70-483 Debug applications and implement security

You are debugging an application for a web shop and are inspecting a lot of Order classes. What can you do to make your debugging easier?
1. Use the DebuggerDisplayAttribute on the Order class.
2. Override ToString on the Order class.
3. Use the ConditionalAttribute on the Order class.
4. Use the #line compiler directive to make sure you can find the correct location when an exception occurs.

Correct answer: A
1. Correct: The DebuggerDisplayAttribute helps you in supplying a more helpful description when inspecting an item through the debugger.
2. Incorrect: Overriding ToString does help, but a better solution is to use the DebuggerDisplayAttribute because this won't influence your code in production.
3. Incorrect: The ConditionalAttribute can be used to remove code from your compiled application. Most of the time, it's used to remove certain calls when doing a release build.
4. Incorrect: The #line directive is used to change the line numbers of your code. Normally, this won't be necessary.

You are building an assembly that will be used by a couple of server applications. You want to make the update process of this assembly as smooth as possible. Which steps should you take? (Choose all that apply.)
1. Create a WinMD Metadata file.
2. Deploy the assembly to the GAC.
3. Add an assemblyBinding section to each client application that points to the location of the assembly.
4. Strongly name the assembly.

Correct answer: B
1. Incorrect: A WinMD file is used by the WinRT in Windows 8. It shouldn't be used outside of this context.
2. Correct: A shared assembly can be deployed in the GAC. Other applications can reference it there. When you want to update it, you can do so by deploying the new version to the GAC. By using configuration files, you can then let other applications reference your new assembly.
3. Incorrect: You can use the assemblyBinding configuration element to add extra search locations for an assembly. This would ask for changes to each client application, however. The GAC is the location where a shared assembly needs to be deployed.
4. Incorrect: Strongly naming an assembly doesn't make it a shared assembly. Each application would still require its own copy.

You are ready to deploy your code to a production server. Which configuration do you deploy?
1. Debug configuration
2. Release configuration
3. Custom configuration with PDB files
4. Release configuration built with the /debug:full compiler flag

Correct answer: B
1. Incorrect: A debug configuration is not fully optimized and is not suitable for a production environment.
2. Correct: A release configuration is fully optimized and will give the best results in a production environment.
3. Incorrect: PDB files are necessary only when debugging an application.
4. Incorrect: The /debug:full flag adds extra information to your application for debugging purposes.

You are working on a globalized web application. You need to parse a text field where the user enters an amount of money. Which method do you use?
1. int.TryParse(value, NumberStyles.Currency, UICulture);
2. decimal.TryParse(value, NumberStyles.Currency, UICulture);
3. decimal.TryParse(value, ServerCulture);
4. decimal.TryParse(value)

Correct answer: B
1. Incorrect: Money should not be stored in an integer because it can't store decimal numbers.
2. Correct: You need to specify the NumberStyles.Currency and the culture that the user is using to parse the DateTime correctly.
3. Incorrect: Using the server culture doesn't account for the differences in user culture. You also need the NumberStyles.Currency parameter to make sure the user can enter a currency symbol.
4. Incorrect: Leaving off the culture defaults to the culture of the operating system. You also need the NumberStyles.Currency parameter to make sure the user can enter a currency symbol.

A user needs to enter a DateTime in a text field. You need to parse the value in code. Which method do you use?
1. DateTime.Parse
2. DateTime.TryParse
3. Convert.ToDateTime
4. Regex.Match

Correct answer: B
1. Incorrect: Parse will throw an exception when the user enters an invalid date, which is not uncommon.
2. Correct: TryParse will see whether the entered value is a valid date. If not, it will return gracefully instead of throwing an exception.
3. Incorrect: Convert.ToDateTime uses Parse internally. This will throw an exception when entered data is in the wrong format.
4. Incorrect: Regex.Match can be used to see whether the input is a valid date. It can't convert the input string to a DateTime object.

You are working on a global application with lots of users. The operation staff requests information on how many user logons per second are occurring. What should you do?
1. Add a TraceSource and write each logon to a text file.
2. Implement a performance counter using the RateOfCountsPerSecond64 type.
3. Instrument your application with the profiler so you can see exactly how many times the logon method is called.
4. Use the EventLog class to write an event to the event log for each logon.

Correct answer: B
1. Incorrect: Writing the events to a text file will still require a tool to parse the text file and give results to the operation staff.
2. Correct: This performance counter will help the operation staff to see exactly what happens every second.
3. Incorrect: Profiler instrumentation will really slow down the performance of your application. It's also something that's not easily readable by your operations staff.
4. Incorrect: Although the event log can be read by the operation staff, they will have to manually count all events to calculate the logons per second.

You are building a strong-named assembly and you want to reference a regular assembly to reuse some code you built. What do you have to do?
1. You first need to put the assembly in the GAC.
2. Nothing. Referencing another assembly to use some code is always possible.
3. You need to sign the other assembly before using it.
4. You need to use the public key token of the other assembly to reference it.

