Quiz: Systems Lifecycle Management (Part 02) [D2]


Systems Lifecycle Management (Part 02) [D2]Online version Systems Lifecycle Management (Part 02) [D2] by Jorge Carrillo. PhD 1 In ISO 15288, what is the purpose of Agreement Processes (Acquisition/Supply)? a Define technical architecture. b Test software for bugs. c Establish security obligations and requirements with suppliers. d Dispose of the system at end-of-life. 2 Using prod data in a test env requires which security control? a Encrypt test data at rest. b Data masking or tokenization to de-identify sensitive info. c NDA for developers. d Encrypt test data in transit. 3 Difference between Due Care and Due Diligence? a Due Care: signing contracts; Due Diligence: patching systems. b Due Care: prudent action; Due Diligence: proof via audits/reviews. c Both mean the same. d Due Care: audits; Due Diligence: action. 4 Why is RoE (Rules of Engagement) for pentest critical? a Defines scope and timing to prevent DoS or legal issues. b Lists test passwords. c Guarantees vulnerabilities found. d Ensures testers are paid. 5 Which scan gives the least network traffic and best patch detail? a Credentialed (authenticated) scan. b DDoS simulation c Passive sniffing d Non-credentialed external scan 6 Why is the waterfall model criticised for security? a It ignores documentation. b It only suits large projects. c It cannot use firewalls. d Security is treated as a late phase, costly to fix flaws. 7 Primary risk of Configuration Drift? a System becomes faster. b Documentation becomes too detailed. c Increases software licenses cost. d System diverges from secure baseline, creating unknown vulnerabilities. 8 What is the goal of fuzzing? a Verify passwords. b Check code style. c Decrypt database. d Input massive random data to crash app and reveal flaws. 9 SaaS security flaw: vendor uses AWS. What is the flaw? a Shared Responsibility Model: vendor and customer both bear security duties. b AWS isn’t secure. c AWS only secures hardware. d SaaS cannot be secured. 10 DevSecOps, who is responsible for security? a Only Developers. b Everyone (Shared Responsibility) with guardrails by security. c Only Security team. d Only QA. 11 Prerequisite for a Bug Bounty program? a Zero known vulnerabilities. b $1 million budget. c Mature vulnerability intake and remediation process. d Firing internal security team. 12 Why seek FIPS 140-2/3 validation for crypto modules? a It speeds up encryption. b It guarantees unbreakable algorithms. c Independent assurance of correct, tamper-resistant implementation. d Required for all sites. 13 Best detection for Race Condition vulnerabilities? a Antivirus signatures. b SAST is useless. c Firewall logs. d Static Analysis or manual code review. 14 What does File Integrity Monitoring (FIM) primarily detect? a Phishing emails. b Unauthorized changes to critical system files. c Network intrusions. d Weak passwords. 15 Why is Code Signing critical for software supply chain? a Speeds up encryption. b Prevents Linux execution. c Encrypts code to hide it. d Ensures integrity and publisher authenticity. 16 Encrypt data at rest in requirements: Functional or Non-Functional? a Functional requirement. b Business constraint. c Non-Functional (attributes like security posture). d Process requirement. 17 You are using "Containerization" (e.g., Docker). What is a specific security risk introduced by this technology? a Containers slower than VMs. b Shared Kernel means compromise can affect all containers. c Require hardware keys. d Cannot be scanned for vulns. 18 Defining characteristic of a Sandbox environment? a Connected to internet with no firewall. b For children learning code. c Isolated environment to safely run code. d Production backup. 19 MTTR metric usefulness? a Counts bugs. b Measures efficiency of fixing identified vulnerabilities. c Measures attacker skill. d Identifies who caused the vulnerability. 20 When to conduct Security Impact Analysis (SIA)? a Before significant change is approved. b After deployment. c Once a year. d Only after breach. 21 Printer disposal security concern? a Not a concern; printers are dumb. b Printers may retain sensitive documents in memory/storage. c Printers are expensive to replace. d Printers contain toxic chemicals. 22 Why are Logic Bombs hard to detect? a Reside in hardware. b They are viruses. c Trigger-based execution makes them dormant until conditions hit. d Always encrypted. 23 Why SoD (Separation of Duties) matters in deployment? a Prevents one person from deploying without review or approval. b Slows process c Reduces documentation needs d Ensures coding skills 24 When is an Interconnection Security Agreement (ISA) required? a Installing a firewall. b Hiring a new employee. c When two orgs/systems directly connect to exchange data. d Connecting a mouse to a computer. Feedback 1 Focuses on contractual security obligations. 2 To protect PII while allowing realistic testing. 3 Care = action; Diligence = verification. 4 Prevents out-of-scope activity and liability. 5 Authenticated access reveals installed software and patches. 6 Early security integration is expensive if late. 7 Drift undermines defined security controls. 8 Finds memory errors and robustness issues. 9 Cloud provider shares security duties with customer. 10 Security is a team effort with tooling. 11 Need triage/w remediation process. 12 Validation validates implementation and key handling. 13 Timing/logic issues are hard to detect dynamically. 14 Alerts on file hash changes and integrity. 15 Verifies origin and unaltered code. 16 Encryption is a system attribute, not a behavior. 17 Kernel compromise can impact all containers. 18 Isolation protects production network. 19 Lower MTTR means faster remediation. 20 Assess risks prior to change approval. 21 Data remanence risk in devices. 22 Difficult for automated scanners to trigger. 23 Prevents fraud and errors via checks. 24 Defines secure data exchange requirements.

