• ホーム
  • ブログ
  • 手に入れよう!は2024年最新の有効な実践問題であなたのCSSLP試験を合格させる(本日更新された349問) [Q202-Q227]

手に入れよう!は2024年最新の有効な実践問題であなたのCSSLP試験を合格させる(本日更新された349問) [Q202-Q227]

Share

手に入れよう!は2024年最新の有効な実践問題であなたのCSSLP試験を合格させる(本日更新された349問)

ISC Certification CSSLP試験実践テスト問題集解答豪華セットを使おう!


ISC CSSLP 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Manage Security Within a Software Development Methodology
  • Define Software Security Requirements
トピック 2
  • Define and Develop Security Documentation
  • Identify and Analyze Privacy Requirements
トピック 3
  • Incorporate Integrated Risk Management (IRM)
  • Develop Security Requirement Traceability Matrix (STRM)
トピック 4
  • Apply Security During the Build Process
  • Define Secure Operational Architecture
トピック 5
  • Develop Security Testing Strategy and Plan
  • Evaluate and Select Reusable Secure Design

 

質問 # 202
You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you're creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event. What type of risk response have you elected to use in this instance?

  • A. Avoidance
  • B. Transference
  • C. Sharing
  • D. Exploiting

正解:B

解説:
This is an example of transference as you have transferred the risk to a third party.
Transference almost always is done with a negative risk event and it usually requires a contractual
relationship.


質問 # 203
Continuous Monitoring is the fourth phase of the security certification and accreditation process. What activities are performed in the Continuous Monitoring process? Each correct answer represents a complete solution. Choose all that apply.

  • A. Security accreditation decision
  • B. Security control monitoring and impact analyses of changes to the information system
  • C. Configuration management and control
  • D. Status reporting and documentation
  • E. Security accreditation documentation

正解:B、C、D

解説:
Explanation/Reference:
Explanation: Continuous Monitoring is the fourth phase of the security certification and accreditation process. The Continuous Monitoring process consists of the following three main activities: Configuration management and control Security control monitoring and impact analyses of changes to the information system Status reporting and documentation The objective of these tasks is to observe and evaluate the information system security controls during the system life cycle. These tasks determine whether the changes that have occurred will negatively impact the system security. Answer: A and C are incorrect.
Security accreditation decision and security accreditation documentation are the two tasks of the security accreditation phase.


質問 # 204
In which of the following deployment models of cloud is the cloud infrastructure administered by the organizations or a third party? Each correct answer represents a complete solution. Choose two.

  • A. Public cloud
  • B. Community cloud
  • C. Hybrid cloud
  • D. Private cloud

正解:B、D

解説:
Explanation/Reference:
Explanation: In private cloud, the cloud infrastructure is operated exclusively for an organization. The private cloud infrastructure is administered by the organization or a third party, and exists on premise and off premise. In community cloud, the cloud infrastructure is shared by a number of organizations and supports a particular community. The community cloud infrastructure is administered by the organizations or a third party and exists on premise or off premise. AnswerB is incorrect. In public cloud, the cloud infrastructure is administered by an organization that sells cloud services. AnswerC is incorrect. In hybrid cloud, the cloud infrastructure is administered by both, i.e., an organization and a third party.


質問 # 205
Martha works as a Project Leader for BlueWell Inc. She and her team have developed accounting software. The software was performing well. Recently, the software has been modified. The users of this software are now complaining about the software not working properly. Which of the following actions will she take to test the software?

  • A. Perform acceptance testing
  • B. Perform regression testing
  • C. Perform unit testing
  • D. Perform integration testing

正解:B

解説:
Regression testing can be performed any time when a program needs to be modified either to add a feature or to fix an error. It is a process of repeating Unit testing and Integration testing whenever existing tests need to be performed again along with the new tests. Regression testing is performed to ensure that no existing errors reappear, and no new errors are introduced. Answer D is incorrect. The acceptance testing is performed on the application before its implementation into the production environment. It is done either by a client or an application specialist to ensure that the software meets the requirement for which it was made. Answer A is incorrect. Integration testing is a logical extension of unit testing. It is performed to identify the problems that occur when two or more units are combined into a component. During integration testing, a developer combines two units that have already been tested into a component, and tests the interface between the two units. Although integration testing can be performed in various ways, the following three approaches are generally used: The top-down approach The bottom-up approach The umbrella approach Answer C is incorrect. Unit testing is a type of testing in which each independent unit of an application is tested separately. During unit testing, a developer takes the smallest unit of an application, isolates it from the rest of the application code, and tests it to determine whether it works as expected. Unit testing is performed before integrating these independent units into modules. The most common approach to unit testing requires drivers and stubs to be written. Drivers and stubs are programs. A driver simulates a calling unit, and a stub simulates a called unit.


