The elements of security are as follows:

1.Confidentiality: It is the concealment of information or resources.

2.Authenticity: It is the identification and assurance of the origin of information.

3.Integrity: It refers to the trustworthiness of data or resources in terms of preventing improper and

unauthorized changes.

4.Availability: It refers to the ability to use the information or resources as desired.

The various phases of NIST SP 800-37 C&A are as follows:

Phase 1: Initiation- This phase includes preparation, notification and resource identification. It

performs the security plan analysis,

update, and acceptance.

Phase 2: Security Certification- The Security certification phase evaluates the controls and

documentation.

Phase 3: Security Accreditation- The security accreditation phase examines the residual risk for

acceptability, and prepares the final

security accreditation package.

Phase 4: Continuous Monitoring-This phase monitors the configuration management and control,

ongoing security control verification,

and status reporting and documentation.

Graybox testing is a combination of whitebox testing and blackbox testing. In graybox testing, the

test engineer is equipped with the

knowledge of system and designs test cases or test data based on system knowledge. The security

tester typically performs graybox testing

to find vulnerabilities in software and network system.

Answer C is incorrect. Whitebox testing is a testing technique in which an organization provides full

knowledge about the infrastructure

to the testing team. The information, provided by the organization, often includes network diagrams,

source codes, and IP addressing

information of the infrastructure to be tested.

Answer A is incorrect. Integration testing is a logical extension of unit testing. It is performed to

identify the problems that occur when

two or more units are combined into a component. During integration testing, a developer combines

two units that have already been tested

into a component, and tests the interface between the two units. Although integration testing can be

performed in various ways, the

following three approaches are generally used:

The top-down approach

The bottom-up approach

The umbrella approach

Answer B is incorrect. Regression testing can be performed any time when a program needs to be

modified either to add a feature or

to fix an error. It is a process of repeating Unit testing and Integration testing whenever existing tests

need to be performed again along with

the new tests. Regression testing is performed to ensure that no existing errors reappear, and no new

errors are introduced.

The Project Risk Management knowledge area focuses on the following processes:

Risk Management Planning

Risk Identification

Qualitative Risk Analysis

Quantitative Risk Analysis

Risk Response Planning

Risk Monitoring and Control

Answer D is incorrect. There is no such process in the Project Risk Management knowledge area.

According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability

scenario using the following functions:

Resource fault injection

Network fault injection

System fault injection

User interface fault injection

Design attack

Implementation attack

File corruption

Answer B is incorrect. This function is summarized for static analysis tools.

Assessment, monitoring, and assurance determines the necessary compliance that are offered by

risk management practices and assessment

of risk levels.

The various security code review checks performed on the stained calls of servlet are as

follows:

getParameter(): It is used to check the unvalidated sources of input from URL parameters in

javax.servlet.HttpServletRequest class.

getQueryString(): It is used to check the unvalidated sources of input from Form fields in

javax.servlet.HttpServletRequest class.

getCookies():

It

is

used

to

check

the

unvalidated

sources

of

input

from

Cookies

javax.servlet.HttpServletRequest class.

getHeaders(): It is used to check the unvalidated sources of input from HTTP headers

javax.servlet.HttpServletRequest class.

In eavesdropping, dumpster diving, and shoulder surfing, the attacker violates the confidentiality of

a system without affecting its state.

Hence, they are considered passive attacks.

The annualized loss expectancy will be $360,000.

Annualized loss expectancy (ALE) is the annually expected financial loss to an organization from a

threat. The annualized loss expectancy

(ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is

mathematically expressed as follows:

ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)

Here, it is as follows:

SLE = Asset value * EF (Exposure factor)

= 600,000 * (30/100)

= 600,000 * 0.30

= 180,000

ALE = SLE * ARO

= 180,000 * 2

= 360,000

Answer C, B, and D are incorrect. These are not valid answers.

A host-based intrusion prevention system (HIPS) is an application usually employed on a single

computer. It complements traditional finger-

print-based and heuristic antivirus detection methods, since it does not need continuous updates to

stay ahead of new malware. When a

malicious code needs to modify the system or other software residing on the machine, a HIPS system

will notice some of the resulting changes

and prevent the action by default or notify the user for permission. It can handle encrypted and

unencrypted traffic equally and cannot detect

events scattered over the network.

Answer B is incorrect. Network address translation (NAT) is a technique that allows multiple

computers to share one or more IP

addresses. NAT is configured at the server between a private network and the Internet. It allows the

computers in a private network to share

a global, ISP assigned address. NAT modifies the headers of packets traversing the server. For packets

outbound to the Internet, it translates

the source addresses from private to public, whereas for packets inbound from the Internet, it

translates the destination addresses from

public to private.

Answer A is incorrect. Network intrusion prevention system (NIPS) is a hardware/software platform

that is designed to analyze, detect,

and report on security related events. NIPS is designed to inspect traffic and based on its

configuration or security policy, it can drop malicious

traffic. NIPS is able to detect events scattered over the network and can react.