CSSLP General Flashcards

(327 cards)

1
Q

Business Function

A

Practice

2
Q

Governance

A

Strategy & Metrics

3
Q

Governance

A

Policy & Compliance

4
Q

Governance

A

Education & Guidance

5
Q

Design

A

Threat Assessment

6
Q

Design

A

Security Requirements

7
Q

Design

A

Secure Architecture

8
Q

Implementation

A

Secure Build

9
Q

Implementation

A

Secure Deployment

10
Q

Implementation

A

Defect Management

11
Q

Verification

A

Architecture Assessment

12
Q

Verification

A

Requirements Testing

13
Q

Verification

A

Security Testing

14
Q

Operations

A

Incident Management

15
Q

Operations

A

Environment Management

16
Q

Operations

A

Operational Management

17
Q

Governance

A

Strategy & Metrics

18
Q

Governance

A

Policy & Compliance

19
Q

Governance

A

Education & Guidance

20
Q

Design

A

Threat Assessment

21
Q

Design

A

Security Requirements

22
Q

Design

A

Secure Architecture

23
Q

Implementation

A

Secure Build

24
Q

Implementation

A

Secure Deployment

25
Implementation
Defect Management
26
Verification
Architecture Assessment
27
Verification
Requirements Testing
28
Verification
Security Testing
29
Operations
Incident Management
30
Operations
Environment Management
31
Operations
Operational Management
32
Governance
Strategy & Metrics
33
Governance
Policy & Compliance
34
Governance
Education & Guidance
35
Design
Threat Assessment
36
Design
Security Requirements
37
Design
Secure Architecture
38
Implementation
Secure Build
39
Implementation
Secure Deployment
40
Implementation
Defect Management
41
Verification
Architecture Assessment
42
Verification
Requirements Testing
43
Verification
Security Testing
44
Operations
Incident Management
45
Operations
Environment Management
46
Operations
Operational Management
47
Governance
Strategy & Metrics
48
Governance
Policy & Compliance
49
Governance
Education & Guidance
50
Design
Threat Assessment
51
Design
Security Requirements
52
Design
Secure Architecture
53
Implementation
Secure Build
54
Implementation
Secure Deployment
55
Implementation
Defect Management
56
Verification
Architecture Assessment
57
Verification
Requirements Testing
58
Verification
Security Testing
59
Operations
Incident Management
60
Operations
Environment Management
61
Operations
Operational Management
62
Governance
Strategy & Metrics
63
Governance
Policy & Compliance
64
Governance
Education & Guidance
65
Design
Threat Assessment
66
Design
Security Requirements
67
Design
Secure Architecture
68
Implementation
Secure Build
69
Implementation
Secure Deployment
70
Implementation
Defect Management
71
Verification
Architecture Assessment
72
Verification
Requirements Testing
73
Verification
Security Testing
74
Operations
Incident Management
75
Operations
Environment Management
76
Operations
Operational Management
77
Question
Model Answer
78
Explain briefly. What is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
79
Explain briefly. What is the purpose of threat modeling?
To identify and mitigate threats early in system design. (OWASP SAMM)
80
State. Define secure coding.
Writing software to prevent vulnerabilities like injection or overflow. (OWASP Top 10)
81
State. Differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
82
State. What is tokenization?
Replacing sensitive data with non-sensitive placeholders. (PCI DSS)
83
Explain briefly. What is baseline management?
Controlling and comparing configurations to approved standards. (ISO 12207)
84
In simple terms, define mean time to recover (MTTR).
Average time to restore normal operations after an incident. (ITIL v4)
85
Describe. What is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
86
In simple terms, what is change control?
Formal process ensuring authorized, tested, and approved changes. (ITIL v4)
87
In simple terms, explain the 'complete mediation' principle.
Every access request is verified each time, preventing bypasses. (NIST 800-218)
88
In simple terms, what is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
89
State. What does SAST stand for?
Static Application Security Testing. (NIST 800-218)
90
Explain briefly. What is regression testing?
Retesting after changes to confirm no new issues were introduced. (ISTQB)
91
Describe. What is the purpose of threat modeling?
To identify and mitigate threats early in system design. (OWASP SAMM)
92
Explain briefly. Define 'attack surface'.
All possible points where an attacker can interact with a system. (NIST 800-154)
93
State. What are trust boundaries?
Interfaces where data moves between entities with differing trust levels. (ISC2 D3)
