Software Security (4774) : Process : SSA E1 Developer Assessment (67033) Course Answer

Software Security SSA Developer Assessment Course Answers (67033)

Race, Ethnicity, Trade Union membership are: (Select the correct option(s) and click submit.)

a. PII data

b. SPI data

c. not part of privacy data

Answer: SPI data (Sensitive Personal Information)

JWT tokens should be invalidated on the server after logout. (Select the correct option(s) and click submit.)

a. True

b. False

Answer: True

What are basic security requirements of a typical SSO solution? (Select the correct option(s) and click submit.)

a. It should be written either in Java, .Net, PHP or Cobol since no other languages/platforms are secure enough to provide a SSO solution.

b. The "SSO token" used for SSO should be secured against theft, spoofing or forgery.

c. It should eliminate circulation of user password(s) to multiple applications/systems to gain access to them.

d. It should use "XML" to securely exchange the SSO token between multiple applications/systems.

e. B & C

f. All of the Above

Answer: B & C

Cyclomatic complexity = (Select the correct option(s) and click submit.)

a. Number of decisions

b. Number of decisions + 2

c. Number of decisions + 1

d. Number of decisions + 3

Answer: Number of decisions + 1

Which of the following type of testing is carried out based on the threat mitigation plan generated during threat modeling? (Select the correct option(s) and click submit.)

a. Integration Testing

b. Penetration Testing

c. Unit Testing

d. All of the above

Answer: Penetration Testing

Thresholds for stable code as per Cyclomatic complexity Select the correct option(s) and click submit.

a. 16-20

b. 11-15

c. 0-10

Answer: 0-10

What is Single Sign-On (SSO)? Select the correct option(s) and click submit.

a. A mechanism of digitally "signing" the information exchanged between applications/systems.

b. A mechanism that enables a user to sign-in/login/authenticate to an application/system with his credentials only once and then seamlessly access other applications/systems available in the same domain of trust (e.g. intranet portal of an organization) without the need to re-login with the credentials again.

c. A mechanism which enables using single physical "signature" to do all banking transactions!

d. None of the above.

Answer: A mechanism that enables a user to sign-in/login/authenticate to an application/system with his credentials only once and then seamlessly access other applications/systems available in the same domain of trust (e.g. intranet portal of an organization) without the need to re-login with the credentials again.

Which of the following is the ability of users to deny that they performed specific actions or transactions? Select the correct option(s) and click submit.

a. Repudiation

b. Eavesdropping

c. Spoofing

d. Hijacking

Answer: Repudiation

Which of the following threat models integrates with DevOps easily? Select the correct option(s) and click submit.

a. STRIDE

b. VAST

c. OCTAVE

d. None of the above

Answer: VAST

Process which assembles and analyzes several events, each attributable to a single originating entity, in order to gain information (especially patterns of activity) relating to the originating entity is known as: Select the correct option(s) and click submit.

a. Profiling

b. Tracking

c. Investigating

d. All of the above

e. Option 1 & 2 only

Answer: Option 1 & 2 only

Which of the following is true about improper error handling? Select the correct option(s) and click submit.

a. Attackers can use error messages to extract specific information from a system

b. Attackers can use unexpected errors to knock an application off line, creating a denial-of-service attack

c. Attackers can use exposed error messages to craft more advanced attacks to gain system access

d. All of the above

e. None of the Above

Answer: All of the above

Which option is correct about a hash algorithm's ability to avoid the same output from two guessed inputs? Select the correct option(s) and click submit.

a. Collision ability

b. Collision metric

c. Collision resistance

d. Collision strength

Answer: Collision resistance

We can allow client-side scripts to execute in the browsers for needed operations. Select the correct option(s) and click submit.

a. True

b. False

Answer: True

Exception Handling refers to: Select the correct option(s) and click submit.

a. Identifying all possible erroneous inputs and managing how the application responds to them

b. During application execution, if some special conditions are met, then a specific subroutine 'exception handler' is called.

c. Commercial runtime environments have tools that record debugging information from memory at the time of exception to provide 'root-cause' analysis information later.

