108 Mitchell wants to enhance his overall security and compliance to protect his company more carefully. He engages his security team to examine enterprise application integration, data integration, message-oriented middleware (MOM), object request brokers (ORBs), and the enterprise service bus (ESB). He also wants to prioritize which web applications should be secured first and how they will be tested. What do you need to sit down with your IT security team and build?Web application security planWeb application–level attack listBusiness logic justificationsContainer security
109 Edwin's board of directors want to perform quarterly security testing. As CISO of a financial institution, he must form a plan specifically for the development of this test that includes software assurance. This test must have a low risk of impacting system stability because the company is in production. The suggestion was made to outsource this to a third party. The board of directors argue that a third party will not be as knowledgeable as the development team. What will satisfy the board of directors?Gray-box testing by a major consulting firmBlack-box testing by a major external consulting firmGray-box testing by the development and security assurance teamsWhite-box testing by the development and security assurance teams
110 Trent is a security analyst for a financial organization and conducting a review of data management policies. After a complete review, he found settings disabled permitting developers to download supporting but trusted software. You submitted the recommendation that developers have a separate process to manually download software that should be vetted before its use. What process will support this recommendation?NIPSDigitally signed applicationsSandboxingPCI compliance
111 Tiffany runs an organization that is blending its development team with the operations team because of the speed applications are being rolled out. Applications change with new services required in production, so she has undertaken the challenge of eliminating those silos of development and operations. What is this called?IncrementalDevOpsAgileWaterfall
112 Shelby is working for a software developer developing web applications for an international financial enterprise. She has also been tasked with building the rule set that governs the interaction between an end user and the web application linking authentication and access. What type of rule set is this?Session managementSecure cookiesJava flagsStateless firewall
113 Your software developer has a custom ROM for Android and wants to further customize it for mobile device use in your healthcare network. Android is an open source operating system, but your developer experiences difficulties uploading the new ROM to a test device even using validated third-party libraries for development. What does he need to unlock before uploading the new ROM?BootloaderBIOSFIFOTPM
114 Angel needs to provide software code for users to download. You want the users to be able to verify that the software has not changed or become corrupted. How might you provide this verification?Code signing.Script signing.The user can attempt to install and run the program. If it installs and operates properly, it hasn't been altered.Have the user authenticate first. If the user is authenticated, the software they download must be genuine.
115 You are creating a web application security plan and need to do white-box security testing on source code to find vulnerabilities earlier in the SDLC. If you can find vulnerabilities earlier in the process, they are cheaper to fix. What type of testing do you need to do?SASTCASTDASTFAST
116 You are creating a web application security plan and need to do black-box security testing on a running application. What type of testing do you need to do?SASTCASTDASTIAST
117 You had your internal team do an analysis on compiled binaries to find errors in mobile and desktop applications. You would like an external agency to test them as well. Which of these tests best suits this need?DASTVASTIASTSAST
118 Craig's newly formed IT team is investigating cloud computing models. He wants to use a cloud computing model that is orchestrated as an integrated infrastructure environment. Apps and data can share resources based on business and technical policies. Which of the following is the best choice for this situation?PublicPrivateAgnosticHybrid
119 You have been newly hired as a CISO for a governmental contractor. One of your first conversations with the CEO is to review requirements for recovery time and recovery point objectives, and enterprise resource planning (ERP). Who should you bring to the round table to discuss metrics surrounding your RTO/RPO?Board of directorsChief financial officerData owners and custodiansBusiness unit managers and directors
120 Which of the following is a use case for configuration management software?Incident remediationContinuanceAsset managementCollaboration
121 You have been analyzing the backup schedule for a CMDB. Your CIO has said the company has an RPO of 48 hours. What is the minimum backup schedule for the CMDB?24 hours6 hours48 hours12 hours
122 Your company is looking at a new CRM model to reach customers that includes social media. The marketing director, Tucker, would like to share news, updates, and promotions on all social websites. What are the major security risks?Malware, phishing, and social engineeringDDOS, brute force, and SQLiMergers and data ownershipRegulatory requirements and environmental changes
123 In the last 5 years, your manufacturing group merged twice with competitors and acquired three startups, which led to more than 60 unique customer web applications. To reduce cost and improve workflows, you are put in charge of a project to implement centralized security. You need to ensure a model to enable integration and accurate identity information and authentication as well as repeatability. Which is the best solution?Implementation of web access control and relay proxiesAutomated provisioning of identity managementSelf-service single sign-on using KerberosBuilding an organizational wide granular access control model in a centralized location
124 You are tasked with creating a single sign-on solution for your security organization. Which of these would you not deploy in an enterprise environment?Directory servicesKerberosSAML 2.0Workgroup
125 The Domain Name System (DNS) maintains an index of every domain name and corresponding IP address. Before someone visits a website on your corporate network, DNS will resolve your domain name to its IP address. Which of the following is a weakness of DNS?SpoofingLatencyAuthenticationInconsistency
126 Your database team would like to use a service-oriented architecture (SOA). The CISO suggested you investigate the risk for adopting this type of architecture. What is the biggest security risk to adopting an SOA?SOA is available only over the enterprise network.Lack of understanding from stakeholders.Risk of legacy networks and system vulnerabilities.Source code.
127 A large enterprise social media organization underwent several mergers, divestitures, and acquisitions over the past three years. Because of this, the internal networks and software have extremely complex dependencies. Better integration is mandatory. Which of the following integration platforms is best for security and standards-based software architecture?IDEDNSSOAESB
128 The retail division of your organization purchased touchscreen tablets and wireless mice and keyboards for all their representatives to increase productivity. You communicated the risk of nonstandard devices and wireless devices, but the deployment continued. What is the best method for evaluating and presenting potential threats to upper management?Conducting a vulnerability assessmentDeveloping a standard image for these assetsMaking new recommendations for security policiesWorking with the management team to understand the processes these devices will interface with, and to classify the risk connected with the hardware/software deployment life cycle
129 You are selected to manage a software development and implementation project. Your manager suggests that you follow the phases in the SDLC. In which of these phases do you determine the controls needed to ensure that the system complies with standards?TestingInitiationAccreditationAcceptance
130 You were selected to manage a software development project. Your supervisor asked you to follow the proper phases in the systems development life cycle. Where does the SDLC begin?Requirement analysisSystem design specificationsInitiationImplementation
131 You