94
Describe. What is SSDLC?
A Secure SDLC integrates security into each phase of development. (NIST 800-218)
95
Describe. What is fuzz testing?
Submitting random or malformed inputs to find vulnerabilities. (NIST 800-115)
96
Describe. What is tokenization?
Replacing sensitive data with non-sensitive placeholders. (PCI DSS)
97
Describe. Why is patch management essential?
Reduces vulnerabilities by applying security updates promptly. (NIST 800-40)
98
State. Define 'attack surface'.
All possible points where an attacker can interact with a system. (NIST 800-154)
99
Explain briefly. What is the goal of security testing?
To verify software resists attacks and protects data. (ISC2 D5)
100
Explain briefly. Define 'attack surface'.
All possible points where an attacker can interact with a system. (NIST 800-154)
101
State. What is fuzz testing?
Submitting random or malformed inputs to find vulnerabilities. (NIST 800-115)
102
Describe. Explain the 'complete mediation' principle.
Every access request is verified each time, preventing bypasses. (NIST 800-218)
103
State. Why are metrics important in lifecycle management?
They measure security effectiveness and drive improvement. (ISC2 D6)
104
In simple terms, define SBOM.
Software Bill of Materials: inventory of all components used. (NIST 800-218)
105
Explain briefly. What is the purpose of threat modeling?
To identify and mitigate threats early in system design. (OWASP SAMM)
106
Describe. Explain the 'complete mediation' principle.
Every access request is verified each time, preventing bypasses. (NIST 800-218)
107
Describe. What is supplier risk assessment?
Evaluating vendor security posture and compliance. (NIST 800-161)
108
Explain briefly. What is a software supply chain?
All processes and entities involved in software creation and delivery. (NIST 800-161)
109
Explain briefly. What is supplier risk assessment?
Evaluating vendor security posture and compliance. (NIST 800-161)
110
State. What is the Bell-LaPadula model used for?
To enforce confidentiality through 'no read up, no write down'. (ISC2 D1)
111
Explain briefly. Explain the 'complete mediation' principle.
Every access request is verified each time, preventing bypasses. (NIST 800-218)
112
In simple terms, what does 'defense in depth' mean?
Layered security controls providing redundancy and resilience. (ISC2 D1)
113
Explain briefly. Why are metrics important in lifecycle management?
They measure security effectiveness and drive improvement. (ISC2 D6)
114
State. What is the OWASP Top 10?
A list of the most critical web app vulnerabilities. (OWASP 2021)
115
Describe. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
116
Describe. What is SSDLC?
A Secure SDLC integrates security into each phase of development. (NIST 800-218)
117
State. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
118
State. Differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
119
Describe. What is incident response?
Structured handling of security incidents to minimize impact. (NIST 800-61)
120
Describe. What is the main goal of defining security requirements?
To capture explicit security needs during requirement gathering. (ISC2 D2)
121
Explain briefly. Why is patch management essential?
Reduces vulnerabilities by applying security updates promptly. (NIST 800-40)
122
Explain briefly. What is SSDLC?
A Secure SDLC integrates security into each phase of development. (NIST 800-218)
123
Explain briefly. What is regression testing?
Retesting after changes to confirm no new issues were introduced. (ISTQB)
124
State. Name one threat modeling methodology.
STRIDE or PASTA can be used to identify and categorize threats. (Microsoft SDL)
125
In simple terms, what is supplier risk assessment?
Evaluating vendor security posture and compliance. (NIST 800-161)
126
In simple terms, why is patch management essential?
Reduces vulnerabilities by applying security updates promptly. (NIST 800-40)
127
Explain briefly. What is change control?
Formal process ensuring authorized, tested, and approved changes. (ITIL v4)
128
Explain briefly. What is regression testing?
Retesting after changes to confirm no new issues were introduced. (ISTQB)
129
Explain briefly. Define secure coding.
Writing software to prevent vulnerabilities like injection or overflow. (OWASP Top 10)
130
Explain briefly. Name one threat modeling methodology.
STRIDE or PASTA can be used to identify and categorize threats. (Microsoft SDL)
131
Describe. What is the main goal of defining security requirements?
