CSSLP : Certified Secure Software Lifecycle Professional : Part 15

CSSLP : Certified Secure Software Lifecycle Professional : Part 15

1. Which of the following provides an easy way to programmers for writing lower-risk applications and retrofitting security into an existing application?

   • Watermarking
   • Code obfuscation
   • Encryption wrapper
   • ESAPI
   Explanation:

   ESAPI (Enterprise Security API) is a group of classes that encapsulate the key security operations, needed by most of the applications. It is a free, open source, Web application security control library. ESAPI provides an easy way to programmers for writing lower-risk applications and retrofitting security into an existing application. It offers a solid foundation for new development. Answer: C is incorrect. An encryption wrapper is a device that encrypts and decrypts the critical or all software codes at runtime. Answer: B is incorrect. Code obfuscation transforms the code so that it is less intelligible for a person. Answer: A is incorrect. Watermarking is the irreversible process of embedding information into a digital media. The purpose of digital watermarks is to provide copyright protection for intellectual property that is in digital form.

2. In which of the following DIACAP phases is residual risk analyzed?

   • Phase 1
   • Phase 5
   • Phase 2
   • Phase 4
   • Phase 3
   Explanation:
   The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is a process defined by the United States Department of Defense (DoD) for managing risk. The Certification Determination and Accreditation phase is the third phase in the DIACAP process. Its subordinate tasks are as follows: Analyze residual risk. Issue certification determination. Make accreditation decision. Answer: A is incorrect. Phase 1 is known as Initiate and Plan IA C&A. Answer: C is incorrect. Phase 2 is used to implement and validate assigned IA controls. Answer: E is incorrect. Phase 3 is used to make certification determination and accreditation decisions. Answer: B is incorrect. Phase 5 is known as decommission system and is used to conduct activities related to the disposition of the system data and objects.

3. Which of the following security controls will you use for the deployment phase of the SDLC to build secure software? Each correct answer represents a complete solution. Choose all that apply.

   • Change and Configuration Control
   • Security Certification and Accreditation (C&A)
   • Vulnerability Assessment and Penetration Testing
   • Risk Adjustments
   Explanation: 
   The various security controls in the SDLC deployment phase are as follows: Secure Installation: While performing any software installation, it should kept in mind that the security configuration of the environment should never be reduced. If it is reduced then security issues and overall risks can affect the environment. Vulnerability Assessment and Penetration Testing: Vulnerability assessments (VA) and penetration testing (PT) is used to determine the risk and attest to the strength of the software after it has been deployed. Security Certification and Accreditation (C&A): Security certification is the process used to ensure controls which are effectively implemented through established verification techniques and procedures, giving organization officials confidence that the appropriate safeguards and countermeasures are in place as means of protection. Accreditation is the provisioning of the necessary security authorization by a senior organization official to process, store, or transmit information.
   Risk Adjustments: Contingency plans and exceptions should be generated so that the residual risk be above the acceptable threshold.

4. In which of the following architecture styles does a device receive input from connectors and generate transformed outputs?

   • N-tiered
   • Heterogeneous
   • Pipes and filters 
   • Layered
   Explanation:
   In the pipes and filters architecture style, a device receives input from connectors and generates transformed outputs. A pipeline has a series of processing elements in which the output of each element works as an input of the next element. A little amount of buffering is provided between the two successive elements.

5. Which of the following agencies is responsible for funding the development of many technologies such as computer networking, as well as NLS?

