Domain 4 - Software Development Security

Question 1

Maintenance hooks are a security risk because:

a. They allow entry into the code without the usual checks
b. They are trap doors
c. They permit remote access to code
d. They are undocumented

Answer 1

a. They allow entry into the code without the usual checks

Answer a is the correct answer. It is the best answer provided. The most significant risk that maintenance hooks present is they permit circumvention of normal checks designed into the system. Answers c may also be correct, but it cannot be considered to be as significant as answer a. Answer b and d are incorrect because the difference between a maintenance hook and a trap door is that the maintenance hook is documented, and the trap door is not.

Question 2

All of the following are effective in combating malicious software with the exception of:

a. Using only commercial software obtained from reliable vendors.
b. Testing all new software on isolated computers.
c. Creation and retention of backup copies of executable files.
d. Monthly use of virus detection software.

Answer 2

d. Monthly use of virus detection software.

Answer d is the correct answer. In order to be effective, virus detection software must be used more frequently than once a month. Answers a, b, and c are effective controls for countering malicious code.

Question 3

A polymorphic virus is a type of malicious code that:

a. Can change its appearance.
b. Can make multiple copies of itself.
c. Imitates the behavior of another form of virus.
d. Resembles many other types of viruses.

Answer 3

a. Can change its appearance.

Explanation: Answer a is the correct answer. A polymorphic virus is a form of malicious code that can change its appearance, making it more difficult to scan for. Answer b is incorrect because it describes the behavior of a worm. Answers c and d are distracters.

Question 4

A secret, undocumented entry point into a program module is referred to as a:

a. Control bypass.
b. Trap door.
c. Pseudo flaw.
d. Black hole.

Answer 4

b. Trap door.

Answer b is the correct answer. Trap door is the term normally used to refer to a secret, undocumented access point into a module. Answer a describes what a Trap door is, but uses non-standard terminology. Answer c is incorrect since a pseudo flaw, though secret from a potential intruder is not undocumented. Answer d is a distracter.

Question 5

Separation of duties functions on the principal employees are less tempted to do wrong if:

a. They must cooperate with another employee to do so.
b. They must submit transactions in the proper sequence.
c. They must perform specific functions at specific times.
d. Management performs strict oversight of their work.

Answer 5

a. They must cooperate with another employee to do so.

Answer a is the correct answer. The aim of separation of duties is to force cooperation between individuals in order to violate security controls. Answers b, c, and d are incorrect since they address performance requirements, and do not relate to the division of job functions to prevent illicit behavior.

Question 6

One of the primary reasons why computer systems have bugs is:

a. Malicious code
b. Faulty system design
c. Programming errors
d. Program specifications

Answer 6

d. Program specifications

Answer d is the correct answer. Computer systems have program errors, or bugs because the specifications are either incorrect, or they are implemented incorrectly. Answer a is incorrect since it relates to an intentional threat not caused by an error. Answer b is only partially correct since it does not include bugs caused by programming errors, while answer c is incorrect since it addresses only bugs caused by faulty implementation and does not take into account faulty program specifications.

Question 7

One of the primary reasons why computer systems have bugs is:

a. Malicious code
b. Faulty system design
c. Programming errors
d. Program specifications

Answer 7

d. Program specifications

Answer d is the correct answer. Computer systems have program errors, or bugs because the specifications are either incorrect, or they are implemented incorrectly. Answer a is incorrect since it relates to an intentional threat not caused by an error. Answer b is only partially correct since it does not include bugs caused by programming errors, while answer c is incorrect since it addresses only bugs caused by faulty implementation and does not take into account faulty program specifications.

Question 8

A time bomb is a type of what form of malicious software:

a. Virus.
b. Trojan Horse.
c. Logic bomb.
d. Worm.

Answer 8

c. Logic bomb.

Answer c is the correct answer. A logic bomb is a type of malicious code that is activated when a specific condition is met. A time bomb is a logic bomb that is triggered by a time or date. Answers a, b and d are incorrect since they are examples of malicious code that is activated upon the occurrence of a specific condition.

Question 9

Robert T. Morris designed the Internet Worm to do all of the following except

a. to determine where it could spread.
b. to spread its infection.
c. to exhaust Internet resources.
d. To remain undiscovered and undiscoverable

Answer 9

c. to exhaust Internet resources.

Answer c is the correct answer. Morris’ original intent was to find out the extent to which the worm could spread, and to actually spread without being detected. However, because of a flaw in its logic, copies of the worm did not terminate as he intended, resulting in severe degradation of system performance, and exhaustion of network resources.

