PRACTICE EXAM QUESTIONS
WITH CORRECT DETAILED
ANSWERS | ALREADY GRADED
A+<RECENT VERSION>
1) What are the four phases of penetration testing? - ANSWER assess, identify,
evaluate and plan, and deploy.
2) What are scans that target security issues that are found outside the firewall? -
ANSWER external scans
3) What are scans that require software to log onto a system to scan it? - ANSWER
authenticated scans
4) What are scans to identify security issues that a malicious attacker could exploit from
inside the network? - ANSWER internal scans
5) What are scans to exploit a vulnerability when it is identified? - ANSWER
intrusive target search
6) What are regulations regarding the software licensing of in-house products -
ANSWER open-source software license compliance
7) Which activity in the Ship (A5) phase of the security development cycle sets
requirements for quality gates that must be met before release? - ANSWER A5
policy compliance analysis
,8) The company's website uses query string parameters to filter products by category.
The URL, when filtering on a product category, looks like this:
company.com/products? category=2.If the security team saw a URL of
company.com/products? category=2 OR 1=1 in the logs, what assumption should they
make? - ANSWER An attacker is attempting to use SQL injection to gain access to
information.
9) The model used to assess the severity of a vulnerability... - ANSWER Common
Vulnerability Scoring System (CVSS)
10) The team that receives, investigates, and reports security vulnerabilities... -
ANSWER Product Security Incident Response Team (PSIRT)
11) What is the phase of the SDLC in which organizations prepare for vulnerabilities after
the product has been released? - ANSWER Post-Release Support phase
12) Who responds to software product security incidents that involve the external
discovery of post-release software vulnerabilities? - ANSWER Post-Release
PSIRT Response
13) Who is an expert on promoting security awareness, best practices, and simplifying
software security? - ANSWER Software Security Champion (SSC)
14) Who is an expert to promote awareness of products to the wider software community?
- ANSWER Software Security Evangelist (SSE)
15) Which post-release support activity (PRSA) details the process for investigating,
mitigating, and communicating findings when security vulnerabilities are discovered
in a software product? - ANSWER External vulnerability disclosure response
16) Which post-release support key success factor says that any change or component
reuse should trigger security development life cycle activities? - ANSWER SDL
cycle for any architectural changes or code reuses
,17) What are the four categories in BSIMM? - ANSWER governance, intelligence,
software security development life cycle touchpoints, and deployment.
18) In which OpenSAMM core practice area would one find environment hardening? -
ANSWER Deployment
19) Which step will you find in the SANS Institute Cyber Defense seven-step recipe for
conducting threat modeling and application risk analysis? - ANSWER Brainstorm
threats from adversaries
20) Which practice in the Ship (A5) phase of the security development cycle verifies
whether the product meets security mandates? - ANSWER A5 policy compliance
analysis
21) Which post-release support activity defines the process to communicate, identify, and
alleviate security threats? - ANSWER PRSA1: External vulnerability disclosure
response
22) Within OpenSAMM, what focuses on the processes and activities related to
organizational software development activities within OpenSAMM practice areas? -
ANSWER Governance
23) Within Open SAMM, what focuses on the processes and activities related to creating
software within development projects within Open SAMM practice areas? -
ANSWER Construction
24) Which practice in the Ship (A5) phase of the security development cycle uses tools to
identify weaknesses in the product? - ANSWER Vulnerability scan
25) Which post-release support activity should be completed when companies are joining
together? - ANSWER Security architectural reviews
26) Which of the Ship (A5) deliverables of the security development cycle are performed
with code-assisted penetration testing? - ANSWER white-box security testing
, 27) Which of the Ship (A5) deliverables of the security development cycle are performed
with open-source licensing review? - ANSWER license compliance
28) Which of the Ship (A5) deliverables of the security development cycle are performed
with final security review? - ANSWER release and ship
29) Which phase of penetration testing allows for remediation to be performed? -
ANSWER deploy
30) Which key deliverable occurs during post-release support? - ANSWER Third-
party reviews
31) Which business function of Open SAMM is associated with the following core
practices, governance? - ANSWER policy and compliance
32) Which business function of Open SAMM is associated with the following core
practices, construction? - ANSWER threat assessment
33) Which business function of Open SAMM is associated with the following core
practices, verification? - ANSWER code review
34) What is a unified conceptual framework for security auditing? - ANSWER Trike
Threat Model
35) What is the path an attacker can take to exploit a vulnerability? - ANSWER threat
vector
36) What is reusable software developed externally from the organization's platforms? -
ANSWER third party codes
37) What is maliciously changing or modifying persistent data? - ANSWER
Tampering