ISC2 CSSLP Exam Questions

Correct answer: Functional

The two types of software requirements are:

• Functional: Functional requirements describe how the software is supposed to do its job. These include business requirements, IT requirements (deployment environment, database, infrastructure, etc.), corporate coding, and security requirements. Functional requirements are often described in use cases or user stories.
• Non-Functional: Non-functional requirements include operational and deployment requirements. These describe how the software will fit into an organization’s IT infrastructure and interact with other software and systems.

User-driven requirements and environmental requirements are not types of software requirements.

Correct answer: Delphi

Methods of risk ranking include:

• Delphi Ranking: In Delphi ranking, each team member independently and privately provides a ranking (Minimal, Severe, or Critical) for each threat. This provides insight into the consensus on the severity of various risks.
• Average Ranking: Average ranking assigns numeric values to each risk category and averages the results. One common risk ranking methodology is DREAD.
• Probability x Impact (PxI): PxI ranking multiplies the probability that a risk will materialize with the impact if it does.

STRIDE is an acronym describing various types of security risks.

Correct answer: Test plans and metrics

A verification and validation (V&V) plan should include administrative requirements for:

• Anomaly resolution and reporting
• Exception/deviation policy
• Baseline and configuration control procedures
• Standards practices and conventions adopted for guidance
• Form of the relevant documentation including plans, procedures, cases, and results

Correct answer: Generation-based

Fuzzing involves sending malformed and invalid inputs to an application in an attempt to trigger an error. Fuzz testing can be classified in a few different ways, including:

• Smart: Smart fuzzing algorithms identify what can go wrong with an application and creates inputs designed to trigger these issues.
• Dumb: Dumb fuzzers randomly generate inputs to an application, hoping to stumble upon an issue.
• Generation-Based: Generation-based fuzzers use specifications for inputs to an algorithm to develop test inputs.
• Mutation-Based: Mutation-based fuzzing algorithms take known-good inputs and mutate them to create test cases.

Correct answer: Dirty Read

Database management system (DBMS) concurrency controls protect against:

• Lost Updates: Multiple concurrent threads change the same data in different ways, causing only one change to be recorded.
• Dirty Read: One transaction selects a row in a table that has been updated but not committed by another transaction.
• Nonrepeatable Reads: A transaction reads the same row multiple times and gets different results.
• Incorrect Summary: One transaction summarizes the values of a repeated data item while another transaction modifies some of these instances, making the summary incorrect.

Correct answer: Cryptographic Implementation

Cryptography can be fragile and broken in several ways. Some forms of cryptographic validation testing include:

• Standards Conformance: Verifies that cryptographic code complies with FIPS 140-2 or other regulatory requirements. Examples include the use of approved algorithms, settings, etc.
• Environment Validation: Verifies that cryptographic code meets requirements for the deployment environment such as those included in the ISO/IEC Common Criteria.
• Data Validation: Verifies that sensitive data requiring confidentiality protections is appropriately secured using approved and validated cryptography.
• Cryptographic Implementation: Verifies that cryptographic code correctly generates random values and ensures proper key management.

Correct answer: Business Requirements

A requirements traceability matrix (RTM) helps to track the state of requirements for software. An RTM commonly contains columns for:

• Business Requirements: Describes the initial business need
• Functional Requirements: Describes the functional requirement developed to meet the business need
• Test Requirements: Describes how the functional requirement will be tested

The RTM may also contain requirement ID numbers, use cases, or other information linked to the requirement.

Correct answer: SAFECode

Some useful resources for software security information include:

• International Organization for Standardization (ISO): ISO publishes a variety of different standards, including some that address software security.
• National Institute of Standards and Technology (NIST): NIST publishes various standards, including Special Publications (SPs) and Federal Information Processing Standards (FIPS).
• Software Assurance Forum for Excellence in Code (SAFECode): SAFECode offers a collaboration environment for organizations to discuss software security best practices.
• Building Security in Maturity Model (BSIMM): BSIMM quantifies the maturity and effectiveness of an organization’s application security (AppSec) program.