質問 # 206
Which of the following is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known, but by which a business can obtain an economic advantage over its competitors?

  • A. Cookie
  • B. Copyright
  • C. Utility model
  • D. Trade secret

正解:D

解説:
Explanation/Reference:
Explanation:
A trade secret is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known. It helps a business to obtain an economic advantage over its competitors or customers. In some jurisdictions, such secrets are referred to as confidential information or classified information. AnswerA is incorrect. A copyright is a form of intellectual property, which secures to its holder the exclusive right to produce copies of his or her works of original expression, such as a literary work, movie, musical work or sound recording, painting, photograph, computer program, or industrial design, for a defined, yet extendable, period of time. It does not cover ideas or facts. Copyright laws protect intellectual property from misuse by other individuals. AnswerB is incorrect. A utility model is an intellectual property right to protect inventions. AnswerD is incorrect. A cookie is a small bit of text that accompanies requests and pages as they move between Web servers and browsers. It contains information that is read by a Web application, whenever a user visits a site. Cookies are stored in the memory or hard disk of client computers. A Web site stores information, such as user preferences and settings in a cookie. This information helps in providing customized services to users. There is absolutely no way a Web server can access any private information about a user or his computer through cookies, unless a user provides the information. A Web server cannot access cookies created by other Web servers.


質問 # 207
Which of the following are the basic characteristics of declarative security? Each correct answer represents a complete solution. Choose all that apply.

  • A. All security constraints are stated in the configuration files.
  • B. It has a runtime environment.
  • C. It is a container-managed security.
  • D. The security policies are applied at the deployment time.

正解:A、B、C

解説:
The following are the basic characteristics of declarative security: In declarative security, programming is not required. All security constraints are stated in the configuration files. It is a container-managed security. The application server manages the enforcing process of security constraints. It has a runtime environment. The security policies for runtime environment are represented by the deployment descriptor. It can support different environments, such as development, testing, and production. Answer D is incorrect. It is the characteristic of programmatic security.


質問 # 208
John works as a systems engineer for BlueWell Inc. He has modified the software, and wants to retest the application to ensure that bugs have been fixed or not. Which of the following tests should John use to accomplish the task?

  • A. Reliability test
  • B. Functional test
  • C. Performance test
  • D. Regression test

正解:D

解説:
John should use the regression tests to retest the application to guarantee that bugs have been fixed. This test will help him to check that the earlier working functions have not failed as a result of the changes, and newly added features have not created problems with the previous versions. The various types of internal tests performed on builds are as follows: Regression tests: It is also known as the verification testing. These tests are developed to confirm that capabilities in earlier builds continue to work correctly in the subsequent builds. Functional test: These tests emphasizes on verifying that the build meets its functional and data requirements and correctly generates each expected display and report. Performance tests: These tests are used to identify the performance thresholds of each build. Reliability tests: These tests are used to identify the reliability thresholds of each build.


質問 # 209
You work as a Security Manager for Tech Perfect Inc. You find that some applications have failed to encrypt network traffic while ensuring secure communications in the organization. Which of the following will you use to resolve the issue?

  • A. TLS
  • B. IPSec
  • C. HTTPS
  • D. SCP

正解:A

解説:
In order to resolve the issue, you should use TLS (Transport Layer Security). Transport Layer Security (TLS) is a cryptographic protocol that provides security and data integrity for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end. Several versions of the protocols are in wide-spread use in applications like web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP). The TLS protocol, an application layer protocol, allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. Answer C is incorrect. Internet Protocol Security (IPSec) is a method of securing data. It secures traffic by using encryption and digital signing. It enhances the security of data as if an IPSec packet is captured, its contents cannot be read. IPSec also provides sender verification that ensures the certainty of the datagram's origin to the receiver. Answer D is incorrect. Hypertext Transfer Protocol Secure (HTTPS) protocol is a protocol used in the Universal Resource Locater (URL) address line to connect to a secure site. If a site has been made secure by using the Secure Sockets Layer (SSL) then HTTPS, instead of HTTP protocol, should be used as a protocol type in the URL. Answer A is incorrect. The SCP (secure copy) protocol is a network protocol that supports file transfers. The SCP protocol, which runs on port 22, is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. SCP might not even be considered a protocol itself, but merely a combination of RCP and SSH. The RCP protocol performs the file transfer and the SSH protocol performs authentication and encryption. SCP protects the authenticity and confidentiality of the data in transit. It hinders the ability for packet sniffers to extract usable information from the data packets.


