Siedel Chapter 6 Review Questions Flashcards
Which of the following is not a component of the STRIDE model?
A. Spoofing
B. Repudiation
C. Information disclosure
D. Exploitation
D. Exploitation
Explanation:
STRIDE stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege, not exploitation.
In a federated identity arrangement, which organization authorizes users to perform actions on systems or services?
A. The identity provider
B. The service provider
C. The token provider
D. All of the above
B. The service provider
Explanation:
Service providers manage authorization for their service and rely on the identity provider to authenticate users. Token provider is not a typical role in a federated identity arrangement.
Henry knows that MFA consists of at least two items and that they have to be of different types. Which of the following is a valid MFA option?
A. A complex password and a secret code
B. Complex passwords and an HSM
C. A hardware token and a magnetic strip card
D. A password and an application-generated PIN on a smartphone
D. A password and an application-generated PIN on a smartphone
Explanation:
MFA needs to be made up of different types of factors: something you know, something you have, or something you are, such as a biometric factor.
Amanda has been told the organization she is joining uses a sandbox as part of its CI/CD pipeline. With what SDLC phase is the sandbox most likely associated?
A. The design phase
B. The coding phase
C. The testing phase
D. The operations phase
C. The testing phase
Explanation:
Sandboxes are used to isolate code while it is running so that it can be tested. Amanda is likely to encounter the sandbox as part of the testing phase, when the organization wants to isolate its code while it undergoes QA and functional testing.
Yarif's organization uses a secrets management tool to handle its secrets lifecycle. Yarif wants to explain a typical secrets lifecycle to one of his staff. What order is typical for a secret?
A. Creation, revocation, rotation, expiration
B. Expiration, creation, rotation, expiration
C. Creation, rotation, revocation, expiration
D. Creation, rotation, expiration, revocation
C. Creation, rotation, revocation, expiration
Explanation:
A typical secrets lifecycle starts with creation, moves on to rotation, may include revocation if needed, and ends with expiration of the secret at the end of its lifecycle.
Heikka has deployed a web application firewall and is preparing to write policies to analyze traffic. Which of the following is not a typical filtering capability for WAFs?
A. Users
B. Privileged database use
C. Session information
D. Application-specific context
B. Privileged database use
Explanation:
Web application firewalls typically provide the ability to filter based on users, sessions, data sent and received, and application-specific context. Database activity monitoring (DAM) tools are used to monitor for privileged database use, among other useful data points for database security.
Lin wants to conduct nonfunctional testing of her organization's new application. Which of the following items is not tested by nonfunctional testing?
A. User acceptance
B. Stability
C. Performance
D. Quality
A. User acceptance
Explanation:
User acceptance is part of functional testing, not nonfunctional testing. Software quality, including its stability and performance, is tested by nonfunctional testing.
Software composition analysis tools are used to help protect against which of the following OWASP Top 10 Cloud Native Application Security issues?
A. CI/CD pipeline and software supply chain flaws
B. Injection flaws
C. Improper asset management
D. Insecure orchestration configurations
A. CI/CD pipeline and software supply chain flaws
Explanation:
CI/CD pipeline and software supply chain flaws cover somewhat different areas, but SCA tools are used to address software supply chain flaws. Software composition analysis checks which open source components are part of a software package, allowing security professionals and developers to protect against issues in the software supply chain by knowing what components they are using and relying on.
Joanna’s team of developers is reviewing source code to identify potential issues. What type of testing is Joanna’s team conducting?
A. Dynamic
B. Interactive
C. Black box
D. Static
D. Static
Explanation:
Static code review involves reviewing source code to identify issues. Dynamic testing is done with running code. Interactive testing is done by interacting with the code or application as a user would, and black box or zero knowledge testing involves testing as an attacker would, without any knowledge or detail of the environment or application.
Geoff’s organization has designed its application to rely on Docker. What type of application virtualization model has Geoff’s organization adopted?
A. Sandboxing
B. Containers
C. Microservices
D. Multitenancy
B. Containers
Explanation:
Docker is a container engine. Sandboxing is used to provide a safe, secure environment for testing or isolation. Microservices are small, independent services used to make up a larger service environment. Multitenancy is the concept of multiple users or organizations using the same infrastructure, typically through a virtualized management platform.
Jim’s organization uses the Waterfall SDLC model. What occurs after testing and debugging has been finished in the Waterfall model?
A. Quality assurance testing
B. Interactive software testing
C. Operational activities
D. Business validation
C. Operational activities
Explanation:
The last stage of the Waterfall model is the operational phase, which includes support and maintenance. Testing occurs in Phase 5, and business rule analysis is in Phase 2.
OWASP identifies cloud native application security risks. Which of the following should Jean identify as the most critical issue to address to ensure the security of her organization's SSH keys?
A. Injection flaws
B. Insecure secrets storage
C. Using components with known vulnerabilities
D. Ineffective logging and monitoring
B. Insecure secrets storage
Explanation:
SSH keys are a form of secrets, and Jean knows that keeping SSH keys secure is an important part of secure secrets storage.
The broad use of many small instances to allow applications to increase or decrease performance as needed is part of what cloud application development pitfall?
A. Scalability
B. Interoperability
C. Portability
D. API Security
A. Scalability
Explanation:
Scalability for cloud applications often relies on the ability to easily add or remove small instances to provide more resources as needed. Interoperability is the ability to work across platforms, services, or systems and doesn't use many small instances to function. Similarly, portability allows software to move between environments without requiring specific APIs.
Which of the following is not a common threat to cloud applications that should be considered during threat modeling?
A. Firmware vulnerabilities
B. Broken authentication
C. Sensitive data exposure
D. Using components with known vulnerabilities
A. Firmware vulnerabilities
Explanation:
Since cloud applications run on virtualized infrastructure in most cases, firmware vulnerabilities are not considered a common threat to cloud applications. Broken authentication, sensitive data exposure issues, and components with known vulnerabilities are all common threats to applications.
Murali is using the Process for Attack Simulation and Threat Analysis (PASTA) framework as part of his organization's security processes. He has just completed Stage 3, factoring applications and identifying application controls. What will he do next in Stage 4?
A. He will analyze and model attacks
B. He will define business objectives
C. He will perform threat analysis based on threat intelligence
D. He will run vulnerability scans
C. He will perform threat analysis based on threat intelligence
Explanation:
Stage 4 in PASTA involves performing threat analysis based on threat intelligence, after Stage 3's factoring of applications and identification of application controls.