Certified Secure Software Lifecycle Professional v1.0 (CSSLP)

Page:    1 / 24   
Total 355 questions

Which of the following statements is true about residual risks?

  • A. It is the probabilistic risk after implementing all security measures.
  • B. It can be considered as an indicator of threats coupled with vulnerability.
  • C. It is a weakness or lack of safeguard that can be exploited by a threat.
  • D. It is the probabilistic risk before implementing all security measures.


Answer : A

Explanation: Residual risk is the risk or danger of an action, event, method, or (technical) process that remains even after all theoretically possible safety measures have been applied. The formula to calculate residual risk is (inherent risk) x (control risk), where inherent risk is (threats x vulnerability), that is, the risk present before any controls are applied. Answer: D is incorrect. The probabilistic risk before implementing security measures is the inherent risk, not the residual risk. Answer: B is incorrect. In information security, security risk (not residual risk) is considered an indicator of threats coupled with vulnerability. In other words, security risk is a probabilistic function of a given threat agent exercising a particular vulnerability and the impact of that event on the organization. Answer: C is incorrect. A weakness or lack of safeguard that can be exploited by a threat is a vulnerability, not residual risk. A vulnerability can be exploited by a threat, thus causing harm to information systems or networks, and can exist in hardware, operating systems, firmware, applications, and configuration files. Vulnerability has been variously defined as follows: 1. A security weakness in a Target of Evaluation due to failures in analysis, design, implementation, or operation. 2. A weakness in an information system or its components (e.g. system security procedures, hardware design, or internal controls) that could be exploited to produce an information-related misfortune. 3. The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.

To help review or design security controls, they can be classified by several criteria . One of these criteria is based on their nature. According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?

  • A. Compliance control
  • B. Physical control
  • C. Procedural control
  • D. Technical control


Answer : C

Explanation: When controls are classified by their nature, procedural (administrative) controls include incident response processes, management oversight, security awareness, and training. Answer: B is incorrect. Physical controls are a separate class covering tangible safeguards such as locks, fences, and guards. Answer: D is incorrect. Technical controls are implemented in hardware or software, such as firewalls, access control lists, and encryption. Answer: A is incorrect. Compliance is not one of the classes of control defined by this criterion.

A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark's financial and personal details to another company. Which of the following Internet laws has the credit card issuing company violated?

  • A. Trademark law
  • B. Security law
  • C. Privacy law
  • D. Copyright law


Answer : C

Explanation: The credit card issuing company has violated privacy law. Under Internet privacy law, a company cannot provide its customers' financial and personal details to other companies without authorization. Answer: A is incorrect. Trademark laws facilitate the protection of trademarks around the world. Answer: B is incorrect. The unauthorized disclosure of personal data is a privacy matter rather than a violation of a security law. Answer: D is incorrect. Copyright law protects dramatic, musical, artistic, and certain other intellectual works, not a customer's personal data.

There are seven risks responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events?

  • A. Acceptance
  • B. Transference
  • C. Sharing
  • D. Mitigation


Answer : A

Explanation: Only acceptance is appropriate for both positive and negative risk events. Acceptance is often used for low-probability, low-impact risk events regardless of the positive or negative effect the risk event may bring to the project. The acceptance response is part of the Risk Response Planning process; it states that the project plan will not be changed to deal with the risk, although management may develop a contingency plan in case the risk does occur. Acceptance can be of two types:
Passive acceptance: No plans are made to try to avoid or mitigate the risk.
Active acceptance: Contingency reserves are developed to deal with risks in case they occur.
Acceptance is the only response that applies to both threats and opportunities. Answer: C is incorrect. Sharing is a response to positive risks (opportunities) only. Answer: B is incorrect. Transference is a response to negative risks (threats) only. Answer: D is incorrect. Mitigation is a negative-risk response that seeks to lower the probability and/or impact of a risk event.

You work as a Security Manager for Tech Perfect Inc. In the organization, Syslog is used for computer system management and security auditing, as well as for generalized informational, analysis, and debugging messages. You want to prevent a denial of service (DoS) for the Syslog server and the loss of Syslog messages from other sources. What will you do to accomplish the task?

  • A. Use a different message format other than Syslog in order to accept data.
  • B. Enable the storage of log entries in both traditional Syslog files and a database.
  • C. Limit the number of Syslog messages or TCP connections from a specific source for a certain time period.
  • D. Encrypt rotated log files automatically using third-party or OS mechanisms.


Answer : C

Explanation: In order to accomplish the task, you should limit the number of Syslog messages or TCP connections accepted from a specific source for a certain time period. This prevents a single source from exhausting the Syslog server's capacity (a denial of service) and from crowding out Syslog messages arriving from other sources. Answer: D is incorrect. Encrypting rotated log files protects the confidentiality of stored logs; it does nothing to prevent a DoS. Answer: B is incorrect. Enabling storage of log entries in both traditional Syslog files and a database is used to create database storage for logs, not to prevent a flood from one source. Answer: A is incorrect. Accepting data in a different message format does not limit how much data a single source can send.
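The per-source limit described above, as an added example that is not part of the exam page: a small syslog collector front end that parses RFC 3164-style lines and enforces a fixed-window limit of `burst` messages per `interval` seconds for each sending host, counting what it drops so the flood is itself visible. The rule format, the window parameters, and the log lines are constructed assumptions; the same per-source bookkeeping is how a cap on open TCP sessions per source would be kept.

```python
"""Per-source rate limiting for a syslog collector (added example, not from the exam page).

Assumptions (constructed for this example): RFC 3164-style input lines, a fixed
window of `burst` messages per `interval` seconds per source, and source
identity taken from the hostname field. The SAMPLE lines below are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# RFC 3164-style line: "<PRI>Mon dd hh:mm:ss host tag: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class SourceLimiter:
    """Fixed-window limiter: at most `burst` messages per `interval` seconds per source."""
    burst: int = 5
    interval: float = 1.0
    _windows: dict = field(default_factory=dict)            # source -> [window_start, count]
    dropped: dict = field(default_factory=lambda: defaultdict(int))  # source -> drop count

    def allow(self, source, now):
        win = self._windows.get(source)
        if win is None or now - win[0] >= self.interval:
            self._windows[source] = [now, 1]  # open a fresh window for this source
            return True
        if win[1] < self.burst:
            win[1] += 1
            return True
        self.dropped[source] += 1  # over the limit: drop, but keep the evidence
        return False


def parse(line):
    """Parse one syslog line; return None for malformed input."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"host": m.group("host"), "msg": m.group("msg"),
            "facility": pri // 8, "severity": pri % 8}


def ingest(lines, limiter):
    """Return the accepted records for (timestamp, line) pairs; drops are counted on the limiter."""
    accepted = []
    for t, line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed; a real collector would count these separately
        if limiter.allow(rec["host"], t):
            accepted.append(rec)
    return accepted


# Constructed sample: a 50-message flood from 'noisyhost' inside one second,
# plus ordinary traffic from 'webserver' that must not be lost.
SAMPLE = [(0.01 * i, f"<13>Jun 12 10:00:00 noisyhost app[1]: flood {i}") for i in range(50)]
SAMPLE += [
    (0.5, "<34>Jun 12 10:00:00 webserver sshd[2]: Failed password for root"),
    (0.6, "<13>Jun 12 10:00:00 webserver cron[3]: job done"),
    (1.2, "<13>Jun 12 10:00:01 noisyhost app[1]: flood after window reset"),
    (1.3, "not a syslog line"),
]


def run_demo(burst=5, interval=1.0):
    """Return (accepted-per-host, dropped-per-host) for the constructed sample."""
    limiter = SourceLimiter(burst=burst, interval=interval)
    accepted = ingest(sorted(SAMPLE, key=lambda x: x[0]), limiter)
    by_host = defaultdict(int)
    for rec in accepted:
        by_host[rec["host"]] += 1
    return dict(by_host), dict(limiter.dropped)


if __name__ == "__main__":
    print(run_demo())  # noisyhost: 5 in the first window + 1 after reset; webserver untouched
```

With the default limit of 5 per second, the flood from `noisyhost` is cut to 5 messages in the first window plus 1 after the window resets, 45 are dropped and counted, and both `webserver` messages still arrive. A fixed window is the simplest policy; a token bucket smooths bursts better but the per-source state is the same.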

You work as a project manager for a company. The company has started a new security software project. Software configuration management will be used throughout the lifecycle of the project. You are tasked to modify the functional features and the basic logic of the software and then make them compatible with the initial design of the project. Which of the following procedures of configuration management will you follow to accomplish the task?

  • A. Configuration status accounting
  • B. Configuration control
  • C. Configuration audits
  • D. Configuration identification


Answer : B

Explanation: Configuration control is a procedure of configuration management. It is the set of processes and approval stages required to change a configuration item's attributes and to re-baseline them. It supports the change of the functional and physical attributes of software at various points in time, and performs systematic control of changes to the identified attributes. Answer: C is incorrect. Configuration audits confirm that the configuration identification for a configured item is accurate, complete, and will meet specified program needs. Configuration audits are broken into functional and physical configuration audits and occur either at delivery or at the moment of effecting the change. A functional configuration audit ensures that the functional and performance attributes of a configuration item are achieved, while a physical configuration audit ensures that a configuration item is installed in accordance with the requirements of its detailed design documentation. Answer: D is incorrect. Configuration identification selects and names the configuration items. A configuration item is a product (hardware and/or software) that has an end-user purpose; its attributes are recorded in configuration documentation and baselined. Baselining an attribute forces formal configuration change control processes to be effected in the event that the attribute is changed. Answer: A is incorrect. Configuration status accounting is the ability to record and report on the configuration baseline associated with each configuration item at any moment in time. It tracks the functional and physical attributes of software at various points in time and performs systematic accounting of the identified attributes for the purpose of maintaining software integrity and traceability throughout the software development life cycle.

Which of the following areas of an information system, as separated by the Information Assurance Framework, is a collection of local computing devices, regardless of physical location, that are interconnected via local area networks (LANs) and governed by a single security policy?

  • A. Local Computing Environments
  • B. Networks and Infrastructures
  • C. Supporting Infrastructures
  • D. Enclave Boundaries


Answer : D

Explanation: The areas of an information system, as separated by the Information Assurance Framework, are as follows:
Local Computing Environments: This area includes servers, client workstations, operating systems, and applications.
Enclave Boundaries: This area consists of a collection of local computing devices, regardless of physical location, that are interconnected via local area networks (LANs) and governed by a single security policy.
Networks and Infrastructures: This area provides the network connectivity between enclaves. It includes operational area networks (OANs), metropolitan area networks (MANs), and campus area networks (CANs).
Supporting Infrastructures: This area provides security services for networks, client workstations, Web servers, operating systems, applications, files, and single-use infrastructure machines.

Which of the following is a signature-based intrusion detection system (IDS) ?

  • A. RealSecure
  • B. StealthWatch
  • C. Tripwire
  • D. Snort


Answer : D

Explanation: Snort is a signature-based intrusion detection system. Snort is an open source network intrusion prevention and detection system that operates as a network sniffer and logs network activity that matches predefined signatures. Signatures can be written for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). The three main modes in which Snort can be configured are as follows:
Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console.
Packet logger mode: It logs the packets to the disk.
Network intrusion detection mode: It is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Answer: B is incorrect. StealthWatch is a behavior-based intrusion detection system. Answer: C is incorrect. Tripwire is a file integrity checker for UNIX/Linux that can be used for host-based intrusion detection.
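What "matching traffic against a user-defined rule set" means in practice, as an added example that is not part of the exam page and not Snort's own code: a matcher for a small, constructed subset of Snort rule syntax (action, protocol, ports, `msg`, `content` with `|hex|` escapes, `nocase`, `sid`) run over constructed packet records. Real Snort supports far more options and does protocol reassembly before matching; the rules and packets here are made-up sample data.

```python
"""Signature-based detection in the style of Snort rules (added example, not from the exam page).

Assumptions (constructed for this example): only a tiny subset of the Snort rule
language is understood, packets are plain records rather than parsed wire data,
and the RULES and PACKETS below are made up.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    sport: str      # "any" or a port number, as in Snort
    dport: str
    msg: str
    content: bytes  # the signature bytes to look for in the payload
    sid: int
    nocase: bool = False


# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def _unescape(content):
    """Turn a Snort content string into bytes; '|DE AD|' segments are hex."""
    out = bytearray()
    for part in re.split(r"(\|[0-9A-Fa-f ]+\|)", content):
        if part.startswith("|") and part.endswith("|"):
            out += bytes.fromhex(part.strip("|").replace(" ", ""))
        else:
            out += part.encode()
    return bytes(out)


def parse_rule(text):
    """Parse one rule line of the supported subset into a Rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("bad rule header: " + text)
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m.group("action"), m.group("proto").lower(), m.group("sport"), m.group("dport"),
                opts.get("msg", ""), _unescape(opts.get("content", "")),
                int(opts.get("sid", 0)), nocase="nocase" in opts)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def match(rule, pkt):
    """True when protocol, ports and signature bytes all match the packet."""
    if rule.proto != pkt.proto or not _port_ok(rule.sport, pkt.sport) or not _port_ok(rule.dport, pkt.dport):
        return False
    if rule.nocase:
        return rule.content.lower() in pkt.payload.lower()
    return rule.content in pkt.payload


def detect(rules, packets):
    """Return (sid, msg) for every alert rule that fires, in packet order."""
    return [(r.sid, r.msg) for pkt in packets for r in rules if r.action == "alert" and match(r, pkt)]


RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"Directory traversal attempt"; content:"../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"SQL injection probe"; content:"UNION SELECT"; nocase; sid:1000002;)',
    'alert icmp any any -> any any (msg:"ICMP payload marker"; content:"|DE AD BE EF|"; sid:1000003;)',
]]

PACKETS = [  # constructed traffic
    Packet("tcp", "10.0.0.5", 51000, "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.5", 51001, "10.0.0.80", 80, b"GET /item?id=1 union select 1,2 HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.5", 51002, "10.0.0.80", 443, b"GET /../ HTTP/1.1\r\n"),  # wrong port: no alert
    Packet("icmp", "10.0.0.5", 0, "10.0.0.80", 0, b"\x00\x00\xde\xad\xbe\xef"),
    Packet("tcp", "10.0.0.5", 51003, "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),  # benign
]


def run_demo():
    return detect(RULES, PACKETS)


if __name__ == "__main__":
    for sid, msg in run_demo():
        print(f"[{sid}] {msg}")
```

The third packet carries the traversal string but goes to port 443, so the port clause in the rule header keeps it quiet; this is exactly the trade-off of signature-based detection: precise, cheap, and blind to anything the rule author did not anticipate, which is why the same explanation contrasts it with behavior-based systems such as StealthWatch.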

Which of the following statements about the availability concept of Information security management is true?

  • A. It ensures that modifications are not made to data by unauthorized personnel or processes.
  • B. It determines actions and behaviors of a single individual within a system.
  • C. It ensures reliable and timely access to resources.
  • D. It ensures that unauthorized modifications are not made to data by authorized personnel or processes.


Answer : C

Explanation: The concept of availability ensures reliable and timely access to data or resources. In other words, availability ensures that systems are up and running when needed. The availability concept also ensures that the security services themselves are in working order. Answer: A and D are incorrect. The concept of integrity ensures that modifications are not made to data by unauthorized personnel or processes, and that unauthorized modifications are not made to data by authorized personnel or processes. Answer: B is incorrect. Determining the actions and behaviors of a particular individual within a system is accountability. Audit trails and logs support accountability.

A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Which of the following are required to be addressed in a well designed policy? Each correct answer represents a part of the solution. Choose all that apply.

  • A. What is being secured?
  • B. Where is the vulnerability, threat, or risk?
  • C. Who is expected to exploit the vulnerability?
  • D. Who is expected to comply with the policy?


Answer : ABD

Explanation: A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A well designed policy addresses the following: What is being secured? - Typically an asset. Who is expected to comply with the policy? - Typically employees. Where is the vulnerability, threat, or risk? - Typically an issue of integrity or responsibility.

The Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.

  • A. Security operations
  • B. Maintenance of the SSAA
  • C. Compliance validation
  • D. Change management
  • E. System operations
  • F. Continue to review and refine the SSAA


Answer : ABCDE

Explanation: Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. The goal of this phase is to continue to operate and manage the system and to ensure that it maintains an acceptable level of residual risk. The process activities of this phase are as follows: System operations, Security operations, Maintenance of the SSAA, Change management, and Compliance validation. Answer: F is incorrect. Continuing to review and refine the SSAA is a Phase 3 activity.

You work as a security engineer for BlueWell Inc. Which of the following documents will you use as a guide for the security certification and accreditation of
Federal Information Systems?

  • A. NIST Special Publication 800-60
  • B. NIST Special Publication 800-53
  • C. NIST Special Publication 800-37
  • D. NIST Special Publication 800-59


Answer : C

Explanation: NIST has developed a suite of documents for conducting Certification & Accreditation (C&A). These documents are as follows:
NIST Special Publication 800-37: This document is a guide for the security certification and accreditation of Federal Information Systems.
NIST Special Publication 800-53: This document provides a guideline for security controls for Federal Information Systems.
NIST Special Publication 800-53A: This document consists of techniques and procedures for verifying the effectiveness of security controls in Federal Information Systems.
NIST Special Publication 800-59: This document is a guideline for identifying an information system as a National Security System.
NIST Special Publication 800-60: This document is a guide for mapping types of information and information systems to security objectives and risk levels.

Which of the following is an example of over-the-air (OTA) provisioning in digital rights management?

  • A. Use of shared secrets to initiate or rebuild trust.
  • B. Use of software to meet the deployment goals.
  • C. Use of concealment to avoid tampering attacks.
  • D. Use of device properties for unique identification.


Answer : A

Explanation: Over-the-air provisioning is a mechanism to deploy MIDlet suites over a network. It is a method of distributing MIDlet suites: MIDlet suite providers install their MIDlet suites on Web servers and provide a hypertext link for downloading, and a user can follow this link to download the MIDlet suite either through the Internet microbrowser or through WAP on his device. Over-the-air provisioning is required for end-to-end encryption or other security purposes in order to deliver copyrighted software to a mobile device; an example is the use of shared secrets to initiate or rebuild trust. Answer: D and C are incorrect. The use of device properties for unique identification and the use of concealment to avoid tampering attacks are security challenges in digital rights management (DRM), not examples of OTA provisioning.

The service-oriented modeling framework (SOMF) provides a common modeling notation to address alignment between business and IT organizations. Which of the following principles does the SOMF concentrate on? Each correct answer represents a part of the solution. Choose all that apply.

  • A. Architectural components abstraction
  • B. SOA value proposition
  • C. Business traceability
  • D. Disaster recovery planning
  • E. Software assets reuse


Answer : ABCE

Explanation: The service-oriented modeling framework (SOMF) concentrates on the following principles: Business traceability, Architectural best-practices traceability, Technological traceability, SOA value proposition, Software assets reuse, SOA integration strategies, Technological abstraction and generalization, and Architectural components abstraction. Answer: D is incorrect. SOMF does not concentrate on disaster recovery planning.

Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?

  • A. DoD 8910.1
  • B. DoD 7950.1-M
  • C. DoDD 8000.1
  • D. DoD 5200.22-M
  • E. DoD 5200.1-R


Answer : B

Explanation: The various DoD directives are as follows:
DoD 5200.1-R: This DoD directive refers to the 'Information Security Program Regulation'.
DoD 5200.22-M: This DoD directive refers to the 'National Industrial Security Program Operating Manual'.
DoD 7950.1-M: This DoD directive refers to the 'Defense Automation Resources Management Manual'.
DoDD 8000.1: This DoD directive refers to the 'Defense Information Management (IM) Program'.
DoD 8910.1: This DoD directive refers to the 'Management and Control of Information Requirements'.