質問 # 210
Which of the following DoD policies establishes policies and assigns responsibilities to achieve DoD IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare?

  • A. DoD 8500.1 Information Assurance (IA)
  • B. DoDI 5200.40
  • C. DoD 8510.1-M DITSCAP
  • D. DoD 8500.2 Information Assurance Implementation

正解:A

解説:
DoD 8500.1 Information Assurance (IA) sets up policies and allots responsibilities to achieve DoD IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare. DoD 8500.1 also summarizes the roles and responsibilities for the persons responsible for carrying out the IA policies. Answer D is incorrect. The DoD 8500.2 Information Assurance Implementation pursues 8500.1. It provides assistance on how to implement policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of the DoD information systems and networks. DoD Instruction 8500.2 allots tasks and sets procedures for applying integrated layered protection of the DOD information systems and networks in accordance with the DoD 8500.1 policy. It also provides some important guidelines on how to implement an IA program. Answer A is incorrect. DoDI 5200.40 executes the policy, assigns responsibilities, and recommends procedures under reference for Certification and Accreditation(C&A) of information technology (IT). Answer C is incorrect. DoD 8510.1-M DITSCAP provides standardized activities leading to accreditation, and establishes a process and management baseline.


質問 # 211
Which of the following features of SIEM products is used in analysis for identifying potential problems and reviewing all available data that are associated with the problems?

  • A. Graphical user interface
  • B. Security knowledge base
  • C. Asset information storage and correlation
  • D. Incident tracking and reporting

正解:A

解説:
SIEM product has a graphical user interface (GUI) which is used in analysis for identifying potential problems and reviewing all available data that are associated with the problems. A graphical user interface (GUI) is a type of user interface that allows people to interact with programs in more ways than typing commands on computers. The term came into existence because the first interactive user interfaces to computers were not graphical; they were text- and-keyboard oriented and usually consisted of commands a user had to remember and computer responses that were infamously brief. A GUI offers graphical icons, and visual indicators, as opposed to text-based interfaces, typed command labels or text navigation to fully represent the information and actions available to a user. The actions are usually performed through direct manipulation of the graphical elements.


質問 # 212
Which of the following are Service Level Agreement (SLA) structures as defined by ITIL? Each correct answer represents a complete solution. Choose all that apply.

  • A. Customer Based
  • B. Service Based
  • C. Component Based
  • D. Segment Based
  • E. Multi-Level

正解:A、B、E

解説:
Explanation/Reference:
Explanation: ITIL defines 3 types of Service Level Agreement (SLA) structures, which are as follows:
1.Customer Based: It covers all services used by an individual customer group. 2.Service Based: It is one service for all customers. 3.Multi-Level: Some examples of Multi-Level SLA are 3 Tier SLA encompassing Corporate and Customer & Service Layers. AnswerC and A are incorrect. There are no such SLA structures as Segment Based and Component Based.


質問 # 213
Which of the following are the responsibilities of the owner with regard to data in an information classification program? Each correct answer represents a complete solution. Choose three.

  • A. Delegating the responsibility of the data protection duties to a custodian.
  • B. Running regular backups and routinely testing the validity of the backup data.
  • C. Determining what level of classification the information requires.
  • D. Reviewing the classification assignments at regular time intervals and making changes as the business needs change.

正解:A、C、D

解説:
The following are the responsibilities of the owner with regard to data in an information classification program: Determining what level of classification the information requires. Reviewing the classification assignments at regular time intervals and making changes as the business needs change. Delegating the responsibility of the data protection duties to a custodian. An information owner can be an executive or a manager of an organization. He will be responsible for the asset of information that must be protected. Answer B is incorrect. Running regular backups and routinely testing the validity of the backup data is the responsibility of a custodian.


質問 # 214
Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?

