SSD MCQ Answers PDF
Uploaded by DiversifiedGrossular4526
SLIIT
This document contains multiple-choice questions and answers on software security topics. It covers various aspects of software assurance, including DRM, TPM, vulnerabilities, and more.
1. Rights and privileges for a file can be granularly granted to each client using which of the following technologies? – Digital Rights Management (DRM)
2. When designing software to work in a mobile computing environment, the Trusted Platform Module (TPM) chip can be used to provide which of the following types of information? – Identification
3. Vulnerability scans are used to – Detect the presence of loopholes and weaknesses in the software
4. Implementing Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) protection is a means of defending against – Cross-site Request Forgery
5. The process of removing private information from sensitive data sets is referred to as – Formatting
6. Bastion host systems can be used to continuously monitor the security of the computing environment when used in conjunction with intrusion detection systems (IDS) and which other security control? – Auditing
7. Disassemblers, debuggers and decompilers can be used by security testers to PRIMARILY determine which of the following types of coding vulnerabilities? – Lack of reverse engineering protection
8. When verification activities are used to determine if the software is functioning as expected, it provides insight into which of the following aspects of software assurance? – Reliability
9. When source code of Commercially Off-The-Shelf (COTS) software is escrowed and released under a free software or open source license when the original developer (or supplier) no longer continues to develop that software, that software is referred to as – Ransomware
10. Infinite loops and improper memory calls are often known to cause threats to which of the following? – Availability
11. When software is handed from one supplier to the next, which of the following operational processes needs to be in place so that the supplier from whom the software is acquired can no longer modify the software? – Termination Access Control
12. Most Supervisory Control And Data Acquisition (SCADA) systems are susceptible to software attacks because – They were not initially implemented with security in mind
13. Modifications to data directly in the database by developers must be prevented by – Proper Change Control Management
14. Smart fuzzing is characterized by injecting – Variations of data structures that are known
15. The ability of the software to restore itself to expected functionality when the security protection that is built in is breached is also known as – Recoverability
16. Implementing IPSec to assure the confidentiality of data when it is transmitted is an example of risk – Mitigation
17. To meet the goals of software assurance, when accepting software, the acquisition phase MUST include processes to – Assess the presence and effectiveness of protection mechanisms
18. Timing and synchronization issues such as race conditions and resource deadlocks can be MOST LIKELY identified by which of the following tests? Choose the BEST answer. – Stress
19. Database triggers are PRIMARILY useful for providing which of the following detective software assurance capabilities? – Auditing
20. Web farm data corruption issues and cardholder data encryption requirements need to be captured as part of which of the following requirements? – Environment
21. Requirements which, when implemented, can help to build a history of events that occurred in the software are known as – Accountability Requirements
22. The use of IF-THEN rules is characteristic of which of the following types of software testing? – Logic
23. The process of releasing software to fix a recently reported vulnerability without introducing any new features or changing hardware configuration is referred to as – Patching
24. Which of the following is a multi-faceted security standard that is used to regulate organizations that collect, process and/or store cardholder data as part of their business operations? – PCI DSS
25. You determine that legacy software running in your computing environment is susceptible to Cross Site Request Forgery (CSRF) attacks because of the way it manages sessions. The business needs to continue using this software, but you do not have the source code available to implement security controls in code as a mitigation measure against CSRF attacks. What is the BEST course of action to undertake in such a situation? – Accept the risk with a documented exception
26. Data classification is a core activity that is conducted as part of which of the following? – Information Lifecycle Management
27. Which of the following MUST be addressed by software security requirements? Choose the BEST answer. – Goals and objectives of the organization
28. The implementation of secure features such as complete mediation and data replication needs to undergo which of the following types of test to ensure that the software meets the service level agreements (SLA)? – Stress
29. Which of the secure design principles is promoted when test harnesses are used? – Psychological Acceptability
30. Which of the following types of information is exempt from confidentiality requirements? – Directory Information
31. The disadvantage of using open source software from a security standpoint is – Attackers can look into the source code to determine its exploitability
32. Syslog implementations require which additional security protection mechanism to mitigate disclosure attacks? – Transport Layer Security
33. Testing for the randomness of session identifiers and the presence of auditing capabilities provides the software team insight into which of the following security controls? – Non-Repudiation
