[Computer Professional Qualification] CISSP Certification Exam (Software Development Security) - Paper 1 with Answers and Explanations (.doc)

CISSP Certification Exam (Software Development Security) - Paper 1 with Answers and Explanations (Total: 60.00 points, time allowed: 90 minutes)

1. Data marts, databases, and data warehouses have distinct characteristics. Which of the following does not correctly describe a data warehouse? (2.00 points)
A. It could increase the risk of privacy violations.
B. It is developed to carry out analysis.
C. It contains data from several different sources.
D. It is created and used for project-based tactical reasons.

2. Database software should meet the requirements of what is known as the ACID test. Why should database software carry out atomic transactions, which is one requirement of the ACID test, when OLTP is used? (2.00 points)
A. So that the rules for database integrity can be established
B. So that the database performs transactions as a single unit without interruption
C. To ensure that rollbacks cannot take place
D. To prevent concurrent processes from interacting with each other

3. Lisa has learned that most databases implement concurrency controls. What is concurrency, and why must it be controlled? (2.00 points)
A. Processes running at different levels, which can negatively affect the integrity of the database if not properly controlled.
B. The ability to deduce new information from reviewing accessible data, which can allow an inference attack to take place.
C. Processes running simultaneously, which can negatively affect the integrity of the database if not properly controlled.
D. Storing data in more than one place within a database, which can negatively affect the integrity of the database if not properly controlled.

4. Robert has been asked to increase the overall efficiency of the sales database by implementing a procedure that structures data to minimize duplication and inconsistencies. What procedure is this? (2.00 points)
A. Polymorphism
B. Normalization
C. Implementation of database views
D. Constructing schema

5. Which of the following best describes an object-oriented database? (2.00 points)
A. When an application queries for data, it receives both the data and the procedure.
B. It is structured similarly to a mesh network for redundancy and fast data retrieval.
C. Subject must have knowledge of the well-defined access path in order to access data.
D. The relationships between data entities provide the framework for organizing data.

6. Fred has been told he needs to test a component of the new content management application under development to validate its data structure, logic, and boundary conditions. What type of testing should he carry out? (2.00 points)
A. Acceptance testing
B. Regression testing
C. Integration testing
D. Unit testing

7. Which of the following is the best description of a component-based system development method? (2.00 points)
A. Components periodically revisit previous stages to update and verify design requirements
B. Minimizes the use of arbitrary transfer control statements between components
C. Uses independent and standardized modules that are assembled into serviceable programs
D. Implemented in module-based scenarios requiring rapid adaptations to changing client requirements

8. There are many types of viruses that hackers can use to damage systems. Which of the following is not a correct description of a polymorphic virus? (2.00 points)
A. Intercepts antivirus's call to the operating system for file and system information
B. Varies the sequence of its instructions using noise, a mutation engine, or random-number generator
C. Can use different encryption schemes requiring different decryption routines
D. Produces multiple, varied copies of itself

9. Which of the following best describes the role of the Java Virtual Machine in the execution of Java applets? (2.00 points)
A. Converts the source code into bytecode and blocks the sandbox
B. Converts the bytecode into machine-level code
C. Operates only on specific processors within specific operating systems
D. Develops the applets, which run in a user's browser

10. What type of database software integrity service guarantees that tuples are uniquely identified by primary key values? (2.00 points)
A. Concurrent integrity
B. Referential integrity
C. Entity integrity
D. Semantic integrity

11. In computer programming, cohesion and coupling are used to describe modules of code. Which of the following is a favorable combination of cohesion and coupling? (2.00 points)
A. Low cohesion, low coupling
B. High cohesion, high coupling
C. Low cohesion, high coupling
D. High cohesion, low coupling

12. When an organization is unsure of the final nature of the product, what type of system development method is most appropriate for them? (2.00 points)
A. Cleanroom
B. Exploratory Model
C. Modified Prototype Method
D. Iterative Development

13. Which of the following statements does not correctly describe SOAP and Remote Procedure Calls? (2.00 points)
A. SOAP was designed to overcome the compatibility and security issues associated with Remote Procedure Calls.
B. Both SOAP and Remote Procedure Calls were created to enable application-layer communication.
C. SOAP enables the use of Remote Procedure Calls for information exchange between applications over the Internet.
D. HTTP was not designed to work with Remote Procedure Calls, but SOAP was designed to work with HTTP.

14. Computer programs that are based on human logic by using "if/then" statements and inference engines are called _____. (2.00 points)
A. Expert systems
B. Artificial neural networks
C. Distributed Computing Environment
D. Enterprise JavaBeans

15. Which of the following is a correct description of the pros and cons associated with third-generation programming languages? (2.00 points)
A. The use of heuristics reduced programming effort, but the amount of manual coding for a specific task is usually more than the preceding generation.
B. The use of syntax similar to human language reduced development time, but the language is resource intensive.
C. The use of binary was extremely time consuming but resulted in fewer errors.
D. The use of symbols reduced programming time, but the language required knowledge of machine architecture.

