Chapter 7 - Quiz


In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party? A. A contracted third party/the various member organizations of the federation B. The users of the various organizations within the federation/a CASB C. Each member organization/a trusted third party D. Each member organization/each member organization

A. In the trusted third-party model of federation, each member organization outsources the identity review and approval task to a third party they all trust. That third party is the identity provider (it issues and manages identities for all users in all organizations in the federation), and the member organizations are the relying parties (the resource providers that grant access based on the third party's assertions about a user).

Which of the following best describes SAST? A. White-box testing B. Black-box testing C. Gray-box testing D. Red-team testing

A. SAST analyzes source code (or compiled bytecode) without running the application and with full visibility into its internals, which is white-box testing. Black-box testing (such as DAST) examines a running application with no access to its internals, gray-box testing falls in between, and red-team testing is an adversary simulation rather than a code analysis technique.

Database activity monitoring (DAM) can be _______________. A. Host-based or network-based B. Reactive or imperative C. Used in the place of encryption D. Used in place of data masking

A. DAM can be deployed as an agent on the database host (host-based) or as a sensor inspecting database traffic on the wire (network-based). We don't use DAM in place of encryption or masking; DAM augments these controls without replacing them. "Reactive or imperative" has no meaning in this context and is only a distractor.

Which of the following best describes the Organizational Normative Framework (ONF)? A. A container for components of an application's security controls and best practices catalogued and leveraged by the organization B. A framework of containers for all components of application security controls and best practices catalogued and leveraged by the organization C. A subset of application security controls and best practices catalogued and leveraged by the organization D. A framework of containers for some of the components of application security controls and best practices catalogued and leveraged by the organization

B. Option A is incorrect because it refers to a specific application's security elements, meaning it is about an ANF, not the ONF. C is true, but not as complete as B, making B the better choice. D suggests that the framework contains only "some" of the components, which is why B (which describes "all" components) is better.

Which of the following best describes the purpose and scope of ISO/IEC 27034-1? A. Describes international privacy standards for cloud computing B. Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security C. Serves as a newer replacement for NIST 800-53 r4 D. Provides an overview of network and infrastructure security designed to secure cloud applications

B. Option B describes the standard. ISO/IEC 27034 addresses application security, not privacy (A) or network and infrastructure security (D), and it does not replace NIST SP 800-53 (C).

Which of the following best describes SAML? A. A standard for developing secure application management logistics B. A standard for exchanging authentication and authorization data between security domains C. A standard for exchanging usernames and passwords across devices D. A standard used for directory synchronization

B. SAML assertions carry authentication, attribute and authorization statements from an identity provider to a relying party in another security domain. The user's password never leaves the identity provider, so C is wrong. A and D are simply not true.
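Putting the federation answer and the SAML answer together: the identity provider issues an assertion about the user, and the relying party must decide whether to act on it. The checks a relying party performs before trusting an assertion are shown below as an added Python example; it is not from the page, from the quiz's source book, or from any SAML library. The entity IDs, ACS URL, sample assertion and attribute names are constructed for illustration. XML signature verification and assertion-ID replay tracking are mandatory in practice and are left out here.

```python
"""Relying-party checks on a SAML 2.0 assertion (added example).

Assumed values, not from the page: the service provider's entity ID is
https://sp.example.org/metadata, its assertion consumer URL is
https://sp.example.org/acs, and the trusted identity provider's entity ID
is https://idp.example.net/metadata. Signature verification and replay
tracking of the assertion ID are omitted; both are required in production.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted XML

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion, not a real capture.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.net/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.net</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>finance-reader</saml:AttributeValue>
      <saml:AttributeValue>hr-reader</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def saml_time(value: str) -> datetime:
    """Parse the UTC xsd:dateTime form SAML uses, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_problems(xml_text, now, trusted_issuer, audience, acs_url,
                       skew=timedelta(seconds=60)):
    """Return the reasons the relying party must reject the assertion.

    An empty list means every check passed. `skew` tolerates a small clock
    difference between the identity provider and the service provider.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return ["root element is not a SAML 2.0 Assertion"]

    # 1. Issued by the identity provider we federate with?
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        problems.append(f"untrusted issuer {issuer!r}")

    # 2. Validity window: NotBefore is optional, NotOnOrAfter is exclusive.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before = cond.get("NotBefore")
        if not_before and now + skew < saml_time(not_before):
            problems.append("assertion not yet valid")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_on_or_after and now - skew >= saml_time(not_on_or_after):
            problems.append("assertion expired")
        # 3. Meant for us? An assertion issued for another relying party in
        #    the federation must not be accepted here.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append(f"audience {audiences} does not include {audience!r}")

    # 4. Bearer confirmation must name our ACS endpoint and be unexpired.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append(f"recipient {scd.get('Recipient')!r} is not our ACS URL")
        scd_expiry = scd.get("NotOnOrAfter")
        if scd_expiry and now - skew >= saml_time(scd_expiry):
            problems.append("subject confirmation expired")
    return problems


def validate_assertion(xml_text, now, trusted_issuer, audience, acs_url):
    """Accept the assertion and return the identity data the SP may rely on."""
    problems = assertion_problems(xml_text, now, trusted_issuer, audience, acs_url)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, saml_time("2024-05-01T12:03:00Z"),
                             "https://idp.example.net/metadata",
                             "https://sp.example.org/metadata",
                             "https://sp.example.org/acs"))
```

The audience check is the one most often skipped: without it, an assertion the identity provider issued for one member organization can be replayed against another member of the same federation.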

Identity and access management (IAM) is a security discipline intended to ensure _______________________. A. All users are properly authorized B. The right individual gets access to the right resources at the right time for the right reasons C. All users are properly authenticated D. Unauthorized users will get access to the right resources at the right time for the right reasons

B. Options A and C are also correct, but included in B, making B the best choice. D is incorrect because we don't want unauthorized users gaining access.

Physical sandboxing provides which of the following? A. The production environment B. An airgapped test environment that isolates untrusted code for testing in a nonproduction environment C. Emulation D. Virtualization

B. Physical sandboxing creates a test environment completely isolated from the production environment.

The ANF is best described as which of the following? A. A stand-alone framework for storing security practices for the ONF B. A subset of the ONF C. A superset of the ONF D. The complete ONF

B. Remember, there is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for each application in the organization). Therefore, the ANF is a subset of the ONF.

Which of the following best represents the REST approach to APIs? A. Built on protocol standards B. Lightweight and scalable C. Relies heavily on XML D. Only supports XML output

B. The other answers all describe aspects of SOAP: it is built on protocol standards, relies heavily on XML, and produces XML output. REST is lightweight, scalable and format-agnostic (JSON is most common).

Which of the following is not commonly included in the phases of SDLC? A. Define B. Reject C. Design D. Test

B. Define, design and test are all common SDLC phases; "reject" is not.

Which of the following confirms that the identity assertion belongs to the entity presenting it? A. Identification B. Authentication C. Authorization D. Inflammation

B. This is the definition of authentication.

DAST requires ______________. A. Money B. Compartmentalization C. A runtime environment D. Recurring inflation

C. DAST requires a runtime environment. All tests require money, so A is incorrect. Compartmentalization and inflation have no meaning in this context and are just distractors.

Which of the following best describes a sandbox? A. An isolated space where transactions are protected from malicious software B. A space where you can safely execute malicious code to see what it does C. An isolated space where untested code and experimentation can safely occur separate from the production environment D. An isolated space where untested code and experimentation can safely occur within the production environment

C. Options A and B are also correct, but C is more general and incorporates them both. D is incorrect because sandboxing does not take place in the production environment.

APIs typically are built with REST or ________________________. A. XML B. SSL C. SOAP D. TEMPEST

C. REST and SOAP are the two common ways to build APIs. XML is a data format that SOAP uses rather than an API style, so SOAP is the more accurate answer. SSL (a transport security protocol) and TEMPEST (emanation security) are not ways of building APIs.

SOAP is a protocol specification providing for the exchange of structured information or data in web services. Which of the following is not true of SOAP? A. Standards-based B. Reliant on XML C. Extremely fast D. Works over numerous protocols

C. SOAP is standards-based, reliant on XML and works over numerous transport protocols (HTTP, SMTP and others). Its XML envelopes make it verbose and comparatively slow, not extremely fast.

Multifactor authentication consists of at least two items. Which of the following best represents this concept? A. A complex password and a secret code B. Complex passwords and an HSM C. A hardware token and a magnetic strip card D. Something you know and something you have

D. Option D is the best, most general and most accurate answer. Option A combines two things you know, option C combines two things you have, and an HSM (B) is a server-side key store rather than a factor the user presents.

Which of the following is not a component of the STRIDE model? A. Spoofing B. Repudiation C. Information disclosure D. External pen testing

D. STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. External penetration testing is a testing activity, not a threat category.

Which of the following terms means "to perceive software from the perspective of the attacker in order to locate/detect potential vulnerabilities"? A. Rendering B. Galloping C. Agile D. Threat modeling

D. This is the definition of threat modeling.

WAFs operate at OSI Layer _____________. A. 1 B. 3 C. 5 D. 7

D. WAFs inspect HTTP/HTTPS traffic (request methods, URLs, headers and bodies), so they operate at Layer 7, the application layer, of the OSI model. A Layer 3 device sees only IP addresses and cannot tell a SQL injection payload from a normal request.
