CISSP Prep- Application Security

Reviewed by Editorial Team
The ProProfs editorial team is comprised of experienced subject matter experts. They've collectively created over 10,000 quizzes and lessons, serving over 100 million users. Our team includes in-house content moderators and subject matter experts, as well as a global network of rigorously trained contributors. All adhere to our comprehensive editorial guidelines, ensuring the delivery of high-quality content.
Learn about Our Editorial Process
| By Cindymurray
C
Cindymurray
Community Contributor
Quizzes Created: 8 | Total Attempts: 15,150
| Attempts: 306
Quiz Flashcard
SettingsSettings
Please wait...
  • 1/22 Questions

    It is extremely important that as one follows a software development project, security activities are performed

    • Before release to production, so that the project is not delayed
    • If a vulnerability is detected in your software
    • In each stage of the life cycle
    • When management mandates it
Please wait...
About This Quiz

This CISSP Prep quiz focuses on Application Security, assessing key concepts like data confidentiality, integrity, and availability. It evaluates understanding of security policies, bytecode, covert channels, and common vulnerabilities such as XSS, enhancing readiness for CISSP certification.

CISSP Quizzes & Trivia

Quiz Preview

  • 2. 

    Audit logs are what type of control?

    • Preventive

    • Detective

    • Compensating

    • Corrective

    Correct Answer
    A. Detective
    Explanation
    Audit logs can be used to fi nd out who (identity) did what
    (action), when (timestamp), and where (objects or resources aff ected) and are therefore
    detective in nature. Page 245.

    Rate this question:

  • 3. 

    Your organization has a Web site with a guest book feature, where visitors to your Web site can input their names and comments about your Web site. You notice that each time the guest book web page loads, a message box is prompted with the message “You have been Crossed” followed by redirection to a diff erent Web site. Analysis reveals that the no input validation or output encoding is being performed in the web application. Th is is the basis for the following type of attack?

    • Denial of service

    • Cross-site scripting (XSS)

    • Malicious file execution

    • Injection flaws

    Correct Answer
    A. Cross-site scripting (XSS)
    Explanation
    A Web site that allows users to input information for later
    retrieval by other users, such as a guestbook comment page or blog, without
    proper input validation, may fail to detect when such input comes in is in the
    form of active scripting. Without appropriate output encoding, the script can
    be actively read and executed by the browser causing denial of service (Web
    site defacement) or other serious impacts. Th is is the basis of cross-site scripting
    attacks. Page 177.

    Rate this question:

  • 4. 

    Th e key objective of application security is to ensure

    • Th at the software is hacker proof

    • Th e confi dentiality, integrity, and availability of data

    • Accountability of software and user activity

    • Prevent data theft

    Correct Answer
    A. Th e confi dentiality, integrity, and availability of data
    Explanation
    Th e objective of application security is to make sure that the
    system and its resources are available when needed, that the integrity of the processing
    of the data and the data itself are ensured, and that the confi dentiality of
    the data is protected. All of these purposes rely upon secure, consistent, reliable,
    and properly operating software. Ensuring confi dentiality, integrity, and availability
    will mitigate the chances and impact of a hacking incident or data theft,
    but it must be recognized that total hacker proof software is utopian. Auditing
    (logging) functionality in software can help with detecting software and user
    activity, but this is not the key objective of application security. Software security
    controls can reduce the likelihood of data theft but they are not necessarily
    preventative. Page 164.

    Rate this question:

  • 5. 

    A plot to take insignificant pennies from a user’s bank account and move them to the attacker’s bank account is an example of

    • Social engineering

    • Salami scam

    • Pranks

    • Hoaxes

    Correct Answer
    A. Salami scam
    Explanation
    A variant on the concept of logic bombs involves what is known
    as the salami scam. Th e basic idea involves siphoning off small amounts of money
    (in some versions, fractions of a cent) credited to a specifi c account, over a large
    number of transactions. Pranks are very much a part of the computer culture, so
    much so that you can now buy commercially produced joke packages that allow
    you to perform “stupid Mac (or PC or Windows) tricks.” Hoaxes use an odd kind
    of social engineering, relying on people’s naturally gregarious nature and desire to
    communicate, and on a sense of urgency and importance, using the ambition that
    people have to be the fi rst to provide important new information. Page 224.