   • DIAP
   • DTIC
   • DARPA 
   • DISA
   Explanation:
   The Defense Advanced Research Projects Agency (DARPA) is an agency of the United States Department of Defense responsible for the development of new technology for use by the military. DARPA has been responsible for funding the development of many technologies which have had a major effect on the world, including computer networking, as well as NLS, which was both the first hypertext system, and an important precursor to the contemporary ubiquitous graphical user interface. DARPA supplies technological options for the entire Department, and is designed to be the “technological engine” for transforming DoD. Answer: D is incorrect. The Defense Information Systems Agency is a United States Department of Defense combat support agency with the goal of providing real-time information technology (IT) and communications support to the President, Vice President, Secretary of Defense, the military Services, and the Combatant Commands. DISA, a Combat Support Agency, engineers and provides command and control capabilities and enterprise infrastructure to continuously operate and assure a global net-centric enterprise in direct support to joint warfighters, National level leaders, and other mission and coalition partners across the full spectrum of operations. Answer: B is incorrect. The Defense Technical Information Center (DTIC) is a repository of scientific and technical documents for the United States Department of Defense. DTIC serves the DoD community as the largest central resource for DoD and government-funded scientific, technical, engineering, and business related information available today. DTIC’s documents are available to DoD personnel and defense contractors, with unclassified documents also available to the public. DTIC’s aim is to serve a vital link in the transfer of information among DoD personnel, DoD contractors, and potential contractors and other U.S. Government agency personnel and their contractors. Answer: A is incorrect. The Defense-wide Information Assurance Program (DIAP) protects and supports DoD information, information systems, and information networks, which is important to the Department and the armed forces throughout the day-to-day operations, and in the time of crisis. The DIAP uses the OSD method to plan, observe, organize, and incorporate IA activities. The role of DIAP is to act as a facilitator for program execution by the combatant commanders, Military Services, and Defense Agencies. The DIAP staff combines functional and programmatic skills for a comprehensive Defense-wide approach to IA. The DIAP’s main objective is to ensure that the DoD’s vital information resources are secured and protected by incorporating IA activities to get a secure net-centric GIG operation enablement and information supremacy by applying a Defense-in-Depth methodology that integrates the capabilities of people, operations, and technology to establish a multi-layer, multidimensional protection.

6. Which of the following are the scanning methods used in penetration testing? Each correct answer represents a complete solution. Choose all that apply.

   • Vulnerability
   • Port
   • Services
   • Network
   Explanation:
   The vulnerability, port, and network scanning tools are used in penetration testing. Vulnerability scanning is a process in which a Penetration Tester uses various tools to assess computers, computer systems, networks or applications for weaknesses. There are a number of types of vulnerability scanners available today, distinguished from one another by a focus on particular targets. While functionality varies between different types of vulnerability scanners, they share a common, core purpose of enumerating the vulnerabilities present in one or more targets. Vulnerability scanners are a core technology component of Vulnerability management. Port scanning is the first basic step to get the details of open ports on the target system. Port scanning is used to find a hackable server with a hole or vulnerability. A port is a medium of communication between two computers. Every service on a host is identified by a unique 16-bit number called a port. A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by hackers to identify running services on a host with the view to compromising it. Port scanning is used to find the open ports, so that it is possible to search exploits related to that service and application. Network scanning is a penetration testing activity in which a penetration tester or an attacker identifies active hosts on a network, either to attack them or to perform security assessment. A penetration tester uses various tools to identify all the live or responding hosts on the network and their corresponding IP addresses. Answer: C is incorrect. This option comes under vulnerability scanning.

7. Which of the following is the process of finding weaknesses in cryptographic algorithms and obtaining the plaintext or key from the ciphertext?

   • Cryptographer
   • Cryptography
   • Kerberos
   • Cryptanalysis
   Explanation:

   Cryptanalysis is the process of analyzing cipher text and finding weaknesses in cryptographic algorithms. These weaknesses can be used to decipher the cipher text without knowing the secret key. Answer: C is incorrect. Kerberos is an industry standard authentication protocol used to verify user or host identity. Kerberos v5 authentication protocol is the default authentication service for Windows 2000. It is integrated into the administrative and security model, and provides secure communication between Windows 2000 Server domains and clients. Answer: A is incorrect. A cryptographer is a person who is involved in cryptography.

   Answer: B is incorrect. Cryptography is a branch of computer science and mathematics. It is used for protecting information by encoding it into an unreadable format known as cipher text.

8. Companies use some special marks to distinguish their products from those of other companies. These marks can include words, letters, numbers, drawings, etc. Which of the following terms describes these special marks?

   • Business mark
   • Trademark 
   • Sales mark
   • Product mark
   Explanation:
   A trademark is a mark that is used by a company to distinguish its products from those of other companies. There are various ways a company uses its trademark to distinguish its products from others. It can use words, letters, numbers, drawings, pictures, and so on, in its trademark. Answer: D, A, and C are incorrect. There is no such mark as product mark, business mark, or sales mark.

9. Which of the following features of SIEM products is used in analysis for identifying potential problems and reviewing all available data that are associated with the problems?

   • Security knowledge base
   • Graphical user interface
   • Asset information storage and correlation
   • Incident tracking and reporting
   Explanation:
   SIEM product has a graphical user interface (GUI) which is used in analysis for identifying potential problems and reviewing all available data that are associated with the problems. A graphical user interface (GUI) is a type of user interface that allows people to interact with programs in more ways than typing commands on computers. The term came into existence because the first interactive user interfaces to computers were not graphical; they were text- and-keyboard oriented and usually consisted of commands a user had to remember and computer responses that were infamously brief. A GUI offers graphical icons, and visual indicators, as opposed to text-based interfaces, typed command labels or text navigation to fully represent the information and actions available to a user. The actions are usually performed through direct manipulation of the graphical elements.

