4.4 Security Architecture and Tool Sets

Question 1

what is the purpose of filters on a web server?

Answer 1

they limit the traffic that is allowed through

Question 2

what is the purpose of sandbox in a java applet?

Answer 2

it prevents java applets from accessing unauthorized areas on a user’s computer

Question 3

which error condition arises because data is not checked before input to ensure that it has an appropriate length?

Answer 3

buffer overflow errors

Question 4

when does fuzzing occur?

Answer 4

when unexpected values are provided as input to an application to make the application crash

Question 5

what are the FIVE phases of the system development life cycle (SDLC)?

Answer 5

1. initiation
2. development and acquisition
3. implementation and assessment
4. operations and maintenance
5. disposal

Question 6

what is the purpose of a decompiler?

Answer 6

to re-create the source code in some high-level language

Question 7

which type of attack runs code within another process’s address space by making it load a dynamic link library?

Answer 7

a DLL injection attack

Question 8

what is the purpose of fuzz testing?

Answer 8

to identify bugs and security flaws within an application

Question 9

what are alternate terms for cross-site request forgery (XSRF)?

Answer 9

session riding or one-click attack

Question 10

which application hardening method requires that your organization periodically checks with the application vendor?

Answer 10

patch management

Question 11

what is the most significant misuse of cookies?

Answer 11

misuse of personal data

Question 12

when does fuzzing occur?

Answer 12

when unexpected values are provided as input to an application in an effort to make the application crash

Question 13

what does a race condition typically attack?

Answer 13

the delay between time of check (TOC) and time of use (TOU)

Question 14

when does a cross-site scripting (XSS) attack occur?

Answer 14

it occurs when an attacker locates a vulnerability on a web site that allows the attacker to inject malicious code into a web application

Question 15

what is the name for a small piece of information that is saved on a client machine on the hard disk to enable tracking of user information on future web visits?

Answer 15

a cookie

Question 16

what is the purpose of an application disassembler?

Answer 16

to read and understand the raw language of the program

Question 17

what is the purpose of a fail-safe error handler?

Answer 17

to ensure that the application stops working, reports the error, and closes down

Question 18

what is an application backdoor?

Answer 18

lines of code that are inserted into an application to allow developers to enter the application and bypass the security mechanisms

Question 19

what is cross-site request forgery (XSRF)?

Answer 19

unauthorized commands coming from a trusted user to a user or web site, usually through social networking

Question 20

what should application developers do to prevent race condition attack?

Answer 20

create code that processes exclusive-lock resources in a certain sequence and unlocks them in reverse order

Question 21

what is the best protection against cross-site scripting? (XSS)?

Answer 21

disable the running of scripts

Question 22

what is the purpose of secure code review?

Answer 22

it examines all written code for any security holes that may exist

Question 23

what is a cookie?

Answer 23

a web client test file that stores persistent settings for a web server

Question 24

what is the purpose of input validation?

Answer 24

to ensure that data being entered into a database follows certain parameters

Question 25

what is the purpose of application hardening?

Answer 25

it ensures that an application is secure and unnecessary services are disabled

Question 26

which error occurs when the length of the input data is more than the length that processor buffers can handle?

Answer 26

buffer overflow

Question 27

which type of attack is characterized by an attacker who takes over the session of an already authenticated user?

Answer 27

hijacking

Question 28

what is a zero-day exploit?

Answer 28

an attack that exploits a security vulnerability on the day the vulnerability becomes generally known

Question 29

when does a persistent XSS attack occur?

Answer 29

when data provided to the web application is first stored persistently on the server and later displayed to users without being encoded using HTML on the Web client

Question 30

which type of attack intercepts an established TCP session?

Answer 30

TCP hijacking or session hijacking

Question 31

which type of attack enables an intruder to capture and modify data traffic by rerouting the traffic from a network device to the intruder’s computer?

Answer 31

network address hijacking