[Computer exam papers] CISSP Certification Exam (Software Development Security) Practice Test 1 with Answers and Explanations.doc

Uploaded by: 花仙子  Document ID: 493392  Uploaded: 2018-11-30  Format: DOC  Pages: 34  Size: 246.50KB

CISSP Certification Exam (Software Development Security) Practice Test 1 with Answers and Explanations

1. Data marts, databases, and data warehouses have distinct characteristics. Which of the following does not correctly describe a data warehouse?
(A) It could increase the risk of privacy violations.
(B) It is developed to carry out analysis.
(C) It contains data from several different sources.
(D) It is created and used for project-based tactical reasons.

2. Database software should meet the requirements of what is known as the ACID test. Why should database software carry out atomic transactions, which is one requirement of the ACID test, when OLTP is used?
(A) So that the rules for database integrity can be established
(B) So that the database performs transactions as a single unit without interruption
(C) To ensure that rollbacks cannot take place
(D) To prevent concurrent processes from interacting with each other

3. Lisa has learned that most databases implement concurrency controls. What is concurrency, and why must it be controlled?
(A) Processes running at different levels, which can negatively affect the integrity of the database if not properly controlled.
(B) The ability to deduce new information from reviewing accessible data, which can allow an inference attack to take place.
(C) Processes running simultaneously, which can negatively affect the integrity of the database if not properly controlled.
(D) Storing data in more than one place within a database, which can negatively affect the integrity of the database if not properly controlled.

4. Robert has been asked to increase the overall efficiency of the sales database by implementing a procedure that structures data to minimize duplication and inconsistencies. What procedure is this?
(A) Polymorphism
(B) Normalization
(C) Implementation of database views
(D) Constructing schema

5. Which of the following best describes an object-oriented database?
(A) When an application queries for data, it receives both the data and the procedure.
(B) It is structured similarly to a mesh network for redundancy and fast data retrieval.
(C) Subject must have knowledge of the well-defined access path in order to access data.
(D) The relationships between data entities provide the framework for organizing data.

6. Fred has been told he needs to test a component of the new content management application under development to validate its data structure, logic, and boundary conditions. What type of testing should he carry out?
(A) Acceptance testing
(B) Regression testing
(C) Integration testing
(D) Unit testing

7. Which of the following is the best description of a component-based system development method?
(A) Components periodically revisit previous stages to update and verify design requirements
(B) Minimizes the use of arbitrary transfer control statements between components
(C) Uses independent and standardized modules that are assembled into serviceable programs
(D) Implemented in module-based scenarios requiring rapid adaptations to changing client requirements

8. There are many types of viruses that hackers can use to damage systems. Which of the following is not a correct description of a polymorphic virus?
(A) Intercepts antivirus's call to the operating system for file and system information
(B) Varies the sequence of its instructions using noise, a mutation engine, or random-number generator
(C) Can use different encryption schemes requiring different decryption routines
(D) Produces multiple, varied copies of itself

9. Which of the following best describes the role of the Java Virtual Machine in the execution of Java applets?
(A) Converts the source code into bytecode and blocks the sandbox
(B) Converts the bytecode into machine-level code
(C) Operates only on specific processors within specific operating systems
(D) Develops the applets, which run in a user's browser

10. What type of database software integrity service guarantees that tuples are uniquely identified by primary key values?
(A) Concurrent integrity
(B) Referential integrity
(C) Entity integrity
(D) Semantic integrity

11. In computer programming, cohesion and coupling are used to describe modules of code. Which of the following is a favorable combination of cohesion and coupling?
(A) Low cohesion, low coupling
(B) High cohesion, high coupling
(C) Low cohesion, high coupling
(D) High cohesion, low coupling

12. When an organization is unsure of the final nature of the product, what type of system development method is most appropriate for them?
(A) Cleanroom
(B) Exploratory Model
(C) Modified Prototype Method
(D) Iterative Development

13. Which of the following statements does not correctly describe SOAP and Remote Procedure Calls?
(A) SOAP was designed to overcome the compatibility and security issues associated with Remote Procedure Calls.
(B) Both SOAP and Remote Procedure Calls were created to enable application-layer communication.
(C) SOAP enables the use of Remote Procedure Calls for information exchange between applications over the Internet.
(D) HTTP was not designed to work with Remote Procedure Calls, but SOAP was designed to work with HTTP.