34. Choose the BEST answer. Configurable settings for logging exceptions, auditing and credential management must be part of – Security Management Interfaces
35. The FINAL activity in the software acceptance process is the go/no-go decision, which can be determined using – User Acceptance Testing
36. The Single Loss Expectancy can be determined using which of the following formulas? – Asset Value x Exposure Factor
37. Code signing can provide all of the following EXCEPT – Authentication of users
38. As part of the accreditation process, the residual risk of software evaluated for deployment must be accepted formally by the – Business owner
39. Which of the following is the MOST important to ensure, as part of security testing, when the software is forced to fail? Choose the BEST answer. – Confidentiality, integrity and availability are not adversely impacted
40. Which of the following is a covert mechanism that assures confidentiality? – Steganography
41. Replacing the Primary Account Number (PAN) with random or pseudo-random symbols that are uniquely identifiable while still assuring privacy is also known as – Tokenization
42. Which of the following security principles is LEAST related to the securing of code repositories? – Open Design
43. Penetration testing must be conducted with properly defined – Rules of engagement
44. Which of the following kinds of security testing tool detects the presence of vulnerabilities through disassembly and pattern recognition? – Binary code scanners
45. Which of the following documents is the BEST source to contain damage and needs to be referred to and consulted upon the discovery of a security breach? – Incident Response Plan
46. Which of the following is a PRIMARY consideration for the software publisher when selling Commercially Off the Shelf (COTS) software? – Intellectual Property protection
47. Which of the following is used to communicate and enforce availability requirements of the business or client? – Service Level Agreements (SLA)
48. The process of combining necessary functions, variables and dependency files and libraries required for the machine to run the program is referred to as – Linking
49. Which of the following is LEAST likely to be detected using a code review process? – Logic Flaws
50. The primary reason for designing Single Sign-On (SSO) capabilities is to – Simplify user authentication
51. When procuring software, the purchasing company can request the evaluation assurance levels (EALs) of the software product, which are determined using which of the following evaluation methodologies? – Common Criteria
52. The organization that publishes the ten most critical web application security risks (Top Ten) is the – Open Web Application Security Project
53. Which of the following is the PRIMARY reason for an application to be susceptible to a Man-in-the-Middle (MITM) attack? – Improper Session Management
54. The use of an individual's physical characteristics such as retinal blood patterns and fingerprints for validating and verifying the user's identity is referred to as – Biometric Authentication
55. When software is designed using Representational State Transfer (REST) architecture, it promotes which of the following good programming practices? – Loose Coupling
56. Which phase of the acquisition life cycle involves the issuance of advertisements to source and evaluate suppliers? – Contracting
57. At which layer of the Open Systems Interconnect (OSI) model must security controls be designed to effectively mitigate side channel attacks? – Physical
58. Which of the following legal instruments assures the confidentiality of software programs, processing logic, database schema and internal organizational business processes and client lists? – Non-Disclosure Agreements (NDA)
59. Which of the following independent processes provides insight into the presence and effectiveness of security and privacy controls and is used to determine the organization's compliance with regulatory and governance (policy) requirements? – Audits
60. The FIRST step in the Protection Needs Elicitation (PNE) process is to – Engage the customer
61. Cryptographic protection includes all of the following EXCEPT – Masking of data when it is displayed
62. Problem management aims to improve the value of Information Technology to the business because it improves service by – Identifying and eliminating the root cause of the problem
63. Which of the following tools or techniques can be used to facilitate the white box testing of software for insider threats? – Source code analyzers
64. Which of the following is an important consideration to manage memory and mitigate overflow attacks when choosing a programming language? – Type safety
65. Which of the following software architectures is effective in distributing the load between the client and the server, but, since it includes the client as part of the threat vectors, increases the attack surface? – Rich Internet Application
66. A Man-in-the-Middle (MITM) attack is PRIMARILY an expression of which of the following types of threats? – Spoofing
67. A security principle that maintains the confidentiality, integrity and availability of the software and data, besides allowing for rapid recovery to the state of normal operations when unexpected events occur, is the security design principle of – Fail secure
68. Tests that are conducted to determine the breaking point of the software, after which the software will no longer be functional, are characteristic of which of the following types of software testing? – Stress
69. The requirements that assure reliability and prevent alterations are to be identified in which section of the software requirements specifications (SRS) documentation? – Integrity
