Certified Secure Software Lifecycle Professional (CSSLP) Sample Questions


The Certified Secure Software Lifecycle Professional (CSSLP) credential was created to validate software professionals who have the expertise to incorporate security practices (authentication, authorization, and auditing) into every phase of the software development lifecycle (SDLC), from software design and implementation through testing and deployment. The CSSLP Common Body of Knowledge (CBK) ensures relevance across all disciplines in the field of information security.

1.) Sam works as a Network Auditor for Net Perfect Inc. The company has a Windows-based network. While auditing the company's network, he has trouble finding the faults and other entities that belong to it. Which of the following risks may occur because of the existence of these issues?

A. Residual risk
B. Secondary risk
C. Detection risk
D. Inherent risk

Right Answer: C
Detection risk is the risk that an auditor cannot find what they are looking to detect. It therefore becomes tedious to report negative results when material conditions (faults) actually exist. Detection risk comprises two kinds of risk. Sampling risk: this risk occurs when an auditor falsely accepts or erroneously rejects an audit sample. Nonsampling risk: this risk occurs when an auditor fails to detect a condition because of not applying the appropriate procedure, or because of using procedures inconsistent with the audit objectives (detection faults). Answer: A is incorrect. Residual risk is the risk or danger of an action or an event, a method, or a (technical) process that, although it is abreast of science, still carries these risks even if all theoretically possible safety measures were applied (scientifically conceivable measures). The formula for calculating residual risk is (inherent risk) x (control risk). Answer: D is incorrect. Inherent risk, in auditing, is the risk that the account or section being audited is materially misstated, without considering internal controls, because of error or fraud. Answer: B is incorrect. A secondary risk is a risk that arises as a direct consequence of implementing a risk response. The secondary risk is an outcome of dealing with the original risk. Secondary risks are not as rigorous or important as primary risks, but they can turn out to be so if they are not assessed and planned for properly.

2.) The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. Which of the following participants are required in a NIACAP security assessment? Each correct answer represents a part of the solution. Choose all that apply.

A. Certification agent
B. Designated Approving Authority
C. IS program manager
D. Information Assurance Manager
E. User representative

Right Answer: A, B, C, and E
The NIACAP roles are nearly the same as the DITSCAP roles. Four minimum participants (roles) are required to perform a NIACAP security assessment. IS program manager: the IS program manager is the primary authorization advocate. He is responsible for the Information Systems (IS) throughout the life cycle of the system's development. Designated Approving Authority (DAA): the DAA, in the United States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. Certification agent: the certification agent is also referred to as the certifier. He provides the technical expertise to conduct the certification throughout the system life cycle. User representative: the user representative focuses on system availability, access, integrity, functionality, performance, and confidentiality in a Certification and Accreditation (C&A) process. Answer: D is incorrect. The Information Assurance Manager (IAM) is one of the key participants in the DIACAP process.

3.) Which of the following penetration testing techniques automatically tests every phone line in an exchange and tries to locate modems that are attached to the network?

A. Demon dialing
B. Sniffing
C. Social engineering
D. Dumpster diving

Right Answer: A
The demon dialing technique automatically tests every phone line in an exchange and tries to locate modems that are attached to the network. Information about these modems can then be used in attempts at external unauthorized access. Answer: B is incorrect. In sniffing, a protocol analyzer is used. Answer: C is incorrect. Social engineering is the most commonly used technique of all: obtaining information (such as passwords) simply by asking for it.

4.) Which of the following roles is also known as the accreditor?

A. Data owner
B. Chief Risk Officer
C. Chief Information Officer
D. Designated Approving Authority

Right Answer: D
The Designated Approving Authority (DAA) is also known as the accreditor. Answer: A is incorrect. Answer: B is incorrect. A Chief Risk Officer (CRO) is also known as a Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk and reward. Answer: C is incorrect. The Chief Information Officer (CIO) is the information technology (IT) director, a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals. The CIO plays the role of a leader and reports to the CEO, chief operations officer, or CFO. In military organizations, they report to the commanding officer.

5.) DoD 8500.2 establishes IA controls for information systems according to the Mission Assurance Categories (MAC) and confidentiality levels. Which of the following MAC levels requires high integrity and medium availability?

A. MAC III
B. MAC IV
C. MAC I
D. MAC II

Right Answer: D
The MAC levels are as follows. MAC I: the systems require high availability and high integrity. MAC II: the systems require high integrity and medium availability. MAC III: the systems require basic integrity and availability.

6.) Microsoft software security expert Michael Howard defines several heuristics for prioritizing code review in "A Process for Performing Security Code Reviews".
Which of the following heuristics increase the application's attack surface? Each correct answer represents a complete solution. Choose all that apply.

A. Code written in C/C++/assembly language
B. Code listening on a globally accessible network interface
C. Code that changes often
D. Anonymously accessible code
E. Code running by default
F. Code that runs in an elevated context

Right Answer: BDEF

7.) Which of the following cryptographic system services ensures that information will not be disclosed to any unauthorized person on a local network?

A. Authentication
B. Integrity
C. Non-repudiation
D. Confidentiality

Right Answer: D
The confidentiality service of a cryptographic system ensures that information will not be disclosed to any unauthorized person on a local network.

8.) What are the various activities performed in the planning phase of the Software Assurance Acquisition process? Each correct answer represents a complete solution. Choose all that apply.

A. Develop software requirements.
B. Implement change control procedures.
C. Develop evaluation criteria and an evaluation plan.
D. Develop an acquisition strategy.

Right Answer: A, C, and D
The activities performed in the planning phase of the Software Assurance Acquisition process are as follows: determine software product or service requirements; identify associated risks; develop software requirements; develop an acquisition strategy; develop evaluation criteria and an evaluation plan; define the development and use of SwA due-diligence questionnaires. Answer: B is incorrect. That activity is performed during the monitoring and acceptance phase of the Software Assurance Acquisition process.

9.) You work as a project manager for BlueWell Inc. You are working on a project, and management wants a quick and cost-effective means of establishing priorities for planning risk responses in your project. Which risk management process can satisfy management's objective for your project?

A. Qualitative risk analysis
B. Historical information
C. Rolling wave planning
D. Quantitative risk analysis

Right Answer: A
Qualitative risk analysis is the best answer because it is a fast and low-cost approach to analyzing a risk's impact and effect. It can promote particular risks onto risk response planning. Qualitative risk analysis assesses the probability and impact of the identified risks in a fast and cost-effective manner. It establishes a basis for a focused quantitative analysis or a Risk Response Plan by evaluating the priority of risks with regard to their effect on the project's scope, cost, schedule, and quality objectives. Qualitative risk analysis can be conducted at any point in a project life cycle. Its primary goal is to determine the proportion of effect and the theoretical response. The inputs to the Qualitative Risk Analysis process are: organizational process assets, the Project Scope Statement, the Risk Management Plan, and the Risk Register. Answer: B is incorrect. Historical information can be useful in qualitative risk analysis, but it is an input, not a risk management process.

10.) Which of the following models uses a directed graph to specify the rights that a subject can transfer to an object, or that a subject can take from another subject?

A. Take-Grant Protection Model
B. Biba Integrity Model
C. Bell-LaPadula Model
D. Access Matrix

Right Answer: A
The take-grant protection model is a formal model used in the field of computer security to establish or disprove the safety of a given computer system that follows specific rules. It shows that for specific systems the question of safety is decidable in linear time, although it is undecidable in general. The model represents a system as a directed graph whose vertices are either subjects or objects. The edges between them are labeled, and the label indicates the rights that the source of the edge has over the destination. Two rights occur in every instance of the model: take and grant. They play a special role in the graph-rewriting rules that describe admissible changes to the graph. Answer: D is incorrect. The access matrix is a straightforward approach that assigns access rights to subjects. Answer: B is incorrect. The Biba model addresses integrity requirements.
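The take and grant rewriting rules described above, as an added example that is not part of the original page: a small Python protection graph in which only the take and grant rules are applied (the model's create and remove rules are left out), so the closure answers which rights a subject can reach over the edges that already exist. The subject and object names are constructed for the illustration.

```python
"""Added example (not from the original page): a toy Take-Grant protection graph.
Only the take and grant rewriting rules are modelled (no create/remove), so the
closure asks: which rights can a subject reach over the edges that already exist?"""
from collections import defaultdict

TAKE, GRANT = "t", "g"


class TakeGrantGraph:
    def __init__(self, subjects):
        self.subjects = set(subjects)          # active vertices; everything else is an object
        self.edges = defaultdict(lambda: defaultdict(set))  # edges[src][dst] -> rights

    def add_edge(self, src, dst, rights):
        self.edges[src][dst] |= set(rights)

    def rights(self, src, dst):
        return set(self.edges[src].get(dst, set()))

    def _take(self, s):
        # take: s --t--> x and x --r--> y  lets s add r on y
        changed = False
        for x, rx in list(self.edges[s].items()):
            if TAKE not in rx:
                continue
            for y, ry in list(self.edges[x].items()):
                new = ry - self.edges[s][y]
                if new:
                    self.edges[s][y] |= new
                    changed = True
        return changed

    def _grant(self, s):
        # grant: s --g--> x and s --r--> y  lets s give x the right r on y
        changed = False
        for x, rx in list(self.edges[s].items()):
            if GRANT not in rx:
                continue
            for y, ry in list(self.edges[s].items()):
                new = ry - self.edges[x][y]
                if new:
                    self.edges[x][y] |= new
                    changed = True
        return changed

    def closure(self):
        # Apply both rules for every subject until no edge gains a right (fixpoint).
        while any(self._take(s) | self._grant(s) for s in self.subjects):
            pass
        return self


def can_acquire(graph, subject, target, right):
    """True if `subject` can end up holding `right` over `target` via take/grant."""
    return right in graph.closure().rights(subject, target)


def build_example():
    # Constructed sample (hypothetical names): alice --t--> bob, bob --r--> file,
    # bob --g--> carol, dave --x--> file. dave has no take/grant path to anything.
    g = TakeGrantGraph(subjects={"alice", "bob", "carol", "dave"})
    g.add_edge("alice", "bob", TAKE)
    g.add_edge("bob", "file", "r")
    g.add_edge("bob", "carol", GRANT)
    g.add_edge("dave", "file", "x")
    return g
```

In the sample graph alice reaches "r" on file through her take edge to bob, carol receives it through bob's grant edge, and dave, who holds only "x" on file and no take or grant edge, cannot acquire it.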

11.) You are the project manager for the GHY Project and are trying to create a risk response for a negative risk. You and the project team have identified the risk that the project may not finish on time, as required by management, because of the creation of the user guide for the software you are building. You have decided to hire an external writer to fulfil the requirement and reduce the risk event. What type of risk response have you chosen in this example?

A. Transference
B. Exploiting
C. Avoidance
D. Sharing

Right Answer: A

12.) Which of the following organizations assists the President in overseeing the preparation of the federal budget and supervising its administration in Executive Branch agencies?

A. OMB
B. NIST
C. NSA/CSS
D. DCAA

Right Answer: A
The Office of Management and Budget (OMB) is a Cabinet-level office and is the largest office within the Executive Office of the President (EOP) of the United States. The current OMB Director is Peter Orszag, who was appointed by President Barack Obama. The OMB's predominant mission is to assist the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies. In helping to formulate the President's spending plans, the OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. The OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies. Answer: D is incorrect. The DCAA's purpose is to monitor contractor costs and perform contractor audits. Answer: C is incorrect. The National Security Agency/Central Security Service (NSA/CSS) is a cryptologic intelligence agency of the United States government. It is administered as a part of the United States Department of Defense. NSA is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves cryptanalysis. NSA is also responsible for protecting U.S. government communications and information systems from similar agencies elsewhere, which involves cryptography. NSA is a key component of the U.S. Intelligence Community, which is headed by the Director of National Intelligence. The Central Security Service is a co-located agency created to coordinate intelligence activities and cooperation between NSA and U.S. military cryptanalysis agencies. Answer: B is incorrect. The National Institute of Standards and Technology (NIST), known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory that is a non-regulatory agency of the United States Department of Commerce. The institute's official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.

13.) As part of your change management plan, you detail what should happen in the change control system for your project. Theresa, a junior project manager, asks what the configuration management activities are for scope changes. You tell her that all of the following are valid configuration management activities except which one?

A. Configuration Identification
B. Configuration Verification and Auditing
C. Configuration Status Accounting
D. Configuration Item Costing

Right Answer: D
Configuration item costing is not a valid configuration management activity. Cost changes are managed by the cost change control system; configuration management is concerned with changes to the features and functions of the project deliverables.

14.) Which of the following types of redundancy prevents attacks in which an attacker can take control of a machine, insert unauthorized software, and alter data?

A. Data redundancy
B. Hardware redundancy
C. Process redundancy
D. Application redundancy

Right Answer: C
Process redundancy permits software to run simultaneously in multiple geographically distributed locations, with voting on the results. It prevents attacks in which an attacker can take control of a machine, insert unauthorized software, and alter data, because a single compromised replica is outvoted by the others.

15.) Which of the following individuals evaluates whether the security policies, standards, guidelines, and procedures are effectively carried out in accordance with the company's stated security objectives?

A. Information system security professional
B. Information owner
C. Senior management
D. Information system auditor

Right Answer: by performing regular and independent audits. Answer: B is incorrect. An information owner determines the sensitivity or classification levels of information. Answer: A is correct.

16.) Which of the following process areas does the SSE-CMM define in the "Project and Organizational Practices" category? Each correct answer represents a complete solution. Choose all that apply.

A. Provide Ongoing Skills and Knowledge
B. Verify and Validate Security
C. Manage Project Risk
D. Improve Organization's System Engineering Process

Right Answer: ACD
Project and Organizational Practices comprise the following process areas:
PA12: Ensure Quality
PA13: Manage Configuration
PA14: Manage Project Risk
PA15: Monitor and Control Technical Effort
PA16: Plan Technical Effort
PA17: Define Organization's System Engineering Process
PA18: Improve Organization's System Engineering Process
PA19: Manage Product Line Evolution
PA20: Manage Systems Engineering Support Environment
PA21: Provide Ongoing Skills and Knowledge
PA22: Coordinate with Suppliers

17.) The LeGrand Vulnerability-Oriented Risk Management method is based on vulnerability analysis and consists of four standard steps. Which of the following processes does the risk assessment step include? Each correct answer represents a part of the solution. Choose all that apply.

A. Remediation of a particular vulnerability
B. Cost-benefit examination of countermeasures
C. Identification of vulnerabilities
D. Assessment of attacks

Right Answer: B, C, and D
Risk assessment includes identification of vulnerabilities, assessment of the losses caused by threats that materialized, cost-benefit examination of countermeasures, and assessment of attacks. Answer: A is incorrect. That process belongs to vulnerability management.

18.) You work as a Security Manager for Tech Perfect Inc. You have set up a SIEM server for the following purposes: analyze the data from different log sources; correlate the events among the log entries; identify and prioritize significant events; initiate responses to events if required. One of your log monitoring staff wants to know which features of SIEM products will help with these purposes. What features will you recommend? Each correct answer represents a complete solution.
Choose all that apply.

A. Asset information storage and correlation
B. Transmission confidentiality protection
C. Incident tracking and reporting
D. Security knowledge base
E. Graphical user interface

Right Answer: A, C, D, and E
The features of SIEM products are as follows. Graphical user interface (GUI): it is used during analysis to identify potential problems and to review all available data associated with those problems. Security knowledge base: it includes information on known vulnerabilities, log messages, and other technical data. Incident tracking and reporting: it has robust workflow features to track and report incidents. Asset information storage and correlation: it gives a higher priority to an attack that affects a vulnerable OS or the main host. Answer: B is incorrect. A SIEM product does not have this feature.

19.) According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls. Which of the following are among the eight areas of IA defined by DoD? Each correct answer represents a complete solution. Choose all that apply.

A. VI Vulnerability and Incident Management
B. Information systems acquisition, development, and maintenance
C. DC Security Design and Configuration
D. EC Enclave and Computing Environment

Right Answer: A, C, and D
Vulnerability and Incident Management, Security Design and Configuration, and Enclave and Computing Environment are among the DoD IA areas. Answer: B is incorrect. Information systems acquisition, development, and maintenance belongs, like business continuity management, to a global information security standard rather than to the DoD IA areas.

20.) Fill in the blank with an appropriate phrase. ______ models address specifications, requirements, design, verification and validation, and maintenance activities.

Right Answer: Life cycle

A life cycle model helps to provide insight into the development process and emphasizes the relationships among the various activities in that process. The model describes a structured approach to the development and change process involved in producing and maintaining systems. The life cycle model addresses specifications, design, requirements, verification and validation, and maintenance activities.
