CORRECT Answers
____ is an architecture that can mimic desktop applications in usability and function.
A. RIA
B. NFC
C. REST
D. SOAP - CORRECT ANSWER - A. Rich Internet applications (RIAs) are a form of
architecture using the Web as a transfer mechanism and the client as a processing device,
typically for display formatting control functions.
_____ is a selected collection of elements into a designed solution stack for a specific problem.
A. Infrastructure as a Service
B. Platform as a Service
C. Software as a Service
D. Architecture as a Service - CORRECT ANSWER - B. PaaS can exist as a selected
collection of elements into a designed solution stack for a specific problem. This may include
apps, databases, web services, storage, and other items that are offered as a service.
_____ is a type of cloud computing where the software runs in the cloud on external hardware,
and the user derives the benefit through a browser or browser-like interface.
A. Infrastructure as a Service
B. Platform as a Service
C. Software as a Service
D. Architecture as a Service - CORRECT ANSWER - C. SaaS is a type of cloud
computing where the software runs in the cloud on external hardware, and the user derives the
benefit through a browser or browser-like interface.
______ is a protocol and set of standards for communication via radio frequency energy over
very short distances.
A. Wi-Fi
B. NFC
C. Wireless
D. Zigbee - CORRECT ANSWER - B. NFC (near-field communication), which is over
very short distances.
_______ is a series of standards associated with the manipulation of certificates used to transfer
asymmetric keys between parties in a verifiable manner.
A. X.509
B. PKIX
C. OCSP
D. CRL - CORRECT ANSWER - A. X.509 describes the infrastructure of using
certificates for key transfer.
________ is the major reason an application can be susceptible to a Man-in-the-Middle
attack.
a. Lack of encryption
b. Improper archiving
c. Lack of auditing
d. Improper session management - CORRECT ANSWER - Correct Answer is D. A Man-in-the-Middle
attack, also known as a Janus attack, is a situation in which the attacker secretly alters and
relays the communication between two parties who are unaware of being attacked. Anyone can
compromise the system if sessions are not managed properly. Session identifiers should not be
easily guessable.
"As is" clauses and disclaimers transfer the risk of using the software from the software
publisher to the
-Developers
-End users
-Testers
-Business owners - CORRECT ANSWER - Answer is B
Disclaimers, or "as is" clauses, transfer the risk from the software provider to the end user.
A brute force method of addressing input validation issues and vulnerabilities is:
A. Fuzzing
B. Regression
C. Scanning
D. Penetration - CORRECT ANSWER - Hint: Brute force testing of input validation.
Answer: A. Fuzz testing is a brute force method of addressing input validation issues and
vulnerabilities.
B, C, and D are incorrect. Scanning is the automated enumeration of specific characteristics of an
application or network. The testing of various versions of software is referred to as regression
testing. Penetration testing is an active form of examining the system for weaknesses and
vulnerabilities.
A common language to describe and exchange information about the causes of software
vulnerabilities is:
A. CVS
B. CVE
C. CSSLP
D. CNSS - CORRECT ANSWER - B. The CVE is a list of standard identifiers for known
software vulnerabilities that have been found in software.
A common manner of keeping track of changes in a configuration management system is through
a:
A. CMS
B. CMDB
C. SCM
D. CCB - CORRECT ANSWER - Hint: Collection and tracking of data is done with a
what?
Answer: B. A common manner of keeping track of changes is through a configuration
management database (CMDB).
A, C, and D are incorrect. The software configuration management (SCM), configuration
management system (CMS), and change control board (CCB) are not principal data-tracking
mechanisms.
A device that moderates traffic and includes caching of content is a(n):
A. Proxy
B. Application firewall
C. Firewall
D. DLP - CORRECT ANSWER - A. Proxies can cache content for multiple systems in an
environment to improve performance.
A document that describes an input, action, or event that is expected to produce a predictable
response is a(n):
A. Test case
B. Use-case
C. Misuse case
D. Formal analysis - CORRECT ANSWER - Hint: Input and response.
Answer: A. A test case is a document that describes an input, action, or event that is expected to
produce a predictable response.
B, C, and D are incorrect. Use-cases and misuse cases are built around the processes a system is
designed to implement.
A grid to assist the development team in tracking and managing requirements and
implementation details is known as a:
A. Functional requirements matrix
B. Subject-object-activity matrix
C. Use case
D. Requirements traceability matrix - CORRECT ANSWER - D. The requirements
traceability matrix (RTM) is a grid that allows users to track and manage requirements and
implementation details.