ISC2 Certified Secure Software Lifecycle Professional CSSLP Exam Questions

Page: 1 / 14
Total 357 questions
Question 1

Which of the following roles is also known as the accreditor?



Answer : D

Designated Approving Authority (DAA) is also known as the accreditor.

Answer A is incorrect. The data owner (information owner) is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information.

Answer B is incorrect. A Chief Risk Officer (CRO) is also known as a Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach.

Answer C is incorrect. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals. The CIO plays the role of a leader and reports to the chief executive officer, chief operations officer, or chief financial officer. In military organizations, they report to the commanding officer.


Question 2

Martha works as a Project Leader for BlueWell Inc. She and her team have developed accounting software. The software was performing well. Recently, the software has been modified. The users of this software are now complaining about the software not working properly. Which of the following actions will she take to test the software?



Answer : B

Regression testing can be performed any time a program needs to be modified, either to add a feature or to fix an error. It is a process of repeating unit testing and integration testing whenever existing tests need to be performed again along with the new tests. Regression testing is performed to ensure that no existing errors reappear and no new errors are introduced.

Answer D is incorrect. Acceptance testing is performed on the application before its implementation into the production environment. It is done either by a client or an application specialist to ensure that the software meets the requirements for which it was made.

Answer A is incorrect. Integration testing is a logical extension of unit testing. It is performed to identify the problems that occur when two or more units are combined into a component. During integration testing, a developer combines two units that have already been tested into a component and tests the interface between the two units. Although integration testing can be performed in various ways, the following three approaches are generally used:

The top-down approach
The bottom-up approach
The umbrella approach

Answer C is incorrect. Unit testing is a type of testing in which each independent unit of an application is tested separately. During unit testing, a developer takes the smallest unit of an application, isolates it from the rest of the application code, and tests it to determine whether it works as expected. Unit testing is performed before integrating these independent units into modules. The most common approach to unit testing requires drivers and stubs to be written. Drivers and stubs are programs: a driver simulates a calling unit, and a stub simulates a called unit.


Question 3

Which of the following methods does the Java Servlet Specification v2.4 define in the HttpServletRequest interface that control programmatic security?

Each correct answer represents a complete solution. Choose all that apply.



Answer : B, C, D

The relevant methods of the HttpServletRequest interface are as follows:

getRemoteUser(): Returns the user name that was used for client authentication. getRemoteUser() returns null if no user is authenticated.

isUserInRole(): Determines whether the remote user has been granted the specified role. isUserInRole() returns true if the remote user is granted the specified role; otherwise it returns false.

getUserPrincipal(): Determines the principal name of the current user and returns a java.security.Principal object. The java.security.Principal object contains the remote user name. getUserPrincipal() returns null if no user is authenticated.

Answer A is incorrect. It is not defined in the HttpServletRequest interface. The getCallerIdentity() method is used to obtain the java.security.Identity of the caller.


Question 4

You work as a security engineer for BlueWell Inc. You want to use some techniques and procedures to verify the effectiveness of security controls in a Federal Information System. Which of the following NIST documents will guide you?



Answer : C

NIST has developed a suite of documents for conducting Certification & Accreditation (C&A). These documents are as follows:

1. NIST Special Publication 800-37: This document is a guide for the security certification and accreditation of Federal Information Systems.

2. NIST Special Publication 800-53: This document provides a guideline for security controls for Federal Information Systems.

3. NIST Special Publication 800-53A: This document consists of techniques and procedures for verifying the effectiveness of security controls in a Federal Information System.

4. NIST Special Publication 800-59: This document provides a guideline for identifying an information system as a National Security System.

5. NIST Special Publication 800-60: This document is a guide for mapping types of information and information systems to security objectives and risk levels.


Question 5

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He finds that the We-are-secure server is vulnerable to attacks. As a countermeasure, he suggests that the Network Administrator should remove the IPP printing capability from the server. He is suggesting this as a countermeasure against __________.



Answer : B

Removing the IPP printing capability from a server is a good countermeasure against an IIS buffer overflow attack. A Network Administrator should take the following steps to protect a Web server from IIS buffer overflow attacks:

Conduct frequent scans for server vulnerabilities.
Install the upgrades of Microsoft service packs.
Implement effective firewalls.
Apply the URLScan and IISLockdown utilities.
Remove the IPP printing capability.

Answer D is incorrect. The following are the DNS zone transfer countermeasures:

Do not allow DNS zone transfer using the DNS property sheet:

a. Open DNS.
b. Right-click a DNS zone and click Properties.
c. On the Zone Transfer tab, clear the Allow zone transfers check box.

Configure the master DNS server to allow zone transfers only from secondary DNS servers:

a. Open DNS.
b. Right-click a DNS zone and click Properties.
c. On the Zone Transfer tab, select the Allow zone transfers check box, and then do one of the following:
   To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to the servers listed on the Name Servers tab.
   To allow zone transfers only to specific DNS servers, click Only to the following servers, and add the IP address of one or more servers.

Deny all unauthorized inbound connections to TCP port 53.

Implement DNS keys and encrypted DNS payloads.

Answer A is incorrect. The following are the countermeasures against SNMP enumeration:

1. Removing the SNMP agent or disabling the SNMP service
2. Changing the default PUBLIC community name when shutting off SNMP is not an option
3. Implementing the Group Policy security option called Additional restrictions for anonymous connections
4. Restricting access to NULL session pipes and NULL session shares
5. Upgrading from SNMP Version 1 to the latest version
6. Implementing access control list filtering to allow access to the read-write community only from approved stations or subnets

Answer C is incorrect. NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities:

1. Null sessions require access to TCP port 139 or TCP port 445, which can be disabled by a Network Administrator.
2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.
3. A Network Administrator can also restrict the anonymous user by editing the registry values:
   a. Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA.
   b. Choose Edit > Add Value.
      Value name: RestrictAnonymous
      Data Type: REG_DWORD
      Value: 2


Question 6

Which of the following statements are true about declarative security?

Each correct answer represents a complete solution. Choose all that apply.



Answer : A, B, D

Declarative security applies security policies to software applications at runtime. In this type of security, the security decisions are based on explicit statements that confine security behavior. Declarative security applies the security permissions that the software application requires to access local resources and provides role-based access control to an individual software component and software application. It is employed in a layer that lies outside of the software code or uses attributes of the code.

Answer C is incorrect. In declarative security, authentication decisions are coarse-grained in nature from an operational or external security perspective.


Question 7

You have a storage medium holding some data, and you make efforts to remove this data. After doing so, you find that the data is still present on the medium. Which of the following refers to the condition described above?



Answer : D

Data remanence refers to the data that remains even after efforts have been made to remove or erase it. It occurs because data is left intact by a nominal file deletion operation, by reformatting of the storage media, or through the physical properties of the storage medium. Data remanence can make unintentional disclosure of sensitive information possible when the storage media is released into an uncontrolled environment.

Answers B and C are incorrect. These are made-up terms.

Answer A is incorrect. Object reuse refers to the reassignment, to some other subject, of a storage medium that has contained one or more objects.

