单选题 The following scenario applies to questions 26 and 27.Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities.

单选题 Which of the following best describes the standard Charlie's team needs to comply with?

A、 International standard on system design to allow for better quality, interoperability, extensibility, portability, and security
B、 International standard on system security to allow for better threat modeling
C、 International standard on system architecture to allow for better quality, interoperability, extensibility, portability, and security
D、 International standard on system architecture to allow for better quality, extensibility, portability, and security

【正确答案】 C

【答案解析】解析：C正确。ISO／IEC 420lO的目标是将系统体系结构的使用进行国际标准化，而不是让产品开发人员提供他们各自的方法。系统体系结构的规范性方法有助于带来更好的质量、互操作性、扩展性、可移植性和安全性。 A不正确。因为这个答案故意说的是“设计”而不是“体系结构”。有些人错误地认为它们是相同的东西，但是体系结构在设计之前就已经出现。与设计相比，体系结构工作在一个更高、更战略化水平。软件开发逐渐变成一个更有纪律的行业，它正朝着正式的体系结构需求发展。 B不正确。因为问题中描述的标准并不是处理线程模型。ISO／IEC 42010解决了系统体系结构需求和指南。 D不正确。与C相比，D不算是最佳答案。这个标准还解决了互操作问题，而这个选项没有列出来。

单选题 Which of the following is Charlie most likely concerned with in this situation?

A、 Injection attacks
B、 Memory block
C、 Buffer overflows
D、 Browsing attacks

【正确答案】 C

【答案解析】解析：C正确。C编程语言很容易受到缓冲区溢出攻击，因为它的某些命令可以直接进行指针操作。特定的命令可以在不执行边界检查的情况下，直接访问低级别的内存地址。 A不正确。因为C编程语言不比其他语言更容易受到注入攻击。注入攻击通常不是发生在代码级别，而是由于接口接受了没有合理过滤和验证的数据而发生。 B不正确。因为这是一个干扰项。并不存在叫做“内存块”的官方编程语言漏洞。 D不正确。因为当某人审核敏感数据的各种资产时，就会发生浏览攻击。这个与编程语言无关，而是与访问控制的实施方式有关。