Architecture and Design
Architecture and Design
Architecture, Design, Implementation
Implementation
Implementation
100

Which of the following describes the purpose of threat modeling?

  1. Enumerate threats to the software

  2. Define the correct and secure data flows in a program

  3. Communicate testing requirements to the test team

  4. Communicate threat and mitigation information across the development team

D. Threat modeling is a tool used to communicate information about threats and the mitigation procedures to all members of the development team.

100

The term STRIDE stands for what?

  1. Spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege

  2. Spoofing, tampering, reproducibility, information disclosure, denial of service, and elevation of privilege

  3. Spoofing, tampering, reproducibility, information disclosure, discoverability, and elevation of privilege

  4. Spoofing, tampering, repudiation, information disclosure, discoverability, and elevation of privilege

A. The term STRIDE refers to sources of threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

100

Reusing components to reduce risk is an example of what?

  1. Leverage existing components

  2. Separation of duties

  3. Weakest link

  4. Least common mechanism

A. Leveraging existing components reduces risk by using proven elements.

100

Race conditions can be determined and controlled via what?

  1. Multithreading

  2. Mutual exclusion

  3. Race windows

  4. Atomic actions

C. Race conditions are defined by race windows, a period of opportunity when concurrent threads can compete in attempting to alter the same object. They are caused by multithreading and are resolved through atomic actions under mutual exclusion conditions. The key is in detecting when they occur.

100

Verifying that code can perform in a particular manner under production conditions is a task managed by what?

  1. Static analysis

  2. Dynamic analysis

  3. Production testing

  4. Code walk-throughs

B. Testing of code while executing in a production-like environment is referred to as dynamic analysis.

200

On which platform can a customer deploy and operate arbitrary software across a cloud-based platform without worrying about the specifics of the environment?

  1. Infrastructure as a service

  2. Platform as a service

  3. Software as a service

  4. Architecture as a service

A. IaaS is a form of cloud computing that offers a complete platform as a provisioning solution to a computing need.

Bonus Points: define PaaS (+50) and SaaS (+50)

200

Platform-neutral, interoperable, and modular with contract-based interfaces describes what?

  1. SOA

  2. XML

  3. WSDL

  4. ESB

A. SOA characteristics include platform neutrality, interoperability, modularity and reusability, abstracted business functionality, contract-based interfaces, and discoverability.

Bonus points: Define XML (+50), WSDL (+50), ESB (+50)

200

What is the advantage of unmanaged code?

  1. Performance

  2. Security

  3. Library functions

  4. Portability

A. Unmanaged code can have a performance advantage over managed code.

Bonus Point: What is managed code? Provide an example (+50).

200

Elements of defensive coding include all of the following except what?

  1. Custom cryptographic functions to avoid algorithm disclosure

  2. Exception handling to avoid program termination

  3. Interface coding efforts to avoid API-facing attacks

  4. Cryptographic agility to make cryptographic functions stronger

A. Custom cryptographic functions are always a bad idea and frequently lead to failure.

200

RASP does not perform which of the following functions?

  1. Connect to instrumentation during program operation

  2. Monitor environmental conditions under which the application operates

  3. Examine code for race conditions

  4. Alert operators when code has malfunctions

C. RASP does not examine the code base.

300

__________ is an architecture that can mimic desktop applications in usability and function.

  1. RIA

  2. NFC

  3. REST

  4. SOAP

A. Rich Internet applications (RIAs) are a form of architecture using the Web as a transfer mechanism and the client as a processing device, typically for display formatting control functions.

Bonus points for defining NFC (+50), REST (+50), SOAP (+50)

300

Which of the following is not an element associated with certificates?

  1. RA

  2. OCSP

  3. CA

  4. CLR

D. The common language runtime (CLR) is a Microsoft-specific hybrid language environment.

Bonus Points: Define RA, OCSP, CA, and CRL (+50 for each)

300

Out-of-band management interfaces solve which of the following problems?

  1. Require separate communication channel

  2. Require less bandwidth

  3. Reduce development risks

  4. Reduce operational risks

D. Out-of-band management interfaces are less prone to interference from denial-of-service attacks against an application, reducing operational risk from loss of management control.

300

What mechanism can be employed to handle data issues that lead to out-of-range calculations?

  1. Regular expressions

  2. Vetted functions

  3. Library calls

  4. Exception handling

D. Exception handling can use business logic when elements are out of bounds, forcing overflow-type exceptions, for instance.

300

Static analysis can be used to check for what?

  1. Approved function/library calls, examining rules and semantics associated with logic, and thread performance management

  2. Syntax, approved function/library calls, and race conditions

  3. Syntax, approved function/library calls, and memory management

  4. Syntax, approved function/library calls, and examining rules and semantics associated with logic and calls

D. Static code analysis cannot test runtime issues such as thread performance, memory management, or race conditions.

400

Which of these statements accurately describes attack surface? (More than one answer)

  1. Number of vulnerable lines of code

  2. A good indicator of code quality

  3. Number of elements available to attack

  4. Not an indicator of code quality

3 and 4. Attack surface is the number of elements available to attack; it is not an indicator of code quality.

400

Which of these are types of common malware? (More than one answer)

  1. Procreateware

  2. Stealthware

  3. Proliferative

  4. Ransomware

  5. Replicaware

2, 3, and 4. Stealthware, proliferative malware, and ransomware.

400

What can be done in relation to services in order to harden the system configuration? (More than one answer)

  1. Use default accounts

  2. Use default folder locations

  3. Encrypt connection strings

  4. Eliminate unused services

3 and 4. Encrypt connection strings and eliminate unused services.

400

To deal with international distribution issues associated with cryptography, a clean method is via what?

  1. Versioning

  2. Use of international cryptography for all versions

  3. Use of approved cryptographic libraries only

  4. Use of cryptographic agility

D. Cryptographic agility can also assist in the international problem of approved cryptography. In some cases, certain cryptographic algorithms are not permitted to be exported to or used in a particular country. Rather than creating different source-code versions for each country, agility can allow the code to be managed via configurations.

400

Elements of defensive coding include all of the following except what?

  1. Custom cryptographic functions to avoid algorithm disclosure

  2. Exception handling to avoid program termination

  3. Interface coding efforts to avoid API-facing attacks

  4. Cryptographic agility to make cryptographic functions stronger

A. Custom cryptographic functions are always a bad idea and frequently lead to failure.

500

DREAD

A risk ranking (rating) methodology. Frequently used with STRIDE, the acronym stands for damage potential, reproducibility, exploitability, affected users, and discoverability.

500

Pervasive Computing

Also referred to as ubiquitous computing. It is about embedding capabilities (through microcontrollers) into everyday objects in our environment and providing them with storage, processing, and transmission capabilities. With all these objects connected to the internet, the basis for the Internet of Things (IoT) was established.

500

Which of these are well-known legitimate types of session attacks that should be modeled and mitigated? (More than one answer)

  1. Token generated attack

  2. Hijack attack

  3. Burnt cookie attack

  4. Man in the middle attack

1 and 4. Token generated attack and man in the middle attack.

500

Buffer Overflow

A reference to a situation where a process tries to place more data in a buffer than it has the capacity to hold. Buffer overflow can be caused by various conditions and in various ways, both on the stack and on the heap.

500

Obfuscation

A reference to the deliberate act of obscuring the code in various forms (e.g., source code, bytecode, object code). The objective is either to make the code difficult for humans to understand or to protect against decompiling and reverse engineering. Ultimately, it is about the protection of intellectual property.