Domain 4: Cloud Application Security Flashcards

1
Q

Mikayla wants to validate a component of her software that she has downloaded from GitHub. How can she validate that the underlying software does not have security flaws when it is downloaded and included in her environment as part of her integration process?

A. Validate the checksum of the file.
B. Validate the signature of the file.
C. Validate the hash of the file.
D. Mikayla cannot ensure that there are no security flaws via the options described.

A

**Answer: **

2
Q

Lin wants to allow her users to use existing credentials provided by a third-party identity provider when they access her service. What element will she have to provide from the following list?

A. User IDs
B. Authentication
C. Authorization
D. Identity proofing

A

**Answer: **

3
Q

Joanna’s software vendor does not provide source code to their clients. In the following list, what is her best option to test the security of the vendor’s software package?

A. Perform static analysis of the software.
B. Implement pair-programming techniques.
C. Review the software for hard-coded secrets.
D. Perform dynamic testing.

A

**Answer: **

4
Q

What SDLC model is most frequently associated with cloud development processes?

A. Agile
B. RAD
C. Spiral
D. Waterfall

A

**Answer: **

5
Q

Susan wants to avoid common pitfalls in cloud application development. Which of the following pitfalls is frequently associated with cloud environments?

A. Reliability of applications built in the cloud
B. Scalability of applications built in the cloud
C. Redundancy of applications built in the cloud
D. Security of applications built in the cloud

A

**Answer: **

6
Q

Susan wants to avoid issues with data integration. She is aware that the OWASP Cloud Top 10 includes service and data integration security issues, and is deploying a REST-based API for her customers to use when accessing her service. She is using API keys, but she is concerned about third parties intercepting and accessing the data. What should she include in her implementation to address this concern?

A. Data tokenization
B. Ensure encryption at rest
C. Ensure encryption in transit
D. Data masking

A

**Answer: **

7
Q

Ben wants to gather business requirements for his software development effort and is using an Agile methodology. Which of the following is not a common means of gathering user requirements in an Agile process?

A. Brainstorming
B. Documentation review
C. User observation
D. Surveys

A

**Answer: **

8
Q

Encryption at rest is a protective design element included in SDLCs for cloud environments due to what common cloud design motif?

A. Rapid elasticity
B. Multitenancy
C. Measured services
D. Scalability

A

**Answer: **

9
Q

Nick wants to avoid common pitfalls in his CI/CD pipeline. Which of the following is a common CI/CD pitfall that can harm cloud development efforts?

A. Automation of processes
B. Use of metrics
C. Using multiple deployment paths
D. Reliance on a version control system

A

**Answer: **

10
Q

Maria wants to integrate her existing identity provider with her cloud provider’s services. What common standard is used for most cloud identity provider integration?

A. IDPL
B. OpenLDAP
C. SAML
D. ConnectID

A

**Answer: **

11
Q

Jack wants to enable his team to develop cloud-native applications. Which of the following is not a common element in a cloud-native application design?

A. Optimized assembly code
B. Automated release pipelines
C. Containers
D. Microservices

A

**Answer: **

12
Q

At which phase of the software development life cycle (SDLC) is user involvement most crucial?

A. Define
B. Design
C. Development
D. Test

A

**Answer: **

13
Q

Brian wants to ensure that he takes the OWASP Top 10 Cloud risks into account in his development process. He knows that regulatory compliance is on the list, and he wants to include it in the SDLC. During what phase of the SDLC would it make the most sense to consider regulatory compliance?

A. Analysis and requirements definition
B. Design
C. Implementation
D. Testing

A

**Answer: **

14
Q

The testing process that Angie is using for her organization includes access to the design specifications, source code, and running applications. What type of security testing methodology is she using?

A. White box
B. Gray box
C. Red box
D. Black box

A

**Answer: **

15
Q

The CWE/SANS Top 25 most dangerous software errors includes the use of hard-coded credentials. What common cloud service component can be used to avoid this problem for cloud-hosted software and applications?

A. An MFA token
B. A TPM
C. A KMS
D. An API key

A

**Answer: **

16
Q

Dana’s organization requires an SBOM for each application it deploys. What OWASP Top 10 item does an SBOM help to avoid?

A. Vulnerable and outdated components
B. Broken access control
C. Injection
D. Security misconfiguration

A

**Answer: **

17
Q

The company that Yun works for provides API access to customers. Yun wants to rate-limit API access and gather billing information while using a central authorization and access management system. What type of tool should Yun put in place to meet these requirements?

