Release Control
Which process is responsible for ensuring that changes to software include acceptance testing?
Cross-Site Request Forgery (CSRF)
Which attack type attempts to exploit the trust relationship that a user's browser has with other websites by forcing the submission of an authenticated request to a 3rd party site?
Durability
ACID: What property of relational databases ensures that once a database transaction is committed to the database, it is preserved?
User Acceptance Testing (UAT)
Which software testing type usually occurs last and is executed against test scenarios?
Lost Update
Name a database issue that occurs when one transaction writes a value to the database that overwrites a value that was needed by transactions with earlier precedence.
Race Condition
What type of vulnerability does a TOC/TOU attack target?
Reflected Input
Name a condition that may make an application most vulnerable to a cross-site scripting (XSS) attack.
Knowledge Bank and Reference Engine
What are the two components of an expert system?
Gray Box
In a (blank) box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted.
White Box
(blank) box tests have access to the source code but perform testing from a developer's perspective.
Black Box
(blank) box tests work from a user's perspective but do not have access to the source code.
Request Control
Name a change management process initiated by users rather than developers.
Polyinstantiation
Name an effective countermeasure against OOP inference attacks.
Repeatable
At which level of SW-CMM does an organization introduce basic life-cycle management processes?
Requirements, Design, Coding, Testing, Maintenance
What are the Waterfall steps?
Atomicity
ACID: Which component ensures that database transactions are "all or nothing"?
Dirty Read
Name a database concurrency issue that occurs when one transaction reads information that was written to a database by a second transaction that is never committed.
Master Boot Record (MBR) Virus
What type of virus works by altering the system boot process to redirect the BIOS to load malware before the operating system loads?
Multipartite Virus
Name a virus characterized by the use of two or more different propagation mechanisms to improve its likelihood of spreading between systems.
Attack Surface
(blank) is the collection of possible entry points for an attacker.
Threat Modeling
(blank) is a systematic approach used to understand how different threats could be realized and how a successful compromise could take place.
Fuzzing
(blank) is the act of sending random data to the target program in order to trigger failures.
ISO 27034
ISO (blank) covers application security
Initial, Repeatable, Defined, Managed, Optimizing
Name the (5) CMMI maturity levels
Software Configuration Management (SCM)
(blank) is the task of tracking and controlling changes in the software through the use of authentication, revision control, the establishment of baselines, and auditing.
Object-Oriented Programming (OOP)
(blank) programming provides modularity, reusability, and more granular control within the programs themselves compared to classical programming languages.
Messages
OOP objects communicate with each other through (blank)
Polymorphism
(blank) is when different objects are given the same input and react differently.
Data Hiding
(blank) is when data and operations internal to objects are hidden from other objects.
Common Object Request Broker Architecture (CORBA)
(blank) provides a standardized way for objects within different applications, platforms, and environments to communicate.
Expert System
What form of AI uses a knowledge base and an inference engine?
Data Definition Language
What type of database language is used to create, modify, and delete tables?
Cross-Site Request Forgery (CSRF)
Which vulnerability allows a 3rd party to redirect static content within the security context of a trusted site?
Replicated Database
What database high availability option allows multiple clients to access multiple database servers simultaneously?
Component Object Model (COM)
(blank) provides an architecture for components to interact on a local system.
Distributed COM (DCOM)
(blank) uses the same interfaces as COM, but enables components to interact over a distributed, or networked environment.
Open Database Connectivity (ODBC)
(blank) enables several different applications to communicate with several different types of databases by calling the required driver and passing data through that driver.
Object Linking and Embedding (OLE)
(blank) enables a program to call another program (linking) and permits a piece of data to be inserted inside another program or document (embedding).
Service-Oriented Architectures (SOA)
(blank) provides standardized access to the most needed services to many different applications at one time.
Non-persistent XSS
(blank) XSS attack exploits the lack of proper input or output validation on dynamic websites.
Persistent XSS
(blank) XSS attack loads malicious code on a server that attacks visiting browsers.
DOM attack
(blank) XSS attack uses the DOM environment to modify the original client-side JavaScript.
Database Management System (DBMS)
(blank) is the software that controls the access restrictions, data integrity, redundancy, and the different types of manipulation available for a database.
Rows (Tuples) and Columns (attributes)
A relational database uses two-dimensional tables with (blank) and (blank)
Data Dictionary
A (blank) is a central repository that describes the data elements within a database and their relationships.
Database Integrity
(blank) is provided by concurrency mechanisms.
Entity Integrity
(blank) integrity makes sure that a row (tuple) is uniquely identified by a primary key.
Referential Integrity
(blank) integrity ensures that every foreign key refers to an existing primary key.
Partitioning the Database, Cell Suppression, Adding noise to the database
Name common ways to prevent database inference attacks
Polyinstantiation
(blank) is the process of allowing a table to have multiple rows with the same primary key. The different instances can be distinguished by their security levels or classification.
Data Warehousing
(blank) is the process of searching, filtering, and associating data held within a data warehouse to provide more useful information to users.
Atomicity
ACID: (blank) divides transactions into units of work and ensures that all modifications take effect or none takes effect.
Consistency
ACID: (blank) a transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
Isolation
ACID: (blank) transactions execute in isolation until completed, without interacting with other transactions.
Durability
ACID: (blank) once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.
Requirements Gathering, Design, Development, Testing, Release
What are the phases of the Software Development Lifecycle?
Unit Testing
SW (blank) testing: Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions.
Integration Testing
SW (blank) testing: Verifying that components work together as outlined in design specifications.
Acceptance Testing
SW (blank) testing: Ensuring that the code meets customer requirements.
Regression Testing
SW (blank) testing: After a change to a system takes place, retesting to ensure functionality, performance, and protection.
Fuzzing
(blank) is a software testing technique that provides invalid, unexpected, or random data to the input interfaces of a program.
Deferred Commitment
OOP: (blank) is when the internal components of an object can be redefined without changing other parts of the system.
Covert Channel
(blank) is an information flow that is not controlled by a security control.
Data Mining
(blank) the practice of examining large databases in order to generate new information.
Rapid Application Development (RAD)
(blank) a form of rapid prototyping that requires strict time limits on each phase and relies on tools that enable quick development
Software Assurance (SA)
(blank) is the level of confidence that software is free from defects.
Time Multiplexing
(blank) allows the OS to provide well-defined and structured access to processes that need to use resources according to a controlled and tightly managed schedule.
Time of Check / Time of Use (TOC/TOU)
(blank) attack takes advantage of the dependency on the timing of events that take place in a multitasking operating system.
Common Object Request Broker (CORBA)
(blank) a set of standards that addresses the need for interoperability between hardware and software products.