CSSLP-Exam Practice Test-ME2 CSSLP-
Exam Practice Test-ME2
Question Number: 401 Question: Which of the following models
uses a directed graph to specify the rights that a subject can
transfer to an object or that a subject can take from another
subject?
Option 1: Biba model
Option 2: Bell-LaPadula model
Option 3: Clark-Wilson model
Option 4: Lattice-based model -
correct answer ✅Correct Response: 1 Explanation: The correct
option is "Biba model." The Biba model uses a directed graph to
specify the rights that a subject can transfer to an object or that a
subject can take from another subject. The model focuses on
preserving data integrity and preventing unauthorized modification
or corruption of data. It ensures that subjects with lower integrity
levels cannot modify or write to objects with higher integrity levels,
preventing the spread of inaccurate or malicious data
modifications.
Question: Which Software Project & Org process is least relevant?
Option 1: Software configuration management
,CSSLP-Exam Practice Test-ME2 CSSLP-
Exam Practice Test-ME2
Option 2: Software quality assurance
Option 3: Facility, site, physical security
Option 4: Budget, schedule, reporting -
correct answer ✅Correct Response: 3
Explanation: Physical security is less relevant to software practices.
Question: Scenario: As a software developer working on a project
for a client who follows U.S. Department of Defense (DoD)
Instruction 8500.2, you are required to implement the Information
Assurance (IA) controls defined by the DoD. What is the primary
area of IA you should focus on according to DoD Instruction
8500.2?
Option 1: Software Development Security
Option 2: Network Infrastructure Security
Option 3: Physical and Environmental Security
Option 4: Personnel Security -
correct answer ✅Correct Response: 1 Explanation: As a software
developer, your primary focus according to DoD Instruction 8500.2
would be Software Development Security (A). This area involves
ensuring the application of security principles and practices in the
,CSSLP-Exam Practice Test-ME2 CSSLP-
Exam Practice Test-ME2
development of systems and software. It's a critical part of the
eight areas of IA defined by the DoD, particularly for your role.
Question Number: 404 Question: Which statement about ISSO and
ISSE is false?
Option 1: ISSO is CNSS 4011 certified
Option 2: ISSE advises on engineering
Option 3: ISSO performs IA operations
Option 4: ISSE supports IA engineering -
correct answer ✅Correct Response: 1 Explanation: ISSOs are not
required to be 4011 certified.
Question Number: 405 Question: Which of the following security
design patterns provides an alternative by requiring that a user's
authentication credentials be verified by the database before
providing access to that user's data?Option 1: Role-Based Access
Control (RBAC) Option 2: Attribute-Based Access Control (ABAC)
Option 3: Mandatory Access Control (MAC) Option 4: Database
Authentication -
correct answer ✅Correct Response: 4 Explanation: The correct
option is "Database Authentication." Database Authentication is a
security design pattern that verifies a user's authentication
, CSSLP-Exam Practice Test-ME2 CSSLP-
Exam Practice Test-ME2
credentials against the database before granting access to that
user's data. This pattern ensures that the user's credentials are
valid and authenticated by the database, providing an additional
layer of security for data access.
Question Number: 406 Question: Scenario: You are a software
developer working on a project that requires a high level of
security. The project is nearing completion, and your team is
working on a process that concludes with an agreement that the
system provides adequate protection controls in its current
configuration. Which process is your team currently focusing on?
Option 1: Risk Assessment
Option 2: System Certification
Option 3: Security Audit
Option 4: Vulnerability Scanning -
correct answer ✅Correct Response: 2 Explanation: The process
your team is currently working on is System Certification (B). This
process involves a comprehensive evaluation of the technical and
non-technical security controls of the system to ensure they
provide adequate protection. It culminates in an agreement, often
documented as a Certification Statement, stating that the system
meets a certain set of security standards.
Exam Practice Test-ME2
Question Number: 401 Question: Which of the following models
uses a directed graph to specify the rights that a subject can
transfer to an object or that a subject can take from another
subject?
Option 1: Biba model
Option 2: Bell-LaPadula model
Option 3: Clark-Wilson model
Option 4: Lattice-based model -
correct answer ✅Correct Response: 1 Explanation: The correct
option is "Biba model." The Biba model uses a directed graph to
specify the rights that a subject can transfer to an object or that a
subject can take from another subject. The model focuses on
preserving data integrity and preventing unauthorized modification
or corruption of data. It ensures that subjects with lower integrity
levels cannot modify or write to objects with higher integrity levels,
preventing the spread of inaccurate or malicious data
modifications.
Question: Which Software Project & Org process is least relevant?
Option 1: Software configuration management
,CSSLP-Exam Practice Test-ME2 CSSLP-
Exam Practice Test-ME2
Option 2: Software quality assurance
Option 3: Facility, site, physical security
Option 4: Budget, schedule, reporting -
correct answer ✅Correct Response: 3
Explanation: Physical security is less relevant to software practices.
Question: Scenario: As a software developer working on a project
for a client who follows U.S. Department of Defense (DoD)
Instruction 8500.2, you are required to implement the Information
Assurance (IA) controls defined by the DoD. What is the primary
area of IA you should focus on according to DoD Instruction
8500.2?
Option 1: Software Development Security
Option 2: Network Infrastructure Security
Option 3: Physical and Environmental Security
Option 4: Personnel Security -
correct answer ✅Correct Response: 1 Explanation: As a software
developer, your primary focus according to DoD Instruction 8500.2
would be Software Development Security (A). This area involves
ensuring the application of security principles and practices in the
,CSSLP-Exam Practice Test-ME2 CSSLP-
Exam Practice Test-ME2
development of systems and software. It's a critical part of the
eight areas of IA defined by the DoD, particularly for your role.
Question Number: 404 Question: Which statement about ISSO and
ISSE is false?
Option 1: ISSO is CNSS 4011 certified
Option 2: ISSE advises on engineering
Option 3: ISSO performs IA operations
Option 4: ISSE supports IA engineering -
correct answer ✅Correct Response: 1 Explanation: ISSOs are not
required to be 4011 certified.
Question Number: 405 Question: Which of the following security
design patterns provides an alternative by requiring that a user's
authentication credentials be verified by the database before
providing access to that user's data?Option 1: Role-Based Access
Control (RBAC) Option 2: Attribute-Based Access Control (ABAC)
Option 3: Mandatory Access Control (MAC) Option 4: Database
Authentication -
correct answer ✅Correct Response: 4 Explanation: The correct
option is "Database Authentication." Database Authentication is a
security design pattern that verifies a user's authentication
, CSSLP-Exam Practice Test-ME2 CSSLP-
Exam Practice Test-ME2
credentials against the database before granting access to that
user's data. This pattern ensures that the user's credentials are
valid and authenticated by the database, providing an additional
layer of security for data access.
Question Number: 406 Question: Scenario: You are a software
developer working on a project that requires a high level of
security. The project is nearing completion, and your team is
working on a process that concludes with an agreement that the
system provides adequate protection controls in its current
configuration. Which process is your team currently focusing on?
Option 1: Risk Assessment
Option 2: System Certification
Option 3: Security Audit
Option 4: Vulnerability Scanning -
correct answer ✅Correct Response: 2 Explanation: The process
your team is currently working on is System Certification (B). This
process involves a comprehensive evaluation of the technical and
non-technical security controls of the system to ensure they
provide adequate protection. It culminates in an agreement, often
documented as a Certification Statement, stating that the system
meets a certain set of security standards.