  • A. Lanham Act
  • B. FISMA
  • C. Computer Misuse Act
  • D. Computer Fraud and Abuse Act

正解:B

解説:
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a 'risk-based policy for cost-effective security'. FISMA requires agency program officials, chief information officers, and Inspectors Generals (IGs) to conduct annual reviews of the agency's information security program and report the results to Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare this annual report to Congress on agency compliance with the act. Answer B is incorrect. The Lanham Act is a piece of legislation that contains the federal statutes of trademark law in the United States. The Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising. It is also called Lanham Trademark Act. Answer A is incorrect. The Computer Misuse Act 1990 is an act of the UK Parliament which states the following statement: Unauthorized access to the computer material is punishable by 6 months imprisonment or a fine "not exceeding level 5 on the standard scale" (currently 5000). Unauthorized access with the intent to commit or facilitate commission of further offences is punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment. Unauthorized modification of computer material is subject to the same sentences as section 2 offences. Answer C is incorrect. The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or computers used in interstate and foreign commerce. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act punishes anyone who not just commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.


質問 # 215
The build environment of secure coding consists of some tools that actively support secure specification, design, and implementation. Which of the following features do these tools have? Each correct answer represents a complete solution. Choose all that apply.

  • A. They employ software security constraints, protections, and services.
  • B. They decrease the attack surface.
  • C. They reduce and restrain the propagation, extent, and damage that have occurred by insecure software behavior.
  • D. They decrease the level of type checking and program analysis.
  • E. They decrease the exploitable flaws and weaknesses.

正解:A、B、C、E

解説:
Explanation/Reference:
Explanation: The tools that produce secure software have the following features: They decrease the exploitable flaws and weaknesses. They decrease the attack surface. They employ software security constraints, protections, and services. They reduce and restrain the propagation, extent, and damage that are caused by the behavior of insecure software. AnswerE is incorrect. This feature is not required for these tools.


質問 # 216
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed?

  • A. Level 2
  • B. Level 3
  • C. Level 5
  • D. Level 4
  • E. Level 1

正解:D

解説:
Explanation/Reference:
Explanation: The following are the five levels of FITSAF based on SEI's Capability Maturity Model (CMM):
Level 1: The first level reflects that an asset has documented a security policy. Level 2: The second level shows that the asset has documented procedures and controls to implement the policy. Level 3: The third level indicates that these procedures and controls have been implemented. Level 4: The fourth level shows that the procedures and controls are tested and reviewed. Level 5: The fifth level is the final level and shows that the asset has procedures and controls fully integrated into a comprehensive program.


質問 # 217
Which of the following security models dictates that subjects can only access objects through applications?

  • A. Biba-Clark model
  • B. Clark-Wilson
  • C. Biba model
  • D. Bell-LaPadula

正解:B

解説:
Explanation/Reference:
Explanation: The Clark-Wilson security model dictates that subjects can only access objects through applications. AnswerA is incorrect. The Biba model does not let subjects write to objects at a higher integrity level. Answer: B is incorrect. The Bell-LaPadula model has a simple security rule, which means a subject cannot read data from a higher level. Answer: D is incorrect. There is no such model as Biba-Clark model.


質問 # 218
Which of the following are the principle duties performed by the BIOS during POST (power-on-self-test)?
Each correct answer represents a part of the solution. Choose all that apply.

  • A. It delegates control to other BIOS, if it is required.
  • B. It discovers size and verifies system memory.
  • C. It interrupts the execution of all running programs.
  • D. It provides a user interface for system's configuration.
  • E. It identifies, organizes, and selects boot devices.
  • F. It verifies the integrity of the BIOS code itself.

正解:A、B、D、E、F

解説:
Explanation/Reference:
Explanation: The principle duties performed by the BIOS during POST (power-on-self-test) are as follows:
It verifies the integrity of the BIOS code itself. It discovers size and verifies system memory. It discovers, initializes, and catalogs all system hardware. It delegates control to other BIOS if it is required. It provides a user interface for system's configuration. It identifies, organizes, and selects boot devices. It executes the bootstrap program. AnswerF is incorrect. The BIOS does not interrupt the execution of all running programs.


質問 # 219
Which of the following models manages the software development process if the developers are limited to go back only one stage to rework?