To capture explicit security needs during requirement gathering. (ISC2 D2)
132
Explain briefly. Differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
133
Describe. Define 'attack surface'.
All possible points where an attacker can interact with a system. (NIST 800-154)
134
Describe. What is a software supply chain?
All processes and entities involved in software creation and delivery. (NIST 800-161)
135
State. Define mean time to recover (MTTR).
Average time to restore normal operations after an incident. (ITIL v4)
136
In simple terms, why is input validation important?
It prevents malicious data from triggering vulnerabilities. (ISC2 D4)
137
Describe. What is the OWASP Top 10?
A list of the most critical web app vulnerabilities. (OWASP 2021)
138
In simple terms, what is the goal of security testing?
To verify software resists attacks and protects data. (ISC2 D5)
139
Explain briefly. Define SBOM.
Software Bill of Materials: inventory of all components used. (NIST 800-218)
140
Describe. What is the main goal of defining security requirements?
To capture explicit security needs during requirement gathering. (ISC2 D2)
141
State. Name one threat modeling methodology.
STRIDE or PASTA can be used to identify and categorize threats. (Microsoft SDL)
142
In simple terms, what is incident response?
Structured handling of security incidents to minimize impact. (NIST 800-61)
143
State. What is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
144
In simple terms, what is SSDLC?
A Secure SDLC integrates security into each phase of development. (NIST 800-218)
145
In simple terms, what is the goal of security testing?
To verify software resists attacks and protects data. (ISC2 D5)
146
State. What is a misuse case?
A scenario that describes undesired or malicious system behavior. (ISC2 D2)
147
In simple terms, define SBOM.
Software Bill of Materials: inventory of all components used. (NIST 800-218)
148
In simple terms, what is tokenization?
Replacing sensitive data with non-sensitive placeholders. (PCI DSS)
149
Describe. What is the goal of secure deployment?
Ensure software is securely installed and configured. (ISC2 D7)
150
State. What does SAST stand for?
Static Application Security Testing. (NIST 800-218)
151
In simple terms, what is change control?
Formal process ensuring authorized, tested, and approved changes. (ITIL v4)
152
In simple terms, what is the OWASP Top 10?
A list of the most critical web app vulnerabilities. (OWASP 2021)
153
Explain briefly. What does 'defense in depth' mean?
Layered security controls providing redundancy and resilience. (ISC2 D1)
154
Describe. What does 'defense in depth' mean?
Layered security controls providing redundancy and resilience. (ISC2 D1)
155
Describe. What is code signing?
Digitally verifying the authenticity and integrity of software. (ISO 27034)
156
In simple terms, what is a software supply chain?
All processes and entities involved in software creation and delivery. (NIST 800-161)
157
Describe. What is the primary goal of secure software concepts?
To ensure confidentiality, integrity, and availability throughout the SDLC. (ISC2 D1; ISO 27001)
158
State. Define SBOM.
Software Bill of Materials: inventory of all components used. (NIST 800-218)
159
In simple terms, explain the 'complete mediation' principle.
Every access request is verified each time, preventing bypasses. (NIST 800-218)
160
In simple terms, differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
161
In simple terms, differentiate functional and non-functional requirements.
Functional: features; Non-functional: performance, security, reliability. (ISC2 D2)
162
State. What is SSDLC?
A Secure SDLC integrates security into each phase of development. (NIST 800-218)
163
In simple terms, what is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
164
Describe. What is the main goal of defining security requirements?
To capture explicit security needs during requirement gathering. (ISC2 D2)
165
Describe. Define mean time to recover (MTTR).
Average time to restore normal operations after an incident. (ITIL v4)
166
In simple terms, what is penetration testing?
Simulated attack to evaluate the effectiveness of security defenses. (OSSTMM)
167
Describe. What was the SolarWinds attack an example of?
A supply chain compromise impacting downstream systems. (CISA 2020)
168
Describe. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
169
State. What is tokenization?
Replacing sensitive data with non-sensitive placeholders. (PCI DSS)
170
In simple terms, what is the Bell-LaPadula model used for?
