CISSP: Software Development Security Flashcards Preview

CISSP > CISSP: Software Development Security > Flashcards

Flashcards in CISSP: Software Development Security Deck (18)
Loading flashcards...

1. Masquerading as another person in order to obtain information illicitly is known as

A. Hacking
B. Social engineering
C. Extortion
D. Exhumation

B. Social engineering

Social engineering is the process of obtaining information from people by tricking them into giving up an important piece of information, such as a modem access number. Review “System Attack Methods.”


2. Viruses, rootkits, and Trojan horses are known as

A. Maniacal code
B. Fractured code
C. Infectious code
D. Malicious code

D. Malicious code

Malicious code is the generic term used to describe computer codes used to inflict damage on a computer system. Review “Malicious code.”


3. Antivirus software that detects viruses by watching for anomalous behavior uses what technique?

A. Signature matching
B. Fleuristics
C. Heroistics
D. Heuristics

D. Heuristics

Heuristics is the technique used to detect viruses by recognizing anomalous behavior. Review “Malicious code.”


4. A developer, suspecting that he may be fired soon, modifies an important program that will corrupt payroll files long after he is gone. The developer has created a(n)

A Delayed virus
B Logic bomb
C Applet bomb
D Trojan horse

B. Logic bomb

A logic bomb is a type of malicious code that’s designed to cause damage at a predetermined date in the future. Review “Malicious code.”


5. A SYN flood is an example of a

A. Dictionary attack
B. High Watermark attack
C. Buffer Overflow attack
D. Denial of Service attack

D. Denial of Service attack. These attacks are designed to incapacitate a system by flooding it with traffic. Review “Denial of Service.”


6. The process of recording changes made to systems is known as

A. Change Review Board
B. System Maintenance
C. Change Management
D. Configuration Management

D. Configuration Management

This is the process used to record all configuration changes to hardware and software. Review “Configuration Management.”


7. A system that accumulates knowledge by observing events’ inputs and outcomes is known as a(n)

A. Expert system
B. Neural network
C. Synaptic network
D. Neural array

B. Neural network

Neural networks become proficient at predicting outcomes by making large numbers of observations, noting the inputs and results of each. Review “Neural networks.”


8. The logic present in an object is known as

A. Encapsulation
B. Personality
C. Behavior
D. Method

D. Method

A method is the formal name given to business logic — also known as code — present in an object. Review “Object-Oriented Environments.”


9. The restricted environment that Java applets occupy is known as a

A. Sandbox
B. Workbox
C. Trusted Zone
D. Instantiation

A. Sandbox

This is the name given to the restricted environment in which Java applets reside. Review “Adding applets to the mix.”


10. An attacker has placed a URL on a website that, if clicked, will cause malicious javascript to execute on victims’ browsers. This is known as a

A. Phishing attack
B. Script injection attack
C. Cross-site scripting attack
D. Cross-site request forgery attack

C. Cross-site scripting attack

In a cross-site scripting attack, the attacker places malicious script language in a URL that will be executed on a victim’s browser. Review “System Attack Methods.”


The software escrow is intended to mitigate which of the following risks?
a. In case the software vendor performs poorly
b. In case the software developer goes out of business
c. In case the original source code becomes infected or corrupted
d. In case a transaction fails, and the system must roll back to a known good state.

B. If the software developer goes out of business, the customer is provided with the source code from the software escrow.


Which of the following describes the preferred characteristics of an object in OOP?
a. Tight COM and loose CORBA
b. Loose acceptance testing and tight regression testing
c. Tight methods and loose messages
d. Loose coupling and tight cohesion

D. Loose coupling implies a low reliance on other objects to perform the methods of an object. Tight cohesion implies that the methods within an object work well together, are similar to one another, and naturally belong together. These are two beneficial characteristics of objects.


Which of the following is designed to support data sharing in Microsoft databases?
a. The ACID test
b. ADO
d. The IDEAL model

B. ActiveX Data Objects (ADOs) are Microsoft COM-based objects used to access data sources.


Dot dot slash is the syntax used to commit what type of attack?
a. A race condition attack
b. a DOM cross-site scripting attack
c. A directory traversal attack
d. A buffer overflow attack

C. The ../ (dot dot slash) syntax is used to traverse to the parent directory in a UNIX or Linux operation system. On a Windows system, the syntax is ..\ (dot dot backslash).


At which stage of the software development life cycle (SDLC) should security concerns first be analyzed?
a. System design
b. Function design
c. Testing
d. Project initiation

D. Project initiation is the first phase of the SDLC, and security concerns related to the project should be considered at this early phase.


When does an application developer need to implement middleware in the application?
a. When using primary and foreign keys between two tables
b. When using multiple databases
c. When artificial intelligence is being implemented
d. When performing the garbage collection process

B. Because different databases likely use different schemas, the data from the database might be incompatible with the needs of the application or the importing database. Middleware puts data (or differing formats) into a standard format so it can be imported and processed properly.


Which of the following best describes the reason to use artificial intelligence on data?
a. To produce metadata
b. To increase the value of the application
c. To increase the value of the data
d. To manage real-time concurrency controls

C. The objective of AI is to increase the value of the data from noise to data to information to knowledge, and, ultimately, to wisdom.


Which of the following is commonly used to defend against the threat of an aggregation and inference attack?
a. Polyinstantiation
b. Static binding of messages
c. Polymorphism
d. Regression testing

A. Multiple instances, or polyinstantiation, of the truth for the various clearances of the users helps defend against the aggregation and inference attack.