14. Computer programs that are based on human logic by using "if/then" statements and inference engines are called _.
(A) Expert systems
(B) Artificial neural networks
(C) Distributed Computing Environment
(D) Enterprise JavaBeans

15. Which of the following is a correct description of the pros and cons associated with third-generation programming languages?
(A) The use of heuristics reduced programming effort, but the amount of manual coding for a specific task is usually more than the preceding generation.
(B) The use of syntax similar to human language reduced development time, but the language is resource intensive.
(C) The use of binary was extremely time consuming but resulted in fewer errors.
(D) The use of symbols reduced programming time, but the language required knowledge of machine architecture.

16. Which of the following is considered the second generation of programming languages?
(A) Machine
(B) Very high-level
(C) High-level
(D) Assembly

17. Mary is creating malicious code that will steal a user's cookies by modifying the original client-side JavaScript. What type of cross-site scripting vulnerability is she exploiting?
(A) Second order
(B) DOM-based
(C) Persistent
(D) Nonpersistent

18. Of the following steps that describe the development of a botnet, which best describes the step that comes first?
(A) Infected server sends attack commands to the botnet.
(B) Spammer pays a hacker for use of a botnet.
(C) Controller server instructs infected systems to send spam to mail servers.
(D) Malicious code is sent out that has bot software as its payload.

19. Which of the following antivirus detection methods is the most recent to the industry and monitors suspicious code as it executes within the operating system?
(A) Behavior blocking
(B) Fingerprint detection
(C) Signature-based detection
(D) Heuristic detection

20. Which of the following describes object-oriented programming deferred commitment?
(A) Autonomous objects, which cooperate through exchanges of messages
(B) The internal components of an object can be refined without changing other parts of the system
(C) Object-oriented analysis, design, and modeling maps to business needs and solutions
(D) Other programs using the same objects

21. What object-oriented programming term, or concept, is illustrated in the graphic that follows?
(A) Methods
(B) Messages
(C) Abstraction
(D) Data hiding

22. Protection methods can be integrated into software programs. What type of protection method is illustrated in the graphic that follows?
(A) Polymorphism
(B) Polyinstantiation
(C) Cohesiveness
(D) Object classes

23. There are several types of attacks that programmers need to be aware of. What attack does the graphic that follows illustrate?
(A) Traffic analysis
(B) Race condition
(C) Covert storage
(D) Buffer overflow

24. Databases and applications commonly carry out the function that is illustrated in the graphic that follows. Which of the following best describes the concept that this graphic is showing?
(A) Checkpoint
(B) Commit
(C) Two-phase commit
(D) Data dictionary

25. There are several different types of databases. Which type does the graphic that follows illustrate?
(A) Relational
(B) Hierarchical
(C) Network
(D) Object-oriented

The following scenario will be used for questions 26, 27, and 28. Trent is the new manager of his company's internal software development department. He has been told by his management that the group needs to be compliant with the international standard that provides guidance to organizations in integrating security into the processes used for managing their applications. His new boss told him that he should join and get familiar with the Web Application Security Consortium, and Trent just received an e-mail stating that one of the company's currently deployed applications has a zero-day vulnerability.

26. Which of the following is most likely the standard Trent's company wants to comply with?
(A) ISO/IEC 27005
(B) ISO/IEC 27001
(C) ISO/IEC 27034
(D) BS 7799

27. Which of the following best describes the consortium Trent's boss wants him to join?
(A) Nonprofit organization that produces open-source software and follows widely agreed upon best-practice security standards for the World Wide Web.
(B) U.S. DHS group that provides best practices, tools, guidelines, rules, principles, and other resources for software developers, architects, and security practitioners to use.
(C) Group of experts who create proprietary software tools used to help improve the security of software worldwide.
(D) Group of experts and organizations who certify products based on an agreed-upon security criteria.

