PDF Download CSSLP Certified Secure Software Lifecycle Professional

The document contains 14 multiple choice questions about concepts related to secure software development and risk management. The questions cover topics such as risk assessment methodologies, security design principles, categories of controls, and examples of security standards.

Uploaded by

Editor X
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
286 views14 pages

PDF Download CSSLP Certified Secure Software Lifecycle Professional

The document contains 14 multiple choice questions about concepts related to secure software development and risk management. The questions cover topics such as risk assessment methodologies, security design principles, categories of controls, and examples of security standards.

Uploaded by

Editor X
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

Quizack.com

CSSLP: Certified Secure Software Lifecycle Professional Exam

Question No. 1

Safeguards

Risk-based information security strategy assessment methodology - developed by SEI in conjunction with US-CERT - Performed in 3 phases: Build asset-based threat profile - Identify infrastructure vulnerabilities - Develop security strategy and plans

Security controls applied to mitigate a threat before it materializes

Risk that remains after the implementation of mitigating security controls

Successful completion of a critical task is dependent on 2 or more conditions that need to be met

Question No. 2

Open design

Authentication

Microsoft SRMD (Security Risk Management Discipline) - Vulnerability-oriented risk management - Charles Le Grand - Morana Risk Management Activities - Cigital Risk Management Methods

Implementation detail of the design is independent of the design itself. Reviewing the design itself will not result in the compromise of the safeguards of the software

Design to mitigate any single source of complete compromise

Question No. 3

Non-repudiation

Coding Standards (internal) - PCI DSS - NIST Standards - ISO Standards - Federal Information Processing Standards

Page 1 of 14
Quizack.com

Dependability - Trustworthiness: Minimum number of or no vulnerabilities - Resilience: Resistant or tolerant of attacks and able to recover quickly with as little harm as possible

Secure applications running on secure hosts (systems) in a secure network

Addresses the deniability of actions taken by either a user or the software on behalf of the user - Can be accomplished by auditing access information

Question No. 4

Properties of secure software

Protection against improper data alteration. It is a measure of software resiliency and pertains to the modification of data and the reliable function of the software - Data is internally and externally consistent

Support policies at a granular and specific level - Can be characterized as internal and external

Dependability - Trustworthiness: Minimum number of or no vulnerabilities - Resilience: Resistant or tolerant of attacks and able to recover quickly with as little harm as possible

Support for accreditation and certification bodies that audit and certify ISMS

Question No. 5

After identification step is...

Use directed graph to specify the rights that a subject can transfer to an
object or that a subject can take from another subject

Authentication

OWASP - ITIL

Indicator of the magnitude of risk in a year: ALE = SLE * ARO

Question No. 6

Risk management process

Preventive Controls: Detection Controls: e.g. background checks - periodic review of security controls - Recovery controls:

Balancing act between the protection of IT assets and the cost of implementing software security controls so that the risk is handled appropriately. It includes: Preliminary assessment for the need of security controls - Identification of security c

Supporting Controls: Identification - cryptographic key management - security administration - system protections - Preventive Controls: authentication - authorization - access control enforcement - non-repudiation - Detection and recovering controls:

Secure applications running on secure hosts (systems) in a secure network

Question No. 7

Least common mechanism

Disallow the sharing of mechanisms that are common to more than one user or process with different levels of privilege

Still under development - aims to address ISMS implementation guidance

A possibility that an unwanted - unintended - or harmful event may occur and result in an incident. The source can be a vulnerability.

Successful completion of a critical task is dependent on 2 or more conditions that need to be met

Question No. 8

Categories of controls

Technical - Management - Operational

Provides a common glossary of terms and definitions - Overview and introduction to the ISMS family of standards that covers: Requirement definitions - Detailed guidance of the PDCA process - Sector-specific guidelines and conformity assessment for ISMS

Concept aims at ensuring that the appropriate levels of protection are provided to secure configurable parameters that are needed for the software to run

Uses comprehensive penetration testing to test the strength of the security software in order to predict and analyze vulnerabilities

Question No. 9

OWASP testing guide

Guidelines for quality software products - Six external quality characteristics to measure quality of software: functionality - reliability - usability - efficiency - maintainability - portability

Covers the necessary procedures and tools to validate software assurance

Design to mitigate any single source of complete compromise

Risk-based information security strategy assessment methodology - developed by SEI in conjunction with US-CERT - Performed in 3 phases: Build asset-based threat profile - Identify infrastructure vulnerabilities - Develop security strategy and plans

Question No. 10

ISO/IEC 21827:2008

SSE-CMM - De facto standard metric for evaluating security engineering practices for the organization or customer

Disallow the sharing of mechanisms that are common to more than one user or process with different levels of privilege

Risk-based information security strategy assessment methodology - developed by SEI in conjunction with US-CERT - Performed in 3 phases: Build asset-based threat profile - Identify infrastructure vulnerabilities - Develop security strategy and plans

Likely to be replaced by ISO/IEC 30001 under development - Provides standards for IS risk management

Question No. 11

Exposure factor (EF)

Risk that remains after the implementation of mitigating security controls

Concept aims at ensuring that the appropriate levels of protection are provided to secure configurable parameters that are needed for the software to run

Opportunity for a threat to cause loss. It plays an important role in the computation of risk.

