Free CISSP Practice Exams: DOMAIN 8: Software Development Security + Anki Cards

Explanation: The Disposal phase involves activities such as archiving or transitioning data to a replacement system.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 726 in PDF)

Explanation: CWE™ (Common Weakness Enumeration) is best defined as a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. CWE is freely available and is integrated with security products such as scanning tools as a common way of identifying and reporting on potential weaknesses in information systems.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 798 in PDF)

Explanation: Organizations at level 5 of the CMMI, Optimizing, focus on process improvement. They have documented processes, proactively control them using lessons learned, and have a robust oversight function to gather metrics and manage activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 741 in PDF)

Explanation: The Waterfall methodology is not designed to be iterative, which presents difficulties when requirements change. To progress to the design phase, all requirements must be gathered, documented, and agreed upon; once the project moves on to the design phase, new requirements cannot be incorporated. This makes the Waterfall methodology inflexible and not suited for projects where changing requirements are expected.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 726 in PDF)

Explanation: Targets are a common component of maturity models in the software development security domain. A target describes the organizations desired maturity level, which can be used to perform a gap analysis and prioritize activities needed to close identified gaps. Different organizations will choose different levels of desired maturity for their software development security practices depending on their objectives and industry sector.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 740 in PDF)

Explanation: Dynamic code delivered via web browsers poses unique challenges as it cannot be verified ahead of time, making it difficult to secure.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 723 in PDF)

Explanation: Maturity models are useful for determining the level of competency and effectiveness that an organizations practices have achieved, as well charting a course to improvement.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 745 in PDF)

Explanation: The use of APIs is a critical requirement for data ingestion and automation of responses in SOAR platforms. APIs enable the exposure of functionality on the target systems and allow for stable, secure, and flexible data integration, manipulation, and correlation. SOAR platforms rely on APIs to integrate data from disparate systems and enable automation of responses to specific incidents, enhancing the efficiency and effectiveness of security operations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 768 in PDF)

Explanation: Frameworks like the Service Organization Controls (SOC), Cloud Security Alliance Security Trust Assurance and Risk (CSA STAR), and the ISO 27000 family (including ISO 27001, 27017, 27018, and 27034) all provide some assurance related to cloud services and applications.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 796 in PDF)

Explanation: The requirements stage of software development introduces risks such as new attack vectors or regulatory compliance burdens. Any new system features like exposing systems to access from the internet or adding new features like credit card processing, introduce risks such as new attack vectors or regulatory compliance burdens.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 786 in PDF)

Explanation: The initial purpose of the Capability Maturity Model was to evaluate the capabilities of government contractors to deliver projects on time and on budget.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 741 in PDF)

Explanation: The Cheat Sheet Series on the OWASP project contains a technology-neutral OWASP Secure Coding Practices Quick Reference Guide which provides recommendations and best practices across a set of common development activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 815 in PDF)

Explanation: The text states that the benefit of using standard web protocols in REST APIs is that they utilize HTTPS for encrypting data in transit with little developer effort.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 812 in PDF)

Explanation: The secure by design principle is largely a paradigm shift in which security is included at the outset of a system – in the design phase – and drives the design and implementation decisions that provide inherent security abilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 817 in PDF)

Explanation: When designing APIs, it is important to ensure that the same level of access management is applied to them as to user accounts, to ensure that the functionality exposed cannot be exploited by attackers to attack a systems confidentiality, integrity, or availability. APIs are often designed for system-to-system communication or for privileged access, which can make them particularly vulnerable to attack if they are not designed with the same level of rigor as user access management.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 811 in PDF)

Explanation: The purpose of maturity models in software development security is to provide a way of measuring an organization’s current state of ability and define a desired goal state for software development, as well as providing systemic recommendations for improving the capability of the organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 738 in PDF)