70. Which of the following transport layer technologies can BEST mitigate session hijacking and replay attacks in a local area network (LAN)? – Secure Sockets Layer (SSL)
71. The use of digital signatures has the benefit of providing which of the following that is not provided by symmetric key cryptographic design? – Non-Repudiation
72. Which of the following policies is MOST likely to include the following requirement? "All software processing financial transactions need to use more than one factor to verify the identity of the entity requesting access" – Authentication
73. Developing the software to monitor its functionality and report when the software is down and unable to provide the expected service to the business is a protection to assure which of the following? – Availability
74. The resiliency of software to withstand attacks that attempt to modify or alter data in an unauthorized manner is referred to as – Integrity
75. An instrument that is used to communicate and mandate organizational and management goals and objectives at a high level is a – Policy
76. Certificate Authority, Registration Authority, and Certificate Revocation Lists are all part of which of the following? – Public Key Infrastructure
77. Logging application events such as failed login attempts, sales price updates and user role configuration for audit review at a later time is an example of which of the following types of security control? – Detective
78. When software is able to withstand attacks from a threat agent and not violate the security policy, it is said to be exhibiting which of the following attributes of software assurance? – Resiliency
79. The process of eliciting concrete software security requirements from high-level regulatory and organizational directives and mandates in the requirements phase of the SDLC is also known as – Policy decomposition
80. Fishbone diagramming is a mechanism that is PRIMARILY used for which of the following processes? – Root Cause Analysis
81. Which of the following must be controlled during handoff of software from one supplier to the next, so that no unauthorized tampering of the software can be done? – Chain of custody
82. Which of the following has the goal of ensuring that the resiliency levels of software are always above the acceptable risk threshold as defined by the business post deployment? – Continuous monitoring
83. A Requirements Traceability Matrix (RTM) that includes security requirements can be used for all of the following EXCEPT – Identifying privileged code sections
84. An attacker analyzes the response from the web server, which indicates that its version is Microsoft Internet Information Server 6.0 (Microsoft-IIS/6.0), but none of the IIS exploits that the attacker attempts to execute on the web server are successful. Which of the following is the MOST probable security control that is implemented? – Cloaking
85. System resources can be protected from malicious file execution attacks by uploading the user-supplied file and running it in which of the following environments? – Sandbox
86. Your organization's software is published as a trial version without any restricted functionality compared to the paid version. Which of the following MUST be designed and implemented to ensure that customers who have not purchased the software are limited in the availability of the software? – Validity period
87. The process of removing private information from sensitive data sets is referred to as – Formatting
88. Which of the following risk management concepts is demonstrated when using code escrows? – Avoidance
89. Bastion host systems can be used to continuously monitor the security of the computing environment when used in conjunction with intrusion detection systems (IDS) and which other security control? – Auditing
90. In pre-qualifying a supplier, which of the following must be assessed to ensure that the supplier can provide timely updates and hotfixes when an exploitable vulnerability in their software is reported? – Security track record
91. Which of the following is LEAST LIKELY to be identified by misuse case modeling? – Race Conditions
92. Software developers write software programs PRIMARILY to – Solve business problems
93. A means of restricting access to objects based on the identity of subjects and/or groups to which they belong, as mandated by the requested resource owner, is the definition of – Discretionary Access Control
94. The FIRST step in the incident response process of a reported breach is to – Research the validity of the alert or event further
95. Exploit code attempts to take control of dangling pointers, which – Are references to memory locations of destroyed objects
96. When verification activities are used to determine if the software is functioning as expected, it provides insight into which of the following aspects of software assurance? – Reliability
97. Which of the following contains the security requirements and the evidence needed to prove that the acquirer's requirements are met as expected? – Assurance Plan
98. IPSec technology, which helps in the secure transmission of information, operates in which layer of the Open Systems Interconnect (OSI) model? – Network
99. Most Supervisory Control And Data Acquisition (SCADA) systems are susceptible to software attacks because – They were not initially implemented with security in mind
100. Which of the following is not characteristic of good security metrics? – Collected manually
101. As a means to assure the availability of the existing software functionality after the application of a patch, the patch needs to be tested for – Backward compatibility
102. When software is purchased from a third party instead of being built in-house, it is imperative to have contractual protection in place and have the software requirements explicitly specified in which of the following? – Service Level Agreements (SLA)
