c. Too much attention is paid to cosmetic details.
d. The model is iterated too many times.
213. a. The application software prototype becoming the finished system is a major risk in prototyping unless this is a conscious decision, as in evolutionary prototyping where a pilot system is built, thrown away, another system is built, and so on. Inflated user expectations are a risk that can be managed with proper education and training. Paying attention to cosmetic details is not bad except that it wastes valuable time. The prototype model is supposed to be iterated many times because that is the best way to define and redefine user requirements and security features until satisfied.
214. Security planning is performed in which of the following phases of a system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance
214. b. Security planning ensures that agreed-upon security controls, whether planned or in place, are fully documented. It is a task performed in the development/acquisition phase.
215. Security certification and accreditation is performed in which of the following phases of a system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance
215. c. Security certification ensures that the controls are effectively implemented through established verification techniques and procedures and gives an organization confidence that the appropriate safeguards and countermeasures are in place to protect the organization’s information systems. Security accreditation provides the necessary security authorization of an information system to process, store, or transmit information that is required. Both security certification and accreditation tasks are performed in the implementation phase.
216. Which of the following actions is performed in the detailed design phase of a system development life cycle (SDLC) project?
a. Defining control, security, and audit requirements
b. Developing screen flows with specifications
c. Identifying major purpose(s) of the system
d. Developing system justification
216. b. Detailed design occurs after the general design is completed. In it, known tasks are described and identified in much more detail and are made ready for program design and coding. This includes developing screen/program flows with specifications, input and output file specifications, and report specifications.
The other three choices are incorrect because, by definition, they are examples of activities taking place in the general design phase. System requirements are the input to the general design, where the system is viewed top-down and where higher-level design issues are addressed. This includes (i) identifying the purpose and major functions of the system and its subsystems, (ii) defining control, security, and audit requirements, and (iii) developing system justification for the approval of analysis of alternative design choices.
217. When attackers compromise passwords, keys, and session cookies, it can lead to which of the following flaws?
a. Broken access control
b. Invalidated input
c. Broken authentication
d. Cross-site scripting flaws
217. c. Broken authentication means account credentials and session tokens are not properly protected. Attackers who can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users’ identities.
218. Attackers use which of the following to corrupt a Web application execution stack?
a. Buffer overflows
b. Injection flaws
c. Denial-of-service
d. Improper error handling
218. a. In a buffer overflow, Web application components (for example, common gateway interface, libraries, drivers, and Web application servers) that do not properly validate input can be crashed and, in some cases, used to take control of a process.
219. When Web applications use cryptographic factors that were proven difficult to code properly, it can lead to which of the following?
a. Insecure storage
b. Improper error handling
c. Injection flaws
d. Insecure configuration management