Chapter 9: Software and Hardware Development Security

The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have? A. Dereferencing B. A race condition C. An insecure function D. Improper error handling

A race condition

Matt wants to prevent attackers from capturing data by directly connecting to the hardware communications components of a device he is building. What should he use to make sure that communications between the processor and other chips are not vulnerable? A. Bus encryption B. A HSM C. A TPM module D. LAMP encryption

Bus encryption

Every time Susan checks code into her organization's code repository it is tested, validated, then if accepted it is immediately put into production. What is the term for this? A. Continuous integration B. Continuous delivery C. A security nightmare D. Agile development

Continuous delivery

What type of testing focuses on inserting problems into the error handling processes and paths in an application? A. Fuzzing B. Stress testing C. Dynamic code analysis D. Fault injection

Fault injection

During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report? A. Improper error handling B. Code exposure C. SQL injection D. A default configuration issue

Improper error handling

Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns? A. Using secure session management B. Enabling logging on the database C. Performing user input validation D. Implementing TLS

Performing user input validation

Kathleen wants to build a public API for a modern service-oriented architecture. What model is likely her best choice? A. REST B. SOAP C. SAML D. RAD

REST

After a major patch is released for the web application that he is responsible for, Sam proceeds to run his web application security scanner against the web application to verify that it is still secure. What is the term for the process Sam is conducting? A. Code review B. Regression testing C. Stress testing D. Whiffing

Regression testing

During a Fagan code inspection, which process can redirect to the planning stage? A. Overview B. Preparation C. Meeting D. Rework

Rework

Susan's team has been writing code for a major project for a year and recently released their third version of the code. During a postimplementation regression test, an issue that was originally seen in version 1 reappeared. What type of tool should Susan implement to help avoid this issue in the future? A. Stress testing B. A WAF C. Pair programming D. Source control management

Source control management

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting? A. Mutation testing B. Static code analysis C. Dynamic code analysis D. Fuzzing

Static code analysis

What type of attack is typically associated with the strcpy function? A. Pointer dereferencing B. A race condition C. SQL injection D. Buffer overflow

Buffer overflow

Gabby wants to insert data into the response from her browser to a web application. What type of tool should she use if she wants to easily make manual changes in what her browser sends out as she interacts with the website? A. An interception proxy B. A fuzzer C. A WAF D. A sniffer

An interception proxy

What process is used to ensure that an application can handle very high numbers of concurrent users or sessions? A. Fuzzing B. Fault injection C. Mutation testing D. Load testing

Load testing

Precompiled SQL statements that only require variables to be input are an example of what type of application security control? A. Parameterized queries B. Encoding data C. Input validation D. Appropriate access controls

Parameterized queries

Kristen wants to implement a code review but has a distributed team that works at various times during the day. She also does not want to create any additional support load for her team with new development environment applications. What type of review process will work best for her needs? A. Pair programming B. Pass-around C. Over-the-shoulder D. Tool-assisted

Pass-around

Using TLS to protect application traffic helps satisfy which of the OWASP best practices? A. Parameterize queries B. Encode data C. Validate all inputs D. Protect data

Protect data

During testing, Tiffany slowly increases the number of connections to an application until it fails. What is she doing? A. Regression testing B. Unit testing C. Stress testing D. Fagan testing

Stress Testing

What term describes a chip that is built into a computer that stores encryption keys specific to the system that is used for hardware authentication? A. Trusted foundry B. TPM C. HSM D. SED

TPM

What process checks to ensure that functionality meets customer needs? A. CNA B. Stress testing C. UAT D. Unit testing

UAT