Q.1 The estimation of software size by measuring functionality.
A. Lines of code
B. Function Points
C. Cyclomatic complexity
D. Path complexity
Ans : Function Points
Q.2 It is easy to distinguish good code from insecure code.
A. True
B. False
Ans : False
Q.3 Complexity increases with the decision count.
A. True
B. False
Ans : True
Q.4 It is easy to develop secure sessions with sufficient entropy.
A. True
B. False
Ans : False
Q.5 Inviting a friend to help look for a hard-to-find vulnerability is a method of security code review.
A. True
B. False
Ans : True
Q.6 The process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places is known as ______________.
A. Black Box Testing
B. Vulnerability Testing
C. Secure Code Review
D. Penetration Testing
Ans : Secure Code Review
Q.7 The _______ approach to validation only permits characters/ASCII ranges defined within a white-list.
A. Known good
B. Encode good
C. Known bad
Ans : Known good
Q.8 The process by which different equivalent forms of a name can be resolved to a single standard name.
A. Input resolution
B. Aliasing
C. Canonicalization
D. Name resolution
Ans : Canonicalization
Q.9 In a multi-user, multi-threaded environment, thread safety is important, as one user may erroneously gain access to another individual's session by exploiting ___________.
A. OS commands
B. Race conditions
C. Session Integrity
Ans : Race conditions
Q.10 A function in which scripting tags in all dynamic content can be replaced with codes in a chosen character set.
A. Client side encoding
B. Server side encoding
C. Dynamic encoding
D. Script encoding
Ans : Server side encoding
Q.11 The account used to make the database connection must have ______ privilege.
A. Least
B. Admin
C. Highest
Ans : Least
Q.12 Authorization that restricts the functionality of a subset of users.
A. Horizontal Authorization
B. Vertical Authorization
Ans : Vertical Authorization
Q.13 The dimension of authorization that ensures that different users/entities do not access other users’/entities’ data.
A. Vertical Authorization
B. Horizontal Authorization
Ans : Horizontal Authorization
Q.14 The average occurrence of programming faults per Lines of Code (LOC) is known as _______.
A. Risk Density
B. Complexity density
C. Defect Density
D. Error density
Ans : Defect Density
Q.15 Which of the following is an efficient way to securely store passwords?
A. Abstraction
B. Hashing
C. Encryption
Ans : Hashing
Q.16 The first step in analyzing the attack surface is ________.
A. Identifying all input to the code
B. Creating a threat model
C. Information gathering
D. Understanding the context
Ans : Identifying all input to the code
Q.17 ________ can be used to establish risk and stability estimations on an item of code, such as a class or method or even a complete system.
A. Cyclomatic complexity
B. Risk density
C. Lines of code
D. Defect density
Ans : Cyclomatic complexity
Q.18 Attacks that occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
A. Birthday attacks
B. SQL injection attacks
C. XSS Attacks
Ans : XSS Attacks
Q.19 The process that gives a person permission to perform a functionality is known as ________.
A. Repudiation
B. Authentication
C. Identity Management
D. Authorization
Ans : Authorization
Q.20 Parameterized stored procedures are compiled after the user input is added.
A. True
B. False
Ans : False
Q.21 Defect density alone can be used to judge the security of code accurately.
A. True
B. False
Ans : False
Q.22 Which of the following types of metrics does not involve subjective context but consists of material facts?
A. Relative Metrics
B. Absolute Metrics
Ans : Absolute Metrics
Q.23 A solution to enhance the security of passwords stored as hashes.
A. Using digital signatures
B. Noncing
C. Encryption
D. Salting
Ans : Salting
Q.24 Which of the following can be used to prevent end users from entering malicious scripts?
A. Input validation
B. Dynamic encoding
C. Server side encoding
D. Authentication
Ans : Input validation
Q.25 The approach to input validation that simply encodes characters considered "bad" into a format which should not affect the functionality of the application, and which is hence very weak.
A. Encode bad
B. Encrypt bad
C. Blacklisting
Ans : Encode bad