Software-defined networking (SDN) abstracts the control over the flow of data by separating logical control rules from physical data forwarding into the control plane and the data plane. Logical control rules are programmable as software, while sophisticated data-plane functionality is virtualizable through Network function virtualization (NFV). Software-defined security (SDS) is a security model that exploits SDN/NFV to enforce network security by security software on generic servers abstracting security appliances, such as Firewall, IDS, etc. Which of the following is not true about SDN, NFV, or SDS?
A. Controllers can impose flow rules or policies on physical devices via OpenFlow.
B. Switches at the data-plane implement the spanning-tree algorithm to prevent loops.
C. Software switches through NFV can be implemented independently without SDN.
D. Firewalls on generic servers as SDN applications can communicate with controllers through APIs.

Continue reading →

Your company is developing a mobile app with the support of the RESTful backend API gateway which receives articles from the mobile app and posts them across social media on behalf of the author. The API gateway creates copies in the database server so that authors can manage them. As an architect, you are designing the system architecture. Which of the following is the most feasible design decision?
A. The mobile app shall invoke API through HTTP POST to create and share articles.
B. IP whitelisting on the API gateway shall be enabled to enforce the authenticity of origin.
C. Rate limits, such as throttling and quotas, shall be applied to prevent the race condition.
D. SAML shall be implemented for authentication.

Continue reading →

In the context of software, the runtime is an umbrella term that may refer to the runtime environment, runtime library, or the runtime phase in the program lifecycle. Which of the following is least related to the concept of runtime?
A. A web browser
B. A software component packaged in a DLL file
C. A cryptographic library linked by a linker
D. A process that hosts other dynamic components

Continue reading →

According to Gartner, cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. Which of the following is the least common CASB implementation?
A. Install a server that acts as an intermediary for requests from clients.
B. Install a server that retrieves resources on behalf of a client from one or more servers.
C. Install a server that accepts requests to establish a VPN connection from clients.
D. Install a  server that provides direct, secure access to cloud applications through API.

Continue reading →

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. Which of the following is not true?
A. SAMM defines five maturity levels as objectives.
B. SAMM supports the complete software lifecycle.
C. SAMM is a prescriptive model that is technology and process agnostic.
D. SAMM categorizes software development activities into five critical business functions.

Continue reading →

Security orchestration, automation, and response (SOAR) is a good practice of security operations that enables the integration, automation, and collaboration of people, processes, and technologies to respond to security incidents effectively. Which of the following is not true?
A. Security operations entail ongoing day-to-day execution of security activities to enforce the security policy.
B. Orchestration requires SOPs, playbooks, work instructions, and other process documents.
C. Playbooks provide procedures that can be executed manually or automatically.
D. A SOAR platform responds to security events through runbooks and requires no human intervention.

Continue reading →

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. OIDC implements authentication as an extension to the OAuth 2.0 authorization process. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. Which of the following statements about OIDC and OAuth 2.0 is not true?
A. OAuth 2.0 Clients using OIDC are also referred to as Relying Parties (RPs).
B. OAuth 2.0 Authentication Servers implementing OIDC are also referred to as OpenID Providers (OPs).
C. OAuth 2.0 Clients obtain authorization from the resource server to request access tokens.
D. OAuth 2.0 Clients use different authorization grants or flow to request access tokens based on their types.

Continue reading →

Your company built many information systems to support various business functions. Each system implements its own access control mechanism to enforce security policies, so much so that they are frequently not enforced consistently. As a security professional, you suggest the authorization mechanism should be removed from individual systems and implemented per XACML on a central server. Which of the following is the best role of the server?
A. Relying party
B. Identity provider (IdP)
C. Policy decision point (PDP)
D. Policy enforcement point (PEP)

Continue reading →

People, processes, and technologies (PPT) are significant components of an information security strategy. An assurance system can remove doubts and render confidence in security to stakeholders. Which of the following is not true?
A. CISSP is accredited per the stringent requirements of ISO 17024
B. CMMI is applicable to procurement in terms of software engineering
C. TCSEC prescribes a computing system shall address covert channels
D. CC assures a product with EAL7 is more secure than one with EAL 4

Continue reading →

Your company sells toys online, supported by an E-Commerce system deployed to a PaaS. The EC system implemented and trusted federated identities from some well-known social media to streamline the order placing process. However, a new customer visiting your company’s web site still has to register for a new user account first to place orders. Which of the following is the best to address this problem?
A. Enforce Identity Assurance Level 3 (IAL3)
B. Implement LDAP to synchronize federated identities
C. Map attributes described in the SAML security assertion to a local identity
D. Create a new account just in time when a new customer logs in using a federated identity

Continue reading →