ISC2 CSSLP Exam Questions

Correct answer: Command injection

Injection is a major, common vulnerability that usually features highly on vulnerability lists.  Some common types of injection vulnerabilities include:

• SQL Injection: SQL injection attacks involve providing malicious input that is included in a database request. SQL injection can read, write, or delete data contained within a database accessible to a vulnerable application.
• Command Injection: Command injection vulnerabilities allow an attacker to run commands in the system terminal. For example, an application may run a command in the shell using user-provided input, which may be crafted to change the intent of the command or run additional commands.
• Integer Overflow: Integers have a fixed size in memory and are only able to store a certain range of values. If a value to be stored in a variable exceeds this range, it wraps around and is interpreted as a smaller value.
• Path Traversal: In a filepath, ../ indicates that the system should look in the next directory up in the file system. Path traversal vulnerabilities allow an attacker who can specify the name of a file to be read/written by an application to read/write files outside of the intended directory.
• Cross-Site Scripting (XSS): Modern webpages use scripts to add interactivity and other functionality to webpages. If user-provided input is used as part of a webpage's HTML code, a malicious user can have part of their input interpreted as a script, which will be run in the browser of anyone visiting the page. Injection vulnerabilities can be non-persistent/reflected, persistent/reflected, or DOM-based.
• Cross-Site Request Forgery (CSRF): Cross-site request forgery (CSRF) attacks involve tricking the browser of an authenticated user into performing an HTTP request without their knowledge/consent. For example, a user logged into social media could have their password changed if a malicious webpage tricked their browser into performing a password change request and the social media site lacked CSRF protections.

Correct answer: Discoverability

Characteristics of a Service Oriented Architecture (SOA) include:

• Abstracted Business Functionality: An SOA abstracts away the internal details of how a system works, providing logical views to the user.
• Contract-Based Interfaces: All communications between a provider and a consumer use an interface with a set message format, eliminating the need to understand the details of how the other side works.
• Platform Neutrality: All messages in SOA use a platform-neutral format, such as the Extensible Markup Language (XML).
• Modularity and Reusability: Services are created as modules with a particular purpose, and these "building blocks" can be combined to implement a desired function.
• Discoverability: A registry of available services is published using the Universal Description, Discovery, and Interface (UDDI) standard to allow clients to identify them.
• Interoperability: The abstraction of system internals enables various services on different platforms to interoperate.

Correct answer: Infinite loop

Infinite loops can occur when unhandled states occur in conditional logic. For example, code designed to read until it finds a particular letter could read forever if presented with all-numeric input.

Race condition vulnerabilities can occur if multiple threads of execution can read/write values at the same time. For example, two threads may update a value simultaneously, causing one update to overwrite the other.

Mutual exclusion occurs when race condition protections cause thread deadlock. If thread A is waiting for thread B to perform action X before it performs action Y and thread B will only perform X if thread A performs Y, then neither can execute.

Recursion is when a function within an application calls itself again.

Correct answer: White-box

White-box testing has access to documentation, which can be used to diagnose the root cause of an issue. Black-box and gray-box lack this internal visibility.

Red-box testing is a fabricated term.

Correct answer: Script kiddie

Software faces risk from various human threat sources, including:

• Ignorant Users: Legitimate users may unintentionally expose sensitive data or cause other harm via negligence or user error.
• Accidental Discoverer: A user who accidentally identifies a flaw in software that grants inappropriate access or permissions.
• Curious Attacker: Someone who identifies an oddity in the functionality of software and investigates it further to see why it occurs and what it lets them do.
• Script Kiddies: Unskilled but common attackers who use existing tools to attack organizations.
• Insider: A malicious, trusted user who leverages legitimate access and privileges to cause harm to the organization.
• Organized Cybercriminals: Professional threat actors who make money based on ransomware, data theft, and similar means
• Third-Parties: Vendors, partners, and suppliers can pose risk to an organization. This includes the development of insecure or malicious code or access to corporate systems that is abused or inadequately protected.
• Advanced Persistent Threat (APT): APTs are well-resourced cyber threat groups that have the ability to pose a persistent threat to an organization's security. They are often associated with organized crime or nation-state actors.

