ISC Certified Secure Software Lifecycle Professional Practice Test

QUESTION NO: 1
Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering system vulnerabilities. For what purposes is ST&E used? Each correct answer represents a complete solution. Choose all that apply.

A. To implement the design of system architecture B. To assess the degree of consistency between the system documentation and its implementation C. To uncover design, implementation, and operational flaws that may allow the violation of security policy D. To determine the adequacy of security mechanisms, assurances, and other properties to enforce the security policy

Correct Answer: B,C,D

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 2
At which of the following levels of robustness in DRM must the security functions be immune to widely available tools and specialized tools and resistant to professional tools?

A. Level 3 B. Level 1 C. Level 4 D. Level 2

Correct Answer: B

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 3
Which of the following phases of NIST SP 800-37 C&A methodology examines the residual risk for acceptability, and prepares the final security accreditation package?

A. Security Certification B. Security Accreditation C. Continuous Monitoring D. Initiation

Correct Answer: B

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 4
Which of the following tiers addresses risks from an information system perspective?

A. Tier 3 B. Tier 1 C. Tier 0 D. Tier 2

Correct Answer: A

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 5
Which of the following is an open source network intrusion detection system?

A. Explanation:
Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs activities of the network that is matched with the predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). The three main modes in which Snort can be configured are as follows:
Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console. Packet logger mode: It logs the packets to the disk. Network intrusion detection mode: It is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set. B. NETSH C. Sourcefire D. Macof E. Snort

Correct Answer: A,E

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 6
DRAG DROP
RCA (root cause analysis) is an iterative and reactive method that identifies the root cause of various incidents, and the actions required to prevent these incidents from reoccurring. RCA is classified in various categories. Choose appropriate categories and drop them in front of their respective functions.

Correct Answer:

Explanation:

The various categories of root cause analysis (RCA) are as follows: Safety-based RC A.
It consists of plans from the health and safety areas. Production-based RCA. It integrates quality control paradigms. Process-based RCA. It integrates business processes. Failure-based RCA. It integrates failure analysis processes as employed in engineering and maintenance. Systems-based RCA. It integrates the methods from risk and systems analysis.

QUESTION NO: 7
You work as a systems engineer for BlueWell Inc. Which of the following tools will you use to look outside your own organization to examine how others achieve their performance levels, and what processes they use to reach those levels?

A. Benchmarking B. Six Sigma C. SEI-CMM D. ISO 9001:2000

Correct Answer: A

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 8
DRAG DROP
A number of security design patterns are developed for software assurance in general. Drag and drop the appropriate security design patterns in front of their respective descriptions.

Correct Answer:

Explanation:

The various patterns applicable to software assurance in general are as follows: Hidden implementation: It limits the ability of an attacker to distinguish the internal workings of an application. Partitioned application: It splits a large and complex application into two or more simple components. Secure assertion: It distributes application-specific sanity checks throughout the system. Server sandbox: It creates a wall around the Web server to include the damage that occurs because of an undetected fault in the server or an exploited vulnerability.

QUESTION NO: 9
Which of the following testing methods verifies the interfaces between components against a software design?

A. Unit testing B. Regression testing C. Black-box testing D. Integration testing

Correct Answer: D

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 10
In which of the following testing methods is the test engineer equipped with the knowledge of system and designs test cases or test data based on system knowledge?

A. Regression testing B. Integration testing C. Whitebox testing D. Graybox testing

Correct Answer: D

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

ISC Certified Secure Software Lifecycle Professional Practice Test - CSSLP Exam Questions