Effective CISSP Questions

An online store as a web application is protected by automated technical solutions that detect and prevent web-based attacks. As a security professional, you are hired to help them understand the Payment Card Industry Data Security Standard (PCI DSS) requirements and best practices. Which of the following is not true?
A. Web application assessments shall be conducted at least annually and after any changes.
B. A web application firewall is typically implemented in front of public-facing web applications.
C. Testing improper access control such as insecure direct object references must apply to all applications.
D. SQL injection is the most concern among injection flaws such as OS Command, LDAP, and XPath injection.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Testing improper access control such as insecure direct object references must apply to all applications.

Entities that process credit card data have to comply with the requirements of PCI DSS. PCI DSS has general requirements that apply to all applications and specific requirements imposed on web applications and application interfaces. Improper access control falls under the requirements for web applications and application interfaces, while SQL injection, which PCI DSS calls out specifically, applies to all applications.

The following diagrams are excerpts from PCI-DSS V3.2.1.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

An online store as a web application is protected by automated technical solutions that can detect and block web-based attacks. As a security expert, you are hired to help them understand the Payment Card Industry Data Security Standard (PCI DSS) requirements and best practices. Which of the following is incorrect?
A. Web application assessments shall be conducted at least annually and after any changes.
B. A web application firewall is typically deployed in front of public-facing web applications.
C. All applications must be tested for improper access control (such as insecure direct object references).
D. SQL injection is the most concerning issue among injection flaws (such as OS Command, LDAP, and XPath injection).

