ISC2 CSSLP Certified Secure Software Lifecycle Professional Exam Practice Test

Page: 1 / 14
Total 357 questions
Question 1

Which of the following tiers addresses risks from an information system perspective?



Answer : B

The information system level is tier 3. It addresses risks from an information system perspective and is guided by the risk decisions made at tiers 1 and 2. Risk decisions at tiers 1 and 2 affect the ultimate selection and deployment of the requisite safeguards, and therefore also affect the countermeasures applied at the information system level. The RMF primarily operates at tier 3, but it can also interact with tiers 1 and 2.

Answer A is incorrect. It is not a valid tier description.

Answer D is incorrect. The organization level is tier 1, and it addresses risks from an organizational perspective.

Answer C is incorrect. The mission and business process level is tier 2, and it addresses risks from the mission and business process perspective.


Question 2

At which of the following levels of robustness in DRM must the security functions be immune to widely available tools and specialized tools and resistant to professional tools?



Answer : C

At Level 1 of robustness in DRM, the security functions must be immune to widely available tools and specialized tools and resistant to professional tools.


Question 3

Which of the following phases of the DITSCAP C&A process is used to define the C&A level of effort, to identify the main C&A roles and responsibilities, and to create an agreement on the method for implementing the security requirements?



Answer : A

Phase 1 of the DITSCAP C&A process is known as the Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements.

Answer C is incorrect. Phase 2 of the DITSCAP C&A process is known as Verification.

Answer D is incorrect. Phase 3 of the DITSCAP C&A process is known as Validation.

Answer B is incorrect. Phase 4 of the DITSCAP C&A process is known as Post Accreditation.


Question 4

Which of the following types of redundancy prevents attacks in which an attacker can get physical control of a machine, insert unauthorized software, and alter data?



Answer : C

Process redundancy permits software to run simultaneously at multiple geographically distributed locations, with voting on the results. It prevents attacks in which an attacker can get physical control of a machine, insert unauthorized software, and alter data.


Question 5

You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you're creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?



Answer : A

This is an example of transference as you have transferred the risk to a third party. Transference almost always is done with a negative risk event and it usually requires a contractual relationship.


Question 6

Which of the following are the scanning methods used in penetration testing?

Each correct answer represents a complete solution. Choose all that apply.



Answer : A, B, D

Vulnerability, port, and network scanning tools are used in penetration testing.

Vulnerability scanning is a process in which a penetration tester uses various tools to assess computers, computer systems, networks, or applications for weaknesses. There are a number of types of vulnerability scanners available today, distinguished from one another by their focus on particular targets. While functionality varies between different types of vulnerability scanners, they share a common core purpose: enumerating the vulnerabilities present in one or more targets. Vulnerability scanners are a core technology component of vulnerability management.

Port scanning is the first basic step in getting the details of open ports on the target system. Port scanning is used to find a server with a hole or vulnerability. A port is a medium of communication between two computers. Every service on a host is identified by a unique 16-bit number called a port.

A port scanner is a piece of software designed to search a network host for open ports. It is often used by administrators to check the security of their networks and by attackers to identify running services on a host with a view to compromising it. Port scanning is used to find the open ports, so that it is possible to search for exploits related to the corresponding service and application.

Network scanning is a penetration testing activity in which a penetration tester or an attacker identifies active hosts on a network, either to attack them or to perform a security assessment. A penetration tester uses various tools to identify all the live or responding hosts on the network and their corresponding IP addresses.

Answer C is incorrect. This option comes under vulnerability scanning.


Question 7

Which of the following are examples of the application programming interface (API)?

Each correct answer represents a complete solution. Choose three.



Answer : B, C, D

Perl, .NET, and PHP are examples of the application programming interface (API). An API is a set of routines, protocols, and tools that users can use to work with a component, application, or operating system. It consists of one or more DLLs that provide specific functionality. An API helps reduce the development time of applications by reducing application code. Most operating environments, such as MS-Windows, provide an API so that programmers can write applications consistent with the operating environment.

Answer A is incorrect. HTML stands for Hypertext Markup Language. It is a set of markup symbols or codes used to create Web pages and define formatting specifications. The markup tells the Web browser how to display the content of the Web page.

