CCT 191: Practice CISSP Questions - SDLC, Agile, and DevSecOps (Domain 8.1)

Nov 07, 2024
 

Discover the hidden threats lurking in your kitchen appliances and learn why your next air fryer might be spying on you. On this episode of the CISSP Cyber Training Podcast, we unravel the alarming findings from Infosecurity Magazine about Chinese IoT devices and their potential to invade your privacy. We emphasize the critical importance of educating ourselves and others about the risks of IoT devices and the vast amounts of data they can collect. Additionally, we highlight new ICO regulations that aim to bolster data protection, especially for international companies, ensuring they uphold stringent privacy standards.

But that's not all! We shift gears to explore Agile development practices, diving into the adaptability and feedback loops of Scrum and the high-security approach of the spiral model. Discover how the Capability Maturity Model's pinnacle stage fosters continuous improvement and learn the essentials of integrating security into the DevSecOps CI/CD pipeline without sacrificing speed. We also delve into the nuances of pair programming for enhanced code quality and clarify the distinct approaches of Scrum's time-boxed sprints versus Kanban's work-in-progress limits. Tune in for a comprehensive look at modern software development practices and the indispensable role of security in our digital world.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go cybersecurity knowledge.

Speaker 2:  

All right, let's get started. Good morning everybody. This is Sean Gerber with CISSP Cyber Training, and I hope you all are having a blessed day today. Today is an amazing day. Yes, today is, what, CISSP Question Thursday? So today we are excited to talk to you all about CISSP questions that are associated with the podcast that occurred on Monday, which was over domain eight. So we're going to get into some various aspects around that, but before we do, I had an article I thought was interesting, and you know, on CISSP Cyber Training.

Speaker 2:  

We are a pretty big advocate of protecting the IoT space and how important that is for people to do. There was an article I just saw, it was in Infosec or Infosecurity Magazine, and it talks about Chinese air fryers that might be spying on consumers. Now, the interesting part about all this is I've been doing a little bit of work for a friend of mine who's a little bit elderly. She's been having a computer challenge, so I picked up her computer to work on it, and it weighs about as much as a small boat anchor and it runs about as fast as a boat anchor, which, okay, obviously boat anchors don't run, but it was struggling. So, needless to say, we were talking about some of the things that she has done to protect her and her stuff, and she's actually much more adroit at different security type things, and she's very focused on protecting herself. However, she made comments to me about, yeah, I just accept the app and I just do this and I just do that.

Speaker 2:  

And this article, which I kind of talked about, you know, as we briefly went down that rabbit hole, is about Chinese air fryers that are asking for device location. They're asking to record the mic, they're looking for different types of data that is able to get into and track you from a standpoint of where is this device located. So it's an interesting part, and this company talked about how they had justified the need, because no user data is used for marketing or advertising purposes. But, okay, what's the point of needing an air fryer to monitor you, which I think is very interesting, yeah, I mean. So that's the part of when we bring these devices into our homes and into our different locations, being very careful about what we allow them to do, and I know you all, as security professionals, get it. You understand it, but one of the areas that I think is important is the people that you have in your life that you influence. It's important for you to tell them about these things because they don't understand it, and therefore it's up to you to kind of help explain this to them.

Speaker 2:  

Now there are some new ICO rules that are coming out that are going to talk about, if code is being introduced into it, that it must have effective enforcement, including companies who operate abroad, and this is an important part around this. Now they say that, compared to smartphones and a laptop, and this is going to be a quote from them, that excessive data collection from household connected devices carries an even greater risk of data breaches, which you all pretty much understand, but most people are not even aware of the scale and volume of data collected by these devices, and I totally get it, because if you listen to the Alexas and everything else that is connected in your home, they are collecting data at very high amounts, and the question you have to ask yourself is where's all that data going? What is that data doing? So, again, the ultimate point of this is just to bring up the fact that another IoT device which is entering the homes is collecting data on people, and therefore you need to help educate individuals that this is a bad idea, and that there are times in place when that might be necessary and needed, but it's educating people on when that might be. So that's all there is about that article. So let's move on to what we're going to talk about today.

Speaker 2:  

Okay, so this is again over domain 8.1, and we're going to be in the software development lifecycle, the various aspects of the models that are associated. We talked about spiral, we talked about waterfall. All of those pieces were on Monday, so now we're going to be going into those in depth in some of these questions.

Speaker 2:  

So question one: which of the following describes a primary limitation of the waterfall model in software development? Again, which of the following best describes a primary limitation of the waterfall model in software development? A, it lacks structures and phases. B, it's difficult in managing large projects. C, it's highly adaptable to changing requirements. Or D, it's limited flexibility once a phase is completed. Again, the primary limitation of waterfall is D, limited flexibility once that phase is completed. So again, we talked about this, it's a sequential development process, and you have to have one phase done before you can move on to the next one, and once you move on to the next one, going back up to the phase previous or prior to it is extremely challenging, and you really can't do it without adding additional time and additional costs because of it. So that's the one limitation: limited flexibility once the phase is completed.