10. Which of the following is an example of penetration testing?

    • Implementing NIDS on a network
    • Implementing HIDS on a computer
    • Simulating an actual attack on a network 
    • Configuring firewall to block unauthorized traffic
    Explanation:
    Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration testing is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit. Answer: A, B, and D are incorrect. Implementing NIDS and HIDS and configuring firewall to block unauthorized traffic are not examples of penetration testing.

11. Which of the following security controls works as the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy?

    • Common data security architecture (CDSA)
    • Application program interface (API)
    • Trusted computing base (TCB) 
    • Internet Protocol Security (IPSec)
    Explanation:
    Trusted computing base (TCB) refers to hardware, software, controls, and processes that cause a computer system or network to be devoid of malicious software or hardware. Maintaining the trusted computing base (TCB) is essential for security policy to be implemented successfully. Answer: D is incorrect. Internet Protocol Security (IPSec) is a standard-based protocol that provides the highest level of VPN security. IPSec can encrypt virtually everything above the networking layer. It is used for VPN connections that use the L2TP protocol. It secures both data and password. IPSec cannot be used with Point-to-Point Tunneling Protocol (PPTP). Answer: A is incorrect. The Common data security architecture (CDSA) is a set of layered security services and cryptographic framework. It deals with the communications and data security problems in the emerging Internet and intranet application space. It presents an infrastructure for building cross-platform, interoperable, security-enabled applications for client-server environments. Answer: B is incorrect. An application programming interface (API) is an interface implemented by a software program which enables it to interact with other software. It facilitates interaction between different software programs similar to the way the user interface facilitates interaction between humans and computers. An API is implemented by applications, libraries, and operating systems to determine their vocabularies and calling conventions, and is used to access their services. It may include specifications for routines, data structures, object classes, and protocols used to communicate between the consumer and the implementer of the API.

12. Which of the following types of attacks occurs when an attacker successfully inserts an intermediary software or program between two communicating hosts?

    • Denial-of-service attack
    • Dictionary attack
    • Man-in-the-middle attack 
    • Password guessing attack
    Explanation:
    When an attacker successfully inserts an intermediary software or program between two communicating hosts, it is known as man-in-the-middle attack.

13. Which of the following methods can be helpful to eliminate social engineering threat? Each correct answer represents a complete solution. Choose three.

    • Password policies
    • Data classification
    • Data encryption
    • Vulnerability assessments
    Explanation:
    The following methods can be helpful to eliminate social engineering threat: Password policies Vulnerability assessments Data classification Password policy should specify that how the password can be shared. Company should implement periodic penetration and vulnerability assessments. These assessments usually consist of using known hacker tools and common hacker techniques to breach a network security. Social engineering should also be used for an accurate assessment. Since social engineers use the knowledge of others to attain information, it is essential to have a data classification model in place that all employees know and follow. Data classification assigns level of sensitivity of company information. Each classification level specifies that who can view and edit data, and how it can be shared.

14. Digital rights management (DRM) consists of compliance and robustness rules. Which of the following features does the robustness rule have? Each correct answer represents a complete solution. Choose three.

    • It specifies the various levels of robustness that are needed for asset security.
    • It specifies minimum techniques for asset security.
    • It specifies the behaviors of the DRM implementation and applications accessing the implementation.
    • It contains assets, such as device key, content key, algorithm, and profiling data.
    Explanation:
    The DRM (digital rights management) technology includes the following rules: 1.Compliance rule: This rule specifies the behaviors of the DRM implementation, and applications that are accessing the implementation. The compliance rule specifies the following elements: Definition of specific license rights Device requirements Revocation of license path or penalties when the implementation is not robust enough or noncompliant 2.Robustness rule: This rule has the following features: It specifies the various levels of robustness that are needed for asset security. It contains assets, such as device key, content key, algorithm, and profiling data. It specifies minimum techniques for asset security.

15. What are the various phases of the Software Assurance Acquisition process according to the U.S. Department of Defense (DoD) and Department of Homeland Security (DHS) Acquisition and Outsourcing Working Group?

