CISSP Prep - Application Security

22 Questions | Total Attempts: 191


Questions and Answers
  • 1. 
    The key objective of application security is to ensure
    • A. 

      That the software is hacker-proof

    • B. 

      The confidentiality, integrity, and availability of data

    • C. 

      Accountability of software and user activity

    • D. 

      Prevent data theft

  • 2. 
    For an application security program to be effective within your organization, it is critical to
    • A. 

      Identify regulatory and compliance requirements.

    • B. 

      Educate the software development organization on the impact of insecure programming.

    • C. 

      Develop the security policy that can be enforced.

    • D. 

      Properly test all the software that is developed by your organization for security vulnerabilities.

  • 3. 
    The fact that there is no inherent difference between the representation of data and the representation of instructions in computer memory can lead to injection attacks, characterized by executing data as instructions. This is a fundamental aspect of which of the following computer architectures?
    • A. 

      Von Neumann

    • B. 

      Linus’ law

    • C. 

      Clark and Wilson

    • D. 

      Bell–LaPadula
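
Worked example, added to this page and not part of the original quiz: the question describes injection as "executing data as instructions". The most common form of that in application code is SQL injection, shown below with a constructed in-memory SQLite table, two made-up users, and a hypothetical login function. The contrast is between a query built by string concatenation, where attacker-supplied data is parsed as SQL, and a parameterised query, where the same data is bound as a value. Passwords are stored in plaintext only to keep the demonstration short; a real system stores password hashes.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]


def make_db():
    """In-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_dynamic(conn, name, password):
    """Vulnerable: the query is assembled by string concatenation, so the
    attacker-controlled data becomes part of the SQL the engine executes."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, name, password):
    """Hardened: a parameterised query keeps the input as data. The driver
    binds the values after the statement is parsed, so they are never
    interpreted as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both login functions against the same tautology payload."""
    conn = make_db()
    # Closes the string literal, adds an always-true condition and comments
    # out the rest of the statement (the trailing quote).
    payload = "' OR '1'='1' --"
    return {
        "dynamic": login_dynamic(conn, "alice", payload),
        "prepared": login_prepared(conn, "alice", payload),
        "prepared_valid": login_prepared(conn, "alice", "s3cret-alice"),
    }
```

Calling `demo()` shows the concatenated query returning a user row for the bogus password, while the parameterised query treats the same payload as a literal password and fails; only the real password succeeds. The Von Neumann point is that nothing in memory distinguishes the payload bytes from the query bytes, so the separation has to be enforced by the interface (here, parameter binding).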

  • 4. 
    An important characteristic of bytecode is that it
    • A. 

      Has inherently increased security due to sandboxing

    • B. 

      Manages memory operations automatically

    • C. 

      Is more difficult to reverse engineer

    • D. 

      Is faster than interpreted languages

  • 5. 
    Two cooperating processes that simultaneously compete for a shared resource, in such a way that they violate the system’s security policy, is commonly known as
    • A. 

      Covert channel

    • B. 

      Denial of service

    • C. 

      Overt channel

    • D. 

      Object reuse

  • 6. 
    Your organization has a Web site with a guest book feature, where visitors to your Web site can input their names and comments about your Web site. You notice that each time the guest book web page loads, a message box is prompted with the message "You have been Crossed" followed by redirection to a different Web site. Analysis reveals that no input validation or output encoding is being performed in the web application. This is the basis for which of the following types of attack?
    • A. 

      Denial of service

    • B. 

      Cross-site scripting (XSS)

    • C. 

      Malicious file execution

    • D. 

      Injection flaws
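
Worked example, added to this page and not part of the original quiz: a minimal guest-book renderer in Python with constructed entries, one of which carries the payload the question describes (a message box followed by a redirect). The attacker host name and the helper names are assumptions for the example. The vulnerable renderer concatenates visitor input into the HTML; the hardened one HTML-encodes every untrusted value for the context it is written into, and a separate allow-list check illustrates the input validation the question says was missing.

```python
import html

# Constructed guest-book entries; the third is the stored-XSS payload.
# The attacker host name is made up for the example.
ENTRIES = [
    ("Ann", "Nice site!"),
    ("Ben", "Found a typo on the About page, a < b should read a > b."),
    ("Mallory", '<script>alert("You have been Crossed");'
                'window.location="http://attacker.example/"</script>'),
]


def render_unsafe(entries):
    """Vulnerable: visitor input is concatenated straight into the page, so
    the browser parses Mallory's comment as markup and runs the script
    for every later visitor (stored cross-site scripting)."""
    rows = ["<li><b>%s</b>: %s</li>" % (name, comment)
            for name, comment in entries]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_safe(entries):
    """Hardened: every untrusted value is HTML-encoded for element content,
    so '<' becomes '&lt;' and the script text is displayed, not executed.
    Ben's '<' and '>' survive as visible characters for the same reason."""
    rows = [
        "<li><b>%s</b>: %s</li>" % (html.escape(name, quote=True),
                                    html.escape(comment, quote=True))
        for name, comment in entries
    ]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def contains_script_tag(rendered):
    """Crude indicator used only to show the difference between the two
    renderers: is there a raw <script> tag in the output?"""
    return "<script>" in rendered.lower()


def validate_comment(comment, max_len=500):
    """Input validation that complements (does not replace) output encoding:
    an allow-list on length and character class. Note that Mallory's
    payload is printable text and passes this check, which is exactly why
    encoding on output is the primary defence against XSS."""
    if len(comment) > max_len:
        return False
    return all(ch.isprintable() or ch in "\n\t" for ch in comment)
```

Rendering `ENTRIES` through `render_unsafe` yields a page containing a live `<script>` element; `render_safe` yields the same list with `&lt;script&gt;` as inert text. The encoding must match the output context: `html.escape` is correct for element content and attribute values, but data written into a JavaScript string or a URL needs that context's encoding instead.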

  • 7. 
    The art of influencing people to divulge sensitive information about themselves or their organization by either coercion or masquerading as a valid entity is known as
    • A. 

      Dumpster diving

    • B. 

      Shoulder surfing

    • C. 

      Phishing

    • D. 

      Social engineering

  • 8. 
    Your audit logs indicate that an employee whom you terminated in the morning was still able to access certain sensitive resources on his or her system, on your internal network, that afternoon. The logs indicate that the employee had logged on successfully before being terminated, but there is no record of him or her logging off before the termination. This is an example of which type of attack?
    • A. 

      Time of check/Time of use (TOC/TOU)

    • B. 

      Logic bomb

    • C. 

      Remote-access trojans (RATs)

    • D. 

      Phishing
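
Worked example, added to this page and not part of the original quiz: the scenario is a time-of-check/time-of-use gap, where the account status was checked at login (time of check) but not again when the session was used hours later (time of use). The small session store below is hypothetical; the directory, user name and scenario are constructed. It shows the flawed behaviour, the fix of re-checking the account at each use, and the complementary control of revoking live sessions when an account is terminated.

```python
import secrets


class Directory:
    """Stand-in for the account store that HR or identity management updates."""

    def __init__(self, users):
        self.active = {u: True for u in users}

    def terminate(self, user):
        self.active[user] = False


class SessionStore:
    def __init__(self, directory, check_on_use):
        self.directory = directory
        self.check_on_use = check_on_use   # False reproduces the flaw
        self.sessions = {}                 # session id -> user name

    def login(self, user):
        """Time of check: the account is verified once, at logon."""
        if not self.directory.active.get(user):
            return None
        sid = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self.sessions[sid] = user
        return sid

    def access(self, sid):
        """Time of use: returns the user allowed to act, or None."""
        user = self.sessions.get(sid)
        if user is None:
            return None
        if self.check_on_use and not self.directory.active[user]:
            # The logon-time check is stale; re-check now and drop the session.
            del self.sessions[sid]
            return None
        return user

    def revoke_user(self, user):
        """Terminate every live session for a user (run on account termination)."""
        for sid in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[sid]


def scenario(check_on_use, revoke_on_terminate=False):
    """Morning logon, termination during the day, afternoon access attempt.
    Returns the user the afternoon request was allowed to act as, or None."""
    directory = Directory(["jdoe"])
    store = SessionStore(directory, check_on_use)
    sid = store.login("jdoe")           # morning: logged on successfully
    directory.terminate("jdoe")         # later: account terminated
    if revoke_on_terminate:
        store.revoke_user("jdoe")       # provisioning hooks session revocation
    return store.access(sid)            # afternoon: still allowed?
```

`scenario(check_on_use=False)` reproduces the audit finding: the afternoon request still acts as the terminated user. `scenario(check_on_use=True)` closes the gap at the time of use, and `scenario(False, revoke_on_terminate=True)` shows the other half of a good termination procedure, where deprovisioning also kills existing sessions rather than waiting for them to expire.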

  • 9. 
    The most effective defense against a buffer overflow attack is
    • A. 

      Disallow dynamic construction of queries

    • B. 

      Bounds checking

    • C. 

      Encode the output

    • D. 

      Forced garbage collection

  • 10. 
    It is extremely important that as one follows a software development project, security activities are performed
    • A. 

      Before release to production, so that the project is not delayed

    • B. 

      If a vulnerability is detected in your software

    • C. 

      In each stage of the life cycle

    • D. 

      When management mandates it

  • 11. 
    Audit logs are what type of control?
    • A. 

      Preventive

    • B. 

      Detective

    • C. 

      Compensating

    • D. 

      Corrective

  • 12. 
    Who can ensure and enforce the separation of duties by ensuring that programmers do not have access to production code?
    • A. 

      Operations personnel

    • B. 

      Software librarian

    • C. 

      Management

    • D. 

      Quality assurance personnel

  • 13. 
    Technical evaluation of assurance to ensure that security requirements have been met is known as
    • A. 

      Accreditation

    • B. 

      Certification

    • C. 

      Validation

    • D. 

      Verification

  • 14. 
    Defect prevention rather than defect removal is characteristic of which of the following software development methodologies?
    • A. 

      Computer aided software engineering (CASE)

    • B. 

      Spiral

    • C. 

      Waterfall

    • D. 

      Cleanroom

  • 15. 
    A security protection mechanism in which untrusted code, which is not signed, is restricted from accessing system resources is known as
    • A. 

      Sandboxing

    • B. 

      Non-repudiation

    • C. 

      Separation of duties

    • D. 

      Obfuscation

  • 16. 
    A program that does not reproduce itself but pretends to be performing a legitimate action, while performing malicious operations in the background, is characteristic of which of the following?
    • A. 

      Worms

    • B. 

      Trapdoor

    • C. 

      Virus

    • D. 

      Trojan

  • 17. 
    A plot to take insignificant pennies from a user’s bank account and move them to the attacker’s bank account is an example of
    • A. 

      Social engineering

    • B. 

      Salami scam

    • C. 

      Pranks

    • D. 

      Hoaxes

  • 18. 
    Role-based access control to protect confidentiality of data in databases can be achieved by which of the following?
    • A. 

      Views

    • B. 

      Encryption

    • C. 

      Hashing

    • D. 

      Masking

  • 19. 
    The two most common forms of attacks against databases are
    • A. 

      Injection and scripting

    • B. 

      Session hijacking and cookie poisoning

    • C. 

      Aggregation and inference

    • D. 

      Bypassing authentication and insecure cryptography
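
Worked example, added to this page and not part of the original quiz, serving both question 18 (views as the mechanism for role-based confidentiality) and question 19 (aggregation and inference). The payroll table, salaries and roles are constructed. A view hides the salary column from the directory role, and an aggregate-only interface for the analyst role is then defeated by an inference attack that differences two legitimate aggregate queries; a minimum query-set size is shown as the textbook control. SQLite has no GRANT statement, so the role-to-object mapping is enforced in code here where a real DBMS would use GRANT SELECT ON the view.

```python
import sqlite3

# Constructed payroll data; the salaries are made up.
EMPLOYEES = [
    (1, "Ann",  "Sales", 52000),
    (2, "Ben",  "Sales", 61000),
    (3, "Cara", "Sales", 58000),
    (4, "Dan",  "R&D",   90000),
]

# Role -> database objects the role may read. In a real DBMS this is
# GRANT SELECT ON <view> TO <role>; SQLite has no GRANT, so it is checked here.
ROLE_OBJECTS = {
    "directory": {"employee_directory"},
    "hr": {"employee"},
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, "
                 "dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    # View for the directory role: the salary column does not exist for them.
    conn.execute("CREATE VIEW employee_directory AS "
                 "SELECT id, name, dept FROM employee")
    conn.commit()
    return conn


def query_as(conn, role, obj):
    """Read an object as a role. `obj` is checked against the allow-list
    before it is placed in the statement, so it is never untrusted input."""
    if obj not in ROLE_OBJECTS[role]:
        raise PermissionError("role %r may not read %r" % (role, obj))
    cur = conn.execute("SELECT * FROM %s" % obj)
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def aggregate_salary(conn, dept, exclude_id=None, min_rows=0):
    """Aggregate-only access for an analyst role: a total, never a row.
    With min_rows > 0 the query is refused when it covers too few people
    (a minimum query-set size, a standard inference control)."""
    sql = "SELECT COUNT(*), SUM(salary) FROM employee WHERE dept = ?"
    params = [dept]
    if exclude_id is not None:
        sql += " AND id <> ?"
        params.append(exclude_id)
    n, total = conn.execute(sql, params).fetchone()
    if n < min_rows:
        raise PermissionError("query set too small: %d rows" % n)
    return total


def infer_salary(conn, dept, victim_id, min_rows=0):
    """Inference attack: two permitted aggregates whose difference is one
    person's salary, which the analyst was never allowed to read directly."""
    whole = aggregate_salary(conn, dept, min_rows=min_rows)
    without = aggregate_salary(conn, dept, exclude_id=victim_id, min_rows=min_rows)
    return whole - without


def denied(fn, *args, **kwargs):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True
```

The directory role sees four rows with no `salary` key and is refused the base table, which is the view-based control question 18 asks about. `infer_salary(conn, "Sales", 2)` recovers Ben's salary from two aggregates even though no query ever returned his row; with `min_rows=3` the second query covers only two people and is refused. A minimum query-set size alone is known to be insufficient against more elaborate tracker queries, so in practice it is combined with query auditing, result perturbation or limits on overlapping query sets.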

  • 20. 
    A property that ensures only valid or legal transactions that do not violate any user-defined integrity constraints in DBMS technologies is known as
    • A. 

      Atomicity

    • B. 

      Consistency

    • C. 

      Isolation

    • D. 

      Durability
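
Worked example, added to this page and not part of the original quiz: the property the question describes is enforced by a user-defined integrity constraint combined with transactions. The account table and balances are constructed and the transfer routine is hypothetical. A CHECK constraint forbids negative balances; a transfer that would violate it is rolled back as a whole, so the credit applied to the destination account before the failing debit is undone and the database moves from one consistent state to another or not at all. The same transfer against a table without the constraint shows the inconsistent state that would otherwise be committed.

```python
import sqlite3

# Constructed account balances in cents for the demonstration.
ACCOUNTS = [("acc-1", 10000), ("acc-2", 500)]


def make_db(enforce_constraint=True):
    conn = sqlite3.connect(":memory:")
    # The user-defined integrity constraint: a balance may never go negative.
    check = "CHECK (balance >= 0)" if enforce_constraint else ""
    conn.execute("CREATE TABLE account (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL %s)" % check)
    conn.executemany("INSERT INTO account VALUES (?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one transaction. Returns True when
    committed, False when the DBMS refused it and rolled it back."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    try:
        # `with conn` commits on success and rolls back on any exception.
        with conn:
            # Credit first on purpose: if the debit then fails the rollback
            # must also undo this statement, or money would appear from nowhere.
            conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?",
                         (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?",
                         (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(conn):
    """Current balances keyed by account id."""
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


def total(conn):
    """Invariant that every committed state must preserve: money is only moved."""
    return sum(balances(conn).values())
```

With the constraint in place, a legal transfer of 2500 commits and an illegal transfer of 5000 out of the 3000-cent account returns False and leaves both balances exactly as they were, with the total unchanged at 10500. Without the constraint the same illegal transfer commits and leaves the source account at -4500: the transaction was still atomic and durable, but the resulting state violates the business rule, which is the consistency property the question asks about.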

  • 21. 
    Expert systems are comprised of a knowledge base comprising modeled human experience and which of the following?
    • A. 

      Inference engine

    • B. 

      Statistical models

    • C. 

      Neural networks

    • D. 

      Roles

  • 22. 
    The best defense against session hijacking and man-in-the-middle (MITM) attacks is to use which of the following in the development of your software?
    • A. 

      Unique and random identification

    • B. 

      Use prepared statements and procedures

    • C. 

      Database views

    • D. 

      Encryption