Implementation detail of the design is independent of the design itself. Reviewing the design itself will not result in the compromise of the safeguards of the software

Question No. 12

ISO/IEC 27000:2009

Support for accreditation and certification bodies that audit and certify ISMS

Design to mitigate any single source of complete compromise

Access Control Models - Access Matrix - Take-Grant - BLP (Bell-LaPadula) - State machine - Integrity Models - Biba Model - Clark-Wilson Model - Information Flow Models - Non-Interference - Chinese Wall (Brewer and Nash) model

Provides a common glossary of terms and definitions - Overview and introduction to the ISMS family of standards that covers: Requirement definitions - Detailed guidance of the PDCA process - Sector-specific guidelines and conformity assessment for ISMS

Question No. 13

Security design principles

Security Concepts that need to be considered when designing and architecting software: Least privilege - Compartmentalization (separation of duties) - Defense in depth - Fail Secure - Keep it simple - Complete mediation - Open Design - Least common m

Security controls applied to mitigate a threat before it materializes

Guidelines for quality software products - Six external quality characteristics to measure quality of software: functionality - reliability - usability - efficiency - maintainability - portability

Preventive Controls: Detection Controls: e.g. background checks - periodic review of security controls - Recovery controls:

Question No. 14

Examples of Security Standards

Coding Standards (internal) - PCI DSS - NIST Standards - ISO Standards - Federal Information Processing Standards

Concept aims at ensuring that unintended and unreliable behavior of the software is explicitly handled - while maintaining a secure state and protection against CIA threats - Errors and exception messages should be non-verbose and explicit - Software

The likelihood that a threat can result in an incident. This is the overall risk of a system

Supporting Controls: Identification - cryptographic key management - security administration - system protections - Preventive Controls: authentication - authorization - access control enforcement - non-repudiation - Detection and recovering controls:

Question No. 15

Vulnerability

The likelihood that a threat can result in an incident. This is the overall risk of a system

Aims at mitigating session hijacking (MITM attack). Requires that the session token is unique and that the user session is tracked to detect and prevent session hijacking

Risk calculation and rating methodology that is often used with STRIDE - Rating performed across 5 dimensions: Damage potential - Reproducibility - Exploitability - Affected users - Discoverability

A weakness or flaw that could be accidentally triggered or intentionally exploited by an attacker - resulting in the breach or breakdown of the security policy

Question No. 16

Security Controls

Specifies at a high level the 'what' and 'why' for security - Provides the framework and point of reference that can be used to measure an organization's posture - Requires support of executive management to be effective and enforceable

Mechanisms by which threats to software and systems can be mitigated. These mechanisms may be technical - administrative or physical. Improper implementation of these mechanisms may become a threat to the system

Specifies the requirements for establishing - implementing - operating - monitoring - reviewing - maintaining and improving a documented ISMS

Provides Common Criteria to evaluate IT security products

Question No. 17

Challenges in implementing auditing/logging

Performance impact - Information overload - Capacity impact - Configuration interfaces protection - Audit log protection

Protection against improper data alteration. It is a measure of software resiliency and pertains to the modification of data and the reliable function of the software - Data is internally and externally consistent

Is recommended for validating access to systems containing sensitive or critical information (FFIEC guidance on authentication)

Secure applications running on secure hosts (systems) in a secure network

Question No. 18

FIPS 197 (Advanced Encryption Standard - AES)

Microsoft methodology of risk management - comprises the following steps: Assessment of assets - security risks

Specifies requirements for a cryptographic module at 4 increasing qualitative levels (1-4) intended to cover a wide range of potential applications and environments

Specifies an approved cryptographic algorithm to ensure the confidentiality of electronic data

Software or the data it processes must be accessible only by those who are authorized - It must be accessible only at the time that it is required.

Question No. 19

ISO/IEC 27001:2005

A weakness or flaw that could be accidentally triggered or intentionally exploited by an attacker - resulting in the breach or breakdown of the security policy

Specifies the requirements for establishing - implementing - operating - monitoring - reviewing - maintaining and improving a documented ISMS

SP800-12: Introduction to Computer Security handbook - SP800-14: Generally accepted principles and practices for securing IT systems - SP800-30: Risk Management Guide for IT - SP800-64: Security Considerations in the information systems development

Security controls applied after a threat has materialized

Question No. 20

Flaw Hypothesis Method (FHM)

Uses comprehensive penetration testing to test the strength of the security software in order to predict and analyze vulnerabilities

Concept aims at ensuring that the appropriate levels of protection are provided to secure configurable parameters that are needed for the software to run

