9-Software and Hardware Development Security
An XML-based web services protocol that is used to exchange messages. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)
Simple Object Access Protocol (SOAP)
Which of the following is a chip built into a system to secure hardware through integrated cryptographic keys? A)Trusted foundry B)Trusted Platform Module C)Hardware security model D)Self-encrypting drive
Trusted Platform Module
A type of software testing to ensure that changes that have been made do not create new issues. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)
regression testing
Prevents the reverse engineering or modification of software or an application and is used successfully with licensing platforms to harden the licensing against strong attacks A)Bus encryption B)SED (self-encrypting drive) C)Anti-tamper
Anti-tamper
Focuses on making resources available and doesn't rely on any planning or process A)Waterfall B)Spiral C)RAD (Rapid Application Development) D)Big Bang
Big Bang
Which of the following Open Web Application Security Project (OWASP) best practices is satisfied using TLS to protect application traffic? A)Validate all inputs B)Protect data C)Parameterize queries D)Encode data
Protect data
Ensures that a system breach does not result in broader issues A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability
Securing sensitive information
SOA (service-oriented architecture) includes service providers; service registries or service brokers, which provide listings and information about service providers; and service consumers, who access services. A)True B)False
True
SOA (service-oriented architecture) provides services to components of a system or service via communication protocols on a network. A)True B)False
True
Refers to a sequential model in which each phase is followed by the next phase of the software development process A)Waterfall B)Spiral C)RAD (Rapid Application Development) D)Big Bang
Waterfall
A hard drive that encrypts the content held within the drive using encryption keys maintained independently from the CPU of the host computer. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)
self-encrypting drive (SED)
A framework defining tasks performed at each step in the software development process. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)
software development life cycle (SDLC)
Requires two full-time developers, one of whom writes the code and explains it to the other developer A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code
Over-the-shoulder
Relies on functional components of the code being developed in parallel and then integrated to produce a finished product A)Waterfall B)Spiral C)RAD (Rapid Application Development) D)Big Bang
RAD (Rapid Application Development)
Which of the following flaw types occurs when an application needs to take action on an object that may be sensitive to what is occurring, or has occurred, to that object? A)Dereferencing B)Race condition C)Insecure function D)Improper error handling
Race condition
A methodology that focuses on developing applications rapidly through frequent iterations and continuous feedback. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)
Rapid Application Development (RAD)
During a web application test, Ben, an application developer, prepares a report for the issues reported during the testing of the application. He discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report in the given scenario? A)SQL injection B)Code exposure C)Improper error handling D)A default configuration issue
Improper error handling
Kathleen works as a project manager in an organization. She wants to build a public API for a modern service-oriented architecture. Which of the following models is likely Kathleen's best choice to build this architecture in the given scenario? A)Simple Object Access Protocol (SOAP) B)Representational State Transfer (REST) C)Rapid Application Development (RAD) D)Security assertion markup language (SAML)
Representational State Transfer (REST)
Every time Susan checks code into her organization's code repository, it is tested and validated, and if accepted it is immediately put into production. In which of the following methodologies is Susan operating? A)Agile development B)Security nightmare C)Continuous delivery D)Continuous integration
Continuous delivery
Which type of attack is typically associated with the strcpy function? A)Race condition B)Pointer dereferencing C)Buffer overflow D)SQL injection
Buffer overflow
Matt works as a security analyst in an organization. He is building a device and wants to prevent attackers from capturing data by directly connecting to the hardware communications components of the device. Which technique should Matt use to make sure that communications between the processor and other chips are not vulnerable? A)Bus encryption B)Self-encrypting drive C)Trusted Platform Module D)Hardware security module
Bus encryption
Protects data traveling inside a system or a device and relies on built-in cryptographic processing capabilities to secure information as it flows from one component to another A)Bus encryption B)SED (self-encrypting drive) C)Anti-tamper
Bus encryption
Prevents outages and limits the impact of denial-of-service attacks A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability
Ensuring availability
A form of structured and formal code review intended to find a variety of problems during the development process of a product. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)
Fagan inspection
SOA (service-oriented architecture) does not allow loosely coupled components to communicate in a standardized way by not allowing them to consume and provide data to other components. A)True B)False
False
SOA (service-oriented architecture) includes various protocols, such as PPTP (Point-to-Point Tunneling Protocol), RDP (Remote Desktop Protocol), and REST (Representational State Transfer). A)True B)False
False
Inserts defects into error handling mechanisms that are rarely used A)Fuzzing B)Regression testing C)Mutation testing D)Fault injection
Fault injection
Which type of testing focuses on inserting errors into the error handling process and path in an application? A)Dynamic code analysis B)Fault injection C)Fuzzing D)Stress testing
Fault injection
Uses a team of experts to fully review the code in-depth A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code
Formal code
