Free ISC2 CSSLP Exam Actual Questions

The questions for CSSLP were last updated On Mar 26, 2025

At ValidExamDumps, we consistently monitor updates to the ISC2 CSSLP exam questions by ISC2. Whenever our team identifies changes in the exam questions, exam objectives, exam focus areas or exam requirements, we immediately update our exam questions for both PDF and online practice exams. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can successfully pass the ISC2 Certified Secure Software Lifecycle Professional exam on their first attempt without needing additional materials or study guides.

Other certification materials providers often include outdated or removed questions by ISC2 in their ISC2 CSSLP exam. These outdated questions lead to customers failing their ISC2 Certified Secure Software Lifecycle Professional exam. In contrast, we ensure our questions bank includes only precise and up-to-date questions, guaranteeing their presence in your actual exam. Our main priority is your success in the ISC2 CSSLP exam, not profiting from selling obsolete exam questions in PDF or Online Practice Test.


Question No. 1

Which of the following components of configuration management involves periodic checks to determine the consistency and completeness of accounting information and to verify that all configuration management policies are being followed?

Correct Answer: B

Configuration auditing is a component of configuration management, which involves periodic checks to establish the consistency and completeness of accounting information and to confirm that all configuration management policies are being followed. Configuration audits are broken into functional and physical configuration audits. They occur either at delivery or at the moment of effecting the change. A functional configuration audit ensures that the functional and performance attributes of a configuration item are achieved, while a physical configuration audit ensures that a configuration item is installed in accordance with the requirements of its detailed design documentation.

Answer D is incorrect. The configuration status accounting procedure is the ability to record and report on the configuration baselines associated with each configuration item at any moment in time. It supports the functional and physical attributes of software at various points in time, and performs systematic control of accounting for the identified attributes for the purpose of maintaining software integrity and traceability throughout the software development life cycle.

Answer C is incorrect. Configuration control is a procedure of configuration management. Configuration control is a set of processes and approval stages required to change a configuration item's attributes and to re-baseline them. It supports the change of the functional and physical attributes of software at various points in time, and performs systematic control of changes to the identified attributes.

Answer A is incorrect. Configuration identification is the process of identifying the attributes that define every aspect of a configuration item. A configuration item is a product (hardware and/or software) that has an end-user purpose. These attributes are recorded in configuration documentation and baselined. Baselining an attribute forces formal configuration change control processes to be effected in the event that these attributes are changed.


Question No. 2

Which of the following techniques is used when a system performs the penetration testing with the objective of accessing unauthorized information residing inside a computer?

Correct Answer: C

Port scanning identifies open doors to a computer. Hackers and crackers use this technique to obtain unauthorized information. Port scanning is the first basic step to get the details of open ports on the target system. Port scanning is used to find a hackable server with a hole or vulnerability. A port is a medium of communication between two computers. Every service on a host is identified by a unique 16-bit number called a port.

A port scanner is a piece of software designed to search a network host for open ports. It is often used by administrators to check the security of their networks and by hackers to identify running services on a host with a view to compromising it. Port scanning is used to find the open ports, so that it is possible to search for exploits related to that service and application.

Answer D is incorrect. Phreaking is a process used to crack the phone system. The main aim of phreaking is to avoid paying for long-distance calls. As telephone networks have become computerized, phreaking has become closely linked with computer hacking. This is sometimes called the H/P culture (with H standing for Hacking and P standing for Phreaking).

Answer A is incorrect. It is defined as a system using a physical attribute for authentication. Only authorized users are provided access to the network or application.

Answer B is incorrect. It is described as a form of eavesdropping in which special equipment is used to pick up the telecommunication signals or data within a computer device.


Question No. 3

Which of the following types of attacks is targeting a Web server with multiple compromised computers that are simultaneously sending hundreds of FIN packets with spoofed source IP addresses?

Correct Answer: A

A distributed denial of service (DDoS) attack targets a Web server with multiple compromised computers that are simultaneously sending hundreds of FIN packets with spoofed source IP addresses.

A DDoS attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more Web servers. These systems are compromised by attackers using a variety of methods. It is an attempt to make a computer resource unavailable to its intended users. This type of attack can cause the following to occur:

Saturate network resources.

Disrupt connections between two computers, thereby preventing communications between services.

Disrupt services on a specific computer.

Answer D is incorrect. A dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user. It can also use common words in either upper or lower case to find a password. There are many programs available on the Internet to automate and execute dictionary attacks.

Answer C is incorrect. In an insertion attack, an IDS accepts a packet and assumes that the host computer will also accept it. But in reality, when a host system rejects the packet, the IDS has accepted the attacking string that will exploit vulnerabilities in the IDS. Such attacks can badly affect IDS signatures and IDS signature analysis.

Answer B is incorrect. An evasion attack is one in which an IDS rejects a malicious packet but the host computer accepts it. Since the IDS has rejected it, it does not check the contents of the packet. Hence, using this technique, an attacker can exploit the host computer. In many cases, it is quite simple for an attacker to send data packets that perform evasion attacks on an IDS.


Question No. 4

What are the various activities performed in the planning phase of the Software Assurance Acquisition process? Each correct answer represents a complete solution. Choose all that apply.

Correct Answer: A, C, D

The various activities performed in the planning phase of the Software Assurance Acquisition process are as follows:

Determine software product or service requirements.

Identify associated risks.

Develop software requirements.

Create acquisition strategy.

Develop evaluation criteria and evaluation plan.

Define development and use of SwA due diligence questionnaires.

Answer B is incorrect. This activity is performed in the monitoring and acceptance phase of the Software Assurance acquisition process.


Question No. 5

What are the security advantages of virtualization, as described in the NIST Information Security and Privacy Advisory Board (ISPAB) paper "Perspectives on Cloud Computing and Standards"?

Each correct answer represents a complete solution. Choose three.

Correct Answer: A, B, C

The security advantages of virtualization are as follows:

It adds a layer of security for defense-in-depth.

It provides strong encapsulation of errors.

It increases intrusion detection through introspection.

It decreases exposure of weak software.

It increases the flexibility for discovery.

It increases capabilities for fault tolerant computing using rollback and snapshot features.

Answer D is incorrect. Virtualization increases configuration effort because of the complexity of the virtualization layer and the composite system.