Stress testing can detect design errors related to full-service requirements of system and errors in planning defaults when system is overstressed.

Conversion testing is incorrect because it determines whether old data files and record balances are carried forward accurately, completely, and properly to the new system. Performance testing is incorrect because it measures resources required such as memory and disk and determines system response time. Regression testing is incorrect because it verifies that changes do not introduce new errors.

200. In which of the following system development life cycle (SDLC) models has the concept of application software reuse been incorporated?

a. Waterfall model

b. Object-oriented model

c. Prototype model

d. Spiral model

200. b. The notion of software component reuse has been developed with the invention of object-oriented development approach. After the design model has been created, the software developer browses a library, or repository, that contains existing program components to determine if any of the components can be used in the design at hand. If reusable components are found, they are used as building blocks to construct a prototype of the software.

The waterfall model is incorrect because it takes a linear, sequential view of the software engineering process. The waterfall method is another name for the classic software development life cycle.

The prototype model is incorrect because it is a process that enables the developer to create a model of the software built in an evolutionary manner.

The spiral model is incorrect because it is another type of evolutionary model. It has been developed to provide the best feature of both the classic life cycle approach and prototyping. None of these three choices provide for software reuse.

201. Security categorization is performed in which of the following phases of an application system development life cycle (SDLC)?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operations/maintenance

201. a. Security categorization standards provide a common framework for expressing security needs. Categorization is based on an assessment of the potential impact (i.e., low, moderate, or high) that a loss of confidentiality, integrity, or availability of information systems would have on organizational operations, organizational assets, or individuals. It is a task performed in the initiation phase.

202. Configuration management and control is performed in which of the following phases of a system development life cycle (SDLC)?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operations/maintenance

202. d. Configuration management and control ensures adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. It is a task performed in the operation/maintenance phase.

203. Continuous monitoring is performed in which of the following phases of a system development life cycle (SDLC)?

a. Initiation

b. Development/acquisition

c. Implementation

d. Operations/maintenance

203. d. Continuous monitoring ensures that controls continue to be effective in their application through periodic testing and evaluation. It is a task performed in the operation/maintenance phase.

204. Which of the following are examples of local threats in Windows Extreme Programming (XP) systems?

a. Unauthorized local access and malicious payloads

b. Boot process and privilege escalation

c. Network services and data disclosure

d. Boot process and data disclosure

204. b. Local threats in Windows XP systems include boot process, unauthorized local access, and privilege escalation. A boot process threat results when an unauthorized individual boots a computer from third-party media (for example, removable drives and universal serial bus [USB] token storage devices), which permits the attacker to circumvent operating system security measures. An unauthorized local-access threat results when an individual who is not permitted to access a computer system gains local access. A privilege escalation threat results when an authorized user with normal user-level rights escalates the account’s privileges to gain administrator-level access.

Remote threats in Windows XP systems include network services, data disclosure, and malicious payloads. A network service threat results when remote attackers exploit vulnerable network services on a computer system. This includes gaining unauthorized access to services and data, and causing a denial-of-service (DoS) condition. A data disclosure threat results when a third party intercepts confidential data sent over a network. A malicious payload threat results when malicious payloads (for example, viruses, worms, Trojan horses, and active content) attack computer systems through many vectors. System end users may accidentally trigger malicious payloads.

205. Attackers can use which of the following flaws to attack back-end components through a Web application?

a. Broken access control

b. Invalidated input

c. Broken authentication

d. Cross-site scripting flaws

205. b. According to the open Web application security project, information from Web requests is not validated before being used by a Web application leading to vulnerability from invalidated input.

206. What do you call it when attacks consume Web application resources to a point where other legitimate users can no longer access or use the application?

a. Buffer overflows

b. Injection flaws

c. Denial-of-service

d. Improper error handling

206. c. In denial-of-service attacks, attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

207. What do you call it when an attack can cause errors to occur, which the Web application does not handle?

a. Buffer overflows

b. Injection flaws

c. Denial-of-service

d. Improper error handling

207. d. Improper error handling means error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.

208. The information systems security analyst’s participation in which of the following system development life cycle (SDLC) phases provides maximum benefit to the organization?

a. System requirements definition

b. System design

c. Program development

d. Program testing