INTRODUCTION – Application Security and Testing

SECURITY ARCHITECTURE CONSIDERATIONS KNOWLEDGE CHECK

1. True or False. A security architect’s job is to make sure that security considerations dominate other design aspects such as usability, resilience and cost.

2. Which of these is an aspect of an Enterprise Architecture?

3. Which of these is an aspect of a Solution Architecture?

4. Which three (3) of these are general features of Building Blocks? (Select 3)

5. Which three (3) of these are Architecture Building Blocks (ABBs)? (Select 3)

6. Which three (3) of these are Solution Building Blocks (SBBs)? (Select 3)

7. The diagram below shows which type of architecture?

8. Solution architectures often contain diagrams like the one below. What does this diagram show?

9. In security architecture, a reusable solution to a commonly recurring problem is known as what?

APPLICATION SECURITY TECHNIQUES AND RISKS KNOWLEDGE CHECK

1. Which of these is an application security threat?

2. Failure to use input validation in your application introduces what?

3. Which software development lifecycle is characterized as a top-down approach where one stage of the project is completed before the next stage begins?

4. Which form of penetration testing allows the testers complete knowledge of the systems they are trying to penetrate in advance of their attack to simulate an internal attack from a knowledgeable insider?

5. Which application testing method requires access to the original application source code?

6. Which three (3) steps are part of a Supplier Risk Assessment? (Select 3)

7. What type of firewall should you install to protect applications used by your organization from hacking?

8. Which type of application attack would include elevation of privilege, data tampering and luring attacks?

9. Which type of application attack would include information disclosure and denial of service?

10. Which one of the OWASP Top 10 Application Security Risks would be occur when untrusted data is sent to an interpreter as part of a command or query?

11. Which one of the OWASP Top 10 Application Security Risks would be occur when a poorly configured XML processor evaluates an external entity reference within an XML document allowing the external entity to expose internal files?

12. Which of these threat modeling methodologies was introduced in 1999 at Microsoft to provide their developer’s a mnemonic that would help them find security vulnerabilities in their products?

13. Security standards do not have the force of law but security regulations do. Which one of these is a security regulation?

DEVSECOPS & SECURITY AUTOMATION KNOWLEDGE CHECK

1. Which phase of DevSecOps would contain the activities Threat modeling & risk analysis, Security backlog and Architecture & design?

2. Which phase of DevSecOps would contain the activities Continuous component control, Application and infrastructure orchestration, and Data cleansing & retention?

3. The Release step in the DevSecOps Release, Deploy & Decommission phase contains which of these activities?

4. The Detect & Visualize step in the DevSecOps Operate & Monitor phase contains which of these activities?

DEEP DIVE INTO CROSS-SCRIPTING KNOWLEDGE CHECK

1. True or False. Finding a bug in a software product from a major vendor can be very profitable for a security researcher.

2. Which is the top vulnerability found in common security products?

3. True or False. Building software defenses into your software includes: input validation, output sensitization, strong encryption, strong authentication and authorization.

4. Complete the following statement. Cross-site scripting ____

5. True or False. A Stored XSS attack is potentially far more dangerous than a Reflected XSS attack.

6. Cross-site scripting attacks can be minimized by using HTML and URL Encoding. How would a browser display this string?: <b>Test</b>

7. Which is the most effective means of validating user input?

APPLICATION TESTING GRADED ASSESSMENT

1. True or False. A security architect’s job is to make sure that security considerations are balanced against other design aspects such as usability, resilience and cost.

2. Which of these is an aspect of an Enterprise Architecture?

3. Which of these is an aspect of a Solution Architecture?

4. Which three (3) of these are features of Architecture Building Blocks (ABBs)? (Select 3)

5. Which three (3) of these are Architecture Building Blocks (ABBs)? (Select 3)

6. Which three (3) of these are Solution Building Blocks (SBBs)? (Select 3)

7. The diagram below shows which level of architecture?

8. Solution architectures often contain diagrams like the one below. What does this diagram show?

9. Solution architectures often contain diagrams like the one below. What does this diagram show?

10. What is lacking in a security architecture pattern that prevents it from being used as a finished design?

11. What are the possible consequences if a bug in your application becomes known?

12. What was the ultimate consequence to Target Stores in the United States from their 2013 data breach in which over 100M records were stolen?

13. Select the two (2) top vulnerabilities found in common security products. (Select 2)

14. True or False. If you can isolate your product from the Internet, it is safe from being hacked.

15. Which three (3) things can Cross-site scripting be used for? (Select 3)

16. True or False. Commonly a Reflect XSS attack is sent as part of an Email or a malicious link and affects only the the user who receives the Email or link.

17. Cross-site scripting attacks can be minimized by using HTML and URL Encoding. How would a browser display this string?: 

<b>Password</b>

18. Which three (3) statements about whitelisting user input are true? (Select 3)

19. Which two (2) statements are considered good practice for avoiding XSS attacks (Select 2)

20. How would you classify a hactivist group who thinks that your company’s stance on climate change threatens the survival of the planet?

21. Which software development lifecycle is characterized by short bursts of analysis, design, coding and testing during a series of 1 to 4 week sprints?

22. Which software development lifecycle is characterized by a series of cycles and an emphasis on security?

23. Which form of penetration testing allows the testers no knowledge of the systems they are trying to penetrate in advance of their attack to simulate an external attack by hackers with no knowledge of an organizations systems?

24. Which application testing method requires a URL to the application, is quick and cheap but also produces the most false-positive results?

25. Which type of application attack would include buffer overflow, cross-site scripting, and SQL injection?

26. Which type of application attack would include unauthorized access to configuration stores, unauthorized access to administration interfaces and over-privileged process and service accounts?

27. Which one of the OWASP Top 10 Application Security Risks would occur when authentication and session management functions are implemented incorrectly allowing attackers to compromise passwords, keys or session tokens.

28. Which one of the OWASP Top 10 Application Security Risks would occur when restrictions on what a user is allowed to do is not properly enforced?.

29. Which of these threat modeling methodologies is integrated seamlessly into an Agile development methodology?

30. Security standards do not have the force of law but security regulations do. Which one of these is a security regulation?

31. Which phase of DevSecOps would contain the activities Secure application code, Secure infrastructure configuration, and OSS/COTS validation?

32. Which phase of DevSecOps would contain the activities Detect & Visualize, Respond, and Recover?

33. The Deploy step in the DevSecOps Release, Deploy & Decommission phase contains which of these activities?

34. The Respond step in the DevSecOps Operate & Monitor phase contains which of these activities?

CONCLUSION – Application Security and Testing