To enforce confidentiality through 'no read up, no write down'. (ISC2 D1)
171
In simple terms, what does SAST stand for?
Static Application Security Testing. (NIST 800-218)
172
State. What does SAST stand for?
Static Application Security Testing. (NIST 800-218)
173
State. Define a security requirements traceability matrix (SRTM).
Links security requirements to implementation and testing. (NIST 800-64)
174
Explain briefly. What is a software supply chain?
All processes and entities involved in software creation and delivery. (NIST 800-161)
175
Describe. What does 'defense in depth' mean?
Layered security controls providing redundancy and resilience. (ISC2 D1)
176
State. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
177
State. What does SAST stand for?
Static Application Security Testing. (NIST 800-218)
178
In simple terms, what is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
179
Describe. Define secure coding.
Writing software to prevent vulnerabilities like injection or overflow. (OWASP Top 10)
180
Describe. What is the goal of secure deployment?
Ensure software is securely installed and configured. (ISC2 D7)
181
In simple terms, define secure coding.
Writing software to prevent vulnerabilities like injection or overflow. (OWASP Top 10)
182
In simple terms, what is the goal of security testing?
To verify software resists attacks and protects data. (ISC2 D5)
183
Explain briefly. Define the principle of least privilege.
Grant users only the access required to perform their duties. (ISC2 D1)
184
Describe. What is a misuse case?
A scenario that describes undesired or malicious system behavior. (ISC2 D2)
185
In simple terms, what is the goal of secure deployment?
Ensure software is securely installed and configured. (ISC2 D7)
186
In simple terms, what is penetration testing?
Simulated attack to evaluate the effectiveness of security defenses. (OSSTMM)
187
In simple terms, what does SAST stand for?
Static Application Security Testing. (NIST 800-218)
188
Explain briefly. What is SSDLC?
A Secure SDLC integrates security into each phase of development. (NIST 800-218)
189
In simple terms, what is the main goal of defining security requirements?
To capture explicit security needs during requirement gathering. (ISC2 D2)
190
Explain briefly. Define SBOM.
Software Bill of Materials: inventory of all components used. (NIST 800-218)
191
Explain briefly. Differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
192
State. What is tokenization?
Replacing sensitive data with non-sensitive placeholders. (PCI DSS)
193
State. Why is input validation important?
It prevents malicious data from triggering vulnerabilities. (ISC2 D4)
194
Describe. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
195
In simple terms, what is regression testing?
Retesting after changes to confirm no new issues were introduced. (ISTQB)
196
Explain briefly. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
197
In simple terms, what is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
198
Explain briefly. What is regression testing?
Retesting after changes to confirm no new issues were introduced. (ISTQB)
199
State. What is a software supply chain?
All processes and entities involved in software creation and delivery. (NIST 800-161)
200
In simple terms, what is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
201
Explain briefly. What is the Bell-LaPadula model used for?
To enforce confidentiality through 'no read up, no write down'. (ISC2 D1)
202
In simple terms, what is the OWASP Top 10?
A list of the most critical web app vulnerabilities. (OWASP 2021)
203
State. Define SBOM.
Software Bill of Materials: inventory of all components used. (NIST 800-218)
204
In simple terms, what is the primary goal of secure software concepts?
To ensure confidentiality, integrity, and availability throughout the SDLC. (ISC2 D1; ISO 27001)
205
State. Differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
206
State. What is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
207
In simple terms, define 'attack surface'.
All possible points where an attacker can interact with a system. (NIST 800-154)
208
State. Define secure coding.
Writing software to prevent vulnerabilities like injection or overflow. (OWASP Top 10)
209
In simple terms, what is a misuse case?
A scenario that describes undesired or malicious system behavior. (ISC2 D2)
210
In simple terms, define secure coding.
Writing software to prevent vulnerabilities like injection or overflow. (OWASP Top 10)
211
Describe. Define mean time to recover (MTTR).