A. An API gateway
B. An API proxy
C. An API firewall
D. A next-generation API manager

A

**Answer: **

18
Q

What phase of the SDLC is IAST typically associated with?

A. Design
B. Testing
C. Implementation
D. Deployment

A

**Answer: **

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Gary’s cloud service provides customers with access to APIs. Which of the following is a common security flaw in APIs?

A. Use of unstructured data
B. Lack of authentication
C. Use of semi-structured data
D. Lack of encryption

A

**Answer: **

20
Q

Dan wants to encrypt data at rest in his cloud environment. What encryption standard should he look for when encrypting data at rest?

A. TLS
B. AES-256
C. SSL
D. Blowfish

A

**Answer: **

21
Q

Mark wants to ensure that his software vendor is using industry best practices as part of their software validation process. He knows that NIST defines a number of recommended minimums for verification of code by developers. Which of the following is not a NIST recommended minimum standard for vendor or developer verification of code?

A. Use automated testing.
B. Perform code-based (static) analysis.
C. Only check internally developed software.
D. Conduct threat modeling.

A

**Answer: **

22
Q

Lori wants to ensure that the included software components provided by her vendor are secure. What type of process should she use to conduct an assessment of those packages?

A. A web application vulnerability scan
B. A software composition analysis
C. A vulnerability scan
D. A version number validation process

A

**Answer: **

23
Q

Christine has documented a software testing user story that states: “As an attacker, I will upload malicious software as part of my form submission which will exploit the parsing software that reads user submissions.” What type of testing is Christine preparing for?

A. Abuse case testing
B. Static testing
C. QA testing
D. SCA testing

A

**Answer: **

24
Q

OWASP’s Application Security Verification Standard (ASVS) has three primary usage models. Which of the following is not an intended usage model based on its design objectives?

A. To be used as a metric
B. To be used for auditing
C. To be used as guidance
D. To be used during procurement

A

**Answer: **

25
Q

Ian wants to use a cloud-specific list of application issues. Which of the following options should he choose?

A. The OWASP Top 10
B. The NIST Dirty Dozen
C. The SANS Top 25
D. The MITRE ATT&CK-RS

A

**Answer: **

26
Q

Nick wants to use a common format for his team’s software versioning. What versioning format should he use if he wants to use a common industry practice?

A. Codename.version
B. Major.build.minor.patch
C. RFC number.version.patch
D. Major.minor.patch

A

**Answer: **

27
Q

What term is used to describe the list of all of the software components of a product?

A. Component index
B. SBOM
C. Version catalog
D. SCCM

A

**Answer: **

28
Q

Valerie’s company has recently experienced successful SQL injection attacks against a third-party application they use. The vendor has not yet provided a patch for the SQL injection flaw, but Valerie needs to keep the application in production due to business requirements. What type of tool could Valerie put in place to protect against the SQL injection attacks on her web application?

A. A DAM
B. A WAF
C. An XML firewall
D. An API gateway

A

**Answer: **

29
Q

Charles logs in using his organization’s credentials and is able to use that login throughout a variety of systems and applications. What technology is Charles using?

A. SAML
B. SSO
C. OpenID Connect
D. OTP

A

**Answer: **

30
Q

Jackie wants to allow applications to run using the libraries and other dependencies they need without having to have an independent operating system for each application. What technology should she use to allow her to easily move application packages between different operating systems?

A. Packages
B. Containers
C. Virtual machines
D. Hypervisors

A

**Answer: **

30
Q

Henry wants to ensure that only authorized customers are able to use his organization’s public-facing APIs. What common security technique is used for this purpose?

A. API keys
B. Single sign-on
C. API federation
D. Complex API passwords

A

**Answer: **

31
Q

Nancy wants to ensure that her organization does not have an issue with licensing for her software, and she knows that the vendor controls access using a licensing server that each installation checks in with. Which of the following should she pay particular attention to in order to ensure that she does not have a service interruption at some point in the future?

A. The license term
B. Whether the terms of the license can be disclosed
C. The license cost
D. Third-party sub-licenses included in the contract

A

**Answer: **

32
Q

Isaac wants to ensure that his cloud service provider is using cryptographic systems that meet widely accepted standards. What U.S. government standard should he expect his provider to comply with for their cryptographic systems?

A. GDPR
B. FIPS 140-2
C. SSL
D. SHA-2

A

**Answer: **

33
Q

Megan wants to increase the auditability of the use of privileges in her infrastructure. Which of the following solutions will have the biggest positive impact on auditability?