Question 10

A program that moves through an address space by making a copy of itself in a new location is known as a:

a. Virus
b. Worm
c. Trojan Horse
d. Logic Bomb

Answer 10

b. Worm

Answer b is the correct answer. A worm is an independent program that moves through an address space by making a copy of itself in a new location. Answers a, c, and d are incorrect since viruses, Trojan Horses, and logic bombs are not independent programs, and spread by copying themselves onto another program.

Question 11

The files required to perform a batch update are:

a. Master file and transaction file
b. Batch file and record file
c. Update file and production file
d. Sequential file and master file

Answer 11

a. Master file and transaction file

Answer a is the correct answer. The process of updating a batch file uses information from the records in a transaction file to update information in some or all of the records in the master file. Answers b, c and d are distracters.

Question 12

A change control board is intended to evaluate all proposed changes on the basis of:

a. Cost-effectiveness and impact.
b. Desirability and correctness.
c. Privacy and security.
d. Timeliness and comprehensiveness.

Answer 12

b. Desirability and correctness.

Answer b is the correct answer. The primary purpose of the change control board is to evaluate proposed changes on the basis of how desirable and correct they are. Although answers a, c, and d may be considered by the change control board as part of its evaluation for desirability and correctness, these three answers are too limited in scope to be correct.

Question 13

A shared resource matrix is a technique commonly used to locate:

a. Malicious code
b. Security flaws
c. Trap doors
d. Covert channels

Answer 13

d. Covert channels

Answer d is the correct answer. Analyzing resources of a system is one standard for locating covert channels, because the basis of a covert channel is a shared resource. Answers a, b, and c are incorrect since a shared resource matrix will not normally lead to the identification of malicious code, security flaws, or trap doors.

Question 14

The process in which an independent security evaluation team checks on compliance with software development standards on an unannounced basis is known as:

a. Independent evaluation
b. Security audit
c. Validation
d. Certification

Answer 14

b. Security audit

Answer b is the correct answer. A security audit is the process used to ensure that standards are being effectively followed in the development of software. The security audit includes a review of designs, documentation and code to ensure standards have been followed. Answers a, c, and d are incorrect since they are processes used to provide assurance for a specific project, and are too narrow.

Question 15

The basic phases of a system life cycle are:

a. Design, programming, installation, operation, retirement.
b. Planning, development, testing, operation, disposal.
c. Initiation, development/acquisition, implementation, operation, disposal
d. Planning, programming, testing, installation, operation, retirement.

Answer 15

c. Initiation, development/acquisition, implementation, operation, disposal

Answer c is the correct answer. The system life cycle begins with project initiation followed by development or acquisition of the system, implementation of the system, system operation, and then system disposal. Answer a does not include the initiation phase and system design takes place during the development/acquisition phase. Answer b is incorrect since planning is merely a part of the initiation phase. Answer d is incorrect since planning is merely a part of the initiation phase, and testing and installation are each sub-elements of the implementation phase.

Question 16

The two basic principles that underlie most well-constructed software are:

a. Data hiding and abstraction
b. Segmentation and accountability
c. Layering and modularity
d. Isolation and separation of duties

Answer 16

c. Layering and modularity

Answer c is the correct answer. Layering and modularity are the two basic principles used in developing secure software. Layering refers to constructing processes in layers so that each layer deals with a specific kind of activity, and modularity refers to breaking activities into segments that are small enough that individual pieces are easily understood and facilitate testing. Answers a, b, and c are incorrect since each relates to various techniques used in software development, and in the case of separation of duties, to computer operations.

Question 17

In the system development life cycle when should security requirements be developed:

a. During the initiation phase.
b. At the same time that other requirements for the system are developed
c. During system testing.
d. As part of the sensitivity assessment.

Answer 17

b. At the same time that other requirements for the system are developed

Answer b is the correct answer. The identification of security requirements should be integrated into the overall process for identifying system requirements in general. Answer a is incorrect since security requirements are defined during the development/acquisition phase. Answer c is incorrect because system testing occurs after requirements definition, during the implementation phase. Answer d is incorrect since security requirements are developed after the sensitivity assessment is conducted, not as part of the sensitivity assessment.

Question 18

The formal authorization by a management official for a system to operate and an explicit acceptance of risk is know as:

a. Certification.
b. Acceptance.
c. Quality control statement.
d. Accreditation

Answer 18

d. Accreditation

Answer d is the correct answer. Accreditation is the process in which an accrediting management authority formally authorizes a system to operate in a particular environment based on an explicit acceptance of risks. Answer a is incorrect since certification is the process for formally testing the security safeguards implemented in a computer system and is a preliminary step to accreditation. Answer b is incorrect because acceptance is a phase in the system development life cycle. Answer c is a distracter.