Speaker 2:  

Question two: in Agile development, which of the following practices emphasizes continuous feedback and adaptability to changing requirements? In Agile, which of the following practices emphasizes continuous feedback and adaptability to changing requirements? A, incremental delivery; B, pair programming; C, Scrum sprints; or D, version control. Again, in Agile development, which of the following practices emphasizes continuous feedback and adaptability to changing requirements? And the answer is C, Scrum sprints. Scrum is a popular part of, obviously, Agile, and the sprint typically will last anywhere from two to four weeks. We've done them as little as a week, but more likely they're two weeks, and their increment allows for feedback and it makes it easier to adapt to changing requirements that you may have. So that is what the Scrum sprint is.

Speaker 2:  

Question three: which software development model is most suitable for projects that require high security and include incremental builds, iteration and extensive risk management? Which software development model is most suitable for products that require high security and include incremental builds, iterations and extensive risk management? And A is spiral, B waterfall model, C V model, as in Victor, and D is RAD, the rapid application development model. Again, so which software development model is most suitable for projects that require high security and include incremental builds, iterations, extensive risk management? And the answer is A, the spiral model. Again, this one is designed to incorporate risk assessments and iterative development, making it ideal where projects have security as a concern. Again, each phase of the spiral, like you saw in my beautiful drawing if you saw the video of this, allows for more secure and stable releases. So again, that's the spiral model.

Speaker 2:  

Question four: in the Capability Maturity Model, CMM, Charlie Mike Mike, which level describes an organization that has optimized processes for continuous improvement? In the CMM model, which level describes an organization that has optimized processes for continuous improvement? Okay, we didn't really talk about this one too much on CMM. Well, we actually did, let me correct myself there, but we didn't get into as much detail maybe as we could have. But when it comes down to it: A, level three is defined; B, level five is optimized; C, level four is quantitatively managed; and D, level two is managed. Again, the CMM model, which one is optimized process for continuous improvement? And the answer is B. I was going to say five, it's B, it is level five, optimizing. This represents an organization that's not only stable but predictable, and the process also actively works on continuous improvement through feedback. So it's level five.

Speaker 2:  

Question five: in DevSecOps, what is the primary purpose of implementing security practices in the CI/CD pipeline? Okay, so the CI/CD pipeline is continuous integration, continuous delivery. So, in DevSecOps, what is the primary purpose of implementing security practices in the CI/CD pipeline? This is the automation piece of this. A, to add multiple authentication checkpoints. B, to ensure compliance without compromising speed. C, to reduce the need for code reviews. Or D, to eliminate all security vulnerabilities. You know, as soon as you say eliminate all security vulnerabilities, yeah, that one you can just throw out the window. So again, what is the primary purpose of implementing security practices in the CI/CD pipeline? It is B, to ensure compliance without compromising speed. Again, the CI/CD maintains high speed delivery, again, embedding security controls in it.

Speaker 2:  

Question six: which of the following Agile practices directly enhances code quality through collaborative coding? Again, which of the following Agile practices directly enhances code quality through collaborative coding? A, pair programming; B, daily stand-ups; C, code reviews; or D, retrospectives? And that answer is A, pair programming. That's the one that directly enhances code quality through collaborative coding. It is often used in Agile and involves two developers working together at one workstation. That's the pair programming piece of this. It does incorporate some oversight with the other programmer, which allows you to get some real time, and it leads to fewer errors. I've never dealt with it personally. All my developers have worked independently, but then they had a code review by their peers, which isn't as good, obviously, as pair programming, but it's effective.

Speaker 2:  

Question seven: a project team wants to implement Agile methodology but struggles with project complexity and high security requirements. Which approach would best address these concerns? Again, a project team wants to implement Agile, but it struggles with project complexity and high security requirements. Which approach would best address these concerns? A, waterfall; B, Scrum; C, Kanban; or D, spiral model. Okay, we didn't really talk about Kanban, but basically it's like a Kanban board. You have tasks that you go through on this board. But which approach would best address these concerns from an Agile methodology? Okay, and that would be D, spiral model. For complex projects, obviously with stringent security requirements, the spiral model is often more suitable for these types of Agile approach.

Speaker 2:  

Question eight: what is the key difference between Scrum and Kanban in Agile methodologies? And what is the difference between Scrum and Kanban in Agile methodologies? A, Scrum is more flexible in project timelines than Kanban. B, Kanban focuses on work-in-progress limits, while Scrum uses time-boxed sprints. C, Kanban mandates daily stand-ups, unlike Scrum. Or D, Scrum lacks continuous delivery mechanisms, unlike Kanban. Again, what are the key differences between Scrum and Kanban in Agile? And it's B, Kanban focuses on work-in-progress limits, while Scrum uses time-boxed sprints, so that improved flow and efficiency is occurring while you're using these work-in-progress limits with Kanban, and Scrum does rely on these time-boxed sprints to deliver your product in increments. Both frameworks are Agile, but they differ in structure and approach to managing the tasks.

