The best answer is C. Dynamic testing involves testing or evaluating software during runtime by executing various inputs and scenarios. This is most common with a black box test, which is conducted from the user’s point of view. A software user will not have access to the source code, but rather a functioning software application. This allows for an evaluation of how the software functions while it is compiled and operating in real time. This will provide different insights into potential vulnerabilities, security weaknesses, and other functional issues. Static testing focuses on analyzing the software's structure and code without executing it. While that does provide insight into potential flaws and vulnerabilities, it may not provide a comprehensive assessment of the software's behavior and security during runtime. It is also normally conducted as part of a white box test. White box testing requires access to the internal workings, components, and source code of the software. This is not typically available in a black box test. A code review involves examining the software's source code to identify flaws and vulnerabilities. Code reviews do not fully assess the software application from a user’s point of view (black box), which is required for the assessment in the question. Domain: Domain 8. Software Development Security Source Reference: (ISC)2® CISSP® Certified Information Systems Security Professional Official Study Guide (9th ed.). John Wiley & Sons, Inc.

The best answer is A. A Smurf attack is a type of Distributed Reflection Denial-of-Service (DRDoS) attack where attackers send ICMP echo requests (pings) to a network address, with the source IP address spoofed to be the victim's IP address. This causes a flood of traffic that overwhelms the victim's network resources. This attack leverages the broadcast nature of networks to amplify the impact of the attack. As for the other answers, a SYN flood attacks target the TCP handshake by overwhelming the targeted system's resources with connection requests. A Ping of Death attack involves manipulating ICMP packets to exploit vulnerabilities and potentially crash systems. Fraggle attacks are similar to Smurf attacks but use UDP (User Datagram Protocol) packets instead of ICMP packets for amplification. Domain: Domain 4. Communication and Network Security Source Reference: https://www.fortinet.com/resources/cyberglossary/smurf-attack

The best answer is D. The best answer is selection. During this step, the initial security controls are determined that provide the necessary levels of protection to the information system and organization. Here are the NIST RMF steps in order: 1. Prepare: Identify the different roles, strategies, and control providers. 2. Categorize: Identify all of the organizational assets and categorize them in terms of risk, value, and document them. 3. Select: Choose the initial security controls necessary to protect the information system and organization. 4. Implement: Deploy security control implementations and document how they meet the intent of the controls. 5. Assess: Test the effectiveness of the controls and comply with governance. 6. Authorize: Require a senior management official to take accountability for the residual risk. Domain: Domain 1. Security and Risk Management Source Reference: The Official (ISC)2® CISSP® CBK Reference, 6th Edition. John Wiley & Sons, Inc.

The best answer is A. The most likely REST API vulnerability to be exploited is a lack of input validation. When APIs do not properly validate input data, malicious actors can inject arbitrary code, conduct SQL injection attacks, or exploit buffer overflows. This can lead to data breaches, unauthorized access, and various other security risks. Proper input validation ensures that data being processed by the API meets the expected criteria and helps prevent a wide range of attacks. What You May Have Missed: While the overuse of GET requests can sometimes expose sensitive data through URLs, it is not as severe as the lack of input validation in terms of potential exploitation. Although excessive data exposure can be a concern, especially in the context of APIs, lack of input validation poses a more direct threat to the security of the API. While essential for detecting and responding to security incidents, insufficient logging and monitoring are not directly related to the exploitation of REST API vulnerabilities through a lack of input validation.

@Vidya Shankaran Master the CISSP Challenge with Our Self-Paced Training Course! (beinfosec.com) It's a 10 week self paced study course, you can go as fast or slow as you want. Very good primary study source in my opinion