CISSP : Certified Information Systems Security Professional : Part 23

Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?
- Password requirements are simplified.
- Risk associated with orphan accounts is reduced.
- Segregation of duties is automatically enforced.
- Data confidentiality is increased.
Which of the following statements is TRUE regarding state-based analysis as a functional software testing technique?
- It is characterized by the stateless behavior of a process implemented in a function
- Test inputs are obtained from the derived boundaries of the given functional specifications
- An entire partition can be covered by considering only one representative value from that partition
- It is useful for testing communications protocols and graphical user interfaces
Which of the following are important criteria when designing procedures and acceptance criteria for acquired software?
- Code quality, security, and origin
- Architecture, hardware, and firmware
- Data quality, provenance, and scaling
- Distributed, agile, and bench testing
Which of the following steps should be performed FIRST when purchasing Commercial Off-The-Shelf (COTS) software?
- undergo a security assessment as part of authorization process
- establish a risk management strategy
- harden the hosting server, and perform hosting and application vulnerability scans
- establish policies and procedures on system and services acquisition
An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there was a data breach who is responsible for monetary losses?
- The Data Protection Authority (DPA)
- The Cloud Service Provider (CSP)
- The application developers
- The data owner
What is the PRIMARY role of a scrum master in agile development?
- To choose the primary development language
- To choose the integrated development environment
- To match the software requirements to the delivery plan
- To project manage the software delivery
What capability would typically be included in a commercially available software package designed for access control?
- Password encryption
- File encryption
- Source library control
- File authentication
An organization plan on purchasing a custom software product developed by a small vendor to support its business model.

Which unique consideration should be made part of the contractual agreement potential long-term risks associated with creating this dependency?
- A source code escrow clause
- Right to request an independent review of the software source code
- Due diligence form requesting statements of compliance with security requirements
- Access to the technical documentation
When developing solutions for mobile devices, in which phase of the Software Development Life Cycle (SDLC) should technical limitations related to devices be specified?
- Implementation
- Initiation
- Review
- Development
Which of the following is the MOST important security goal when performing application interface testing?
- Confirm that all platforms are supported and function properly
- Evaluate whether systems or components pass data and control correctly to one another
- Verify compatibility of software, hardware, and network connections
- Examine error conditions related to external interfaces to prevent application details leakage
Which of the following is the MOST common method of memory protection?
- Compartmentalization
- Segmentation
- Error correction
- Virtual Local Area Network (VLAN) tagging
Attack trees are MOST useful for which of the following?
- Determining system security scopes
- Generating attack libraries
- Enumerating threats
- Evaluating Denial of Service (DoS) attacks
Which of the following techniques is known to be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections?
- Automated dynamic analysis
- Automated static analysis
- Manual code review
- Fuzzing
Which one of the following is an advantage of an effective release control strategy form a configuration control standpoint?
- Ensures that a trace for all deliverables is maintained and auditable
- Enforces backward compatibility between releases
- Ensures that there is no loss of functionality between releases
- Allows for future enhancements to existing features
The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity?
- Application authentication
- Input validation
- Digital signing
- Device encryption
Why is lexical obfuscation in software development discouraged by many organizations?
- Problems compiling the code
- Problems writing test cases
- Problems maintaining data connections
- Problems recovering systems after disaster
Which of the following is the BEST technique to facilitate secure software development?
- Adhere to secure coding practices for the software application under development
- Conduct penetrating testing for the software application under development
- Develop a threat modeling review for the software application under development
- Perform a code review process for the software application under development
What is the purpose of code signing?
- The signer verifies that the software being loaded is the software originated by the signer
- The vendor certifies the software being loaded is free of malicious code and that it was originated by the signer
- The signer verifies that the software being loaded is free of malicious code
- Both vendor and the signer certify the software being loaded is free of malicious code and it was originated by the signer
Which of the following is used to support the concept of defense in depth during the development phase of a software product?
- Maintenance hooks
- Polyinstantiation
- Known vulnerability list
- Security auditing
Which of the following practices provides the development team with a definition of security and identification of threats in designing software?
- Penetration testing
- Stakeholder review
- Threat modeling
- Requirements review

CISSP : Certified Information Systems Security Professional : All Parts
CISSP Part 01	CISSP Part 08	CISSP Part 15	CISSP Part 22
CISSP Part 02	CISSP Part 09	CISSP Part 16	CISSP Part 23
CISSP Part 03	CISSP Part 10	CISSP Part 17	CISSP Part 24
CISSP Part 04	CISSP Part 11	CISSP Part 18	CISSP Part 25
CISSP Part 05	CISSP Part 12	CISSP Part 19	CISSP Part 26
CISSP Part 06	CISSP Part 13	CISSP Part 20	CISSP Part 27
CISSP Part 07	CISSP Part 14	CISSP Part 21	CISSP Part 28

CISSP : Certified Information Systems Security Professional : All Parts
CISSP Part 01	CISSP Part 08	CISSP Part 15	CISSP Part 22
CISSP Part 02	CISSP Part 09	CISSP Part 16	CISSP Part 23
CISSP Part 03	CISSP Part 10	CISSP Part 17	CISSP Part 24
CISSP Part 04	CISSP Part 11	CISSP Part 18	CISSP Part 25
CISSP Part 05	CISSP Part 12	CISSP Part 19	CISSP Part 26
CISSP Part 06	CISSP Part 13	CISSP Part 20	CISSP Part 27
CISSP Part 07	CISSP Part 14	CISSP Part 21	CISSP Part 28

CISSP : Certified Information Systems Security Professional : Part 23

Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?

Which of the following statements is TRUE regarding state-based analysis as a functional software testing technique?

Which of the following are important criteria when designing procedures and acceptance criteria for acquired software?

Which of the following steps should be performed FIRST when purchasing Commercial Off-The-Shelf (COTS) software?

An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there was a data breach who is responsible for monetary losses?

What is the PRIMARY role of a scrum master in agile development?

What capability would typically be included in a commercially available software package designed for access control?

An organization plan on purchasing a custom software product developed by a small vendor to support its business model.

Which unique consideration should be made part of the contractual agreement potential long-term risks associated with creating this dependency?

When developing solutions for mobile devices, in which phase of the Software Development Life Cycle (SDLC) should technical limitations related to devices be specified?

Which of the following is the MOST important security goal when performing application interface testing?

Which of the following is the MOST common method of memory protection?

Attack trees are MOST useful for which of the following?

Which of the following techniques is known to be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections?

Which one of the following is an advantage of an effective release control strategy form a configuration control standpoint?

The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity?

Why is lexical obfuscation in software development discouraged by many organizations?

Which of the following is the BEST technique to facilitate secure software development?

What is the purpose of code signing?

Which of the following is used to support the concept of defense in depth during the development phase of a software product?

Which of the following practices provides the development team with a definition of security and identification of threats in designing software?