ISC2 CSSLP Exam Questions
Page 5 of 25
81. Which of the following solutions can be deployed EARLIEST in the SDLC?
- SAST
- DAST
- IAST
- RASP
Correct answer: SAST
A few different types of tools exist for software security analysis. These include:
- Static Application Security Testing (SAST): SAST or static analysis tools analyze the source code of an application for vulnerabilities. Since they use source code, they can be applied earlier in the SDLC than other tools that require a running application. Additionally, they provide better test coverage and can pinpoint an error within an application’s code. However, SAST tools are language-specific and cannot identify some types of vulnerabilities that are only detectable in running code.
- Dynamic Application Security Testing (DAST): DAST or dynamic analysis tools test a running application for vulnerabilities by sending it malicious or anomalous inputs and analyzing its behavior or responses. DAST can be cheaper than SAST, often has fewer false positives, and can identify issues that are only apparent at runtime. However, it has poorer code coverage, cannot pinpoint where an issue exists within the code (only that it does exist), and requires a running application (making it only usable later in the SDLC).
- Interactive Application Security Testing (IAST): IAST solutions use instrumentation to gain internal visibility of a running application while running tests against it. IAST solutions can pinpoint vulnerabilities in an application and are more easily integrated into CI/CD pipelines. However, IAST can be more expensive, slows code execution, and is a less mature solution.
- Runtime Application Self-Protection (RASP): RASP uses instrumentation to monitor and protect an application in production. Based on visibility into inputs, outputs, and application behavior, RASP can identify and block even zero-day attacks against an application. However, RASP does increase the size and complexity of the application that it protects.
82. Which of the following is NOT a common step in post-deployment testing?
- Application configuration
- Update correctness testing
- Update installation testing
- Event logging
Correct answer: Application configuration
Post-deployment testing can help to ensure that software continues to work after being delivered to the customer. Common examples include validating that updates are correct and properly installed and generating logs of significant events for debugging and regulatory compliance.
83. Which of the following is NOT a solution for identifying vulnerabilities in applications?
- RASP
- SAST
- DAST
- IAST
Correct answer: RASP
A few different types of tools exist for software security analysis. These include:
- Static Application Security Testing (SAST): SAST or static analysis tools analyze the source code of an application for vulnerabilities. Since they use source code, they can be applied earlier in the SDLC than other tools that require a running application. Additionally, they provide better test coverage and can pinpoint an error within an application’s code. However, SAST tools are language-specific and cannot identify some types of vulnerabilities that are only detectable in running code.
- Dynamic Application Security Testing (DAST): DAST or dynamic analysis tools test a running application for vulnerabilities by sending it malicious or anomalous inputs and analyzing its behavior or responses. DAST can be cheaper than SAST, often has fewer false positives, and can identify issues that are only apparent at runtime. However, it has poorer code coverage, cannot pinpoint where an issue exists within the code (only that it does exist), and requires a running application (making it only usable later in the SDLC).
- Interactive Application Security Testing (IAST): IAST solutions use instrumentation to gain internal visibility of a running application while running tests against it. IAST solutions can pinpoint vulnerabilities in an application and are more easily integrated into CI/CD pipelines. However, IAST can be more expensive, slows code execution, and is a less mature solution.
- Runtime Application Self-Protection (RASP): RASP uses instrumentation to monitor and protect an application in production. Based on visibility into inputs, outputs, and application behavior, RASP can identify and block even zero-day attacks against an application. However, RASP does increase the size and complexity of the application that it protects.
84. Which of the following types of testing has the HIGHEST false positive rate?
- Black-box
- White-box
- Gray-box
- Red-box
Correct answer: Black-box
White-box testing has access to documentation, driving down the false positive rate. Black-box starts out with the least knowledge and access, increasing the false positive rate.
Red-box testing is a fabricated term.
85. Which of the following access control models is MOST likely to use factors such as time of day in its access determinations?