16. Which of the following is considered the second generation of programming languages? (2.00 points)
A. Machine
B. Very high-level
C. High-level
D. Assembly

17. Mary is creating malicious code that will steal a user's cookies by modifying the original client-side JavaScript. What type of cross-site scripting vulnerability is she exploiting? (2.00 points)
A. Second order
B. DOM-based
C. Persistent
D. Nonpersistent

18. Of the following steps that describe the development of a botnet, which best describes the step that comes first? (2.00 points)
A. Infected server sends attack commands to the botnet.
B. Spammer pays a hacker for use of a botnet.
C. Controller server instructs infected systems to send spam to mail servers.
D. Malicious code is sent out that has bot software as its payload.

19. Which of the following antivirus detection methods is the most recent to the industry and monitors suspicious code as it executes within the operating system? (2.00 points)
A. Behavior blocking
B. Fingerprint detection
C. Signature-based detection
D. Heuristic detection

20. Which of the following describes object-oriented programming deferred commitment? (2.00 points)
A. Autonomous objects, which cooperate through exchanges of messages
B. The internal components of an object can be refined without changing other parts of the system
C. Object-oriented analysis, design, and modeling maps to business needs and solutions
D. Other programs using same objects

21. What object-oriented programming term, or concept, is illustrated in the graphic that follows? (2.00 points) [graphic not included in this preview]
A. Methods
B. Messages
C. Abstraction
D. Data hiding

22. Protection methods can be integrated into software programs. What type of protection method is illustrated in the graphic that follows? (2.00 points) [graphic not included in this preview]
A. Polymorphism
B. Polyinstantiation
C. Cohesiveness
D. Object classes

23. There are several types of attacks that programmers need to be aware of. What attack does the graphic that follows illustrate? (2.00 points) [graphic not included in this preview]
A. Traffic analysis
B. Race condition
C. Covert storage
D. Buffer overflow

24. Databases and applications commonly carry out the function that is illustrated in the graphic that follows. Which of the following best describes the concept that this graphic is showing? (2.00 points) [graphic not included in this preview]
A. Checkpoint
B. Commit
C. Two-phase commit
D. Data dictionary

25. There are several different types of databases. Which type does the graphic that follows illustrate? (2.00 points) [graphic not included in this preview]
A. Relational
B. Hierarchical
C. Network
D. Object-oriented

The following scenario will be used for questions 26, 27, and 28. Trent is the new manager of his company's internal software development department. He has been told by his management that the group needs to be compliant with the international standard that provides guidance to organizations in integrating security into the processes used for managing their applications. His new boss told him that he should join and get familiar with the Web Application Security Consortium, and Trent just received an e-mail stating that one of the company's currently deployed applications has a zero-day vulnerability. (6.00 points)

(1) Which of the following is most likely the standard Trent's company wants to comply with? (2.00 points)
A. ISO/IEC 27005
B. ISO/IEC 27001
C. ISO/IEC 27034
D. BS 7799

(2) Which of the following best describes the consortium Trent's boss wants him to join? (2.00 points)
A. Nonprofit organization that produces open-source software and follows widely agreed upon best-practice security standards for the World Wide Web.
B. U.S. DHS group that provides best practices, tools, guidelines, rules, principles, and other resources for software developers, architects, and security practitioners to use.
C. Group of experts who create proprietary software tools used to help improve the security of software worldwide.
D. Group of experts and organizations who certify products based on an agreed-upon security criteria.

(3) Which of the following best describes the type of vulnerability mentioned in this scenario? (2.00 points)
A. Dynamic vulnerability that is polymorphic
B. Static vulnerability that is exploited by server-side injection parameters
C. Vulnerability that does not currently have an associated solution
D. Database vulnerability that directly affects concurrency

26. _____ provides a machine-readable description of the specific operations provided by a specific Web service. _____ provides a method for Web services to be registered by service providers and located by service consumers. (2.00 points)
A. Web Services Description Language, Universal Description, Discovery and Integration
B. Universal Description, Discovery and Integration, Web Services Description Language
C. Web Services Description Language, Simple Object Access Protocol
D. Simple Object Access Protocol, Universal Description, Discovery and Integration

27. Sally has found out that software programmers in her company are making changes to software components and uploading them to the main software repository without following version control or documenting their changes. This is causing a lot of confusion and has caused several teams to use the older versions. Which of the following would be the best solution for this situation? (2.00 points)
A. Software change control management
B. Software escrow
C. Software configuration management
D. Software configuration management escrow

CISSP Certification Exam (Software Development Security) - Paper 1: Answers and Explanations (Total: 60.00 points, time allowed: 90 minutes)

1. Data marts, databases, and data warehouses have distinct characteristics. Which of the following does not correctly describe a data warehouse? (2.00 points)
A. It could increase the risk of privacy violations.
B. It is developed to carry out analysis.
C. It contains data from several different sources.
D. It is created and used for project-based tactical reasons.