Explanation: While some tasks during O&M are outside the purview of the security team, remediating vulnerabilities in third-party software is directly assigned to the security team as an ongoing security task. Scanning systems for flaws and remediating them is significant, and routine patch deployment for thirdparty software is the bulk of this work.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 746 in PDF)

Explanation: The purpose of Common Vulnerabilities and Exposures (CVE) ID is to provide a consistent way to identify and describe common cybersecurity vulnerabilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 801 in PDF)

Explanation: Proper security measures to control and monitor access to the repository must be in place, such as implementing protocols like HTTPS and Transport Layer Security (TLS), or secure access solutions like a VPN or proxy service. This is particularly important for remotely accessible and distributed systems.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 773 in PDF)

Explanation: The Spiral methodology is iterative and focuses on risk assessment, analysis, and evaluation. It is designed to be executed in a repetitive series through four phases: determining objectives, alternatives, and risks; evaluating alternatives and resolving risks; development and testing; and planning the next phase.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 736 in PDF)

Explanation: Maturity models usually structure with similar concepts, such as domains, levels, criteria, and targets. Domains are the processes or business aspects that the model is designed to help measure and are usually common activities such as measurement and analysis. Levels are arranged in a scale showing the organizations increasing capabilities and may describe individual process areas or the overall collection of processes described by the maturity model. Criteria is used to achieve a specific level of maturity, and the target describes the organizations desired maturity level.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 739 in PDF)

Explanation: The goal of IPT is to combine both product and process design to ensure a product, often an information system, has a holistic set of requirements used to design both systems and business processes. This holistic set of requirements should include security needs such as data encryption and access control.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 752 in PDF)

Explanation: Branching allows users to make changes to a copy of the main code that is separate from the main code. This isolated code can be tested and modified without affecting the original code. Once changes are confirmed, they can be merged back into the main code.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 772 in PDF)

Explanation: Auditing is an official or systematic inspection of something to ensure it follows established standards or practices, while Logging is simply the recording of events. In the context of software environments, audits focus on the implementation and effectiveness of software security controls, while logs record all system events, such as users signing into an application, and should provide sufficient detail to identify critical information about the event, including what the event was, who/what initiated the action, when it occurred (often called a timestamp), and other metadata about the event like a criticality level, to help diagnose issues and remediate events that fise to the level of security incidents.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 778 in PDF)

Explanation: OWASP provides a number of resources on API security, including a cheat sheet for REST APIs, available at cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html. This document serves as a comprehensive guide for the secure use of RESTful APIs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 808 in PDF)

Explanation: Maturity models are structured with similar concepts, with the key difference being the process areas the model is designed for, such as software development or systems integration. Components that are similar across maturity models include the following: Domains, levels, criteria, and targets.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 740 in PDF)

Explanation: The text states that the complexity of OSS projects and the technical skills required to use the software can make them less attractive than COTS alternatives. This is a key concern when evaluating the use of OSS.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 791 in PDF)

Explanation: The correct answer is B because the passage mentions that the SSG is responsible or accountable for implementing and maturing the organizations chosen SSIs. This is crucial for successful implementation of BSIMM. The other options are incorrect because A is the opposite of what is stated in the text, C has the wrong number of activities and D reverses the definition of widely adopted practices.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 743 in PDF)

Explanation: When selecting security controls for software development, it is important to note that implementation of these controls must be integrated into existing SDLC processes for the systems they are designed to protect. Some costs to be measured when performing the analysis include direct costs like software or product purchases.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 788 in PDF)

Explanation: The Attack Surface factor of the Common Weakness Scoring System (CWSS) that provides an explanation of the factors needed to exploit a weakness in software development security is Authentication Strength (AS). AS metrics include the strength of authentication mechanisms required by the vulnerable software. This factor is important to help understand the extent of control an attacker would need over the system in order to leverage the weakness.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 800 in PDF)