A. Use shared service accounts.
B. Use multifactor authentication.
C. Use dynamic secrets.
D. Use API keys.

A

**Answer: **

34
Q

In the testing phase of the software development life cycle (SDLC), software performance and ___________________ should both be reviewed.

A. Version
B. Complexity
C. Size
D. Security

A

**Answer: **

35
Q

Chris wants to use a cloud provider–hosted mechanism to store and manage his organization’s secrets. What type of solution should he look for?

A. KMS
B. PKI
C. CA
D. KCS

A

**Answer: **

36
Q

What entity provides authentication services in a federation?

A. IdP
B. RP
C. SP
D. SSO

A

**Answer: **

37
Q

Docker is an example of what sort of tool?

A. Microservices launcher
B. Cloud application security broker
C. A containerization platform
D. A web application firewall

A

**Answer: **

38
Q

Yasmine is working with a software as a service vendor. What part of the environment does Yasmine’s company have responsibility for?

A. Applications and data storage.
B. The OS, middleware, and runtime.
C. Storage and networking.
D. The vendor is responsible for the environment.

A

**Answer: **

39
Q

Jason wants to use multifactor authentication. Which of the following lists a valid multi-factor set?

A. A username, password, and PIN
B. A username, password, and app-generated code on a phone
C. A username, voiceprint, and fingerprint
D. A username, app-generated code, and token-generated code

A

**Answer: **

40
Q

Kim wants to use version control for her software. What common tool could her organization use to perform this function?

A. Jenkins
B. Chef
C. Git
D. Puppet

A

**Answer: **

41
Q

Ramon’s organization uses Office 365 but relies on their own Active Directory credentials to log into O365. What is this type of configuration called?

A. Federated identity
B. Structured identity
C. Shared identity
D. Constrained identity

A

**Answer: **

42
Q

Gretchen wants to ensure that her organization is in compliance with their software licenses. Which of the following is the most important step for most organizations in ensuring license compliance?

A. Using only open source software
B. Tracking all software versions
C. Using only commercial software
D. Software inventory

A

**Answer: **

43
Q

Laura wants to use a threat modeling tool to assess threats in her environment. Which of the following models has been abandoned by Microsoft and replaced with a new model?

A. DREAD
B. PASTA
C. STRIDE
D. ATASM

A

**Answer: **

44
Q

Aisha’s organization has deployed a cloud application security broker. Which of the following is not a typical purpose for a CASB to be deployed?

A. To control usage-based costs
B. To limit access based on service categories
C. To help limit the potential for sensitive data loss
D. To detect anomalous usage patterns

A

**Answer: **

45
Q

Kathleen wants to test potentially malicious software in a secure way. What cloud application architecture concept can she apply to help her do so?

A. An IPS
B. A SIEM
C. Sandboxing
D. Antivirus

A

**Answer: **

46
Q

Kieran’s team has deployed a CASB and wants to focus on data protection. Which of the following capabilities will most effectively help protect against third parties accessing data while it travels between Kieran’s on-premises location and their cloud vendors?

A. Encryption
B. Tokenization
C. Masking
D. Upload prevention

A

**Answer: **

47
Q

Selah is preparing a container to deploy her application to a cloud service provider’s containerization service. Which of the following components will not be included in the container?

A. The host kernel for the operating system
B. The libraries needed by the application
C. The configuration files for the application
D. The binaries belonging to the application

A

**Answer: **

48
Q

Olivia is preparing to generate API keys and knows that they need to have certain characteristics to be secure. Which of the following best describes an API key that will be considered secure?

A. Unique, random, and non-guessable
B. Unique, sequential, and traceable
C. Repeatable, sequential, and traceable
D. Repeatable, logged, and traceable

A

**Answer: **

49
Q

Ian is using a CASB to control usage of cloud services. He wants to ensure that users in his organization only use cloud services that are approved for their role. What two elements should he define in his rules to most effectively accomplish this?

A. Identity and activity
B. Activity and data
C. Identity and service
D. Service and data

A

**Answer: **

50
Q

Jack wants to use the ATASM model. Which of the following is not one of the key elements of an ATASM assessment?

A. Attacks
B. Threats
C. Architecture
D. Mitigations

A

**Answer: **

51
Q

Testing done on running code is known as what type of testing?

A. Dynamic
B. Automatic
C. Structured
D. Static

A

**Answer: **

52
Q

A web application firewall (WAF) can understand and act on what type of traffic?

