CISSP Exam Questions for Self-Study (Domain 6)

Note: Pardon the messiness of the questions. These questions come from my podcast and I will be cleaning them up over the coming weeks.

Question:

In the Common Vulnerability Scoring System (CVSS), what does it mean when a vulnerability is scored 10?

  1. Most open for patching
  2. Most severe
  3. Least severe
  4. Easily managed

Answer: Most severe. CVSS base scores run from 0.0 to 10.0; 10.0 is the top of the scale, and CVSS v3.x rates any score of 9.0 or above as Critical.

Question:

What tool is commonly used as a scan engine to find vulnerabilities within an environment?

  1. Nessus
  2. NMAP
  3. Ping
  4. DNS

Answer: Nessus

Explanation: Nessus is a vulnerability scanner. It probes the hosts on a network with a library of checks (plugins) for known vulnerabilities and insecure configurations, so that you can determine whether an exploit could be used against a system. The other options are not vulnerability scanners: NMAP is primarily a port and service discovery tool, ping only tests reachability, and DNS is a name-resolution service.

Link:  https://searchsecurity.techtarget.com/quiz/CISSP-Domain-6-quiz-Vulnerabilities-in-software?q0=1&q1=1&x=78&y=3

 

QUESTION 1

Abstract episodes of interaction between a system and its environment:

  • Misuse case
  • Web proxies
  • Use cases
  • Negative testing

CORRECT ANSWER - Use cases

QUESTION 2

A list of the most widespread and critical errors that can lead to serious vulnerabilities in software:

  • Information security continuous monitoring (ISCM)
  • CWE/SANS Top 25 most dangerous software errors
  • Automated vulnerability scanners
  • Real user monitoring (RUM)

CORRECT ANSWER - CWE/SANS Top 25 most dangerous software errors (ISCM is an ongoing program for monitoring security controls, not a list of software errors)

QUESTION 3

This criterion requires sufficient test cases for each program statement to be executed at least once; however, achieving it is insufficient to provide confidence in a software product's behavior:

  • Statement coverage
  • Data flow coverage
  • Condition coverage
  • Path coverage

CORRECT ANSWER - Statement coverage

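Why statement coverage is not enough, as an added example that is not part of the quiz: a deliberately flawed path-containment function reaches 100% statement coverage with a single test, yet that test never exercises the input that breaks it. The tracer is a tiny statement-coverage tool written for this example (a stand-in for a real tool such as coverage.py), and the BASE directory and file names are made up. Choosing test data from the function's internal structure like this is also what white-box testing means.

```python
"""Statement coverage is necessary but not sufficient (added example, not from the quiz).

A deliberately flawed path-containment check reaches 100% statement coverage
with one test, yet that test never exercises the input that breaks it. The
tracer is a minimal statement-coverage tool written for this example only.
"""
import dis
import posixpath
import sys
from typing import Callable, Iterable, Tuple

BASE = "/srv/data"   # assumed upload root for the example


def resolve_upload_path(user_path: str, base: str = BASE) -> str:
    """Map a user-supplied relative path under base and reject escapes.
    Deliberately flawed: the prefix check has no trailing separator."""
    full = posixpath.normpath(posixpath.join(base, user_path))
    if not full.startswith(base):
        full = base
    return full


def resolve_upload_path_fixed(user_path: str, base: str = BASE) -> str:
    """Corrected check: the result must be base itself or live below base + '/'."""
    full = posixpath.normpath(posixpath.join(base, user_path))
    if full != base and not full.startswith(base + "/"):
        full = base
    return full


def statement_coverage(func: Callable, calls: Iterable[Tuple]) -> float:
    """Run func on each argument tuple and return the fraction of its
    executable source lines that ran at least once."""
    code = func.__code__
    # Lines that carry bytecode, excluding the 'def' line itself.
    executable = {ln for _, ln in dis.findlinestarts(code)
                  if ln is not None and ln != code.co_firstlineno}
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None          # do not trace callees such as posixpath.join
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args in calls:
            func(*args)
    finally:
        sys.settrace(previous)
    return len(executed & executable) / len(executable)


if __name__ == "__main__":
    # One obvious traversal attempt executes every statement: 100% coverage...
    print("coverage:", statement_coverage(resolve_upload_path, [("../../etc/passwd",)]))
    # ...but a sibling directory that shares the prefix still escapes BASE.
    print(resolve_upload_path("../data-backup/keys.pem"))
    print(resolve_upload_path_fixed("../data-backup/keys.pem"))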
QUESTION 1

A process by which developers can understand security threats to a system, determine risks from those threats and establish appropriate mitigations.

  • Threat modeling
  • White-box testing
  • Path coverage
  • Negative testing

CORRECT ANSWER - Threat modeling

From <https://searchsecurity.techtarget.com/quiz/CISSP-Domain-6-quiz-Vulnerabilities-in-software?q0=0&x=77&y=7>

QUESTION 2

This criterion requires sufficient test cases for each feasible data flow to be executed at least once.

  • Statement coverage
  • Path coverage
  • Data flow coverage
  • Condition coverage

CORRECT ANSWER - Data flow coverage

QUESTION 3

Tests an application for the use of system components or configurations that are known to be insecure.

  • Synthetic performance monitoring
  • Automated vulnerability scanners
  • Multi-condition coverage
  • Architecture security reviews

CORRECT ANSWER - Automated vulnerability scanners

QUESTION 1

The determination of the impact of a change based on review of the relevant documentation.

  • Validation
  • Regression analysis
  • Data flow coverage
  • Security log management

CORRECT ANSWER - Regression analysis

QUESTION 2

Analysis of the application source code for finding vulnerabilities in software without actually executing the application.

  • System events
  • Architecture security reviews
  • Static source code analysis (SAST)
  • Audit records

CORRECT ANSWER - Static source code analysis (SAST)

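A minimal SAST pass, added here as an example (not the quiz's code and not any vendor's): it parses Python source into an AST and flags dangerous sinks without executing anything. The SAMPLE program, the rule set and the severity labels are constructed for this example; the rules deliberately do no data-flow (taint) tracking, so they mimic only the simplest checks a tool such as Bandit performs.

```python
"""A minimal static analyzer over Python source (added example, not from the quiz).

It parses source text into an AST and flags dangerous sinks without ever
executing the code. SAMPLE is constructed for this example; the rules are
deliberately simple (no data-flow/taint tracking).
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample program under analysis (never imported or run).
SAMPLE = '''\
import os, subprocess
from flask import request

def run_report(name):
    cmd = "gen_report " + request.args.get("name")
    os.system(cmd)
    subprocess.run(["ls", "-l", name])
    subprocess.run("ls " + name, shell=True)
    eval("1+1")
    os.system("uptime")
'''


@dataclass
class Finding:
    line: int
    severity: str
    callee: str
    message: str


def dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'os.system' for os.system(...) or 'eval' for eval(...), else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        prefix = dotted_name(node.value)
        return f"{prefix}.{node.attr}" if prefix else None
    return None


def is_str_constant(node: Optional[ast.AST]) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


SHELL_SINKS = {"os.system", "os.popen"}
SUBPROCESS = {"subprocess.run", "subprocess.call", "subprocess.check_call",
              "subprocess.check_output", "subprocess.Popen"}


def analyze(source: str, filename: str = "<input>") -> List[Finding]:
    """Parse source and report risky calls, sorted by line number."""
    findings: List[Finding] = []
    tree = ast.parse(source, filename)          # parse only; nothing is executed
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = dotted_name(node.func)
        first = node.args[0] if node.args else None
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        if callee in ("eval", "exec"):
            # Flagged regardless of argument: dynamic code execution is a sink in itself.
            findings.append(Finding(node.lineno, "MEDIUM", callee,
                                    "dynamic code execution; avoid eval/exec"))
        elif callee in SHELL_SINKS and not is_str_constant(first):
            # A command string built at runtime may carry attacker-controlled text.
            findings.append(Finding(node.lineno, "HIGH", callee,
                                    "shell command built at runtime (possible command injection)"))
        elif callee in SUBPROCESS:
            shell = kwargs.get("shell")
            if (isinstance(shell, ast.Constant) and shell.value is True
                    and not is_str_constant(first)):
                findings.append(Finding(node.lineno, "HIGH", callee,
                                        "shell=True with a non-literal command (possible command injection)"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in analyze(SAMPLE, "sample.py"):
        print(f"sample.py:{f.line}: [{f.severity}] {f.callee}: {f.message}")
```

The list-argument subprocess call and the constant-string os.system call produce no finding, which is the point of the rules: the analyzer reasons about the shape of the code, not about what it does when run.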
QUESTION 3

Contain security event information such as successful and failed authentication attempts, file access, security policy changes, account changes and use of privileges.

  • System events
  • Static source code analysis (SAST)
  • Path coverage
  • Audit records

CORRECT ANSWER - Audit records

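Detection logic over audit records, as an added example (not from the quiz): constructed syslog-style sshd and sudo lines covering failed and successful authentication and use of privileges, and an analyzer that raises alerts for repeated failures, a success following failures from the same source, and sudo use. Host names, user names, addresses (taken from the documentation ranges) and the alert thresholds are all assumptions made for the example.

```python
"""Detection logic over audit records (added example, not from the quiz).

SAMPLE_LOG holds constructed syslog-style sshd and sudo lines; hosts, users
and addresses are made up for this example. The analyzer reads the records
in order and raises alerts for repeated authentication failures, a success
following failures from the same source, and use of privileges via sudo.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:09 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51034 ssh2
Mar  3 10:01:12 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51038 ssh2
Mar  3 10:01:16 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:02:40 web1 sshd[2120]: Accepted publickey for deploy from 198.51.100.4 port 40112 ssh2
Mar  3 10:03:01 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:03:15 web1 sshd[2125]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Mar  3 10:04:00 web1 sshd[2130]: Failed password for alice from 198.51.100.9 port 40200 ssh2
"""

# Patterns for the three record types the analyzer understands.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def analyze(log_text: str, fail_threshold: int = 5) -> Tuple[Counter, List[Dict]]:
    """Return (failed logins per source IP, list of alerts) for the log text."""
    failures: Counter = Counter()
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            if failures[ip] == fail_threshold:      # alert once, when the threshold is crossed
                alerts.append({"type": "brute_force", "ip": ip, "count": failures[ip]})
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if failures[ip] >= 3:                   # success from a source that was failing
                alerts.append({"type": "success_after_failures", "ip": ip, "user": user,
                               "method": method, "prior_failures": failures[ip]})
            continue
        m = SUDO.search(line)
        if m:
            user, target, command = m.groups()      # every privilege use is worth recording
            alerts.append({"type": "privilege_use", "user": user, "as": target,
                           "command": command})
    return failures, alerts


if __name__ == "__main__":
    counts, found = analyze(SAMPLE_LOG)
    print("failed logins by source:", dict(counts))
    for a in found:
        print(a)
```

The second rule is the one worth keeping: five failures from 203.0.113.7 followed by an accepted password for root from the same address is the sequence that distinguishes a successful brute force from background noise, and it only falls out because the records carry both the failures and the success.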
QUESTION 4

A design that allows one to peek inside the "box" and focuses specifically on using internal knowledge of the software to guide the selection of test data.

  • Positive testing
  • White-box testing
  • Statement coverage
  • Negative testing

CORRECT ANSWER - White-box testing

Don't you want to pass the CISSP... the FIRST time?

Get my FREE CISSP training videos (Domains 1 - 4) so I can show you how to pass the CISSP Exam... the FIRST time!