CSLLP Secure Software Testing 2

Question 1

What does IAST (Interactive Application Security Testing) combine?

Accepted Answer

Elements of SAST and DAST by instrumenting the application and monitoring it during runtime testing

Answer

IAST uses agents or instrumentation within the running application to detect vulnerabilities in real time as the application is exercised, combining the context of SAST with the runtime behavior of DAST.

Question 2

A test that verifies the application correctly enforces access restrictions (e.g., a regular user cannot access admin functions) is called:

Accepted Answer

Authorization testing

Answer

Authorization testing specifically checks that the application enforces proper access controls, ensuring users can only access resources and perform actions they are permitted to.

Question 3

Which document formally authorizes a system to operate in a production environment after security testing and risk acceptance?

Accepted Answer

Authorization to Operate (ATO)

Answer

An ATO is the formal management decision granting authority for a federal information system to operate, based on assessment of implemented security controls and residual risk.

Question 4

What type of security test deliberately overloads a system with requests to determine its breaking point?

Accepted Answer

Stress test / DoS resilience test

Answer

Stress testing pushes the system beyond normal operational capacity to find the point of failure, helping identify DoS vulnerabilities and ensuring graceful degradation under overload.

Question 5

Which methodology would a security tester use to verify that a web application properly validates session tokens and prevents session hijacking?

Accepted Answer

Session management testing

Answer

Session management testing evaluates the strength and handling of session tokens, checking for predictable IDs, improper expiration, missing secure and HttpOnly cookie flags, and hijacking vulnerabilities.

CSLLP - Certified Secure Software Lifecycle Professional Practice Test

CSLLP - Certified Secure Software Lifecycle Professional Practice Test

CSLLP Secure Software Testing 2