Q.1 Identify the correct statement in the following:
A. Accountability is a process to prevent repudiation
B. Confidentiality is a process to prevent unauthorized alteration of information
C. Authorization validates user identity
D. None of the above options is correct
Ans : Authorization validates user identity
Q.2 Authentication and session management are security concerns of which of the following programming languages?
A. PHP
B. Java
C. C
D. .NET
E. All the above options
Ans : All the above options
Q.3 Which of the following is a best practice for Audit Trail and Logging?
A. Ensure server time is synchronized
B. Apply the principle of Secure Default
C. Restrict the access level of configuration and program-level resources
D. All the above options
Ans : Restrict the access level of configuration and program-level resources
Q.4 Which of the following is a security advantage of managed code over unmanaged code?
A. Number of lines of code
B. Size of the chroot jail
C. Number of roles
D. Size of the attack surface
Ans : Size of the chroot jail
Q.5 Temporary files created by applications can expose confidential data if:
A. The existence of the file exceeds three seconds
B. File permissions are not set appropriately
C. Special characters are not used in the filename to hide the file
D. Special characters indicating a system file are not used in the filename
Ans : File permissions are not set appropriately
Q.6 Through a successful format-string attack against a web application, an attacker is able to execute which of the following actions?
A. Read and write to memory at will
B. Read certain memory areas using the %s token
C. Write only certain areas using tokens
D. All the above options
Ans : Read and write to memory at will
Q.7 Exception Handling refers to:
A. Commercial runtime environments that contain tools to record debugging information from memory at the time of the exception, to provide ‘root-cause’ analysis information later.
B. During application execution, if certain special conditions are met, a specific subroutine ‘exception handler’ is called
C. Identifying all possible erroneous inputs, and managing how an application responds to them
D. All the above options
Ans : All the above options
Q.8 If an attacker submits multiple input parameters (query string, post data, cookies, etc.) of the same name, the application may react in unexpected ways and open up new avenues of server-side and client-side exploitation. This is the premise of which of the following?
A. Parameter Busting
B. Session Splitting
C. Distortion
D. HTTP Parameter Pollution
Ans : HTTP Parameter Pollution
Q.9 Which of the following is not an authentication method?
A. Cookie-based
B. Single Sign On
C. Form-based
D. Basic authentication
Ans : Cookie-based
Q.10 There are various HTTP authentication mechanisms to authenticate a user. In which of the following authentication schemes are login credentials sent to the web server in clear text?
A. Basic
B. Client Certificates
C. NTLM
D. None of the options
Ans : Basic
Q.11 Which of the following are secure programming guidelines?
A. Always validate input to public methods
B. Never use input data as input to a format string
C. Avoid the usage of environment variables
D. Always call a shell to invoke another program from within a C/C++ program
E. A, B & C
F. None of the above
Ans : A, B & C
Q.12 Which of the following are secure programming guidelines?
A. Always validate input for public methods
B. Never use input data as input for a format string
C. Avoid the use of environment variables
D. Always call a shell to invoke another program from within a C/C++ program
E. A), B) and C)
F. None of the above options
Ans : E) A), B) and C)
Q.13 Secure practices for access control include which of the following?
A. Business workflow
B. Role-based access
C. Authorization on each request
D. All the above options
Ans : All the above options
Q.14 What is the purpose of Audit Trail and Logging?
A. Generate evidences for actions
B. Software troubleshooting
C. Generate a chronological sequence of actions
D. All the above options
Ans : All the above options
Q.15 It is good programming practice to prevent caching of sensitive data at the client or at proxies by implementing which of the following?
A. “Cache-Control: do not-save, do not store”
B. “Cache-Control: no cache”
C. “Cache-Control: no store”
D. “Cache-Control: do not-cache, do not save”
E. “Cache-Control: do not-cache, do not save”
Ans : “Cache-Control: no-cache, no store”
Q.16 Securing a database application with username/password access control should be considered sufficient:
A. If the passwords contain more than six characters
B. If none of the users have administrative access
C. Only when combined with other controls
D. To secure the application
Ans : Only when combined with other controls
Q.17 Identify the correct statement in the following:
A. A firewall is the best protection against application attacks
B. Development teams need not worry about rework due to security vulnerability
C. High vulnerability can be ignored, and software can be released to the customer
D. None of the above options
Ans : A firewall is the best protection against application attacks
Q.18 To improve the overall quality of web applications, developers should abide by which of the following rules?
A. Use GET instead of POST
B. Allow the use of HIDDEN form fields
C. Trust user-supplied data
D. Clean and validate all user input
Ans : Clean and validate all user input
Q.19 From an application security perspective, why should a CAPTCHA be used in a web application?
A. To prevent scripted attacks
B. To provide biometric authentication
C. To check the color blindness of a user
D. To check the validity of a user session
Ans : To prevent scripted attacks
Q.20 Identify the correct statement in the following:
A. Security is a technical problem and is the responsibility of the security manager
B. Customer trust, reputation, financial, compliance, and privacy are the major reasons to implement a software security program
C. To secure online data, build secure software
D. All the above options
E. A) and C)
Ans : E) A) and C)