uCertify Chapter 9

Which type of attack is typically associated with the strcpy function?

Buffer overflow

Which of the following security activities is not normally a component of the operations and maintenance phase of the software development life cycle (SDLC)?

Disposition

During the analysis of a malware sample, John reviews malware files and binaries by executing them. Which type of analysis process did John perform in the given scenario?

Dynamic

Which of the following approaches is an example of a formal code review process?

Fagan inspection

Which process is used to ensure that an application can handle very high numbers of concurrent users or sessions?

Load testing

Eric leads a team of software developers and wants to help them in understanding the most important security issues in web application development. Which of the following sources would provide Eric with the most useful resource?

OWASP

Jim is helping a software development team to integrate security reviews into their code review process. He would like to implement a real-time review technique. Which of the following approaches will help Jim to accomplish the given task in the given scenario?

Pair programming

Precompiled SQL statements that only require variables for the input are an example of which type of application security control?

Parameterized queries

Which of the following Open Web Application Security Project (OWASP) best practices is satisfied using TLS to protect application traffic?

Protect data

Which of the following is a chip built into a system to secure hardware through integrated cryptographic keys?

Trusted Platform Module

Mark is a cybersecurity analyst for a nonprofit company. He wants to begin a vulnerability scanning program for the company but does not have any available funds to purchase a tool. Which open source tool can he use at no cost in the given scenario?

OpenVAS

Which of the following flaw types is an application that needs to take action on an object that may be sensitive to what is occurring or has occurred to that object?

Race condition

Matt works as a security analyst in an organization. He is building a device and wants to prevent attackers from capturing data by directly connecting to the hardware communications components of the device. Which technique should Matt use to make sure that communications between the processor and other chips are not vulnerable?

Bus encryption

During a web application test, Ben, an application developer, prepares a report for the issues reported during the testing of the application. He discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report in the given scenario?

Improper error handling

Gabby works as a software tester in an organization. She wants to insert the data into the response received from her web browser to a web application. She wants to easily make manual changes into the data sent from the web browser when she interacts with the website. Which type of tool should Gabby use to make these changes in the given scenario?

Interception proxy

Kristen works as a software tester in an organization. She wants to implement a code review but has a distributed team that works in different shifts during the day. She also does not want to create any additional support load for her team with new development environment applications. Which type of review process will work best for Kristen's needs in the given scenario?

Pass-around

Susan works as a senior software developer in an organization. Her team has been writing code for a major project for a year and recently released its third version of this code. During a post-implementation regression test, an issue that was originally seen in version 1 reappeared. Which of the following should Susan implement to avoid this issue in the future?

Source control management

Sam works as a software developer at an XYZ company. For his current project, he wants to work in iterations of phases for the quality of the project with each iteration producing specific deliverable. Which of the following models will he use to accomplish this task?

Agile development

Every time Susan checks code into her organization's code repository, it is tested, validated, then if accepted it is immediately put into production. In which of the following methodologies is Susan operating?

Continuous delivery

Carla is performing a penetration test of a web application and wants to use a software package that allows her to modify requests being sent from her system to a remote web server. Which of the following tools would meet Carla's needs? Each correct answer represents a complete solution. Choose all that apply.

Burp ZAP Tamper Data

Jordan works as a network analyst in a company. His company follows the systems development life cycle (SDLC). He works with a network systems team on various features, wiring diagrams, and the layout of a new network to support the expansion of the headquarters building. Which phase of the SDLC is Jordan working on in the given scenario?

Design

Which type of testing focuses on inserting errors into the error handling process and path in an application?

Fault injection

Patricia is evaluating the security of an application developed within her organization. She would like to assess the application's security by supplying it with invalid inputs. Which technique is Patricia planning to use in the given scenario?

Fuzz testing

You have implemented a security technique where an automated system generates random input data to test an application. Which of the following techniques have you implemented in the given scenario?

Fuzzing

Ryan is concerned about the possibility of a distributed denial-of-service attack against his organization's web portal. Which one of the following types of testing would best evaluate the portal's susceptibility to this type of attack in the given scenario?

Load

Which phase of the Fagan inspection process identifies defects based on notes from the preparation phase?

Meeting

Ashley is working with software developers to evaluate the security of an application they are upgrading. She is performing testing that slightly modifies the application code to help in identifying errors in code segments that might be infrequently used. Which type of testing is she performing in the given scenario?

Mutation testing

Sia and Maria work as a software developer on a project in an ABC organization. Both are working on the same workstation. For the quality of the project, Sia writes the code and Maria reviews the code written by Sia so that multiple developers are familiar with the code. Which of the following techniques Sia and Maria are pursuing in the given scenario?

Pair programming

Charles works as a security analyst in an organization. He is worried about users conducting SQL injection attacks. Which of the following solutions will best address Charles's concerns in the given scenario?

Performing user input validation

A company has developed an application that is undergoing the testing process. According to the results of the testing process, some changes have been made to the application. The company now wishes to check whether or not the changes made in the application have caused a failure in the previously existing functionality. Which test should the company perform in the given scenario?

Regression

Haley, a security administrator, is planning to deploy a security update to an application provided by a third-party vendor. She installed a patch in a test environment and would like to determine whether applying the patch creates other issues. Which type of test can Haley run to best determine the impact of applying the patch in the given scenario?

Regression

Sam works as a software developer in an organization. He is working on a web application for its improvement. For the improvement of the web application, a major patch is released. After the release of the patch, Sam proceeds to run the security scanner against the web application to verify that it is still secure. Which of the following processes is Sam conducting in the given scenario? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Code review

Regression testing

Kathleen works as a project manager in an organization. She wants to build a public API for modern service-oriented architecture. Which of the following models is likely Kathleen's best choice to build this architect in the given scenario?

Representational State Transfer (REST)

During the Fagan code inspection, which stage can redirect to the planning stage?

Rework

A company wants to implement security during the software development lifecycle (SDLC) process. To achieve this task, the company wants to employ a method that detects weaknesses in an application before execution. Which code analysis method provides the feature mentioned in the given scenario?

Static

Bruce is considering the acquisition of a software testing package that allows programmers to provide their source code as input. The package analyzes the code and identifies potential security issues without executing it. What type of analysis is Bruce performing in the given scenario?

Static analysis

A user is conducting software testing by reviewing the source code of an application. What type of software testing is the user conducting in the given scenario?

Static code analysis

The Open Web Application Security Project (OWASP) maintains an application called Orizon. This application reviews Java classes and identifies potential security flaws. What type of tool describes the referred application?

Static code analyzer

During a testing process, Tiffany, a network administrator, slowly increases the number of connections to an application until it fails. Which of the following testing processes is Tiffany performing?

Stress

During which phase of the software development life cycle (SDLC) model does UAT occur?

Testing and integration

Which phase of the Rapid Application Development (RAD) model focuses on the dataflow and interfaces between components?

Testing and turnover

Which of the following processes checks to ensure that the functionality of an application or software meets customer needs?

UAT

Which of the following test types involves an evaluation of an application by end users?

UAT

Which of the following issues is the fuzz testing methodology most likely to detect?

Unvalidated inputs

Ryan is a security tester in an XYZ organization. He needs to perform a web application vulnerability scanning. To achieve this scanning he requires some tools. Which tools will he use to accomplish the task? Each correct answer represents a complete solution. Choose all that apply.

W3AF Burp Suite