ISSAP - Information Systems Security Architecture Professional Application and System Security Questions and Answers

Question 1

A security architect wants to implement a testing methodology that can identify insecure coding practices, such as potential SQL injection or buffer overflow vulnerabilities, by analyzing the application's source code without executing it.
Which testing methodology should be chosen?

Accepted Answer

Static Application Security Testing (SAST)

Answer

Dynamic Application Security Testing (DAST)

Answer

Interactive Application Security Testing (IAST)

Answer

Fuzz Testing

Question 2

To be most effective and least costly, a security architect should recommend that threat modeling be performed during which phase of the Secure Software Development Lifecycle (SSDLC)?

Accepted Answer

Design

Answer

Testing

Answer

Deployment

Answer

Maintenance

Question 3

A security architect is designing a multi-level secure (MLS) database for a government agency. The primary requirement is to prevent an inference attack where a user with a low clearance could deduce the existence of high-level data by observing an error or a null result. Which database security mechanism is specifically designed to mitigate this type of attack?

Accepted Answer

Polyinstantiation

Answer

Data Masking

Answer

Homomorphic Encryption

Answer

Database Activity Monitoring (DAM)

Question 4

A company is deploying microservices using Docker containers. The security architect is concerned about vulnerabilities within the third-party and open-source libraries included in the container images. Which of the following is the MOST effective control to implement early in the CI/CD pipeline to mitigate this specific risk?

Accepted Answer

Software Composition Analysis (SCA)

Answer

Runtime container security monitoring

Answer

Implementing strict Kubernetes Network Policies

Answer

Enforcing mandatory access control (MAC) on host nodes

Question 5

When architecting a baseline security configuration for new servers, the primary goal is to reduce the attack surface. Which of the following actions is the MOST fundamental and effective first step in achieving this goal?

Accepted Answer

Removing all non-essential services, software, and ports

Answer

Implementing a host-based intrusion prevention system (HIPS)

Answer

Enforcing a complex password policy

Answer

Enabling full-disk encryption

Question 6

A security architect is defining the security verification requirements for a new web application that will handle sensitive medical data (PHI). The application requires the highest level of security assurance. According to the OWASP Application Security Verification Standard (ASVS), which level should be specified?

Accepted Answer

Level 3

Answer

Level 2

Answer

Level 4

Answer

Level 1

A security architect wants to implement a testing methodology that can identify insecure coding practices, such as potential SQL injection or buffer overflow vulnerabilities, by analyzing the application's source code without executing it.Which testing methodology should be chosen?

A security architect wants to implement a testing methodology that can identify insecure coding practices, such as potential SQL injection or buffer overflow vulnerabilities, by analyzing the application's source code without executing it.
Which testing methodology should be chosen?