28. Which of the following best describes the type of vulnerability mentioned in this scenario?
(A) Dynamic vulnerability that is polymorphic
(B) Static vulnerability that is exploited by server-side injection parameters
(C) Vulnerability that does not currently have an associated solution
(D) Database vulnerability that directly affects concurrency

29. _ provides a machine-readable description of the specific operations provided by a specific Web service. _ provides a method for Web services to be registered by service providers and located by service consumers.
(A) Web Services Description Language; Universal Description, Discovery and Integration
(B) Universal Description, Discovery and Integration; Web Services Description Language
(C) Web Services Description Language; Simple Object Access Protocol
(D) Simple Object Access Protocol; Universal Description, Discovery and Integration

30. Sally has found out that software programmers in her company are making changes to software components and uploading them to the main software repository without following version control or documenting their changes. This is causing a lot of confusion and has caused several teams to use the older versions. Which of the following would be the best solution for this situation?
(A) Software change control management
(B) Software escrow
(C) Software configuration management
(D) Software configuration management escrow

CISSP Certification Exam (Software Development Security) Practice Test 1: Answers and Explanations

1. Correct answer: D
Explanation: D is correct. A data warehouse is normally not created and used for project-based tactical reasons. That describes a data mart, which is a portion of a database that a project uses for a short time to work out a tactical approach to solving a problem. A data warehouse is created for strategic reasons: data mining and analysis.
A is incorrect because a data warehouse can increase the risk of privacy violations, since data is collected from several different sources and stored in one central location (the warehouse). Although this provides easier access and control, because the warehouse sits in one place, it also requires stricter security protection. If an intruder gets into the warehouse, she immediately has access to all of the company's information.
B is incorrect because the statement is true: a data warehouse is usually created for analysis. Analysis supports strategic decisions, for example those related to business trends, fraudulent activity, or the effectiveness of marketing. The analysis is usually carried out through data mining.
C is incorrect because a data warehouse does contain information from several different sources. Data is extracted from different databases and other data points, transferred to a central data store called the data warehouse, and then normalized. This lets users query a single entity instead of accessing and querying different data sources, and it makes information retrieval and data analysis more efficient.
Knowledge area: Software Development Security

2. Correct answer: B
Explanation: B is correct. Online Transaction Processing (OLTP) is used when databases are clustered to provide high fault tolerance and performance. OLTP provides mechanisms that watch for problems and deal with them when they occur. For example, if a process stops functioning, the monitoring mechanisms in OLTP can detect this and attempt to restart the process. If the process cannot be restarted, the transaction in progress is rolled back, to ensure that no data is corrupted and that a transaction does not take place only partially. OLTP records transactions as they occur (in real time), which in a distributed environment usually means updating more than one database. This complexity can introduce many integrity threats, so the database software should exhibit the characteristics known as the ACID test.
Atomicity: divides transactions into units of work and ensures that either all modifications take effect or none do. Either the changes are committed or the database is rolled back.
Consistency: a transaction must follow the integrity rules laid out for that particular database and ensure that all data in the different databases is consistent.
Isolation: transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed.
Durability: once the transaction is verified as accurate on all systems, it is committed, and the database cannot be rolled back.
The term "atomic" means that the units of a transaction either happen together or none of them happens: "all or nothing". This ensures that if one operation fails, the other operations are not carried out (which would corrupt the data in the database).
A is incorrect because OLTP and ACID enforce, rather than establish, the integrity rules laid out in the database security policy. Consistency, the C in ACID, is concerned with the enforcement and enforceability of integrity rules. Database software with the consistency characteristic follows a specific integrity policy when executing transactions, so that all data in the different databases is the same.
C is incorrect because atomicity divides transactions into units of work and ensures that either all modifications take effect or none do: either the changes are committed or the database is rolled back. This means that if something goes wrong, the database returns (rolls back) to its original state. Once a transaction has executed properly, a rollback is no longer possible; that is the durability characteristic of the ACID test. This question asks specifically about the atomic transaction method, not about durability.
D is incorrect because atomic transactions do not address the isolation of the processes that are executing database transactions, which is the "isolation" component of the ACID test. It is critical to ensure that a process carrying out a transaction cannot be interrupted or modified by another process, so that the integrity, accuracy and confidentiality of the data handled during the transaction are preserved.
Knowledge area: Software Development Security

