Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Hey, all, it's Sean Gerber with CISSP Cyber Training and we are going to be doing CISSP exam questions for software development. Yeah, baby, domain eight of the CISSP exam. So it's exciting, super exciting. Yeah, yeah, I just did.
I'm remote right now and I made a mistake of not recording my podcast. I just talked for an hour. So, yeah, shoot me now. I'm like, oh my gosh, that was such a waste of time. But you know what? You'll be ready for it when you get it. It's awesome. All right, so you guys don't care about that, you want to learn about CISSP exam questions.
So let's get into question numero uno, number one: which of the following is the most critical phase for integrating security in the software development lifecycle? Okay, so we're talking domain eight and we're talking software development.
So which of the following is the most critical phase for integrating security in the software development lifecycle, SDLC? A, requirements gathering; B, design and architecture; C, coding and implementation; or D, testing and quality assurance.
Okay, so which of the following is most critical? Requirements gathering, design and architecture, coding and implementation, or D, testing and quality assurance? The answer is B. Right, I was almost going to say the wrong one, I don't know what I was thinking. It's B, design and architecture. So design and architecture is the most critical for integrating security into the SDLC environment. It does lay the foundation for the entire software system and allows for security controls to be built into the design.
Again, ensuring security is always considered from the beginning. Okay, question number two: which of the following is an example of a static application security testing technique, or SAST? A, penetration testing. B, code review. C, fuzz testing. D, web application scanning?
Again, which of the following is an example of a static application security testing technique, S-A-S-T? A, penetration testing. B, code review. C, fuzz testing. Or D, web application scanning? And the answer is B, code review. Okay, so SAST does involve reviewing the source code and the compiled application without executing it.
So code review is a common SAST technique and, again, it's very important for identifying vulnerabilities, coding errors and adherence to coding guidelines and policies, which we talked about in the podcast earlier.
Question three: in context with software security, what does the term OWASP stand for? A, Organization for Web Application Security Protocols; B, Open Web Application Security Project; C, Operating System Web Application Security Procedures; or D, Online Web Application Security Platform. So what does the term OWASP stand for?
I'm not going to read all those again, but you can see the video of it online. It is B, Open Web Application Security Project. OWASP is an open source project that was focused on improving security within software applications. Okay, so it provides resources, tools, guidelines, all of that defined specifically for secure applications and finding security vulnerabilities.
Question four: which of the following is an example of a dynamic application security testing technique, DAST? Which is a common example of DAST? So again, that's Delta, Alpha, Sierra, Tango. Which of the following is a dynamic application security testing technique? A, threat modeling. B, security code review. C, vulnerability scanning. Or D, secure code guidelines.
Okay, which is an example of DAST? And the answer is C, vulnerability scanning. So dynamic application security testing, DAST, involves testing the application while it's running, okay, to find vulnerabilities. So vulnerability scanning is a common technique that searches out for known vulnerabilities in the application code, configurations and network interactions.
And so therefore, DAST and vulnerability scanning work hand in hand. Question five: which of the following is a key objective of threat modeling in software security? A, identify security vulnerabilities in software code. B, assess the effectiveness of security controls. C, evaluating the impact of the acquired software and security.
And D, identifying potential threats and their associated risks. So which of the following is a key objective of threat modeling in software security? The answer is D, identifying potential threats and their associated risks.
So threat modeling is a process for identifying potential threats and their associated risks in software applications, and it does help you understand the attack vectors, potential vulnerabilities and what are the potential impacts in the event that the threat was successful. Again, the answer is D, identifying potential threats and the associated risks.
Question six: which of the following is a characteristic of secure coding guidelines and standards? A, they focus on preventing external attacks. That's A. B, they're implemented during the testing phase of the SDLC. C, they're generic and not specific to programming languages or frameworks. Or D, they provide recommendations for writing secure and robust code.
Okay, so which of the following is a characteristic of secure coding guidelines and standards? Okay, so that one can seem a little nebulous, so you have to kind of think about that a little bit. But A, they focus on preventing external attacks. No, they don't do that. B, they are implemented during the testing phase of the SDLC.
You'd want them more than on the testing phase. C, they are generic and not specific to programming. You don't want them necessarily to be generic. And D is they provide recommendations for writing secure and robust code. That would be what your security coding guidelines and standards would be.
The answer would be D, and they provide recommendations for writing secure and robust code. They provide input validation, authentication, access controls. All of those pieces are tied into that.
Now the cool part is, if you have that already defined, you can have that set up, potentially, in a CI/CD pipeline, and so you are good to go, all right. Another question: which of the following activities is an integral part of integrating security into the software development lifecycle? A, backup and recovery. B, change management process.
C, user acceptance testing. Or D, incident response planning. So which of the following is an integral part of integrating security into the software development lifecycle? Okay, so, again, all of these can be valuable, but which one is an integral part of integrating security into software development?
User acceptance testing, C, is a crucial activity in the SDLC and it does ensure that the software meets the user's requirements and functions as expected. Okay, it allows stakeholders to validate the security controls and assess the effectiveness of the software security features. Again, that's an important factor.
So, depending on how you're answering the question, what is the most integral part? So, when you're saying integral of integrating, you're dealing with user acceptance testing, UAT. Okay, so those are where the users actually go out and test and play with it. All right, hope you have a wonderful day. That's all I've got for today.
Go check me out at CISSP Cyber Training and you can check all these wonderful things and see if it meets your needs to pass the CISSP the first time, all right.