Module 01 Post-Test, Question 2 (Screen 03 of 05)
Q: If an application has a Resource Injection flaw, what can an attacker do to exploit it?
Correct answer: Harvest a port number from an HTTP request and create a socket to bypass all validation.

Module 01 Post-Test, Question 5 (Screen 05 of 05)
Q: Most data sources can be an injection vector. Based on this knowledge, what is the best means for determining if your application is vulnerable?
Options:
- Search the source code for all calls to external resources and HTTP requests and review them.
- Complete automated testing of all data inputs to the application and review results.
- Request and review the code for all external interpreters the application might access.
Correct answer: Search the source code for all calls to external resources and HTTP requests and review them.

Module 01 Post-Test, Question 1 (Screen 01 of 05)
Q: Why do attackers frequently target administrative accounts [...] Broken Authentication fla[ws] [...]?
Correct answer (partly illegible): [...] more access to data and [...] manipulate data and [...]

Module 01 Post-Test, Question (number illegible)
Q: [An attacker] purchases a cache of usernames and passwords from the Dark Web. He writes a simple script to try various combinations of these quickly and finds a match on a popular eCommerce site. What type of attack did the attacker ex[ecute]?
Correct answer: [not captured]

Module 02 Post-Test, Question (number illegible)
Q: What is the biggest challenge in creating Authentication and Session Management for Internet of Things (IoT) devices?
Correct answer (partly illegible): [...] for multiple users of a device needs to include secure and robust authentication including biometrics, digital certificates, and multifactor authentication.

Module 02 Post-Test, Question (number illegible) (Screen 0? of 05)
Q (partly illegible): Why is it important [...] place encoding [...]?
Correct answer: Restriction can lead to exposing your passwords to easier brute force attacks.

Module 03 Post-Test, Question 1 (Screen 01 of 05)
Q: What are the three main categories of sensitive information that require protection from unauthorized access?
Correct answer: Personally Identifiable, Business, Classified

Module 03 Post-Test, Question 2 (Screen 02 of 05)
Q: Which of these is a privacy standard for citizens of the European Union that includes a strict set of standard data protection laws with significant monetary fines for [...]?
Correct answer: General Data Protection Regulations (GDPR)

Module 03 Post-Test, Question 3
Q: Which of these activities increases the risk of Sensitive Data Exposure? Select all that apply.
Correct answers:
- Backups of sensitive data stored in clear text
- Old or weak cryptographic algorithms for encrypting sensitive [data]

Module 03 Post-Test, Question 4 (Screen 04 of 05)
Q: Data Minimization, Data Classification, and Data Protection are components of what security practice?
Correct answer: Data management

Module 03 Post-Test, Question 5 (Screen 05 of 05)
Q: The permanent disconnection of a person's identification from personal data that is irreversible is the definition of what process?
Correct answer: Anonymization

Module 04 Post-Test, Question 2 (Screen 02 of 05)
Q and answer not captured; marked correct.

Module 04 Post-Test, Question 4
Q (partly illegible): If an application [...] upload [...] XML External Entities (XXE) are a risk that must be [...]
Correct answer (partly illegible): Use [...]

Module 04 Post-Test, Question 5 (Screen 05 of 05)
Q: The CIO has read the OWASP Top 10 and is now interested in developing additional policy documents for the IT team. He asks you to join him in presenting to the Board and requesting funding for the project. One of the board members asks you what main security risk is introduced with the XXE flaw. What do you tell her?
Correct answer: XML can be forced to execute code that has been inserted remotely, allowing a hacker to take over the company computer system.

Module 05 Post-Test, Question 2
Q: When designing and implementing access controls for emerging technologies, developers should remember what key design requirements? Select all that apply.
Correct answers:
- An organization always bears primary responsibility for the protection of data that is stored, transmitted, or processed by its application(s).
- All data is always at risk for attack, no matter the application, mechanism, or environment.
- Standard access control mechanisms must be reviewed carefully and evaluated when being applied to new technologies.

Module 05 Post-Test, Question 3 (Screen 03 of 05)
Q: What is the access control issue with the following line of code? http://mycompany.com/user app?id=232
Correct answer: The User ID identifies the user and could be manipulated easily by an attacker.

