ISSAP - Information Systems Security Architecture Professional Application and System Security Questions and Answers

Question 1

A security architect wants to implement a testing methodology that can identify insecure coding practices, such as potential SQL injection or buffer overflow vulnerabilities, by analyzing the application's source code without executing it. Which testing methodology should be chosen?

Accepted Answer

Static Application Security Testing (SAST)

Answer

Static Application Security Testing (SAST), also known as 'white-box' testing, analyzes an application's source code, byte code, or binary code for security vulnerabilities without executing the program. It is effective at finding issues like SQL injection, buffer overflows, and other insecure coding patterns early in the SDLC. DAST, or 'black-box' testing, analyzes a running application from the outside, while IAST combines elements of both. Fuzz testing involves providing invalid or random data to an application to see how it responds.

Question 2

To be most effective and least costly, a security architect should recommend that threat modeling be performed during which phase of the Secure Software Development Lifecycle (SSDLC)?

Accepted Answer

Design

Answer

Threat modeling is most effective and cost-efficient when performed during the Design phase of the SSDLC. Identifying potential threats and architectural flaws at this early stage allows for security controls to be built into the system's blueprint, preventing expensive and time-consuming remediation that would be required if these issues were found later during testing or after deployment.

Question 3

A security architect is designing a multi-level secure (MLS) database for a government agency. The primary requirement is to prevent an inference attack where a user with a low clearance could deduce the existence of high-level data by observing an error or a null result. Which database security mechanism is specifically designed to mitigate this type of attack?

Accepted Answer

Polyinstantiation

Answer

Polyinstantiation is a database security technique used in multi-level secure systems to prevent inference attacks. It allows multiple records with the same primary key to exist in the database, but with different security classifications. A user with a low clearance level would see a different, less-sensitive version of the record instead of an error, preventing them from inferring that a higher-classification record exists.

Question 4

A company is deploying microservices using Docker containers. The security architect is concerned about vulnerabilities within the third-party and open-source libraries included in the container images. Which of the following is the MOST effective control to implement early in the CI/CD pipeline to mitigate this specific risk?

Accepted Answer

Software Composition Analysis (SCA)

Answer

Software Composition Analysis (SCA) tools are specifically designed to scan an application's dependencies, including container images, to identify all third-party and open-source components and their known vulnerabilities (CVEs). Integrating an SCA scanner into the CI/CD pipeline allows for early detection of vulnerable libraries before the container image is even stored in a registry or deployed.

Question 5

When architecting a baseline security configuration for new servers, the primary goal is to reduce the attack surface. Which of the following actions is the MOST fundamental and effective first step in achieving this goal?

Accepted Answer

Removing all non-essential services, software, and ports

Answer

The most fundamental principle of system hardening and reducing the attack surface is to remove or disable all functionality that is not strictly necessary for the system's business purpose. This includes uninstalling unused software packages, disabling unneeded services, and closing unnecessary network ports, which directly eliminates potential vectors an attacker could exploit. The other options are important security controls but are applied to protect the remaining services, not to reduce the number of services themselves.

ISSAP - Information Systems Security Architecture Professional Practice Test

ISSAP - Information Systems Security Architecture Professional Practice Test

ISSAP - Information Systems Security Architecture Professional Application and System Security Questions and Answers