Test your basic knowledge |

CISSP Secure Software Development

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Style of programming that promotes discipline; allows introspection; and providing controlled flexibility; requires refined processes and modular development; each phase subject to review and approval; allows for security to be added in a formalized
Structured Programming development
Data hiding
Methods
Type-safe programming

2. Inter Process Communications- mechanisms that facilitate communication between processes or threads
Cross-site scripting?
Separation of privilege (least privilege)
OMG
IPC

3. identifies open ports on a host
Data Warehousing
Virus
Software librarian
Port Scans

4. A software development methodology that focuses on Defect prevention rather than defect removal. The goal is to write the code correctly the first time!
Heuristics
Open source Code
Cleanroom
Logic bomb

5. looking for unprotected modems
User Acceptance Testing
Cross-site scripting?
War Dialing
Encapsulation

6. identifies hosts that are alive
ADO
Distributed database
Encapsulation
IP Probes/Ping sweeps

7. A database with relationships between data sets with the freedom of a network database - but without the constraints of a hierarchical database. The structure is defined by its schema.
Citizen programmers
Class hierarchy
Limit checks
Relational database

8. exploits flaw in DNS software-no validation of source;provides data to DNS that is not authentication;redirects traffic to an alternate server without victims knowledge
Application Development
Virus types
Cleanroom
DNS Cache poisoning

9. packets in excess of 65535 bytes sent targeted machine
Ping of death
COM
Web Protection
Change Management

10. Online Transaction Processing- records all business transactions as they occur;acts as monitor; detects process aborts;restarts aborted processes;backs out failed transaction;allows distribution of multiple copies of application servers;performs dyna
Antivirus mechanisms
OLTP
Limit checks
SQL

11. The art of getting people to divulge sensitive information to others in a friendly manner or through intimidation?
Social Engineering
SQL Types
Heuristics
Foreign key

12. looking for Wireless Access points
War driving
Logic bomb
Structured Programming development
Virus types

13. is a high-level description of a system--typically containing no details.
Instantiation
Dictionary attack
Conceptual definition
Salami Scam

14. spiral method; nested version of waterfall method; estimated costs and schedules are revised at the end of the assessment Decision to proceed/cancel project is revisited after each risk assessment
Spiral Development
Relational database
Distributed application
COM

15. Conceal a lower level processes from higher level processes
Inference
Java Applet
Data hiding
Inheritance

16. Virtual machine;restricts the applets access to system resources
OLE
Access control
Rootkit
Sandbox

17. Memory management involves allocating memory to a process; reallocating it upon process completion; then re-allocating to a new process- can result in residual information
Citizen programmers
Fail-open
Memory re-use
Executable content/mobile code

18. The act of limiting running processes ability to view or modify memory and cache that's assigned to another process.
Covert channels
Process isolation
Dictionary attack
DB threat deadlocking

19. The tree structure of a collection of objects and classes
Malware
Class hierarchy
Sandbox
Distributed database

20. An action that is performed on a database that results in the addition or alteration or removal of data.
Salami Scam
Virus
OLE
Transaction

21. A varient of logic bombs. A plot that takes insignificant pennies from a user's bank account and move them to an attacker's bank account is an example of...
Pseudo flaw
Salami Scam
Cross-site scripting
Accreditation

22. Maintenance or programming hook; software entry point that is inserted by programmer; allows developers to bypass normal acces restrictions
DB threat data contamination
DB threat bypass
Compiler
Trapdoor/backdoor

23. A software development methodology that focuses on Defect prevention rather than defect removal. The goal is to write the code correctly the first time!
Encapsulation
Expert systems
Worms
Cleanroom

24. One of the 3 concepts for securing distributed systems other than software integrity and data integrity.
Access control
Cleanroom
Compiler
Defense in Depth (layering)

25. Combines data from multiple databases;data is extracted and transferred to central store;OLAP
Data Warehousing
Social Engineering
Aggregation
Configuration management