    Rate this question:

  • 6. 

    The art of infl uencing people to divulge sensitive information about themselves or their organization by either coercion or masquerading as a valid entity is known as

    • Dumpster diving

    • Shoulder surfing

    • Phishing

    • Social engineering

    Correct Answer
    A. Social engineering
    Explanation
    Social engineering is the art of getting people to divulge sensitive
    information to others either in a friendly manner, as an attempt to be “helpful,”
    or through intimidation. Phishing is the form of social engineering using electronic
    means such as e-mail. Shoulder surfi ng is a disclosure attack wherein, you stand
    over the shoulders of someone and read the sensitive information they are viewing.
    Masking of information (asterisking password) can mitigate shoulder surfi ng.
    Dumpster diving is another disclosure attack in which dumpsters are searched to
    glean sensitive information. Page 178.

    Rate this question:

  • 7. 

    Your audit logs indicate that an employee that you terminated in the morning was still able to access certain sensitive resources on his or his system, on your internal network, that afternoon. Th e logs indicate that the employee had logged on successfully before he or she was terminated but there is no record of him or her logging off before he was terminated. Th is is an example of this type of attack?

    • Time of check/Time of use (TOC/TOU)

    • Logic bomb

    • Remote-access trojans (RATS)

    • Phishing

    Correct Answer
    A. Time of check/Time of use (TOC/TOU)
    Explanation
    TOC/TOU is a common type of attack that occurs when
    some control changes between the time that the system security functions check
    the contents of variables and the time the variables actually are used during operations.
    For instance, a user logs on to a system in the morning and later is fi red. As a
    result of the termination, the security administrator removes the user from the user
    database. Because the user did not log off , he or she still has access to the system
    and might try to get even. Logic bombs are software modules set up to run in a
    quiescent state, but to monitor for a specifi c condition or set of conditions and to
    activate their payload under those conditions. Remote-access trojans are malicious
    programs designed to be installed, usually remotely, after systems are installed and
    working. Phishing attempts to get the user to provide information that will be useful
    for identity theft-type frauds. Pages 178–179.

    Rate this question:

  • 8. 

    A security protection mechanism in which untrusted code, which is not signed, is restricted from accessing system resources is known as

    • Sandboxing

    • Non-repudiation

    • Separation of duties

    • Obfuscation

    Correct Answer
    A. Sandboxing
    Explanation
    One of the control mechanisms for mobile code is the sandbox.
    Th e sandbox provides a protective area for program execution. Limits are placed on the
    amount of memory and processor resources the program can consume. If the program
    exceeds these limits, the Web browser terminates the process and logs an error code.
    Th is can ensure the safety of the browser’s performance. Non-repudiation is a security
    control mechanism in which the user or process cannot deny its action. Separation of
    duties is about ensuring that a security policy cannot be violated by a single user or
    process. Obfuscation is the process of rendering source code to be unreadable and
    unintelligible as a protection against reversing and IP issues. Pages 209–210.

    Rate this question:

  • 9. 

    A program that does not reproduce itself but pretends to be performing a legitimate action, while acting performing malicious operations in the background is the characteristic of which of the following?

    • Worms

    • Trapdoor

    • Virus

    • Trojan

    Correct Answer
    A. Trojan
    Explanation
    A Trojan is a program that pretends to do one thing while performing
    another, unwanted action. A Trojan does not reproduce itself as do worms
    and viruses in order to spread. A trapdoor or backdoor is a hidden mechanism
    that bypasses access control measures. It is an entry point into a program that is
    inserted in software by programmers during the program’s development to provide
    a method of gaining access into the program for modifi cation if the access control
    mechanism malfunctions and locks them out. Developers often refer to them as
    maintenance hooks. Page 217.