Correct answer: Firewalls

Flow control manages the movement of data between various systems, applications, etc. Important flow control tools include:

• Firewalls: Firewalls enforce corporate policy by inspecting network traffic and permitting or blocking it based on rules. Firewalls come in various forms, including packet-filtering, stateful, and next-generation.
• Proxies: Proxies act as a middleman in traffic flows, protecting the privacy and security of the source or destination of the traffic.
• Queues: Queuing protects against network congestion and overloading legacy clients by creating a backlog when sending rates are faster than the recipient can handle it.

Load balancers are not a common flow control mechanism.

Correct answer: RASP

A few different types of tools exist for software security analysis. These include:

• Static Application Security Testing (SAST): SAST or static analysis tools analyze the source code of an application for vulnerabilities. Since they use source code, they can be applied earlier in the SDLC than other tools that require a running application. Additionally, they provide better test coverage and can pinpoint an error within an application’s code. However, SAST tools are language-specific and cannot identify some types of vulnerabilities that are only detectable in running code.
• Dynamic Application Security Testing (DAST): DAST or dynamic analysis tools test a running application for vulnerabilities by sending it malicious or anomalous inputs and analyzing its behavior or responses. DAST can be cheaper than SAST, often has fewer false positives, and can identify issues that are only apparent at runtime. However, it has poorer code coverage, cannot pinpoint where an issue exists within the code (only that it does exist), and requires a running application (making it only usable later in the SDLC).
• Interactive Application Security Testing (IAST): IAST solutions use instrumentation to gain internal visibility of a running application while running tests against it. IAST solutions can pinpoint vulnerabilities in an application and are more easily integrated into CI/CD pipelines. However, IAST can be more expensive, slows code execution, and is a less mature solution.
• Runtime Application Self-Protection (RASP): RASP uses instrumentation to monitor and protect an application in production. Based on visibility into inputs, outputs, and application behavior, RASP can identify and block even zero-day attacks against an application. However, RASP does increase the size and complexity of the application that it protects.

Correct answer: Test case

A test case describes a particular requirement to be tested and how an application will be tested against that requirement.

A test script automates the process of implementing a test case, providing repeatability and speeding the testing process. A test harness documents all aspects of a testing process including the systems under test and the tools, data, and configurations used during testing. Test suites are groups of tests. For example, multiple tests focused on performance may be collected into a test suite.

Correct answer: Proving compliance to regulators

It is not enough to achieve compliance with regulations; companies must also be able to demonstrate their compliance. With extensive reporting requirements and complex supply chains, demonstrating compliance is often the biggest challenge of compliance.

Correct answer: OWASP

The OWASP Top Ten is a list of some of the most common and impactful vulnerabilities in web applications.

The SANS Top 25 Software errors lists some of the most common errors that affect software in general.

The Common Weaknesses Enumeration (CWE), maintained by MITRE, classifies the various types of errors that can occur in software.

The Common Vulnerabilities and Exposures (CVE) list, also maintained by MITRE, describes specific vulnerabilities that have been identified in a particular application.

Correct answer: OOB interface

Some of the interfaces related to secure software development include:

• User Interface (UI): According to the Clark and Wilson security model, an interface should exist between every subject and the object that they act upon. This enables the enforcement of access controls, supports abstractions, simplifies the creation of an audit trail, and can permit confidentiality protections such as masking sensitive data.
• Application Programming Interface (API): APIs allow one program to access the functionality of another. APIs are ideal targets of automated attacks and must be properly secured as well as UIs.
• Security Management Interface (SMI): SMIs are tools such as web portals that are used to configure a system (such as a router), including defining security settings. SMIs commonly provide very privileged functionality and are a common security weak link due to weak login credentials, privileged access, and a failure to implement security best practices such as data encryption, logging and monitoring, and allowing only local access.
• Out-of-Band (OOB) Interface: An OOB interface permits the administration of a device that is idle or shut off. These interfaces are designed for remote access, making access control essential.
• Log Interface: Logging is key to auditing, threat detection, and regulatory compliance. Central management of logs helps with scalability and effective monitoring.