Average time to restore normal operations after an incident. (ITIL v4)
212
In simple terms, what is a misuse case?
A scenario that describes undesired or malicious system behavior. (ISC2 D2)
213
State. What is a misuse case?
A scenario that describes undesired or malicious system behavior. (ISC2 D2)
214
State. Why is patch management essential?
Reduces vulnerabilities by applying security updates promptly. (NIST 800-40)
215
In simple terms, what is incident response?
Structured handling of security incidents to minimize impact. (NIST 800-61)
216
State. What is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
217
Explain briefly. What is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
218
In simple terms, what does 'defense in depth' mean?
Layered security controls providing redundancy and resilience. (ISC2 D1)
219
State. What is a software supply chain?
All processes and entities involved in software creation and delivery. (NIST 800-161)
220
In simple terms, what is the main goal of defining security requirements?
To capture explicit security needs during requirement gathering. (ISC2 D2)
221
Describe. What is the purpose of threat modeling?
To identify and mitigate threats early in system design. (OWASP SAMM)
222
Describe. What is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
223
State. Name one threat modeling methodology.
STRIDE or PASTA can be used to identify and categorize threats. (Microsoft SDL)
224
Describe. What is supplier risk assessment?
Evaluating vendor security posture and compliance. (NIST 800-161)
225
Explain briefly. What is a software supply chain?
All processes and entities involved in software creation and delivery. (NIST 800-161)
226
Describe. Differentiate functional and non-functional requirements.
Functional: features; Non-functional: performance, security, reliability. (ISC2 D2)
227
State. Define mean time to recover (MTTR).
Average time to restore normal operations after an incident. (ITIL v4)
228
Describe. What is the primary goal of secure software concepts?
To ensure confidentiality, integrity, and availability throughout the SDLC. (ISC2 D1; ISO 27001)
229
Explain briefly. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
230
Describe. What is a misuse case?
A scenario that describes undesired or malicious system behavior. (ISC2 D2)
231
Explain briefly. What are trust boundaries?
Interfaces where data moves between entities with differing trust levels. (ISC2 D3)
232
Explain briefly. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
233
Explain briefly. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
234
Explain briefly. What is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
235
Explain briefly. What is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
236
Describe. What is the goal of security testing?
To verify software resists attacks and protects data. (ISC2 D5)
237
State. What is a misuse case?
A scenario that describes undesired or malicious system behavior. (ISC2 D2)
238
Explain briefly. What is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
239
Explain briefly. What are trust boundaries?
Interfaces where data moves between entities with differing trust levels. (ISC2 D3)
240
State. What are trust boundaries?
Interfaces where data moves between entities with differing trust levels. (ISC2 D3)
241
In simple terms, differentiate functional and non-functional requirements.
Functional: features; Non-functional: performance, security, reliability. (ISC2 D2)
242
Describe. Define SBOM.
Software Bill of Materials: inventory of all components used. (NIST 800-218)
243
Describe. Define the principle of least privilege.
Grant users only the access required to perform their duties. (ISC2 D1)
244
State. What is incident response?
Structured handling of security incidents to minimize impact. (NIST 800-61)
245
Explain briefly. What is the OWASP Top 10?
A list of the most critical web app vulnerabilities. (OWASP 2021)
246
Describe. What is the goal of security testing?
To verify software resists attacks and protects data. (ISC2 D5)
247
Describe. Differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
248
State. Why are metrics important in lifecycle management?
They measure security effectiveness and drive improvement. (ISC2 D6)
249
State. What is a software supply chain?
All processes and entities involved in software creation and delivery. (NIST 800-161)
250
Describe. Why is patch management essential?
Reduces vulnerabilities by applying security updates promptly. (NIST 800-40)
251