d. All of the above

e. None of the Above

Answer: All of the above

To prevent against Insufficient Logging & Monitoring we should: Select the correct option(s) and click submit.

a. Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context

b. Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.

c. Establish or adopt an incident response and recovery plan

d. All of the above

e. None of above

Answer: All of the above

Which of the following is a disadvantage of single sign-on? Select the correct option(s) and click submit.

a. Consistent time-out enforcement across platforms

b. A compromised password which exposes all authorized resources

c. Use of multiple passwords

d. Password change control

Answer: A compromised password which exposes all authorized resources

Which of the following is a digital signature algorithm? Select the correct option(s) and click submit.

a. RSA-based signature schemes

b. AES-based signature algorithm

c. DES-based signature algorithm

d. All of the above

e. None of the above

Answer: RSA-based signature schemes

Which of the following is a major challenge in symmetric key cryptography? Select the correct option(s) and click submit.

a. Finding Best Algorithm

b. Communication Errors

c. Secure Key Exchange

d. Arithmetic Calculations

e. None of the above

Answer: Secure Key Exchange

Which mechanism will make sure that data transmission is secure? Select the correct option(s) and click submit.

a. HTTPS + Encrypting sensitive data

b. HTTPS

c. Encryption of sensitive data

d. None of the Above

Answer: HTTPS + Encrypting sensitive data

The only way to break a secure hashing function is: Select the correct option(s) and click submit.

a. Reverse hashing

b. Brute force

c. Hash inversion

d. Preimage collision

e. None of the above

Answer: Brute force

Which of these is not an application of cryptographic hashing? Select the correct option(s) and click submit.

a. Verifying the integrity of files or messages

b. File or data identifier

c. Digital Signature

d. Encryption

e. None of the above

Answer: Encryption

The process by which different equivalent forms of a name can be resolved to a single standard name. Select the correct option(s) and click submit.

a. Canonicalization

b. Encryption

c. Hashing

Answer: Canonicalization

What activities are part of Software Requirement Analysis? Select the correct option(s) and click submit.

a. Listing of Security, Privacy & Compliance Requirements

b. Listing of Security, Privacy & Compliance Requirements; Analyzing Functional Requirements and NFRs

c. Listing of Security, Privacy & Compliance Requirements; Analyzing Functional Requirements and NFRs; Getting Sign-off from Customer for requirements

d. Listing of Security, Privacy & Compliance Requirements; Analyzing Functional Requirements and NFRs; Getting Sign-off from Customer for requirements; Establishing Bug Reporting & Tracking System

Answer: Listing of Security, Privacy & Compliance Requirements; Analyzing Functional Requirements and NFRs; Getting Sign-off from Customer for requirements

Which of the following are threats of cross site scripting on the authentication page? Select the correct option(s) and click submit.

a. Session hijacking attacks

b. Identity theft

c. Phishing

d. All of these

Answer: All of these

Which one of the following is an advantage of Threat Modeling performed for application design review? Select the correct option(s) and click submit.

a. Help analyze and assess design level security

b. Helps in formulation of security test plan and test cases

c. Reduction of ongoing software support costs

d. All of the above

Answer: All of the above

Since an SSO "token" is a "master key" to get access to multiple systems/applications with a "single" login, it is extremely important to protect this master key from theft, spoofing or forgery. What are typical ways to protect the SSO token from various threats? Select the correct option(s) and click submit.

a. Invalidate the SSO token on server side for subsequent use after the user logs off from any of the SSO enabled applications/systems i.e. after Single Sign-Off.

b. If the SSO token is being exchanged using a HTTP cookie, set the "HttpOnly" attribute of the cookie to prevent cookie access via client side javascript.

c. Define a server-side "timeout" for SSO token. The token should be invalid for use after the timeout period.

d. Digitally sign the SSO token to protect against man-in-the-middle manipulations and also encrypt the token with a time variant encryption key/algorithm. Exchange the token over SSL.

