16.
Which of the following policies is MOST likely to include the following requirement? “All software processing financial transactions need to use more than one factor to verify the identity of the entity requesting access.”
  • A.
    Authorization.
  • B.
    Authentication.
  • C.
    Auditing.
  • D.
    Availability
Answer : [B]
Explanation :
When two factors are used to validate an entity’s claim and/or credentials, it is referred to as two-factor authentication; multi-factor authentication is the general term for using two or more factors, of which two-factor authentication is the most common form. The factors should come from different categories (something the entity knows, has, or is): two passwords are still a single factor. It is important to determine first whether a need for two- or multi-factor authentication exists, and a requirement such as the one quoted belongs in the authentication policy because it governs how identity claims are verified, not what an authenticated entity may do (authorization) or how its actions are recorded (auditing).
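The following is an added example, not part of the original question set, showing what “more than one factor” looks like in code: a password (something the entity knows) checked together with a time-based one-time code (something it has), the latter implemented per RFC 4226/6238 so it can be checked against the RFC’s published test vectors. The user record, salt and password are constructed for the example; the TOTP secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct


# Second factor (something the user has): RFC 4226 HOTP / RFC 6238 TOTP, HMAC-SHA1, 6 digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a 64-bit counter, using RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP over the current time step (30 seconds by default)."""
    return hotp(secret, unix_time // step, digits)


class SecondFactorVerifier:
    """Accepts a code for the current step or one step either side (clock skew),
    and refuses any counter that is not newer than the last one accepted for the
    user, so a captured code cannot be replayed."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window
        self._last_counter = {}  # user -> highest counter accepted so far

    def verify(self, user: str, secret: bytes, code: str, unix_time: int,
               commit: bool = True) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(secret, counter), code):
                if counter <= self._last_counter.get(user, -1):
                    return False  # already used, or older than one already used
                if commit:
                    self._last_counter[user] = counter
                return True
        return False


# First factor (something the user knows): a salted PBKDF2 password hash.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record for the example (hypothetical user, salt and password).
# The TOTP secret is the RFC 6238 test secret, so codes match the RFC's vectors.
SALT = b"constructed-per-user-salt"
USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery", SALT),
        "totp_secret": b"12345678901234567890",
    }
}
VERIFIER = SecondFactorVerifier()


def authenticate(user: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. The one-time code is evaluated even when the
    password is wrong (so response time does not reveal which factor failed),
    but it is only marked as used when the password also matched, so a failed
    password attempt cannot burn the victim's current code."""
    record = USERS.get(user)
    if record is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, SALT), record["password_hash"])
    otp_ok = VERIFIER.verify(user, record["totp_secret"], code, unix_time, commit=pw_ok)
    return pw_ok and otp_ok
```

The replay check is the part most often missing from home-grown implementations: without it, a code shoulder-surfed or phished within its 30-second window is as good as the password.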
17.
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong, as mandated by the requested resource owner is the definition of
  • A.
    Non-discretionary Access Control (NDAC).
  • B.
    Discretionary Access Control (DAC).
  • C.
    Mandatory Access Control (MAC).
  • D.
    Role based Access Control.
Answer : [B]
Explanation :
Discretionary access control (DAC) is defined as “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.” The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. DAC restricts access to objects based on the identity of the subject and is distinctly characterized by the owner of the resource deciding who has access and their level of privileges or rights.
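As an added example (not part of the original question set), the following models the definition above in code: the owner decides who gets access, ACL entries may name a subject or a group, and any subject that holds a right may pass it on, which is what makes the control discretionary. A short mandatory-access-control check is included for contrast with option C. Subjects, groups and resource names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    owner: str
    # ACL entries are keyed by a subject name or a group name written "@group";
    # the value is the set of rights held.
    acl: dict = field(default_factory=dict)


class DacStore:
    """Discretionary access control in miniature: the owner of a resource decides
    who may access it, and any subject holding a right may pass that right on to
    any other subject (directly, or indirectly via the subjects it granted to)."""

    def __init__(self, groups):
        self.groups = groups        # group name -> set of member subjects
        self.resources = {}

    def create(self, owner: str, name: str) -> Resource:
        resource = Resource(name, owner, {owner: {"read", "write"}})
        self.resources[name] = resource
        return resource

    def _principals(self, subject: str):
        """The subject itself plus every group it belongs to."""
        return {subject} | {"@" + g for g, members in self.groups.items() if subject in members}

    def allowed(self, subject: str, name: str, right: str) -> bool:
        resource = self.resources[name]
        if subject == resource.owner:
            return True
        return any(right in resource.acl.get(p, set()) for p in self._principals(subject))

    def grant(self, grantor: str, grantee: str, name: str, right: str) -> None:
        """Discretionary: anyone who holds the right may hand it on."""
        if not self.allowed(grantor, name, right):
            raise PermissionError(f"{grantor} does not hold {right!r} on {name}")
        self.resources[name].acl.setdefault(grantee, set()).add(right)

    def revoke(self, owner: str, grantee: str, name: str, right: str) -> None:
        """Only the owner revokes. Rights the grantee already passed on to third
        parties survive this revocation, a well-known DAC weakness."""
        resource = self.resources[name]
        if owner != resource.owner:
            raise PermissionError(f"{owner} is not the owner of {name}")
        resource.acl.get(grantee, set()).discard(right)


# Contrast with mandatory access control (option C): the decision comes from
# labels fixed by policy, not from the owner, and no grant can override it.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


def mac_read_allowed(subject_clearance: str, object_label: str) -> bool:
    """Simple 'no read up' rule: a subject may read objects at or below its clearance."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]
```

The `revoke` behaviour is worth noticing: once Bob has passed `read` to Carol, Alice revoking Bob does not reach Carol. That transitive leakage is exactly why high-assurance systems pair or replace DAC with mandatory controls.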
18.
Requirements which, when implemented, help build a history of the events that occurred in the software are known as
  • A.
    authentication requirements.
  • B.
    archiving requirements.
  • C.
    accountability requirements.
  • D.
    authorization requirements.
Answer : [C]
Explanation :
Accountability requirements are those that assist in building a historical record of user actions. Audit trails can help detect when an unauthorized user makes a change or an authorized user makes an unauthorized change, both of which are cases of integrity violations. Auditing requirements not only help with forensic investigations as a detective control but can also be used for troubleshooting errors and exceptions, if the actions of the software are tracked appropriately. When auditing is combined with identification, it provides for accountability.
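The following is an added example, not part of the original question set, of what an accountability requirement produces when implemented: an append-only audit trail in which every entry names the identified actor, the action and the target, and is hash-chained to its predecessor so that editing or deleting history is detectable. It also shows the two integrity-violation cases the explanation mentions being pulled out of the trail. Actors, targets and timestamps are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: int      # unix seconds, supplied by the caller so the example is deterministic
    actor: str          # the identified subject; without this, auditing gives no accountability
    action: str         # e.g. "read", "update", "delete"
    target: str
    outcome: str        # "success" or "denied"
    prev_hash: str      # hash of the previous entry; chains the trail together
    entry_hash: str


def entry_hash_of(seq, timestamp, actor, action, target, outcome, prev_hash) -> str:
    body = json.dumps([seq, timestamp, actor, action, target, outcome, prev_hash],
                      separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained record of who did what to which object. Editing
    or removing an entry after the fact breaks the chain from that point on."""

    def __init__(self):
        self.entries = []

    def record(self, timestamp: int, actor: str, action: str, target: str,
               outcome: str = "success") -> AuditEntry:
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        seq = len(self.entries)
        digest = entry_hash_of(seq, timestamp, actor, action, target, outcome, prev_hash)
        entry = AuditEntry(seq, timestamp, actor, action, target, outcome, prev_hash, digest)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Index of the first entry whose hash or chain link does not check out, or None."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            recomputed = entry_hash_of(e.seq, e.timestamp, e.actor, e.action,
                                       e.target, e.outcome, e.prev_hash)
            if e.seq != i or e.prev_hash != expected_prev or e.entry_hash != recomputed:
                return i
            expected_prev = e.entry_hash
        return None

    def unauthorized_changes(self, authorized):
        """Successful write actions by actors not authorized for that target. Both an
        unauthorized user making a change and an authorized user making an
        unauthorized change (wrong target) show up here."""
        writes = {"create", "update", "delete"}
        return [e for e in self.entries
                if e.action in writes and e.outcome == "success"
                and e.target not in authorized.get(e.actor, set())]
```

In production the chain head would be written to a separate system (or signed) at intervals; otherwise an attacker with write access to the whole log can simply rebuild the chain, which is why a tampered tail can only be detected against an anchor the attacker does not control.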
19.
Which of the following is the PRIMARY reason for an application to be susceptible to a Man-in-the-Middle (MITM) attack?
  • A.
    Improper session management
  • B.
    Lack of auditing
  • C.
    Improper archiving
  • D.
    Lack of encryption
Answer : [A]
Explanation :
Session identifiers that are predictable, short, or never rotated can be guessed, or captured and replayed, by an attacker positioned between the client and the server, and this is the session-management weakness the question points to. Transport encryption (option D) narrows what an interceptor can read, but a guessable identifier can be hijacked without intercepting any traffic at all, and an identifier that is kept across the login boundary can be planted by the attacker beforehand (session fixation), which is why session management is treated as the primary factor here.
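As an added example (not part of the original question set), the following puts a deliberately predictable session store next to a hardened one: the weak store hands out sequential identifiers that an attacker can extrapolate, while the hardened store uses 256-bit identifiers from the OS CSPRNG, compares them in constant time, expires idle sessions, and rotates the identifier when privilege changes. Class names, the timeout value and the user names are assumptions made for the example.

```python
import hmac
import secrets
import time
from typing import List, Optional


class PredictableSessionStore:
    """Deliberately weak, for contrast: identifiers are a running counter, so a
    client who has seen two of them knows the next one and can replay it."""

    def __init__(self, start: int = 1000):
        self._next = start
        self.sessions = {}

    def create(self, user: str) -> str:
        sid = str(self._next)
        self._next += 1
        self.sessions[sid] = user
        return sid


def predict_next_id(observed: List[str]) -> str:
    """What an attacker does with two sequential identifiers."""
    a, b = int(observed[-2]), int(observed[-1])
    return str(b + (b - a))


class SessionStore:
    """Hardened: 256-bit identifiers from the OS CSPRNG, constant-time lookup,
    idle timeout, and rotation of the identifier when the privilege level changes
    (for example at login), which defeats session fixation."""

    TOKEN_BYTES = 32  # 256 bits of entropy

    def __init__(self, idle_timeout: int = 900):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # sid -> (user, last_seen)

    def create(self, user: str, now: Optional[float] = None) -> str:
        sid = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._sessions[sid] = (user, time.time() if now is None else now)
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        # A linear scan with compare_digest (instead of a dict lookup with ==) so a
        # timing side channel cannot reveal how much of a guessed identifier was right.
        for stored, (user, last_seen) in list(self._sessions.items()):
            if hmac.compare_digest(stored, sid):
                if now - last_seen > self.idle_timeout:
                    del self._sessions[stored]
                    return None
                self._sessions[stored] = (user, now)
                return user
        return None

    def rotate(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a fresh identifier for the same user and invalidate the old one."""
        user = self.lookup(sid, now)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user, now)
```

A framework session layer normally does all of this for you; the failure mode the question describes is the application that rolls its own identifiers (or reuses a pre-login one after authentication) and thereby hands the attacker a token that is as good as the credentials.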
20.
The process of eliciting concrete software security requirements from high level regulatory and organizational directives and mandates in the requirements phase of the SDLC is also known as
  • A.
    threat modeling
  • B.
    policy decomposition.
  • C.
    subject-object modeling.
  • D.
    misuse case generation.
Answer : [B]
Explanation :
The process of eliciting concrete software security requirements from high level regulatory and organizational directives and mandates is referred to as policy decomposition. When the policy decomposition process completes, all the gleaned requirements must be measurable components.