CISSP Prep- Application Security

By Cindymurray (Community Contributor) | Questions: 22
1. It is extremely important that as one follows a software development project, security activities are performed

Explanation

Security activities should be done in parallel with project initiation activities and, indeed, with every task throughout the project. Page 182.
About This Quiz

This CISSP Prep quiz focuses on Application Security, assessing key concepts like data confidentiality, integrity, and availability. It evaluates understanding of security policies, bytecode, covert channels, and common vulnerabilities such as XSS, enhancing readiness for CISSP certification.
2. Audit logs are what type of control?

Explanation

Audit logs can be used to find out who (identity) did what (action), when (timestamp), and where (objects or resources affected) and are therefore detective in nature. Page 245.
3. Your organization has a Web site with a guest book feature, where visitors to your Web site can input their names and comments about your Web site. You notice that each time the guest book web page loads, a message box is prompted with the message "You have been Crossed" followed by redirection to a different Web site. Analysis reveals that no input validation or output encoding is being performed in the web application. This is the basis for which of the following types of attack?

Explanation

A Web site that allows users to input information for later retrieval by other users, such as a guestbook comment page or blog, without proper input validation, may fail to detect when such input is in the form of active scripting. Without appropriate output encoding, the script can be actively read and executed by the browser, causing denial of service (Web site defacement) or other serious impacts. This is the basis of cross-site scripting attacks. Page 177.
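The guest-book scenario above, as an added example that is not part of the quiz or its source text: a minimal guest-book renderer in Python, once without output encoding and once with HTML-entity encoding of every stored value, plus a simple input-validation step. The entries, the length limit and the printable-character policy are constructed for this example.

```python
import html
import re

# Constructed guest-book entries (sample data, not from any real site). The second
# entry is the kind of active-script comment the question describes.
GUESTBOOK = [
    {"name": "Alice", "comment": "Nice site!"},
    {"name": "Mallory", "comment": "<script>alert('You have been Crossed')</script>"},
]

MAX_COMMENT_LEN = 500
PRINTABLE = re.compile(r"^[\x20-\x7E\n]*$")  # printable ASCII plus newline (assumed policy)


def validate_input(name, comment):
    """Input validation at the trust boundary: length limits and a printable-character
    allow list. Free text cannot be reliably 'cleaned' of scripting this way, so this
    is a first line of defence, not a substitute for output encoding."""
    if not (1 <= len(name) <= 40) or not (1 <= len(comment) <= MAX_COMMENT_LEN):
        return False
    return bool(PRINTABLE.match(name) and PRINTABLE.match(comment))


def render_vulnerable(entries):
    """No output encoding: stored comments are concatenated straight into the page,
    so a comment containing script markup reaches the browser as markup."""
    rows = "".join(f"<li><b>{e['name']}</b>: {e['comment']}</li>" for e in entries)
    return f"<ul>{rows}</ul>"


def render_encoded(entries):
    """Same page with HTML-entity encoding of every untrusted value for the
    element-content context: the browser displays the text instead of executing it."""
    rows = "".join(
        f"<li><b>{html.escape(e['name'], quote=True)}</b>: "
        f"{html.escape(e['comment'], quote=True)}</li>"
        for e in entries
    )
    return f"<ul>{rows}</ul>"


def has_live_script_tag(page):
    """Check used only to show the difference: does the page contain an un-encoded <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for e in GUESTBOOK:
        print(f"{e['name']!r} passes input validation: {validate_input(e['name'], e['comment'])}")
    print("vulnerable render has live <script>:", has_live_script_tag(render_vulnerable(GUESTBOOK)))
    print("encoded render has live <script>:  ", has_live_script_tag(render_encoded(GUESTBOOK)))
```

Note that Mallory's comment passes the printable-character validation: it is ordinary text as far as the input filter is concerned. That is why the explanation names both controls; encoding at output time is what stops the browser from treating the stored text as script.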
4. The key objective of application security is to ensure

Explanation

The objective of application security is to make sure that the system and its resources are available when needed, that the integrity of the processing of the data and the data itself is ensured, and that the confidentiality of the data is protected. All of these purposes rely upon secure, consistent, reliable, and properly operating software. Ensuring confidentiality, integrity, and availability will mitigate the chances and impact of a hacking incident or data theft, but it must be recognized that totally hacker-proof software is utopian. Auditing (logging) functionality in software can help with detecting software and user activity, but this is not the key objective of application security. Software security controls can reduce the likelihood of data theft, but they are not necessarily preventative. Page 164.
5. A plot to take insignificant pennies from a user's bank account and move them to the attacker's bank account is an example of

Explanation

A variant on the concept of logic bombs involves what is known as the salami scam. The basic idea involves siphoning off small amounts of money (in some versions, fractions of a cent) credited to a specific account, over a large number of transactions. Pranks are very much a part of the computer culture, so much so that you can now buy commercially produced joke packages that allow you to perform “stupid Mac (or PC or Windows) tricks.” Hoaxes use an odd kind of social engineering, relying on people’s naturally gregarious nature and desire to communicate, and on a sense of urgency and importance, using the ambition that people have to be the first to provide important new information. Page 224.
6. The art of influencing people to divulge sensitive information about themselves or their organization, by either coercion or masquerading as a valid entity, is known as

Explanation

Social engineering is the art of getting people to divulge sensitive information to others, either in a friendly manner, as an attempt to be “helpful,” or through intimidation. Phishing is the form of social engineering that uses electronic means such as e-mail. Shoulder surfing is a disclosure attack wherein you stand over the shoulder of someone and read the sensitive information they are viewing. Masking of information (asterisking passwords) can mitigate shoulder surfing. Dumpster diving is another disclosure attack in which dumpsters are searched to glean sensitive information. Page 178.
7. Your audit logs indicate that an employee that you terminated in the morning was still able to access certain sensitive resources on his or her system, on your internal network, that afternoon. The logs indicate that the employee had logged on successfully before he or she was terminated, but there is no record of him or her logging off before he or she was terminated. This is an example of which type of attack?

Explanation

TOC/TOU is a common type of attack that occurs when some control changes between the time that the system security functions check the contents of variables and the time the variables are actually used during operations. For instance, a user logs on to a system in the morning and later is fired. As a result of the termination, the security administrator removes the user from the user database. Because the user did not log off, he or she still has access to the system and might try to get even. Logic bombs are software modules set up to run in a quiescent state, but to monitor for a specific condition or set of conditions and to activate their payload under those conditions. Remote-access trojans are malicious programs designed to be installed, usually remotely, after systems are installed and working. Phishing attempts to get the user to provide information that will be useful for identity-theft-type frauds. Pages 178–179.
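An added example covering both question 2 (audit logs as a detective control recording who, what, when and where) and question 7 (a logon checked before termination and used after it). This is example code written for this page, not from the quiz or its source book; the log format, the field names and the five log lines are constructed for the example.

```python
import re
from datetime import datetime

# Constructed audit-log lines (sample data). Each record carries what the explanation
# of question 2 says an audit log answers: who, what, when, and where.
AUDIT_LOG = """\
2023-03-20T08:02:11Z user=jdoe action=LOGON where=WS-117
2023-03-20T08:05:40Z user=asmith action=LOGON where=WS-042
2023-03-20T10:30:00Z user=admin action=ACCOUNT_DISABLE where=DIRECTORY target=jdoe
2023-03-20T12:15:09Z user=asmith action=LOGOFF where=WS-042
2023-03-20T14:21:33Z user=jdoe action=FILE_READ where=FS01:/finance/payroll.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+where=(?P<where>\S+)"
    r"(?:\s+target=(?P<target>\S+))?$"
)


def parse_audit_log(text):
    """Parses each line into a record with who/what/when/where (and an optional target)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line is skipped, not allowed to break the analysis
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def activity_after_disable(records):
    """Detective check for the question-7 scenario: actions by a user that happened
    after that user's account was disabled, i.e. a session that was checked before
    termination (time of check) and still used afterwards (time of use).
    Returns (user, action, when, where) tuples."""
    disabled_at = {r["target"]: r["ts"] for r in records
                   if r["action"] == "ACCOUNT_DISABLE" and r["target"]}
    return [
        (r["user"], r["action"], r["ts"].isoformat(), r["where"])
        for r in records
        if r["user"] in disabled_at
        and r["ts"] > disabled_at[r["user"]]
        and r["action"] != "LOGOFF"
    ]


def sessions_open_at_disable(records):
    """Preventive counterpart: users whose account was disabled while a logon was
    still open (no LOGOFF between the LOGON and the disable). These are the
    sessions the administrator must also terminate for the disable to take effect."""
    open_since = {}
    exposed = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["action"] == "LOGON":
            open_since[r["user"]] = r["ts"]
        elif r["action"] == "LOGOFF":
            open_since.pop(r["user"], None)
        elif r["action"] == "ACCOUNT_DISABLE" and r["target"] in open_since:
            exposed.append(r["target"])
    return exposed


if __name__ == "__main__":
    recs = parse_audit_log(AUDIT_LOG)
    print("activity after disable:", activity_after_disable(recs))
    print("sessions still open when disabled:", sessions_open_at_disable(recs))
```

The first function is what the log lets you do after the fact (detect); the second is the check to run at the moment of termination, so that removing the account and ending its live sessions happen together.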
8. A security protection mechanism in which untrusted code, which is not signed, is restricted from accessing system resources is known as

Explanation

One of the control mechanisms for mobile code is the sandbox. The sandbox provides a protective area for program execution. Limits are placed on the amount of memory and processor resources the program can consume. If the program exceeds these limits, the Web browser terminates the process and logs an error code. This can ensure the safety of the browser’s performance. Non-repudiation is a security control mechanism in which the user or process cannot deny its action. Separation of duties is about ensuring that a security policy cannot be violated by a single user or process. Obfuscation is the process of rendering source code unreadable and unintelligible as a protection against reversing and IP issues. Pages 209–210.
9. A program that does not reproduce itself but pretends to be performing a legitimate action, while performing malicious operations in the background, is the characteristic of which of the following?

Explanation

A Trojan is a program that pretends to do one thing while performing another, unwanted action. A Trojan does not reproduce itself, as worms and viruses do in order to spread. A trapdoor or backdoor is a hidden mechanism that bypasses access control measures. It is an entry point into a program that is inserted in software by programmers during the program’s development to provide a method of gaining access into the program for modification if the access control mechanism malfunctions and locks them out. Developers often refer to them as maintenance hooks. Page 217.
10. Role-based access control to protect confidentiality of data in databases can be achieved by which of the following?

Explanation

A view is a feature that allows for virtual tables in a database; these virtual tables are created from one or more real tables in the database. For example, a view can be set up for each user (or group of users) on the system so that the user can then only view those virtual tables (or views). Encryption, hashing, and masking can all provide confidentiality as well, but for databases, view-based access control, which is a content-dependent access control mechanism, is the best answer. Page 236.
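The view-based control described above, as an added example not taken from the quiz or its source: two views over one patient table, one projecting away sensitive columns for a billing role and one restricting rows to a single ward, with the application mapping each role to its view. The schema, the roles and the two rows are constructed for the example, and SQLite is used only because it needs no server; it has no GRANT statement, so in a real DBMS the role would additionally be granted SELECT on the view and nothing on the base table.

```python
import sqlite3


def build_demo_db():
    """In-memory patient table (constructed sample data) with two role-specific views."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("""
        CREATE TABLE patients (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            ward TEXT NOT NULL,
            diagnosis TEXT NOT NULL,   -- sensitive
            ssn TEXT NOT NULL          -- sensitive
        )""")
    cur.executemany(
        "INSERT INTO patients (name, ward, diagnosis, ssn) VALUES (?, ?, ?, ?)",
        [("Ann Example", "B2", "hypertension", "000-00-0001"),
         ("Bob Sample", "C1", "diabetes", "000-00-0002")],
    )
    # Column-restricted view: billing never sees diagnosis or ssn.
    cur.execute("CREATE VIEW billing_patients AS SELECT id, name, ward FROM patients")
    # Row-restricted (content-dependent) view: ward B2 staff see only their ward.
    cur.execute(
        "CREATE VIEW ward_b2_patients AS "
        "SELECT id, name, diagnosis FROM patients WHERE ward = 'B2'"
    )
    conn.commit()
    return conn


# Fixed mapping from role to view. Unknown roles raise KeyError: deny by default.
ROLE_TO_VIEW = {"billing": "billing_patients", "ward_b2_nurse": "ward_b2_patients"}


def query_for_role(conn, role):
    """Application layer: a role reaches its view, never the base table. The view
    name comes from the fixed dictionary above, not from user input, so the
    string formatting here cannot be influenced by the caller."""
    view = ROLE_TO_VIEW[role]
    cur = conn.execute(f"SELECT * FROM {view}")
    cols = [d[0] for d in cur.description]
    return cols, cur.fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    for role in ROLE_TO_VIEW:
        print(role, query_for_role(db, role))
```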
11. There is no inherent difference between the representation of data and programming in computer memory, which can lead to injection attacks, characterized by executing data as instructions. This is a fundamental aspect of which of the following computer architectures?

Explanation

A fundamental aspect of the von Neumann architecture, on which most computers today are based, is that there is no inherent difference between the representations of data and programming (instructions) in memory. Therefore, we cannot tell whether the pattern 4Eh (01001110) is the letter N or a decrement operation code (commonly known as an opcode). Similarly, the pattern 72h (01110010) may be the letter r or the first byte of the “jump if below” opcode. Therefore, without proper input validation, an attacker can provide input data that may actually be an instruction for the system to do something unintended. Linus’ law is basically based on the premise that with more people reviewing the source code (as in the case of open source), more security bugs can be detected and hence security is improved. The Clark–Wilson model is an integrity model from which entity and referential integrity (RDBMS integrity) rules are derived. Bell–LaPadula is a confidentiality model. Page 168.
12. Technical evaluation of assurance to ensure that security requirements have been met is known as

Explanation

Certification is the process of evaluating the security stance of the software or system against a predetermined set of security standards or policies. Management, after reviewing the certification, authorizes the software or system to be implemented in a production status, in a specific environment, for a specific period. There are two types of accreditation: provisional and full. Management approval is known as accreditation. Pages 185–186.
13. A property that ensures only valid or legal transactions that do not violate any user-defined integrity constraints in DBMS technologies is known as

Explanation

The ACID test, which stands for atomicity, consistency, isolation, and durability, is an important DBMS concept. Atomicity is when all the parts of a transaction’s execution are either all committed or all rolled back—do it all or not at all. Essentially, all changes take effect, or none do. Consistency occurs when the database is transformed from one valid state to another valid state. A transaction is allowed only if it follows user-defined integrity constraints. Illegal transactions are not allowed, and if an integrity constraint cannot be satisfied, the transaction is rolled back to its previously valid state and the user is informed that the transaction has failed. Isolation is the process guaranteeing that the results of a transaction are invisible to other transactions until the transaction is complete. Durability ensures the results of a completed transaction are permanent and can survive future system and media failures; that is, once they are done, they cannot be undone. This is similar to transaction persistence. Page 249.
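Consistency and atomicity as described above, worked as an added example (not from the quiz or its source): a transfer between two accounts run as one transaction against a table whose user-defined integrity constraint forbids negative balances. When the constraint cannot be satisfied, the whole transaction is rolled back and the caller is told it failed. The table, the constraint and the two accounts are constructed for the example; SQLite is used because it runs in memory without a server.

```python
import sqlite3


def build_bank_db():
    """In-memory accounts table (constructed sample data) with a user-defined
    integrity constraint: a balance may never be negative."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE accounts (
            id TEXT PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0)
        )""")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 20)])
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Moves `amount` from src to dst as a single transaction.
    Atomicity: either both UPDATEs commit or neither does.
    Consistency: the CHECK constraint rejects any state with a negative balance,
    which raises IntegrityError and triggers the rollback.
    Returns True if committed, False if rolled back (the user is informed)."""
    try:
        # The sqlite3 connection as a context manager commits on success and
        # rolls back if the block raises.
        with conn:
            # Credit first on purpose: if the debit then violates the constraint,
            # the rollback must undo this credit too, or atomicity is broken.
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(conn):
    """Current committed state, as {account id: balance}."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id").fetchall())


if __name__ == "__main__":
    db = build_bank_db()
    print("transfer 30 alice->bob:", transfer(db, "alice", "bob", 30), balances(db))
    print("transfer 500 bob->alice:", transfer(db, "bob", "alice", 500), balances(db))
```

The second transfer shows the property the question asks about: the credit to alice is executed first, the debit from bob then violates the constraint, and the database returns to the last valid state rather than keeping the half-applied change.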
14. For an application security program to be effective within your organization, it is critical to

Explanation

The underlying foundation of software security controls is the organization’s security policy. The security policy reflects the security requirements of the organization. The identification of regulatory and compliance requirements such as Sarbanes–Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) is essential, and these must be factored into the security policy. Without a clear understanding of what the security requirements are, as defined in the security policy, educating software development teams may still be inadequate. Testing for security vulnerabilities can provide some degree of software assurance, but with newer kinds of attacks against software being discovered, security testing does not directly indicate the effectiveness of an application security program. Page 165.
15. An important characteristic of bytecode is that it

Explanation

A programming language like Java compiles source code into a sort of pseudo-object code called bytecode. The bytecode is then processed by the interpreter (called the Java Virtual Machine, or JVM) for the CPU to run. Because the bytecode is already fairly close to object code, the interpretation process is much faster than for other interpreted languages. And because bytecode is still undergoing interpretation, a given Java program will run on any machine that has a JVM. Memory management and sandboxing are important security aspects that apply to the programming language Java, but not to bytecode itself. Whether a pseudo-object (bytecode) representation can be easily reverse engineered is debatable and inconclusive. Because bytecode is a pseudo-object representation of the source code, reversing it to source code is in fact considered less difficult than reversing object or executable code. Page 171.
16. Two cooperating processes simultaneously competing for a shared resource in such a way that they violate the system's security policy is commonly known as

Explanation

A covert channel, or confinement problem, is an information flow issue. It is a communication channel allowing two cooperating processes to transfer information in such a way that it violates the system’s security policy. There are two types of covert channels, viz. storage and timing. A covert storage channel involves the direct or indirect reading of a storage location by one process and a direct or indirect reading of the same storage location by another process. Typically, a covert storage channel involves a finite resource, such as a memory location or sector on a disk, that is shared by two subjects at different security levels. This scenario is a description of a covert storage channel. A covert timing channel depends upon being able to influence the rate at which some other process is able to acquire resources, such as the CPU, memory, or I/O devices. Covert channels, as opposed to what should be the case (overt channels), could lead to denial of service, and object reuse has to do with disclosure protection when objects in memory are reused by different processes. Pages 175–176.
17. Defect prevention rather than defect removal is characteristic of which of the following software development methodologies?

Explanation

In the cleanroom software development methodology, the goal is to write code correctly the first time, rather than trying to find the problems once they are there. Essentially, it focuses on defect prevention rather than defect removal. The waterfall methodology is extremely structured, and its key distinguishing characteristic is that each phase (stage) must be completed before moving on to the next, in order to prevent ad hoc scope creep. A distinguishing feature of the spiral model is that in each phase of the waterfall there are four substages, based on the common Deming PDCA (Plan-Do-Check-Act) model; in particular, a risk assessment review (Check). CASE is the technique of using computers and computer utilities to help with the systematic analysis, design, development, implementation, and maintenance of software. Page 188.
18. Expert systems are composed of a knowledge base of modeled human experience and which of the following?

Explanation

The expert system uses a knowledge base (a collection of all the data, or knowledge, on a particular matter) and a set of algorithms or rules that infer new facts from knowledge and incoming data. The knowledge base could be the human experience that is available in an organization. Because the system reacts to a set of rules, if the rules are faulty, the response will also be faulty. Also, because human decision is removed from the point of action, if an error were to occur, the reaction time from a human would be longer. Pages 253–254.
19. The two most common forms of attacks against databases are

Explanation

Aggregation is the ability to combine nonsensitive data from separate sources to create sensitive information. For example, a user takes two or more unclassified pieces of data and combines them to form a classified piece of data that then becomes unauthorized for that user. Thus, the combined data sensitivity can be greater than the classification of the individual parts. Inference is the ability to deduce (infer) sensitive or restricted information from observing available information. Essentially, users may be able to determine unauthorized information from the information they can access and may never need to directly access unauthorized data. For example, if a user is reviewing authorized information about patients, such as the medications they have been prescribed, the user may be able to determine the illness. Inference is one of the hardest threats to control. All of the other attacks are primarily attacks on Web applications. Pages 245–246.
20. Who can ensure and enforce the separation of duties by ensuring that programmers do not have access to production code?

Explanation

A software librarian ensures that the program or data library is controlled in accordance with policy and procedures. Page 184.
21. The best defense against session hijacking and man-in-the-middle (MITM) attacks is to use which of the following in the development of your software?

Explanation

The use of non-predictable (randomized) and unique identifiers to identify sessions between two communicating parties is the best defense against session hijacking and man-in-the-middle attacks. Encryption provides disclosure protection. Prepared statements or procedures at the database layer reduce the likelihood of injection attacks. A database view is a preventive security control measure against disclosure attacks. Page 256.
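The answer above, as an added example that is not part of the quiz or its source: a small server-side session store that issues identifiers from the operating system's cryptographic random generator, validates presented identifiers with a constant-time comparison, expires them, and replaces an identifier after authentication so nothing learned beforehand stays valid. The identifier size, the lifetime and the in-memory store are assumptions made for the example.

```python
import hmac
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits of randomness per identifier (assumed policy value)
SESSION_TTL_SECONDS = 900    # idle lifetime; also an assumed policy value


class SessionStore:
    """Issues non-predictable, unique session identifiers and validates them.
    Sessions live in a dict here; a deployment would keep them in a server-side store."""

    def __init__(self, now=time.time):
        self._sessions = {}   # sid -> {"user": ..., "expires": ...}
        self._now = now       # injectable clock so expiry can be tested

    def issue(self, user):
        """Creates a session bound to `user` and returns its identifier."""
        # token_urlsafe reads the OS CSPRNG: no counter, timestamp or user name that
        # an observer could extrapolate from one identifier to the next.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user, "expires": self._now() + SESSION_TTL_SECONDS}
        return sid

    def lookup(self, presented):
        """Returns the user bound to a presented identifier, or None if unknown or expired."""
        # Each comparison runs in constant time, so a near-miss and a complete miss
        # are indistinguishable by timing.
        match = next((sid for sid in self._sessions if hmac.compare_digest(sid, presented)), None)
        if match is None:
            return None
        if self._sessions[match]["expires"] < self._now():
            del self._sessions[match]
            return None
        return self._sessions[match]["user"]

    def rotate(self, old_sid):
        """Replaces an identifier with a fresh one (for example right after login) so
        an identifier obtained before that point stops working. Returns the new
        identifier, or None if the old one was not valid."""
        user = self.lookup(old_sid)
        if user is None:
            return None
        del self._sessions[old_sid]
        return self.issue(user)

    def revoke(self, sid):
        """Server-side logout: the identifier is unusable from now on."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.issue("alice")
    print("issued:", sid, "->", store.lookup(sid))
    print("rotated:", store.rotate(sid), "old still valid:", store.lookup(sid) is not None)
```

Unpredictability is what defeats guessing; uniqueness, rotation and expiry limit what an identifier is worth if it is ever captured in transit, which is why the identifier should also travel only over an encrypted channel.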
22. The most effective defense against a buffer overflow attack is

Explanation

Buffer overflows can result when a program fills up the assigned buffer of memory with more data than the buffer can hold. When the program begins to write beyond the end of the buffer, the program’s execution path can be changed, or data can be written into areas used by the operating system itself. A buffer overflow is caused by improper (or lacking) bounds checking on input to a program. By checking the bounds (boundaries) of allowable input size, buffer overflow can be mitigated. Disallowing dynamic construction of queries is a defense against injection attacks, and encoding the output mitigates scripting attacks. The collection of dangling objects in memory (garbage) can be requested but not necessarily forced, and proper memory management can help mitigate buffer overflow attacks, but the most effective defenses against buffer overflow are bounds checking and proper error checking. Pages 174–175.
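Bounds checking and error checking on input, as an added example not taken from the quiz or its source: a reader for a length-prefixed record that copies into a fixed-size buffer only after confirming the declared length fits the buffer and that the input really contains that many bytes. The frame format, the 64-byte capacity and the sample frames are constructed for the example. A second function models the missing check; because a Python bytearray grows instead of overwriting its neighbours, it reports how far the copy ran past the buffer rather than corrupting memory, which is the outcome the explanation describes for native code.

```python
BUFFER_SIZE = 64     # capacity of the fixed-size receive buffer (assumed for this example)
FRAME_HEADER = 1     # a one-byte length prefix precedes each record


class FrameError(ValueError):
    """Raised when a frame fails bounds or error checking; the caller decides what to do."""


def read_record(frame, buffer_size=BUFFER_SIZE):
    """Copies a length-prefixed record into a fixed-size buffer only after checking
    (1) that the declared length fits the buffer's capacity (bounds checking) and
    (2) that the frame really holds that many bytes (error checking on the input).
    Returns the record bytes."""
    if len(frame) < FRAME_HEADER:
        raise FrameError("frame too short to carry a length prefix")
    declared = frame[0]
    if declared > buffer_size:
        raise FrameError(f"declared length {declared} exceeds buffer capacity {buffer_size}")
    available = len(frame) - FRAME_HEADER
    if declared > available:
        raise FrameError(f"frame truncated: declared {declared} bytes, only {available} present")
    buf = bytearray(buffer_size)                      # the fixed-size buffer
    buf[:declared] = frame[FRAME_HEADER:FRAME_HEADER + declared]
    assert len(buf) == buffer_size                    # the checks guarantee it never grew
    return bytes(buf[:declared])


def unchecked_overrun(frame, buffer_size=BUFFER_SIZE):
    """The defect the question describes, modelled safely: trust the length prefix
    and copy with no check. The return value is how many bytes the copy ran past
    the buffer (0 means it stayed in bounds). In C the same copy would overwrite
    whatever happens to follow the array."""
    declared = frame[0]
    buf = bytearray(buffer_size)
    buf[:declared] = frame[FRAME_HEADER:FRAME_HEADER + declared]
    return max(0, len(buf) - buffer_size)


if __name__ == "__main__":
    good = bytes([5]) + b"hello" + b"\x00" * 10          # constructed: fits
    oversized = bytes([100]) + b"A" * 100                # constructed: longer than the buffer
    print("checked read:", read_record(good))
    print("unchecked overrun on oversized frame:", unchecked_overrun(oversized), "bytes")
    try:
        read_record(oversized)
    except FrameError as err:
        print("checked read rejected it:", err)
```

The two checks are distinct: the capacity check is the bounds check, and the availability check is the error check that stops a truncated frame from being read as if it were complete. Both belong before the copy, not after it.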
Quiz Review Timeline: created by Cindymurray on Dec 21, 2012; edited by the ProProfs Editorial Team on Mar 20, 2023.