ISC CSSLP Certified Secure Software Lifecycle Professional Online Training

Question #81

Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?

A . DoD 8910.1
B . DoD 7950.1-M
C . DoDD 8000.1
D . DoD 5200.22-M
E . DoD 5200.1-R

Question #82

Which of the following access control models are used in the commercial sector? Each correct answer represents a complete solution. Choose two.

A . Biba model
B . Clark-Biba model
C . Clark-Wilson model
D . Bell-LaPadula model

Reveal Solution Hide Solution

Question #83

Which of the following testing methods verifies the interfaces between components against a software design?

A . Regression testing
B . Integration testing
C . Black-box testing
D . Unit testing

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Integration testing is a software testing that seeks to verify the interfaces between components against a software design. Software components may be integrated in an iterative way or all together ("big bang"). Normally the former is considered a better practice since it allows interface issues to be localized more quickly and fixed. Integration testing works to expose defects in the interfaces and interaction between the integrated components (modules). Progressively larger groups of tested software components corresponding to elements of the architectural design are integrated and tested until the software works as a system.

ANS: A is incorrect. Regression testing focuses on finding defects after a major code change has occurred. Specifically, it seeks to uncover software regressions, or old bugs that have come back. Such regressions occur whenever software functionality that was previously working correctly stops working as intended. Typically, regressions occur as an unintended consequence of program changes, when the newly developed part of the software collides with the previously existing code.

ANS: D is incorrect. Unit testing refers to tests that verify the functionality of a specific section of code, usually at the function level. In an object-oriented environment, this is usually at the class level, and the minimal unit tests include the constructors and destructors. These types of tests are usually written by developers as they work on code (white-box style), to ensure that the specific function is working as expected. One function might have multiple tests, to catch corner cases or other branches in the code. Unit testing alone cannot verify the functionality of a piece of software, but rather is used to assure that the building blocks the software uses work independently of each other.

ANS: C is incorrect. The black-box testing uses external descriptions of the software, including specifications, requirements, and design to derive test cases. These tests can be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs and determines the correct output. There is no knowledge of the test object’s internal structure. This method of test design is applicable to all levels of software testing: unit, integration, functional testing, system and acceptance. The higher the level, and hence the bigger and more complex the box, the more one is forced to use black box testing to simplify. While this method can uncover unimplemented parts of the specification, one cannot be sure that all existent paths are tested.

Question #84

Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?

A . The custodian makes the initial information classification assignments, and the operations manager implements the scheme.
B . The data owner implements the information classification scheme after the initial assignment by the custodian.
C . The custodian implements the information classification scheme after the initial assignment by the operations manager.
D . The data custodian implements the information classification scheme after the initial assignment by the data owner.

Reveal Solution Hide Solution

Question #85

Della works as a security engineer for BlueWell Inc. She wants to establish configuration management and control procedures that will document proposed or actual changes to the information system.

Which of the following phases of NIST SP 800-37 C&A methodology will define the above task?

A . Initiation
B . Security Certification
C . Continuous Monitoring
D . Security Accreditation

Reveal Solution Hide Solution

Question #86

Which of the following secure coding principles and practices defines the appearance of code listing so that a code reviewer and maintainer who have not written that code can easily understand it?

A . Make code forward and backward traceable
B . Review code during and after coding
C . Use a consistent coding style
D . Keep code simple and small

Reveal Solution Hide Solution