1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 135
Выбрать главу

165. A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle (SDLC)?

a. Initiation

b. Development/acquisition

c. Operation/maintenance

d. Implementation

165. d. The major outputs from the implementation (testing) phase include the security evaluation report and accreditation statement. The purpose of the testing phase is to perform various tests (unit, integration, system, and acceptance). Security features are tested to see if they work and are then certified.

166. Which of the following phases of a system development life cycle (SDLC) should not be compressed so much for the proper development of a prototype?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operation/maintenance

166. c. System testing, which is a part of implementation, is important to determine whether internal controls and security controls are operating as designed and are in accordance with established policies and procedures.

In the prototyping environment, there is a tendency to compress system initiation, definition, design, programming, and training phases. However, the testing phase should not be compressed so much for quality reasons. By definition, prototyping requires some compression of activities and time due to the speedy nature of the prototyping development methodology without loss of the main features, functions, and quality.

167. The activity that would be different between a prototype development approach and the traditional system development approach is:

a. How are activities to be accomplished?

b. What do users need from the system?

c. What should a project plan contain?

d. How are individual responsibilities defined?

167. a. Managers still need to define what they want from the system, some assessment of costs/benefits is still needed, and a plan to proceed with individual responsibilities is still required. The difference may be in the way activities are accomplished. The tools, techniques, methods, and approaches used in the prototype development project and traditional system development project are different.

168. A general testing strategy for conducting an application software regression testing includes which of the following sequence of tasks?

a. Read, insert, and delete

b. Precompile, link, and compile

c. Prepare, execute, and delete

d. Test, debug, and log

168. c. Each test program involves preparing the executable program, executing it, and deleting it. This saves space on mass storage and generates a complete log. This approach is recommended for debugging and validating purposes. Read, insert, and delete include the transfer of all rows from Table A to Table B in that a table is read, inserted, and deleted. A source program is precompiled, linked, and compiled to become an object or executable program. A source program is tested (errors discovered), debugged (errors removed), and logged for review and further action.

169. Which of the following tests would be conducted when an application system in an organization exchanges data with external application systems?

a. Unit test

b. Integration test

c. End-to-end test

d. System acceptance test

169. c. The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an operational environment. These interrelated systems include not only those owned and managed by the organization, but also the external systems with which they interface.

Unit test is incorrect because its purpose is to verify that the smallest defined module of software (i.e., individual subprograms, subroutines, or procedures) works as intended. These modules are internal to an organization. Integration test is incorrect because its purpose is to verify that units of software, when combined, work together as intended. Typically, a number of software units are integrated or linked together to form an application. Again, this test is performed internally in an organization. System acceptance test is incorrect because its purpose is to verify that the complete system satisfies specified requirements and is acceptable to end users.

170. Which of the following can give a false sense of security?

a. A test tool that requires planning.

b. A test tool that produces error-free software.

c. A test tool that requires time and effort.

d. A test tool that requires experience to use

170. b. A test tool cannot guarantee error-free software; it is neither a cure-all nor a silver bullet. For some, it may give a false sense of security. The test tool still requires careful planning, time, effort, and experience from which it can use and benefit.

171. Which of the following software configuration-management capabilities available for client/server systems can help to detect and correct errors?

a. Install check-in/check-out modules.

b. Archive source code.

c. Allow backtracking.

d. Assemble new builds.

171. c. Errors are made in several places and times: (i) when source code is developed, (ii) when modules are initially written, (iii) when an enhancement is being added to a module, (iv) when another error is fixed, and (v) when code is being moved from one module to another. Software configuration management products have a backtracking feature to correct these types of errors. The product should list the exact source code changes that make up each build. Then, these changes are examined to identify which one can create the new error. The concept of check-in/check-out software enables multiple developers to work on a project without overwriting one another’s work. It is a fundamental method of preventing errors from being included or reintroduced into software modules.

172. Which of the following requires a higher level of security protection in terms of security controls?

a. Test procedures

b. Test cases

c. Test repository

d. Test plans

172. c. The test repository consists of test plans, test cases, test procedures, test requirements, and test objectives maintained by the software test manager. Because of the concentrated work products, the test repository needs a higher level of security protection from unauthorized changes. Test procedures, test cases, and test plans are part of test repository.

173. From a security viewpoint, which of the following pose a severe security problem?

a. Unattended computer operations

b. Unattended computer terminal

c. Unattended software testing

d. Unattended facsimile machine

173. b. An unattended computer terminal represents a severe security violation. An unauthorized user could seize the opportunity to access sensitive data. The data could be copied, deleted, added to, or modified. An intruder can also use this occasion to modify executable files. A virus, Trojan horse, or a password-sniffing program could easily be slipped onto the system in no time. Security logic that detects an idle terminal is needed.

~ 135 ~