    • Implementing, contracting, auditing, monitoring
    • Requirements, planning, monitoring, auditing
    • Planning, contracting, monitoring and acceptance, follow-on 
    • Designing, implementing, contracting, monitoring
    Explanation:
    Software Assurance Acquisition process defines the level of confidence that software is free from vulnerabilities. It is designed into the software or accidentally inserted at anytime during its lifecycle, and the software works in a planned manner. According to the U.S. Department of Defense and Department of Homeland Security Acquisition and Outsourcing Working Group, the Software Assurance Acquisition process contains the following phases: 1.Planning 2.Contracting 3.Monitoring and acceptance 4.Follow-on

16. What project management plan is most likely to direct the quantitative risk analysis process for a project in a matrix environment?

    • Risk analysis plan
    • Staffing management plan
    • Risk management plan 
    • Human resource management plan
    Explanation:
    The risk management plan defines how risks will be identified, analyzed, responded to, and then monitored and controlled regardless of the structure of the organization. Answer: D is incorrect. The human resources management plan does define how risks will be analyzed. Answer: B is incorrect. The staffing management plan does define how risks will be analyzed. Answer: A is incorrect. The risk analysis plan does define how risks will be analyzed.

17. The DoD 8500 policy series represents the Department’s information assurance strategy. Which of the following objectives are defined by the DoD 8500 series? Each correct answer represents a complete solution. Choose all that apply.

    • Defending systems
    • Providing IA Certification and Accreditation
    • Providing command and control and situational awareness
    • Protecting information
    Explanation:
    The various objectives of the DoD 8500 series are as follows: Protecting information Defending systems Providing command and control and situational awareness Making sure that the information assurance is integrated into processes Increasing security awareness throughout the DoD’s workforce

18. Which of the following statements are true about declarative security? Each correct answer represents a complete solution. Choose all that apply.

    • It is employed in a layer that relies outside of the software code or uses attributes of the code.
    • It applies the security policies on the software applications at their runtime.
    • In this security, authentication decisions are made based on the business logic.
    • In this security, the security decisions are based on explicit statements.
    Explanation:
    Declarative security applies the security policies on the software applications at their runtime. In this type of security, the security decisions are based on explicit statements that confine security behavior. Declarative security applies security permissions that are required for the software application to access the local resources and provides role-based access control to an individual software component and software application. It is employed in a layer that relies outside of the software code or uses attributes of the code. Answer: C is incorrect. In declarative security, authentication decisions are coarse-grained in nature from an operational or external security perspective.

19. Fred is the project manager of the CPS project. He is working with his project team to prioritize the identified risks within the CPS project. He and the team are prioritizing risks for further analysis or action by assessing and combining the risks probability of occurrence and impact. What process is Fred completing?

    • Risk identification
    • Risk Breakdown Structure creation
    • Perform qualitative analysis 
    • Perform quantitative analysis
    Explanation:
    Qualitative ranks the probability and impact and then helps the project manager and team to determine which risks need further analysis. Perform Qualitative Risk Analysis is the process of prioritizing risks for further analysis and action. It combines risks and their probability of occurrences and ranks them accordingly. It enables organizations to improve the project’s performance by focusing on high-priority risks. Perform Qualitative Risk Analysis is usually a rapid and cost-effective means of establishing priorities for Plan Risk Responses. It also lays the foundation for Perform Quantitative Risk Analysis. Answer: A is incorrect. Risk identification precedes this activity. Answer: B is incorrect. This process does not describe the decomposition and organization of risks that you will complete in a risk breakdown structure.
    Answer: D is incorrect. Quantitative analysis is the final step of risk analysis. Note the question tells you that Fred and the team will identify risks for additional analysis.

20. Which of the following are the levels of public or commercial data classification system? Each correct answer represents a complete solution. Choose all that apply.

    • Sensitive
    • Private
    • Unclassified
    • Confidential
    • Secret
    • Public
    Explanation:
    The public or commercial data classification is also built upon a four-level model, which are as follows: Public Sensitive Private Confidential Each level (top to bottom) represents an increasing level of sensitivity. The public level is similar to unclassified level military classification system. This level of data should not cause any damage if disclosed. Sensitive is a higher level of classification than public level data. This level of data requires a greater level of protection to maintain confidentiality. The Private level of data is intended for company use only. Disclosure of this level of data can damage the company. The Confidential level of data is considered very sensitive and is intended for internal use only. Disclosure of this level of data can cause serious damage to the company. Answer: C and E are incorrect. Unclassified and secret are the levels of military data classification.