Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Hey, all of you, Sean Gerber with CISSP Cyber Training, and we are going to be doing CISSP exam questions for software development. Yeah, baby, domain eight of the CISSP exam. So it's exciting, super exciting. Yeah, I just did. I'm remote right now and I've made the mistake of not recording my podcast.
I just talked for an hour. So, yeah, shoot me now. I'm like, oh my gosh, that was such a waste of time, but you know what? It will be. You'll be ready for it when you get it. It's awesome. All right, so you guys don't care about that. You want to learn about CISSP exam questions.
So let's get into question numero uno, number one: which of the following is the most critical phase for integrating security in the software development lifecycle? Okay, so we're talking domain eight and we're talking software development.
So which of the following is the most critical phase for integrating security in the software development lifecycle (SDLC)? A, requirements gathering; B, design and architecture; C, coding and implementation; or D, testing and quality assurance?
Okay, so which of the following is most critical: requirements gathering, design and architecture, coding and implementation, or D, testing and quality assurance? The answer is B. Right, I was almost going to say the wrong one, I just was, I don't know what I was thinking. It's B, design and architecture.
So design and architecture is the most critical for integrating security into the SDLC environment. It does lay the foundation for the entire software system and allows for security controls to be built into the design. Again, ensuring security is always considered from the beginning.
Okay, question number two: which of the following is an example of a static application security testing technique, or SAST? A, penetration testing; B, code review; C, fuzz testing; D, web application scanning? Again, which of the following is an example of a static application security testing technique (SAST)? A, penetration testing;
B, code review; C, fuzz testing; or D, web application scan? And the answer is B, code review. Okay, so SAST testing does involve reviewing the source code and the compiled application without executing it.
So code review is a common SAST technique and, again, it's very important for identifying vulnerabilities, coding errors and adherence to coding guidelines and policies, which we talked about in the podcast earlier. Question three: in the context of software security, what does the term OWASP stand for?
A, Organization for Web Application Security Protocols; B, Open Web Application Security Project; C, Operating System Web Application Security Procedures; or D, Online Web Application Security Platform. So what does the term OWASP stand for? I'm not going to read all those again, but you can see the video of it online. It is B, Open Web Application Security Project.
OWASP is an open source project that was focused on improving security within software applications. Okay, so it provides resources, tools, guidelines, all of that defined specifically for securing applications and finding security vulnerabilities. Question four: which of the following is an example of a dynamic application security testing technique?
DAST. Which is a common example of DAST? So, again, that's Delta Alpha Sierra Tango. Which of the following is a dynamic application security testing technique? A, threat modeling; B, security code review; C, vulnerability scanning; or D, secure code guidelines? Okay, which is an example of DAST? And the answer is C, vulnerability scanning.
So dynamic application security testing, DAST, involves testing the application while it's running, okay, to find vulnerabilities. So vulnerability scanning is a common technique that searches out for known vulnerabilities in the application code, configurations and network interactions, and so, therefore, DAST and vulnerability scanning work hand in hand.
Question five: which of the following is a key objective of threat modeling in software security? A, detect security vulnerabilities in software code; B, assess the effectiveness of security controls; C, evaluating the impact of acquired software on security; and D, identifying potential threats and their associated risks.
So which of the following is the key objective of threat modeling in software security? The answer is D, identifying potential threats and their associated risks.
So threat modeling is a process for identifying potential threats and their associated risks in software applications, and it does help you understand the attack vectors, potential vulnerabilities and what the potential impacts are in the event that the threat was successful. Again, the answer is D, identifying potential threats and their associated risks.
Question six: which of the following is a characteristic of secure coding guidelines and standards? Okay. A, they focus on preventing external attacks, that's A. B, they're implemented during the testing phase of the SDLC. C, they're generic and not specific to programming languages or frameworks. Or D, they provide recommendations for writing secure and robust code.
Okay, so which of the following is a characteristic of secure coding guidelines and standards? Okay, so that one can seem a little nebulous. So you have to kind of think about that a little bit. But A, they focus on preventing external attacks, though they don't do that. They are implemented during the testing phase of the SDLC.
You'd want them for more than the testing phase. They are generic and not specific to programming. Okay, you don't want them necessarily to be generic. And D is they provide recommendations for writing secure and robust code. That would be what your secure coding guidelines and standards would be. The answer would be D.
And they provide recommendations for writing secure and robust code. They provide input validation, authentication, access controls. All of those pieces are tied into that. Now, the cool part is, if you have that already defined, you can have that set up, potentially, in a CI/CD pipeline, and so you are good to go. All right.
Another question: which of the following activities is an integral part of integrating security into the software development lifecycle? A, backup and recovery; B, change management process; C, user acceptance testing; or D, incident response planning. So which of the following is an integral part of integrating security into the software development lifecycle?
Okay, so again, all of these can be valuable, but which one is an integral part of integrating security into software development? User acceptance testing, C, is a crucial activity in the SDLC, and it does ensure that the software meets the user's requirements and functions as expected.
Okay, it allows stakeholders to validate the security controls and assess the effectiveness of the software security features. Again, that's an important factor. So, depending on how you're answering the question, what is the most integral part?
So when you're saying integral to integrating, you're dealing with user acceptance testing, UAT, okay, so that's where the users actually go out and test and play with it. All right, hope you have a wonderful day. That's all I've got for today.
Go check out CISSP Cyber Training and you can check out all these wonderful things and see if it meets your needs to pass the CISSP the first time. All right, have a great day. We'll catch you on the flip side, see ya.