Video walkthrough · CSSLP Secure Software Prep

CSSLP Secure Software Prep Practice Test Video

Watch the CSSLP Secure Software Prep practice test video walkthrough, review the questions, download the free PDF and start an online mock exam.

Free sample · CSSLP Secure Software PrepQ1
During software deployment, which category includes sensitive information like database connection strings and API tokens that need to be secured through encryption and strict access controls?
Correct — D. Answer: Secrets During the deployment and maintenance phases of software development, it is crucial to securely store and manage various types of sensitive information. Examples include: Credentials: These control access to different environments and tools. Each environment and account should have dedicated credentials following the principle of least privilege. Secrets: This category includes data such as database connection strings, API tokens, and other sensitive information which should be protected with encryption and access controls. Keys/Certificates: Proper management of encryption keys and digital certificates is necessary. They should not be embedded directly into the code and should be validated before usage. Configurations: The security configuration of an application must be preserved through access control measures and ensuring the integrity and authenticity of the configuration data.
↑ Tap an answer to check it
Watch & learn

CSSLP Secure Software Prep exam — full Q&A walkthrough

Every question read aloud with the answer explained. Play it on your commute, then test yourself.

Sample questions

Try CSSLP Secure Software Prep questions now

  1. Q1During software deployment, which category includes sensitive information like database connection strings and API tokens that need to be secured through encryption and strict access controls?

    Show answer

    ✓ Correct answer: Secrets

    Answer: Secrets During the deployment and maintenance phases of software development, it is crucial to securely store and manage various types of sensitive information. Examples include: Credentials: These control access to different environments and tools. Each environment and account should have dedicated credentials following the principle of least privilege. Secrets: This category includes data such as database connection strings, API tokens, and other sensitive information which should be protected with encryption and access controls. Keys/Certificates: Proper management of encryption keys and digital certificates is necessary. They should not be embedded directly into the code and should be validated before usage. Configurations: The security configuration of an application must be preserved through access control measures and ensuring the integrity and authenticity of the configuration data.

    Open the full explanation page →

  2. Q2The terms Transactions, Constrained Transactions, and Well-formed Transactions relate to which of the following security models?

    Show answer

    ✓ Correct answer: Clark-Wilson

    Answer: Clark-Wilson The Clark-Wilson security model emphasizes the concept of data integrity by defining Constrained Data Items (CDIs), and Unconstrained Data Items (UDIs). Transactions refer to processes that change the state of CDIs while ensuring compliance with integrity policies. Well-formed Transactions are sequences of operations that transition CDIs from one consistent state to another. Bell-LaPadula is a confidentiality protection model that combines attributes of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). Its Simple Security Rule prevents reading data at a higher level of classification, while its * property prevents writing data to a system with a lower classification level. Biba is an integrity model designed to protect higher-level, more trustworthy data from being corrupted by lower-level data. Its no-write-up rule blocks systems from writing data to a system with a higher classification level. Its second rule states that a system reading/processing data from a lower-level system will have its integrity level lowered as a result. Brewer-Nash or the Chinese Wall is a confidentiality model for enterprises. It addresses the case where one group within an organization may have information that cannot be shared with another.

    Open the full explanation page →

  3. Q3Which of the following security principles is LEAST related to the concept of confidentiality?

    Show answer

    ✓ Correct answer: Availability

    Answer: Availability Availability is a principle that ensures systems and data are accessible when needed, but it is not directly related to confidentiality. Confidentiality is more concerned with preventing unauthorized access to information. Here are the definitions of the other principles: Encryption: A technique to secure information by transforming it into a coded format that is unreadable without a decryption key. Access Controls: Mechanisms that restrict access to information and resources to only authorized users. Data Hiding: Techniques used to conceal information within other data to prevent unauthorized access or detection.

    Open the full explanation page →

  4. Q4Which of the following is MOST critical when ensuring the proper actions are taken after discovering a software vulnerability?

    Show answer

    ✓ Correct answer: Responsibility

    Answer: Responsibility Responsibility: Assigning ownership for ensuring the software vulnerability is assessed, documented, and resolved. This includes determining who is accountable for each action step in the remediation process. Authentication: Verifying the identity of users and administrators who access the systems. Common factors include passwords, tokens, and biometrics. Authorization: Confirming that authenticated users have appropriate permissions to perform certain actions. Typically managed through access controls. Accessibility: Ensuring that the software and data are available to users when needed. This might involve implementing redundant systems, backups, and ensuring minimal downtime.

    Open the full explanation page →

  5. Q5In a hardware security module (HSM), a random number generator and key generator are part of which of the following?

    Show answer

    ✓ Correct answer: Cryptographic Processor

    Answer: Cryptographic Processor A hardware security module (HSM) provides hardware protection for cryptographic keys on a system. Key elements include: Cryptographic Processor: The cryptographic processor includes a random number generator, key generators, encryption algorithms, and digital signature algorithms. Secure Memory: Secure memory includes storage for sensitive keys and certificates. Root of Trust: The root of trust ensures that the identity and integrity of the module can be verified. Network Interface: The network interface handles communication between the HSM and other systems but is not involved in cryptographic processing.

    Open the full explanation page →

  6. Q6Which of the following types of certificates would be most useful in ensuring the integrity and authenticity of a distributed mobile application?

    Show answer

    ✓ Correct answer: Software Publisher Certificate

    Answer: Software Publisher Certificate Digital certificates have several uses, including: Type of Certificate Purpose Usage Scenario Personal Certificate Uniquely identify a person Secure email or similar functions Server Certificate Prove the identity of a server Enable encryption for SSL/TLS traffic (such as HTTPS) Extended Validation Certificate Provide extra validation of domain ownership by a company Largely deprecated due to vulnerability to attackers registering companies with the same name in different jurisdictions Software Publisher Certificate Digitally sign software Prove the authenticity and integrity of the code

    Open the full explanation page →

Unlock everything

Full CSSLP Secure Software Prep bank + unlimited mocks

Try 30 questions free. Unlock the complete CSSLP Secure Software Prep question bank, every explanation, and unlimited timed mock exams. Practice on any device.

Unlock CSSLP Secure Software Prep →
Cramming?
$2.99
/ week · per exam
Best value
$6.99
/ month · per exam