Correct answer: C
1. Incorrect: An assembly in the GAC needs to be strongly named. Your assembly still won't be able to reference the nonsigned assembly.
2. Incorrect: A strong-named assembly cannot reference a non-strong-named assembly.
3. Correct: You need to strongly name the other assembly before you can reference it.
4. Incorrect: The public key token is a part of the manifest of a strong-named assembly. The non-strong-named assembly doesn't have this key information. It needs to be strongly named first.

Bob and Alice are using an asymmetric algorithm to exchange data. Which key should they send to the other party to make this possible?
1. Bob sends Alice his private key, and Alice sends Bob her public key.
2. Bob sends Alice his private key, and Alice sends Bob her private key.
3. Bob sends Alice his public key, and Alice sends Bob her public key.
4. Bob sends Alice his public key, and Alice sends Bob her private key.

Correct answer: C
1. Incorrect: The private key should always be kept confidential.
2. Incorrect: The private key should always be kept confidential.
3. Correct: By sending each other their public key, they can then encrypt data with the other party's public key to send them data.
4. Incorrect: The private key should always be kept confidential.

You are using custom code generation to insert security checks into your classes. When an exception happens, you're having trouble finding the correct line in your source code. What should you do?
1. Use #error to signal the error from your code so that it's easier to find.
2. Use #line hidden to hide unnecessary lines from the debugger.
3. Use the ConditionalAttribute to remove the security checks from your debug build.
4. Use the #line directive with the correct line numbers in your generated code to restore the original line numbers.

Correct answer: D
1. Incorrect: #error will signal an error at compile time.
2. Incorrect: #line hidden will remove the extra generated lines from the debugger, but it won't restore your line numbers.
3. Incorrect: This is a dangerous solution because it creates different behavior between debug and release builds. You won't be able to test your security checks while working with a debug build.
4. Correct: The #line directive can be used to tell the compiler to change the line number of a line of code. This way, you can remove the line numbers for the generated code so that exceptions will match the original code.

You are using the TraceSource class to trace data for your application. You want to trace data when an order cannot be submitted to the database and you are going to perform a retry. Which TraceEventType should you use?
1. Information
2. Verbose
3. Critical
4. Error

Correct answer: D
1. Incorrect: A failing order is not something that should be seen as only an informative event. It should be treated as something critical.
2. Incorrect: Verbose should be used only for very detailed tracing messages.
3. Incorrect: You can still recover from the error, which makes it a severity of Error, not Critical.
4. Correct: You should let the operators know that something is wrong and that you are trying to recover. If recovery fails, you should log a Critical event.

Users are reporting errors in your application, and you want to configure your application to output more trace data. Which configuration setting should you change?
1. NumberOfItems32
2. Listener
3. Filter
4. Switch

Correct answer: D
1. Incorrect: NumberOfItems32 is an option for creating a performance counter.
2. Incorrect: A listener determines what is done with the tracing events. It doesn't influence which events are traced.
3. Incorrect: A filter is used to filter the message that a listener processes. It doesn't influence which events are traced.
4. Correct: The switch value determines which trace events should be handled. By lowering the severity for the switch, you will see more trace events in your output.

You need to encrypt a large amount of data. Which algorithm do you use?
1. SHA256
2. RSACryptoServiceProvider
3. MD5CryptoServiceProvider
4. AesManaged

Correct answer: D
1. Incorrect: SHA256 is a hashing algorithm. It can't be used to encrypt data.
2. Incorrect: RSACryptoServiceProvider is an asymmetric encryption algorithm. Asymmetric algorithms are not suited for encrypting large amounts of data.
3. Incorrect: MD5CryptoServiceProvider is a hashing algorithm. It can't be used to encrypt data.
4. Correct: AesManaged is a symmetric algorithm that can be used to encrypt large amounts of data.

You want to deploy an assembly to a shared location on the intranet. Which steps should you take? (Choose all that apply.)
1. Strongly name the assembly.
2. Use the codebase configuration element in the applications that use the assembly.
3. Deploy the assembly to the GAC.
4. Use the assemblyBinding configuration element with the probing option.

Correct answers: A, B
1. Correct: Strongly naming the assembly is required to be able to reference it on the intranet.
2. Correct: The codebase configuration element can be used to have local client applications know they can find an assembly on another location such as the intranet.
3. Incorrect: Deploying it to the GAC won't put the assembly on the intranet.
4. Incorrect: The probing option can be used only to give additional locations relative to the application path. It can't be used to point to the intranet.

You need to send sensitive data to another party and you want to make sure that no one tampers with the data. Which method do you use?
1. X509Certificate2.SignHash
2. RSACryptoServiceProvider.Encrypt
3. UnicodeEncoding.GetBytes
4. Marshal.ZeroFreeBSTR

Correct answers: A, C
1. Correct: The X509 digital certificate can be used to sign hashed data. If the other party uses the Verify method, it can check that the hash hasn't changed.
2. Incorrect: This method encrypts the data with an asymmetric algorithm. It doesn't ensure that the data hasn't been tampered with.
3. Correct: UnicodeEncoding.GetBytes converts a string to a byte sequence. It doesn't protect the data in any way.
4. Incorrect: The Marshal class should be used when working with System.SecureString. The ZeroFreeBSTR method can be used to zero out an area of memory that contained an insecure string.