In simple terms, differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
252
In simple terms, name one threat modeling methodology.
STRIDE or PASTA can be used to identify and categorize threats. (Microsoft SDL)
253
Describe. Why is patch management essential?
Reduces vulnerabilities by applying security updates promptly. (NIST 800-40)
254
Describe. Differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
255
Explain briefly. What is supplier risk assessment?
Evaluating vendor security posture and compliance. (NIST 800-161)
256
State. What does 'defense in depth' mean?
Layered security controls providing redundancy and resilience. (ISC2 D1)
257
In simple terms, what does SAST stand for?
Static Application Security Testing. (NIST 800-218)
258
Explain briefly. Define mean time to recover (MTTR).
Average time to restore normal operations after an incident. (ITIL v4)
259
Describe. What does 'defense in depth' mean?
Layered security controls providing redundancy and resilience. (ISC2 D1)
260
State. What is the OWASP Top 10?
A list of the most critical web app vulnerabilities. (OWASP 2021)
261
State. What is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
262
Explain briefly. What is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
263
Explain briefly. What is the OWASP Top 10?
A list of the most critical web app vulnerabilities. (OWASP 2021)
264
Explain briefly. What is the purpose of threat modeling?
To identify and mitigate threats early in system design. (OWASP SAMM)
265
State. What is the main goal of defining security requirements?
To capture explicit security needs during requirement gathering. (ISC2 D2)
266
Explain briefly. Why is patch management essential?
Reduces vulnerabilities by applying security updates promptly. (NIST 800-40)
267
Describe. What is the goal of secure deployment?
Ensure software is securely installed and configured. (ISC2 D7)
268
Explain briefly. Differentiate functional and non-functional requirements.
Functional: features; Non-functional: performance, security, reliability. (ISC2 D2)
269
Describe. What is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
270
In simple terms, define secure coding.
Writing software to prevent vulnerabilities like injection or overflow. (OWASP Top 10)
271
Explain briefly. Explain the 'complete mediation' principle.
Every access request is verified each time, preventing bypasses. (NIST 800-218)
272
Describe. Define 'attack surface'.
All possible points where an attacker can interact with a system. (NIST 800-154)
273
State. What is SSDLC?
A Secure SDLC integrates security into each phase of development. (NIST 800-218)
274
Describe. What is the main goal of defining security requirements?
To capture explicit security needs during requirement gathering. (ISC2 D2)
275
Describe. What is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
276
State. What is the goal of secure deployment?
Ensure software is securely installed and configured. (ISC2 D7)
277
Explain briefly. What is the goal of secure deployment?
Ensure software is securely installed and configured. (ISC2 D7)
278
State. What is regression testing?
Retesting after changes to confirm no new issues were introduced. (ISTQB)
279
State. Explain the 'complete mediation' principle.
Every access request is verified each time, preventing bypasses. (NIST 800-218)
280
State. What is the goal of secure deployment?
Ensure software is securely installed and configured. (ISC2 D7)
281
State. Why are metrics important in lifecycle management?
They measure security effectiveness and drive improvement. (ISC2 D6)
282
In simple terms, differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
283
In simple terms, differentiate functional and non-functional requirements.
Functional: features; Non-functional: performance, security, reliability. (ISC2 D2)
284
In simple terms, what is fuzz testing?
Submitting random or malformed inputs to find vulnerabilities. (NIST 800-115)
285
In simple terms, what does SAST stand for?
Static Application Security Testing. (NIST 800-218)
286
State. What is the OWASP Top 10?
A list of the most critical web app vulnerabilities. (OWASP 2021)
287
State. What are trust boundaries?
Interfaces where data moves between entities with differing trust levels. (ISC2 D3)
288
Describe. Define secure coding.
Writing software to prevent vulnerabilities like injection or overflow. (OWASP Top 10)
289
Explain briefly. What does 'defense in depth' mean?
Layered security controls providing redundancy and resilience. (ISC2 D1)
290
In simple terms, what was the SolarWinds attack an example of?