103. During which phase of the software development lifecycle (SDLC) is threat modeling initiated? – Design
104. The amount of time by which business operations need to be restored to service levels as expected by the business when there is a security breach or disaster is known as – Recovery Time Objective (RTO)
105. The PRIMARY objective of resiliency testing of software is to determine – The presence and effectiveness of risk mitigation controls
106. Which of the following is an activity that can be performed to clarify requirements with the business users using diagrams that model the expected behavior of the software? – Use case modeling
107. The increased need for security in the software supply chain is PRIMARILY attributed to – Incidences of malicious code and logic found in acquired software
108. The MAIN reason why the availability aspects of software must be part of the organization's software security initiatives is – Software issues can cause downtime to the business
109. Which of the following policies needs to be established to securely dispose of software and associated data and documents? – End-of-life
110. The primary security concern when implementing cloud applications is related to – Unauthorized Access
111. Disassemblers, debuggers and decompilers can be used by security testers to PRIMARILY determine which of the following types of coding vulnerabilities? – Lack of reverse engineering protection
112. An understanding of which of the following programming concepts is necessary to protect against memory manipulation buffer overflow attacks? Choose the BEST answer. – Locality of Reference
113. Predictable execution means that the software demonstrates all of the following qualities EXCEPT – Authorization
114. When software that worked without any issues in the test environments fails to work in the production environment, it is indicative of – Incompatible Environment Configuration
115. Which of the following is the current Federal Information Processing Standard (FIPS) that specifies an approved cryptographic algorithm to ensure the confidentiality of electronic data? – Advanced Encryption Standard (FIPS 197)
116. Assurance that the software meets the expectations of the business as defined in the service level agreements (SLAs) can be demonstrated by which of the following types of tests? – Performance
117. Your organization has a policy to attest the security of any software that will be deployed into the production environment. A third-party vendor's software is being evaluated for its readiness to be deployed. Which of the following verification and validation mechanisms can be employed to attest the security of the vendor's software? – Black Box Testing
118. In which of the following software development methodologies does unit testing enable collective code ownership and is critical to assure software assurance? – Agile
119. When an attacker uses delayed error messages between successful and unsuccessful query probes, he is using which of the following side channel techniques to detect injection vulnerabilities? – Timing
120. Verbose error messages and unhandled exceptions can result in which of the following software security threats? – Information Disclosure
121. As a means to demonstrate the improvement in the security of code that is developed, one must compute the relative attack surface quotient (RASQ) – Before and after the code is implemented
122. When very limited or no knowledge of the software is made known to the software tester before she can test for its resiliency, it is characteristic of which of the following types of security tests? – Black Box
123. When software is developed by multiple suppliers, the genuineness of the software can be attested using which of the following processes? – Code signing
124. Requirements that are identified to protect against the destruction of information or the software itself are commonly referred to as – Availability Requirements
125. When reporting a software security defect in the software, which of the following also needs to be reported so that variance from the intended behavior of the software can be determined? – Expected results
126. As part of the test data management strategy, when criteria are applied to export selective information from a production system to the test environment, it is also referred to as – Filtering
127. The difference between disclaimer-based protection and contract-based protection is that – Contract-based protection is mutual
128. Nicole is part of the 'author' role and is also included in the 'approver' role, allowing her to approve her own articles before they are posted on the company blog site. This violates the principle of – Separation of duties
129. When the code is not allowed to access memory at arbitrary locations that are out of range of the memory address space that belongs to the object's publicly exposed fields, it is referred to as which of the following types of code? – Type safe code
130. You find out that employees in your company have been downloading software files and sharing them using peer-to-peer based torrent networks. These software files are not free and need to be purchased from their respective manufacturers. Your employees are violating – Copyrights
131. As a means to assure confidentiality of copyright information, the security analyst identifies the requirement to embed information inside another digital audio, video or image signal. This is commonly referred to as – Watermarking
132. When a compensating control is to be used, the Payment Card Industry Data Security Standard (PCI DSS) prescribes that the compensating control must meet all of the following guidelines EXCEPT – Provide an increased level of defense than the original requirement