Speaker 2:  

Question nine: which level of CMM focuses on establishing standardized and documented processes across the organization? Which level of CMM focuses on establishing standardized and documented processes across the organization? A, level 3, defined. B, level 1, initial. C, level 2, managed. Or D, level 4, quantitatively managed. Again, which focuses on establishing standards and documented processes? And the answer is A, level 3, defined. It involves standardizing and documenting processes across the organization, and at this level, processes are well characterized and understood, helping ensure consistency and quality across the projects.

Speaker 2:  

Question 10: which of the following is not, repeat not, a typical activity in the DevSecOps model? Okay, so which one is not a typical activity in DevSecOps? A, automated security testing. B, security gates for compliance checks. C, single security review at the end of development. Or D, continuous monitoring. Which is not a typical activity in DevSecOps? And the answer is C, single security review at the end of development. DevSecOps does integrate security throughout the entire lifecycle rather than relying on a single end thing that happens at the end. That was a really bad way of saying that, but a single end-of-development review is not typical; automated security testing, compliance checks and continuous monitoring are all integral to DevSecOps.

Speaker 2:  

Question 11: in Agile development, what is the purpose of a retrospect meeting? So in Agile, what is the purpose of a retrospect meeting? Retrospective, sorry, retrospective meeting. A, to review code for quality assurance. B, to evaluate and improve team processes. C, to create a product backlog. Or D, to assign tasks for the next sprint. What is the purpose of a retrospective meeting? And the answer is B, to evaluate and improve team processes. That's the ultimate goal of a retrospective meeting.

Speaker 2:  

Question 12: which development model is best suited for products that require rapid prototyping and frequent user feedback? Rapid prototyping and frequent user feedback, I think we know this one. A, V model; B, waterfall model; C, incremental model; or D, the RAD model, rapid application development, it's kind of in the name, right? So rapid prototyping would be D, the rapid application development model. RAD emphasizes rapid prototyping and quick iterations, allowing for frequent user feedback throughout the entire development lifecycle. Again, this is ideal when user requirements are likely to evolve during the project.

Speaker 2:  

Question 13: which of the following is a disadvantage of the spiral model? A, limited risk analysis capabilities. B, requires experienced project management. C, difficulty in project monitoring. Or D, lacks flexibility for changing requirements. So what's a disadvantage of the spiral model? And the answer is B, yes, most definitely. It does require experienced project management to ensure that the spiral model is working correctly. Again, it focuses on risk assessments, which can make it very complex to manage, and you need a skilled project manager who can effectively handle both the technical and risk management aspects for each specific phase.

Speaker 2:  

Question 14: what is the primary advantage of the V model over the waterfall model? So what is the primary advantage of the V, Victor, model over the waterfall model? A, testing is integrated with each development phase. B, it allows for changes during any phase. C, it is designed for rapid prototyping. Or D, it eliminates the need for project documentation. What is the primary advantage of the V model over the waterfall model? And the answer is A, testing is integrated with each development phase. Again, this is where each phase is associated with a corresponding testing phase. The integration enables early detection of defects, leading to improved software quality and reduced cost of late-stage fixes.

Speaker 2:  

Question 15: which Agile methodology uses a continuous flow model instead of fixed iterations? Again, which Agile model uses continuous flow models instead of a fixed iteration? Okay, A, Kanban. B, Scrum. C, Crystal, never heard of Crystal. D, Extreme Programming, XP, not the XP of your Windows computer. And the answer is A, Kanban.

Speaker 2:  

Kanban is for a continuous flow model, in which tasks are pulled through the workflow as capacity becomes available. So again, it's like a backlog. They go grab them and bring them forward. Unlike Scrum, Kanban does not use fixed-length sprints. It allows the teams to deliver features as they are completed. So if something happens, they grab something from the backlog. You then work on it. They don't have to actually have them all defined and done ahead of time. Okay, that is all I have for you guys today.

Speaker 2:  

Again, go to CISSP Cyber Training. Go check it out. There's some great stuff out there for you. Anything you purchase again on CISSP Cyber Training goes to the nonprofit that we have for adoptive families, so that's a big win. Also, go to Apple Tunes, Apple Tunes, Apple Tunes.

Speaker 2:  

Go to iTunes and the podcast and rate this podcast. Go ahead and get it out there. There's one gentleman who rated it and said I'm too funny, or I'm not too funny. He said I talked too much at the beginning. So it was good feedback. It really was. So we made changes to that. So give me feedback. I'm all for it. You can also send it to contact at CISSP Cyber Training and provide some feedback there if you feel it necessary to do so. I'm happy to interact with you there and give you anything I can do to help. So, again, go to CISSP Cyber Training and check it out. All right. Thank you so much for this time, guys. I hope you all have a wonderful day, and I hope your studying for the CISSP is going well. All right. We'll talk to you later. Catch you on the flip side, see ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