Explanation: One of the key principles of Agile development is to release software quickly with basic functionality and then iterate to include additional functionality, avoiding large all-at-once releases in favor of smaller, more frequent releases. This not only helps to achieve the security goal of availability by making functional software available more quickly, but it also means the software project can evolve to meet changing confidentiality and integrity needs, such as more robust encryption or data validation controls that were not initially identified as requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 728 in PDF)

Explanation: Logs in software development security are not designed to prevent risks from occurring, but rather to provide support to monitoring activities that detect when something has gone wrong. Logs are generated after an action has occurred and are useful for audit and monitoring processes when they are read and used. Log data presents a record of system activity over a period of time, which confirms if an organization is functioning in accordance with documented governance. Therefore, logs are used for audit and monitoring purposes and to demonstrate compliance with legal, regulatory, or other compliance requirements (Reference: NIST SP 800-92, OWASP Logging Cheat Sheet).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 780 in PDF)

Explanation: Syntax refers to the way instructions are written in programming languages. It includes things like spelling, grammar, and punctuation, and is important because computers interpret instructions very literally. If programming instructions contain errors in syntax, this will result in software errors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 754 in PDF)

Explanation: NIST SP 800-160, Systems Security Engineering, replaced NIST SP 800-64 to align security considerations with the SLC processes identified in ISO 15288.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 725 in PDF)

Explanation: The combination of financial drivers and indirect incentives like secure remote accessibility have combined to push many organizations to consume information systems as managed services. These services are billed via metered consumption, which is often a pay-as-you-use model.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 794 in PDF)

Explanation: The primary goal of an IDE is to reduce the overhead of managing multiple tools, thereby increasing productivity for developers. An IDE combines several development tools in one program or web application, reducing the need for developers to switch between different applications. This results in a more streamlined development process, as well as enhanced productivity.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 763 in PDF)

Explanation: Proactive risk mitigations available in the software development domain include documenting secure coding standards and guidelines, implementing maturity models to increase the organizations secure development capabilities, and implementing practices like DevSecOps and SOAR to provide automation and efficiency gains.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 823 in PDF)

Explanation: Integrating security activities throughout each phase of the SDLC is crucial to effectively implement software security. This means identifying security requirements for the system before development begins and providing adequate resources to support the design, development, and testing of security features or controls implemented to meet those requirements. It is important to note that the system lifecycle (SLC) covers additional phases of the information system after its development (SDLC) is completed. This includes operations and maintenance as well as decommissioning and disposal, during which key security controls such as vulnerability management and media sanitization must be addressed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 724 in PDF)

Explanation: During design, alternatives will be evaluated against requirements, such as cloud versus on-premises hosting for a system. Key activities to be audited include the formal risk assessment and decision processes utilized to determine which of the proposed solution alternatives adequately meet the stated requirements, and formal acceptance of the residual risk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 782 in PDF)

Explanation: Static code analysis tools review the underlying code of a program without actually running the program itself; the goal is to identify problems like improper coding that could lead to buffer overflow conditions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 762 in PDF)

Explanation: Code escrow is a contractual arrangement in which a software development organization deposits a copy of the source code with a trusted third party, called an escrow agent, so that the contracting organization can get access to the code under limited circumstances, such as the developer going out of business or breaching the contract, which enables continued support and development of the system.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 793 in PDF)

Explanation: The Software Assurance Maturity Model (SAMM) is a prescriptive framework for implementing a software security program and focuses on integrating security activities into an existing SDLC.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 742 in PDF)

Explanation: The distinction between weaknesses and vulnerabilities is that vulnerabilities are the exploitation of weaknesses, while weaknesses may exist without being exploitable. Vulnerabilities are the security risk that a CISSP is responsible for, while weaknesses can affect non-security aspects of a system as well.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 798 in PDF)

Explanation: In Agile methodologies, testing activities are integrated closer to development activities, so that fixes are generally easier, and delivered functionality has fewer bugs, flaws, or vulnerabilities. The use of automated testing tools allows for security tests to be conducted closer to the time of development and against smaller targets. These support a goal of preventing defects from reaching production environments, as well as making test results easier to manage due to their smaller size.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 729 in PDF)