133. Which of the following components of the Java architecture is primarily responsible for ensuring type consistency and safety and assuring that there are no malicious instructions in the code? – Bytecode Verifier
134. The ability of the software to withstand attempts of attackers who intend to breach the security protection that is built in is also known as – Resiliency
135. Software that is deployed in a high trust environment, such as the environment within the organizational firewall, when not continuously monitored is MOST susceptible to which of the following types of security attacks? Choose the BEST answer. – Logic Bombs
136. Using multifactor authentication is effective in mitigating which of the following application security risks? – Man-in-the-Middle (MITM)
137. When an all-or-nothing approach to code access security is not possible and business rules and permissions need to be set and managed more granularly inline in code functions and modules, a programmer can leverage which of the following? – Imperative Security
138. Driver- and stub-based programming are useful to conduct which of the following tests? – Unit
139. The findings of a code review indicate that cryptographic operations in code use the Rijndael cipher, which is the original publication of which of the following algorithms? – Advanced Encryption Standard (AES)
140. Printer ribbons, facsimile transmissions and printed information, when not securely disposed of, are susceptible to disclosure attacks by which of the following threat agents? Choose the BEST answer. – Dumpster divers
141. Discontinuance of software with known vulnerabilities in favor of a newer version is an example of risk – Avoidance
142. The token that is PRIMARILY used for authentication purposes in a Single Sign-On (SSO) implementation between two different companies is – Security Assertion Markup Language (SAML)
143. During a threat modeling exercise, the software architecture is reviewed to identify – Entry points
144. Parity bit checking mechanisms can be used for all of the following EXCEPT – Input Validation
145. The Systems Security Engineering Capability Maturity Model (SSE-CMM®) is an internationally recognized standard that publishes guidelines to – Evaluate security engineering practices and organizational management processes
146. Software programs, database models and images on a website can be protected using which of the following legal instruments? – Copyright
147. The ability to track ownership, changes in code and rollback abilities is possible because of which of the following configuration management processes? – Version control
148. Improper implementation of validity periods using length-of-use checks in code can result in which of the following types of security issues for legitimate users? – Denial of service
149. The inner workings and internal structure of backend databases can be protected from disclosure using – Views
150. In the context of the software supply chain, the principle of persistent protection is also known as – Location agnostic protection
151. Multi-factor authentication is most closely related to which of the following security design principles? – Defense in depth
152. Software security requirements that are identified to protect against disclosure of data to unauthorized users are otherwise known as – Confidentiality Requirements
153. Which of the following can provide insight into the effectiveness and efficiency of the supply chain processes as they pertain to assuring trust and software security? – Key Performance Indicator
154. Which of the following is the BEST recommendation to champion security objectives within the software development organization? – Informing the development team that there should be no injection flaws in the payroll application
155. The FINAL stage of the incident management process is – Recovery
156. Which of the following is an implementation of the principle of least privilege? – Sandboxing
157. The predominant form of malware that infects mobile apps is – Ransomware
158. When must the supplier inform the acquirer of any applicable export control and foreign trade regulatory requirements in the countries of export and import? – Before delivery (handover)
159. The MAIN benefit of statically analyzing code is that – Errors and vulnerabilities can be detected earlier in the life cycle
160. When the source code is made obscure using special programs in order to make the readability of the code difficult when disclosed, the code is also known as – Obfuscated code
161. The process of using regular expressions to parse audit logs into information that indicates security incidents is referred to as – Normalization
162. Impersonation attacks such as Man-in-the-Middle (MITM) attacks in an Internet application can be BEST mitigated using proper – Session management
163. Which of the following types of testing is crucial to conduct to determine single points of failure in a System-of-Systems (SoS)? – Integration
164. Organizations often pre-determine the acceptable number of user errors before recording them as security violations. This number is otherwise known as – Clipping level
165. The process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of the phase is referred to as – Verification
166. When internal business functionality is abstracted into service-oriented, contract-based interfaces, it is PRIMARILY used to provide for – Interoperability
167. Removal of maintenance hooks, debugging code and flags, and unneeded documentation before deployment are all examples of software – Hardening
