
Exam CSSLP topic 1 question 7 discussion

Actual exam question from ISC's CSSLP
Question #: 7
Topic #: 1

Microsoft software security expert Michael Howard defines some heuristics for determining code review in "A Process for Performing Security Code Reviews".
Which of the following heuristics increase the application's attack surface? Each correct answer represents a complete solution. Choose all that apply.

  • A. Code written in C/C++/assembly language
  • B. Code listening on a globally accessible network interface
  • C. Code that changes frequently
  • D. Anonymously accessible code
  • E. Code that runs by default
  • F. Code that runs in elevated context
Suggested Answer: BDEF
Microsoft software security expert Michael Howard defines the following heuristics for prioritizing code review in "A Process for Performing Security Code Reviews":

  • Old code: Newer code reflects a better understanding of software security and has fewer vulnerabilities. Older code must be checked more deeply.
  • Code that runs by default: It must be of high quality and must be checked more deeply than code that does not execute by default. Code that runs by default increases the application's attack surface.
  • Code that runs in elevated context: It must be of higher quality. Code that runs with elevated privileges must be checked deeply, and it increases the application's attack surface.
  • Anonymously accessible code: It must be checked more deeply than code that only authorized users and administrators can access, and it increases the application's attack surface.
  • Code listening on a globally accessible network interface: It must be checked deeply for security vulnerabilities, and it increases the application's attack surface.
  • Code written in C/C++/assembly language: It is prone to security vulnerabilities, for example, buffer overruns.
  • Code with a history of security vulnerabilities: It is likely to contain additional vulnerabilities unless a concerted effort has been made to remove them.
  • Code that handles sensitive data: It must be checked deeply to ensure that the data is protected from unintentional disclosure.
  • Complex code: It is likely to contain undiscovered errors, because complex code is more difficult to analyze both manually and programmatically.
  • Code that changes frequently: It has more security vulnerabilities than code that does not change frequently.

Comments

74gjd_37
5 months, 3 weeks ago
The article by Michael Howard lists the following heuristics to determine code review priority:

  • Old code
  • Code that runs by default
  • Code that runs in elevated context
  • Anonymously accessible code
  • Code listening on a globally accessible network interface
  • Code written in C/C++/assembly language
  • Code with a history of vulnerabilities
  • Code that handles sensitive data
  • Complex code
  • Code that changes frequently

Therefore, all options have to be checked (ABCDEF). The option BDEF is incorrect as it does not include A and C mentioned in the article.
upvoted 1 times
4e3rv21rq3vq2q
1 year, 8 months ago
Selected Answer: BDEF
seems to be correct
upvoted 1 times

Community vote distribution

  • A (35%)
  • C (25%)
  • B (20%)
  • Other