealth
B. Multipartitism
C. Polymorphism
D. Encryption
Answer: B. Multipartitism

Institution: CISSP
Course: CISSP

