
CSSLP Actual Questions Answers PDF 100% Cover Real Exam Questions
CSSLP Exam questions and answers
ISC2 CSSLP Exam Certification Details:
| Detail | Value |
| --- | --- |
| Exam Name | ISC2 Certified Secure Software Lifecycle Professional (CSSLP) |
| Duration | 180 mins |
| Exam Price | $599 (USD) |
| Number of Questions | 125 |
| Sample Questions | ISC2 CSSLP Sample Questions |
The ISC2 CSSLP, also known as the Certified Secure Software Lifecycle Professional certification, helps specialists validate their authentication, auditing, and authorization skills across each phase of the software development lifecycle.
NEW QUESTION # 113
Which of the following tools is used to attack digital watermarking?
- A. Active Attacks
- B. Gifshuffle
- C. Steg-Only Attack
- D. 2Mosaic
Answer: D
Explanation:
2Mosaic is a tool used for watermark breaking; it is an attack against a digital watermarking system. In this type of attack, an image is chopped into small pieces that are then placed together again. When the pieces are embedded in a web page, the web browser renders them as one image, which looks like the real image with no watermark in it. The attack succeeds because the watermark cannot be read from very small pieces. Answer: D is incorrect. Gifshuffle is used to hide a message or information inside GIF images by shuffling the colormap. This tool also provides compression and encryption. Answer: B and A are incorrect. Active Attacks and Steg-Only Attacks are used to attack steganography.
NEW QUESTION # 114
You are responsible for network and information security at a large hospital. It is a significant concern that any change to any patient record can be easily traced back to the person who made that change. What is this called?
- A. Non-repudiation
- B. Availability
- C. Data Protection
- D. Confidentiality
Answer: A
Explanation:
Non-repudiation refers to mechanisms that prevent a party from falsely denying involvement in a data transaction.
NEW QUESTION # 115
Which of the following are included in Technical Controls? Each correct answer represents a complete solution. Choose all that apply.
- A. Password and resource management
- B. Conducting security-awareness training
- C. Implementing and maintaining access control mechanisms
- D. Configuration of the infrastructure
- E. Identification and authentication methods
- F. Security devices
Answer: A,C,D,E,F
Explanation:
Technical Controls are also known as Logical Controls. These controls include the following:
- Implementing and maintaining access control mechanisms
- Password and resource management
- Identification and authentication methods
- Security devices
- Configuration of the infrastructure
Answer F is incorrect. It is a part of Administrative Controls.
NEW QUESTION # 116
You have a storage medium containing some data, and you make efforts to remove this data. Afterwards, you find that the data is still present on the medium. Which of the following terms refers to the condition described above?
- A. Object reuse
- B. Residual
- C. Degaussing
- D. Data remanence
Answer: D
Explanation:
Data remanence refers to data that remains even after efforts have been made to remove or erase it. It occurs because data is left intact by a simple file deletion operation, by reformatting of the storage media, or through the physical properties of the storage medium. Data remanence can make unintentional disclosure of sensitive information possible, so care must be taken before the storage media is released into an uncontrolled environment. Answer C and B are incorrect. These are distractors. Answer A is incorrect. Object reuse refers to reassigning, to some other object, a storage medium that has held one or more objects.
NEW QUESTION # 117
The Project Risk Management knowledge area focuses on which of the following processes? Each correct answer represents a complete solution. Choose all that apply.
- A. Risk Management Planning
- B. Potential Risk Monitoring
- C. Quantitative Risk Analysis
- D. Risk Monitoring and Control
Answer: A,C,D
Explanation:
The Project Risk Management knowledge area focuses on the following processes:
- Risk Management Planning
- Risk Identification
- Qualitative Risk Analysis
- Quantitative Risk Analysis
- Risk Response Planning
- Risk Monitoring and Control
Answer D is incorrect. There is no such process in the Project Risk Management knowledge area.
NEW QUESTION # 118
What NIACAP certification levels are recommended by the certifier? Each correct answer represents a complete solution. Choose all that apply.