Explanation: The ultimate goal of DevSecOps is to favor iteration over perfection, where a workable security solution delivered today and improved tomorrow is preferred over a perfect solution delivered years from now. The aim is to ensure that security is built into the process an organization uses to develop and operate its information systems, rather than being an add-on to the SDLC. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 735 in PDF)

Explanation: The purpose of change management in software development security is to allow changes to adapt to changing requirements or circumstances while addressing security concerns. Change management processes enable the flexibility of systems to adapt to changing requirements or circumstances while also sufficiently addressing security concerns to prevent changes from adversely affecting the security posture of the system. Change management ensures that the security implications of changes are considered and addressed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 748 in PDF)

Explanation: The purpose of a REST API is to expose functions using URLs similar to web applications and accept commands using common HTTP verbs like GET and POST for retrieving or sending data to the API.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 807 in PDF)

Explanation: According to the text, using SOAR in incident response can handle repetitive tasks like identifying malicious emails, initiating malware scans, and instituting firewall blocks. This frees up human time and attention to focus on novel threats, which reduces their impact on the organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 769 in PDF)

Explanation: Object-oriented programming (OOP) is a paradigm that treats both data and functions as objects, known as classes, which can be linked together through defined interactions. Instead of writing specific commands to gather input data and perform procedures on it, OOP treats both data and functions as objects, which can be reused as building blocks for faster development. There are a number of security concepts related to OOP, such as encapsulation, inheritance, polymorphism, and polyinstantiation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 757 in PDF)

Explanation: DAST tools are not tightly integrated with an IDE so non-developers can easily access them. They can be run against any application with an interface or API regardless of the underlying language used. However, using DAST tools in a production environment can cause performance issues and allows software with flaws to enter production environments where it could be exploited until discovered.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 776 in PDF)

Explanation: Standardized secure coding practices increase the quality of development projects and promote software and system development processes that seek to minimize flaws and bugs. It also results in testing and monitoring processes designed to catch and fix vulnerabilities as soon as possible. This ensures that the software systems are secure and free from vulnerabilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 814 in PDF)

Explanation: JavaScript may require access to privileged functions on user machines such as local file access, which is a major security concern since the code comes from an untrusted party across the internet.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 759 in PDF)

Explanation: CVSS scores range from 0 to 10, with higher numbers denoting a more critical vulnerability that should be prioritized for fixing. A score of 0 is categorized None and is mainly informational. A score between 0.1 and 3.9 is Low severity, between 4.0 and 6.9 is Medium severity, between 7.0 and 8.9 is High severity, and a score between 9.0 and 10 is Critical.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 802 in PDF)

Explanation: The text states that risk analysis and mitigation are important practices for software security to ensure adequate treatment of softwares unique risks. Therefore, conducting risk analysis and mitigation for software security is an important practice for measuring software security effectiveness.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 778 in PDF)

Explanation: In all service models, it is the responsibility of the consumer to verify the CSPs suitability for particular uses, like processing highly sensitive data. However, in IaaS, the consumer is responsible for applying software patches to any software they deploy.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 794 in PDF)

Explanation: Standards are usually mandatory while guidelines provide direction for specific tasks and activities but are recommendations designed to provide guidance on how to achieve a specific goal or task.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 797 in PDF)

Explanation: Static application security testing (SAST) evaluates source code and other nonrunning application elements like compiled binaries. It can be easily incorporated in an IDE and the developer workflow, with automated testing performed when developers check code in and immediate feedback to developers in a format that is easy for them to understand. Testing is performed in development or testing environments, which means there is no impact to live production environments.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 775 in PDF)