168. When two or more trivial pieces of information are brought together with the aim of gleaning sensitive information, it is referred to as what type of attack? – Inference
169. When a customer attempts to log into their bank account, the customer is required to enter a nonce from the token device that was issued to the customer by the bank. This type of authentication is also known as which of the following? – Ownership-based authentication
170. When passwords are stored in the database, the best defense against disclosure attacks can be accomplished using – Hashing
171. When the runtime permissions of the code are defined as security attributes in the metadata of the code, it is referred to as – Declarative syntax security
172. The PRIMARY reason for incorporating security into the software development life cycle is to protect – The corporate brand and reputation
173. Management's formal acceptance of the system after an understanding of the residual risks to that system in the computing environment is also referred to as – Accreditation
174. Requiring the end user to accept an 'AS-IS' disclaimer clause before installation of your software is an example of risk – Transference
175. The Federal Information Processing Standard (FIPS) that prescribes guidelines for biometric authentication is – FIPS 201
176. Assembly and machine language are examples of – Low level language
177. Which of the following is a process threat in the software supply chain? – Insecure code transfer
178. Which of the following is known to circumvent the ring protection mechanisms in operating systems? – Rootkit
179. Which of the following is a framework that can be used to develop a risk-based enterprise security architecture by determining security requirements after analyzing the business initiatives? – Sherwood Applied Business Security Architecture (SABSA)
180. Which of the following is a feature of most recent operating systems (OS) that makes it difficult for an attacker to guess the memory address of the program, as it makes the memory address different each time the program is executed? – Address Space Layout Randomization
181. Checksum validation can be used to satisfy which of the following requirements? – Integrity
182. Audit logs can be used for all of the following EXCEPT – Preventing a user from performing some unauthorized operation
183. Versioning, back-ups, check-in and check-out practices are all important components of – Release Management
184. The integrity of build tools and the build environment is necessary to protect against – Tampering
185. In the context of test data management, when a transaction which serves no business purpose is tested, it is referred to as what kind of transaction? – Synthetic
186. Which of the following is the most important security testing process that validates and verifies the integrity of software code, components and configurations in a software security chain? – Code review
187. Which of the following are true regarding application security and software security? – Application security may delay…; Software security can be costly…
188. Which of the following statements are not correct regarding web application security? – Cross site scripting attacks…; Server side request forgery…
189. Which of the following statements are NOT true regarding mobile application security? – Cross platform development may not require…; Compared to web applications, mobile applications do not cause any additional data…
190. Which of the following statements are NOT true regarding threat modeling? – Quality assurance engineers/leads need not get involved…
191. Which of the following statements are NOT true regarding buffer overflow attacks? – Checking the size of an input…; Buffer overflow attacks are a common type…
192. Which of the following claims are NOT true regarding the OAuth protocol? – Authorization code grant type is more suited…; Implicit grant type uses an authorization code…
193. Which of the following are not correct classifications of the given authorization measure? – Using an antivirus program to identify…; Restoring a corrupt database…
194. Which of the following are potential applications of the OAuth protocol? – It can be used to build single-sign-on (SSO) applications…; It can be used to securely share user-specific information…
195. Which of the following are not appropriate practices in ensuring that third-party libraries/components don't introduce vulnerabilities in the development of a software system? – It's sufficient to check for the vulnerabilities…; In a large organization, each team may have…
196. Which of the following statements are NOT true regarding addressing web application vulnerabilities? – Union based SQL injection attacks…; Ensuring only the POST method…
197. Which of the following vulnerabilities correspond to the given vulnerability type? – An XML object being parsed…; An input field of a web application… – Cross site scripting
198. Which of the following are NOT possible challenges in ensuring the security of web applications? – The web applications using the TLS protocol…; The browser preventing the web application…
199. Which of the following are NOT potential applications of smart contracts? – When there's a legal requirement to have…; When a trade agreement needs to be…
200. Which of the following are possible applications of blockchain technology? – A donation tracing application that…; A tracking application of organic food…
201. Which of the following are NOT true regarding the TLS protocol? – TLS uses asymmetric encryption…; TLS is based on the idea of…
202. Which of the following are NOT valid steps in the TLS protocol? – The client application (e.g. browser) sending a remote call to…
203. Which of the following are NOT possible tasks under the S-SDLC? – Penetration testing; Performance Testing; Unit Testing
204.