ME2 CSSLP-EXAM PRACTICE TEST - QUESTIONS AND VERIFIED ANSWERS
Question Number: 401 Question: Which of the following models uses a directed graph
to specify the rights that a subject can transfer to an object or that a subject can take
from another subject?
Option 1: Biba model
Option 2: Bell-LaPadula model
Option 3: Clark-Wilson model
Option 4: Lattice-based model - Answers - Correct Response: 1 Explanation: The
correct option is "Biba model." The Biba model uses a directed graph to specify the
rights that a subject can transfer to an object or that a subject can take from another
subject. The model focuses on preserving data integrity and preventing unauthorized
modification or corruption of data. It ensures that subjects with lower integrity levels
cannot modify or write to objects with higher integrity levels, preventing the spread of
inaccurate or malicious data modifications.
Question: Which Software Project & Org process is least relevant?
Option 1: Software configuration management
Option 2: Software quality assurance
Option 3: Facility, site, physical security
Option 4: Budget, schedule, reporting - Answers - Correct Response: 3
Explanation: Physical security is less relevant to software practices.
Question: Scenario: As a software developer working on a project for a client who
follows U.S. Department of Defense (DoD) Instruction 8500.2, you are required to
implement the Information Assurance (IA) controls defined by the DoD. What is the
primary area of IA you should focus on according to DoD Instruction 8500.2?
Option 1: Software Development Security
Option 2: Network Infrastructure Security
Option 3: Physical and Environmental Security
Option 4: Personnel Security - Answers - Correct Response: 1 Explanation: As a
software developer, your primary focus according to DoD Instruction 8500.2 would be
Software Development Security (Option 1). This area involves ensuring the application of
security principles and practices in the development of systems and software. It's a
critical part of the eight areas of IA defined by the DoD, particularly for your role.
Question Number: 404 Question: Which statement about ISSO and ISSE is false?
Option 1: ISSO is CNSS 4011 certified
Option 2: ISSE advises on engineering
Option 3: ISSO performs IA operations
Option 4: ISSE supports IA engineering - Answers - Correct Response: 1 Explanation:
ISSOs are not required to be 4011 certified.
Question Number: 405 Question: Which of the following security design patterns
provides an alternative by requiring that a user's authentication credentials be verified
by the database before providing access to that user's data?
Option 1: Role-Based Access Control (RBAC)
Option 2: Attribute-Based Access Control (ABAC)
Option 3: Mandatory Access Control (MAC)
Option 4: Database Authentication - Answers -
Correct Response: 4 Explanation: The correct option is "Database Authentication."
Database Authentication is a security design pattern that verifies a user's authentication
credentials against the database before granting access to that user's data. This pattern
ensures that the user's credentials are valid and authenticated by the database,
providing an additional layer of security for data access.
Question Number: 406 Question: Scenario: You are a software developer working on a
project that requires a high level of security. The project is nearing completion, and your
team is working on a process that concludes with an agreement that the system
provides adequate protection controls in its current configuration. Which process is your
team currently focusing on?
Option 1: Risk Assessment
Option 2: System Certification
Option 3: Security Audit
Option 4: Vulnerability Scanning - Answers - Correct Response: 2 Explanation: The
process your team is currently working on is System Certification (Option 2). This process
involves a comprehensive evaluation of the technical and non-technical security
controls of the system to ensure they provide adequate protection. It culminates in an
agreement, often documented as a Certification Statement, stating that the system
meets a certain set of security standards.
Question Number: 407 Question: You are designing an e-commerce website that will
handle sensitive customer data. Which of the following is not useful to ensure secure
transactions?
Option 1: Implementing SSL for data in transit
Option 2: Storing user passwords in plaintext for easy recovery
Option 3: Encrypting credit card data at rest
Option 4: Using secure, vetted payment processing services - Answers - Correct
Response: 2 Explanation: Storing user passwords in plaintext is a major
security risk, as it makes them easily readable if the data is breached, which can lead to
unauthorized access. Knowledge Area: Mock Exam 2
Question Number: 408 Question: In which of the following testing methodologies do
assessors use all available documentation and work under no constraints, and attempt
to circumvent the security features of an information system?