Correct answer: Preventative

The five types of security controls are:

• Detective: Build a log of system or user actions that can be used to identify anomalies and potential threats.
• Preventative: Actively or proactively work to block an attack.
• Deterrent: Attempt to dissuade an attacker from carrying out an attack.
• Corrective: Help to recover back to normal operations after an attack.
• Compensating: Provide an alternative to a security requirement when the recommended control cannot be implemented for some reason.

Correct answer: Dumb

Fuzzing involves sending malformed and invalid inputs to an application in an attempt to trigger an error. Fuzz testing can be classified in a few different ways, including:

• Smart: Smart fuzzing algorithms identify what can go wrong with an application and creates inputs designed to trigger these issues.
• Dumb: Dumb fuzzers randomly generate inputs to an application, hoping to stumble upon an issue.
• Generation-Based: Generation-based fuzzers use specifications for inputs to an algorithm to develop test inputs.
• Mutation-Based: Mutation-based fuzzing algorithms take known-good inputs and mutate them to create test cases.

Correct answer: Retention

The General Data Protection Regulation (GDPR) is an EU data privacy law that went into effect in May 2018. It protects the personally identifiable information (PII) of EU citizens. The GDPR and laws based on it provide various rights to data subjects, including:

• Consent: Under the GDPR, data subjects must be informed of how their data will be used and provide affirmative consent (opt in) before data collection begins.
• Access: The GDPR allows users to request a copy of the data that a company has stored about them in a usable format.
• Correction: EU subjects can require organizations to correct inaccuracies in their records.
• Disposition: The GDPR includes the “right to be forgotten” or to have their data erased by companies that have collected it.
• Retention: Under the GDPR, organizations must delete collected data after the original purpose for collecting and processing it no longer exists.
• Data Residency: The data of EU citizens cannot be transferred to countries or companies without privacy protections equivalent to those provided by the GDPR.

Correct answer: Disaster recovery

When a business is maintaining continuity of operations, it has suffered a business-disrupting event and is attempting to continue functioning until it restores to normal operations. Business continuity planning includes identifying the criticality of applications to the business to prioritize their restoration. Some concepts related to business continuity/disaster recovery include:

• Backup, Archiving, and Retention: If data is corrupted or destroyed during a security incident, backups are essential to restoring operations. These backups should be appropriately protected with encryption and access controls.
• Disaster Recovery (DR): Disaster recovery is the process of moving from continuity operations during an incident back to normal operations. This requires careful planning and full knowledge of system dependencies to ensure that applications are brought back online only when they have the resources needed to operate.
• Resiliency: Resiliency measures how well a system can survive a disruptive incident. Redundant systems and additional copies of vital data are examples of measures to boost resiliency.

Correct answer: Identify

Supply chain risk management is designed to bring the risk posed to an organization by its supply chain to within manageable levels. The four main steps of supply chain risk management are:

• Identify: All products and items that pose a potential risk to the organization are identified
• Assess: Each product is assessed for the potential risks that it might pose
• Respond: The organization develops a strategy for managing each identified risk, including vulnerability patching, agreements with suppliers, etc.
• Monitor: Ongoing monitoring ensures that mitigations are effectively managing the risk

Correct answer: Number of Seats

Software licenses may restrict usage based on various factors, including:

• Number of Seats: How many systems or users can use the application
• Time: Whether the license has a fixed or unlimited term
• Functionality: Software may be distributed as shareware/demoware with limited functionality and a price for full functionality
• Territory: Limit where an application can be used
• Source Code Access: Defines the level of access to source code and how it can be used