1

In ISO 15288, what is the purpose of Agreement Processes (Acquisition/Supply)?

a

Define technical architecture.

b

Test software for bugs.

c

Establish security obligations and requirements with suppliers.

d

Dispose of the system at end-of-life.

2

Using prod data in a test env requires which security control?

a

Encrypt test data at rest.

b

Data masking or tokenization to de-identify sensitive info.

c

NDA for developers.

d

Encrypt test data in transit.

3

Difference between Due Care and Due Diligence?

a

Due Care: signing contracts; Due Diligence: patching systems.

b

Due Care: prudent action; Due Diligence: proof via audits/reviews.

c

Both mean the same.

d

Due Care: audits; Due Diligence: action.

4

Why is RoE (Rules of Engagement) for pentest critical?

a

Defines scope and timing to prevent DoS or legal issues.

b

Lists test passwords.

c

Guarantees vulnerabilities found.

d

Ensures testers are paid.

5

Which scan gives the least network traffic and best patch detail?

a

Credentialed (authenticated) scan.

b

DDoS simulation

c

Passive sniffing

d

Non-credentialed external scan

6

Why is the waterfall model criticised for security?

a

It ignores documentation.

b

It only suits large projects.

c

It cannot use firewalls.

d

Security is treated as a late phase, costly to fix flaws.

7

Primary risk of Configuration Drift?

a

System becomes faster.

b

Documentation becomes too detailed.

c

Increases software licenses cost.

d

System diverges from secure baseline, creating unknown vulnerabilities.

8

What is the goal of fuzzing?

a

Verify passwords.

b

Check code style.

c

Decrypt database.

d

Input massive random data to crash app and reveal flaws.

9

SaaS security flaw: vendor uses AWS. What is the flaw?

a

Shared Responsibility Model: vendor and customer both bear security duties.

b

AWS isn’t secure.

c

AWS only secures hardware.

d

SaaS cannot be secured.

10

DevSecOps, who is responsible for security?

a

Only Developers.

b

Everyone (Shared Responsibility) with guardrails by security.

c

Only Security team.

d

Only QA.

11

Prerequisite for a Bug Bounty program?

a

Zero known vulnerabilities.

b

$1 million budget.

c

Mature vulnerability intake and remediation process.

d

Firing internal security team.

