Nadean H. Tanner - CASP+ CompTIA Advanced Security Practitioner Practice Tests

111 Tiffany runs an organization that is blending its development team with the operations team because of the speed applications are being rolled out. Applications change with new services required in production, so she has undertaken the challenge of eliminating those silos of development and operations. What is this called?IncrementalDevOpsAgileWaterfall

112 Shelby is working for a software developer developing web applications for an international financial enterprise. She has also been tasked with building the rule set that governs the interaction between an end user and the web application linking authentication and access. What type of rule set is this?Session managementSecure cookiesJava flagsStateless firewall

113 Your software developer has a custom ROM for Android and wants to further customize it for mobile device use in your healthcare network. Android is an open source operating system, but your developer experiences difficulties uploading the new ROM to a test device even using validated third-party libraries for development. What does he need to unlock before uploading the new ROM?BootloaderBIOSFIFOTPM

114 Angel needs to provide software code for users to download. You want the users to be able to verify that the software has not changed or become corrupted. How might you provide this verification?Code signing.Script signing.The user can attempt to install and run the program. If it installs and operates properly, it hasn't been altered.Have the user authenticate first. If the user is authenticated, the software they download must be genuine.

115 You are creating a web application security plan and need to do white-box security testing on source code to find vulnerabilities earlier in the SDLC. If you can find vulnerabilities earlier in the process, they are cheaper to fix. What type of testing do you need to do?SASTCASTDASTFAST

116 You are creating a web application security plan and need to do black-box security testing on a running application. What type of testing do you need to do?SASTCASTDASTIAST

117 You had your internal team do an analysis on compiled binaries to find errors in mobile and desktop applications. You would like an external agency to test them as well. Which of these tests best suits this need?DASTVASTIASTSAST

118 Craig's newly formed IT team is investigating cloud computing models. He wants to use a cloud computing model that is orchestrated as an integrated infrastructure environment. Apps and data can share resources based on business and technical policies. Which of the following is the best choice for this situation?PublicPrivateAgnosticHybrid

119 You have been newly hired as a CISO for a governmental contractor. One of your first conversations with the CEO is to review requirements for recovery time and recovery point objectives, and enterprise resource planning (ERP). Who should you bring to the round table to discuss metrics surrounding your RTO/RPO?Board of directorsChief financial officerData owners and custodiansBusiness unit managers and directors

120 Which of the following is a use case for configuration management software?Incident remediationContinuanceAsset managementCollaboration

121 You have been analyzing the backup schedule for a CMDB. Your CIO has said the company has an RPO of 48 hours. What is the minimum backup schedule for the CMDB?24 hours6 hours48 hours12 hours

122 Your company is looking at a new CRM model to reach customers that includes social media. The marketing director, Tucker, would like to share news, updates, and promotions on all social websites. What are the major security risks?Malware, phishing, and social engineeringDDOS, brute force, and SQLiMergers and data ownershipRegulatory requirements and environmental changes

123 In the last 5 years, your manufacturing group merged twice with competitors and acquired three startups, which led to more than 60 unique customer web applications. To reduce cost and improve workflows, you are put in charge of a project to implement centralized security. You need to ensure a model to enable integration and accurate identity information and authentication as well as repeatability. Which is the best solution?Implementation of web access control and relay proxiesAutomated provisioning of identity managementSelf-service single sign-on using KerberosBuilding an organizational wide granular access control model in a centralized location

124 You are tasked with creating a single sign-on solution for your security organization. Which of these would you not deploy in an enterprise environment?Directory servicesKerberosSAML 2.0Workgroup

125 The Domain Name System (DNS) maintains an index of every domain name and corresponding IP address. Before someone visits a website on your corporate network, DNS will resolve your domain name to its IP address. Which of the following is a weakness of DNS?SpoofingLatencyAuthenticationInconsistency

126 Your database team would like to use a service-oriented architecture (SOA). The CISO suggested you investigate the risk for adopting this type of architecture. What is the biggest security risk to adopting an SOA?SOA is available only over the enterprise network.Lack of understanding from stakeholders.Risk of legacy networks and system vulnerabilities.Source code.

127 A large enterprise social media organization underwent several mergers, divestitures, and acquisitions over the past three years. Because of this, the internal networks and software have extremely complex dependencies. Better integration is mandatory. Which of the following integration platforms is best for security and standards-based software architecture?IDEDNSSOAESB

128 The retail division of your organization purchased touchscreen tablets and wireless mice and keyboards for all their representatives to increase productivity. You communicated the risk of nonstandard devices and wireless devices, but the deployment continued. What is the best method for evaluating and presenting potential threats to upper management?Conducting a vulnerability assessmentDeveloping a standard image for these assetsMaking new recommendations for security policiesWorking with the management team to understand the processes these devices will interface with, and to classify the risk connected with the hardware/software deployment life cycle

129 You are selected to manage a software development and implementation project. Your manager suggests that you follow the phases in the SDLC. In which of these phases do you determine the controls needed to ensure that the system complies with standards?TestingInitiationAccreditationAcceptance

130 You were selected to manage a software development project. Your supervisor asked you to follow the proper phases in the systems development life cycle. Where does the SDLC begin?Requirement analysisSystem design specificationsInitiationImplementation

131 You have turned a software project over to the fielding phase, delivering the working system to the customer. Which phase is this otherwise known as?DeploymentLicensingDevelopmentEvaluation

132 Your vulnerability manager contacted you because of an operating system software issue. There are a few security-related issues due to patches and upgrades needed for an application on the systems in question. When is the best time to complete this task?As quickly as possible after testingAfter experiencing the issue that the vulnerability manager describedAfter other organizations have tested the patch or upgradeDuring the usual monthly maintenance

133 Arnold has developed an application and want to prevent the reuse of information in memory when a user quits the program. Which of these is his best option to accomplish this task?Garbage collectionData validationSDLCOOP

134 Simon is a security engineer. While testing an application during a regular assessment to make sure it is configured securely, he sees a REQUEST containing method, resources, and headers, and a RESPONSE containing status code and headers. What technique did he most likely use to generate that type of output?FingerprintingFuzzingVulnerability scanningHTTP intercepting