
CSSLP Certified Secure Software Lifecycle Professional Questions and Answers

Question 4

Which of the following access control models are used in the commercial sector? Each correct answer represents a complete solution. Choose two.

Options:

A. Biba model
B. Clark-Biba model
C. Clark-Wilson model
D. Bell-LaPadula model

Question 5

What are the subordinate tasks of the Initiate and Plan IA C&A phase of the DIACAP process? Each correct answer represents a complete solution. Choose all that apply.

Options:

A. Initiate IA implementation plan
B. Develop DIACAP strategy
C. Assign IA controls
D. Assemble DIACAP team
E. Register system with DoD Component IA Program
F. Conduct validation activity

Question 6

Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?

Options:

A. The custodian makes the initial information classification assignments, and the operations manager implements the scheme.
B. The data owner implements the information classification scheme after the initial assignment by the custodian.
C. The custodian implements the information classification scheme after the initial assignment by the operations manager.
D. The data custodian implements the information classification scheme after the initial assignment by the data owner.

Question 7

Which of the following models uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject?

Options:

A. Take-Grant Protection Model
B. Biba Integrity Model
C. Bell-LaPadula Model
D. Access Matrix

Question 8

Which of the following cryptographic system services ensures that information will not be disclosed to any unauthorized person on a local network?

Options:

A. Authentication
B. Integrity
C. Non-repudiation
D. Confidentiality

Question 9

Which of the following individuals inspects whether the security policies, standards, guidelines, and procedures are efficiently performed in accordance with the company's stated security objectives?

Options:

A. Information system security professional
B. Data owner
C. Senior management
D. Information system auditor

Question 10

In which of the following alternative processing sites is the backup facility maintained in a constant state of readiness, with a full complement of servers, workstations, and communication links ready to assume the primary operations responsibility?

Options:

A. Cold Site
B. Hot Site
C. Warm Site
D. Mobile Site

Question 11

Which of the following methods does the Java Servlet Specification v2.4 define in the HttpServletRequest interface to control programmatic security? Each correct answer represents a complete solution. Choose all that apply.

Options:

A. getCallerIdentity()
B. isUserInRole()
C. getUserPrincipal()
D. getRemoteUser()

Question 12

Which of the following secure coding principles and practices defines the appearance of a code listing so that a code reviewer or maintainer who has not written that code can easily understand it?

Options:

A. Make code forward and backward traceable
B. Review code during and after coding
C. Use a consistent coding style
D. Keep code simple and small

Question 13

Which of the following life cycle modeling activities establishes service relationships and message exchange paths?

Options:

A. Service-oriented logical design modeling
B. Service-oriented conceptual architecture modeling
C. Service-oriented discovery and analysis modeling
D. Service-oriented business integration modeling

Question 14

Which of the following is a name, symbol, or slogan with which a product is identified?

Options:

A. Trademark
B. Copyright
C. Trade secret
D. Patent

Question 15

To help review or design security controls, they can be classified by several criteria. One of these criteria is based on their nature. According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?

Options:

A. Compliance control
B. Physical control
C. Procedural control
D. Technical control

Question 16

Which of the following software review processes increases software security by removing common vulnerabilities, such as format string exploits, race conditions, memory leaks, and buffer overflows?

Options:

A. Management review
B. Code review
C. Peer review
D. Software audit review

Question 17

Which of the following types of redundancy prevents attacks in which an attacker can get physical control of a machine, insert unauthorized software, and alter data?

Options:

A. Data redundancy
B. Hardware redundancy
C. Process redundancy
D. Application redundancy

Question 18

What are the various activities performed in the planning phase of the Software Assurance Acquisition process? Each correct answer represents a complete solution. Choose all that apply.

Options:

A. Develop software requirements
B. Implement change control procedures
C. Develop evaluation criteria and evaluation plan
D. Create acquisition strategy

Question 19

There are seven risk responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events?

Options:

A. Acceptance
B. Transference
C. Sharing
D. Mitigation

Question 20

Which of the following types of signatures is used in an Intrusion Detection System to trigger on attacks that attempt to reduce the level of a resource or system, or to cause it to crash?

Options:

A. Access
B. Benign
C. DoS
D. Reconnaissance

Question 21

The Data and Analysis Center for Software (DACS) specifies three general principles for software assurance that serve as a framework for categorizing various secure design principles. Which of the following principles and practices does General Principle 1 include? Each correct answer represents a complete solution. Choose two.

