Secure Code Review Interview Question-Answer

Q.1 The estimation of software size by measuring functionality.

       A. Lines of code

       B. Function Points

       C. Cyclomatic complexity

       D. Path complexity

Ans : Function Points


Q.2 It is easy to distinguish good code from insecure code.

       A. True

       B. False

Ans : False


Q.3 Complexity increases with the decision count.

       A. True

       B. False

Ans : True


Q.4 It is easy to develop secure sessions with sufficient entropy.

       A. True

       B. False

Ans : False


Q.5 Inviting a friend to help look for a hard-to-find vulnerability is a method of security code review.

       A. True

       B. False

Ans : True


Q.6 The process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places is known as ______________.

       A. Black Box Testing

       B. Vulnerability Testing

       C. Secure Code Review

       D. Penetration Testing

Ans : Secure Code Review


Q.7 The _______ approach to validation only permits characters/ASCII ranges defined within a white-list.

       A. Known good

       B. Encode good

       C. Known bad

Ans : Known good


Q.8 The process by which different equivalent forms of a name can be resolved to a single standard name.

       A. Input resolution

       B. Aliasing

       C. Canonicalization

       D. Name resolution

Ans : Canonicalization


Q.9 In a multi-user, multi-threaded environment, thread safety is important, as one user may erroneously gain access to another individual's session by exploiting ___________.

       A. OS commands

       B. Race conditions

       C. Session Integrity

Ans : Race conditions


Q.10 A function in which scripting tags in all dynamic content can be replaced with codes in a chosen character set.

       A. Client side encoding

       B. Server side encoding

       C. Dynamic encoding

       D. Script encoding

Ans : Server side encoding


Q.11 The account used to make the database connection must have ______ privilege.

       A. Least

       B. Admin

       C. Highest

Ans : Least


Q.12 Authorization that restricts the functionality of a subset of users.

       A. Horizontal Authorization

       B. Vertical Authorization

Ans : Vertical Authorization


Q.13 The dimension of authorization that ensures that different users/entities do not access other users’/entities’ data.

       A. Vertical Authorization

       B. Horizontal Authorization

Ans : Horizontal Authorization


Q.14 The average occurrence of programming faults per Lines of Code (LOC) is known as _______.

       A. Risk Density

       B. Complexity density

       C. Defect Density

       D. Error density

Ans : Defect Density


Q.15 Which of the following is an efficient way to securely store passwords?

       A. Abstraction

       B. Hashing

       C. Encryption

Ans : Hashing


Q.16 The first step in analyzing the attack surface is ________.

       A. Identifying all input to the code

       B. Creating a threat model

       C. Information gathering

       D. Understanding the context

Ans : Identifying all input to the code


Q.17 ________ can be used to establish risk and stability estimations on an item of code, such as a class or method or even a complete system.

       A. Cyclomatic complexity

       B. Risk density

       C. Lines of code

       D. Defect density

Ans : Cyclomatic complexity


Q.18 Attacks that occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

       A. Birthday attacks

       B. SQL injection attacks

       C. XSS Attacks

Ans : XSS Attacks


Q.19 The process that gives a person permission to perform a functionality is known as ___________.

       A. Repudiation

       B. Authentication

       C. Identity Management

       D. Authorization

Ans : Authorization


Q.20 Parameterized stored procedures are compiled after the user input is added.

       A. True

       B. False

Ans : False


Q.21 Defect density alone can be used to judge the security of code accurately.

       A. True

       B. False

Ans : False


Q.22 Which of the following types of metrics do not involve subjective context but are material facts?

       A. Relative Metrics

       B. Absolute Metrics

Ans : Absolute Metrics


Q.23 A solution to enhance the security of passwords stored as hashes.

       A. Using digital signatures

       B. Noncing

       C. Encryption

       D. Salting

Ans : Salting


Q.24 Which of the following can be used to prevent end users from entering malicious scripts?

       A. Input validation

       B. Dynamic encoding

       C. Server side encoding

       D. Authentication

Ans : Input validation


Q.25 The approach to input validation that simply encodes characters considered “bad” to a format which should not affect the functionality of the application and hence is very weak.

       A. Encode bad

       B. Encrypt bad

       C. Blacklisting

Ans : Encode bad

