1. Daily knowledge points (the following points are taken from the CISSP Official Study Guide flash cards)
Knowledge point 1
Q: What modes of DES employ an IV?
A: CBC, CFB, OFB
(ECB uses no IV, which is why identical plaintext blocks encrypt to identical ciphertext blocks under ECB. CTR mode, which the study guide also lists for DES, starts from a nonce and counter rather than a chaining IV, so the card's answer is the three chaining modes.)
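The four modes on this card as an added worked example (not from the study guide): the block cipher underneath is a constructed 8-round Feistel cipher with a SHA-256-based round function and key schedule that stands in for DES, so the code runs on the Python standard library alone and offers no real security; the ECB, CBC, CFB and OFB logic on top is the real mode logic for any 64-bit block cipher. It shows which modes take an IV, that ECB without one repeats ciphertext blocks for repeated plaintext, that CFB and OFB never need the decryption direction of the cipher, and that reusing an IV under OFB leaks the XOR of two plaintexts. The key and IV values are constructed sample data.

```python
"""ECB/CBC/CFB/OFB over a DES-sized (64-bit) toy Feistel cipher (added example)."""
import hashlib

BLOCK = 8  # 64-bit block, the block size of DES

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key: bytes, rounds: int = 8):
    # Constructed key schedule: one 8-byte subkey per round (DES derives 16 from 56 bits).
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]

def _f(half: bytes, subkey: bytes) -> bytes:
    # Constructed round function: keyed hash truncated to a 32-bit half block.
    return hashlib.sha256(subkey + half).digest()[:4]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Feistel encryption of one 8-byte block (DES is a 16-round Feistel cipher)."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for sk in _subkeys(key):
        left, right = right, xor_bytes(left, _f(right, sk))
    return right + left  # final half swap, as in DES

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """The same network with the subkeys reversed inverts block_encrypt."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for sk in reversed(_subkeys(key)):
        left, right = right, xor_bytes(left, _f(right, sk))
    return right + left

def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "caller pads to a whole number of blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # No IV: equal plaintext blocks give equal ciphertext blocks, so patterns leak.
    return b"".join(block_encrypt(key, p) for p in _blocks(data))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # The IV is XORed into the first block; each ciphertext block chains into the next.
    out, prev = [], iv
    for p in _blocks(data):
        prev = block_encrypt(key, xor_bytes(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(xor_bytes(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Full-block CFB: encrypt the previous ciphertext block (the IV first) as keystream.
    out, prev = [], iv
    for p in _blocks(data):
        prev = xor_bytes(p, block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CFB and OFB never call block_decrypt: only the encryption direction is needed.
    out, prev = [], iv
    for c in _blocks(data):
        out.append(xor_bytes(c, block_encrypt(key, prev)))
        prev = c
    return b"".join(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # The OFB keystream depends only on key and IV, so the same function decrypts.
    out, state = [], iv
    for p in _blocks(data):
        state = block_encrypt(key, state)
        out.append(xor_bytes(p, state))
    return b"".join(out)

if __name__ == "__main__":
    key, iv = b"toy-key!", bytes(range(8))   # constructed sample key and IV
    pt = b"ATTACK!!" * 2                      # two identical plaintext blocks
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    print("ECB repeats block:", ecb[:8] == ecb[8:])  # True: no IV, the pattern shows
    print("CBC repeats block:", cbc[:8] == cbc[8:])  # False (the IV breaks the pattern)
    # Reusing an IV in OFB (or CFB) reuses keystream: XOR of ciphertexts = XOR of plaintexts.
    other = b"SECRET!!" * 2
    leak = xor_bytes(ofb_crypt(key, iv, pt), ofb_crypt(key, iv, other))
    print("IV reuse leaks plaintext XOR:", leak == xor_bytes(pt, other))  # True
```

The practical consequence for the exam point: a mode that takes an IV is only as good as the IV discipline around it. Under CBC a predictable IV lets an attacker test guesses about the first block, and under CFB or OFB a repeated IV turns the cipher into a reused one-time pad, as the last line of the demo shows.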
Knowledge point 2
Q: What is an API?
A: An application programming interface (API) allows application developers to bypass traditional web pages and interact directly with the underlying service through function calls.
Knowledge point 3
Q: What types of accounts are focused on during a user entitlement review?
A: Privileged accounts such as administrator or root user accounts
---------------
Scan the QR code below and add the assistant's WeChat account to apply to join the "2022 CISSP Certification Study Group" for exchange and discussion.
2. Frequently missed CISSP questions (from the CISSP Official Practice Tests and the CISSP official comprehensive practice questions) [answer explanations follow the questions]
Question 1
Ryan is considering the use of fuzz testing in his web application testing program. Which one of the following statements about fuzz testing should Ryan consider when making his decision?
A. Fuzzers only find complex faults.
B. Testers must manually generate input.
C. Fuzzers may not fully cover the code.
D. Fuzzers can't reproduce errors.
Question 2
Diana has engaged third-party auditors and wants to release an audit attestation to third parties without including details of the audit. What type of SSAE 18 SOC report should she request?
A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4
Question 3
While reviewing the software testing output for her organization's new application, Madhuri notices that the application has produced errors that included directory and file information shown to the web application tester. What issue should she include in her report about the application?
A. It does not perform proper exception handling.
B. The software does not handle misuse case testing properly.
C. Debugging statements need to be removed.
D. The code was not fully tested due to errors.
---------------
Question 1
Answer: C
Explanation: Fuzz testers generate input sequences automatically, so testers do not need to create input by hand, although they may seed the fuzzer with their own test cases. Fuzzers can reproduce errors, because the inputs that triggered a failure are recorded and can be replayed, so D is not a concern; what they typically do not do is cover all of the code, which is why code coverage tools are usually paired with fuzzers to measure how much of the application was actually exercised. Fuzzers are also generally limited to simple faults: they will not find business-logic flaws or attacks that require a user's knowledge of the application, so A has it backwards.
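An added example (not from the practice tests) that makes the three points in the explanation concrete: a small mutation fuzzer with a line-coverage tracer built on sys.settrace, run against a constructed parser parse_order that has one simple fault (int() on untrusted input) and one branch gated on a valid token the fuzzer cannot guess. The fuzzer finds the crash unaided, each crash replays deterministically from the recorded input, and the coverage report shows the gated business-logic lines it never reached. The parser, the token value VALID_TOKEN, the message format and the seed input are assumptions made for the example.

```python
"""Mutation fuzzer paired with a line-coverage tracer (added example)."""
import dis
import random
import sys

VALID_TOKEN = "X7Q-42"   # constructed: only a user who knows the application sends this

def parse_order(msg: str) -> dict:
    # Constructed target: 'TOKEN;QTY;ITEM'. One simple fault, one gated branch.
    fields = msg.split(";")
    if len(fields) != 3:
        return {"error": "bad field count"}
    token, qty, item = fields
    qty = int(qty)                       # simple fault: non-numeric qty raises ValueError
    if token != VALID_TOKEN:
        return {"error": "bad token"}
    if qty <= 0:                         # business-logic branch: needs the real token
        return {"error": "qty must be positive"}
    return {"ok": True, "item": item, "qty": qty}

def executable_lines(fn):
    """Line numbers the tracer can report for fn (the def line emits no line event)."""
    code = fn.__code__
    return {ln for _, ln in dis.findlinestarts(code)
            if ln is not None and ln != code.co_firstlineno}

def run_traced(fn, arg, covered):
    """Call fn(arg), adding the line numbers of fn that executed to `covered`."""
    code = fn.__code__

    def tracer(frame, event, _):
        if frame.f_code is code and event == "line" and frame.f_lineno != code.co_firstlineno:
            covered.add(frame.f_lineno)
        return tracer

    prev = sys.gettrace()
    sys.settrace(tracer)
    try:
        return fn(arg), None
    except Exception as exc:             # a crash is a finding, not a fuzzer failure
        return None, exc
    finally:
        sys.settrace(prev)

def mutate(rng, s):
    """Apply 1-3 random edits: replace, insert or delete one character."""
    chars = list(s)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice("rid")
        if op == "r" and chars:
            chars[rng.randrange(len(chars))] = chr(rng.randint(32, 126))
        elif op == "i":
            chars.insert(rng.randint(0, len(chars)), chr(rng.randint(32, 126)))
        elif op == "d" and chars:
            del chars[rng.randrange(len(chars))]
    return "".join(chars)

def fuzz(seed_input, iterations=2000, seed=1):
    """Return (covered lines, crashing inputs, outcomes seen). Same seed, same run."""
    rng = random.Random(seed)            # reproducibility: the whole run replays from `seed`
    covered, crashes, outcomes = set(), [], set()
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        result, exc = run_traced(parse_order, case, covered)
        if exc is not None:
            crashes.append(case)         # the input is the reproducer
        else:
            outcomes.add(result.get("error", "ok"))
    return covered, crashes, outcomes

def replay(case):
    """Re-run one recorded crashing input; returns the exception (or None)."""
    _, exc = run_traced(parse_order, case, set())
    return exc

if __name__ == "__main__":
    covered, crashes, outcomes = fuzz("abc;5;widget")   # constructed seed input
    total = executable_lines(parse_order)
    print(f"coverage: {len(covered)}/{len(total)} lines, crashes: {len(crashes)}")
    print("never reached (gated on the token):", sorted(total - covered))
    print("outcomes seen:", outcomes)
    if crashes:
        print("first crash replays as:", repr(replay(crashes[0])))
```

The uncovered lines are the ones behind `token != VALID_TOKEN`: no amount of random mutation of "abc" produces the token, so the quantity check and the success path are never tested. That is the gap a coverage tool exposes and a tester closes by seeding the fuzzer with a valid request or by writing a targeted misuse case.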
Question 2
Answer: C
Explanation: Diana should request a SOC 3 report, which is intended for distribution to third parties. It contains the auditor's opinion and management's assertion together with a description of the service organization, but not the detailed control testing. SOC 1 reports cover controls relevant to a customer's financial reporting, and SOC 2 reports cover security, availability, processing integrity, confidentiality and privacy controls in detail; both are restricted-use reports for the organization, its customers and their auditors rather than for general release. There is no SOC 4 report.
Question 3
Answer: A
Explanation: Showing end users error information about the code, particularly directory and file information, means the application does not perform proper exception handling. Errors should be logged, or surfaced in a way an administrator can act on, while end users (and attackers!) should see only a generic message. Option B cannot be concluded, because the question does not say whether the errors came from normal testing or from misuse case testing. Nothing in the question ties the output to leftover debugging code (C), and test coverage (D) is not mentioned.
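The distinction in the explanation above, as an added example that is not from the practice tests: the same failing backend call handled two ways, once returning the exception text and stack trace to the client (the behaviour Madhuri observed) and once logging the detail server-side under a reference ID while the client gets a generic message. The report directory REPORT_DIR, the handler names and the log format are constructed for the example; the handlers return (status, body) tuples so no web framework is needed, and the server log is captured in a StringIO only so the example runs offline.

```python
"""Exception handling that does not leak server internals to the client (added example)."""
import io
import logging
import traceback
import uuid

# Server-side log sink; in production this is the application log, not a StringIO.
LOG_SINK = io.StringIO()
log = logging.getLogger("report-service")
log.setLevel(logging.INFO)
log.propagate = False
_handler = logging.StreamHandler(LOG_SINK)
_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(_handler)

REPORT_DIR = "/srv/app/reports"   # constructed path: exactly the detail that must not leak

def load_report(report_id: str) -> str:
    # Constructed backend step that fails: the file does not exist, so open() raises
    # FileNotFoundError and its message carries the full server-side path.
    with open(f"{REPORT_DIR}/{report_id}.txt") as fh:
        return fh.read()

def handle_leaky(report_id: str):
    """What the tester saw: exception text and stack trace returned to the client."""
    try:
        return 200, load_report(report_id)
    except Exception as exc:
        return 500, f"Error: {exc}\n{traceback.format_exc()}"

def handle_hardened(report_id: str):
    """Log the full detail server-side; the client gets a generic message and a reference."""
    try:
        return 200, load_report(report_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # log.exception attaches the traceback, so the admin can find path and cause by ref.
        log.exception("report request failed ref=%s report_id=%r", ref, report_id)
        return 500, f"The request could not be completed. Reference: {ref}"

def leaks_internal_paths(body: str) -> bool:
    """Crude check a tester could automate over responses: server path or traceback present?"""
    return REPORT_DIR in body or "Traceback" in body

if __name__ == "__main__":
    for handler in (handle_leaky, handle_hardened):
        status, body = handler("q1")
        print(f"{handler.__name__}: HTTP {status}, leaks={leaks_internal_paths(body)}")
        print("  client sees:", body.splitlines()[0])
    print("--- server log ---")
    print(LOG_SINK.getvalue())
```

The reference ID is what keeps the hardened version usable: the user can quote it to support, and the administrator can grep the log for it and get the path, the stack trace and the request that caused it, none of which ever left the server.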