Secure Programming Exam 3
Use singleton objects when a common object or task will be used across multiple use cases for the same reason. (T/F)
true
Web 2.0 is a term used to describe the transitional status of today's Web applications. (T/F)
true
What you choose to tell the user in error messages is up to you, but it should specifically benefit them. (T/F)
true
What type of list defines only accepted input values?
whitelist
What type of report is reactive?
Incident report (reactive measures respond to an incident after it happens; monitoring error logs is the proactive counterpart)
What is the best way to turn off DEBUG statements in the code?
Automate it with a script rather than editing each statement by hand
Which program language is vulnerable to a buffer overflow attack?
C/C++
What type of errors does integration testing find?
Class/method interaction errors (problems at the interfaces between linked modules)
What is it called when existing bodies of logic are broken up and moved into many smaller bodies of code?
Code refactoring
What are people-intensive verification techniques that are conducted either formally or informally that allow peers to read code statements and look for common security vulnerabilities, such as hard-coded IDs or passwords, and general quality features?
Code reviews
What type of errors are found in syntax?
Compile-time errors
What is the grouping and storing of data inside a single object?
Encapsulation
When should an incident report be released?
Immediately
What test is when two or more modules or platforms are linked together and tested?
Integration testing
What type of errors does unit testing find?
Logic errors
What is the best way to be proactive in solving application errors?
Monitoring error logs
If someone were to ask you to prove that your application is secure, what would the Misuse cases prove?
Proves that threat analysis and investigation was done looking for ways to break the software
What is the Holodeck tool used for?
Reliability testing
How can an application alert stakeholders of invasion?
SMS (text-message) alerts
What design pattern forces the server to create only one object in its heap, thus making the server run very efficiently while using minimum RAM?
Singleton design pattern
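Worked example for the singleton cards above (added here, not part of the original study set): a connection pool that the whole server shares. The class name, the leases counter and the construction counter are assumptions made for the illustration; the construction counter exists only so the example can show that two calls to instance() build the object exactly once.

```cpp
#include <iostream>

// Singleton: one shared object for a resource every use case needs for the
// same reason (here a connection pool).  Construction happens on the first
// call to instance(); C++11 guarantees the static local is initialized once
// even when several threads race to it.
class ConnectionPool {
public:
    static ConnectionPool& instance() {
        static ConnectionPool pool;   // the single object on the heap/static storage
        return pool;
    }

    // Copying would defeat the pattern, so forbid it outright.
    ConnectionPool(const ConnectionPool&) = delete;
    ConnectionPool& operator=(const ConnectionPool&) = delete;

    int acquire() { return ++leases_; }           // hand out one lease
    int leases() const { return leases_; }        // leases handed out so far
    static int constructions() { return constructions_; }

private:
    ConnectionPool() { ++constructions_; }        // private: only instance() may build it
    int leases_ = 0;
    static int constructions_;                    // assumed counter, for demonstration only
};

int ConnectionPool::constructions_ = 0;

int main() {
    ConnectionPool& a = ConnectionPool::instance();
    ConnectionPool& b = ConnectionPool::instance();
    a.acquire();
    b.acquire();
    std::cout << "same object: " << (&a == &b)
              << ", constructions: " << ConnectionPool::constructions()
              << ", leases: " << a.leases() << '\n';
    return 0;
}
```

The singleton is global mutable state: if several threads call acquire(), the counter (and any real pool bookkeeping) needs a mutex. The pattern saves memory and gives one place to configure credentials and timeouts, but it is not a substitute for that locking.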
What defines how effective security is tested and implemented within the software?
Software assurance
What type of errors do compilers find?
Syntax errors
What type of test involves a complete front-to-back execution of the entire application?
System test
Software assurance means?
That you have a process in place and a plan of action to ensure that the software that is written is secure
What do sensing activities include?
Tools to monitor, test, and review code
Why is it important to network with peers in this field?
You never know where your next project will come from
What type of list defines bad input values?
blacklist
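Worked example for the whitelist and blacklist cards (added here, not code from the original study set): the same input run through a deny-list check and an allow-list check. The username rule (1 to 32 characters from A-Z, a-z, 0-9 and underscore) and the set of "bad" characters in the deny list are assumptions chosen for the illustration; the sample inputs in main() are constructed.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Deny list (blacklist): reject inputs containing characters the author
// thought of.  Anything not on the list - URL-encoded quotes, path traversal,
// a syntax nobody anticipated - passes.
bool denylist_ok(const std::string& input) {
    const std::string bad = "'\"<>;";
    for (char c : input) {
        if (bad.find(c) != std::string::npos) return false;
    }
    return true;
}

// Allow list (whitelist): accept only what the field is defined to contain.
// Everything else is rejected, including encodings and characters that were
// never considered when the rule was written.
bool allowlist_ok(const std::string& input) {
    if (input.empty() || input.size() > 32) return false;
    for (unsigned char c : input) {
        if (!(std::isalnum(c) || c == '_')) return false;
    }
    return true;
}

int main() {
    // Constructed sample inputs.
    const std::string samples[] = {
        "alice",                    // legitimate
        "bob'--",                   // obvious quote injection
        "alice%27%20OR%201%3D1",    // same attack, URL-encoded
        "../../etc/passwd",         // traversal: no "bad" characters at all
    };
    for (const std::string& s : samples) {
        std::cout << s << "  denylist=" << denylist_ok(s)
                  << "  allowlist=" << allowlist_ok(s) << '\n';
    }
    return 0;
}
```

The encoded and traversal inputs sail through the deny list because none of the listed characters appear literally; the allow list rejects both without needing to know what attack they represent.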
A system test involves only a portion of the application. (T/F)
false
Ajax does not have any security vulnerabilities. (T/F)
false
Internal threats don't pose any real problems and do not need to be considered. (T/F)
false
Not every request that comes into the application should be treated as a potential attack. (T/F)
false
Once the project is in maintenance mode, the developer can relax a little with the details of the requirement process. (T/F)
false
Penetration testing is a very rare practice in the security field. (T/F)
false
Software assurance means that your code is secure. (T/F)
false
Spaghetti code is rather inexpensive to maintain. (T/F)
false
The more complexity that is added to the system, the more secure it becomes. (T/F)
false
There is only one type of error in application development: compile-time errors. (T/F)
false
What is tested when the application produces correct results despite being under attack?
Resiliency (the software's reliability while under attack)
Where do most attacks to software come from?
idk
Manually going into the source code and forcing an error or attack is called?
source-based fault injections
A testing script needs to be created for every possible situation and attack that the program could encounter. (T/F)
true
After the debug methods are built into the program, they can be called anywhere at anytime within the program you need to test. (T/F)
true
Application errors expose a lot of information about the code and its environment. (T/F)
true
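Worked example for the error-message cards above (added here, not from the original study set): the same exception rendered two ways, a leaky message that echoes internals to the user, and a split report that gives the user only a correlation ID while the detail goes to the error log. The ErrorReport type, the request-ID format and the sample exception text are assumptions made for the illustration.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

struct ErrorReport {
    std::string user_message;  // returned to the caller / rendered in the UI
    std::string log_entry;     // written to the protected error log only
};

// Leaky: echoes the exception text straight back.  Paths, table names,
// driver versions and hostnames in that text describe the environment to
// whoever triggered the error.
std::string leaky_message(const std::exception& e) {
    return std::string("Error: ") + e.what();
}

// Split the error in two.  The user gets a generic message plus a reference
// they can quote to support (that is the part that benefits them); the full
// detail is logged under the same reference so an operator can match the two.
ErrorReport report_error(const std::exception& e, const std::string& request_id) {
    ErrorReport r;
    r.user_message = "Your request could not be completed. "
                     "Quote reference " + request_id + " when contacting support.";
    r.log_entry = "level=error request_id=" + request_id +
                  " detail=\"" + std::string(e.what()) + "\"";
    return r;
}

int main() {
    // Constructed sample: the kind of detail a database layer throws.
    std::runtime_error e("open /var/lib/app/db.sqlite: permission denied");
    ErrorReport r = report_error(e, "req-8f3a");   // assumed request-ID format
    std::cout << "leaky:   " << leaky_message(e) << '\n'
              << "to user: " << r.user_message << '\n'
              << "to log:  " << r.log_entry << '\n';
    return 0;
}
```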
Code refactoring occurs when existing bodies of logic are broken up and moved into many smaller bodies of code. (T/F)
true
Code reviews, if conducted right can have a very positive effect on the team. (T/F)
true
Coding for resiliency means accepting the fact that something bad will happen and that when it does, you will be ready. (T/F)
true
Exception handling is the cornerstone for all secure code. (T/F)
true
Fuzz testing and reliability testing are conducted during system testing. (T/F)
true
It is best to wait to add debugging techniques to the code when the code is broken. (T/F)
false
Keeping a daily journal is a waste of time and has no place on your project. (T/F)
false
Learning new technologies and networking with your peers are two ways to show initiative. (T/F)
true
Logging user traffic, events and data flow is one of the best analysis techniques you can do for an application. (T/F)
true
Making something bad happen actually tests the dependencies and resiliency of the software. (T/F)
true
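Worked example for the source-based fault injection card and the resiliency cards above (added here, not code from the original study set): a role lookup whose directory dependency is passed in as a callable, so a test can swap in a dependency that throws and check that the program fails closed. The function names, the role strings and the sample users are assumptions made for the illustration.

```cpp
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>

// The dependency is a callable parameter, so a fault can be injected at the
// source without touching the production code path.
using Lookup = std::function<std::string(const std::string&)>;

// Production behaviour: ask the directory for the user's role.  Whatever goes
// wrong - exception, empty answer - the result is the least-privileged role.
// That is the resiliency property worth testing: the failure mode must never
// be a privileged default.
std::string role_for(const std::string& user, const Lookup& directory) {
    try {
        std::string role = directory(user);
        if (role.empty()) return "guest";
        return role;
    } catch (const std::exception&) {
        return "guest";   // fail closed
    }
}

// Injected fault: a stand-in directory that is "down".
std::string failing_directory(const std::string&) {
    throw std::runtime_error("directory unreachable (injected fault)");
}

// Healthy stand-in with constructed sample data.
std::string healthy_directory(const std::string& user) {
    return user == "alice" ? "admin" : "user";
}

int main() {
    std::cout << "healthy:  alice -> " << role_for("alice", healthy_directory) << '\n'
              << "injected: alice -> " << role_for("alice", failing_directory) << '\n';
    return 0;
}
```

Forcing the failure is the only way to find out whether the catch block really exists on every path and whether the default it picks is the safe one; a healthy dependency never exercises that code.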
Monitoring error logs and responding to immediate issues is a great way to stay proactive in the secure software process. (T/F)
true
Parameter-driven software is software that looks up values stored in a database and determines what to display, allow, or execute based on those values. (T/F)
true
Reactive measures are plans and policies that outline the proper response to an incident. (T/F)
true
Security code scanners also report a number of false positives. (T/F)
true
Software assurance can be proven, validated, and substantiated only by the process in place and the artifacts produced from each process. (T/F)
true
Some popular programming languages that deal with security include the following: -Java -PHP -C/C++ (T/F)
true
Testing software consists of running a battery of test cases using multiple techniques against a specific use case and evaluating the results for pass or fail marks. (T/F)
true
The application will never be 100% secure. (T/F)
true
The benefits to a CCB are twofold: -Provide a known and methodical decision process -Sustain security and quality in the software artifacts (T/F)
true
The most notable security flaw with the C/C++ language is the buffer overflow attack. (T/F)
true
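Worked example for the C/C++ buffer overflow cards (added here, not from the original study set): a session record with a fixed-size name field next to a privilege flag, the unbounded copy that lets a long name overwrite the flag, and the hardened copy that checks the length first. The Session layout, field sizes and function names are assumptions chosen for the illustration.

```cpp
#include <cstring>
#include <string>

struct Session {
    char name[16];   // assumed fixed-size field
    bool is_admin;   // sits right after name in memory
};

// VULNERABLE: strcpy stops at the terminating NUL of the input, not at the end
// of name[].  A name of 16 or more characters writes past the array into
// is_admin and whatever follows.  Kept to show the bug; never call it with
// untrusted input.
void set_name_unsafe(Session& s, const char* input) {
    std::strcpy(s.name, input);
}

// Hardened: compare the input length against the buffer before copying, use
// a bounded copy, and terminate explicitly.  A name that does not fit is
// rejected and the session is left untouched.
bool set_name_safe(Session& s, const std::string& input) {
    if (input.size() >= sizeof s.name) return false;   // leave room for the NUL
    std::memcpy(s.name, input.data(), input.size());
    s.name[input.size()] = '\0';
    return true;
}

// Helper so the check can be applied before any copy is attempted.
bool name_fits(const std::string& input) {
    return input.size() < sizeof(Session::name);
}
```

Note that std::string carries its own length; the overflow exists only at the point where data crosses into a raw fixed-size array, which is exactly where the bound must be enforced. Bounded alternatives such as strncpy still need explicit termination, which is why the safe version writes the NUL itself.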
Unit testing catches errors that compilers won't find. (T/F)
true
Unit testing is the lowest level of testing a developer can conduct. (T/F)
true
Use cases are a great starting point for functional test scripts. (T/F)
true