Explanation: The vulnerability related to improper handling of usersupplied XML is XML External Entities (XXE). This vulnerability may cause the application to execute unwanted remote code or load malicious data from the external storage location. This is due to the vulnerable functioning of the XML processor, which must accept and process untrusted data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 803 in PDF)

Explanation: Access controls provide authorization and establish permissions to control who can access source code in a repository. This helps to prevent unauthorized access and protect the confidentiality of the source code. Preventing changes to the code without proper authorization is not a primary benefit of implementing access controls to ensure the confidentiality of the source code.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 772 in PDF)

Explanation: Continuous Integration (CI) is the practice of continuously merging developers code to a shared main location, often known as a repository. Integrating code more frequently reduces the cost and time required to do large-scale reconciliation and integration activities like debugging any issues caused by the newly written or modified code.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 765 in PDF)

Explanation: The text states that the advantage of SOAR over legacy methods is the speed with which it executes, allowing for faster automated response to an incident. This is critical in reducing the duration and impact of the incident.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 769 in PDF)

Explanation: Domains, or the processes or business aspects that the model is designed to measure, are a common component of maturity models.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 739 in PDF)

Explanation: The QA teams role is to provide feedback to developers when a test fails. This feedback allows the developers to remediate flaws before the code is delivered to production. QA is responsible for testing, defining criteria for success, and ensuring that the system meets those requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 733 in PDF)

Explanation: Application security testing tools provide near-continuous feedback to improve the security of software during development. These tools are designed to be integrated with and provide data to developers, as well as automated, to improve the efficiency and effectiveness of software development while also ensuring security.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 754 in PDF)

Explanation: Input sanitization is used to escape content and render supplied data harmless, guarding against injection attacks. This should be implemented at the API layer to be most effective. Syntactic and semantic validation can also be used to detect unwanted content, but semantic validation is more difficult to perform accurately.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 810 in PDF)

Explanation: An organizations choice of development methodology is guided by a number of factors, including the time available, tolerance for errors or bugs in the software, and complexity of the project. Therefore, all of the above options are correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 725 in PDF)

Explanation: The Initiation phase is where the business need and case for a system is expressed, requirements are documented, and resources are allocated. This is the first phase of the SDLC and is crucial as it sets the foundation for the entire project.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 726 in PDF)

Explanation: During the deployment and delivery phase of the SDLC, the system is placed into the operating environment and made ready for use, which includes testing to ensure the system is fit for purpose and meets requirements. This phase involves the actual implementation of the system into production.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 726 in PDF)

Explanation: In order to assess and control the security of acquired software, an organization must rely on the security expertise and policies of the third-party service provider that developed the software. This can be more challenging than controlling security when the software is developed in-house, where security controls can be implemented and monitored throughout the SDLC.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 790 in PDF)

Explanation: When performing a risk assessment for software development environments, it is important to consider all aspects, including data risks, new technology risks, system changes, and code risks. Security practitioners should prioritize based on classification levels but always keep in mind the possibility of an adversary compromising a lower-classified system and pivoting to a higher one. The SDLC activities should be designed to detect and correct these risks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 785 in PDF)

Explanation: The most immediate security drawback of COTS software is the lack of visibility into the source code and development practices, and organizations using it have no ability to make direct changes — they may be able to request changes, but the vendor is not obliged to make them. This makes it difficult for organizations to customize the software to address their specific security needs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 790 in PDF)

Explanation: Automated testing can be integrated into the Integrated Development Environment (IDE), which allows testing results to be communicated directly to developers. This can help to break down the barrier between the security team and developers and ensures that security vulnerabilities are fixed quickly.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 766 in PDF)

Explanation: Although this text specifically mentions DOMAIN 8 – Software Development Security, the question asks you to identify a domain that is NOT included in the Cybersecurity Maturity Model Certification (CMMC). Therefore, the correct answer is C. Software Development Security, which is not listed as one of the domains included in the model.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 744 in PDF)

