Performing Software Integration Flashcards
A security architect for a university wants to set up a federation method that is commonplace in their industry. Which federation method is routinely used by universities?
Shibboleth
Shibboleth is a federated identity method based on SAML and often used by universities and public service organizations.
A security code reviewer is setting up an environment for an organization that can analyze third-party libraries. Which type of environment should the reviewer set up?
Sandbox
Although the security code reviewer should also isolate environments from one another, a true sandbox environment is the best description of an environment for testing unknown third-party code. Such sandboxes are also known as malware analysis servers.
A security manager is looking for a solution that contains software to monitor and report the day-to-day operations of an enterprise and the status of various resources and activities. What should the security manager consider?
ERP
An enterprise resource planning (ERP) solution contains software that monitors the daily operations of an enterprise. The ERP also reports on the status of various resources and activities.
A security architect is reviewing password compliance within the organization. Which NIST standard can the security architect refer to for password compliance?
NIST 800-63
NIST SP 800-63 is the most recent password guidance issued by NIST. It deprecates some of the "traditional" elements of password policy and is worth reviewing and considering.
A systems administrator is working with a developer to upgrade to the latest version of Java, but first, the sysadmin wants to see whether changes in code have caused previously existing functionality to fail. What is this called?
Regression test
A regression test evaluates whether changes in code have caused previously existing functionality to fail.
A site developer has recently experienced issues with Cross-Site Script Inclusion attacks. Which of the following response headers could the site developer use to mitigate this attack?
CORP
A developer can set security options in the response headers that a web server returns to a client. One such header is Cross-Origin-Resource-Policy (CORP), which protects against speculative-execution side-channel attacks (such as Spectre) and Cross-Site Script Inclusion (XSSI) attacks.
A penetration tester is attempting to target core mechanisms that enable integration and orchestration of the entire information systems and technology landscape. Which of the following should the pen tester pursue?
APIs
Application Programming Interfaces (APIs) provide the core mechanisms that enable integration and orchestration of the entire information systems and technology landscape.
A systems engineer is working in conjunction with security and has set up a data loss prevention solution. The engineer wants to set a remediation action that will quarantine and replace files with a file describing the policy violation and how the user can release it. What should the systems engineer choose?
Tombstone
The tombstone action quarantines the original file and replaces it with a file describing the policy violation and how the user can release the original again.
A security architect is setting up various security mechanisms for a retail company that handles a considerable amount of credit card processing. What industry-standard data masking technique should the security architect recommend?
Tokenization
Tokenization is the industry standard to use in credit card processing scenarios. Tokenization describes using a token to represent sensitive data records, such as a credit card number.
A software development manager wants to integrate a development model for a company that will allow them to release small blocks of well-tested code to bring functionality to the business as soon as possible. What is this method called?
Agile
The more recent agile model uses iterative processes to release well-tested code in smaller blocks or units. In this model, development and provisioning tasks are conceived as continuous.
The vulnerability management lead has been enhancing the security posture year after year and is looking at security coding standards. What are some sources the management lead could recommend to the organization?
Carnegie-Mellon Software Engineering Institute and OWASP
The Carnegie-Mellon Software Engineering Institute is one source of secure coding standards for languages and platforms such as C, C++, Java, Perl, and Android.
OWASP has a vast library of guidance and information regarding secure coding practices. It covers several key areas such as input validation, output encoding, authentication management, and more.
A security architect is setting up access control and needs the most fine-grained type of access control model. Which one should the security architect use?
ABAC
Attribute-based Access Control (ABAC) is the most fine-grained type of access control model. ABAC systems are capable of making access decisions based on subject and object attributes plus any context-sensitive or system-wide attributes.