Explanation: D is correct. A data warehouse is not typically created and used for project-based tactical reasons. That describes a data mart, which is the portion of a database that a project uses for a short time to work out a tactical approach to a problem. A data warehouse is created for strategic reasons: data mining and analysis.
A is incorrect because a data warehouse can increase the risk of privacy violations, since data is collected from several different sources and stored in one central location (the warehouse). Although this allows more convenient access and control, because the data is in one place, it also demands stricter security precautions. If an intruder gets into the data warehouse, she immediately has access to all of the company's information.
B is incorrect because the statement is true. Data warehouses are usually created for analysis. Analysis supports strategic decisions, for example those concerning business trends, fraudulent activity, or marketing effectiveness. Analysis is typically carried out through data mining activities.
C is incorrect because a data warehouse does contain information from several different sources. Data is extracted from different databases and other data points, transferred to a central data store called the data warehouse, and then normalized. This lets users query a single entity rather than accessing and querying different data sources, and it also improves the efficiency of information retrieval and data analysis.

2. Database software should meet the requirements of what is known as the ACID test. Why should database software carry out atomic transactions, which is one requirement of the ACID test, when OLTP is used? (2.00 points)
A. So that the rules for database integrity can be established
B. So that the database performs transactions as a single unit without interruption
C. To ensure that rollbacks cannot take place
D. To prevent concurrent processes from interacting with each other

Explanation: B is correct. Online Transaction Processing (OLTP) is used when databases are clustered to provide high fault tolerance and performance. It provides mechanisms that watch for problems and deal with them when they occur. For example, if a process stops functioning, the monitoring mechanisms within OLTP can detect this and attempt to restart the process. If the process cannot be restarted, the transaction in progress is rolled back to ensure that no data is corrupted and that no partial transaction remains. OLTP records transactions as they occur (in real time), which in a distributed environment usually means updating more than one database. This complexity can introduce many integrity threats, so the database software should have the characteristics known as the ACID test.
Atomicity: divides transactions into units of work and ensures that either all modifications take effect or none do. Either the changes are committed or the database is rolled back.
Consistency: a transaction must follow the integrity rules established for that particular database, ensuring that all data in the different databases is consistent.
Isolation: transactions execute in isolation until completed, without interacting with other transactions. The results of a modification are not available until the transaction is complete.
Durability: once the transaction is verified as accurate on all systems, it is committed and the database cannot be rolled back.
The term "atomic" means that the units of a transaction either happen together or none of them execute: "all or nothing". This ensures that if one operation fails, the others do not proceed (and corrupt the data in the database).
A is incorrect because OLTP and ACID enforce, rather than establish, the integrity rules specified in the database security policy. Consistency is the C in ACID and concerns the enforcement and enforceability of integrity rules. Database software with the consistency property follows a specific integrity policy when carrying out transactions, ensuring that all data in the different databases is identical.
C is incorrect because atomicity divides transactions into units of work and ensures that either all modifications take effect or none do. Either the changes are committed or the database is rolled back. This means that if something goes wrong, the database returns (rolls back) to its original state. Once a transaction has completed correctly, a rollback can no longer take place; that is the durability property of the ACID test. This question specifically addresses the atomic transaction approach, not durability.
D is incorrect because atomic transactions do not address the isolation of processes carrying out database transactions, which is the "isolation" component of the ACID test. It is critical to ensure that a process carrying out a transaction cannot be interrupted or modified by another process. This protects the integrity, accuracy and confidentiality of the data being processed during the transaction.

3. Lisa has learned that most databases implement concurrency controls. What is concurrency, and why must it be controlled? (2.00 points)
A. Processes running at different levels, which can negatively affect the integrity of the database if not properly controlled.
B. The ability to deduce new information from reviewing accessible data, which can allow an inference attack to take place.
C. Processes running simultaneously, which can negatively affect the integrity of the database if not properly controlled.
D. Storing data in more than one place within a database, which can negatively affect the integrity of the database if not properly controlled.

Explanation: C is correct. Databases are commonly used by many different applications simultaneously, and many users interact with a database at the same time. Concurrency means that different processes (applications and users) access the database at the same time. If this is not properly controlled, the processes can overwrite each other's data or cause deadlocks. The negative result of concurrency problems is reduced integrity of the data in the database. Database integrity can be provided by concurrency protection mechanisms. One concurrency control is locking, which prevents users from accessing and modifying data that someone else is using.
A is incorrect because concurrency refers to processes running simultaneously, not at different levels. Concurrency problems arise when a database is accessed at the same time by different users and/or applications. If not properly controlled, two users could access and modify the same data at the same time, which is detrimental in a dynamic environment.
B is incorrect because the ability to deduce new information from reviewing accessible data arises when a subject at a lower security level indirectly guesses or infers data at a higher security level. This can lead to an inference attack. It is not related to concurrency. Concurrency concerns data integrity, whereas inference concerns data confidentiality.
D is incorrect because storing data in more than one place is not a concurrency issue. Concurrency problems occur when two subjects or applications try to modify the same data at the same time.

4. Robert has been asked to increase the overall efficiency of the sales database by implementing a procedure that structures data to minimize duplication and inconsistencies. What procedure is this? (2.00 points)
A. Polymorphism
B. Normalization
C. Implementation of database views
D. Constructing schema

Explanation: B is correct. Normalization is a process that eliminates redundancy, organizes data efficiently, and reduces data