Correct answer: XP

XP is a people-centric approach to development that iteratively storyboards and implements user requirements.

Scrum is an Agile development method in which participants are classified as pigs or chickens and have defined roles in project development. Development is broken into sprints designed to implement specific features.

Waterfall is a predictive development methodology with a linear, sequential process through stages with no backtracking. In Waterfall, identifying issues early is critical, as it is difficult to fix problems after the face. 

The Spiral model combines elements of Waterfall and prototyping models. It incorporates risk assessments at each of its phases, enabling a team to minimize sunk costs on a failed project.

Correct answer: Privilege Levels

Code review is a process by which other developers inspect code for security or efficiency issues. Some of the common checks performed during code review include:

• Inefficient Code: Complex or obfuscated code may need to be simplified to improve analysis or execution.
• Known Vulnerabilities: Code should be checked against the OWASP Top 10, SANS Top 25, and errors that have previously been found within an organization's code.
• Errors and Exception Handling: Code should fully test for error cases and handle all possible exceptions.
• Injection Flaws: Code should include input validation to protect against injection attacks.
• Cryptographic Strength: Cryptography should be implemented using trusted algorithms and libraries and use strong random number generation.
• Unsafe and Deprecated Function Calls: Code should only use approved functions and APIs, and unneeded functions should be removed.
• Privilege Levels: Code should be implemented in accordance with the principle of least privilege.
• Logging: Code should properly log errors without revealing unnecessary information.
• Secure Key Information: Cryptographic keys, passwords, and other authentication information should be properly used and protected.

Correct answer: Server Certificate

Digital certificates have several uses, including:

• Personal Certificates: Uniquely identify a person for secure email or similar functions
• Server Certificates: Prove the identity of a server and enable encryption for SSL/TLS traffic (such as HTTPS)
• Extended Validation (EV) Certificates: Intended to provide extra validation that a domain is owned by a particular company. Largely deprecated because they are vulnerable to attackers who register companies with the same name in different jurisdictions.
• Software Publisher Certificates: Used to digitally sign software to prove the authenticity and integrity of the code

Correct answer: OWASP

Commonly used security architecture frameworks include SABSA, Open Group Library, and Open Security Architecture (OSA).

OWASP Security Design Principles are designed to help developers put security principles into action.

Correct answer: RASP

Not all vulnerabilities are identified and fixed before applications reach production. Runtime protection systems help to mitigate this issue by protecting vulnerable applications against attempted exploitation or reducing the probability of a successful attack. Some examples include:

• Runtime Application Self-Protection (RASP): RASP solutions are integrated with a protected application and monitor its inputs, output, and behavior for anomalies that could indicate a potential attack.
• Web Application Firewall (WAF): A WAF sits between an application and the Internet and filters out traffic containing known exploits before it reaches the vulnerable application.
• Address Space Layout Randomization (ASLR): ASLR randomizes the location of certain functions in memory, making it more difficult for an attacker to use these functions when exploiting a vulnerability.

Dynamic Application Security Testing (DAST) is performed during the development process and involves sending malicious or malformed inputs to an application and monitoring its responses.

Correct answer: Watchdogs

Watchdogs check for a specific issue in an application. For example, time to live (TTL) values in packets protect against traffic endlessly looping through the network.

Correct answer: Standards Conformance

Cryptography can be fragile and broken in several ways. Some forms of cryptographic validation testing include:

• Standards Conformance: Verifies that cryptographic code complies with FIPS 140-2 or other regulatory requirements. Examples include the use of approved algorithms, settings, etc.
• Environment Validation: Verifies that cryptographic code meets requirements for the deployment environment such as those included in the ISO/IEC Common Criteria.
• Data Validation: Verifies that sensitive data requiring confidentiality protections is appropriately secured using approved and validated cryptography.
• Cryptographic Implementation: Verifies that cryptographic code correctly generates random values and ensures proper key management.

Correct answer: Interpreter

Interpreters use a program to directly execute source code without a compilation step.