A. Border Gateway Protocol (BGP)
B. Simple Mail Transfer Protocol (SMTP)
C. Internet Control Message Protocol (ICMP)
D. Hypertext Transfer Protocol (HTTP)

A

**Answer: **

53
Q

Henry wants to design his SDLC to help prevent the most common application security issues. Where in the SDLC should he insert controls to ensure that his application architecture is secure?

A. Analysis and requirements definition
B. Design
C. Deployment
D. Operations and maintenance

A

**Answer: **

54
Q

Jacinda’s manager has asked her to set up a sandbox environment to help validate third-party software before it is run. What should Jacinda prepare an environment to handle?

A. Optimizing the production environment by moving processes that are not frequently used into the sandbox
B. Allowing secure remote access for users who need resources in the cloud environment
C. Running malware for analysis purposes
D. Creating secure subnets of the production environment

A

**Answer: **

55
Q

Valerie wants to decouple her application infrastructure from her underlying operating system platforms to allow her to more easily migrate between cloud service providers. What type of solution will best fit her needs?

A. Use custom configured Linux virtual machines to host the application.
B. Use containers configured for the application to host the application.
C. Use the cloud provider’s native serverless infrastructures to host the applications.
D. Use default Linux systems with default configurations to host the application.

A

**Answer: **

56
Q

Gary wants to monitor privileged credential use in his Microsoft SQL Server environment, which he hosts with an IaaS provider. What type of tool should Gary select to help with this need?

A. A WAF
B. A database SIEM
C. A DB-IPS
D. A DAM

A

**Answer: **

57
Q

Paula wants to avoid denial-of-service attacks against her APIs. What controls should she select to most effectively provide this type of security?

A. Use an IPS and a scalable architecture.
B. Use a scalable architecture and set throttling limits and quotas.
C. Require authentication and use an IPS.
D. Require authentication and set throttling limits and quotas.

A

**Answer: **

58
Q

Sandboxing can often be used for ___________________.

A. Testing user awareness and training
B. Testing API security
C. Testing software before putting it into production
D. Testing software to validate its compliance with regulatory requirements

A

**Answer: **

59
Q

Jen wants to ensure that the encryption modules she is using in her application design are secure. What type of validation or certification should she look for?

A. PCI compliant
B. AES-cert
C. FIPS 140-2
D. GLBA validated

A

**Answer: **

60
Q

Kwame wants to limit the impact of potentially compromised secrets in his environment. What should he do to most effectively limit the issues compromised secrets can cause?

A. Extend secrets lifecycle.
B. Rotate secrets.
C. Replace secrets with tokens.
D. Implement a secret expiration list.

A

**Answer: **

61
Q

As part of her organization’s SDLC, Olivia is testing whether the business logic in a new application generates correct output. What type of testing is Olivia conducting?

A. Stress testing
B. Functional testing
C. Load testing
D. Nonfunctional testing

A

**Answer: **

62
Q

Olivia’s organization wants to adopt multifactor authentication. Which of the following MFA models is considered less secure than the others?

A. Hardware tokens
B. Mobile applications
C. SMS factors
D. USB tokens

A

**Answer: **

63
Q

Ben wants to validate open source software packages used in his environment. Which of the following is not a valid dynamic testing option?

A. Use manual security testing of the live application.
B. Use an application vulnerability scanner.
C. Use manual security testing of the source code.
D. Conduct unit and integration testing of the application.

A

**Answer: **

64
Q

Yariv’s abuse case testing has identified an issue with their web application that allows bots to conduct automated attacks. What type of protection could he implement to limit the impact of bots performing actions like this?

A. Filter known SQL injection attacks from web queries.
B. Use a CAPTCHA before allowing user actions.
C. Require users to log in before performing actions.
D. Prevent XSS by limiting special characters in form submissions.

A

**Answer: **

65
Q

Emily logs in to a third-party website using her Google credentials. What role is Google playing in the authentication process?

A. Google is the service provider.
B. Google is the storage provider.
C. Google is the authorization provider.
D. Google is the identity provider.

A

**Answer: **

66
Q

Software developers designing applications that allow access to protected customer information for the cloud should expect to include options to ensure all of the following capabilities except ___________________.

A. Encryption of data at rest
B. Encryption of data in transit
C. Data masking
D. Randomizing customer data

A

**Answer: **

67
Q

Kristen wants to filter her SAML traffic for potential attacks, including rate-limiting requests and validating content. Which of the following solutions is purpose-built for this type of security design?