- Rule-based access control
- Mandatory access control
- Discretionary access control
- Resource-based access control
Correct answer: Rule-based access control
Several access control models exist, including:
- Mandatory Access Control (MAC): MAC centrally controls access to resources based on a combination of sensitivity labels and user clearances. The military Unclassified/Confidential/Secret/Top Secret model with compartments is an example of a MAC system.
- Discretionary Access Control (DAC): DAC uses the concepts of users and groups and allows users to define who can access their resources. DAC is commonly used by computers, such as Linux’s support for granting read/write/execute permissions to the owner, group members, and others.
- Role-Based Access Control (RBAC): Role-based access control assigns each user with a role and a set of associated permissions, which are used to determine if a request is valid. For example, a software developer may have access to certain systems and tools, while a software manager may have access to HR information that the developer cannot access.
- Rule-Based Access Control (RBAC): Rule-based access control uses access control lists (ACLs) and Boolean logic to determine if a request is valid. For example, rules may restrict the times during which a system can be accessed or the devices permitted to access sensitive data.
- Attribute-Based Access Control (ABAC): ABAC assigns attributes to a user’s identity that are used to determine their access. For example, a developer may have a certain set of permissions on one system but a different set on another.
- Resource-Based Access Control (RBAC): Resource-based access control systems include the Impersonation and Delegation Model used by Kerberos and the Trusted Subsystem Model. Under the Impersonation and Delegation Model, one entity delegates its access and privileges to another, allowing the other entity to impersonate it to achieve some task. The Trusted Subsystem Model controls access based on a trusted device rather than a user’s identity.
86. Which of the following types of software generally has the MOST limited distribution?
- GOTS
- COTS
- MOTS
- OEM
Correct answer: GOTS
- Original Equipment Manufacturer (OEM): OEM is when a software license is bundled with the purchase of the hardware that runs it.
- Commercial off the Shelf (COTS): COTS software is available for sale to the general public and includes operating systems (OSes), Microsoft Office, and similar software.
- Government off the Shelf (GOTS): GOTS software is developed internally by a government agency, enabling them to control all aspects of it.
- Modifiable off the Shelf (MOTS): MOTS software is COTS software that allows customization of the source code.
87. Which of the following is an example of structured data?
- Database
- Email
- Document
- Spreadsheet
Correct answer: Database
Databases are an example of structured data. The Extensible Markup Language (XML), JavaScript Object Notation (JSON), and similar formats are also structured.
Email, documents, and similar files are unstructured data. Unstructured data is more numerous but less searchable and manageable.
88. What is the term for a feature that can be exploited by an attacker?
- Vulnerability
- Threat
- Flaw
- Bug
Correct answer: Vulnerability
A vulnerability is any feature of an asset that can be exploited by an attacker for a malicious purpose.
A threat is anything that can cause harm to an organization and its assets.
Flaws and bugs may be vulnerabilities, but they may also not be exploitable.
89. Production data can be useful for application testing, but the leakage of sensitive data is a concern. Which of the following techniques replaces sensitive data with non-sensitive values?
- Tokenization
- Aggregation
- Sanitization
- Minimization
Correct answer: Tokenization
Production data can be useful for testing but should be properly anonymized. Some anonymization techniques include:
- Aggregation: Aggregation combines data from multiple different subjects to remove any identifiable information.
- Sanitization: Sanitization involves removing potentially sensitive data from records.
- Tokenization: Tokenization replaces sensitive data with a non-sensitive token that represents it on untrusted systems.
- Minimization: Minimization involves collecting, storing, and processing as little sensitive data as possible.
90. Which of the following is NOT one of the standard principles of proper system design?
- Efficiency
- Abstraction
- Modularity
- Information hiding
Correct answer: Efficiency
Standard principles of system design include:
- Abstraction
- Modularity
- Information hiding
91. Which of the following is NOT a common part of vulnerability management?
- Exploiting
- Scanning
- Tracking
- Patching
Correct answer: Exploiting
Vulnerability management is the process of addressing the various vulnerabilities that may exist in an organization’s systems. Key components of vulnerability management include:
- Scanning: Vulnerability scanning is a common way of identifying vulnerabilities. A vulnerability scanner identifies known vulnerabilities for running applications (based on CVEs) and common, unknown vulnerabilities (SQL injection, buffer overflow, etc.) in applications.