  • A. Waterfall model
  • B. Prototyping model
  • C. RAD model
  • D. Spiral model

正解:A

解説:
Explanation/Reference:
Explanation: In the waterfall model, software development can be managed if the developers are limited to go back only one stage to rework. If this limitation is not imposed mainly on a large project with several team members, then any developer can be working on any phase at any time, and the required rework might be accomplished several times. AnswerB is incorrect. The spiral model is a software development process combining elements of both design and prototyping-in- stages, in an effort to combine advantages of top-down and bottom-up concepts. The basic principles of the spiral model are as follows: The focus is on risk assessment and minimizing project risks by breaking a project into smaller segments and providing more ease-of- change during the development process, as well as providing the opportunity to evaluate risks and weigh consideration of project continuation throughout the life cycle. Each cycle involves a progression through the same sequence of steps, for each portion of the product and for each of its levels of elaboration, from an overall concept-of-operation document down to the coding of each individual program. Each trip around the spiral traverses the following four basic quadrants: Determine objectives, alternatives, and constraints of the iteration. Evaluate alternatives, and identify and resolve risks. Develop and verify deliverables from the iteration. Plan the next iteration.
Begin each cycle with an identification of stakeholders and their win conditions, and end each cycle with review and commitment. AnswerD is incorrect. The Prototyping model is a systems development method (SDM). In this model, a prototype is created, tested, and then reworked as necessary until an adequate prototype is finally achieved from which the complete system or product can now be developed. Answer C is incorrect. Rapid Application Development (RAD) refers to a type of software development methodology that uses minimal planning in favor of rapid prototyping.


質問 # 220
Which of the following policies can explain how the company interacts with partners, the company's goals and mission, and a general reporting structure in different situations?

  • A. Regulatory
  • B. Selective
  • C. Advisory
  • D. Informative

正解:D

解説:
Explanation/Reference:
Explanation: An informative policy informs employees about certain topics. It is not an enforceable policy, but rather one to teach individuals about specific issues relevant to the company. The informative policy can explain how the company interacts with partners, the company's goals and mission, and a general reporting structure in different situations. AnswerD is incorrect. A regulatory policy ensures that an organization follows the standards set by specific industry regulations. This type of policy is very detailed and specific to a type of industry. The regulatory policy is used in financial institutions, health care facilities, public utilities, and other government-regulated industries, e.g., TRAI. Answer: B is incorrect. An advisory policy strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. The advisory policy can be used to describe how to handle medical information, handle financial transactions, and process confidential information. Answer: C is incorrect. It is not a valid type of policy.


質問 # 221
Audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function. Under which of the following controls does audit control come?

  • A. Protective controls
  • B. Reactive controls
  • C. Detective controls
  • D. Preventive controls

正解:C

解説:
Explanation/Reference:
Explanation: Audit trail or audit log comes under detective controls. Detective controls are the audit controls that are not needed to be restricted. Any control that performs a monitoring activity can likely be defined as a Detective Control. For example, it is possible that mistakes, either intentional or unintentional, can be made. Therefore, an additional Protective control is that these companies must have their financial results audited by an independent Certified Public Accountant. The role of this accountant is to act as an auditor. In fact, any auditor acts as a Detective control. If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency which indicates that some control somewhere has failed. AnswerA is incorrect. Reactive or corrective controls typically work in response to a detective control, responding in such a way as to alert or otherwise correct an unacceptable condition. Using the example of account rules, either the internal Audit Committee or the SEC itself, based on the report generated by the external auditor, will take some corrective action. In this way, they are acting as a Corrective or Reactive control. AnswerC and D are incorrect. Protective or preventative controls serve to proactively define and possibly enforce acceptable behaviors. As an example, a set of common accounting rules are defined and must be followed by any publicly traded company. Each quarter, any particular company must publicly state its current financial standing and accounting as reflected by an application of these rules. These accounting rules and the SEC requirements serve as protective or preventative controls.


質問 # 222
The mission and business process level is the Tier 2. What are the various Tier 2 activities? Each correct answer represents a complete solution. Choose all that apply.