Options:

A. Principle of separation of privileges, duties, and roles
B. Assume environment data is not trustworthy
C. Simplify the design
D. Principle of least privilege

Question 22

You are responsible for network and information security at a large hospital. It is a significant concern that any change to any patient record can be easily traced back to the person who made that change. What is this called?

Options:

A. Availability
B. Confidentiality
C. Non-repudiation
D. Data Protection

Question 23

Which of the following plans is designed to protect critical business processes from natural or man-made failures or disasters and the resultant loss of capital due to the unavailability of normal business processes?

Options:

A. Contingency plan
B. Business continuity plan
C. Crisis communication plan
D. Disaster recovery plan

Question 24

You work as a security engineer for BlueWell Inc. In your judgment, which of the following DITSCAP/NIACAP model phases occurs at the initiation of the project, or at the initial C&A effort of a legacy system?

Options:

A. Validation
B. Definition
C. Verification
D. Post Accreditation

Question 25

Which of the following types of attacks occurs when an attacker successfully inserts an intermediary software or program between two communicating hosts?

Options:

A. Denial-of-service attack
B. Dictionary attack
C. Man-in-the-middle attack
D. Password guessing attack

Question 26

The Project Risk Management knowledge area focuses on which of the following processes? Each correct answer represents a complete solution. Choose all that apply.

Options:

A. Risk Monitoring and Control
B. Risk Management Planning
C. Quantitative Risk Analysis
D. Potential Risk Monitoring

Question 27

In which of the following cloud deployment models is the cloud infrastructure operated exclusively for a single organization?

Options:

A. Public cloud
B. Community cloud
C. Private cloud
D. Hybrid cloud

Question 28

Which of the following types of obfuscation transformation increases the difficulty for a de-obfuscation tool so that it cannot extract the true application from the obfuscated version?

Options:

A. Preventive transformation
B. Data obfuscation
C. Control obfuscation
D. Layout obfuscation

Question 29

Which of the following terms related to risk management represents the estimated frequency at which a threat is expected to occur?

Options:

A. Single Loss Expectancy (SLE)
B. Annualized Rate of Occurrence (ARO)
C. Safeguard
D. Exposure Factor (EF)

Question 30

Fill in the blank with the appropriate security mechanism: ________ is a computer hardware mechanism or programming-language construct that handles the occurrence of exceptional events.

Options:

A. Exception handling

Question 31

Which of the following is an open source network intrusion detection system?

Options:

A. NETSH
B. Macof
C. Sourcefire
D. Snort

Question 32

In which of the following DIACAP phases is residual risk analyzed?

Options:

A. Phase 1
B. Phase 5
C. Phase 2
D. Phase 4
E. Phase 3

Question 33

What are the various phases of the Software Assurance Acquisition process according to the U.S. Department of Defense (DoD) and Department of Homeland Security (DHS) Acquisition and Outsourcing Working Group?

Options:

A. Implementing, contracting, auditing, monitoring
B. Requirements, planning, monitoring, auditing
C. Planning, contracting, monitoring and acceptance, follow-on
D. Designing, implementing, contracting, monitoring

Question 34

The Software Configuration Management (SCM) process defines the need to trace changes, and the ability to verify that the final delivered software has all of the planned enhancements that are supposed to be included in the release. What are the procedures that must be defined for each software project to ensure that a sound SCM process is implemented? Each correct answer represents a complete solution. Choose all that apply.

Options:

A. Configuration status accounting
B. Configuration change control
C. Configuration identification
D. Configuration audits
E. Configuration implementation
F. Configuration deployment

Question 35

Which of the following sections come under the ISO/IEC 27002 standard?

Options:

A. Security policy
B. Asset management
C. Financial assessment
D. Risk assessment

Question 36

Which of the following strategies is used to minimize the effects of a disruptive event on a company, and is created to prevent interruptions to normal business activity?

Options:

A. Continuity of Operations Plan
B. Contingency Plan
C. Disaster Recovery Plan
D. Business Continuity Plan

Question 37

Mark is the project manager of the NHQ project in StarTech Inc. The project has an asset valued at $195,000 and is subjected to an exposure factor of 35 percent. What will be the Single Loss Expectancy of the project?

