Module 26 - Application Hardening - Q&A Flashcards

1
Q

Which of the following are valid considerations in secure coding practices? (Choose two.)
A. Error handling
B. Input validation checking
C. Host OS authentication
D. Network device encryption algorithm negotiation

A

A, B. Both error handling and input validation are valid considerations in secure coding practices.

2
Q
Which of the following is an important aspect of standardizing the final operational, secure build of an application?
A. Input validation
B. Boundary checking
C. Baselining
D. Secure coding
A

C. Baselining is the process of standardizing the final operational, secure build of an application.

3
Q

Which of the following should be accomplished before installing a patch on a production application?
A. Patches should be tested on applications in a nonproduction environment.
B. End-users should be asked for approval.
C. Encryption support for network-based applications should be checked.
D. Application fuzzing should occur.

A

A. Patches should be tested on applications in a nonproduction environment before installing them in production.

4
Q

Your manager wants you to grant administrative-level permissions for a particular application to a group of users in the organization. This application is network-enabled and processes very sensitive data. The users in the group are not all technically knowledgeable, and you are often called to clean malware infections from their systems. When you explain to the manager why this is not a good security practice, which of the following alternatives could you give her? (Choose two.)
A. Assign administrative permissions to the application only to a few needed technically knowledgeable users.
B. Assign all users administrative permissions to the application.
C. Assign the manager administrative permissions to the application.
D. Assign all non-technical users only the permissions needed to perform their job functions in the application.

A

A, D. In this scenario, you do not want to assign all users administrative-level permissions, nor does the manager need those permissions. You should consider assigning a few select technically knowledgeable users appropriate administrative-level permissions to assist with administering the application, and assign all other users, particularly the non-technical ones, only the permissions needed to perform their authorized job functions, so that the risk of exposing sensitive data to the network or through a malware infection is reduced.

5
Q
Which of the following does an application-aware security device focus on when examining network traffic?
A. Protocol
B. Port
C. Source IP address
D. Content
A

D. An application-aware security device focuses on traffic content when examining network traffic.

6
Q
Which of the following is a vulnerability testing method that is specifically used on applications?
A. Humping
B. Fuzzing
C. Poking
D. Jabbing
A

B. Fuzzing is a vulnerability testing method that is specifically used on applications.

7
Q

All of the following would be considerations in implementing a NoSQL database, except:
A. Maturity level of NoSQL database systems
B. Lack of common interfaces with NoSQL systems
C. Robust security measures built into NoSQL systems
D. Database performance

A

C. Robust security measures are not built into NoSQL systems; that is a significant difference between them and traditional SQL-based systems.

8
Q
Which of the following would be considered a more secure way of input validation?
A. Add-on validation
B. Server-side validation
C. Client-side validation
D. Browser validation
A

B. Server-side validation would be considered a more secure way of input validation.

9
Q

Which of the following are common ways to prevent XSS attacks? (Choose two.)
A. Restrict the creation and use of session cookies during secure sessions.
B. Encrypt all browser sessions.
C. All input data from user forms is processed as data, rather than as executable code.
D. Use XSS filters to check for different types of attacks.

A

C, D. Writing application code that treats all input as text versus executable code and using XSS filters are common ways to prevent XSS attacks.

10
Q
Which of the following attacks is an attempt to steal authentication information from session cookies during the user's current browsing session?
A. Cross-site request forgery
B. SQL injection
C. NoSQL injection
D. Cross-site scripting
A

A. Cross-site request forgery is an attempt to steal authentication information from session cookies during the user's current browsing session.
