9-Software and Hardware Development Security

An XML-based web services protocol that is used to exchange messages. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)

Simple Object Access Protocol (SOAP)

Which of the following is a chip built into a system to secure hardware through integrated cryptographic keys? A)Trusted foundry B)Trusted Platform Module C)Hardware security model D)Self-encrypting drive

Trusted Platform Module

A type of software testing to ensure that changes that have been made do not create new issues. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)

regression testing

Prevents the reverse-engineering or modification of software or an application and is used successfully with licensing platforms to harden the licensing against strong attacks A)Bus encryption B)SED (self-encrypting drive) C)Anti-temper

Anti-temper

Focuses on making resources available and doesn't rely on any planning or process A)Waterfall B)Spiral C)RAD (Rapid Application Development) D)Big Bang

Big Bang

Which of the following Open Web Application Security Project (OWASP) best practices is satisfied using TLS to protect application traffic? A)Validate all inputs B)Protect data C)Parameterize queries D)Encode data

Protect data

Ensures that a system breach does not result in broader issues A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability

Securing sensitive information

SOA (service-oriented architecture) includes service providers, service registries, or service brokers, which provide listings and information about service providers and consumers, who access services. A)True B)False

True

SOA (service-oriented architecture) provides services to components of a system or service via communication protocols on a network. A)True B)False

True

Refers to a sequential model in which each phase is followed by the next phase of the software development process A)Waterfall B)Spiral C)RAD (Rapid Application Development) D)Big Bang

Waterfall

A hard drive that encrypts the content held within a drive using encryption keys maintained independently from the CPU of a housing computer. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)

self-encrypting drive (SED)

A framework defining tasks performed at each step in the software development process. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)

software development life cycle (SDLC)

Requires two full-time developers in which one developer writes the code and explains it to the other developer A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code

Over-the-shoulder

Relies on functional components of the code being developed in parallel and then integrated to produce a finished product A)Waterfall B)Spiral C)RAD (Rapid Application Development) D)Big Bang

RAD (Rapid Application Development)

Which of the following flaw types is an application that needs to take action on an object that may be sensitive to what is occurring or has occurred to that object? A)Dereferencing B)Race condition C)Insecure function D)Improper error handling

Race condition

A methodology that focuses on developing applications rapidly through frequent iterations and continuous feedback. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)

Rapid Application Development (RAD)

During a web application test, Ben, an application developer, prepares a report for the issues reported during the testing of the application. He discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report in the given scenario? A)SQL injection B)Code exposure C)Improper error handling D)A default configuration issue

Improper error handling

Kathleen works as a project manager in an organization. She wants to build a public API for modern service-oriented architecture. Which of the following models is likely Kathleen's best choice to build this architect in the given scenario? A)Simple Object Access Protocol (SOAP) B)Representational State Transfer (REST) C)Rapid Application Development (RAD) D)Security assertion markup language (SAML)

Representational State Transfer (REST)

Every time Susan checks code into her organization's code repository, it is tested, validated, then if accepted it is immediately put into production. In which of the following methodologies is Susan operating? A)Agile development B)Security nightmare C)Continuous delivery D)Continuous integration

Continuous delivery

Which type of attack is typically associated with the strcpy function? A)Race condition B)Pointer dereferencing C)Buffer overflow D)SQL injection

Buffer overflow

Matt works as a security analyst in an organization. He is building a device and wants to prevent attackers from capturing data by directly connecting to the hardware communications components of the device. Which technique should Matt use to make sure that communications between the processor and other chips are not vulnerable? A)Bus encryption B)Self-encrypting drive C)Trusted Platform Module D)Hardware security module

Bus encryption

Protects data traveling inside a system or a device and relies on built-in cryptographic processing capabilities to secure information as it flows from one component to another A)Bus encryption B)SED (self-encrypting drive) C)Anti-temper

Bus encryption

Prevents outages and limits the impact of denial-of-service attacks A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability

Ensuring availability

A form of structured and formal code review intended to find a variety of problems during the development process of a product. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)

Fagan inspection

SOA (service-oriented architecture) does not allow loosely coupled components to communicate in a standardized way by not allowing them to consume and provide data to other components. A)True B)False

False

SOA (service-oriented architecture) includes various protocols, such as PPTP (Point-to-Point Tunneling Protocol), RDP (Remote Desktop Protocol), and REST (Representational State Transfer). A)True B)False

False

Inserts defects into error handling mechanisms that are rarely used A)Fuzzing B)Regression testing C)Mutation testing D)Fault injection

Fault injection

Which type of testing focuses on inserting errors into the error handling process and path in an application? A)Dynamic code analysis B)Fault injection C)Fuzzing D)Stress testing

Fault injection

Uses a team of experts to fully review the code in-depth A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code

Formal code

Sends invalid or random data to an application to test its ability to handle unexpected data A)Fuzzing B)Regression testing C)Mutation testing D)Fault injection