e. Implement a "source IP check" i.e. The source IP of the end client device which was used to provide the user credentials to generate the SSO token for the first time, should match the source IP of the end client device for all subsequent requests containing the same SSO token.

f. All of the Above

Answer: All of the Above

In context of SSO, claims refers to Select the correct option(s) and click submit.

a. Information about the Identity, generally presented as key-value pairs

b. Relationship between Service Provider (SP) & Identity Provider (IdP)

c. Relationship between Identity & Identity Provider

d. None of the Above

Answer: Information about the Identity, generally presented as key-value pairs

Input validations must be based on Select the correct option(s) and click submit.

a. blacklisting

b. whitelisting

c. encoding

d. encryption

Answer: Whitelisting

The following tools (versions, DependencyCheck, retire.js) are used for ....? Select the correct option(s) and click submit.

a. Code Analysis

b. Software Dependency Analysis

c. Dynamic Analysis

Answer: Software Dependency Analysis

Which of the following is the simplest form of block cipher? Select the correct option(s) and click submit.

a. Counter Mode

b. Cipher Block Chaining

c. Cipher Feedback Mode

d. Output Feedback Mode

e. Electronic Code Book

Answer: Electronic Code Book

Which of the following is indicative of Information Leakage vulnerability? Select the correct option(s) and click submit.

a. When the user logs in successfully, "Hello username!" is displayed.

b. The exception call stack is displayed.

c. The message "Incorrect username or password!" is displayed.

d. The message "Script error: Please contact the Web site administrator!" is displayed.

Answer: The exception call stack is displayed.

What are the solutions for Broken Authentication? Select the correct option(s) and click submit.

a. Use HTTPOnly, secure Flag for cookies

b. Expire session quickly.

c. Use the standard session id provided by your container.

d. All of the above

Answer: All of the above

Any freely given, specific and informed indication of his/her wishes, by which the data subject signifies his/her agreement to personal data relating to him/her being processed, is known as: Select the correct option(s) and click submit.

a. Notice

b. Order

c. Consent

d. Privacy policy

Answer: Consent

In a typical SSO solution, what is an "Identity Provider"? Select the correct option(s) and click submit.

a. A person who identifies him/herself.

b. A system or entity which can verify and prove identity of a user to other systems/entities involved in the SSO mechanism. Typically this is also the entity which generates and verifies the SSO token.

c. A system or entity which encrypts and provides password of a user to other systems/entities involved in the SSO mechanism so that they can re-authenticate the user.

d. All of the above

e. None of the above

Answer: A system or entity which can verify and prove the identity of a user to other systems/entities involved in the SSO mechanism. Typically this is also the entity which generates and verifies the SSO token.

DES & 3DES are? Select the correct option(s) and click submit.

a. Asymmetric Cipher

b. Hashing Algorithm

c. Symmetric Cipher

d. All of the above

e. None of the above

Answer: Symmetric Cipher

Default exceptions should not be shown to the user. Select the correct option(s) and click submit.

a. True

b. False

Answer: True

From the following, which is not a common file permission? Select the correct option(s) and click submit.

a. Read

b. Stop

c. Write

d. Execute

Answer: Stop

Identify correct statement from the following: Select the correct option(s) and click submit.

a. Confidentiality is a process to prevent unauthorized alteration of information; Authorization validates users' identity

b. Accountability is a process to prevent repudiation

c. None of the above options is correct

Answer: Accountability is a process to prevent repudiation

Threat modeling process can: a) Identify threats b) Provide countermeasures c) Stop threats from happening (Real Time) d) Help in flawless coding. Select the correct option(s) and click submit.

a. a, b only

b. b, d only

c. a, b, d only

d. All of the above

Answer: a, b only

To prevent a malicious subclass from being derived from a parent class, which keyword should be used? Select the correct option(s) and click submit.

a. Public

b. Private

c. Final

d. None of these

Answer: Final

A deployment is happening, and Varlam encounters a critical bug. Which feature that emphasizes collaboration and automation for bug resolution will Varlam use?

a. DevOps

b. waterfall

c. traditional QA

Answer: DevOps

What is the importance of integrity in software security?

a. to provide protection against unintended changes

b. to prevent unauthorized access

c. to ensure timely access when needed

Answer: to provide protection against unintended changes

The term "defects" is most relatable to which of the following?

a. coding errors that can harm the program

b. design errors within a system

c. any errors introducing vulnerabilities

Answer: any errors introducing vulnerabilities

Which website contains information about the top 10 web application software risks?

a. CERT Division of the Software Engineering Institute

b. IEEE Security & Privacy

c. Cybersecurity and Infrastructure Security Agency

d. Open Web Application Security Project

Answer: Open Web Application Security Project

How can risk manifestation appear in the category Probability?

a. by exposing a software vulnerability that can be exploited into a threat

b. by exposing damages associated with denial-of-service and phishing attacks

c. by exposing how a software security incident can be damaging

Answer: by exposing a software vulnerability that can be exploited into a threat

At a security workshop, Helga encounters a code-level vulnerability. What does this vulnerability likely involve?

a. a secure method for handling input data

b. a technique for injecting malicious SQL queries

c. an unauthorized access gateway that evades detection

Answer: a technique for injecting malicious SQL queries

Development teams are typically faced with threats to security. What usually causes these security vulnerabilities?

a. unclear or ambiguous security requirements

b. excessive documentation of features unrelated to security

c. inadequate user interface customization options

Answer: unclear or ambiguous security requirements

Which architectural-level threat poses the greatest risk to developing secure software?

a. lack of input validation

b. inconsistent coding style

c. excessive use of comments in code

Answer: lack of input validation

How do design patterns commonly exhibit limitations?

a. They can introduce unnecessary complexity and overhead.

b. They often lead to syntax errors in code.

c. They automatically optimize code performance.

Answer: They can introduce unnecessary complexity and overhead.

Why should an uninterruptible power supply be linked to a countermeasure?

a. to avoid a single point of failure

b. to allow energy to be saved for use in essential systems

c. to help stabilize system services

Answer: to help stabilize system services

How does the Trusted Platform Module serve its purpose?

a. It protects hardware through secure wired cables.

b. It allows trusted people such as software engineers into systems.

c. It prevents breaches resulting from hardware vulnerabilities.

Answer: It prevents breaches resulting from hardware vulnerabilities.

Which step in threat modeling for developing secure software involves assessing the potential impact and likelihood of identified threats?

a. analysis

b. identification

c. categorization for prioritization

d. mitigation

Answer: categorization for prioritization

Which statement is true regarding message integrity verification in OpenEMR?

a. Message integrity is not used in OpenEMR but is effective in other programming areas.

b. Message integrity is ensured through manual verification by users.

c. Message integrity is ensured through standardized library functions.

d. Message integrity relies solely on user input.

Answer: Message integrity is ensured through standardized library functions.

How does the Architectural Analysis for Security (AAFS) process utilize security tactics and patterns?

a. It identifies vulnerabilities in the software architecture.

b. It conducts an inspection of software security using security patterns during the VoAA phase.

c. It examines the source code for evidence of security design decisions.

d. It refines security tactics into specific design decisions during the PoAA phase.

Answer: It refines security tactics into specific design decisions during the PoAA phase.

Which resource is described as an exceptional tool for software security practitioners to identify design flaws?

a. Common Vulnerabilities and Exposures (CVE) database

b. Common Weakness Enumeration (CWE) database

c. Mitre's repository of reported security vulnerabilities

Answer: Common Weakness Enumeration (CWE) database

Trina is evaluating a website at a security assessment. Which practice should she avoid to enhance security?

a. Embed passwords in code in plain text.

b. Regularly update software versions.

c. Implement strong encryption methods.

d. Allow file uploads without specifying allowed file types.

Answer: Allow file uploads without specifying allowed file types.

During the vulnerability-oriented architecture analysis phase, what common vulnerability can occur when the intercepting validator pattern is misused or not used?

a. clickjacking

b. SQL injection

c. cross-site scripting (XSS)

d. cross-site request forgery (CSRF)

Answer: SQL injection

Alex is conducting a security training session with several employees. Letitia asks, "What is the most effective approach for utilizing security patterns?" How should Alex respond?

a. "Ad hoc adoption by individual developers without architectural vision."

b. "Architectural implementation with supervision by a software architect."

c. "Implementation of design patterns without communication among developers."

Answer: "Architectural implementation with supervision by a software architect."

How can developers effectively employ security tactics when creating secure software?

a. by using robust input validation and sanitization processes

b. by adhering to agile development practices

c. by implementing encryption protocols

d. by leveraging different techniques

Answer: by using robust input validation and sanitization processes

Christian is speaking at a seminar for secure design. A participant asks, "What is the best way to foster secure design in software development?" Which approach should Christian recommend?

a. "Use post-deployment security patches."

b. "Test for potential vulnerabilities."

c. "Implement ad hoc security considerations."

d. "Incorporate security throughout the development lifecycle."

Answer: "Incorporate security throughout the development lifecycle."

How do software developers commonly err in safeguarding sensitive information?

a. They fail to implement multi-factor authentication procedures.

b. They do not ensure that regular data backups are occurring.

c. They rely solely on firewalls for security defense.

d. They do not provide adequate protection such as access control and encryption.

Answer: They do not provide adequate protection such as access control and encryption.

Alena is trying to determine the best way to minimize the possibility of introducing the direct object reference vulnerability. Which option will benefit her most?

a. automated testing using specialized tools

b. enhanced encryption algorithms for data protection

c. routine code review focusing on access control mechanisms

d. stricter user authentication protocols

Answer: routine code review focusing on access control mechanisms

What risk is associated with uncontrolled direct access to system resources?

a. system performance degradation

b. loss of encryption keys

c. potential data or information leakage

d. increased vulnerability to phishing attacks

Answer: potential data or information leakage

Attila is tasked with selecting a security framework for authentication and session management. Which criterion is essential for choosing the best framework?

a. implementation of custom code from scratch

b. caution regarding unknown security vulnerabilities

c. reputation and acceptance in the developer community

d. lack of technical support for maintenance

Answer: reputation and acceptance in the developer community

Why is building a custom authentication and session management scheme considered risky for software developers?

a. It is more efficient than using standardized authentication methods.

b. It reduces the risk of insider threats and social engineering attacks.

c. It provides better control over access control mechanisms.

d. It is prone to error and can lead to security vulnerabilities.

Answer: It is prone to error and can lead to security vulnerabilities.

What is the surefire way of stopping buffer overflow attacks at the software developer level?

a. Employ code-scanning tools to detect vulnerabilities.

b. Use a programming language with automatic bounds checking.

c. Implement architectural solutions with language-specific library modules.

d. Follow secure coding practices.

Answer: Follow secure coding practices.

Hyeon is discussing buffer overflow vulnerabilities in software security. Which practice helps prevent such attacks?

a. allowing unrestricted user input

b. implementing strict input validation

c. adding user input validation

d. using coding practices that have worked in the past

Answer: allowing unrestricted user input implementing strict input validation adding user input validation using coding practices that have worked in the past

What is emphasized as a fundamental aspect of secure coding practices?

a. comprehensive security testing

b. immediate vulnerability detection

c. architectural and design-oriented decision-making

d. high return on investment (ROI)

Answer: high return on investment (ROI)

Which type of architectural solution is used to address input validation vulnerabilities?

a. quick-fix solutions

b. framework-based solutions

c. overarching and lasting solutions

d. application-specific solutions

Answer: overarching and lasting solutions

What is the most significant difference between criminal hacking and penetration testing?

a. Criminal hacking focuses on identifying vulnerabilities, while penetration testing launches attacks.

b. Criminal hacking is done in isolation, while penetration testing is conducted in the wild.

c. Criminal hacking is done without permission, while penetration testing requires formal authorization.

d. Criminal hacking relies solely on automated tools, while penetration testing involves manual testing techniques.

Answer: Criminal hacking is done without permission, while penetration testing requires formal authorization.

During a software security training session, Micha is tasked with selecting a tool for analyzing web applications dynamically. Which tool should Micha choose?

a. Nikto

b. Qualys

c. HCL AppScan

d. IBM AppScan

Answer: Nikto

Which industry standard does Nessus use to assess the seriousness of cybersecurity vulnerabilities?

a. Common Attack Pattern Enumeration and Classification (CAPEC)

b. Common Vulnerability Scoring System (CVSS)

c. Common Weakness Enumeration (CWE)

d. Common Vulnerabilities and Exposures (CVE)

Answer: Common Vulnerability Scoring System (CVSS)

During a cybersecurity briefing, Marina is asked to identify the initial step in a vulnerability management process. What is the first step?

a. Analyze vulnerabilities.

b. Discover vulnerabilities.

c. Develop vulnerability management policies.

d. Prioritize vulnerabilities based on their risks.

Answer: Develop vulnerability management policies.

The Linux distribution that is specifically focused on penetration testing is _____.

a. BackTrack

b. Ubuntu

c. Kali

Answer: Kali

What is a requirement for conducting effective white-box testing?

a. knowledge of software vulnerabilities

b. extensive testing documentation

c. access to source code

d. knowledge of user requirements

Answer: access to source code

How can you identify the limitations of static analysis for software security?

a. by requiring the execution of the source code during testing

b. by detecting bugs in only fully functional code

c. by seeing if the output releases false positives and false negatives

d. by being effective in detecting design flaws

Answer: by seeing if the output releases false positives and false negatives

What are the three conventional testing techniques for software security?

a. static analysis, dynamic analysis, and penetration testing

b. functional analysis, regression testing, and usability testing

c. black-box testing, white-box testing, and gray-box testing

d. unit testing, integration testing, and system testing

Answer: static analysis, dynamic analysis, and penetration testing

How does the European Union initiative affect organizations globally, even if they are outside of Europe?

a. through the Computer Fraud and Abuse Act (CFAA)

b. through the Health Insurance Portability and Accountability Act (HIPAA)

c. through the Payment Card Industry Data Security Standard (PCI DSS)

d. through the General Data Protection Regulation (GDPR)

Answer: through the General Data Protection Regulation (GDPR)

Which certification program addresses software security in the context of web applications?

a. Certified Secure Software Lifecycle Professional (CSSLP)

b. Certified Information Systems Security Professional (CISSP)

c. Certified Application Security Engineer (CASE)

d. Certified Web Application Defender (CWAD)

Answer: Certified Web Application Defender (CWAD)

One of the cybersecurity threats manifests in IoT devices through _____.

a. physical tampering of devices

b. data loss prevention

c. privacy violations

d. network bandwidth issues

Answer: privacy violations

How can organizations support software engineers in building security into the software they produce?

a. Encourage developers to create custom encryption algorithms.

b. Limit access to commercial and open-source encryption libraries.

c. Provide additional, extensive cybersecurity training.

d. Invest in developer-friendly software security environments and automation.

Answer: Invest in developer-friendly software security environments and automation.

What is a potential security concern related to cloud computing?

a. lack of access to physical servers

b. vulnerabilities in hypervisors

c. local storage of code repositories

d. limited computing resources for virtual machines

Answer: vulnerabilities in hypervisors

DREAD model is used for? Select the correct option(s) and click submit.

a. Identifying Threats

b. Rating Architecture complexity

c. Identifying mitigation

d. Rating Threats

Answer: Rating Threats

How can an attacker use the information gained by an SQL debug message from an application to cause harm to it? Select the correct option(s) and click submit.

a. Steal sensitive information from other users

b. Run scripts on other users' browsers

c. Alter the communication protocol used by the site

d. Can potentially understand the query's structure and then script attack vectors

Answer: Can potentially understand the query's structure and then script attack vectors

Which of the following options is not an appropriate way to make an authentication mechanism secure? Select the correct option(s) and click submit.

a. Using encryption to store the authentication token

b. Setting an expiry date for the authentication token

c. Provide default access

d. Re-authenticate in case of sensitive transaction

e. All options are secure

Answer: Provide default access

As per PCI DSS standards, which of the following Card Holder Data should not be stored (even if encrypted)? Select the correct option(s) and click submit.

a. Cardholder Name

b. Expiration Date

c. CAV2/CVC2/CVV2/CID

d. PIN/PIN Block

e. All of the above

f. Option 3 & 4

Answer: Option 3 & 4 (CAV2/CVC2/CVV2/CID and PIN/PIN Block)

Which of the following is the best option when a user needs to ensure message integrity? Select the correct option(s) and click submit.

a. Send a digital signature of the message to the recipient

b. Encrypt the message with a symmetric algorithm and send it

c. Encrypt the message with a private key so the recipient can decrypt with the corresponding public key

d. Send an encrypted hash of the message along with the message to the recipient

Answer: Send an encrypted hash of the message along with the message to the recipient

Development, QA, and production environments should all be configured identically, with _____ credentials used in each environment. Select the correct option(s) and click submit.

a. Similar

b. Different

Answer: Different

State True or False: Maintenance (Operational) Security is not required if software is developed securely. Select the correct option(s) and click submit.

a. True: because software, if developed securely, would not require any maintenance or operational security

b. True: because security is required either during development or in maintenance phase

c. False: because only Maintenance or Operational Security is required to make the software secure.

d. False: because log analysis, incident response, security patches, upgradation are ongoing requirements and can not be addressed solely by software development

Answer: False: because log analysis, incident response, security patches, upgradation are ongoing requirements and can not be addressed solely by software development

Which of the data validation strategy models listed below is the weakest one? Select the correct option(s) and click submit.

a. Exact Match (Constrain)

b. Encode Known bad (Sanitize)

c. Known Good (Accept)

d. Reject Known bad (Reject)

e. All of the above

Answer: Reject Known bad (Reject)

Which of the following ensures that information has not been altered in any unauthorized way by any means? Select the correct option(s) and click submit.

a. Integrity

b. Confidentiality

c. Authentication

d. Non-Repudiation

Answer: Integrity

When contemplating the use of covert video surveillance, which factor is not a valid consideration? Select the correct option(s) and click submit.

a. The use of covert video surveillance is supported by suspicion.

b. The personal information being collected is clearly related to a legitimate business purpose and objective.

c. The loss of privacy is proportional to benefit gained.

d. Other less privacy-invasive measures have been considered.

Answer: The use of covert video surveillance is supported by suspicion.

Don't store sensitive data unnecessarily. Select the correct option(s) and click submit.

a. True

b. False

Answer: True

Secure coding practices must be incorporated in the entire development life cycle of an application. Select the correct option(s) and click submit.

a. True

b. False

Answer: True

A perfect hash function would have only one possible input for a given output. When two different inputs give the same output, it is known as: Select the correct option(s) and click submit.

a. Cryptographic Hash

b. One way function

c. Hash collision

d. Data Integrity

e. None of the above

Answer: Hash collision

Defining the context helps in understanding: Select the correct option(s) and click submit.

a. The importance of application

b. The boundaries of application context

c. Trust relationship between entities

d. Potential threats and possible controls

e. All of the above

Answer: All of the above

Which of the following are forms of malicious attack? Select the correct option(s) and click submit.

a. Theft of information

b. Modification of data

c. Wiping of data

d. All of these

Answer: All of these

State True or False: Customers evaluate the vendor capability to deliver secure software and it is one of the key criteria before granting the business. Select the correct option(s) and click submit.

a. True

b. False

Answer: True

CAPTCHA is used as remediation for which of the following attacks? Select the correct option(s) and click submit.

a. CSS

b. Cross Site Request Forgery

c. Brute Force Attack

d. Direct object reference.

