CISSP Software Development Security • Complete Question Bank
Complete CISSP Software Development Security question bank — all 0 questions with answers and detailed explanations.
During a code review, a developer encounters the following code snippet in a Java web application used to authenticate users:
```
String query = "SELECT * FROM users WHERE username = '" + request.getParameter("user") + "' AND password = '" + request.getParameter("pass") + "'";
```
Which of the following is the MOST effective remediation?
A financial services company uses a custom web application for online banking. The application is developed in-house using Java and deployed on Apache Tomcat servers. Recently, the security team discovered that the application is vulnerable to a critical remote code execution (RCE) vulnerability due to insecure deserialization of untrusted data. The vulnerability exists in a module that processes session objects. The development team has been assigned to fix this issue. They propose the following options:
A. Implement a custom deserialization filter using ObjectInputFilter to whitelist only expected classes.
B. Replace Java serialization with JSON serialization using a library like Jackson, and configure it to disallow polymorphic deserialization by default.
C. Encrypt all serialized objects using AES-256 before sending them to the client.
D. Use a Web Application Firewall (WAF) to block requests containing known deserialization payloads.
The application must maintain high availability and minimal latency. Which option provides the MOST effective and sustainable remediation?
Match each concept to its description:
No read up, no write down
No read down, no write up
Well-formed transactions and separation of duties
Prevents conflict of interest among clients
Rules for granting and taking permissions
Match each concept to its description:
Frames and MAC addressing
Routing and logical addressing
End-to-end reliability and segmentation
User interface and application services
```
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python
COPY . /app
WORKDIR /app
CMD ["python", "app.py"]
```
```
{
  "scopes": [
    {"name": "read", "permissions": ["file:read"]},
    {"name": "write", "permissions": ["file:write"]}
  ],
  "default_permissions": ["file:read"]
}
```
```
import sqlite3

# Exhibit code: `request` is the web framework's request object (Django-style request.GET)
conn = sqlite3.connect('database.db')
cursor = conn.cursor()
user_input = request.GET.get('username')
# The query string is built by concatenating the user-supplied value directly
query = "SELECT * FROM users WHERE username = '" + user_input + "'"
cursor.execute(query)
```
Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/Developer"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::myapp-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "Stmt2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/Developer"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::myapp-bucket/*"
    }
  ]
}
```
Refer to the exhibit.
```
# Git log output
commit 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b
Author: Developer A <dev.a@company.com>
Date:   Mon Jan 15 14:30:00 2024 -0500

    Revert "Fix authentication bypass vulnerability"

    This reverts commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.

commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: Developer B <dev.b@company.com>
Date:   Sun Jan 14 10:15:00 2024 -0500

    Fix authentication bypass vulnerability
```