CCSP Practice Questions – Penetration Testing & Application Security

You have a new application that is about to be put into production and used by customers. Management would like to undertake an exhaustive test of the system by assessing the known controls and configurations as well as reviewing the source code and components. Which type of testing would this represent?

An employee of your company submitted a security ticket claiming that he was able to access areas of an application by going through certain functions that he should not be able to. What type of security vulnerability does this best illustrate?
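
The scenario above, a user reaching a privileged function that only the menu was hiding, as an added illustration that is not part of the original question set and does not name any answer choice. The user table, role names and handler names are constructed for the demo; the point is that the access check lives on the function itself, not in the navigation that links to it.

```python
from functools import wraps

# Constructed demo users and roles (assumption, not from the page).
USERS = {
    "alice": {"roles": {"user"}},
    "bob":   {"roles": {"user", "admin"}},
}


class AccessDenied(Exception):
    """Raised when a caller lacks the role a function requires."""


def requires_role(role):
    """Decorator enforcing a function-level role check before the handler runs.

    The check is evaluated on every call, so it holds even when the caller
    reaches the function by a direct URL, an API call or a guessed path.
    """
    def decorator(fn):
        @wraps(fn)
        def wrapper(username, *args, **kwargs):
            roles = USERS.get(username, {}).get("roles", set())
            if role not in roles:
                raise AccessDenied(f"{username} lacks role {role!r} for {fn.__name__}")
            return fn(username, *args, **kwargs)
        return wrapper
    return decorator


# Vulnerable pattern: the UI hides the link for non-admins, but the function
# itself trusts whoever calls it. Any user who learns the route can invoke it.
def export_all_customers_unchecked(username):
    return ["customer-1", "customer-2"]


# Hardened pattern: the function enforces the role regardless of how it was reached.
@requires_role("admin")
def export_all_customers(username):
    return ["customer-1", "customer-2"]


def try_export(username):
    """Return ("allowed", rows) or ("denied", reason) for the hardened handler."""
    try:
        return ("allowed", export_all_customers(username))
    except AccessDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    # alice has no admin role: the unchecked handler still hands her the data,
    # the hardened one refuses.
    print(export_all_customers_unchecked("alice"))
    print(try_export("alice"))
    print(try_export("bob"))
```

The decorator is deliberately placed on the business function rather than on a route or menu entry, because hiding a link is presentation, not enforcement.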

Where would be the most appropriate location for an XML firewall within a system architecture?

When you are changing to a different data center for a disaster recovery scenario, which of the following could pose a challenge to the authentication systems over a geographic distance?

Which type of testing involves externally attacking the security of a system but without actually attempting to alter systems or fully execute malicious actions?

A common strategy to mitigate costs when using a cloud solution for disaster recovery is to leave images offline at the DR provider and only turn them on when needed. Which of the following would be the least significant concern with this approach?

Which stage of the BCDR process takes into account the RPO and RTO requirements set forth by management and stakeholders?

Which of the following threats from the OWASP Top Ten is the most difficult for an organization to protect against?

You have been tasked by management to run security tests against an application using the same toolsets and methodologies that a legitimate attacker would use, including actually attempting to leverage successful exploits. Which type of testing would this entail?

Which of the following types of threats is focused on compromising the client rather than the server or application itself?

Which concept refers to the ability to validate and prove that a specific entity did not perform operations on a system?

Which of the following software applications is not a utility for managing code or system configurations?

During an incident investigation from a suspected breach, it was discovered that some application code contained the names of underlying databases and systems that were able to be read by the attacker. What type of vulnerability does this best represent?

What standard is used between different entities within a federated system to exchange information about authentication and user attributes?

Which concept is often used to isolate and separate information or processes within an environment for either security concerns or regulatory requirements?

Which type of threat is often used in conjunction with phishing attempts and is often viewed as greatly increasing the likelihood of success?

What is the primary security mechanism used to protect SOAP and REST APIs?

Which type of testing tends to produce the best and most comprehensive results for discovering system vulnerabilities?

Which of the following represents the R component of the DREAD threat risk modeling system?

During a periodic or specific testing of a BCDR plan, which of the following pairs of objectives is the main metric used for the overall evaluation of the plan?

Which of the following options would be possible, in conjunction with a USB drive, to fulfill an application’s multifactor authentication requirements?

Which of the following types of organizations is most likely to make use of open source software technologies?

Which component consumes assertions from identity providers and determines whether to grant a user access and, if applicable, at what level?

Which of the following choices represents the D component of the STRIDE threat model (originally from Microsoft)?