Sends invalid or random data to an application to test its ability to handle unexpected data A)Fuzzing B)Regression testing C)Mutation testing D)Fault injection
Fuzzing
Gabby works as a software tester in an organization. She wants to insert data into the response received by her web browser from a web application. She also wants to easily make manual changes to the data sent from the web browser when she interacts with the website. Which type of tool should Gabby use to make these changes in the given scenario? A)WAF B)Fuzzer C)Interception proxy D)Sniffer
Interception proxy
Which process is used to ensure that an application can handle very high numbers of concurrent users or sessions? A)Mutation testing B)Fault injection C)Fuzzing D)Load testing
Load testing
Limits the impact of credential compromises A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability
Multifactor authentication
Identifies problems with test data and scripts by finding areas where scripts do not fully test for possible issues A)Fuzzing B)Regression testing C)Mutation testing D)Fault injection
Mutation testing
Needs two full-time developers at one workstation, one of whom writes the code while the other developer reviews it A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code
Pair programming
Precompiled SQL statements that only require variables for the input are an example of which type of application security control? A)Parameterized queries B)Encoding data C)Input validation D)Appropriate access controls
Parameterized queries
Kristen works as a software tester in an organization. She wants to implement a code review but has a distributed team that works in different shifts during the day. She also does not want to create any additional support load for her team with new development environment applications. Which type of review process will work best for Kristen's needs in the given scenario? A)Pair programming B)Pass-around C)Over-the-shoulder D)Tool-assisted
Pass-around
Involves multiple reviewers who have different expertise and experience, contributing their knowledge A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code
Pass-around code
Charles works as a security analyst in an organization. He is worried about users conducting SQL injection attacks. Which of the following solutions will best address Charles's concerns in the given scenario? A)Performing user input validation B)Implementing Transport Layer Security C)Using secure session management D)Enabling logging on the database
Performing user input validation
What are the phases of the SDLC in order? A)Validate and release the project. B)Plan a project and gather requirements. C)Accredit the project. D)Perform change management and configuration management. E)Design and develop the project.
Plan a project and gather requirements. Design and develop the project. Validate and release the project. Accredit the project. Perform change management and configuration management.
Ensures that no new vulnerabilities, misconfigurations, or other issues have been introduced A)Fuzzing B)Regression testing C)Mutation testing D)Fault injection
Regression testing
Sam works as a software developer in an organization. He is working on improving a web application, and as part of that work a major patch is released. After the release of the patch, Sam runs the security scanner against the web application to verify that it is still secure. Which of the following processes is Sam conducting in the given scenario? A)Whiffing B)Stress testing C)Regression testing D)Code review
Regression testing
During the Fagan code inspection, which stage can redirect to the planning stage? A)Rework B)Meeting C)Preparation D)Overview
Rework
Performs the data encryption and decryption operations on a dedicated crypto processor and stores the encryption key on the disk itself, which makes it less exposed to theft A)Bus encryption B)SED (self-encrypting drive) C)Anti-tamper
SED (self-encrypting drive)
Susan works as a senior software developer in an organization. Her team has been writing code for a major project for a year and recently released its third version of this code. During a post-implementation regression test, an issue that was originally seen in version 1 reappeared. Which of the following should Susan implement to avoid this issue in the future? A)Source control management B)Pair programming C)Web application firewall D)Stress testing
Source control management
Reviews risks multiple times during the software development process A)Waterfall B)Spiral C)RAD (Rapid Application Development) D)Big Bang
Spiral
A user is conducting software testing by reviewing the source code of an application. What type of software testing is the user conducting in the given scenario? A)Mutation B)Fuzzing C)Dynamic code analysis D)Static code analysis
Static code analysis
During a testing process, Tiffany, a network administrator, slowly increases the number of connections to an application until it fails. Which of the following testing processes is Tiffany performing? A)Stress B)Unit C)Regression D)Fagan
Stress
Relies on formal or informal software-based tools that reflect the many stages of the software development life cycle A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code
Tool-assisted
A dedicated microcontroller designed to secure hardware through integrated cryptographic keys, which include passwords, certificates, and encryption keys. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)
Trusted Platform Module (TPM)
Which of the following processes checks to ensure that the functionality of an application or software meets customer needs? A)UAT B)Stress testing C)Regression testing D)Unit testing
UAT
Prevents a wide range of problems from cross-site scripting to SQL injection attacks A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability
User input validation
A sequential model in which each phase is followed by the next phase. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)
Waterfall software development life cycle (SDLC)
Prevents attacks against vulnerable programs A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability
Web application firewall
An automated testing technique in which a range of inputs is provided to software to look for problems such as buffer overflows, crashes, unexpected behavior, and so forth. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)
fuzzing
A tool for estimation and planning used in Agile development processes. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)
planning poker