    Rate this question:

  • 10. 

    Role-based access control to protect confi dentiality of data in databases can be achieved by which of the following?

    • Views

    • Encryption

    • Hashing

    • Masking

    Correct Answer
    A. Views
    Explanation
    A view is a feature that allows for virtual tables in a database;
    these virtual tables are created from one or more real tables in the database. For
    example, a view can be set up for each user (or group of users) on the system so that
    the user can then only view those virtual tables (or views). Encryption, hashing,
    and masking can all provide confi dentiality as well, but for databases, views based
    access control which is a content dependent access control mechanism is the best
    answer. Page 236.

    Rate this question:

  • 11. 

    Th ere is no inherent diff erence between the representation of data and programming in computer memory can lead to injection attacks, characterized by executing data as instructions. Th is is the fundamental aspect of which of the following computer architecture?

    • Von Neumann

    • Linus’ law

    • Clark and Wilson

    • Bell–LaPadula

    Correct Answer
    A. Von Neumann
    Explanation
    A fundamental aspect of von Neumann architecture on which
    most computers today are based on is that there is no inherent diff erence between
    data and programming (instructions) representations in memory. Th erefore, we
    cannot tell whether the pattern 4Eh (00101110) is the letter N or a decrement operation
    code (commonly known as opcode). Similarly, the pattern 72h (01110010)
    may be the letter r or the fi rst byte of the “jump if below” opcode. Th erefore, without
    proper input validation, an attacker can provide input data that may actually
    be an instruction for the system to do something unintended. Linus’ law basically
    is based on the premise that with more people reviewing the source code (as in
    the case of open source), more security bugs can be detected and hence improve
    security. Clark and Wilson model is an integrity model from which entity and
    referential integrity (RDBMS integrity) rules are derived. Bell–LaPadula is a confi
    dentiality model. Page 168.

    Rate this question:

  • 12. 

    Technical evaluation of assurance to ensure that security requirements have been met is known as

    • Accreditation

    • Certification

    • Validation

    • Verification

    Correct Answer
    A. Certification
    Explanation
    Certifi cation is the process of evaluating the security stance of
    the software or system against a predetermined set of security standards or policies.
    Management, after reviewing the certifi cation, authorizes the software or system
    to be implemented in a production status, in a specifi c environment, for a specifi c
    period. Th ere are two types of accreditation: provisional and full. Management
    approval is known as accreditation. Pages 185–186.

    Rate this question:

  • 13. 

    A property that ensures only valid or legal transactions that do not violate any user-defined integrity constraints in DBMS technologies is known as

    • Atomicity

    • Consistency

    • Isolation

    • Durability

    Correct Answer
    A. Consistency
    Explanation
    ACID test, which stands for atomicity, consistency, isolation,
    and durability, is an important DBMS concept. Atomicity is when all the parts of
    a transaction’s execution are either all committed or all rolled back—do it all or
    not at all. Essentially, all changes take eff ect, or none do. Consistency occurs when
    the database is transformed from one valid state to another valid state. A transaction
    is allowed only if it follows user-defi ned integrity constraints. Illegal transactions
    are not allowed, and if an integrity constraint cannot be satisfi ed, the
    transaction is rolled back to its previously valid state and the user is informed
    that the transaction has failed. Isolation is the process guaranteeing the results of
    a transaction are invisible to other transactions until the transaction is complete.
    Durability ensures the results of a completed transaction are permanent and can
    survive future system and media failures, that is, once they are done, they cannot
    be undone. Th is is similar to transaction persistence. Page 249.

    Rate this question:

  • 14. 

    For an application security program to be eff ective within your organization, it is critical to

    • Identify regulatory and compliance requirements.

    • Educate the software development organization the impact of insecure programming.

    • Develop the security policy that can be enforced.

    • Properly test all the software that is developed by your organization for security vulnerabilities.

