Application Security Exam Solutions 2024, Exams of Nursing

Solutions to a comprehensive application security exam covering topics such as api security, penetration testing, data classification, burp suite functionality, url manipulation, hidden web content discovery, http response codes, x-frame-options, ascii, httponly parameter, user-agent request header, https, sql injection, parameterized query, airport example, access control anti-patterns, http strict transport security, symmetric cryptography, ssl attacks, certificate pinning, billion laughs attack, dtd, xml tag, whitelisting, external entity attack, xml, insecure direct object references, dom xss attacks, cross site scripting attack payload types, html tag, keystroke loggers, cross site scripting (xss) attack components, compliance standards, known vulnerabilities and corresponding fixes, pci-dss, shodan, patching a development stack, aws logging and monitoring, increasing complexity trend, generalization in the persistence tier, insufficient logging and monitoring, aws lambda.

Typology: Exams

2023/2024

Available from 04/29/2024

Beverlyn 🇺🇸

Application Security Exam Solution 2024

True or False: By the year 2020, there will be more devices than people in use worldwide - correct answer ✅ True
True or False: API security can provide access to monitoring and transformation applications through JSON, REST, and SOAP. - correct answer ✅ True
True or False: Companies that perform monthly penetration tests should be confident their web applications are secure 24/7. - correct answer ✅ False
Which of the following is not considered a typical development environment problem? - correct answer ✅ platform vulnerabilities
Which of the following represents the greatest impact to developer security habits and mindset? - correct answer ✅ developers rarely receive formal security training in school or on the job
Which of the following web application components represents optional functionality in a typical end-to-end solution? - correct answer ✅ firewall
Securing a host includes the following areas EXCEPT: - correct answer ✅ input validation
Which of the following challenges represents the greatest security threat to the internet? - correct answer ✅ internet of things
Which of the following components is most secure based on proximity to the "trusted" core? - correct answer ✅ servers
True or False: Software security assurance is not practical in an agile development model. - correct answer ✅ False
True or False: OWASP is a commercial company focused on application security. - correct answer ✅ False
A comprehensive data classification taxonomy represents a core requirement in defending against this vulnerability. - correct answer ✅ sensitive data exposure
This component is required to use an intercepting proxy successfully when interacting with secure (HTTPS) websites. - correct answer ✅ X.509 certificate
Which intercepting proxy functionality is not available within the Burp Community edition? (Functionality is grouped by tab in the Burp user interface) - correct answer ✅ scanner
Extending Burp functionality is possible through the use of extensions. Which extension type is not supported in Burp? - correct answer ✅ .NET
True or False: Using an intercepting proxy to index a web application produces a site map. - correct answer ✅ True
Injected SQL queries run under the context of which account? - correct answer ✅ application account
In order to assess current vulnerabilities, the following resources would be used EXCEPT: - correct answer ✅ exploit-db.com website
This type of query is resilient to SQL injection. - correct answer ✅ parameterized query
True or False: Parameterized queries perform data type checking on parameter values and limit the scope of user input. - correct answer ✅ True
The parameterized query statement SqlCommand() is used to bind variables in which language? - correct answer ✅ .NET
In addition to implementing the principle of least privilege on the database, the following can serve as a checklist to secure the application server. - correct answer ✅ implement ASVS controls
Which SQL injection impact is difficult to detect and poses the greatest integrity risk to the business? - correct answer ✅ data modification
True or False: More privileges can be revoked through the Dynamic SQL DB Query Method than the Stored Procedure DB Query Method. - correct answer ✅ False
In the airport example given in class, the TSA checkpoint provides which type of control? - correct answer ✅ authentication
An attack on private data at the same level or using the same role is which type of access control attack? - correct answer ✅ horizontal
The following all represent an Access Control Anti-Pattern EXCEPT: - correct answer ✅ centralized access control logic
Access control decisions should never be made in the following: - correct answer ✅ JavaScript
True or False: One best practice for access control is to fail open. - correct answer ✅ False
True or False: The principle of least privilege should be applied only to systems that use database authentication, not Windows authentication. - correct answer ✅ False
True or False: Having your seat verified at the gate as you board the plane is an example of authorization. - correct answer ✅ True
True or False: Claim-based access control is more secure than role-based access control. - correct answer ✅ True
True or False: Role-based access control will prevent a horizontal access control attack. - correct answer ✅ False
What does TLS stand for? - correct answer ✅ Transport Layer Security
Where should TLS be used? Select the most correct answer. - correct answer ✅ Everywhere
What does TLS provide the user? Select three. - correct answer ✅ Integrity, Confidentiality, Authenticity
What does SSL stand for? - correct answer ✅ Secure Sockets Layer
Which of the following represents a true statement about the TLS protocol? - correct answer ✅ Both symmetric and asymmetric encryption are used
SQL integrated access control can include an AND statement that should reference data such as _______ to make a trusted access control decision. - correct answer ✅ userID from current session
What does HTTP Strict Transport Security provide to the user? - correct answer ✅ it forces the browser to only make HTTPS connections to the server
True or False: Insecure Direct Access References can disclose private data. - correct answer ✅ True
The following Common Weakness Enumeration (CWE) listing provides the basis for broken access control - correct answer ✅ CWE-284 Improper Access Control
Which control type do applications rely on to obfuscate or hide information from the end user? - correct answer ✅ client-side controls
Which of the following is NOT an authentication guideline for email addresses? - correct answer ✅ Requires SMTP/TLS connection
True or False: User IDs are case sensitive according to authentication guidelines. - correct answer ✅ False
True or False: Insecure Direct Object References represent a horizontal or lateral access control vulnerability. - correct answer ✅ True
True or False: Two behaviors that can introduce access control weaknesses are Specification and Enforcement. - correct answer ✅ True
True or False: A user with administrative privileges should always use a single account for both user and administrative tasks to reduce the number of accounts and account management tasks. - correct answer ✅ False
What are the current parts for the development of threat models? Choose three. - correct answer ✅ STRIDE, Data Flow Diagrams, Threats
Which attack types make up STRIDE? - correct answer ✅ Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
What types of questions should be asked? Choose four. - correct answer ✅ process questions, external entity questions, data flow questions, data store questions
List two STRIDE attack types that are applicable to a TLS connection between an end user and web server. - correct answer ✅ Information Disclosure, Tampering
Name a STRIDE attack that takes place at the user endpoint. - correct answer ✅ Spoofing
Why is an accurate data flow diagram important for threat modeling? - correct answer ✅ It shows the input and output to everything that can be attacked
Select all the valid threat modeling question categories. - correct answer ✅ Data flow, Data stores, Processes
Information in a database should be protected according to content. Which item is key to this process? - correct answer ✅ Data Classification
Which of the following data flows would represent the highest risk for the contents of the data store? - correct answer ✅ User <> firewall <> Web Server <> firewall <> database
Order the threat modeling process. - correct answer ✅ 1. Draw your picture 2. List all elements 3. Ask specific questions
Open source XSS attack tools include which of the following? - correct answer ✅ pineapple
True or False: Known vulnerabilities and corresponding fixes can be found at cve.mitre.org. - correct answer ✅ False
According to the PCI-DSS survey in the reading material, which of the following activities puts cardholder data at the highest risk? - correct answer ✅ storage of payment card numbers
Which compliance standard involves the removal of personal data and is quite challenging to implement? - correct answer ✅ GDPR
Which two of the listed backend systems are potentially vulnerable to injection? - correct answer ✅ Database, Web Server
This scanner detects vulnerable JavaScript libraries as a command line tool or browser plug-in. - correct answer ✅ retire.js
True or False: When remediating source code is not an immediate option, a virtual patch can be deployed to protect an application. - correct answer ✅ True
True or False: Known vulnerabilities and corresponding fixes can be found at nvd.nist.gov. - correct answer ✅ True
Which of the OWASP Top 10 categories would the following fit into? Software is unsupported or out of date - correct answer ✅ using components with known vulnerabilities
These two activities are essential to assessing current applications for vulnerabilities (SELECT TWO) - correct answer ✅ scan for vulnerabilities regularly, subscribe to security bulletins
When assessing a newly released vulnerability it is most important to... - correct answer ✅ determine if the vulnerability applies to components in your environment (i.e. Apache, MySQL, etc.)
True or False: Shodan is a tool for scanning Internet of Things (IoT) devices worldwide. - correct answer ✅ True
True or False: When patching a development stack like LAMP it is NOT important to consider the interdependencies between the operating system, database, web server, and application platform. - correct answer ✅ False
True or False: Components typically run with the same privileges as the application itself. - correct answer ✅ True
Select the two options available within AWS to provide logging and monitoring. - correct answer ✅ Lambda, CloudWatch
Identify the proper order for the centralized logging example given in the presentation: - correct answer ✅ ELB, S3, Lambda, CloudWatch Logs
The dynamic application trend includes the following components EXCEPT: - correct answer ✅ customer behavior is very predictable
Identify the 2nd step in integrated management. - correct answer ✅ Configuration management
The increasing complexity trend includes the following components EXCEPT: - correct answer ✅ generalization in the persistence tier
Identify all the components from which CloudWatch can consume log information. - correct answer ✅ AWS Lambda, Amazon ECS, Amazon EC2
Logging without monitoring is: - correct answer ✅ an ineffective control due to the lack of processing and classification
AWS Lambda is defined as the following: - correct answer ✅ a serverless, event-driven computing platform that runs code in response to events
The following are all examples of Insufficient Logging and Monitoring. - correct answer ✅ Logs are only stored locally; Auditable events, such as failed logins, are not logged; Vulnerability scanning tools do not trigger alerts
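Worked example for the SQL injection and access control questions above (parameterized queries, "userID from current session" in the AND clause, and horizontal/IDOR attacks). This is added illustration, not part of the exam or its course material; it uses Python's sqlite3 module rather than the .NET SqlCommand() the exam names, and the invoices table, its rows, and the user IDs 100 and 200 are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data: an invoices table owned by two users (IDs 100 and 200)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, notes TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        (1, 100, "alice invoice"),
        (2, 100, "alice invoice 2"),
        (3, 200, "bob confidential"),
    ])
    return conn


def lookup_vulnerable(conn, invoice_id):
    # Deliberately vulnerable: the caller's string is spliced into the SQL text, so
    # "1 OR 1=1" rewrites the WHERE clause instead of being compared against id.
    # The query runs with whatever rights the application account holds.
    sql = "SELECT id, owner_id, notes FROM invoices WHERE id = " + invoice_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, invoice_id):
    # Bound parameter: the value travels as data, never as SQL grammar. The same
    # "1 OR 1=1" string is now compared against the id column as a literal and
    # matches nothing. sqlite3 also rejects a wrong number of bound parameters.
    return conn.execute(
        "SELECT id, owner_id, notes FROM invoices WHERE id = ?", (invoice_id,)).fetchall()


def lookup_for_session(conn, invoice_id, session_user_id):
    # Integrated access control: ownership is checked inside the query, and the
    # owner value comes from the server-side session, never from the request.
    # A horizontal attack (user 100 asking for invoice 3) therefore returns no rows.
    return conn.execute(
        "SELECT id, owner_id, notes FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session_user_id)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, "1 OR 1=1"))
    print("parameterized:", lookup_parameterized(db, "1 OR 1=1"))
    print("user 100 requests invoice 3:", lookup_for_session(db, 3, 100))
```

The ownership check lives in the same statement as the lookup, so there is no window in which the record is fetched first and filtered later in application code, and no way for a client-supplied owner field to override the session identity.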
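Worked example for the HTTP Strict Transport Security question above, showing what "forces the browser to only make HTTPS connections" looks like mechanically. This is an added example, not course material: it parses a Strict-Transport-Security header, records the policy the way a browser's HSTS cache would, and upgrades later http:// URLs for that host (and its subdomains when includeSubDomains is set) before any request is sent. The dict store, the clock values, and the example hostnames are assumptions; a real browser additionally ignores the header unless it arrived over HTTPS.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains) or None if the header is unusable.
    Directive names are case-insensitive; a missing or non-numeric max-age invalidates it."""
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def record_policy(store, host, header_value, now):
    """Update the HSTS cache (assumed: a dict host -> (expiry, include_subdomains)).
    Call this only for headers received over HTTPS, as browsers do."""
    parsed = parse_hsts(header_value)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    host = host.lower()
    if max_age == 0:
        store.pop(host, None)          # max-age=0 tells the browser to forget the host
    else:
        store[host] = (now + max_age, include_sub)
    return True


def upgrade_url(store, url, now):
    """Rewrite an http:// URL to https:// if an unexpired policy covers its host.
    Port 80 becomes the default HTTPS port; any other explicit port is kept."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    host = parts.hostname.lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # host itself, then each parent domain
        policy = store.get(candidate)
        if policy is None:
            continue
        expires, include_sub = policy
        if now >= expires:
            continue
        if candidate == host or include_sub:
            netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    cache = {}
    record_policy(cache, "example.com", "max-age=31536000; includeSubDomains", now=1000)
    print(upgrade_url(cache, "http://api.example.com/login", now=2000))
```

The upgrade happens on the client before the first packet leaves, which is why HSTS closes the window that a server-side redirect from HTTP to HTTPS leaves open.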
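Worked example for the logging and monitoring questions above (the ELB -> S3 -> Lambda -> CloudWatch Logs pipeline, "logging without monitoring", and the listed gaps where failed logins and scanner traffic never raise an alert). This is an added example, not from the presentation: it parses constructed lines in the classic ELB access-log layout, the format the first stage of that pipeline emits, and runs the kind of detection the Lambda or CloudWatch stage would perform. The thresholds, the scanner name list, the hostnames and IPs are all assumptions.

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SCANNER_MARKERS = ("sqlmap", "nikto", "nmap", "masscan", "zgrab")  # assumed list
FAILED_LOGIN_THRESHOLD = 5                                          # assumed threshold
WINDOW = timedelta(seconds=60)                                      # assumed window


def parse_elb_line(line):
    """Split one classic ELB access-log line into the fields the detector needs.
    Returns None for lines that do not carry the expected 15 fields."""
    fields = shlex.split(line)
    if len(fields) < 15:
        return None
    request = fields[11].split(" ")          # 'POST https://host:443/login HTTP/1.1'
    url = request[1] if len(request) > 1 else "-"
    return {
        "time": datetime.strptime(fields[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S.%f"),
        "client_ip": fields[2].rsplit(":", 1)[0],
        "elb_status": int(fields[7]) if fields[7].isdigit() else None,
        "path": urlsplit(url).path,
        "user_agent": fields[12],
    }


def detect(lines):
    """Return (alert_type, client_ip) tuples, one per offending client."""
    alerts = []
    failures = defaultdict(deque)            # client_ip -> failed-login times in window
    flagged_burst, flagged_scanner = set(), set()
    for line in lines:
        ev = parse_elb_line(line)
        if ev is None:
            continue
        ip = ev["client_ip"]
        ua = ev["user_agent"].lower()
        if ip not in flagged_scanner and any(m in ua for m in SCANNER_MARKERS):
            flagged_scanner.add(ip)
            alerts.append(("scanner_user_agent", ip))
        if ev["path"] == "/login" and ev["elb_status"] in (401, 403):
            recent = failures[ip]
            recent.append(ev["time"])
            while recent and ev["time"] - recent[0] > WINDOW:
                recent.popleft()             # drop failures outside the sliding window
            if len(recent) >= FAILED_LOGIN_THRESHOLD and ip not in flagged_burst:
                flagged_burst.add(ip)
                alerts.append(("failed_login_burst", ip))
    return alerts


def _line(ts, ip, status, request, user_agent):
    """Build one constructed ELB access-log line for the sample below."""
    return (f'{ts} my-elb {ip}:51234 10.0.0.12:80 0.00004 0.00120 0.00002 '
            f'{status} {status} 0 57 "{request}" "{user_agent}" '
            'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2')


# Constructed sample: five failed logins from one client in nine seconds, one
# isolated failure from another, normal traffic, and a Nikto scan probe.
SAMPLE_LOG = [
    _line(f"2024-04-29T12:00:0{i}.000000Z", "203.0.113.5", 401,
          "POST https://shop.example.com:443/login HTTP/1.1", "Mozilla/5.0")
    for i in range(1, 6)
] + [
    _line("2024-04-29T12:00:07.000000Z", "198.51.100.7", 401,
          "POST https://shop.example.com:443/login HTTP/1.1", "Mozilla/5.0"),
    _line("2024-04-29T12:00:08.000000Z", "198.51.100.7", 200,
          "GET https://shop.example.com:443/ HTTP/1.1", "Mozilla/5.0"),
    _line("2024-04-29T12:00:09.000000Z", "192.0.2.9", 404,
          "GET https://shop.example.com:443/cgi-bin/test.cgi HTTP/1.1",
          "Mozilla/5.00 (Nikto/2.1.6)"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Without the detect() stage the same lines would sit in S3 as a record nobody reads, which is the sense in which the exam calls logging without monitoring an ineffective control.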