65. a. When restrictions on what authenticated users are allowed to do are not properly enforced, it leads to broken access control vulnerability in Web applications. The other three choices do not deal with accessing user accounts, viewing sensitive files, or using unauthorized functions.

66. What do you call an attacker who can embed malicious commands in application parameters resulting in an external system executing those commands on behalf of the Web application?

a. Buffer overflows

b. Injection flaws

c. Denial-of-service

d. Improper error handling

66. b. Web applications pass parameters when they access external systems or the local operating system. Injection flaws occur when an attacker can embed malicious commands in these parameters; the external system may execute those commands on behalf of the Web application. The other three choices do not apply here because they do not embed malicious commands.
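The answer above describes the mechanism in the abstract: a parameter the application hands to an external system (here, a database) is interpreted as part of a command rather than as data. The following is an added illustration, not code from the book, written against Python's standard-library `sqlite3` module; the table contents and the test input are constructed for the example. It shows the two ways of building the same lookup, one that embeds the parameter in the command text and one that passes it separately so the external system never parses it as a command.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_embedded(conn, name):
    """Injection-prone pattern: the request parameter is spliced into the
    SQL text, so the database executes whatever the parameter contains."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the SQL text is fixed and the parameter travels
    separately as a bound value, so it can only ever match a name."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed input that is valid as data but changes meaning if it is
# treated as part of the command text.
CRAFTED_NAME = "x' OR '1'='1"


def compare(name=CRAFTED_NAME):
    """Run the same input through both lookups and report the row counts.
    For CRAFTED_NAME the embedded form returns every row, the
    parameterized form returns none, which is the whole difference."""
    conn = build_db()
    embedded = lookup_embedded(conn, name)
    bound = lookup_parameterized(conn, name)
    conn.close()
    return {"embedded_rows": len(embedded), "parameterized_rows": len(bound)}


if __name__ == "__main__":
    print(compare("alice"))         # both forms return 1 row
    print(compare(CRAFTED_NAME))    # embedded: 2 rows, parameterized: 0 rows
```

The detection and mitigation point is that the fix is structural: reviewing code for command text assembled from request parameters (string formatting, concatenation) finds the class of flaw regardless of which payload an attacker chooses, whereas filtering individual inputs does not.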

67. Both black-box and white-box testing are performed during which of the following?

a. Unit testing

b. Integration testing

c. System testing

d. Acceptance testing

67. a. A unit test is a test of software elements at the lowest level of development. Black-box testing, also known as functional testing, executes part or all of the system to validate that the user requirement is satisfied. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been executed. Because the unit test is the first test conducted, its scope should be comprehensive enough to include both types of testing, that is, black box and white box.

Integration testing is incorrect because it comes after completion of unit tests. An integration test is performed to examine how units interface and interact with each other with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests. Software integration tests check how the units interact with other software libraries and hardware.

System testing is incorrect because it comes after completion of the integration tests. It tests the completely integrated system and validates that the software meets its requirements.

Acceptance testing is incorrect because it comes after completion of integration tests. It is testing of user requirements in an operational mode conducted by end users and computer operations staff.

68. If manual controls over program changes were weak, which of the following would be effective?

a. Automated controls

b. Written policies

c. Written procedures

d. Written standards

68. a. In general, automated controls compensate for the weaknesses in or lack of manual controls or vice versa (i.e., a compensating control). For example, an automated software management system can help in strengthening controls by moving programs from production to test libraries and back. It minimizes human errors in moving wrong programs or forgetting to move the right ones. Written policies, procedures, and standards are equally necessary in manual and automated environments.

69. Which of the following defines management’s formal acceptance of the adequacy of an application system’s security?

a. System certification

b. Security certification

c. System accreditation

d. Security accreditation

69. c. System accreditation is management’s formal acceptance of the adequacy of an application system’s security. The accreditors are responsible for evaluating the certification evidence, deciding on the acceptability of application security safeguards, approving corrective actions, ensuring that corrective actions are accomplished, and issuing the accreditation statement.

System certification is the technical evaluation of compliance with security requirements for the purpose of accreditation. The technical evaluation uses a combination of security evaluation techniques (for example, risk analysis, security plans, validation, verification, testing, security safeguard evaluation, and audit) and culminates in a technical judgment of the extent to which safeguards meet security requirements.

Security certification is a formal testing of the security controls (safeguards) implemented in the computer system to determine whether they meet applicable requirements and specifications.
