Procedures/Methodology

Question 1

What is the widely-adopted, peer-reviewed manual for operational security testing and analysis?

Answer 1

OSSTMM (Open Source Security Testing Methodology Manual)

Question 2

In what type of attack does the attacker craft an XML message with very large payloads, recursive content, excessive nesting, malicious external entities, or with malicious DTDs (Data Type Documents)?

Answer 2

XML denial of service

Question 3

Which attacks can be mitigated by time stamps and nonce?

Answer 3

Replay attacks

Question 4

What organization has as its official mission to promote U.S. innovation and industrial competitiveness?

Answer 4

National Institute of Standards and Technology (NIST)

Question 5

In which phase of Software Assurance Maturity Model do you execute a formal contract that guarantees non-disclosure of the client’s data and legal protection for the tester?

Answer 5

Preparation

Question 6

What is the CERT?

Answer 6

The Computer emergency response teams (CERT) are expert groups that handle computer security incidents.

Question 7

Other than Preparation and Conclusion, what is the third phase of the Software Assurance Maturity Model?

Answer 7

Conduct

Question 8

What are the two functions of key escrow?

Answer 8

To recover keys in the event the original keys are lost or deleted, and to provide access to the data to other third parties, such as law enforcement investigations

Question 9

What is the term for placing copies of private keys used to encrypt data in the safekeeping of a third party organization?

Answer 9

Key escrow

Question 10

What is the purpose of integrity hashes?

Answer 10

To verify that files have not been changed or altered

Question 11

What is the term for any method used to bypass multi-level security solutions?

Answer 11

Covert channel

Question 12

What is the name of the online community dedicated to web application security, known for their top 10 list of web vulnerabilities?

Answer 12

Open Web Application Security Project (OWASP)

Question 13

What is the term for hiding messages or information within other non-secret text or data?

Answer 13

Steganography

Question 14

Why should you reduce the amount of information provided in error messages?

Answer 14

To prevent information leakage

Question 15

Which type of penetration test requires the tester to have only limited knowledge of the target system(s)

Answer 15

Gray box

Question 16

What organization acts as a single point of contact for reporting security incidents in the US?

Answer 16

U.S. Computer Security Incident Response Team (CSIRT)

Question 17

In what scenarios should end-to-end security mechanisms like XMLEncryption, XMLSignature, and SAML assertions be used?

Answer 17

Where messages are routed through multiple intermediaries

Question 18

Which type of penetration test requires the test to have no knowledge of the target system(s)?

Answer 18

Black box

Question 19

In which phase of Software Assurance Maturity Model do you advise corrective action?

Answer 19

Conclusion

Question 20

Which type of penetration test requires the test to have complete knowledge of the target system(s)?

Answer 20

White box

Question 21

What is the term for a design with a front-end server, an application server, and a database server that as a group perform a single and unique role?

Answer 21

N-tier

Question 22

What are three mitigations to a XML DoS attack?

Answer 22

XML filters, XML gateways, and ensuring a robust XML parser

Question 23

In which phase of Software Assurance Maturity Model does the tester look for potential vulnerabilities?

Answer 23

Conduct

Question 24

What class of vulnerability is an XML denial of service attack?

Answer 24

Service oriented architecture (SOA) vulnerability