Topic 1: Exam Pool A
Static software security testing typically uses __________ as a measure of how thorough
the testing was.
Response:
A.
Number of testers
B.
Flaws detected
C.
Code coverage
D.
Malware hits
Code coverage
At which layer does the IPSec protocol operate to encrypt and protect communications
between two parties?
Response:
A.
Network
B.
Application
C.
Transport
D.
Data link
Network
You are the security manager for a small application development company. Your company
is considering the use of the cloud for software testing purposes. Which cloud service
model is most likely to suit your needs?
Response:
A.
IaaS
B.
PaaS
C.
SaaS
D.
LaaS
PaaS
Which of the following is not a factor an organization might use in the cost-benefit
analysis when deciding whether to migrate to a cloud environment?
Response:
A.
Pooled resources in the cloud
B.
Shifting from capital expenditures to support IT investment to operational expenditures
C.
The time savings and efficiencies offered by the cloud service
D.
Branding associated with which cloud provider might be selected
Branding associated with which cloud provider might be selected
Which of the following storage types are used with an Infrastructure as a Service
(IaaS) solution?
Response:
A.
Volume and block
B.
Structured and object
C.
Unstructured and ephemeral
D.
Volume and object
Volume and object
You are the security manager for an online retail sales company with 100 employees
and a production environment hosted in a PaaS model with a major cloud provider.
Your company policies have allowed for a BYOD workforce that works equally from
the company offices and their own homes or other locations. The policies also allow
users to select which APIs they install and use on their own devices in order to
access and manipulate company data.
Of the following, what is a security control you’d like to implement to offset the
risk(s) incurred by this practice?
A.
Regular and widespread integrity checks on sampled data throughout the managed
environment
B.
More extensive and granular background checks on all employees, particularly new
hires
C.
Inclusion of references to all applicable regulations in the policy documents
D.
Increased enforcement of separation of duties for all workflows
Regular and widespread integrity checks on sampled data throughout the managed
environment
When an organization implements a SIEM solution and begins aggregating event
data, the configured event sources are only valid as of the time they were configured.
Application modifications, patching, and other upgrades will change the events
generated and how they are represented over time.
What process is necessary to ensure events are collected and processed with this in
mind?
A.
Continual review
B.
Continuous optimization
C.
Aggregation updates
D.
Event elasticity
Continuous optimization
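The drift described above is what continuous optimization has to catch. As an added illustration (not code from the original question set), the Python below shows the failure mode and the metric that exposes it: a collector tuned against one hypothetical "auth" application log format, a constructed post-patch format where the same fields were renamed, and a detection rule that silently stops firing until a second parser maps the new names onto the canonical fields. The application, its field names and every log line are constructed for this example.

```python
import re
from collections import Counter

# Parser set the collector was tuned with at deployment time
# (hypothetical "auth" application, v1 format, constructed for this example).
PARSERS_V1 = {
    "auth-v1": re.compile(
        r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
    ),
}

# Parser set after an optimization pass: the patched app renamed its keys,
# so a second pattern maps the new names onto the same canonical fields.
PARSERS_V2 = {
    **PARSERS_V1,
    "auth-v2": re.compile(
        r"^(?P<ts>\S+) auth actor=(?P<user>\S+) outcome=(?P<result>\S+) client_ip=(?P<src>\S+)$"
    ),
}

# Constructed sample lines: three failed logins from one source, one success.
PRE_PATCH = [
    "2024-05-01T10:00:00Z auth user=alice result=FAIL src=10.0.0.5",
    "2024-05-01T10:00:01Z auth user=alice result=FAIL src=10.0.0.5",
    "2024-05-01T10:00:02Z auth user=alice result=FAIL src=10.0.0.5",
    "2024-05-01T10:00:03Z auth user=bob result=OK src=10.0.0.9",
]
POST_PATCH = [
    "2024-05-02T10:00:00Z auth actor=alice outcome=failure client_ip=10.0.0.5",
    "2024-05-02T10:00:01Z auth actor=alice outcome=failure client_ip=10.0.0.5",
    "2024-05-02T10:00:02Z auth actor=alice outcome=failure client_ip=10.0.0.5",
    "2024-05-02T10:00:03Z auth actor=bob outcome=success client_ip=10.0.0.9",
]


def parse_events(lines, parsers):
    """Return (canonical events, number of lines that no parser matched)."""
    events, unparsed = [], 0
    for line in lines:
        for name, rx in parsers.items():
            m = rx.match(line)
            if m:
                ev = m.groupdict()
                # Normalise the outcome so rules do not depend on version-specific spelling.
                ev["result"] = "fail" if ev["result"].lower().startswith("fail") else "ok"
                ev["parser"] = name
                events.append(ev)
                break
        else:
            unparsed += 1
    return events, unparsed


def unparsed_rate(lines, parsers):
    """Fraction of lines that fell through every parser: the drift metric to alert on."""
    if not lines:
        return 0.0
    _, unparsed = parse_events(lines, parsers)
    return unparsed / len(lines)


def brute_force_sources(events, threshold=3):
    """Sources with at least `threshold` failed logins; written against canonical fields only."""
    fails = Counter(ev["src"] for ev in events if ev["result"] == "fail")
    return {src for src, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    for label, lines, parsers in [
        ("pre-patch, v1 parsers", PRE_PATCH, PARSERS_V1),
        ("post-patch, v1 parsers", POST_PATCH, PARSERS_V1),
        ("post-patch, v2 parsers", POST_PATCH, PARSERS_V2),
    ]:
        events, _ = parse_events(lines, parsers)
        print(f"{label}: unparsed={unparsed_rate(lines, parsers):.0%} "
              f"alerts={sorted(brute_force_sources(events))}")
```

With only the v1 parser, every post-patch line is dropped and the brute-force rule goes quiet, even though the attack pattern is unchanged; the unparsed rate jumps from 0% to 100% and is the signal that the parser set needs another pass.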
You are the security manager of a small firm that has just purchased a DLP solution to
implement in your cloud-based production environment.
What should you not expect the tool to address?
Response:
A.
Sensitive data sent inadvertently in user emails
B.
Sensitive data captured by screen shots
C.
Sensitive data moved to external devices
D.
Sensitive data in the contents of files sent via FTP
Sensitive data captured by screen shots
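To make the answer concrete, the following is an added example (not part of the original question set) of the content inspection a DLP tool performs: pattern matching plus a Luhn check over text it can read, such as an email body or a file sent over FTP, and nothing at all over an image. The sample email, CSV file and PNG payload are constructed here; the card number is the well-known 4111 1111 1111 1111 test number.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US-style SSN: 3-2-4 digits with dashes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to drop order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (category, value) pairs for every pattern hit in readable text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("PAN", digits))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.group(0)))
    return findings


def inspect_channel(payload: bytes) -> list[tuple[str, str]]:
    """Inspect one egress payload. Image data is opaque to text matching, so a
    screenshot of the same card number yields nothing (absent OCR, which this
    example does not attempt)."""
    if payload.startswith(b"\x89PNG\r\n\x1a\n"):
        return []
    return find_sensitive(payload.decode("utf-8", errors="replace"))


# Constructed samples for the three channels in the question.
SAMPLES = {
    "email": b"Hi, my card is 4111 1111 1111 1111, ref order 1234567890123. Thanks!",
    "ftp_file": b"name,ssn,card\nalice,123-45-6789,4111-1111-1111-1111\n",
    "screenshot": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # PNG signature plus dummy pixel bytes
}


def run_checks() -> dict[str, list[tuple[str, str]]]:
    """Run the inspection over every sample channel."""
    return {name: inspect_channel(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for channel, hits in run_checks().items():
        print(f"{channel:10s} -> {hits or 'no findings'}")
```

The order number in the email is a 13-digit run that fails the Luhn check and is correctly ignored, while the same card number is caught in both the email and the FTP file. The screenshot carries that number only as pixels, so content inspection has no text to match, which is why option B is the channel the tool should not be expected to cover.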
You are the security manager for a software development firm. Your company is
interested in using a managed cloud service provider for hosting its testing
environment. Previous releases have shipped with major flaws that were not
detected in the testing phase; leadership wants to avoid repeating that problem.
What tool/technique/technology might you suggest to aid in identifying
programming errors?
A.
Vulnerability scans
B.
Open source review
C.
SOC audits
D.
Regulatory review
Open source review
Which of the following types of organizations is most likely to make use of open
source software technologies?
A.
Government agencies
B.
Corporations
C.
Universities
D.
Military
Universities