Option 1: White-box testing
Option 2: Gray-box testing
Option 3: Black-box testing
Option 4: Penetration testing - Answers - Correct Response: 3 Explanation: The correct
option is "Black-box testing." In black-box testing, assessors work with no prior
knowledge or access to internal details of the system. They use all available
documentation and work under no constraints to simulate real-world attacks and
attempt to circumvent the security features of the information system. This methodology
helps identify vulnerabilities and weaknesses from an external perspective. Knowledge
Area: Mock Exam 2
Question Number: 409 Question: Scenario: Your company is going through the Initiate
and Plan Information Assurance Certification and Accreditation (IA C&A) phase of the
Department of Defense Information Assurance Certification and Accreditation Process
(DIACAP). As a software developer, what is the primary subordinate task you should
focus on during this phase?
Option 1: Develop a System Identification Profile
Option 2: Perform a vulnerability assessment
Option 3: Implement security controls
Option 4: Conduct a security audit - Answers - Correct Response: 1 Explanation: During
the Initiate and Plan IA C&A phase of the DIACAP process, the primary subordinate
task is to Develop a System Identification Profile (Option 1). This profile provides an overview
of the system and its components, which is critical for identifying potential vulnerabilities
and planning appropriate security controls. Knowledge Area: Mock Exam 2
Question Number: 410 Question: Which is NOT an access control type?
Option 1: Mandatory
Option 2: Discretionary
Option 3: Advisory
Option 4: Non-discretionary - Answers - Correct Response: 3 Explanation: Advisory
controls are recommendations, not access enforcement. Knowledge Area: Mock Exam
2
Question Number: 411 Question: Which of the following methods determines the
principal name of the current user and returns the java.security.Principal object in the
HttpServletRequest interface?
Option 1: getUserPrincipal()
Option 2: getPrincipal()
Option 3: getCurrentPrincipal()
Option 4: getAuthenticatedUser() - Answers - Correct Response: 1 Explanation: The
correct option is "getUserPrincipal()". This method is used in the HttpServletRequest
interface to determine the principal name of the current user and returns the
java.security.Principal object representing the user. The Principal object provides
information about the user's identity and can be used for authentication and
authorization purposes. Knowledge Area: Mock Exam 2
Question Number: 412 Question: Which attack does NOT cause software failure?
Option 1: Buffer overflow
Option 2: SQL injection
Option 3: Cross-site scripting
Option 4: Blind DoS - Answers - Correct Response: 4 Explanation: Blind DoS prevents
access but not software failure. Knowledge Area: Mock Exam 2
Question Number: 413 Question: Scenario: As a software developer, you are tasked
with writing efficient and maintainable code for a new project. What is the primary
coding practice you should adopt to simplify your code?
Option 1: Use of nested conditionals for robustness
Option 2: Frequent use of recursion for complex problems
Option 3: Use of comments and meaningful variable names
Option 4: Use of global variables for ease of access - Answers - Correct Response: 3
Explanation: Simplifying code is critical for maintainability and ease of understanding.
This can be achieved primarily through the use of comments and meaningful variable
names (Option 3). Comments provide additional information or clarify complex parts, while
meaningful variable names make code self-explanatory. The use of nested conditionals
or recursion may increase complexity, and global variables can lead to unexpected side
effects, making the code harder to understand and maintain. Knowledge Area: Mock
Exam 2
Question Number: 414 Question: Which of the following coding practices are helpful in
simplifying code?
Option 1: Modularity, abstraction, encapsulation
Option 2: Code obfuscation, spaghetti code, code duplication
Option 3: Hard coding, insecure coding, global variables
Option 4: Code comments, self-explanatory variable names, code repetition - Answers -
Correct Response: 1 Explanation: The correct option is "Modularity, abstraction,
encapsulation." Modularity, abstraction, and encapsulation are coding practices that are
helpful in simplifying code. Modularity involves breaking down complex systems into
smaller, manageable modules. Abstraction focuses on hiding unnecessary details and
exposing only relevant information. Encapsulation involves bundling data and related
functions together to form a self-contained unit. These practices improve code
readability, maintainability, and reusability. Knowledge Area: Mock Exam 2