Cartes mémoires CCAK

Cartes-fiches	45
Langue	English
Catégorie	Technique
Niveau	Autres
Crée / Actualisé	29.11.2023 / 30.11.2023
Lien de web	https://card2brain.ch/box/20231129_ccak
Intégrer	<iframe src="https://card2brain.ch/box/20231129_ccak/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>

What domain is AAC?

Audit, Assurance and Compliance

What Domain is BCR?

Business Continuity and Operational Resilience

Which Domain is CCC?

Change control and configuration management

Which Domain is DSI?

Data Security and Information Lifecycle Management

Which domain is DCS

Data Center Security

Which domain is EKM

Encryption and Key Management

HRS?

Human Resources Security

IAM

Identity and Access Management

IVS

Infrastructure and Virtualization

GRM?

Governance and Risk Management

IPY

Interoperability and Portability

MOS

Mobile Security

SEF

Security Incident Management, E-Disc and Cloud Forensics

STA

Supply Chain Management, Transparency and Accountability

TVM

Threat and Vulnerability Management

Some of the reasons to integrate security in the early stages of the systems development life cycle include (select all that apply):

It can help reduce costs, as security vulnerabilities can be identified before code is deployed in production, reducing the possibility of potential issues and costly fixes.

It helps remediate security vulnerabilities in the infrastructure layers.

It is difficult to understand application requests in order to detect and block attacks outside the application. It is more effective to fix vulnerable code and close off attack vectors.

It helps reduce time for development and deployment of code.

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

It can help reduce costs, as security vulnerabilities can be identified before code is deployed in production, reducing the possibility of potential issues and costly fixes.

It helps remediate security vulnerabilities in the infrastructure layers.

It is difficult to understand application requests in order to detect and block attacks outside the application. It is more effective to fix vulnerable code and close off attack vectors.

It helps reduce time for development and deployment of code.

What are example benefits of including dynamic application security testing (DAST) in software security testing? (Select all that apply.)

DAST can simulate the actions of a malicious user trying to exploit undetected infrastructure vulnerabilities or low patch levels.

DAST can create an open source code inventory and a list of associated vulnerabilities.

DAST has a low rate of false positives.

DAST can simulate how an application reacts to various inputs.

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

DAST can simulate the actions of a malicious user trying to exploit undetected infrastructure vulnerabilities or low patch levels.

DAST can create an open source code inventory and a list of associated vulnerabilities.

DAST has a low rate of false positives.

DAST can simulate how an application reacts to various inputs.

Which of the following is not a primary function of a version control repository? (Select the BEST answer.)

IAM and approval processes

Source code management

Identifying vulnerabilities and exposures (CVEs) in code

Creating digital fingerprints of known good versions of code

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

IAM and approval processes

Source code management

Identifying vulnerabilities and exposures (CVEs) in code

Creating digital fingerprints of known good versions of code

What technology should be considered and assessed to manage the extensive credentials typically embedded and used by CI/CD pipelines?

A. Federated identity brokers to manage user connectivity.

B. Data encryption for the credential files

C. Secrets managers

D. Password managers

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

A. Federated identity brokers to manage user connectivity.

B. Data encryption for the credential files

C. Secrets managers

D. Password managers

5. On what elements should the auditor rely for auditability and accountability in a DevSecOps approach? (Select all that apply.)

A. Major architectural decisions and changes being reflected in the version control system or the issue tracker

B. Logs of structural changes in the integration pipeline and logs of changes in the build jobs.

C. Logs of the continuous integration and continuous delivery servers.

D. Logs of modifications to the application once registry of the organization.

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

A. Major architectural decisions and changes being reflected in the version control system or the issue tracker

B. Logs of structural changes in the integration pipeline and logs of changes in the build jobs.

C. Logs of the continuous integration and continuous delivery servers.

D. Logs of modifications to the application once registry of the organization.

In continuous integration pipelines, pull requests refer to what type of operations?

Making changes to code and submitting for approval before deployment

Requesting sections of code for testing in development

Changing files that contain configurations or infrastructure templates

Committing changes to code bypassing the review and approval process

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

Making changes to code and submitting for approval before deployment

Requesting sections of code for testing in development

Changing files that contain configurations or infrastructure templates

Committing changes to code bypassing the review and approval process

Which of the following is not primarily a security-specific type of test?

Fuzzing

Regression testing

Dynamic application security testing

Static application security testing

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

Fuzzing

Regression testing

Dynamic application security testing

Static application security testing

Which of the following is a key concept for auditors regarding testing in a continuous integration/continuous deployment (CI/CD) pipeline?

Verifying that required security gates exist

Verifying that security gates are located properly

Finding ways to speed up security testing

Ensuring that security testing is running in parallel

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

Verifying that required security gates exist

Verifying that security gates are located properly

Finding ways to speed up security testing

Ensuring that security testing is running in parallel

Which of the following is true when assessing a function as a service (serverless) functions in a public cloud provider environment?

Static application security testing is no longer possible.

Software composition analysis testing is no longer possible.

Dynamic application security testing is no longer possible.

Vulnerability scanning is no longer possible.

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

Static application security testing is no longer possible.

Software composition analysis testing is no longer possible.

Dynamic application security testing is no longer possible.

Vulnerability scanning is no longer possible.

A technical control is one part of a broader set of mitigations. An organization should consider how a specific control mitigates the risk. Which of the following describes another consideration that will help determine whether a specific control is needed?

What is the life cycle of the control?

Can conformance testing be done on the control?

Is there a compensating control?

Can the risk be accepted to avoid the control?

Commandes clavier:

= tourner,

= avant/arrière,

= faire défiler

What is the life cycle of the control?

Can conformance testing be done on the control?

Is there a compensating control?

Can the risk be accepted to avoid the control?

Which of these elements are part of cloud policy?

Mandatory controls

Ability to perform service catalog

Relevant stakeholders

Types of data that are allowed to migrate to cloud

Mandatory controls

Ability to perform service catalog

Relevant stakeholders

Types of data that are allowed to migrate to cloud

When evaluating a cloud provider’s maturity and ability to execute, the customer should consider which of the following?

Number of mergers and acquisitions

Transparency

Board involvement in security strategy

Fiscal performance

Number of mergers and acquisitions

Transparency

Board involvement in security strategy

Fiscal performance

For cloud trust and transparency, what are some key considerations that the cloud customer needs to be aware of? (two)

CSP service contracts address all client security risk in an IaaS model

Loss of governance based on distributed services

Lack of adequate cloud services and resource testing

Inadequate transparency and auditability by CSPs

CSP service contracts address all client security risk in an IaaS model

Loss of governance based on distributed services

Lack of adequate cloud services and resource testing

Inadequate transparency and auditability by CSPs

Considering that cloud security is based on the shared responsibility model, select the controls that are usually the responsibility of the cloud consumer:

Producing security scanning reports

Security of the hosts and hypervisor layers

External cloud backups

Granting or removing application user access

Producing security scanning reports

Security of the hosts and hypervisor layers

External cloud backups

Granting or removing application user access

In SaaS, which risk has shared responsibility by both the cloud customer and CSP?

Identity and access

Data Classification

Application

Infrastructure

Identity and access

Data Classification

Application

Infrastructure

CCAK

Créer ou copier des fichiers d'apprentissage

Créer ou copier des fichiers d'apprentissage

Connecte-toi pour voir toutes les cartes.

SWITCHaai

Office 365

Edulog

Apple ID

Google