Exam (elaborations)

CSSLP Exam 2024 Questions & Answers 100% Correct Verified

Pages: 82
Uploaded on: 02-07-2024
Written in: 2023/2024

Preview of the content
Your project involves streaming web conference content from your web servers to multiple endpoints.
Because of the sensitive nature of the content, encryption is mandated. What would be the preferred
algorithm?

A. 3DES

B. AES

C. RC4

D. MD5

Answer: C.

RC4 is a stream cipher; the answer key's reasoning is that web conference traffic calls for a stream
cipher for performance reasons.

A, B, and D are incorrect. 3DES and AES are symmetric block ciphers, which the key treats as poor
choices for streaming media channels. MD5 is a hash algorithm, not an encryption method.

Practitioner's note: RC4 has well-documented keystream biases, and RFC 7465 prohibits its use in TLS,
so it must not be chosen for new designs. Real-time media protocols such as SRTP run AES in a stream
mode (counter mode, or AES-GCM for authenticated encryption), which gives stream-cipher performance
without RC4's weaknesses; ChaCha20-Poly1305 is the dedicated stream-cipher alternative. Mark C on the
exam; do not ship it.

Hint: What type of material is being encrypted and does it have any specific characteristics that are
important to consider?

Reference: Chapter 13: Defensive Coding Practices

Objective: 13.3 Cryptography
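As an added illustration (not part of the exam dump, and not a recommendation to use RC4), the C code below implements RC4's key schedule and keystream generator and then measures the Mantin-Shamir second-byte bias: across many random keys, the second keystream byte is zero roughly twice as often as the 1/256 a sound stream cipher would give. The sample key, sample message and trial count are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RC4 state: the 256-byte permutation S and the PRGA indices i, j. */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_state;

/* Key-scheduling algorithm (KSA): derive S from a 1..256-byte key. */
static void rc4_init(rc4_state *st, const uint8_t *key, size_t keylen) {
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) st->S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->S[k] + key[k % keylen]);
        uint8_t t = st->S[k]; st->S[k] = st->S[j]; st->S[j] = t;
    }
    st->i = 0; st->j = 0;
}

/* Pseudo-random generation algorithm (PRGA): produce one keystream byte. */
static uint8_t rc4_next(rc4_state *st) {
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->S[st->i]);
    uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
    return st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
}

/* Encrypt or decrypt buf in place: XOR with the keystream (the operation is its own inverse). */
void rc4_crypt(const uint8_t *key, size_t keylen, uint8_t *buf, size_t len) {
    rc4_state st;
    rc4_init(&st, key, keylen);
    for (size_t n = 0; n < len; n++) buf[n] ^= rc4_next(&st);
}

/* Fraction of random 16-byte keys whose SECOND keystream byte is 0.
   A sound stream cipher gives 1/256 ~ 0.0039; RC4 gives about 2/256 ~ 0.0078,
   the bias behind the broadcast attacks on RC4 (Mantin and Shamir, 2001). */
double rc4_second_byte_zero_rate(unsigned trials, unsigned seed) {
    unsigned zeros = 0;
    srand(seed);            /* rand() is fine here: we need varied keys, not secret ones */
    for (unsigned t = 0; t < trials; t++) {
        uint8_t key[16];
        for (int k = 0; k < 16; k++) key[k] = (uint8_t)(rand() & 0xff);
        rc4_state st;
        rc4_init(&st, key, sizeof key);
        (void)rc4_next(&st);             /* keystream byte 1 */
        if (rc4_next(&st) == 0) zeros++; /* keystream byte 2 */
    }
    return (double)zeros / trials;
}

/* Sanity check: ciphertext differs from plaintext and decrypts back to it. Returns 1 on success. */
int rc4_roundtrip_ok(void) {
    static const uint8_t key[] = "conference-key";   /* constructed sample key */
    const char *msg = "slide 12: quarterly numbers"; /* constructed sample content */
    size_t len = strlen(msg);
    uint8_t buf[64];
    memcpy(buf, msg, len);
    rc4_crypt(key, sizeof key - 1, buf, len);
    int changed = memcmp(buf, msg, len) != 0;
    rc4_crypt(key, sizeof key - 1, buf, len);
    return changed && memcmp(buf, msg, len) == 0;
}

int main(void) {
    printf("round trip: %s\n", rc4_roundtrip_ok() ? "ok" : "FAILED");
    printf("P[Z2 == 0] over 50000 keys: %.5f (uniform would be %.5f)\n",
           rc4_second_byte_zero_rate(50000, 1), 1.0 / 256);
    return 0;
}
```

The measured rate lands near 0.0078 rather than 0.0039. A bias of that size in the first bytes of every session is exactly what let attackers recover repeated plaintext (cookies, headers) from RC4-protected traffic, which is why the answer the exam expects is not the answer a design review should accept.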



WS-Security is:

A. A method of providing confidentiality for SOAP

B. A method of providing authentication, integrity, confidentiality, and non-repudiation for web services

C. The encryption of SOAP messages

D. A method of authenticating SOAP messages

Answer: B.

WS-Security is a collection of security mechanisms for signing, encrypting, and authenticating SOAP
messages: it carries XML Signature, XML Encryption, and security tokens (UsernameToken, X.509, SAML)
in the SOAP header. Merely using WS-Security does not guarantee security; it must be properly configured
to provide protection.

A, C, and D are incorrect. Each of them names a single function, whereas WS-Security provides a wide
range of security functionality for SOAP, not just confidentiality, authentication, or encryption on
its own.

Hint: WS-Security can provide a range of security-related functions.

Reference: Chapter 10: Securing Commonly Used Architecture

Objective: 10.2 Service-oriented architecture



Passwords and sensitive elements such as keys are sought after by attackers. What is the best way to
store these in application programs?

A. In a config file in a protected directory

B. Hard-coded in the executable where they are protected

C. Encrypted and stored in a file

D. On a protected server

Answer: C.

All sensitive data should be encrypted and stored in an appropriate place. Storing elements in the
executable file makes them difficult to change, so separate files are recommended.

A, B, and D are incorrect. A protected directory can be bypassed, and for some secrets, a demo of the
code can give away the secret. Hard-coding in the executable makes them accessible to anyone who can
read the binary (a strings dump or a disassembler is enough). Remote storage does not by itself solve
the confidentiality problem.

Practitioner's note: encrypting the file moves the problem to the key that decrypts it. That key has to
live somewhere the application's code and configuration do not, such as an operating-system keystore, an
HSM, or a secrets manager, and the encrypted file still needs restrictive file permissions.

Hint: What protects the confidentiality of data?

Reference: Chapter 12: Common Software Vulnerabilities and Countermeasures

Objective: 12.1.3 Handling configuration parameters



Which of the following functions should never be relied upon with client-side processing? Choose all that
apply.

A. Input errors

B. Missing values

C. State management

D. Input validation

Answer: C and D.

Because anything the client sends can be altered before it reaches the server (by an intercepting proxy,
a modified client, or a hand-crafted request that never ran the client-side code at all), all security
checks must be performed on the server side, including all state management and input validation.
Client-side checks are a usability feature, not a control.

A and B are incorrect. Input errors and missing values can be checked for and validated on the client side
for the purpose of improving user experience (preventing unnecessary round trips to the server), as long
as the server repeats the checks.

Hint: At what stages can input be changed?

Reference: Chapter 13: Defensive Coding Practices

Objective: 13.6 Input validation



Your development group programs in C, creating high-speed financial applications for processing stock
trade events from a wide customer base. Which is the most important control to employ?

A. Buffer overflow checks

B. Input validation

C. Fuzz testing

D. Bug bar

Answer: B.

Because the application consumes input from a wide customer base, that input is untrusted and input
validation is paramount.

A, C, and D are incorrect. Buffer overflow checks are important, but proper use of compiler directives
and static code checking can alleviate most of these. Fuzz testing and bug bar are process elements, not
specific controls.

Hint: Consider what would be related to blocking the most damaging error category.

Reference: Chapter 13: Defensive Coding Practices

Objective: 13.6 Input validation
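As an added example (not taken from the exam dump), here is a C parser for a constructed trade-event line format "SIDE,SYMBOL,QTY,PRICE". It applies the input validation this question asks for and, per the preceding client-side question, runs on the server no matter what the client already checked: a hard length bound before any copy, allow-listed characters, range-checked integer parsing using strtoull's end pointer and errno, and money kept as integer cents. The format, the field limits and the sample lines are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_LEN    64            /* hard bound on one event line (assumed) */
#define SYMBOL_MAX      8             /* ticker symbol: 1..8 chars (assumed) */
#define QTY_MAX         1000000ULL    /* business limit on shares per order (assumed) */
#define PRICE_MAX_CENTS 100000000ULL  /* $1,000,000.00 per share (assumed) */

typedef struct { int is_buy; char symbol[SYMBOL_MAX + 1]; uint32_t quantity; uint64_t price_cents; } trade_t;

enum { TRADE_OK = 0, TRADE_ERR_LENGTH, TRADE_ERR_FIELDS, TRADE_ERR_SIDE,
       TRADE_ERR_SYMBOL, TRADE_ERR_QTY, TRADE_ERR_PRICE };

/* Copy n bytes into a fixed buffer only if they fit together with the terminator. */
static int copy_field(char *dst, size_t dstsz, const char *src, size_t n) {
    if (n == 0 || n >= dstsz) return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Unsigned decimal in [0, max]; rejects sign, whitespace, trailing junk and overflow. */
static int parse_u64(const char *s, uint64_t max, uint64_t *out) {
    char *end;
    if (!isdigit((unsigned char)s[0])) return 0;   /* strtoull alone would accept " -5" */
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max) return 0;
    *out = v;
    return 1;
}

/* Validate and parse "SIDE,SYMBOL,QTY,PRICE", e.g. "BUY,ACME,100,12.34". */
int parse_trade(const char *line, trade_t *t) {
    size_t len = 0;
    while (len <= LINE_MAX_LEN && line[len] != '\0') len++;   /* never scan past the bound */
    if (len == 0 || len > LINE_MAX_LEN) return TRADE_ERR_LENGTH;

    /* Split into exactly four fields without modifying the input. */
    const char *f[4]; size_t n[4]; int nf = 0;
    const char *p = line;
    while (nf < 4) {
        const char *c = strchr(p, ',');
        f[nf] = p;
        n[nf] = c ? (size_t)(c - p) : strlen(p);
        nf++;
        if (!c) break;
        p = c + 1;
    }
    if (nf != 4 || strchr(f[3], ',') != NULL) return TRADE_ERR_FIELDS;

    char side[5], qty_s[16], price_s[24];
    uint64_t v, dollars;

    if (!copy_field(side, sizeof side, f[0], n[0])) return TRADE_ERR_SIDE;
    if (strcmp(side, "BUY") == 0) t->is_buy = 1;
    else if (strcmp(side, "SELL") == 0) t->is_buy = 0;
    else return TRADE_ERR_SIDE;

    if (!copy_field(t->symbol, sizeof t->symbol, f[1], n[1])) return TRADE_ERR_SYMBOL;
    for (size_t k = 0; k < n[1]; k++) {              /* allow-list: A-Z and 0-9 only */
        unsigned char ch = (unsigned char)t->symbol[k];
        if (!(ch >= 'A' && ch <= 'Z') && !(ch >= '0' && ch <= '9')) return TRADE_ERR_SYMBOL;
    }

    if (!copy_field(qty_s, sizeof qty_s, f[2], n[2]) ||
        !parse_u64(qty_s, QTY_MAX, &v) || v == 0) return TRADE_ERR_QTY;
    t->quantity = (uint32_t)v;

    /* Price must be D+.CC and is stored as integer cents, so no floating-point rounding. */
    if (!copy_field(price_s, sizeof price_s, f[3], n[3])) return TRADE_ERR_PRICE;
    char *dot = strchr(price_s, '.');
    if (!dot || strlen(dot) != 3 ||
        !isdigit((unsigned char)dot[1]) || !isdigit((unsigned char)dot[2])) return TRADE_ERR_PRICE;
    *dot = '\0';
    if (!parse_u64(price_s, PRICE_MAX_CENTS / 100, &dollars)) return TRADE_ERR_PRICE;
    t->price_cents = dollars * 100 + (uint64_t)(dot[1] - '0') * 10 + (uint64_t)(dot[2] - '0');
    if (t->price_cents == 0 || t->price_cents > PRICE_MAX_CENTS) return TRADE_ERR_PRICE;
    return TRADE_OK;
}

int main(void) {
    /* Constructed sample events: the first is valid, each of the others breaks one rule. */
    const char *samples[] = { "BUY,ACME,100,12.34", "SELL,acme,100,12.34", "BUY,ACME,0,12.34",
                              "BUY,ACME,-5,12.34", "BUY,ACME,100,12.345", "BUY,ACME,100,12.34,EXTRA" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        trade_t t;
        printf("%-28s -> %d\n", samples[k], parse_trade(samples[k], &t));
    }
    return 0;
}
```

Every buffer is sized up front and every copy is guarded by copy_field, so the buffer-overflow concern in option A is handled as a by-product of validating the input; the point the question makes is that the validation rules (allow-listed symbol, bounded quantity, exact price format) are what keep a hostile customer from driving the parser into states the code never expected.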



Penetration tests done with no a priori system knowledge are called:

A. Black-box testing

B. Code reviews

C. White-box testing

D. Acceptance testing

Answer: A.

When there is no knowledge of the inner workings of a system, it is referred to as black-box testing.

B, C, and D are incorrect. White-box testing assumes full knowledge of the system, as do code reviews.
Acceptance testing is functional testing to requirements and not directly related to this topic.

Hint: No a priori knowledge indicates what state?

Reference: Chapter 15: Secure Software Testing

Objective: 15.2.3 Security testing

The first step for general risk management is:

A. Enumerate risks

B. Security control selection

C. Threat assessment

D. Asset identification

Answer: D.

Risks are associated with assets, or things that have value in an enterprise.

A, B, and C are incorrect. Risks cannot be enumerated until the target (asset) is identified. Security
controls cannot be selected until a specific threat assessment is performed. All of these steps follow
asset identification.

Hint: Risk is associated with something of value.

Reference: Chapter 2: Risk Management

Objective: 2.2 Governance, risk, and compliance



What are the two primary components associated with measuring the loss due to risk? Choose two.

A. Likelihood of impact

B. Magnitude of impact

C. Scale of threat

D. Likelihood of threat

Answer: B and D.

Risk is measured in terms of the likelihood of the threat and the magnitude of the impact.

A and C are incorrect. The likelihood of impact is messy because it includes not just the likelihood of the
threat, but the likelihood of bypassing mitigations; this makes it difficult to use consistently. The scale of
the threat is again complicated by external factors, making it less useful.

Hint: What are the elements of qualitative risk assessment?

Reference: Chapter 2: Risk Management

Objective: 2.5 Qualitative risk management



PHI is affiliated with:
