Software Security (4774) : SSA E1 Developer (13256) - Digital : Secure Code Review_FP (60349) Answers

Digital : Secure Code Review_FP Assessment Answers (60349)


The information gathered should be organized into a _________ that can be used to prioritize the review.

a. SRS document

b. Threat Model

c. Design document

d. Test report

Answer: Threat Model

Inviting a friend to help look for a hard-to-find vulnerability is a method of security code review.

a. True

b. False

Answer: True

The estimation of software size by measuring functionality.

a. Function Points

b. Path complexity

c. Lines of code

d. Cyclomatic complexity

Answer: Function Points

The process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places is known as ______________.

a. Penetration Testing

b. Secure Code Review

c. Black Box Testing

d. Vulnerability Testing

Answer: Secure Code Review

Complexity increases with the decision count.

a. False

b. True

Answer: True

Which of the following are threats of cross site scripting on the authentication page?

a. Session hijacking attacks

b. Phishing

c. Identity theft

d. All of these

Answer: All of these

The process by which different equivalent forms of a name can be resolved to a single standard name.

a. Name resolution

b. Aliasing

c. Input resolution

d. Canonicalization

Answer: Canonicalization
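Canonicalization is what makes a later check meaningful: a path filter that rejects "../" but never decodes "%2e%2e" or fullwidth "．．" is trivially bypassed. The example below is an added illustration, not code from the course or from the page; it assumes a hypothetical upload directory BASE_DIR and shows the standard order of operations (decode until stable, Unicode-normalise, resolve "." and "..", then check containment).

```python
import os
import unicodedata
from urllib.parse import unquote

# Assumed document root for the application (hypothetical path).
BASE_DIR = "/srv/app/uploads"


def canonicalize(user_path: str, max_decode_rounds: int = 3) -> str:
    """Reduce the equivalent spellings of a path to one standard form.

    Steps, in order: undo percent-encoding until it stops changing (this
    catches double-encoding such as %252e), apply Unicode NFKC so the
    fullwidth forms of '.' and '/' become ASCII, normalise separators,
    then let os.path.normpath resolve '.' and '..' segments.
    """
    decoded = user_path
    for _ in range(max_decode_rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = unicodedata.normalize("NFKC", decoded)
    decoded = decoded.replace("\\", "/")
    # os.path.join discards BASE_DIR when `decoded` is absolute, which is
    # exactly the case the containment check below has to catch.
    return os.path.normpath(os.path.join(BASE_DIR, decoded))


def is_within_base(user_path: str) -> bool:
    """Authorise a file reference only on its canonical form."""
    full = canonicalize(user_path)
    return os.path.commonpath([BASE_DIR, full]) == BASE_DIR


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and several traversal spellings.
    for candidate in ("report.pdf", "sub/../report.pdf", "../../etc/passwd",
                      "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd",
                      "\uff0e\uff0e\uff0fetc/passwd", "/etc/passwd"):
        print(f"{candidate!r:34} -> {is_within_base(candidate)}")
```

The point for review: look for the containment check being applied before canonicalisation, or for only one of the decoding steps being present. Both are findings even when the obvious "../" case is handled.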

It is easy to develop secure sessions with sufficient entropy.

a. False

b. True

Answer: False

In a multi-user, multi-threaded environment, thread safety is important as one may erroneously gain access to another individual's session by exploiting ___________ .

a. OS commands

b. Session Integrity

c. Race conditions

Answer: Race conditions
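The classic shape of this bug is request state kept in a process-wide variable: request A stores "current user", request B overwrites it, and A then acts on B's session. The example below is added here and is not from the course; it simulates two concurrent requests with a threading.Barrier (an assumption used to force the interleaving deterministically) and contrasts a shared dict with threading.local storage.

```python
import threading

# Two simulated concurrent requests. The barrier forces both to pause at
# the point between "record current user" and "read current user".
_barrier = threading.Barrier(2)
_shared_state = {}                   # process-wide: what the unsafe code uses
_thread_state = threading.local()    # per-thread: what the safe code uses


def handle_unsafe(user: str, results: dict) -> None:
    """Session identity kept in shared mutable state (the defect)."""
    _shared_state["user"] = user          # this request's authenticated user
    _barrier.wait()                       # the other request runs in between
    results[user] = _shared_state["user"] # whose session are we acting on?


def handle_safe(user: str, results: dict) -> None:
    """Session identity kept in thread-local state (the fix)."""
    _thread_state.user = user
    _barrier.wait()
    results[user] = _thread_state.user


def count_cross_session_reads(handler) -> int:
    """Run two requests concurrently; return how many acted on the wrong user."""
    results = {}
    threads = [threading.Thread(target=handler, args=(u, results))
               for u in ("alice", "bob")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for user, seen in results.items() if seen != user)


if __name__ == "__main__":
    print("shared dict   ->", count_cross_session_reads(handle_unsafe), "request(s) on wrong session")
    print("thread-local  ->", count_cross_session_reads(handle_safe), "request(s) on wrong session")
```

In a real service the barrier is replaced by ordinary scheduling, so the failure is intermittent and hard to reproduce; that is why a reviewer looks for module-level or singleton fields holding per-request data rather than waiting for a test to catch it.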

The _______ approach to validation only permits characters/ASCII ranges defined within a white-list.

a. Known bad

b. Known good

c. Encode good

Answer: Known good

The process that gives a person permission to perform a functionality is known as ___________.

a. Identity Management

b. Repudiation

c. Authorization

d. Authentication

Answer: Authorization

A solution to enhance security of passwords stored as hashes.

a. Salting

b. Encryption

c. Using digital signatures

d. Noncing

Answer: Salting

Which of the following can be used to prevent end users from entering malicious scripts?

a. Authentication

b. Server side encoding

c. Input validation

d. Dynamic encoding

Answer: Input validation

A function in which scripting tags in all dynamic content can be replaced with codes in a chosen character set.

a. Server side encoding

b. Dynamic encoding

c. Client side encoding

d. Script encoding

Answer: Server side encoding

__________ attempts to quantify the size of the code.

a. Cyclomatic complexity

b. Path complexity

c. Lines of Code

Answer: Lines of Code

A representation of an attribute that cannot be measured directly, and is subjective and dependent on the context in which the metric was derived.

a. Relative Metrics

b. Absolute Metrics

Answer: Relative Metrics

The account used to make the database connection must have ______ privilege.

a. Admin

b. Least

c. Highest

Answer: Least

The average occurrence of programming faults per Lines of Code (LOC) is known as _______.

a. Error density

b. Defect Density

c. Complexity density

d. Risk Density

Answer: Defect Density

The approach to input validation that simply encodes characters considered "bad" to a format which should not affect the functionality of the application, and hence is very weak.

a. Encode bad

b. Blacklisting

c. Encrypt bad

Answer: Encode bad
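The three validation and encoding questions above (known-good whitelisting, server-side encoding of dynamic content, and the weak "encode bad" approach) are easiest to compare side by side. The example below is added here and is not from the course or the page; the username policy, the `<img alt>` output context and the payload are constructed for illustration. It shows that an "encode bad" filter which only rewrites `<` and `>` does nothing against a value that never uses them, while a whitelist rejects the value outright and context-aware encoding renders it harmlessly.

```python
import html
import re
from html.parser import HTMLParser

# Known-good policy (assumed): the only characters a username may contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_known_good(value: str) -> bool:
    """Accept only values made entirely of whitelisted characters."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_bad(value: str) -> str:
    """'Encode bad': neutralise the characters the developer thought of.
    Anything not on that list passes through untouched."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def render_with_encode_bad(value: str) -> str:
    return f'<img src="avatar.png" alt="{encode_bad(value)}">'


def render_with_server_side_encoding(value: str) -> str:
    """Encode every dynamic value for its output context (HTML attribute)."""
    return f'<img src="avatar.png" alt="{html.escape(value, quote=True)}">'


class _ImgAttributes(HTMLParser):
    """Collect the attributes a browser would see on the <img> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.update(attrs)


def img_attributes(rendered: str) -> dict:
    parser = _ImgAttributes()
    parser.feed(rendered)
    return parser.attrs


if __name__ == "__main__":
    payload = '" onerror="alert(1)'          # no < or >, so 'encode bad' ignores it
    print("known-good accepts payload:", validate_known_good(payload))
    print("encode bad  ->", img_attributes(render_with_encode_bad(payload)))
    print("server-side ->", img_attributes(render_with_server_side_encoding(payload)))
```

Validation and encoding are complementary, not alternatives: the whitelist stops the value at the boundary, and the output encoding protects every place the value is later written, including places the validator never saw.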

Defect density alone can be used to judge the security of code accurately.

a. True

b. False

Answer: False

________ can be used to establish risk and stability estimations on an item of code, such as a class or method or even a complete system.

a. Cyclomatic complexity

b. Lines of code

c. Risk density

d. Defect density

Answer: Cyclomatic complexity

Which of the following type of metrics do not involve subjective context but are material facts?

a. Absolute Metrics

b. Relative Metrics

Answer: Absolute Metrics

___________ can be exploited to completely ignore authorization constraints.

a. Cross site Scripting

b. OS command injection

c. Race conditions

d. SQL Injection

Answer: OS command injection

The dimension of authorization that ensures that different users/entities do not access other users'/entities' data.

a. Vertical Authorization

b. Horizontal Authorization

Answer: Horizontal Authorization

Which of the following is more resistant to SQL injection attacks?

a. Parameterized queries

b. Dynamic SQL statements

Answer: Parameterized queries

The process through which the identity of an entity is established to be genuine. Choose the correct option from below list

a. Identity Management

b. Access controls

c. Authorization

d. Authentication

Answer: Authentication

Numerical values that describe a trait of the code such as the Lines of Code come under ________. Choose the correct option from below list

a. Relative Metrics

b. Absolute Metrics

Answer: Absolute Metrics

The first step in analyzing the attack surface is ________. Choose the correct option from below list

a. Understanding the context

b. Information gathering

c. Creating a threat model

d. Identifying all input to the code

Answer: Identifying all input to the code

It is easy to distinguish good code from insecure code. Choose the correct option from below list

a. False

b. True

Answer: False

To build SQL statements it is more secure to use PreparedStatement than Statement. Choose the correct option from below list

a. True

b. False

Answer: True

Which of the following is an efficient way to securely store passwords? Choose the correct option from below list

a. Abstraction

b. Hashing

c. Encryption

Answer: Hashing
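Hashing alone is the right answer only with the salting question taken together with it: a fast unsalted hash lets an attacker precompute one table for every user and spot shared passwords. The example below is added here and is not from the course; it uses PBKDF2-HMAC-SHA256 from the standard library with a random per-password salt and a constant-time comparison. The iteration count is an assumption to be set from your own benchmark, and the stored-string format is constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor; tune it to your hardware (higher is slower for attackers too).
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, slow hash. Two users with the same password get different outputs."""
    salt = os.urandom(16)                      # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be upgraded later.
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: identical passwords give identical, cheaply brute-forced hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"      # constructed sample password
    print("unsalted, user 1:", unsalted_sha256(pw))
    print("unsalted, user 2:", unsalted_sha256(pw))       # same value: linkable
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("salted,   user 1:", rec1)
    print("salted,   user 2:", rec2)                      # different salts, different hashes
    print("verify correct  :", verify_password(pw, rec1))
    print("verify wrong    :", verify_password("Tr0ub4dor&3", rec1))
```

In review, the things to check are: a per-record random salt (not a global one), a deliberately slow KDF rather than a plain digest, and a constant-time compare on verification.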

Parameterized stored procedures are compiled after the user input is added. Choose the correct option from below list

a. True

b. False

Answer: False
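The SQL questions on this page (parameterized queries versus dynamic SQL, PreparedStatement versus Statement, stored procedures compiled before input is bound) and the horizontal-authorization question all come down to one habit: the statement text is fixed at compile time and user input only ever arrives as bound data. The example below is an added illustration and not from the course; it uses Python's sqlite3 with "?" placeholders in the role Java's PreparedStatement plays, and its tables, rows and the injection payload are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-a"), (2, "bob", "hash-b")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(10, 1, "alice's laptop"), (11, 2, "bob's phone")])
    return conn


def login_dynamic_sql(conn, name: str, password_hash: str):
    """VULNERABLE: input is spliced into the statement text (Statement style)."""
    sql = (f"SELECT id FROM users WHERE name = '{name}' "
           f"AND password_hash = '{password_hash}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name: str, password_hash: str):
    """SAFE: statement compiled with placeholders; input bound as data only."""
    row = conn.execute("SELECT id FROM users WHERE name = ? AND password_hash = ?",
                       (name, password_hash)).fetchone()
    return row[0] if row else None


def get_order_for_user(conn, order_id: int, current_user_id: int):
    """Horizontal authorization: the ownership check is part of the query,
    so a user cannot read another user's order by guessing its id."""
    row = conn.execute("SELECT item FROM orders WHERE id = ? AND owner_id = ?",
                       (order_id, current_user_id)).fetchone()
    return row[0] if row else None


def run_demo() -> dict:
    conn = make_db()
    payload = "alice' --"          # closes the string literal, comments out the rest
    return {
        "dynamic_bypass": login_dynamic_sql(conn, payload, "wrong"),   # logs in as alice
        "param_bypass": login_parameterized(conn, payload, "wrong"),   # no such user
        "param_valid": login_parameterized(conn, "alice", "hash-a"),
        "own_order": get_order_for_user(conn, 10, 1),
        "other_order": get_order_for_user(conn, 11, 1),                # bob's order, denied
    }


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label:15} -> {value!r}")
```

The dynamic version returns alice's id for a password that is wrong, because the quote in the payload terminates the literal and "--" discards the password clause; the parameterized version looks for a user literally named "alice' --" and finds none. The same binding discipline is what makes a parameterized stored procedure safe: its body is compiled before any argument is supplied.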

Note: This MCQ aims to achieve a 90% accuracy rate. If you notice any errors in the answers, please comment below and contribute to reaching 100% accuracy.