- A. Maximum Analysis
- B. Minimum Analysis
- C. Comprehensive Analysis
- D. Basic System Review
- E. Basic Security Review
- F. Detailed Analysis
Answer: B,C,E,F
Explanation:
NIACAP has four levels of certification. These levels ensure that the appropriate C&A activities are performed under varying schedule and budget limitations. The certifier must analyze the system's business functions, determine the required degree of confidentiality, integrity, availability, and accountability, and then recommend one of the following NIACAP certification levels:
- Level 1 - Basic Security Review
- Level 2 - Minimum Analysis
- Level 3 - Detailed Analysis
- Level 4 - Comprehensive Analysis
Answer B and F are incorrect. No such levels exist.
NEW QUESTION # 119
Which of the following types of signatures is used in an Intrusion Detection System to trigger on attacks that attempt to reduce the level of a resource or system, or to cause it to crash?
- A. Reconnaissance
- B. Benign
- C. DoS
- D. Access
Answer: C
Explanation:
Following are the basic categories of signatures:
- Informational (benign): These signatures trigger on normal network activity, for example ICMP echo requests and the opening or closing of TCP or UDP connections.
- Reconnaissance: These signatures trigger on attacks that uncover reachable resources and hosts, as well as any vulnerabilities they might contain. Reconnaissance attacks include ping sweeps, DNS queries, and port scanning.
- Access: These signatures trigger on access attacks, which include unauthorized access, unauthorized escalation of privileges, and access to protected or sensitive data, for example Back Orifice, a Unicode attack against Microsoft IIS, and NetBus.
- DoS: These signatures trigger on attacks that attempt to reduce the level of a resource or system, or to cause it to crash, for example TCP SYN floods, the Ping of Death, Smurf, Fraggle, Trinoo, and Tribe Flood Network.
NEW QUESTION # 120
The service-oriented modeling framework (SOMF) introduces five major life cycle modeling activities that drive a service evolution during design-time and run-time. Which of the following activities integrates SOA software assets and establishes SOA logical environment dependencies?
- A. Service-oriented logical design modeling
- B. Service-oriented business integration modeling
- C. Service-oriented logical architecture modeling
- D. Service-oriented discovery and analysis modeling
Answer: C
Explanation:
Service-oriented logical architecture modeling integrates SOA software assets and establishes SOA logical environment dependencies. It also fosters service reuse, loose coupling, and consolidation. Answer A is incorrect. Service-oriented discovery and analysis modeling discovers and analyzes services for granularity, reusability, interoperability, and loose coupling, and identifies consolidation opportunities. Answer B is incorrect. Service-oriented business integration modeling identifies service integration and alignment opportunities with business domains' processes. Answer D is incorrect. Service-oriented logical design modeling establishes service relationships and message exchange paths.
NEW QUESTION # 121
The Software Development Life Cycle (SDLC) is a logical process used by programmers to develop software.
Which of the following SDLC phases meets the audit objectives defined below?
- System and data are validated.
- System meets all user requirements.
- System meets all control requirements.
- A. Initiation
- B. Programming and training
- C. Evaluation and acceptance
- D. Definition
Answer: C
Explanation:
The evaluation and acceptance phase of the SDLC meets the following audit objectives: the system and data are validated, the system meets all user requirements, and the system meets all control requirements. Answer D is incorrect. During the initiation phase, the need for a system is expressed and the purpose of the system is documented. Answer: C is incorrect. During the definition phase, users' needs are defined and translated into requirements statements that incorporate appropriate controls. Answer: B is incorrect. During the programming and training phase, the software and other components of the system are faithfully incorporated into the design specifications. Proper documentation and training are provided in this phase.
NEW QUESTION # 122
Which of the following processes identifies the threats that can impact the business continuity of operations?