3. Correct answer: C
Explanation: C is correct. Databases are commonly used by many different applications at the same time, and many users interact with them simultaneously. Concurrency means that different processes (applications and users) access the database at the same time. If this is not properly controlled, the processes can overwrite each other's data or cause deadlocks. The negative result of concurrency problems is reduced integrity of the data in the database. Database integrity is provided by concurrency protection mechanisms. One concurrency control is locking, which prevents users from accessing and modifying data that is being used by someone else.
A is incorrect because concurrency refers to processes running simultaneously, not at different levels. Concurrency issues arise when a database is accessed at the same time by different users and/or applications. If not controlled properly, two users can access and modify the same data at the same time, which can be detrimental to a dynamic environment.
B is incorrect because the ability to deduce new information from reviewing accessible data arises when a subject at a lower security level indirectly guesses or infers data at a higher security level. This can lead to an inference attack. It has nothing to do with concurrency: concurrency concerns the integrity of data, while inference concerns the confidentiality of data.
D is incorrect because storing data in more than one place is not a concurrency problem. Concurrency problems arise when two subjects or applications try to modify the same data at the same time.
Knowledge area: Software Development Security

4. Correct answer: B
Explanation: B is correct. Normalization is a process that eliminates redundancy, organizes data efficiently, reduces the potential for anomalies during data operations and improves data consistency within the database. It is a systematic way of ensuring that the database structure is designed properly and is free of undesirable characteristics (insertion, update and deletion anomalies) that compromise data integrity.
A is incorrect because polymorphism means that different objects respond differently to the same input. The simplest example: three different objects each receive the input "Bob". Object A processes this input and outputs "43-year-old white male"; object B outputs "Sally's husband"; object C outputs "member of the user group". Each object receives the same input but produces a different output.
C is incorrect because a database view is a logical access control, implemented to allow one group or a specific user to see specific information while restricting another group from viewing it. For example, a database view can allow middle managers to see the profits and expenses of their own departments but not the profits of the whole company. Database views do not reduce duplicated data; instead, they control how specific users or groups see the data.
D is incorrect because a database system's schema is the structure of the database described in a formal language. In a relational database, the schema defines the tables, fields, relationships, views, indexes, procedures, queues, database links, directories and so on. The schema describes the database and its structure, but not the data that will go into it. This is similar to the blueprint of a house: the blueprint can say that the house will have 4 rooms, 6 doors, 12 windows and so on, but it does not describe the people who will live in the house.
Knowledge area: Software Development Security

5. Correct answer: A
Explanation: A is correct. In an object-oriented database, objects are instantiated when needed, and the data and the procedures (the methods that are invoked) travel with the object when it is requested. This differs from a relational database, where, when data is retrieved from the database, the application uses its own procedures to obtain and process the data.
B is incorrect because a mesh network is a physical topology that has nothing to do with databases. A mesh network is a network of interconnected routers and switches that provide multiple paths to all nodes on the network. In a full mesh topology every node is directly connected to every other node, which provides a great degree of redundancy. In a partial mesh topology, not every node is directly connected. The Internet is an example of a partial mesh topology.
C is incorrect because it is the subject accessing a hierarchical database, not an object-oriented database, that must know the access path in order to access data. In the hierarchical database model, records and fields are related in a logical tree structure. A parent can have one child, many children or no children. The tree structure contains branches, and each branch holds a number of data fields. To access data, the application must know which branch to start with and which route to take through each layer to obtain the data.
D is incorrect because the relationships between data entities provide the framework for organizing data in a relational database. A relational database is made up of two-dimensional tables, each with unique rows, columns and cells. Each cell contains one value representing a specific attribute within the given row. These data entities are linked by relationships, and the relationships provide the framework for organizing the data.
Knowledge area: Software Development Security

6. Correct answer: D
Explanation: D is correct. Unit testing refers to testing an individual component in a controlled environment to validate its data structure, logic and boundary conditions. After a programmer develops a component, it is tested with several different values and in many different situations. Unit testing can begin early in development and usually continues throughout the development phase. One of the benefits of unit testing is that problems are found early in the development cycle, when changing individual units is easier and less costly.
A is incorrect because acceptance testing (accepta
