CISSP PRACTICE QUESTIONS – 20191008

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The development team is evaluating the source code repository with concerns such as source code security, integration, and deployment support. Which of the following is the least appropriate?
A. Use common file systems, e.g. NTFS or ext4, to support the code repository
B. Connect to the central code repository using SSH
C. Push or upload code to the central code repository with basic authentication or unencrypted credential over HTTPS
D. Conduct integration tests before the new code is pushed or uploaded to the central code repository to ensure code quality

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Conduct integration tests before the new code is pushed or uploaded to the central code repository to ensure code quality.

A code repository is storage where the source code is persistently stored. It is typically managed by a version (source/revision) control system (VCS) so that the historical revisions to the source code can be tracked by version. There are two types of version control systems: centralized VCS (CVCS) and distributed VCS (DVCS); e.g. Microsoft TFS and Apache Subversion (SVN) are CVCS; Git and Mercurial are DVCS.

File Systems

It’s common for a code repository to be stored on a general-purpose file system, e.g. NTFS or ext4. Git is the most well-known VCS that uses file systems supported by the operating system, while Microsoft TFS uses a relational database with a proprietary structure.

Secure Channels

It’s a good practice to connect to the central code repository using SSH.

It’s common to push or upload code to the central code repository over HTTPS. RFC 2617 defines two HTTP authentication schemes: Basic Authentication and Digest Access Authentication. The Basic Authentication Scheme uses the unencrypted credential. Because the capabilities of web browsers are quite limited and client-side scripts are transparent to anyone who inspects them, encrypting the user credential inside the web browser is ineffective. So, it’s common to conduct HTTP authentication over HTTPS.

Integration Test

The central code repository is where source code is aggregated. Modern VCSs support continuous integration and deployment. Once a developer checks in a version of source code and pushes it to the central code repository, a VCS can automatically conduct an integration test and deploy the software to another software environment, e.g. a testing environment for the QA team.

A developer typically controls his or her source code only. It’s uncommon for a developer to conduct an integration test before the new code is pushed or uploaded to the central code repository.