12

Why seek FIPS 140-2/3 validation for crypto modules?

a

It speeds up encryption.

b

It guarantees unbreakable algorithms.

c

Independent assurance of correct, tamper-resistant implementation.

d

Required for all sites.

13

Best detection for Race Condition vulnerabilities?

a

Antivirus signatures.

b

SAST is useless.

c

Firewall logs.

d

Static Analysis or manual code review.

14

What does File Integrity Monitoring (FIM) primarily detect?

a

Phishing emails.

b

Unauthorized changes to critical system files.

c

Network intrusions.

d

Weak passwords.

15

Why is Code Signing critical for software supply chain?

a

Speeds up encryption.

b

Prevents Linux execution.

c

Encrypts code to hide it.

d

Ensures integrity and publisher authenticity.

16

Encrypt data at rest in requirements: Functional or Non-Functional?

a

Functional requirement.

b

Business constraint.

c

Non-Functional (attributes like security posture).

d

Process requirement.

17

You are using "Containerization" (e.g., Docker). What is a specific security risk introduced by this technology?

a

Containers slower than VMs.

b

Shared Kernel means compromise can affect all containers.

c

Require hardware keys.

d

Cannot be scanned for vulns.

18

Defining characteristic of a Sandbox environment?

a

Connected to internet with no firewall.

b

For children learning code.

c

Isolated environment to safely run code.

d

Production backup.

19

MTTR metric usefulness?

a

Counts bugs.

b

Measures efficiency of fixing identified vulnerabilities.

c

Measures attacker skill.

d

Identifies who caused the vulnerability.

20

When to conduct Security Impact Analysis (SIA)?

a

Before significant change is approved.

b

After deployment.

c

Once a year.

d

Only after breach.

21

Printer disposal security concern?

a

Not a concern; printers are dumb.

b

Printers may retain sensitive documents in memory/storage.

c

Printers are expensive to replace.

d

Printers contain toxic chemicals.

22

Why are Logic Bombs hard to detect?

a

Reside in hardware.

b

They are viruses.

c

Trigger-based execution makes them dormant until conditions hit.

d

Always encrypted.

23

Why SoD (Separation of Duties) matters in deployment?

a

Prevents one person from deploying without review or approval.

b

Slows process

c

Reduces documentation needs

d

Ensures coding skills

24

When is an Interconnection Security Agreement (ISA) required?

a

Installing a firewall.

b

Hiring a new employee.

c

When two orgs/systems directly connect to exchange data.

d

Connecting a mouse to a computer.

Feedback

1

Focuses on contractual security obligations.

2

To protect PII while allowing realistic testing.

3

Care = action; Diligence = verification.

4

Prevents out-of-scope activity and liability.

5

Authenticated access reveals installed software and patches.

6

Early security integration is expensive if late.

7

Drift undermines defined security controls.

8

Finds memory errors and robustness issues.

9

Cloud provider shares security duties with customer.

10

Security is a team effort with tooling.

11

Need triage/w remediation process.

12

Validation validates implementation and key handling.

13

Timing/logic issues are hard to detect dynamically.

14

Alerts on file hash changes and integrity.

15

Verifies origin and unaltered code.

16

Encryption is a system attribute, not a behavior.

17

Kernel compromise can impact all containers.

18

Isolation protects production network.

19

Lower MTTR means faster remediation.

20

Assess risks prior to change approval.

21

Data remanence risk in devices.

22

Difficult for automated scanners to trigger.

23

Prevents fraud and errors via checks.

24

Defines secure data exchange requirements.

Systems Lifecycle Management (Part 02) [D2]

Quiz

Download the paper version to play

Created by

Top 10 results

Top Games

Quiz

Spanish Alphabet Listening

Quiz

Tissues - Practice Quiz

Quiz

Photosynthesis vs Cellular Respiration - Practice Quiz

Quiz

UPS 5 Seeing Habits Quiz

Quiz

Practice Quiz - Punnett Square, Variation, and Mutations