Iron triangle constraint (schedule - scope - budget) - Security as an afterthought - Security versus usability

Coding Standards (internal) - PCI DSS - NIST Standards - ISO Standards - Federal Information Processing Standards

Question No. 21

Least privilege

Aims at mitigating session hijacking (MITM attack). Requires that the session token is unique and that the user session is tracked to detect and prevent session hijacking

Disallow the sharing of mechanisms that are common to more than one user or process with different levels of privilege

Entity should have the minimum access level and access rights to do the job - The right is given for the minimum amount of time necessary to complete the job

Supporting Controls: Identification - cryptographic key management - security administration - system protections - Preventive Controls: authentication - authorization - access control enforcement - non-repudiation - Detection and recovering controls:

Question No. 22

Multifactor authentication

Provides Common Criteria to evaluate IT security products

Addresses the deniability of actions taken by either a user or the software on behalf of the user - Can be accomplished by auditing access information

Is recommended for validating access to systems containing sensitive or critical information (FFIEC guidance on authentication)

Software or the data it processes must be accessible only by those who are authorized - It must be accessible only at the time that it is required.

Question No. 23

ISO/IEC 9216

Aims at mitigating session hijacking (MITM attack). Requires that the session token is unique and that the user session is tracked to detect and prevent session hijacking

Still under development - aims to address ISMS implementation guidance

Guidelines for quality software products - Six external quality characteristics to measure quality of software: functionality - reliability - usability - efficiency - maintainability - portability

Functionally tested - Structurally tested - Methodically tested and checked - Methodically designed, tested and reviewed - Semiformally designed and tested - Semiformally verified design and tested - Formally verified design and tested

Question No. 24

Implementation challenges

Functionally tested - Structurally tested - Methodically tested and checked - Methodically designed, tested and reviewed - Semiformally designed and tested - Semiformally verified design and tested - Formally verified design and tested

Iron triangle constraint (schedule - scope - budget) - Security as an afterthought - Security versus usability

Disallow the sharing of mechanisms that are common to more than one user or process with different levels of privilege

Support policies at a granular and specific level - Can be characterized as internal and external

Question No. 25

ISO/IEC 27005:2008

SSE-CMM - De facto standard metric for evaluating security engineering practices for the organization or customer

Security concept that aims at ensuring the identity of an entity (person or resource) is specified in the format that the software is expecting - Validates or verifies the identity information that has been supplied

Likely to be replaced by ISO/IEC 30001 under development - Provides standards for IS risk management

Periodic publication by OWASP of the top 10 Web application security vulnerabilities

Question No. 26

Access Matrix model

27. DREAD

Development guide - Code Review Guide - Testing Guide

Risk calculation and rating methodology that is often used with STRIDE - Rating performed across 5 dimensions: Damage potential - Reproducibility - Exploitability - Affected users - Discoverability

Specifies the architecture and technical requirements for a common identification standard for federal employees and contractors

Coding Standards (internal) - PCI DSS - NIST Standards - ISO Standards - Federal Information Processing Standards

Question No. 27

Psychological acceptability

Security functionality is easy to use and transparent

Concepts aim at mitigating disclosure - alteration - and destruction threats. These are supporting concepts to the core security objectives of CIA

Support policies at a granular and specific level - Can be characterized as internal and external

A possibility that an unwanted - unintended - or harmful event may occur and result in an incident. The source can be a vulnerability.

Question No. 28

OCTAVE

Technical - Management - Operational

Security controls applied to mitigate a threat before it materializes

Risk-based information security strategy assessment methodology - developed by SEI in conjunction with US-CERT - Performed in 3 phases: Build asset-based threat profile - Identify infrastructure vulnerabilities - Develop security strategy and plans

A set of comprehensive requirements aimed at protecting payment account data security - 12 foundational requirements mapped into 6 control objectives - Requirement 6 and its subrequirements are directly related to software security - develop and main

Question No. 29

Vulnerability repositories

Software or the data it processes must be accessible only by those who are authorized - It must be accessible only at the time that it is required.

Provides Common Criteria to evaluate IT security products

US-CERT Vulnerability Notes - Common Vulnerability Scoring System (CVSS) - Open Source Vulnerability Database - Common Vulnerabilities and Exposures (CVE) - Common Weakness Enumeration (CWE)

Replacement of the ISO 17799 standard - Provides guidelines for effective security management practices - Outlines control objectives and controls in diverse areas of ISMS

Question No. 30

Integrity

The incorporation of security concepts in the requirements - design - code - release - and disposal phases of the SDLC - includes: Confidentiality - integrity - availability - authentication - authorization - auditing - Session management - Error/exc

Protection against improper data alteration. It is a measure of software resiliency and pertains to the modification of data and the reliable function of the software - Data is internally and externally consistent

Implementation detail of the design is independent of the design itself. Reviewing the design itself will not result in the compromise of the safeguards of the software

Entity should have the minimum access level and access rights to do the job - The right is given for the minimum amount of time necessary to complete the job