Compilers convert source code into processor-specific machine code. Static linking copies required dependencies into an executable during compilation, creating a faster, easily-distributed, and bloated file. Dynamic linking stores the names and locations of dependencies to be resolved at runtime. It creates smaller files at risk of hijacked dependencies.

Correct answer: Modular programming

The principle of least privilege states that users, software, etc. should only have the access and permissions needed to do their jobs. Some means of enforcing least privilege include:

• Modular Programming: Modular programming involves breaking an application into many pieces, each with a unique, simple purpose. Modularity makes software easier to troubleshoot and maintain and can enforce least privilege since each module has limited access and permissions.
• Non-Admin Accounts: Some users will need to perform privileged actions, which require privileged accounts. However, these privileged accounts should only be used when needed, with less privileged accounts used for all other actions.

Split keys and role separation are security controls for separation of duties. Account logouts help software to fail to a secure state.

Correct answer: Black-box

White-box testing assesses an application's structure, while black-box testing assesses its behavior. Gray-box falls in between.

Red-box testing is a fabricated term.

Correct answer: PaaS

Common cloud architectures include:

• Software as a Service (SaaS): The customers access a solution fully developed and managed by the cloud provider.
• Platform as a Service (PaaS): The cloud provider hosts and manages an environment where the customer can create and deploy applications.
• Infrastructure as a Service (IaaS): The cloud provider manages underlying infrastructure, and the customer can deploy and manage their own virtual machines (VMs).

AaaS is not a cloud service infrastructure.

Correct answer: Cryptographic Processor

The trusted platform module (TPM) provides hardware protection for cryptographic keys on a system. Key elements include:

• Cryptographic Processor: The cryptographic processor includes a random number generator, key generators, hash generators, and encryption and digital signature algorithms.
• Versatile Memory: Versatile memory includes platform configuration registers, attestation identity keys, and storage keys.
• Persistent Memory: Persistent memory includes the storage root key and endorsement key.

Graphics processing units (GPUs) are not part of a TPM.

Correct answer: Sequence

A Subject/Object/Activity matrix is used to describe what activities users (subjects) are permitted to take on objects. Actions/activities are defined for a particular object, and then access controls are used to restrict the actions that a particular user can take.

Sequencing deals with the possibility that the order in which certain operations are performed could vary on a multi-threaded computer. If this can impact the functionality or security of the software, it is referred to as a race condition.

Correct answer: SAST

A few different types of tools exist for software security analysis. These include:

• Static Application Security Testing (SAST): SAST or static analysis tools analyze the source code of an application for vulnerabilities. Since they use source code, they can be applied earlier in the SDLC than other tools that require a running application. Additionally, they provide better test coverage and can pinpoint an error within an application’s code. However, SAST tools are language-specific and cannot identify some types of vulnerabilities that are only detectable in running code.
• Dynamic Application Security Testing (DAST): DAST or dynamic analysis tools test a running application for vulnerabilities by sending it malicious or anomalous inputs and analyzing its behavior or responses. DAST can be cheaper than SAST, often has fewer false positives, and can identify issues that are only apparent at runtime. However, it has poorer code coverage, cannot pinpoint where an issue exists within the code (only that it does exist), and requires a running application (making it only usable later in the SDLC).
• Interactive Application Security Testing (IAST): IAST solutions use instrumentation to gain internal visibility of a running application while running tests against it. IAST solutions can pinpoint vulnerabilities in an application and are more easily integrated into CI/CD pipelines. However, IAST can be more expensive, slows code execution, and is a less mature solution.
• Runtime Application Self-Protection (RASP): RASP uses instrumentation to monitor and protect an application in production. Based on visibility into inputs, outputs, and application behavior, RASP can identify and block even zero-day attacks against an application. However, RASP does increase the size and complexity of the application that it protects.

Correct answer: Permissive

Third-party software may operate under various licensing models, including:

• Copyright: A copyright protects the intellectual property of the author, restricting how it can be used.
• Permissive: Permissive licenses (MIT, BSD, etc.) impose minimal requirements on software use and redistribution.
• Copyleft: Copyleft licenses (GPL, etc.) require that software using the original source code provides the same rights to the user.

Permissive licenses have the least impact because they don't create legal issues or force the organization to use a particular type of license.