- Tracking: After a vulnerability has been identified, it should be added to a bug tracking system. This helps with prioritizing vulnerability remediation and ensuring that it is addressed.
- Triaging: Most organizations have more vulnerabilities than they can effectively remediate. Triage ensures that the most dangerous vulnerabilities are addressed first, reducing risk to the organization.
- Patching: Vulnerabilities are corrected by applying patches. This includes finding, testing, and applying updates based on the priority order.
92. Which of the following application testing methodologies is focused on a system as a whole rather than the individual applications that make up the system?
- Integration testing
- Failure mode testing
- Regression testing
- Continuous testing
Correct answer: Integration testing
Software testers may use various techniques to identify potential issues in an application, including:
- Failure Mode: Not all errors in an application will cause a crash. Failure testing involves ensuring that erroneous inputs cause a failure and that the fault is properly handled.
- Regression Testing: Changes to an application’s code can break functional or non-functional requirements. Regression testing is designed to ensure that code still meets requirements after an update.
- Integration Testing: Applications are deployed in environments alongside other applications and systems. Integration testing ensures that a system as a whole (including multiple different applications) achieves its intended purpose.
- Continuous Testing: Continuous testing processes build automated testing into development pipelines. This ensures that issues are identified and addressed as early as possible.
93. Which of the following is an application security testing tool that relies upon instrumentation?
- IAST
- DAST
- SAST
- RASP
Correct answer: IAST
A few different types of tools exist for software security analysis. These include:
- Static Application Security Testing (SAST): SAST or static analysis tools analyze the source code of an application for vulnerabilities. Since they use source code, they can be applied earlier in the SDLC than other tools that require a running application. Additionally, they provide better test coverage and can pinpoint an error within an application’s code. However, SAST tools are language-specific and cannot identify some types of vulnerabilities that are only detectable in running code.
- Dynamic Application Security Testing (DAST): DAST or dynamic analysis tools test a running application for vulnerabilities by sending it malicious or anomalous inputs and analyzing its behavior or responses. DAST can be cheaper than SAST, often has fewer false positives, and can identify issues that are only apparent at runtime. However, it has poorer code coverage, cannot pinpoint where an issue exists within the code (only that it does exist), and requires a running application (making it only usable later in the SDLC).
- Interactive Application Security Testing (IAST): IAST solutions use instrumentation to gain internal visibility of a running application while running tests against it. IAST solutions can pinpoint vulnerabilities in an application and are more easily integrated into CI/CD pipelines. However, IAST can be more expensive, slows code execution, and is a less mature solution.
- Runtime Application Self-Protection (RASP): RASP uses instrumentation to monitor and protect an application in production. Based on visibility into inputs, outputs, and application behavior, RASP can identify and block even zero-day attacks against an application. However, RASP does increase the size and complexity of the application that it protects.
94. Which of the following protects against exploitation of an application at runtime by making useful functionality more difficult to find?
- ASLR
- RASP
- WAF
- DAST
Correct answer: ASLR
Not all vulnerabilities are identified and fixed before applications reach production. Runtime protection systems help to mitigate this issue by protecting vulnerable applications against attempted exploitation or reducing the probability of a successful attack. Some examples include:
- Runtime Application Self-Protection (RASP): RASP solutions are integrated with a protected application and monitor its inputs, output, and behavior for anomalies that could indicate a potential attack.
- Web Application Firewall (WAF): A WAF sits between an application and the Internet and filters out traffic containing known exploits before it reaches the vulnerable application.
- Address Space Layout Randomization (ASLR): ASLR randomizes the location of certain functions in memory, making it more difficult for an attacker to use these functions when exploiting a vulnerability.