Options:

A. $68,250
B. $92,600
C. $72,650
D. $67,250

Question 38

Which of the following security-related areas are used to protect the confidentiality, integrity, and availability of federal information systems and information processed by those systems?

Options:

A. Personnel security
B. Access control
C. Configuration management
D. Media protection
E. Risk assessment

Question 39

Which of the following steps of the LeGrand Vulnerability-Oriented Risk Management method determines the necessary compliance offered by risk management practices and assessment of risk levels?

Options:

A. Assessment, monitoring, and assurance
B. Vulnerability management
C. Risk assessment
D. Adherence to security standards and policies for development and deployment

Question 40

Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?

Options:

A. Verification, Definition, Validation, and Post Accreditation
B. Definition, Validation, Verification, and Post Accreditation
C. Definition, Verification, Validation, and Post Accreditation
D. Verification, Validation, Definition, and Post Accreditation

Question 41

In which of the following cloud deployment models is the cloud infrastructure administered by the organizations themselves or by a third party? Each correct answer represents a complete solution. Choose two.

Options:

A. Private cloud
B. Public cloud
C. Hybrid cloud
D. Community cloud

Question 42

Which of the following documents were developed by NIST for conducting Certification & Accreditation (C&A)? Each correct answer represents a complete solution. Choose all that apply.

Options:

A. NIST Special Publication 800-60
B. NIST Special Publication 800-53
C. NIST Special Publication 800-37A
D. NIST Special Publication 800-59
E. NIST Special Publication 800-37
F. NIST Special Publication 800-53A

Question 43

Which of the following NIST documents provides a guideline for identifying an information system as a National Security System?

Options:

A. NIST SP 800-37
B. NIST SP 800-59
C. NIST SP 800-53
D. NIST SP 800-60
E. NIST SP 800-53A

Question 44

Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. What are the different categories of penetration testing? Each correct answer represents a complete solution. Choose all that apply.

Options:

A. Open-box
B. Closed-box
C. Zero-knowledge test
D. Full-box
E. Full-knowledge test
F. Partial-knowledge test

Question 45

Phase 2 of the DITSCAP C&A process is known as Verification. The goal of this phase is to obtain a fully integrated system for certification testing and accreditation. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.

Options:

A. Certification analysis
B. Assessment of the Analysis Results
C. Configuring refinement of the SSAA
D. System development
E. Registration

Question 46

Fill in the blank with an appropriate security type: ________ applies the internal security policies of the software applications when they are deployed.

Options:

A. Programmatic security

Question 47

Fill in the blank with an appropriate phrase: The ________ is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.

Options:

A. Biba model

Question 48

You work as a Security Manager for Tech Perfect Inc. You find that some applications have failed to encrypt network traffic while ensuring secure communications in the organization. Which of the following will you use to resolve the issue?

Options:

A. SCP
B. TLS
C. IPSec
D. HTTPS

Question 49

In which of the following disaster recovery tests are operations at the primary site shut down and shifted to the recovery site according to the disaster recovery plan?

Options:

A. Structured walk-through test
B. Full-interruption test
C. Parallel test
D. Simulation test

Question 50

FIPS 199 defines the three levels of potential impact on organizations: low, moderate, and high. Which of the following are the effects of loss of confidentiality, integrity, or availability at the high level of potential impact?

Options:

A. The loss of confidentiality, integrity, or availability might result in a major damage to organizational assets.
B. The loss of confidentiality, integrity, or availability might result in severe damages like life threatening injuries or loss of life.
C. The loss of confidentiality, integrity, or availability might result in major financial losses.
D. The loss of confidentiality, integrity, or availability might cause severe degradation in or loss of mission capability to an extent.

Question 51

According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability scenarios using certain functions. Which of the following are functions that are used by dynamic analysis tools and are summarized in the NIST SAMATE? Each correct answer represents a complete solution. Choose all that apply.

Options:

A. Implementation attack
B. Source code security
C. File corruption
D. Network fault injection

Question 52

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He finds that the We-are-secure server is vulnerable to attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP printing capability from the server. He is suggesting this as a countermeasure against __________.

Options:

A. SNMP enumeration
B. IIS buffer overflow
C. NetBIOS NULL session
D. DNS zone transfer

Exam Code: CSSLP
Exam Name: Certified Secure Software Lifecycle Professional
Last Update: Dec 22, 2024