Effective CISSP Questions

You are a member of the software development team following the waterfall model. The customer has signed off the user requirements specification. Your team has finished and is reviewing the architectural and detailed designs. To identify security flaws, which of the following is the best vehicle?
A. Common Weakness Enumeration (CWE)
B. Security Content Automation Protocol (SCAP)
C. Common Vulnerabilities and Exposures (CVE)
D. Common Vulnerability Scoring System (CVSS)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Common Weakness Enumeration (CWE).

This question tests your knowledge of the Software Development Life Cycle (SDLC). When the design (architectural and detailed design) is done, we have to review it. Threat modeling is part of the design review, used to identify and mitigate security flaws in the design. (Some authors distinguish design flaws from implementation bugs, but the distinction is not prescriptive.)


In the design phase, weakness classes such as those catalogued in CWE (and grouped in lists like the OWASP Top 10) are more suitable for threat modeling than CVE, because a design may call for a relational database without specifying its vendor or DBMS. At this stage, SQL injection can be considered and reviewed without knowing whether MS-SQL or Oracle will be used. CVE, by contrast, refers to a specific vulnerability in a specific vendor's product.

Threat Modeling (Source: CSSLP CBK)

The Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) can be used in the development, test, or operations/maintenance phase to score a vulnerability.

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.

Source: Wikipedia

CVSS Metric Groups

Security Content Automation Protocol (SCAP)

The Security Content Automation Protocol (SCAP) is used in the operations/maintenance phase to automate the distribution of security content, such as patches and checklists.

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA (Federal Information Security Management Act, 2002) compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. An example of an implementation of SCAP is OpenSCAP.

Source: Wikipedia



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

You are a member of a software development team following the waterfall model. The customer has signed off the user requirements specification (URS). Your team has finished and is reviewing the software architecture and detailed designs. To identify security flaws, which of the following is the best tool?
A. Common Weakness Enumeration (CWE)
B. Security Content Automation Protocol (SCAP)
C. Common Vulnerabilities and Exposures (CVE)
D. Common Vulnerability Scoring System (CVSS)