A. A DAM with OpenID support
B. A SAML compliant IDS
C. An XML firewall
D. A WAF

A

**Answer: **

68
Q

Which of the following is not true about single sign-on (SSO)?

A. Reduction in password fatigue
B. Reduces password reuse
C. Prevents the use of multifactor authentication
D. Makes end-user credential management easier

A

**Answer: **

69
Q

What does static application security testing (SAST) examine?

A. Software outcomes
B. User performance
C. System durability
D. Source code

A

**Answer: **

70
Q

Angela wants to deploy multifactor authentication (MFA) for her organization and wants to integrate with her cloud provider. Which of the following MFA options is least likely to be easily supported by a cloud provider?

A. Hardware tokens
B. Biometric readers
C. Mobile applications
D. SMS factors

A

**Answer: **

71
Q

Christina is following a typical SDLC process and has completed the planning phase. What phase typically follows the Planning phase in most SDLCs?

A. Design
B. Deployment
C. Maintenance
D. Requirements Gathering

A

**Answer: **

72
Q

Annie’s organization uses a waterfall methodology for its SDLC. What description best fits a waterfall methodology?

A. Development efforts can move easily between phases to meet organizational needs.
B. The outcome of each phase serves as the input to the next phase.
C. Development efforts repeat in cycles until the development is complete.
D. The outcome of each phase determines whether the process moves forward or backward in the SDLC process.

A

**Answer: **

73
Q

During what phase of the SDLC are business requirements most likely to be mapped to how the software will be built?

A. Requirements Definition
B. Design
C. Testing
D. Secure Operations

A

**Answer: **

74
Q

Stress testing is a form of what type of testing?

A. Black box
B. Functional testing
C. White box
D. Nonfunctional testing

A

**Answer: **

75
Q

Gabriel’s organization wants to ensure that their open source software is properly licensed. What should they do?

A. Contact the authors of each component to request permission to use them.
B. Engage a third-party license management vendor to ensure compliance with the licenses.
C. Pay appropriate licensing fees to the licensing organization for each software component.
D. Review the licenses for each component to ensure they are in compliance.

A

**Answer: **

76
Q

Sofia is preparing a list of the likely attacks against her APIs. Which of the following is not a common attack against APIs?

A. Injection
B. Malware
C. Distributed denial-of-service
D. Credential stuffing

A

**Answer: **

77
Q

The SAFECode Fundamental Practices for Secure Software Development includes a section on handling errors. What common development best practice does it reference?

A. Providing too much information in errors.
B. Handling errors in a secure and graceful way.
C. Ensuring unanticipated errors are provided only to administrators.
D. Ensuring unanticipated errors are provided only to users.

A

**Answer: **

78
Q

Jason wants to use TLS to protect his organization’s production web traffic. Who should generate the x.509 certificate for his website?

A. Jason should generate it on the web servers.
B. Jason should use his company’s internal certificate authority.
C. Jason should use a commercial certificate authority.
D. Jason should generate the certificate on a separate administrative workstation used only for that purpose.

A

**Answer: **

79
Q

Lisa wants to ensure that the open source software package she has downloaded is legitimate. The software download site provides an SHA2 hash, a cryptographic signature, a file size, and a version number. Which of these options provides the greatest level of certainty?

A. The SHA2 hash
B. The cryptographic signature
C. The file size
D. The version number

A

**Answer: **

80
Q

James has created monitoring instrumentation for his application and uses the instrumentation to assess performance as well as function during the QA stage of his SDLC. What type of software validation methodology is he using?

A. IAST
B. Interactive DST
C. SCA
D. Structured DST

A

**Answer: **

81
Q

Michelle is using the SAFECode Fundamental Practices for Secure Software Development as an underlying foundation for her organization’s development practices. She wants to develop an encryption strategy and knows that SAFECode describes how to do so. Which of the following is not a best practice for developing an encryption strategy for applications according to SAFECode?

A. Ensuring encryption algorithms cannot be changed easily
B. Defining what to protect
C. Assessing what encryption mechanisms meet the organization's requirements
D. Deciding on a key management solution

A

**Answer: **

82
Q

In a platform as a service (PaaS) model, who should most likely be responsible for the security of the applications in the production environment?

A. Cloud customer
B. Cloud provider
C. Regulator
D. Programmers

A

**Answer: **

83
Q

James wants to test his software for business logic issues that knowledgeable users could use to take advantage of his software. What type of testing should he invest in?

A. Abuse case testing
B. Black box testing
C. Use case testing
D. White box testing

A

**Answer: **

84
Q

Frankie wants to implement single sign-on for her organization. Which of the following options is not commonly supported for SSO in cloud environments?