- A. Requirement analysis
- B. Function analysis
- C. Risk analysis
- D. Business impact analysis
Answer: D
Explanation:
A business impact analysis (BIA) is a crisis management technique that identifies the threats that can impact the business continuity of operations. Such threats can be either natural or man-made. The BIA team should have a clear understanding of the organization, its key business processes, and its IT resources in order to assess the risks associated with continuity. The BIA team should include senior management, IT personnel, and end users, so that all resources used during normal operations can be identified. Answer B is incorrect. Risk analysis is the study of risks, their probability, and their evaluation in a business or a process. It is an important factor in security enhancement and prevention in a system, and should be performed as part of the risk management process for each project. The outcome of the risk analysis is the creation or review of the risk register, which identifies and quantifies risk elements of the project and their potential impact. Answer A is incorrect. The functional analysis process is used to convert system requirements into a comprehensive functional standard. Verification is the result of the functional analysis process, in which the fundamentals of a system-level functional architecture are defined adequately to allow for synthesis in the design phase. Functional analysis breaks higher-level functions down into lower-level functions. Answer D is incorrect. Requirements analysis encompasses the tasks that go into determining the needs or conditions to be met for a new or altered product, taking account of the possibly conflicting requirements of the various stakeholders.
NEW QUESTION # 123
You work as a project manager for BlueWell Inc. You and your team are using a method or a (technical) process that still carries risk even if all theoretically possible safety measures were applied. One of your team members wants to know what a residual risk is. What will you reply to your team member?
- A. It is a risk that remains after planned risk responses are taken.
- B. It is a risk that can not be addressed by a risk response.
- C. It is a risk that remains because no risk response is taken.
- D. It is a risk that will remain no matter what type of risk response is offered.
Answer: A
Explanation:
Residual risks are generally the smaller risks that remain in the project after the larger risks have been addressed. The residual risk is the risk or danger of an action, event, method, or (technical) process that still remains even if all theoretically possible safety measures were applied. The formula to calculate residual risk is (inherent risk) x (control risk), where inherent risk is (threats x vulnerability). Answer: B is incorrect. This is not a valid statement about residual risks. Answer: C is incorrect. This is not a valid statement about residual risks. Answer: A is incorrect. This is not a valid statement about residual risks.
NEW QUESTION # 124
Adrian is the project manager of the NHP Project. In her project there are several work packages that deal with electrical wiring. Rather than manage the risk internally, she has decided to hire a vendor to complete all work packages that deal with the electrical wiring. By shifting the risk to a licensed electrician, Adrian feels more comfortable that the project team is safe. What type of risk response has Adrian used in this example?
- A. Mitigation
- B. Transference
- C. Avoidance
- D. Acceptance
Answer: B
Explanation:
This is an example of transference. When the risk is transferred to a third party, usually for a fee, it creates a contractual relationship in which the third party manages the risk on behalf of the performing organization. Risk response planning is a method of developing options to decrease threats and make the most of opportunities. The risk response should be aligned with the consequence of the risk and with cost-effectiveness. This planning documents the processes for managing risk events; it addresses the owners and their responsibilities, risk identification, results from the qualification and quantification processes, budgets and times for responses, and contingency plans. The risk response planning techniques are as follows:
- Risk acceptance: The project team has decided not to change the project management plan to deal with a risk, or is unable to identify any other suitable response strategy.
- Risk avoidance: A technique for a threat that creates changes to the project management plan meant to either eliminate the risk or protect the project objectives from its impact.
- Risk mitigation: A list of specific actions taken to deal with specific risks associated with threats, seeking to reduce the probability of occurrence or the impact of the risk below an acceptable threshold.
- Risk transference: Used to shift the impact of a threat to a third party, together with the ownership of the response.
NEW QUESTION # 125
You work as a Security Manager for Tech Perfect Inc. The company has a Windows based network. It is required to determine compatibility of the systems with custom applications. Which of the following techniques will you use to accomplish the task?
