At ValidExamDumps, we consistently monitor updates to the ISC2 CSSLP exam questions by ISC2. Whenever our team identifies changes in the exam questions, exam objectives, exam focus areas or exam requirements, we immediately update our exam questions for both PDF and online practice exams. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can successfully pass the ISC2 Certified Secure Software Lifecycle Professional exam on their first attempt without needing additional materials or study guides.
Other certification materials providers often include outdated questions, or questions removed by ISC2, in their ISC2 CSSLP exam materials. These outdated questions lead to customers failing their ISC2 Certified Secure Software Lifecycle Professional exam. In contrast, we ensure our question bank includes only precise and up-to-date questions, guaranteeing their presence in your actual exam. Our main priority is your success in the ISC2 CSSLP exam, not profiting from selling obsolete exam questions in PDF or online practice test form.
Which of the following components of configuration management involves periodic checks to determine the consistency and completeness of accounting information and to verify that all configuration management policies are being followed?
Configuration auditing is a component of configuration management which involves periodic checks to establish the consistency and completeness of accounting information and to confirm that all configuration management policies are being followed. Configuration audits are broken into functional and physical configuration audits. They occur either at delivery or at the moment of effecting the change. A functional configuration audit ensures that the functional and performance attributes of a configuration item are achieved, while a physical configuration audit ensures that a configuration item is installed in accordance with the requirements of its detailed design documentation.
Answer D is incorrect. Configuration status accounting is the ability to record and report on the configuration baselines associated with each configuration item at any moment in time. It supports the functional and physical attributes of software at various points in time, and performs systematic control of accounting for the identified attributes for the purpose of maintaining software integrity and traceability throughout the software development life cycle.
Answer C is incorrect. Configuration control is a procedure within configuration management. It is a set of processes and approval stages required to change a configuration item's attributes and to re-baseline them. It supports the change of the functional and physical attributes of software at various points in time, and performs systematic control of changes to the identified attributes.
Answer A is incorrect. Configuration identification is the process of identifying the attributes that define every aspect of a configuration item. A configuration item is a product (hardware and/or software) that has an end-user purpose. These attributes are recorded in configuration documentation and baselined. Baselining an attribute forces formal configuration change control processes to be effected in the event that these attributes are changed.
Which of the following techniques is used when a system performs penetration testing with the objective of accessing unauthorized information residing inside a computer?
Port scanning identifies the open doors to a computer. Hackers and crackers use this technique to obtain unauthorized information. Port scanning is the first basic step in getting the details of open ports on the target system, and it is used to find a hackable server with a hole or vulnerability. A port is a medium of communication between two computers; every service on a host is identified by a unique 16-bit number called a port.
A port scanner is a piece of software designed to search a network host for open ports. It is often used by administrators to check the security of their networks, and by hackers to identify running services on a host with a view to compromising it. Port scanning finds the open ports so that exploits related to the service and application behind each port can be searched for.
Answer D is incorrect. Phreaking is a process used to crack the phone system. The main aim of phreaking is to avoid paying for long-distance calls. As telephone networks have become computerized, phreaking has become closely linked with computer hacking. This is sometimes called the H/P culture (with H standing for Hacking and P standing for Phreaking).
Answer A is incorrect. It is defined as a system that uses a physical attribute for authentication, so that only authorized users are given access to a network or application.
Answer B is incorrect. It is described as a form of eavesdropping in which special equipment is used to pick up the telecommunication signals or data within a computer device.
Which of the following types of attacks targets a Web server with multiple compromised computers that are simultaneously sending hundreds of FIN packets with spoofed source IP addresses?
A distributed denial of service (DDoS) attack targets a Web server with multiple compromised computers that are simultaneously sending hundreds of FIN packets with spoofed source IP addresses.
A DDoS attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more Web servers. These systems are compromised by attackers using a variety of methods. The attack is an attempt to make a computer resource unavailable to its intended users. This type of attack can cause the following to occur:
Saturate network resources.
Disrupt connections between two computers, thereby preventing communications between services.
Disrupt services on a specific computer.
Answer D is incorrect. A dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user. It can also use common words in either upper or lower case to find a password. There are many programs available on the Internet to automate and execute dictionary attacks.
Answer C is incorrect. In an insertion attack, an IDS accepts a packet and assumes that the host computer will also accept it. In reality the host system rejects the packet, while the IDS has accepted an attack string that exploits weaknesses in the IDS itself. Such attacks can badly undermine IDS signatures and IDS signature analysis.
Answer B is incorrect. An evasion attack is one in which an IDS rejects a malicious packet but the host computer accepts it. Since the IDS has rejected the packet, it does not check its contents. Hence, using this technique, an attacker can exploit the host computer. In many cases it is quite simple for an attacker to send data packets that perform an evasion attack on an IDS.
What are the various activities performed in the planning phase of the Software Assurance Acquisition process? Each correct answer represents a complete solution. Choose all that apply.
The various activities performed in the planning phase of the Software Assurance Acquisition process are as follows:
Determine software product or service requirements.
Identify associated risks.
Develop software requirements.
Create acquisition strategy.
Develop evaluation criteria and evaluation plan.
Define development and use of SwA due diligence questionnaires.
Answer B is incorrect. This activity is performed in the monitoring and acceptance phase of the Software Assurance Acquisition process.
What are the security advantages of virtualization, as described in the NIST Information Security and Privacy Advisory Board (ISPAB) paper "Perspectives on Cloud Computing and Standards"?
Each correct answer represents a complete solution. Choose three.
The security advantages of virtualization are as follows:
It adds a layer of security for defense-in-depth.
It provides strong encapsulation of errors.
It increases intrusion detection through introspection.
It decreases exposure of weak software.
It increases the flexibility for discovery.
It increases capabilities for fault tolerant computing using rollback and snapshot features.
Answer D is incorrect. Virtualization increases configuration effort because of the complexity of the virtualization layer and the composite system.