    Correct Answer
    A. Develop the security policy that can be enforced.
    Explanation
    Th e underlying foundation of software security controls
    is the organization’s security policy. Th e security policy refl ects the security
    requirements of the organization. Th e identifi cation of regulatory and compliance
    requirements such as Sarbanes–Oxley (SOX), payment card industry data
    security standard (PCIDSS) are essential and must be factored into the security
    policy. Without a clear understanding of what the security requirements are, as
    defi ned in the security policy, educating software development teams may potentially
    be still inadequate. Testing for security vulnerability can provide some
    degree of software assurance, but with newer kinds of attacks against software
    being discovered, security testing does not directly indicate the eff ectiveness of an
    application security program. Page 165.

    Rate this question:

  • 15. 

    An important characteristic of bytecode is that it

    • Has increased secure inherently due to sandboxing

    • Manages memory operations automatically

    • Is more diffi cult to reverse engineer

    • Is faster than interpreted languages

    Correct Answer
    A. Is faster than interpreted languages
    Explanation
    A programming language like Java compiles source code into
    a sort of pseudo-object code called bytecode. Th e bytecode is then processed by the
    interpreter (called the Java Virtual Machine, or JVM) for the CPU to run. Because
    the bytecode is already fairly close to object code, the interpretation process is much
    faster than for other interpreted languages. And because bytecode is still undergoing
    an interpretation, a given Java program will run on any machine that has a
    JVM. Memory management and sandboxing are important security aspects that
    apply to the programming language Java, but not to bytecode itself. Th e debate over
    whether a pseudo-object (bytecode) representation can be easily reverse engineered
    is debatable and inconclusive. Because bytecode is more pseudo-object representation
    of the source code, reversing to source code is in fact considered less diffi cult
    than from object or executable code. Page 171.

    Rate this question:

  • 16. 

    Two cooperating processes that simultaneously compete for a shared resource, in such a way that they violate the system’s security policy, is commonly known as

    • Covert channel

    • Denial of service

    • Overt channel

    • Object reuse

    Correct Answer
    A. Covert channel
    Explanation
    A covert channel or confi nement problem is an information
    fl ow issue. It is a communication channel allowing two cooperating processes to
    transfer information in such a way that it violates the system’s security policy. Th ere
    are two types of covert channels, viz. storage and timing. A covert storage channel
    involves the direct or indirect reading of a storage location by one process and a
    direct or indirect reading of the same storage location by another process. Typically,
    a covert storage channel involves a fi nite resource, such as a memory location or sector
    on a disk that is shared by two subjects at diff erent security levels. Th is scenario
    is a description of a covert storage channel. A covert timing channel depends upon
    being able to infl uence the rate that some other process is able to acquire resources,
    such as the CPU, memory, or I/O devices. Covert channels as opposed to what
    should be the case (overt channels) could lead to denial of service and object reuse
    has to do with disclosure protection when objects in memory are reused by diff erent
    processes. Pages 175–176.

    Rate this question:

  • 17. 

    Defect prevention rather than defect removal is characteristic of which of the following software development methodology?

    • Computer aided software engineering (CASE)

    • Spiral

    • Waterfall

    • Cleanroom

    Correct Answer
    A. Cleanroom
    Explanation
    In cleanroom software development methodology, the goal
    is to write code correctly the fi rst time, rather than trying to fi nd the problems
    once they are there. Essentially, it focuses on defect prevention rather than defect
    removal. Th e waterfall methodology is extremely structured and its key distinguishing
    characteristic is that each phase (stage) must be completed before moving
    on to the next, in order to prevent ad hoc scope creep. A distinguishing feature
    of the spiral model is that in each phase of the waterfall there are four substages,
    based on the common Deming PDCA (Plan-Do-Check-Act) model; in particular,
    a risk assessment review (Check). CASE is the technique of using computers and
    computer utilities to help with the systematic analysis, design, development, implementation,
    and maintenance of software. Page 188.

    Rate this question:

  • 18. 