Fuzzing

Gabby works as a software tester in an organization. She wants to insert the data into the response received from her web browser to a web application. She wants to easily make manual changes into the data sent from the web browser when she interacts with the website. Which type of tool should Gabby use to make these changes in the given scenario? A)WAF B)Fuzzer C)Interception proxy D)Sniffer

Interception proxy

Which process is used to ensure that an application can handle very high numbers of concurrent users or sessions? A)Mutation testing B)Fault injection C)Fuzzing D)Load testing

Load testing

Limits the impact of credential compromises A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability

Multifactor authentication

Identifies problems with test data and scripts by finding areas where scripts do not fully test for possible issues A)Fuzzing B)Regression testing C)Mutation testing D)Fault injection

Mutation testing

Needs two full-time developers at one workstation in which one developer writes the code and the other developer reviews it A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code

Pair programming

Precompiled SQL statements that only require variables for the input are an example of which type of application security control? A)Parameterized queries B)Encoding data C)Input validation D)Appropriate access controls

Parameterized queries

Kristen works as a software tester in an organization. She wants to implement a code review but has a distributed team that works in different shifts during the day. She also does not want to create any additional support load for her team with new development environment applications. Which type of review process will work best for Kristen's needs in the given scenario? A)Pair programming B)Pass-around C)Over-the-shoulder D)Tool-assisted

Pass-around

Involves multiple reviewers who have different expertise and experience, contributing their knowledge A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code

Pass-around code

Charles works as a security analyst in an organization. He is worried about users conducting SQL injection attacks. Which of the following solutions will best address Charles's concerns in the given scenario? A)Performing user input validation B)Implementing Transport Layer Security C)Using secure session management D)Enabling logging on the database

Performing user input validation

What are the phases of the SDLC in order? A)Validate and release the project. B)Plan a project and gather requirements. C)Accredit the project. D)Perform change management and configuration management. E)Design and develop the project.

Plan a project and gather requirements. Design and develop the project. Validate and release the project. Accredit the project. Perform change management and configuration management.

Ensures that no new vulnerabilities, misconfigurations, or other issues have been introduced A)Fuzzing B)Regression testing C)Mutation testing D)Fault injection

Regression testing

Sam works as a software developer in an organization. He is working on a web application for its improvement. For the improvement of the web application, a major patch is released. After the release of the patch, Sam proceeds to run the security scanner against the web application to verify that it is still secure. Which of the following processes is Sam conducting in the given scenario? A)Whiffing B)Stress testing C)Regression testing D)Code review

Regression testing

During the Fagan code inspection, which stage can redirect to the planning stage? A)Rework B)Meeting C)Preparation D)Overview

Rework

Performs the data encryption and decryption operations on a dedicated crypto processor and stores an encryption key on a disk itself, which makes it less exposed to theft A)Bus encryption B)SED (self-encrypting drive) C)Anti-temper

SED (self-encrypting drive)

Susan works as a senior software developer in an organization. Her team has been writing code for a major project for a year and recently released its third version of this code. During a post-implementation regression test, an issue that was originally seen in version 1 reappeared. Which of the following should Susan implement to avoid this issue in the future? A)Source control management B)Pair programming C)Web application firewall D)Stress testing

Source control management

Reviews risks multiple times during the software development process A)Waterfall B)Spiral C)RAD (Rapid Application Development) D)Big Bang

Spiral

A user is conducting software testing by reviewing the source code of an application. What type of software testing is the user conducting in the given scenario? A)Mutation B)Fuzzing C)Dynamic code analysis D)Static code analysis

Static code analysis

During a testing process, Tiffany, a network administrator, slowly increases the number of connections to an application until it fails. Which of the following testing processes is Tiffany performing? A)Stress B)Unit C)Regression D)Fagan

Stress

Relies on formal or informal software-based equipment that reflects the multitude of the software development life cycle A)Over-the-shoulder B)Tool-assisted C)Pass-around code D)Pair programming E)Formal code

Tool-assisted

A dedicated microcontroller designed to secure hardware through integrated cryptographic keys, which include passwords, certificates, and encryption keys. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)

Trusted Platform Module (TPM)

Which of the following processes checks to ensure that the functionality of an application or software meets customer needs? A)UAT B)Stress testing C)Regression testing D)Unit testing

UAT

Prevents a wide range of problems from cross-site scripting to SQL injection attacks A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability

User input validation

A sequential model in which each phase is followed by the next phase. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)

Waterfall software development life cycle (SDLC)

Prevents attacks against vulnerable programs A)User input validation B)Web application firewall C)Multifactor authentication D)Securing sensitive information E)Ensuring availability

Web application firewall

An automated testing technique in which a range of inputs is provided to software to look for problems such as buffer overflows, crashes, unexpected behavior, and so forth. A)Simple Object Access Protocol (SOAP) B)Trusted Platform Module (TPM) C)self-encrypting drive (SED) D)fuzzing E)Rapid Application Development (RAD)

fuzzing

A tool for estimation and planning used in Agile development processes. A)planning poker B)Waterfall software development life cycle (SDLC) C)regression testing D)Fagan inspection E)software development life cycle (SDLC)

planning poker