CSSLP Secure Software Prep Practice Test Video
Watch the CSSLP Secure Software Prep practice test video walkthrough, review the questions, download the free PDF and start an online mock exam.
CSSLP Secure Software Prep exam — full Q&A walkthrough
Every question read aloud with the answer explained. Play it on your commute, then test yourself.
Try CSSLP Secure Software Prep questions now
Q1During software deployment, which category includes sensitive information like database connection strings and API tokens that need to be secured through encryption and strict access controls?
Show answer
✓ Correct answer: Secrets
Answer: Secrets During the deployment and maintenance phases of software development, it is crucial to securely store and manage various types of sensitive information. Examples include: Credentials: These control access to different environments and tools. Each environment and account should have dedicated credentials following the principle of least privilege. Secrets: This category includes data such as database connection strings, API tokens, and other sensitive information which should be protected with encryption and access controls. Keys/Certificates: Proper management of encryption keys and digital certificates is necessary. They should not be embedded directly into the code and should be validated before usage. Configurations: The security configuration of an application must be preserved through access control measures and ensuring the integrity and authenticity of the configuration data.
Q2The terms Transactions, Constrained Transactions, and Well-formed Transactions relate to which of the following security models?
Show answer
✓ Correct answer: Clark-Wilson
Answer: Clark-Wilson The Clark-Wilson security model emphasizes the concept of data integrity by defining Constrained Data Items (CDIs), and Unconstrained Data Items (UDIs). Transactions refer to processes that change the state of CDIs while ensuring compliance with integrity policies. Well-formed Transactions are sequences of operations that transition CDIs from one consistent state to another. Bell-LaPadula is a confidentiality protection model that combines attributes of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). Its Simple Security Rule prevents reading data at a higher level of classification, while its * property prevents writing data to a system with a lower classification level. Biba is an integrity model designed to protect higher-level, more trustworthy data from being corrupted by lower-level data. Its no-write-up rule blocks systems from writing data to a system with a higher classification level. Its second rule states that a system reading/processing data from a lower-level system will have its integrity level lowered as a result. Brewer-Nash or the Chinese Wall is a confidentiality model for enterprises. It addresses the case where one group within an organization may have information that cannot be shared with another.
Q3Which of the following security principles is LEAST related to the concept of confidentiality?
Show answer
✓ Correct answer: Availability
Answer: Availability Availability is a principle that ensures systems and data are accessible when needed, but it is not directly related to confidentiality. Confidentiality is more concerned with preventing unauthorized access to information. Here are the definitions of the other principles: Encryption: A technique to secure information by transforming it into a coded format that is unreadable without a decryption key. Access Controls: Mechanisms that restrict access to information and resources to only authorized users. Data Hiding: Techniques used to conceal information within other data to prevent unauthorized access or detection.
Q4Which of the following is MOST critical when ensuring the proper actions are taken after discovering a software vulnerability?
Show answer
✓ Correct answer: Responsibility
Answer: Responsibility Responsibility: Assigning ownership for ensuring the software vulnerability is assessed, documented, and resolved. This includes determining who is accountable for each action step in the remediation process. Authentication: Verifying the identity of users and administrators who access the systems. Common factors include passwords, tokens, and biometrics. Authorization: Confirming that authenticated users have appropriate permissions to perform certain actions. Typically managed through access controls. Accessibility: Ensuring that the software and data are available to users when needed. This might involve implementing redundant systems, backups, and ensuring minimal downtime.
Q5In a hardware security module (HSM), a random number generator and key generator are part of which of the following?
Show answer
✓ Correct answer: Cryptographic Processor
Answer: Cryptographic Processor A hardware security module (HSM) provides hardware protection for cryptographic keys on a system. Key elements include: Cryptographic Processor: The cryptographic processor includes a random number generator, key generators, encryption algorithms, and digital signature algorithms. Secure Memory: Secure memory includes storage for sensitive keys and certificates. Root of Trust: The root of trust ensures that the identity and integrity of the module can be verified. Network Interface: The network interface handles communication between the HSM and other systems but is not involved in cryptographic processing.
Q6Which of the following types of certificates would be most useful in ensuring the integrity and authenticity of a distributed mobile application?
Show answer
✓ Correct answer: Software Publisher Certificate
Answer: Software Publisher Certificate Digital certificates have several uses, including: Type of Certificate Purpose Usage Scenario Personal Certificate Uniquely identify a person Secure email or similar functions Server Certificate Prove the identity of a server Enable encryption for SSL/TLS traffic (such as HTTPS) Extended Validation Certificate Provide extra validation of domain ownership by a company Largely deprecated due to vulnerability to attackers registering companies with the same name in different jurisdictions Software Publisher Certificate Digitally sign software Prove the authenticity and integrity of the code
Full CSSLP Secure Software Prep bank + unlimited mocks
Try 30 questions free. Unlock the complete CSSLP Secure Software Prep question bank, every explanation, and unlimited timed mock exams. Practice on any device.
Unlock CSSLP Secure Software Prep →