    Th e two most common forms of attacks against databases are

    • Injection and scripting

    • Session hijacking and cookie poisoning

    • Aggregation and inference

    • Bypassing authentication and insecure cryptography

    Correct Answer
    A. Aggregation and inference
    Explanation
    Aggregation is the ability to combine nonsensitive data from
    separate sources to create sensitive information. For example, a user takes two
    or more unclassifi ed pieces of data and combines them to form a classifi ed piece
    of data that then becomes unauthorized for that user. Th us, the combined data
    sensitivity can be greater than the classifi cation of individual parts. Inference
    is the ability to deduce (infer) sensitive or restricted information from observing
    available information. Essentially, users may be able to determine unauthorized
    information from what information they can access and may never need to
    directly access unauthorized data. For example, if a user is reviewing authorized
    information about patients, such as the medications they have been prescribed,
    the user may be able to determine the illness. Inference is one of the hardest
    threats to control. All of the other attacks are primarily attacks on Web applications.
    Pages 245–246.

    Rate this question:

  • 19. 

    Expert systems are comprised of a knowledge base comprising modeled human experience and which of the following?

    • Inference engine

    • Statistical models

    • Neural networks

    • Roles

    Correct Answer
    A. Inference engine
    Explanation
    Th e expert system uses a knowledge base (a collection of
    all the data, or knowledge, on a particular matter) and a set of algorithms or
    rules that infer new facts from knowledge and incoming data. Th e knowledge
    base could be the human experience that is available in an organization. Because
    the system reacts to a set of rules, if the rules are faulty, the response will also
    be faulty. Also, because human decision is removed from the point of action, if
    an error were to occur, the reaction time from a human would be longer. Pages
    253–254.

    Rate this question:

  • 20. 

    Who can ensure and enforce the separation of duties by ensuring that programmers do not have access to production code?

    • Operations personnel

    • Software librarian

    • Management

    • Quality assurance personnel

    Correct Answer
    A. Software librarian
    Explanation
    A software librarian ensures program or data library is controlled
    in accordance with policy and procedures. Page 184.

    Rate this question:

  • 21. 

    Th e best defense against session hijacking and man-in-the-middle (MITM) attacks is to use the following in the development of your software?

    • Unique and random identification

    • Use prepared statements and procedures

    • Database views

    • Encryption

    Correct Answer
    A. Unique and random identification
    Explanation
    Th e use on non-predictable (randomized) and unique identifi
    ers to identify sessions between two communicating parties is the best defense
    against session hijacking and man-in-the-middle attacks. Encryption provides disclosure
    protection. Prepared statements or procedures at the database layer, reduces
    the likelihood of injection attacks. A database view is a preventive security control
    measure against disclosure attacks. Page 256.

    Rate this question:

  • 22. 

    The most effective defense against a buffer overflow attack is

    • Disallow dynamic construction of queries

    • Bounds checking

    • Encode the output

    • Forced garbage collection

    Correct Answer
    A. Encode the output
    Explanation
    Buff er overfl ows can result when a program fi lls up the assigned
    buff er of memory with more data than its buff er can hold. When the program
    begins to write beyond the end of the buff er, the program’s execution path can be
    changed, or data can be written into areas used by the operating system itself. A
    buff er overfl ow is caused by improper (or lacking) bounds checking on input to a
    program. By checking for the bounds (boundaries) of allowable input size, buff er
    overfl ow can be mitigated. Disallowing dynamic construction of queries is a defense
    against injection attacks and encoding the output mitigates scripting attacks. Th e
    collection of dangling objects in memory (garbage) can be requested but not necessarily
    forced and proper memory management can help mitigate buff er overfl ow
    attacks, but the most eff ective defenses against buff er overfl ow is bounds checking
    and proper error checking. Pages 174–175.

    Rate this question:

Quiz Review Timeline (Updated): Mar 20, 2023 +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Mar 20, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Dec 21, 2012
    Quiz Created by
    Cindymurray
Back to Top Back to top
Advertisement
×

Wait!
Here's an interesting quiz for you.

We have other quizzes matching your interest.