26.
The primary reason for designing Single Sign On (SSO) capabilities is to
  • A. increase the security of authentication mechanisms.
  • B. simplify user authentication.
  • C. have the ability to check each access request.
  • D. allow for interoperability between wireless and wired networks.
Answer : [B]
Explanation :
The design principle of economy of mechanism states that one must keep the design as simple and small as possible. This well-known principle deserves emphasis for protection mechanisms because design and implementation errors that result in unwanted access paths will not be noticed during normal use. As a result, techniques such as line-by-line inspection of the software that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential. SSO supports this principle by simplifying the authentication process.
27.
Database triggers are PRIMARILY useful for providing which of the following detective software assurance capabilities?
  • A. Availability.
  • B. Authorization.
  • C. Auditing.
  • D. Archiving.
Answer : [C]
Explanation :
All stored procedures could be updated to incorporate auditing logic; however, a better solution is to use database triggers. You can use triggers to monitor actions performed on the database tables and automatically log auditing information.
28.
During a threat modeling exercise, the software architecture is reviewed to identify
  • A. attackers.
  • B. business impact.
  • C. critical assets.
  • D. entry points.
Answer : [D]
Explanation :
During threat modeling, the application is dissected into its functional components. The development team analyzes the components at every entry point and traces data flow through all functionality to identify security weaknesses.
29.
A Man-in-the-Middle (MITM) attack is PRIMARILY an expression of which of the following types of threat?
  • A. Spoofing
  • B. Tampering
  • C. Repudiation
  • D. Information disclosure
Answer : [A]
Explanation :
Although it may seem that a MITM attack is an expression of the threat of repudiation, and it very well could be, it is PRIMARILY a spoofing threat. In a spoofing attack, an attacker impersonates a different person and pretends to be a legitimate user of the system. Spoofing attacks are mitigated through authentication, so that adversaries cannot become any other user or assume the attributes of another user.
When undertaking a threat modeling exercise, it is important to list all possible threats, regardless of whether they have been mitigated, so that you can later generate test cases where necessary. If a threat is not documented, there is a high likelihood that the software will not be tested for it.
Using a categorized list of threats (such as STRIDE, an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) is useful for listing all possible threats.
30.
IPSec technology, which helps in the secure transmission of information, operates in which layer of the Open Systems Interconnect (OSI) model?
  • A. Transport.
  • B. Network.
  • C. Session.
  • D. Application.
Answer : [B]
Explanation :
Although software security has specific implications for layer 7, the Application layer of the OSI stack, security at the other levels of the OSI stack is also important and should be leveraged to provide defense in depth. The seven layers of the OSI stack are Physical (layer 1), Data Link (layer 2), Network (layer 3), Transport (layer 4), Session (layer 5), Presentation (layer 6) and Application (layer 7). SSL and IPSec can be used to assure confidentiality for data in motion. SSL operates at the Transport Layer (layer 4) and IPSec operates at the Network Layer (layer 3) of the OSI model.