Question 19

The formal testing of the security safeguards implemented in a computer system to determine whether they meet applicable requirements and specifications is know as:

a. Certification
b. Accreditation.
c. Security testing.
d. Acceptance.

Answer 19

a. Certification

Answer a is the correct answer. Certification is the process for producing a statement that specifies the extent to which security measures meet specifications. Answer b is incorrect since accreditation is the process in which an accrediting management authority formally authorizes a system to operate in a particular environment based on an explicit acceptance of risks. Although generically correct, answer c is not correct since it is less precise than answer a. Answer d is incorrect because acceptance is a phase in the system development life cycle.

Question 20

Salami attacks are effective because:

a. The amount of funds diverted is so small it is not easily noticed.
b. The number of affected transactions is so limited they are not noticeable.
c. They involve electronic funds transfers.
d. They are committed by individuals with detailed knowledge of the system.

Answer 20

a. The amount of funds diverted is so small it is not easily noticed.

Answer a is the correct answer. In a salami attack, small amounts of money are shaved from each computation through rounding or truncation, and the amount shaved is so small that it may fall within the acceptable range.

Question 21

Information hiding is a design principle whereby:

a. The program module operates as if surrounded by a shield.
b. A program module is isolated from the negative effects of other modules.
c. How a program module does its task is concealed.
d. The data processed by a program module is concealed.

Answer 21

c. How a program module does its task is concealed.

Answer c is the correct answer. Data hiding is a method used to conceal the manner in which a program module does its task. Answers a and b are incorrect because they describes encapsulation. Answer d is incorrect because information hiding does not result in the concealment of data input or output from the module.

Question 22

The process applied when transactions fail to complete after making some updates to an on-line file is known as a:

a. Checkpoint
b. Recovery
c. Restart
d. Back-out

Answer 22

d. Back-out

Answer d is the correct answer. Back-out is the process that uses a transaction log file to correct the results of incomplete updates when transactions fail to complete after making some updates to an on-line file. Answer a is incorrect since a checkpoint is the process for writing a program’s results to secondary storage to minimize the risk of work loss. Answer b is incorrect because recovery is the process for reconstituting a database following a processing error or failure. Answer c is incorrect since a restart is the resumption of program execution using data recorded at a checkpoint.

Question 23

The goal of the System Security Engineering Capability Maturity Model (SSE CMM) is to lead to the development of software that performs computing tasks as well as:

a. Follows a structured system development lifecycle.
b. Employs modularity and encapsulation.
c. Meets ISO 9000 standards.
d. Enforces security requirements.

Answer 23

d. Enforces security requirements.

Answer d is the correct answer. The purpose of the SSE CMM is to provide a structure for developing software that not only performs computing tasks it is designed to do, but that also enforces security specifications while doing so. Answer a is incorrect because the SSE CMM does not prescribe a system development lifecycle. Answer b is incorrect because it does not specifically require the use of modularity and encapsulation. Answer c is incorrect because ISO 9000 standards are not a part of the SSE CMM.

Question 24

Protecting the integrity of programs and documentation is the main security motivation for using:

a. Configuration management.
b. Separation of duties.
c. Modular programming.
d. System development controls.

Answer 24

a. Configuration management.

Answer a is the correct answer, because configuration management is concerned with applying controls to maintain software and documentation integrity. Answers b and c are incorrect since separation of duties and modular programming do not fully address program/documentation integrity. Answer d is incorrect since the main security motivation for using system development controls is much broader than maintaining the integrity of programs and documentation.

Question 25

The technique in which an operating system strictly limits what system resources a program can access is known as:

a. Segmentation
b. Segregation
c. Confinement
d. Isolation

Answer 25

c. Confinement

Answer c is the correct answer. Confinement is the technique that is used to strictly limit what system resources an untrusted program can use. Answers a, b, and d are terms that express similar security concepts but are incorrect since they are not a function of an operating system.

Question 26

A virus scanner works on all of the following principles except for:

a. Viruses must be in memory to execute.
b. Viruses can be completely invisible.
c. Viruses execute in a particular way.
d. Viruses use certain methods to spread.

Answer 26

b. Viruses can be completely invisible.

Answer b is the correct answer. Since code must be stored somewhere and must be in memory to execute, it cannot be completely invisible. Answers a, c and d are incorrect since they each express a principle for how a virus scanner functions.