  • A. Defining the core missions and business processes for the organization
  • B. Defining the types of information that the organization needs, to successfully execute the stated missions and business processes
  • C. Specifying the degree of autonomy for the subordinate organizations
  • D. Prioritizing missions and business processes with respect to the goals and objectives of the organization
  • E. Developing an organization-wide information protection strategy and incorporating high-level information security requirements

正解:A、B、C、D、E

解説:
Explanation/Reference:
Explanation: The mission and business process level is the Tier 2. It addresses risks from the mission and business process perspective. It is guided by the risk decisions at Tier 1. The various Tier 2 activities are as follows: It defines the core missions and business processes for the organization. It also prioritizes missions and business processes, with respect to the goals and objectives of the organization. It defines the types of information that an organization requires, to successfully execute the stated missions and business processes. It helps in developing an organization-wide information protection strategy and incorporating high-level information security requirements. It specifies the degree of autonomy for the subordinate organizations.


質問 # 223
Which of the following are examples of passive attacks? Each correct answer represents a complete solution. Choose all that apply.

  • A. Eavesdropping
  • B. Shoulder surfing
  • C. Placing a backdoor
  • D. Dumpster diving

正解:A、B、D

解説:
In eavesdropping, dumpster diving, and shoulder surfing, the attacker violates the confidentiality of a system without affecting its state. Hence, they are considered passive attacks.


質問 # 224
"Enhancing the Development Life Cycle to Produce Secure Software" summarizes the tools and practices that are helpful in producing secure software. What are these tools and practices? Each correct answer represents a complete solution. Choose three.

  • A. Leverage attack patterns
  • B. Compiler security checking and enforcement
  • C. Tools to detect memory violations
  • D. Safe software libraries
  • E. Code for reuse and maintainability

正解:B、C、D

解説:
The tools and practices that are helpful in producing secure software are summarized in the report "Enhancing the Development Life Cycle to Produce Secure Software". The tools and practices are as follows: Compiler security checking and enforcement Safe software libraries Runtime error checking and safety enforcement Tools to detect memory violations Code obfuscation Answer A and E are incorrect. These are secure coding principles and practices of defensive coding.


質問 # 225
Which of the following technologies is used by hardware manufacturers, publishers, copyright holders and individuals to impose limitations on the usage of digital content and devices?

  • A. Code signing
  • B. Hypervisor
  • C. Digital rights management
  • D. Grid computing

正解:C

解説:
Explanation/Reference:
Explanation: Digital rights management (DRM) is an access control technology used by hardware manufacturers, publishers, copyright holders and individuals to impose limitations on the usage of digital content and devices. It describes the technology that prevents the uses of digital content that were not desired or foreseen by the content provider. DRM does not refer to other forms of copy protection which can be circumvented without modifying the file or device, such as serial numbers or keyfiles. It can also refer to restrictions associated with specific instances of digital works or devices. Answer C is incorrect.
Code signing is the process of digitally signing executables and scripts in order to confirm the software author, and guarantee that the code has not been altered or corrupted since it is signed by use of a cryptographic hash. Answer A is incorrect. A hypervisor is a virtualization technique that allows multiple operating systems (guests) to run concurrently on a host computer. It is also called the virtual machine monitor (VMM). The hypervisor provides a virtual operating platform to the guest operating systems and checks their execution process. It provides isolation to the host's resources. The hypervisor is installed on server hardware. Answer: B is incorrect. Grid computing refers to the combination of computer resources from multiple administrative domains to achieve a common goal.


質問 # 226
Copyright holders, content providers, and manufacturers use digital rights management (DRM) in order to limit usage of digital media and devices. Which of the following security challenges does DRM include? Each correct answer represents a complete solution. Choose all that apply.

  • A. Device fingerprinting
  • B. Access control
  • C. OTA provisioning
  • D. Key hiding

正解:A、C、D

解説:
The security challenges for DRM are as follows: Key hiding: It prevents tampering attacks that target the secret keys. In the key hiding process, secret keys are used for authentication, encryption, and node-locking. Device fingerprinting: It prevents fraud and provides secure authentication. Device fingerprinting includes the summary of hardware and software characteristics in order to uniquely identify a device. OTA provisioning: It provides end-to-end encryption or other secure ways for delivery of copyrighted software to mobile devices. Answer B is incorrect. Access control is not a security challenge for DRM.


質問 # 227
......

完全版最新の問題集PDFで最新CSSLP試験問題と解答:https://www.goshiken.com/ISC/CSSLP-mondaishu.html

本日更新された最新のCSSLPのPDFはCSSLP無料お試し可能です:https://drive.google.com/open?id=1giM2KiS8cnAGwEXh8i14aAFYFQtxKM0g

関するブログ

もっと
CSSLP無料問題集