CASP+ CompTIA Advanced Security Practitioner Practice Tests. Nadean H. Tanner
have turned a software project over to the fielding phase, delivering the working system to the customer. Which phase is this otherwise known as?DeploymentLicensingDevelopmentEvaluation
132 Your vulnerability manager contacted you because of an operating system software issue. There are a few security-related issues due to patches and upgrades needed for an application on the systems in question. When is the best time to complete this task?As quickly as possible after testingAfter experiencing the issue that the vulnerability manager describedAfter other organizations have tested the patch or upgradeDuring the usual monthly maintenance
133 Arnold has developed an application and want to prevent the reuse of information in memory when a user quits the program. Which of these is his best option to accomplish this task?Garbage collectionData validationSDLCOOP
134 Simon is a security engineer. While testing an application during a regular assessment to make sure it is configured securely, he sees a REQUEST containing method, resources, and headers, and a RESPONSE containing status code and headers. What technique did he most likely use to generate that type of output?FingerprintingFuzzingVulnerability scanningHTTP intercepting
135 You have been asked to make a change to software code. What type of testing do you complete to make sure program inputs and outputs are correct and everything functions as it's supposed to?White boxBlack hatCode reviewRegression
136 You are conducting a unit test on a new piece of software. By looking at an individual program, how do you ensure that each module behaves as it should?Input/outputBIOSProcesses runningServices running
137 Christopher is a software developer, and as part of the testing phase in the SDLC, he will need to ensure that an application is handling errors correctly. What is the best tool for him to use in this situation?FuzzerComplianceAccess controlIntegration testing
138 Your IT group is modernizing and adopting a DevSecOps approach, making everyone responsible for security. Traditionally, storage and security were separate disciplines inside IT as a whole. As a security analyst, what is your primary concern of data at rest?EncryptionAuthenticationInfrastructureAuthorization
139 As a software developer, Brian is extremely frustrated with a customer who keeps calling him on the phone and leaving messages to make changes to the software. What approach should Brian take with this customer to make the development process easier?Change controlIncrease securityAppraise senior managementProvide detailed documentation
140 Jackie is a software engineer and inherently prefers to use a flexible framework that enables software development to evolve with teamwork and feedback. What type of software development model would this be called?PrototypingCeremonyAgileRadical
141 You are working on a high-risk software development project that is large, the releases are to be frequent, and the requirements are complex. The waterfall and agile models are too simple. What software development model would you opt for?FunctionalCost estimationContinuous deliverySpiral
142 You are a software engineer and need to use a software development process that follows an extremely strict predetermined path through a set of phases. What type of method is this called?AgileWaterfallAdaptableVerifiable
143 The SDLC phases are part of a bigger process known as the system life cycle (SLC). The SLC has two phases after the implementation phase of the SDLC that address postinstallation and future changes. What are they called?Operations, maintenance, revisions, and replacementReplacement, crepitation, evaluation, and versioningValidation, verification, authentication, and monitoringRevisions, discovery, compliance, and functionality
144 You are using continuous integration/continuous delivery methodology involving different members of your team while developing a new application. You meet every day after lunch to review, which can mean multiple integrations every day. What are the security implications of using CI/CD?There are no security issues.Errors will not need to be fixed because the next integration will fix them.Encryption will be impossible because of timing.Errors can be handled as soon as possible.
145 IT security is a rapidly evolving field. As a software engineer, you need to stay current on industry trends and potential impact on an enterprise. Many of these changes will lead to you adopting which of the following?Best practicesDigital threatsAntivirus programsNIST
146 You perform a security audit to find out whether any IoT devices on your network are publicly accessible. What website would you use to find this type of information?ShodanOWASPVirusTotalMaltego
147 During a web application security assessment, Kevin needs to grab the basic architecture to identify the framework used. He grabbed the HTTP header banner using Netcat, which gives you the application name, software version, and web server information. What activity did he just perform?FingerprintingAuthenticationAuthorizationCode review
148 Many of your corporate users are using mobile laptop computers to perform their work remotely. Security is concerned that confidential data residing on these laptops may be disclosed and leaked to the public. What methodology best helps prevent the loss of such data?DLPHIPSNIDSNIPS
149 Your CISO, Karen, is concerned that all employees can use personal USB storage devices on the company's computers. She is concerned about malware introduction to the corporate environment and that data loss is possible if this practice continues. She wants to manage who can use USB storage devices on the company's computers. Which of the following actions should be used to implement this constraint?Replacing all computers with those that do not have USB portsPlacing glue in the computers' USB portsCutting the computers' USB cablesConfiguring a Group Policy within Microsoft Active Directory to manage USB storage device use on those computers
150 Many organizations prepare for highly technical attacks and forget about the simple low-tech means of gathering information. Dumpster diving can be useful in gaining access to unauthorized information. Which of these is the easiest to implement for reducing your company's dumpster-diving risk?Data classification and printer restrictions of intellectual property.Purchase shredders for the copy rooms.Create policies and procedures for document shredding.Employ an intern to shred all printed documentation.
151 Your organization decided to move away from dedicated computers on the desktop and move to a virtual desktop environment. The desktop image resides on a server within a virtual machine and is accessed via a desktop client over the network. Which of the following is being described?VPNVDIVNCRDP
152 Using Microsoft Network Monitor, you have captured traffic on TCP port 3389. Your security policy states that port 3389 is not to be used. What client-server protocol is probably running over this port?SNMPRDPPuTTYFTP
153 Your organization is pressured by both the company board and employees to allow personal devices on the network. They asked for email and calendar items to be synced between the company ecosystem and their BYOD. Which of the following best balances security and usability?Allowing access for the management team only because they have a need for convenient accessNot allowing any access between a BYOD device and the corporate network, only cloud applicationsOnly allowing certain types of devices that can be centrally managedReviewing security policy and performing a risk evaluation focused on central management, including the remote wipe and encryption of sensitive data and training users on privacy
154 Nathan is tasked with writing the security viewpoint of a new program that his organization is starting. Which of the following techniques make this a repeatable process and can be used for creating the best security architecture?Data classification, CIA triad, minimum security required, and risk analysisHistorical documentation, continuous monitoring, and mitigation of high risksImplementation of proper controls, performance of qualitative analysis, and continuous monitoringRisk analysis; avoidance of critical risks, threats, and vulnerabilities; and the transference of medium risk
155 You deployed more than half of your enterprise into the cloud, but you still have concerns about data loss, unauthorized access, and encryption. What continues to be the vulnerability in cloud infrastructure that leads to the most breaches?MisconfigurationSIEMSaaSMachine learning
156 Your company generates documents intended for public viewing. While your company wants to make these document public, it stills wants to prove the documents originated from the company. How can these documents