A supply chain compromise impacting downstream systems. (CISA 2020)
291
State. What was the SolarWinds attack an example of?
A supply chain compromise impacting downstream systems. (CISA 2020)
292
Describe. What is regression testing?
Retesting after changes to confirm no new issues were introduced. (ISTQB)
293
State. What is privacy by design?
Embedding privacy principles such as data minimization early in development. (GDPR Art. 25)
294
In simple terms, differentiate white-box and black-box testing.
White-box tests internal logic; black-box tests functionality. (ISC2 D5)
295
Describe. Define 'attack surface'.
All possible points where an attacker can interact with a system. (NIST 800-154)
296
In simple terms, define a security requirements traceability matrix (SRTM).
Links security requirements to implementation and testing. (NIST 800-64)
297
State. What is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
298
In simple terms, why is input validation important?
It prevents malicious data from triggering vulnerabilities. (ISC2 D4)
299
Describe. What is defense in depth in architecture?
Layering of multiple security controls across architectural tiers. (NIST 800-160)
300
Explain briefly. What is regression testing?
Retesting after changes to confirm no new issues were introduced. (ISTQB)
301
Explain briefly. What was the SolarWinds attack an example of?
A supply chain compromise impacting downstream systems. (CISA 2020)
302
In simple terms, what is a misuse case?
A scenario that describes undesired or malicious system behavior. (ISC2 D2)
303
In simple terms, explain the 'complete mediation' principle.
Every access request is verified each time, preventing bypasses. (NIST 800-218)
304
Explain briefly. What is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
305
In simple terms, why are metrics important in lifecycle management?
They measure security effectiveness and drive improvement. (ISC2 D6)
306
State. What is the Bell-LaPadula model used for?
To enforce confidentiality through 'no read up, no write down'. (ISC2 D1)
307
Describe. What is SSDLC?
A Secure SDLC integrates security into each phase of development. (NIST 800-218)
308
Explain briefly. What is fuzz testing?
Submitting random or malformed inputs to find vulnerabilities. (NIST 800-115)
309
In simple terms, what is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
310
Explain briefly. What is supplier risk assessment?
Evaluating vendor security posture and compliance. (NIST 800-161)
311
In simple terms, what was the SolarWinds attack an example of?
A supply chain compromise impacting downstream systems. (CISA 2020)
312
Explain briefly. Why is patch management essential?
Reduces vulnerabilities by applying security updates promptly. (NIST 800-40)
313
Explain briefly. What is penetration testing?
Simulated attack to evaluate the effectiveness of security defenses. (OSSTMM)
314
State. Define configuration management.
Tracking and controlling changes to maintain software integrity. (ISO 27034)
315
In simple terms, why is input validation important?
It prevents malicious data from triggering vulnerabilities. (ISC2 D4)
316
Describe. What is a misuse case?
A scenario that describes undesired or malicious system behavior. (ISC2 D2)
317
Explain briefly. What is fuzz testing?
Submitting random or malformed inputs to find vulnerabilities. (NIST 800-115)
318
Explain briefly. What is incident response?
Structured handling of security incidents to minimize impact. (NIST 800-61)
319
Describe. What is the goal of security testing?
To verify software resists attacks and protects data. (ISC2 D5)
320
State. What is code signing?
Digitally verifying the authenticity and integrity of software. (ISO 27034)
321
State. What is the OWASP Top 10?
A list of the most critical web app vulnerabilities. (OWASP 2021)
322
Describe. What is the goal of security testing?
To verify software resists attacks and protects data. (ISC2 D5)
323
Describe. What is continuous improvement?
Regular enhancement of processes based on feedback and incidents. (PDCA Model)
324
Explain briefly. Define mean time to recover (MTTR).
Average time to restore normal operations after an incident. (ITIL v4)
325
State. What does SAST stand for?
Static Application Security Testing. (NIST 800-218)
326
State. What is the purpose of threat modeling?
To identify and mitigate threats early in system design. (OWASP SAMM)
327
Describe. What are trust boundaries?
Interfaces where data moves between entities with differing trust levels. (ISC2 D3)