Dynamic Application Security Testing (DAST) is performed during the development process and involves sending malicious or malformed inputs to an application and monitoring its responses.
95. Which of the following types of licenses may dictate the license that an organization uses?
- Copyleft
- Copyright
- Open
- Permissive
Correct answer: Copyleft
Third-party software may operate under various licensing models, including:
- Copyright: A copyright protects the intellectual property of the author, restricting how it can be used.
- Permissive: Permissive licenses (MIT, BSD, etc.) impose minimal requirements on software use and redistribution.
- Copyleft: Copyleft licenses (GPL, etc.) require that software using the original source code provides the same rights to the user.
96. Which of the following intellectual property protections is intended to protect an invention whose details are publicly known?
- Patent
- Copyright
- Trademark
- Trade secret
Correct answer: Patent
Intellectual property (IP) can be protected in various ways, including:
- Patent: A patent provides exclusive rights to an invention for a specified period of time. Patents can be used to prevent others from using an invention even if they claimed to have invented it independently.
- Copyright: A copyright protects written works and artistic expression from being used or copied without the creator’s consent and proper attribution. They limit adaptations, performances, and who can profit from the work.
- Trademark: A trademark protects brand association and can be either registered or common-law. Images and company names are commonly trademarked items.
- Trade Secret: A trade secret is intellectual property that is protected only as long as it remains secret. The Coca-Cola secret recipe is probably the most famous example of a trade secret.
97. Which of the following estimates the number of times that an organization will face a particular threat?
- ARO
- SLE
- ALE
- SRO
Correct answer: ARO
Annual Rate of Occurrence (ARO) estimates the number of times that a specific threat will materialize each year.
Single Loss Expectancy (SLE) estimates the loss caused by a threat and is calculated as the product of the asset value and the exposure factor.
Annual Loss Expectancy (ALE) estimates the loss caused by a threat across an entire year. It is calculated as the product of SLE and ARO.
98. Which of the following is an OWASP-developed resource for improving the security of the software development process?
- SAMM
- BSIMM
- FIPS
- SAFECode
Correct answer: SAMM
Some useful resources for software security information include:
- National Institute of Standards and Technology (NIST): NIST publishes various standards, including Special Publications (SPs) and Federal Information Processing Standards (FIPS).
- Software Assurance Forum for Excellence in Code (SAFECode): SAFECode offers a collaboration environment for organizations to discuss software security best practices.
- Software Assurance Maturity Model (SAMM): SAMM is a framework developed by OWASP to improve the security of the software development process.
- Building Security in Maturity Model (BSIMM): BSIMM quantifies the maturity and effectiveness of an organization’s application security (AppSec) program.
99. Design errors fall into which of the following categories of software defects?
- Flaws
- Bugs
- Errors and Faults
- Behavioral Anomalies
Correct answer: Flaws
Defects in software can be classified into five categories:
- Flaws: Design errors
- Bugs: Implementation errors
- Behavioral Anomalies: The application does not operate properly
- Errors and Faults: Outcome-based issues originating elsewhere
- Vulnerabilities: Issues that can be exploited by an attacker
100. Which of the following focuses on reducing software's attack surface by minimizing complexity?
- Economy of Mechanism
- Least Privilege
- Least Common Mechanism
- Component Reuse
Correct answer: Economy of Mechanism
Some of the key security design principles include:
- Economy of Mechanism: Economy of Mechanism or “Keep It Simple” states that the design and implementation of software should be as simple as possible. Complex systems have a larger attack surface and are more difficult to troubleshoot if something goes wrong.
- Least Privilege: Under the Principle of Least Privilege, users are granted the minimum set of permissions necessary to perform their role.
- Least Common Mechanism: Least common mechanism states that different processes with different privilege levels should not use the same function or mechanism because it is more difficult to keep these paths separate. Instead, each process should have its own mechanism.
- Component Reuse: Don’t reinvent the wheel. The use of secure, high-quality components rather than custom code can improve the efficiency and security of software and reduce the attack surface.