Answer: Brute Force Attack

From an application security perspective, when do we need to use CAPTCHA in a web application? Select the correct option(s) and click submit.

a. To prevent scripted attacks

b. To provide biometric authentication

c. To check the color blindness of user

d. To check validity of user session

e. All of the above

Answer: To prevent scripted attacks

What are types of customer data? Select the correct option(s) and click submit.

a. Data collected directly from a customer through the application

b. Data gathered indirectly (through documents)

c. Data about a customer's usage behavior (logs, history etc)

d. Data relating to a customer's system (IP, configuration etc)

e. All of above

f. None of above

Answer: All of above

What are the qualities of secure software? Select the correct option(s) and click submit.

a. It cannot be hacked or attacked

b. It resists most attacks and tolerates attacks which cannot be resisted

c. It resists most attacks and tolerates attacks which cannot be resisted & recovers within a specified time with minimum damage

d. It resists most attacks and tolerates attacks which cannot be resisted & recovers within a specified time with minimum damage and generates a trail for the attack

Answer: It resists most attacks and tolerates attacks which cannot be resisted & recovers within a specified time with minimum damage and generates a trail for the attack

Error handling reveals stack traces or other overly informative error messages to users. Will this be categorized under Security Misconfiguration? Select the correct option(s) and click submit.

a. True

b. False

Answer: True

Which one is not a part of the Microsoft STRIDE method for rating risk while creating a threat model for an application? Select the correct option(s) and click submit.

a. Security

b. Tampering

c. Repudiation

d. Denial of Service

Answer: Security

Which of the following is a hacker's attempt to redirect traffic from a legitimate website to a completely different internet address by changing the hosts file on a victim's computer or by exploiting a vulnerability on the DNS server? Select the correct option(s) and click submit.

a. Harvesting

b. Phishing

c. Pharming

d. All of the above

e. None of the above

Answer: Pharming

State True or False: The cost of fixing the security defect decreases if it is ignored, identified late or in the later phases of the life cycle. Select the correct option(s) and click submit.

a. True

b. False

Answer: False

Why is "non repudiation" a very desirable trait? Select the correct option(s) and click submit.

a. It establishes traceability of every action done by the user

b. It is impossible to deny an action in some critical situations

c. It is a forensic analysis mechanism

d. All of the above

Answer: All of the above

What does the acronym CVE stand for? Select the correct option(s) and click submit.

a. Common Vulnerability and Exposures

b. Critical Vulnerability Enumeration

c. Critical Vulnerability and Exposures

d. Common Vulnerability Enumeration

Answer: Common Vulnerability and Exposures

Spoofing hampers which one of the following security foundations? Select the correct option(s) and click submit.

a. Integrity

b. Non-repudiation

c. Authorization

d. Authentication

Answer: Authentication

On logout, how should the application deal with session cookies? Select the correct option(s) and click submit.

a. Update the time

b. Clear them

c. Update the header

d. Store IP

Answer: Clear them

Which one of the following is not a part of the DREAD method for rating risk? Select the correct option(s) and click submit.

a. Damage potential

b. Risk Analysis

c. Exploitability

d. Affected Users

e. Discoverability

Answer: Risk Analysis

Which of the following is an advantage of using SSO? Select the correct option(s) and click submit.

a. "User experience" is improved as the user does not have to enter credentials for every new application access.

b. Reduces the number of "passwords" to remember, secure and manage. With SSO, a single login with user id and password enables "secure" access to multiple applications.

c. Simplifies "identity & access management". This is because single/same identity can now be centrally managed and securely propagated to all target applications or service providers.

d. A and B

e. All of the above

Answer: All of the above

Which of the following ciphers rearranges bits, characters, or character blocks in plaintext to produce ciphertext? Select the correct option(s) and click submit.

a. Vernam cipher

b. Substitution cipher

c. Block cipher

d. Permutation cipher

Answer: Permutation cipher

Phishing is essentially another form of: Select the correct option(s) and click submit.

a. Denial of service

b. Social engineering

c. Malware

d. Spyware

Answer: Social engineering

Note:
This MCQ aims to achieve a 90% accuracy rate. If you notice any errors in the answers, please comment below and contribute to reaching 100% accuracy.