A. Cloud provider native SSO
B. Active Directory
C. SAML
D. LDAP

A

**Answer: **

85
Q

Regardless of which model the organization uses for system development, in which phase of the software development life cycle (SDLC) will user input be requested and considered?

A. Define
B. Design
C. Development
D. Detect

A

**Answer: **

86
Q

Pete is reviewing his environment based on the OWASP Cloud Native Application Security Top 10. He knows that container configuration is a top concern and has identified that his containers currently run as root. How can he remediate this issue?

A. Set the operating system to prevent root logins.
B. Set a non-privileged user as the container owner.
C. Set a non-privileged user as the process owner.
D. Use multifactor authentication for the root user.

A

**Answer: **

87
Q

Jessica’s quality assurance testing process involves identifying software flaws, including business logic flaws and other coding mistakes. What type of testing should she perform to most effectively identify underlying code quality issues?

A. Static testing
B. Black box testing
C. Dynamic testing
D. Software composition analysis

A

**Answer: **

88
Q

Which of the following is not checked when using the STRIDE threat model?

A. The ability of users to gain administrative access rights without proper permission
B. The ability of internal personnel to trigger business continuity/disaster recovery activities
C. The ability of a participant in a transaction to refute that they’ve taken part in the transaction
D. The ability of an unauthorized user to pretend to be an authorized user

A

**Answer: **

89
Q

Kathleen’s organization uses a microservices architecture to deliver its major applications. What type of security tool is best suited to providing security for microservices that rely on APIs and service discovery?

A. CASB
B. XML firewall
C. RPC gateway
D. API gateway

A

**Answer: **

90
Q

At which phase of the software development life cycle (SDLC) should security personnel first be involved?

A. Define
B. Design
C. Develop
D. Test

A

**Answer: **

91
Q

Tahir configures his organization’s QA environment to simulate logins for 25% more users than typically log in at the maximum usage for their major web application. Which term best describes the type of testing Tahir is conducting?

A. Dynamic, nonfunctional testing
B. Dynamic, functional testing
C. Static, functional testing
D. Static testing, nonfunctional testing

A

**Answer: **

92
Q

When Joanna logs into a service provider that her organization works with, the service provider sends a request to her organization’s identity provider to determine if she is already authenticated. If she is, the identity provider sends a token to the service provider confirming that she is authenticated, and her browser will pass a token to the service provider that is validated based on the trust relationship the service provider has with the identity provider. What type of infrastructure is Joanna using?

A. RDP
B. SSO
C. OTP
D. MFA

A

**Answer: **

93
Q

Ben’s team uses the STRIDE model to identify security threats. What security property does tampering impact in the STRIDE model?

A. Integrity
B. Confidentiality
C. Availability
D. Authorization

A

**Answer: **

94
Q

Carmen’s organization wants to provide awareness training using a community-based web application security guide. What community standard is best suited to this type of training?

A. ASVS
B. CVE
C. OWASP
D. NIST

A

**Answer: **

95
Q

Henry uses an IAST process as part of his SDLC. What SDLC phase is IAST most likely to occur in?

A. Planning
B. Building
C. Deployment
D. Testing

A

**Answer: **

96
Q

Malika wants to ensure that human error doesn’t influence the security of secrets in her organization. Which of the following practices will most effectively prevent human-related issues from influencing her secrets security?

A. Use a common passphrase word list in an automated CI/CD pipeline.
B. Require password complexity.
C. Generate passphrases randomly.
D. Exclusively use shared passphrases.

A

**Answer: **

97
Q

Frank knows that his organization intends to use federated identities as part of its cloud services environment. What standard should he ensure that his existing on-site identity management system supports to help with this?

A. SAML
B. FIPS 140-2
C. XML
D. FIM

A

**Answer: **

98
Q

James uses a CI/CD pipeline at the core of his development process. What design pattern should he use to ensure his QA process doesn’t impact production?

A. Add software going through QA to his production environment to allow live testing.
B. Create a new environment for QA testing, then promote to production after testing.
C. Replicate the production environment for QA testing, then promote to production after testing.
D. Add software to the QA environment for testing, then allow production users to access QA with instrumentation in place.

A

**Answer: **

99
Q

Tara’s organization uses a three-level application security verification standard, and requires that their most secure applications reach level 3 with in-depth validation and testing. What application security standard are they using?

A. ASVS
B. SAFECode
C. OWASP
D. SANS/CWE

A

**Answer: **