Certificationmonitor shares the latest ISC Certification CSSLP exam dumps for free exam practice tests and online downloads! “Certified Secure Software Lifecycle Professional Practice Test” CSSLP exam. Ready to pass the CSSLP exam please click https://www.pass4itsure.com/CSSLP.html (full exam dump)
CSSLP – The Industry’s Premier Secure Software Development Certification: https://www.isc2.org/Certifications/CSSLP
ISC CSSLP Online Exam Practice Questions
Mark works as a Network Administrator for NetTech Inc. The company has a Windows 2000 domain-based network.
Users report that they are unable to log on to the network. Mark finds that accounts are locked out due to multiple
incorrect log on attempts. What is the most likely cause of the account lockouts?
B. Brute force attack
C. SYN attack
D. PING attack
Correct Answer: B
A brute force attack is the most likely cause of the account lockouts. In a brute force attack, an unauthorized user attempts to log on to a network or computer by trying many possible user names and passwords. Windows 2000 and other network operating systems have a security feature that locks a user account when the number of failed logon attempts within a specified period reaches the threshold set in the security policy's lockout settings, so a stream of guessed passwords trips the lockout on every account it targets. Answer: A is incorrect. Spoofing is a technique that makes a transmission appear to come from an authentic source by forging the IP address, email address, caller ID, etc. In IP spoofing, an attacker modifies packet headers to carry someone else's source IP address and so hides their identity. Spoofing does not by itself produce failed logons, and it is of limited use for interactive sessions such as web browsing or on-line chat, because responses to a forged source address are delivered to that address rather than to the attacker. Answer: C is incorrect. A SYN attack affects computers running TCP/IP. It is a protocol-level attack that can render a computer's network services unavailable; it is also known as SYN flooding. Answer: D is incorrect. When a computer repeatedly sends ICMP echo requests to another computer, it is known as a PING attack (ping flood).
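To make the relationship between password guessing and lockouts concrete, here is an added example (my code, not from the exam dump or from Microsoft) that runs a lockout-policy model over a constructed set of failed-logon records. The record layout (timestamp, account, source address), the threshold and the observation window are assumptions standing in for Windows "audit failure" events and the domain's lockout policy; in a real investigation these come from the Security event log and the domain policy.

```python
"""Detect password-guessing against user accounts from failed-logon records.

Added example, not from the exam dump. The input is a constructed,
simplified set of failed-logon records (timestamp, account, source host);
the field layout, threshold and window are assumptions, not the actual
Windows event schema or any particular domain's lockout policy.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real log data): one host hammers alice,
# then tries three more accounts once each; erin mistypes twice, far apart.
SAMPLE_FAILURES = [
    ("2023-10-02T08:00:01", "alice", "10.0.0.5"),
    ("2023-10-02T08:00:03", "alice", "10.0.0.5"),
    ("2023-10-02T08:00:04", "alice", "10.0.0.5"),
    ("2023-10-02T08:00:06", "alice", "10.0.0.5"),
    ("2023-10-02T08:00:07", "alice", "10.0.0.5"),
    ("2023-10-02T08:00:09", "bob", "10.0.0.5"),
    ("2023-10-02T08:00:10", "carol", "10.0.0.5"),
    ("2023-10-02T08:00:11", "dave", "10.0.0.5"),
    ("2023-10-02T09:15:00", "erin", "10.0.0.7"),  # benign typo
    ("2023-10-02T10:00:00", "erin", "10.0.0.7"),  # another, outside window
]


def parse(record):
    """Turn a raw (iso-timestamp, account, source) tuple into typed fields."""
    ts, account, source = record
    return datetime.fromisoformat(ts), account, source


def find_lockouts(records, threshold=5, window=timedelta(minutes=30)):
    """Model the lockout policy: an account is locked at the moment its
    failed logons reach `threshold` inside a sliding `window`.
    Returns {account: datetime_of_lockout}."""
    recent = defaultdict(deque)
    locked = {}
    for ts, account, _ in sorted(parse(r) for r in records):
        if account in locked:
            continue  # further failures against a locked account change nothing
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked[account] = ts
    return locked


def find_spray_sources(records, min_accounts=3):
    """Sources that failed against at least `min_accounts` distinct accounts:
    the signature of one host brute-forcing or password-spraying a domain,
    as opposed to individual users mistyping their own passwords."""
    accounts_by_source = defaultdict(set)
    for _, account, source in (parse(r) for r in records):
        accounts_by_source[source].add(account)
    return {src: sorted(accts) for src, accts in accounts_by_source.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    print("locked accounts:", find_lockouts(SAMPLE_FAILURES))
    print("spray sources:", find_spray_sources(SAMPLE_FAILURES))
```

On the constructed data, alice is locked at the fifth failure and 10.0.0.5 is reported as the source touching four accounts, while erin's two widely spaced failures never reach the threshold; the second function is the one to watch for, since a lockout policy alone tells you that accounts are locked but not who is locking them.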
There are seven risks responses that a project manager can choose from. Which risk response is appropriate for both
positive and negative risk events?
Correct Answer: A
Only acceptance is appropriate for both positive and negative risk events. Acceptance is often used for low-probability, low-impact risk events regardless of whether the event would have a positive or negative effect on the project. The acceptance response is part of the risk response planning process; it states that the project plan will not be changed to deal with the risk, although management may develop a contingency plan in case the risk does occur. Acceptance can be of two types. Passive acceptance: no plans are made to avoid or mitigate the risk. Active acceptance: contingency reserves are developed to deal with the risk in case it occurs. Acceptance is the only response that applies to both threats and opportunities. Answer: C is incorrect. Sharing is a positive risk response that shares an opportunity among all parties involved in the risk event. Answer: B is incorrect. Transference is a negative risk response that transfers ownership of the risk to a third party, such as a vendor, through a contractual relationship. Answer: D is incorrect. Mitigation is a negative risk response that seeks to lower the probability and/or impact of a risk event.
Fill in the blank with the appropriate security mechanism. ____ is a computer hardware mechanism or programming language construct which handles the occurrence of exceptional events.
A. Exception handling
Correct Answer: A
Exception handling is a computer hardware mechanism or programming language construct that handles the occurrence of exceptional events. Such events arise during execution of the software and interrupt the normal instruction flow; the exception handler performs the specific activities needed to manage them, and from a security standpoint it should leave the program in a safe, known state rather than letting execution continue with partially completed work.
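The security-relevant part of exception handling is what the handler does when the exceptional path is taken. The following added example (my code, not from the exam dump or from (ISC)2) puts a fail-open authorization check beside a fail-secure one; the in-memory policy table and the constructed `PolicyStoreError` are stand-ins for a real policy backend and its failure modes.

```python
"""Fail-secure exception handling around an authorization decision.

Added example, not from the exam dump. POLICY and PolicyStoreError are
constructed stand-ins for a real policy store and its outage/lookup failures.
"""
import logging

log = logging.getLogger("authz")


class PolicyStoreError(Exception):
    """Raised when the policy backend cannot answer (constructed failure)."""


# Constructed in-memory policy: resource -> set of permitted users.
POLICY = {"/payroll": {"hr_admin"}, "/wiki": {"hr_admin", "alice"}}


def lookup_permitted(resource, store=POLICY):
    """Return the users allowed on `resource`; unknown resources are treated
    as a backend failure, the exceptional event we want to handle safely."""
    if resource not in store:
        raise PolicyStoreError(f"no policy entry for {resource!r}")
    return store[resource]


def is_authorized_fail_open(user, resource):
    """Anti-pattern: the 'usable' default survives a swallowed exception,
    so a backend failure (or an unmapped resource) grants access."""
    allowed = True                      # default chosen "to keep the app usable"
    try:
        allowed = user in lookup_permitted(resource)
    except PolicyStoreError:
        pass                            # swallowed: the default above is returned
    return allowed


def is_authorized(user, resource):
    """Fail secure: every exceptional event ends in an explicit deny. The
    detail goes to the log for operators; the caller sees only the decision,
    so nothing about the policy store leaks to the requester."""
    try:
        return user in lookup_permitted(resource)
    except PolicyStoreError as exc:
        log.error("authz lookup failed for %s on %s: %s", user, resource, exc)
        return False
    except Exception:                   # anything unexpected also denies
        log.exception("unexpected error in authz for %s on %s", user, resource)
        return False


if __name__ == "__main__":
    for fn in (is_authorized_fail_open, is_authorized):
        print(fn.__name__, "mallory -> /secrets:", fn("mallory", "/secrets"))
```

Both functions agree on resources the policy covers; they differ exactly on the exceptional path, where the first returns True for an attacker asking about an unmapped resource and the second denies and logs.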
Which of the following security design patterns provides an alternative by requiring that a user's authentication credentials be verified by the database before providing access to that user's data?
A. Secure assertion
B. Authenticated session
C. Password propagation
D. Account lockout
Correct Answer: C
Password propagation provides an alternative by requiring that a user's authentication credentials be verified by the database before providing access to that user's data. Answer: D is incorrect. Account lockout implements a limit on incorrect password attempts to protect an account from automated password-guessing attacks. Answer: B is incorrect. Authenticated session allows a user to access more than one access-restricted Web page without re-authenticating for every page; it also integrates user authentication into the basic session model. Answer: A is incorrect. Secure assertion distributes application-specific sanity checks throughout
An assistant from the HR Department calls you to ask the Service Hours and Maintenance Slots for your ERP system.
In which document will you most probably find this information?
A. Service Level Agreement
B. Release Policy
C. Service Level Requirements
D. Underpinning Contract
Correct Answer: A
You will most probably find this information in the Service Level Agreement. Amongst other information, an SLA records the agreed service hours and maintenance slots for a particular service. A Service Level Agreement (SLA) is the part of a service contract in which the level of service is formally defined. In practice the term SLA is sometimes used to refer to the contracted delivery time or performance of the service. An SLA is a negotiated agreement between two parties, the customer and the service provider, and may be a legally binding formal or informal 'contract'. Contracts between the service provider and third parties are often (incorrectly) called SLAs; because the level of service has been set by the principal customer, there can be no 'agreement' with a third party, only a contract. Operating Level Agreements (OLAs), however, may be used by internal groups to support SLAs. Answer: B is incorrect.
Release Policy is a set of rules for deploying releases into the live operational environment, defining different
approaches for releases depending on their urgency and impact. Answer: C is incorrect. The Service Level
Requirements document contains the requirements for a service from the client viewpoint, defining detailed service level
targets, mutual responsibilities, and other requirements specific to a certain group of customers. Answer: D is incorrect.
Underpinning Contract (UC) is a contract between an IT service provider and a third party. In another way, it is an
agreement between the IT organization and an external provider about the delivery of one or more services. The third
party provides services that support the delivery of a service to a customer. The Underpinning Contract defines targets
and responsibilities that are required to meet agreed Service Level targets in an SLA.
You work as a system engineer for BlueWell Inc. You want to verify that the build meets its data requirements, and
correctly generates each expected display and report. Which of the following tests will help you to perform the above
A. Performance test
B. Functional test
C. Reliability test
D. Regression test
Correct Answer: B
The various types of internal tests performed on builds are as follows. Regression tests: also known as verification testing, these tests confirm that capabilities in earlier builds continue to work correctly in subsequent builds. Functional tests: these tests emphasize verifying that the build meets its functional and data requirements and correctly generates each expected display and report. Performance tests: these tests identify the performance thresholds of each build. Reliability tests: these tests identify the reliability thresholds of each build.
Which of the following coding practices are helpful in simplifying code? Each correct answer represents a complete
solution. Choose all that apply.
A. Programmers should use multiple small and simple functions rather than a single complex function.
B. Software should avoid ambiguities and hidden assumptions, recursions, and GoTo statements.
C. Programmers should implement high-consequence functions in minimum required lines of code and follow proper
D. Processes should have multiple entry and exit points.
Correct Answer: ABC
The coding practices that help simplify code are as follows. Programmers should implement high-consequence functions in the minimum required lines of code and follow proper coding standards. Software should implement only the functions defined in the software specification. Software should avoid ambiguities and hidden assumptions, recursion, and GoTo statements. Programmers should use multiple small and simple functions rather than a single complex function. Processes should have only one entry point and the minimum number of exit points. Interdependencies should be minimal, so that a process, module or component can be disabled when it is not needed, or replaced when it is found insecure or a better alternative is available, without disturbing the software's operation. Programmers should use object-oriented techniques such as inheritance, encapsulation, and polymorphism to keep the code simple and small. Answer: D is incorrect. Processes should have only one entry point and the minimum number of exit points.
You work as a systems engineer for BlueWell Inc. Which of the following tools will you use to look outside your own
organization to examine how others achieve their performance levels, and what processes they use to reach those
B. Six Sigma
C. ISO 9001:2000
Correct Answer: A
Benchmarking is the tool used in the system assessment process to provide a point of reference against which performance measurements can be reviewed with respect to other organizations. Benchmarking is also known as Best Practice Benchmarking or Process Benchmarking. It is a management process, most useful for strategic management, in which an organization compares its business processes and performance metrics (cost, cycle time, productivity, quality) with those of another organization that is widely considered an industry benchmark or best practice. Benchmarking may be a one-time event, although it is frequently treated as a continual process in which organizations keep challenging their own practices. It allows organizations to develop plans on how to make improvements or adopt specific best practices, usually with the aim of improving some aspect of performance. Answer:
C is incorrect. The ISO 9001:2000 standard combined the three earlier standards 9001, 9002 and 9003 into a single standard, 9001. Design and development procedures are required only if a company actually engages in creating new products. The 2000 version sought a radical change in thinking by placing process management front and center ('process management' being the monitoring and optimizing of a company's tasks and activities, instead of just inspecting the final product). ISO 9001:2000 also demands involvement by upper executives, in order to integrate quality into the business system and avoid delegating quality functions to junior administrators. Another goal is to improve effectiveness via process performance metrics: numerical measurement of the effectiveness of tasks and activities. Expectations of continual process improvement and tracking of customer satisfaction were made explicit. Answer: B is incorrect. Six Sigma is a business management strategy, initially implemented by Motorola. As of 2009 it enjoyed widespread application in many sectors of industry, although its application is not without controversy. Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects and variability in manufacturing and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization ('Black Belts', 'Green Belts', etc.) who are experts in these methods. Each Six Sigma project carried out within an organization follows a defined sequence of steps and has quantified financial targets (cost reduction or profit increase). Answer: D is incorrect. Capability Maturity Model Integration (CMMI) was created by the Software Engineering Institute (SEI). In software engineering and organizational development, CMMI is a process improvement approach that provides organizations with the essential elements of effective process improvement. It can be used to guide process improvement across a project, a division, or an entire organization. CMMI can help integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes. CMMI is widely used as a standard for measuring process maturity. Organizations can be assessed against the CMMI model using the Standard CMMI Appraisal Method for Process Improvement (SCAMPI).
Which of the following test methods has the objective to test the IT system from the viewpoint of a threat-source and to
identify potential failures in the IT system protection schemes?
A. Security Test and Evaluation (STandE)
B. Penetration testing
C. Automated vulnerability scanning tool
D. On-site interviews
Correct Answer: B
The goal of penetration testing is to examine the IT system from the perspective of a threat-source and to identify potential failures in the IT system's protection schemes. Penetration testing, when performed as part of the risk assessment process, is used to assess an IT system's capability to withstand intentional attempts to thwart its security. Answer: A is incorrect. The objective of STandE is to ensure that the applied controls meet the approved security specification for the software and hardware and implement the organization's security policy or meet industry
Which of the following types of obfuscation transformation increases the difficulty for a de-obfuscation tool so that it cannot extract the true application from the obfuscated version?
A. Preventive transformation
B. Data obfuscation
C. Control obfuscation
D. Layout obfuscation
Correct Answer: A
Preventive transformation increases the difficulty for a de-obfuscation tool so that it cannot
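The categories this question lists (layout, data, control, preventive) are easier to tell apart with a transformation in hand. Below is an added example, not from the exam dump: a small Python source-to-source obfuscator that applies a layout transformation (identifier renaming) and a data transformation (XOR-masked string literals) to a constructed function, and a helper that executes original and obfuscated code so behaviour can be compared. Control-flow and preventive transformations are not implemented; the XOR key, the `_NN` identifier scheme and the sample function are my choices.

```python
"""Layout and data obfuscation of Python source, as a worked illustration.

Added example, not from the exam dump. Real obfuscators are far richer; this
shows two of the transformation classes on a constructed function so the
effect on readability and the preservation of behaviour can be checked.
"""
import ast
import itertools

# Constructed sample: the kind of function whose names and strings a
# reverse engineer would grep for first.
SAMPLE_SOURCE = '''
def check_token(token):
    secret = "s3cr3t-token"
    if token == secret:
        return "granted"
    return "denied"
'''

KEY = 0x5A  # assumed mask byte for the data transformation


class LayoutObfuscator(ast.NodeTransformer):
    """Layout transformation: replace meaningful identifiers with opaque ones.
    Only names bound in the module (functions, parameters, assigned
    variables) are renamed, so builtins and library calls still resolve."""

    def __init__(self):
        self.names = {}
        self.counter = itertools.count()

    def _new(self, name):
        if name not in self.names:
            self.names[name] = f"_{next(self.counter):02x}"
        return self.names[name]

    def visit_FunctionDef(self, node):
        node.name = self._new(node.name)
        for arg in node.args.args:
            arg.arg = self._new(arg.arg)
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        # Rename on binding (Store) and on any later use of a renamed name.
        if isinstance(node.ctx, ast.Store) or node.id in self.names:
            node.id = self._new(node.id)
        return node


class DataObfuscator(ast.NodeTransformer):
    """Data transformation: string literals are stored XOR-masked and
    rebuilt at run time, so a plain search for the secret finds nothing."""

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            masked = [b ^ KEY for b in node.value.encode()]
            expr = f"bytes(b ^ {KEY} for b in {masked!r}).decode()"
            return ast.copy_location(ast.parse(expr, mode="eval").body, node)
        return node


def obfuscate(source):
    """Apply the layout transformation, then the data transformation."""
    tree = ast.parse(source)
    tree = LayoutObfuscator().visit(tree)
    tree = DataObfuscator().visit(tree)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


def run(source, func_name, *args):
    """Execute `func_name` from `source` in a fresh namespace, for comparing
    the behaviour of original and obfuscated code."""
    namespace = {}
    exec(compile(source, "<obf>", "exec"), namespace)
    return namespace[func_name](*args)


if __name__ == "__main__":
    print(obfuscate(SAMPLE_SOURCE))
```

With the renaming scheme above, `check_token` becomes `_00` and its parameter `_01`; the obfuscated source no longer contains the function name, the secret or the result strings, yet `run(obfuscate(SAMPLE_SOURCE), "_00", "s3cr3t-token")` still returns "granted". Neither transformation stops a determined analyst (the secret is recoverable by executing the decode expression), which is exactly the gap that control and preventive transformations try to widen.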
The DARPA paper defines various procedural patterns to perform secure system development practices. Which of the
following patterns does it include? Each correct answer represents a complete solution. Choose three.
A. Hidden implementation
B. Document the server configuration
C. Patch proactively
D. Red team the design
E. Password propagation
Correct Answer: BCD
The following procedural patterns are defined by the DARPA paper for secure software development practices. Build the server from the ground up: identify the default installation of the operating system and applications, support hardening procedures to remove unnecessary services, and identify vulnerable services for ongoing risk management. Choose the right stuff: defines guidelines for selecting the right commercial off-the-shelf (COTS) components and deciding whether to use them or build custom components. Document the server configuration: supports the creation of an initial configuration baseline and tracks all modifications made to server and application configurations. Patch proactively: apply patches as soon as they are available rather than waiting until the systems are compromised. Red team the design: supports an independent security assessment from the perspective of an attacker in the quality assurance or testing stage; an independent assessment helps address a security issue before it is exploited. Answer: A is incorrect. The hidden implementation pattern is not defined in the DARPA paper; it applies to software assurance in general and limits an attacker's ability to discern the internal workings of an application. Answer: E is incorrect. Password propagation is not defined in the DARPA paper; it applies to authentication in a Web application and provides an alternative by requiring that a user's authentication credentials be verified by the database before providing access to that user's data.
You work as a project manager for BlueWell Inc. You and your team are using a method or (technical) process that still carries risk even if all theoretically possible safety measures were applied. One of your team members wants to know what a residual risk is. What will you reply?
A. It is a risk that remains because no risk response is taken.
B. It is a risk that can not be addressed by a risk response.
C. It is a risk that will remain no matter what type of risk response is offered.
D. It is a risk that remains after planned risk responses are taken.
Correct Answer: D
Residual risks are generally the smaller risks that remain in the project after the larger risks have been addressed. Residual risk is the risk or danger of an action, event, method or (technical) process that still remains even when all theoretically possible safety measures have been applied. A common way to express it is residual risk = inherent risk x control risk, where inherent risk is the risk present before any controls are applied (threats x vulnerability) and control risk is the risk that the controls fail to prevent or detect the event. Answers A, B and C are incorrect: none of them is a valid statement about residual risk.
Which of the following processes describes the elements such as quantity, quality, coverage, timelines, and availability,
and categorizes the different functions that the system will need to perform in order to gather the documented mission/
A. Human factors
B. Functional requirements
C. Performance requirements
D. Operational scenarios
Correct Answer: B
The functional requirements categorize the different functions the system will need to perform in order to meet the documented mission/business needs, and describe elements such as quantity, quality, coverage, timelines, and availability. Answer: C is incorrect. The performance requirements cover speed, throughput, accuracy, humidity tolerances, and mechanical stresses such as vibration or noise. Answer: A is incorrect. Human factors are the factors that affect the operation of the system or component, such as design space, eye movement, or ergonomics. Answer: D is incorrect. Operational scenarios assist the system designers and form the basis of major events in the acquisition phases, such as testing the products for system integration. The customer classifies and defines the operational scenarios, which indicate the range of anticipated uses of the system products.