Matt, a developer, recently attended a workshop on a new application. The developer installs the new application on a production system to test the functionality. Which of the following is MOST likely affected?
A. Application design B. Application security C. Initial baseline configuration D. Management of interfaces
Answer: C
Explanation: The initial baseline configuration of a computer system is an agreed configuration for the computer. For example, the initial baseline configuration will list what operating system the computer will run, what software applications and patches will be installed and what configuration settings should be applied to the system. In this question, a new software application is installed on a production server. After the installation, the configuration of the server (installed software, settings etc.) differs from the initial baseline configuration. New software should be tested in a test environment and, if adopted, added to the baseline through change control rather than installed directly on production.
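As an added illustration (not part of the original question bank), the following Python snippet shows what "drift from the baseline" looks like when checked mechanically: an approved baseline records the package set and the SHA-256 digest of each controlled configuration file, and a check compares the current state of the host against it. All package names, versions, paths and file contents are constructed sample values.

```python
"""Baseline drift check: compare a system's current state with its approved baseline."""
import hashlib
from dataclasses import dataclass


def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Baseline:
    """Agreed configuration: package name -> version, config path -> SHA-256 of its content."""
    packages: dict
    config_digests: dict


@dataclass(frozen=True)
class CurrentState:
    """What is actually on the host: package name -> version, config path -> file content."""
    packages: dict
    config_files: dict


def detect_drift(baseline: Baseline, current: CurrentState) -> dict:
    """Return every deviation from the baseline; all lists empty means the host is compliant."""
    drift = {"added": [], "removed": [], "version_changed": [], "config_changed": []}
    for name, version in sorted(current.packages.items()):
        if name not in baseline.packages:
            drift["added"].append(name)
        elif baseline.packages[name] != version:
            drift["version_changed"].append((name, baseline.packages[name], version))
    for name in sorted(baseline.packages):
        if name not in current.packages:
            drift["removed"].append(name)
    for path, expected in sorted(baseline.config_digests.items()):
        actual = current.config_files.get(path)  # None if the file was deleted
        if actual is None or sha256_hex(actual) != expected:
            drift["config_changed"].append(path)
    return drift


def is_compliant(drift: dict) -> bool:
    return not any(drift.values())


# Constructed sample data (hypothetical package names, versions and settings).
SSHD_BASELINE = "PermitRootLogin no\nPasswordAuthentication no\n"
BASELINE = Baseline(
    packages={"nginx": "1.18.0", "openssl": "3.0.2"},
    config_digests={"/etc/ssh/sshd_config": sha256_hex(SSHD_BASELINE)},
)

# Before the workshop: the server matches its baseline.
BEFORE = CurrentState(
    packages={"nginx": "1.18.0", "openssl": "3.0.2"},
    config_files={"/etc/ssh/sshd_config": SSHD_BASELINE},
)

# After the developer installs the new application: a package was added, the installer
# pulled in a newer OpenSSL, and it rewrote sshd_config.
AFTER = CurrentState(
    packages={"nginx": "1.18.0", "openssl": "3.0.9", "workshop-app": "0.1"},
    config_files={"/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n"},
)

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        d = detect_drift(BASELINE, state)
        print(label, "compliant" if is_compliant(d) else f"drift: {d}")
```

The digests in the baseline are what make the check useful: the baseline can be stored and distributed without the file contents, and a silent edit by an installer shows up as a changed digest even when the package list looks unchanged.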
Which of the following application security principles involves inputting random data into a program?
A. Brute force attack B. Sniffing C. Fuzzing D. Buffer overflow
Answer: C
Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failed validation, or memory leaks.
Which of the following is an application security coding problem?
A. Error and exception handling B. Patch management C. Application hardening D. Application fuzzing
Answer: A
Explanation: Error and exception handling is an aspect of secure coding. When an error occurs, the application should fail to a secure state (fail closed) rather than continue with partially computed or default values. The programmer must code this into the application: errors and exceptions should be caught and handled by the application, with the details logged internally and only a generic message shown to the user.
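The following Python example is added here to make the point concrete; it is not from the original question bank. It shows an authorization check written two ways: a version whose exception path fails open and returns internal detail to the caller, and a version that denies on any error, logs the detail server-side and returns the same generic message whatever went wrong. The role table, user names and the internal host name in the error are constructed values.

```python
"""Secure exception handling: fail closed and keep error detail out of the response."""
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")

# Constructed sample policy: role -> permitted actions.
ROLE_PERMISSIONS = {"admin": {"read", "write", "delete"}, "user": {"read"}}


class PermissionStoreError(Exception):
    """The backing permission store could not be queried (simulated outage)."""


@dataclass(frozen=True)
class Decision:
    allowed: bool
    message: str  # what the caller (e.g. an HTTP client) gets to see


def lookup_role(user: str, store) -> str:
    """store is a dict user -> role, or None to simulate the directory being down."""
    if store is None:
        # Hypothetical internal host name; it must never reach the client.
        raise PermissionStoreError("ldap://authz.internal:636 unreachable")
    return store[user]  # raises KeyError for an unknown user


def authorize_insecure(user: str, action: str, store) -> Decision:
    """'Before': the default is set before the check, a store outage is reported to the
    caller with internal detail, and an unknown user is not handled at all."""
    allowed = True  # BUG: a default of True means any skipped check grants access
    try:
        allowed = action in ROLE_PERMISSIONS[lookup_role(user, store)]
    except PermissionStoreError as exc:
        return Decision(allowed, f"store error: {exc}")  # fails open and leaks the host name
    # KeyError for an unknown user is never caught: the caller gets a raw traceback.
    return Decision(allowed, "ok" if allowed else "access denied")


def authorize_secure(user: str, action: str, store) -> Decision:
    """'After': any error denies access, detail goes to the server log only, and the
    caller gets the same generic message whichever error occurred."""
    try:
        allowed = action in ROLE_PERMISSIONS[lookup_role(user, store)]
    except Exception as exc:  # covers PermissionStoreError, KeyError and anything unforeseen
        log.warning("authorization of %r for %r failed: %s", user, action, exc)
        return Decision(False, "access denied")  # fail closed, no internal detail
    return Decision(allowed, "ok" if allowed else "access denied")


if __name__ == "__main__":
    print("insecure, store down:", authorize_insecure("alice", "delete", None))
    print("secure, store down:  ", authorize_secure("alice", "delete", None))
    print("secure, unknown user:", authorize_secure("mallory", "read", {"alice": "admin"}))
```

Note that the secure version deliberately catches the broad `Exception` at the trust boundary: an authorization decision must be made for every error, including ones the programmer did not anticipate, and "deny" is the only safe default.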
An IT security technician is actively involved in identifying coding issues for her company. Which of the following is an application security technique that can be used to identify unknown weaknesses within the code?
A. Vulnerability scanning B. Denial of service C. Fuzzing D. Port scanning
Answer: C
Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failed validation, or memory leaks. Because the inputs are generated rather than derived from known attack patterns, fuzzing can expose weaknesses that no vulnerability signature would find.
Which of the following would prevent a user from installing a program on a company-owned mobile device?
A. White-listing B. Access control lists C. Geotagging D. Remote wipe
Answer: A
Explanation: Application whitelisting is a form of application security which prevents any software from running on a system unless it is included on a preapproved list of allowed applications.
Which of the following application security testing techniques is implemented when an automated system generates random input data?
A. Fuzzing B. XSRF C. Hardening D. Input validation
Answer: A
Explanation: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failed validation, or memory leaks.
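Fuzzing in practice, as an added example that serves the three fuzzing questions above (constructed here, not part of the original question bank): a mutation-based fuzzer takes one valid seed input, randomly corrupts it, feeds each mutant to the program under test and records every exception type that is not one of the program's declared validation errors. The target parser, its record format and its missing bounds check are all constructed for this illustration; the hardened parser beside it shows what a fixed target looks like to the same fuzzer.

```python
"""Mutation-based fuzzing of a small binary parser (constructed target)."""
import random
import struct


def parse_records(data: bytes) -> list:
    """Constructed target: [u8 count] then count x ([u16 big-endian length] [payload]).
    Malformed input is supposed to raise ValueError; this version checks no bounds."""
    if not data:
        raise ValueError("empty input")
    count, offset, records = data[0], 1, []
    for _ in range(count):
        (length,) = struct.unpack_from(">H", data, offset)  # struct.error when truncated
        offset += 2
        records.append(bytes(data[offset:offset + length]))  # silently short on truncation
        offset += length
    return records


def parse_records_hardened(data: bytes) -> list:
    """Same format with explicit bounds checks: every malformed input is a ValueError."""
    if not data:
        raise ValueError("empty input")
    count, offset, records = data[0], 1, []
    for _ in range(count):
        if offset + 2 > len(data):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">H", data, offset)
        offset += 2
        if offset + length > len(data):
            raise ValueError("payload exceeds input")
        records.append(bytes(data[offset:offset + length]))
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes")
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations: bit flip, byte insert, byte delete, truncate."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 2 and buf:
            del buf[rng.randrange(len(buf))]
        elif op == 3 and buf:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1,
         expected=(ValueError,)) -> dict:
    """Feed mutants of seed to target. Return {exception name: first input that caused it}
    for every exception type outside the expected validation errors (an empty dict means
    the target rejected every bad input cleanly)."""
    rng = random.Random(rng_seed)  # fixed seed so any finding can be reproduced
    findings = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except expected:
            continue  # a clean rejection is the desired outcome for bad input
        except Exception as exc:
            name = f"{type(exc).__module__}.{type(exc).__name__}"
            findings.setdefault(name, sample)  # keep the first reproducer per type
    return findings


# Constructed valid seed: two records with payloads b"abc" and b"z".
SEED = b"\x02" + struct.pack(">H", 3) + b"abc" + struct.pack(">H", 1) + b"z"

if __name__ == "__main__":
    print("unhardened:", fuzz(parse_records, SEED, 2000))
    print("hardened:  ", fuzz(parse_records_hardened, SEED, 2000))
```

The harness is the part that carries over to real work: decide up front which exceptions are acceptable rejections, treat everything else as a finding, and keep the reproducing input and the random seed so the developer can replay it. Production fuzzers such as AFL and libFuzzer add coverage feedback to choose which mutants to keep, but the loop is the same.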
The call center supervisor has reported that many employees have been playing preinstalled games on company computers and this is reducing productivity. Which of the following would be MOST effective for preventing this behavior?
A. Acceptable use policies B. Host-based firewalls C. Content inspection D. Application whitelisting
Answer: D
Explanation: Application whitelisting is a form of application security which prevents any software from running on a system unless it is included on a preapproved list of allowed applications. A policy alone only tells users not to play the games; whitelisting stops the game executables from launching at all.
A security engineer is given new application extensions each month that need to be secured prior to implementation. They do not want the new extensions to invalidate or interfere with existing application security. Additionally, the engineer wants to ensure that the new requirements are approved by the appropriate personnel. Which of the following should be in place to meet these two goals? (Select TWO).
A. Patch Audit Policy B. Change Control Policy C. Incident Management Policy D. Regression Testing Policy E. Escalation Policy F. Application Audit Policy
Answer: B,D
Explanation: Regression testing verifies that a change (here, each month's new application extensions) has not broken or weakened functionality that already worked, including the existing application security controls; a regression testing policy requires those tests to pass before an extension is implemented. A change control policy is the structured process by which proposed changes are documented, reviewed and approved by the appropriate personnel before they are made, which satisfies the approval requirement. A backout plan is a related part of change control: it defines how to revert a change that had negative consequences, for example uninstalling a service pack, hotfix or patch that left normally available services inaccessible, reversing a migration, or restoring previous firmware, and it identifies the events that trigger the reversion. A backout is not the same thing as regression testing; regression testing is what catches the problem before the change reaches production, and the backout plan is what you fall back on if it did not.