- A. Antivirus management
- B. Safe software storage
- C. Backup control
- D. Software testing
Answer: D
Explanation:
In order to accomplish the task, you should use the software testing technique. By using this technique you can determine the compatibility of systems with custom applications, or identify other unforeseen interactions. You can also use software testing while upgrading software. Answer B is incorrect. Antivirus management is used to protect systems from viruses, unexpected software interactions, and the subversion of security controls. Answer: A is incorrect. Safe software storage is used to ensure that the software and backup copies have not been modified without authorization. Answer: C is incorrect. Backup control is used to back up software and data.
NEW QUESTION # 126
In which of the following deployment models of cloud is the cloud infrastructure operated exclusively for an organization?
- A. Hybrid cloud
- B. Community cloud
- C. Public cloud
- D. Private cloud
Answer: D
Explanation:
In a private cloud, the cloud infrastructure is operated exclusively for an organization.
The private cloud infrastructure is administered by the organization or a third party, and may exist on premises or off premises.
NEW QUESTION # 127
Which of the following terms refers to a mechanism which proves that the sender really sent a particular message?
- A. Non-repudiation
- B. Authentication
- C. Integrity
- D. Confidentiality
Answer: A
Explanation:
Non-repudiation is a mechanism which proves that the sender really sent a message. It provides evidence of the identity of the sender and of message integrity. It also prevents a person from denying the submission or delivery of the message and the integrity of its contents. Answer C is incorrect. Authentication is the process of verifying the identity of a person or network host. Answer A is incorrect. Confidentiality ensures that no one can read a message except the intended receiver. Answer D is incorrect. Integrity assures the receiver that the received message has not been altered in any way from the original.
NEW QUESTION # 128
Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?
- A. FIPS
- B. FITSAF
- C. TCSEC
- D. SSAA
Answer: C
Explanation:
Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information. It was replaced by the Common Criteria international standard, originally published in 2005. The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. Answer D is incorrect. The System Security Authorization Agreement (SSAA) is an information security document used in the United States Department of Defense (DoD) to describe and accredit networks and systems. The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process, or DITSCAP (superseded by DIACAP). The DoD instruction (issued in December 1997) that describes DITSCAP and provides an outline for the SSAA document is DODI 5200.40. The DITSCAP application manual (DoD 8510.1-M), published in July 2000, provides additional details. Answer: A is incorrect. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems, providing an approach for federal agencies. It determines how federal agencies are meeting existing policy and establishes goals. The main advantage of FITSAF is that it addresses the requirements of the Office of Management and Budget (OMB). It also addresses the guidelines provided by the National Institute of Standards and Technology (NIST). Answer: B is incorrect. The Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use by all non-military government agencies and by government contractors.
Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, ISO, etc.). Some FIPS standards were originally developed by the U.S. government, for instance standards for encoding data (e.g., country codes) and, more significantly, some encryption standards, such as the Data Encryption Standard (FIPS 46-3) and the Advanced Encryption Standard (FIPS 197). In 1994, NOAA began broadcasting coded signals called FIPS (Federal Information Processing System) codes along with its standard weather broadcasts from local stations. These codes identify the type of emergency and the specific geographic area (such as a county) affected by the emergency.
NEW QUESTION # 129
Which of the following types of obfuscation transformation increases the difficulty for a de-obfuscation tool so that it cannot extract the true application from the obfuscated version?
- A. Data obfuscation
- B. Preventive transformation
- C. Control obfuscation
- D. Layout obfuscation
Answer: B
Explanation:
Preventive transformation increases the difficulty for a de-obfuscation tool so that it cannot extract the true application from the obfuscated version.
Exam Details
The CSSLP certification exam is a 3-hour test containing 125 questions. The format of the exam questions includes multiple-choice items, and the students can take this test in English only. The candidates must gain 700 or more points to complete this exam and earn the certificate. Pearson VUE is the official administrator of the (ISC)2 certification tests, which means that you will sit for this one at one of its centers across the world.
LatestCram CSSLP Exam Practice Test Questions: https://www.latestcram.com/CSSLP-exam-cram-questions.html