26. A process of viewing an application from its highest-level functions which makes all lower-level functions into abstractions
Software librarian
Memory re-use
Process Isolation
Abstraction

27. A software component in a distributed system that performs a particular service or function. (e.g. Patch management or Host-based intrusion detection systems (HIDS) and performance and capacity monitoring.
SQL
View
Change Management
Agent

28. Not trained or bound by sys dev practices; no proper app design no change control no support; apps lack security
Virus
Clean room
Citizen programmers
Object database

29. Channel allowing two cooperating processes to transfer info in a way it violated sec policy; either storage; one process writes; another process reads or timing one process relays info to another by modulating its use of sys resources
Neural networks
View
Covert channels
Behavior

30. Joint Application Development- management process that allows developers to work directly with users
Tuple/record
Access control
Pseudo flaw
JAD

31. Ensures seperation of duties by ensuring programmers do not have access to production code.
Inference
Software librarian
Ping of death
System high mode

32. Online Analytical Processing
Agent
Relational
OLAP
Digital Signatures

33. Access to data at the same time; both denied
Transaction
View
DB threat deadlocking
Granularity

34. An attack that invloves sending a user to a different webpage they did not click on. It can lead to DOS attacks.
OMA
Cross-site scripting
IP spoofing
Encapsulation

35. The best defense against a session hijacking and MITM attacks which should be incorporated in the development of software? Use randomized and unique ids to id sessions between two communicating targets.
Unique and random id
Assembler
Methods
Distributed application

36. Allows for successive refinements of requirements; design and coding; requires change control mechanism;prototyping initial concept; desing and implement initial prototype; refine prototype; complete and release
OLTP
Iterative Development
Database
Aggregation

37. A template that defines the methods and variables to be included in a particular type of object
Abstraction
Data hiding
DB threat Compromising data views
Class

38. Each process has its own memory space
DNS amplification
Access control
Process Isolation
CMM Level 1

39. The process of developing one object from another object but with different values in the new object
EJB
Polyinstantiation
Message
SQL

40. checks Semantic-structural enforcement;referential; cascading update/delete;entity tables must have Primary Key; Primary columns must be unique and not null
Polyinstantiation
Instance
Reference monitor
DB Integrity

41. A malicious program that spreads by attacking known weaknesses on computer systems.
IP Probes/Ping sweeps
Process Isolation
Hierarchial
Worms

42. Database structure
Schema
Process isolation
Heuristics
Encapsulation

43. Ensures seperation of duties by ensuring programmers do not have access to production code.
EJB
Software librarian
Cross-site scripting
Database Interface Languages

44. Attribute related to another table
DNS Cache poisoning
Pseudoflaws
Foreign key
Pseudo flaw

45. Training; explicit policies; do not double-click attachments;disable windows scrpit host; activeX; Vbscript; and javascript;do not send HTML formatted Email; use more than one scaner and scan everything
Change Management
Malware Protections
Assembly Language
Class

46. A feature which allows virtual tables in a database.Role ased access control to protect confidentiality of data in databases can be achieved by what? A view can be set up for each user on the system so that the user can only view those virtual tables
View
Functional specifications
Reference monitor
Distributed database

47. Applets containing a digital signature and can run outside the virtual machine and be given access to system resources based on the trust
Digital Signatures
Virus
Type-safe programming
Dictionary attack

48. An attack that is a special form of social engineering in which an attacker posing as a system or security administrator or vendor tells unsuspecting users that a security flaw has been discovered on their system and that they should install a certai
DB threat data contamination
Pseudo flaw
Instantiation
Rootkit

49. formal processes in place and repeatable
CMM level 2
SDLC
Type-safe programming
EJB

50. reconfigures a system to use the IP of a trusted system-correct with packet filtering techniques
Salami Scam
IP spoofing
Data warehouse
Spiral Development