Explanation: Certificate-based authentication can be one-way, meaning only one party provides a certificate asserting an identity, or mutual authentication, meaning both parties exchange certificates and validate them. One-way certificate authentication relies on authenticating an identity using digital certificates provided by one party.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 809 in PDF)

Explanation: Using validated libraries in an organization increases the dependability of software. Shared functions are likely to be extensively tested and improved by the community of developers and systems implementing the library. Therefore, using validated libraries ensures that the software is reliable and performs well.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 760 in PDF)

Explanation: The Operations and Maintenance phase signals the end of the Development phase and marks the start of production activities. During operations and maintenance activities, SDLC can be iterated as user needs evolve, so crucial processes such as change management may kick off another round of development activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 726 in PDF)

Explanation: The main difference between compiled and interpreted languages is that compiled programs are translated into machine-readable form before being run and can only be run on the system type for which they were compiled, while interpreted programs are translated into machine-readable format when they are run, making them more portable across system types. Thus, compiled programs are system-specific and not portable, while interpreted programs can run on any system type with an interpreter installed. This is stated in the text: Compiled programs can be run only by the system type for which they were compiled and are often optimized for that specific system type… Interpreted code more portable across system types, as users on various platforms can install an interpreter specific to their system so the developer does not need to compile system-specific versions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 755 in PDF)

Explanation: A trusted computing base (TCB) is a collection of all hardware, software, and firmware responsible for enforcing security and serves the function of a reference monitor to control access and enforce security policies within the system.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 764 in PDF)

Explanation: Maturity models usually include four common components, which are domains, levels, criteria, and targets. Domains are the processes or business aspects the model is designed to help measure, levels organize sets of practices into a series of increasing levels, criteria are used to achieve a specific level of maturity, and targets describe the organizations desired maturity level.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 740 in PDF)

Explanation: IAST combines elements of both SAST and DAST along with penetration testing to detect vulnerabilities in real-time. Using complex algorithms and machine learning, it can detect complex vulnerabilities. IAST also offers integrations with developer tools and security platforms, ensuring better visibility into testing efforts and results.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 777 in PDF)

Explanation: Source code is a common CI in SCM as it is a key resource for software development. SCM provides integrity for source code through version control and rigorous change processes to ensure changes are coordinated and do not introduce flaws or break functionality.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 771 in PDF)

Explanation: Software-Defined Security allows enhanced availability, increased security tool flexibility, and micro-targeting. However, it does not reduce complexity in traditional security tools.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 819 in PDF)

Explanation: When selecting an API security testing tool, the choice of a tool and associated testing strategy should be driven by the technologies in use, the sensitivity level of data being handled by the API, and the features exposed by the API.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 814 in PDF)

Explanation: Cryptography can provide confidentiality, integrity, authenticity, nonrepudiation, and access control when applied to APIs. Availability, however, is not a security function that cryptography can provide.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 812 in PDF)

Explanation: In a strongly typed language, the verification that the programs functionality matches type constraints is done entirely at compilation time when the code is built. The type constraints are enforced at compile time, and any violation of these constraints are caught before the code is executed. With loosely typed languages, variable types are checked at runtime while the program is running, and types can be coerced between one another.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 756 in PDF)

Explanation: DAST tools may cause performance issues in production environments as they execute the application and look for flaws. This may lead to delays in application processing, causing performance issues that may lead to downtime. Therefore, it is important to carefully evaluate the potential impact of DAST tools on production environments before deploying them.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 776 in PDF)

Explanation: SP 800-160, Systems Security Engineering replaces SP 800-64 which described security in the SDLC.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 726 in PDF)

Explanation: Runtime application self-protection (RASP) is a security tool that executes alongside the application as it is run. It analyzes the programs execution to spot unusual or unexpected behavior and takes corrective action. This can include blocking specific requests or functions to shut down an active attack and also implementing preventative measures like virtually patching an application to prevent the same attack vector from being used in the future.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 777 in PDF)