Module 05 Post-Test, Question 4 (Screen 04 of 05)
Q: Which of the following are challenges when designing and developing access control mechanisms for Internet of Things (IoT) devices? Select all that apply.
Correct answers:
- The use of ad-hoc networks with IoT devices
- The possible physical restrictions of IoT devices
- The need for authentication support for users, IoT devices, and servers

Module 05 Post-Test, Question 5 (Screen 05 of 05)
Q: Developers need to be concerned with access controls for APIs, even though they do not have a user interface. What are the specific vulnerabilities in relation to APIs and access controls?
Correct answer (partly illegible): Cross-Origin Resource Sharing (CORS) misconfiguration opening a site to all requests [...] when using cookies for authentication

Module 06 Post-Test, Question 1 (Screen 01 of 05)
Q: Secure installation and upgrade processes are important in securing components of your development. Which of these is not a recommended a[...]?
Correct answer: Disable the latest security features during an upgrade until you are sure they will not impact the use of your application.

Module 06 Post-Test, Question 2 (Screen 02 of 05)
Q: Third-party libraries are one of the most insecure aspects of an application. Configuration Management (CM) can help to mitigate these risks. Which of the following are recommended CM protocols in relation to the use of third-party libraries? Select all that apply.
Correct answers:
- Use controlled internal repositories to provision open-source components
- Use a Configuration Management System for tracking versions.
- Block the ability to download components dire[ctly] [...]

Module 06 Post-Test, Question 3 (Screen 03 of 05)
Q: A new application will be cloud-based. To address the Security [Mis]configuration [vu]lnerability highlighted in the OWASP 2017 standard, what should your team do prior [...]? Select all that apply.
Correct answers:
- Review the security layers that are in place in the environment
- Request information on regular risk assessments done for the environment

Module 06 Post-Test, Question 5 (Screen 05 of 05)
Q: Why is a repeatable hardening process a crucial aspect of a secure installation process?
Correct answer: It ensures a fast and easy deployment of a properly locked-down environment and can be automated.

Module 07 Post-Test, Question 1 (Screen 01 of 05)
Q: What type of XSS attack does the following statement describe? "The application or API output[s] [unvali]dated and unescaped user input as part of HTML [...]"
Correct answer: Reflected

Module 07 Post-Test, Question 2 (Screen 02 of 05)
Q: Why does using XSS with a Phishing attack place an organiz[ation at additi]onal risk?
Correct answer: While a Phishing attack targets a single user, adding XSS targets the organization's backend as well.

Module 07 Post-Test, Question 3 (Screen 03 of 05)
Q: "Fileless Malware" is a new type of attack that can be leveraged by using XSS. How does it differ from traditional malware-based attacks?
Correct answer: The malware resides in areas of the computer that are harder to access, such as the kernel or random-access memory (RAM).

Module 07 Post-Test, Question 4 (Screen 04 of 05)
Q: What are the best means of separating untrusted data from active b[rowser content] to prevent XSS?
Correct answer: Encoding and Escaping

Module 08 Post-Test, Question 2 (Screen 02 of 05)
Q (partly illegible): [What role do]es serialization/deserialization play in Object-Oriented Programming?
Correct answer: When a program is executed, messages exchanged between objects require that the object be transmitted and that the state of the object is known.

Module 08 Post-Test, Question 3 (Screen 03 of 05)
Q: What is the most effective means of preventing insecure deserialization attacks?
Correct answer: Not accepting serialized objects from untrusted sources.

Module 08 Post-Test, Question 4 (Screen 04 of 05)
Q: Which of the following scenarios is most susceptible to an insecure deserialization attack?
Correct answer: Accepting unknown user input to a web form

Module 08 Post-Test, Question 5
Q: Insecure deserialization attacks can take different forms. Which of these is not a primary type of deserialization attack?
Correct answer: Man-in-the-middle attack

Module 09 Post-Test, Question 1 (Screen 01 of 05)
Q: Why are third-party libraries an area of risk for application development?
Correct answer: Libraries run with the full privileges of the application.

Module 09 Post-Test, Question 3 (Screen 03 of 05)
Q: [Why] is patch management a critical aspect of mitigating the risks associated with using third-party components?
Correct answer (truncated): New vulnerabilities for existing components surface continually, so the security of frameworks and libraries cleared during initial inspection and research must be [...]

Module 09 Post-Test, Question 4 (Screen 04 of 05)
Q: Which of the following is a standard Security Verification Requirement that addresses the risks of using third-party components?
Correct answer (partly illegible): Components are segregated from each other [...] network segmentation, firewall rules, or cloud [...]

Module 09 Post-Test, Question 5 (Screen 05 of 05)
Q (partly illegible): [...] components with known vulnerabilities [...] scenarios? Select all that apply.
Correct answers:
- You do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion.
- You do not test the compatibility of updated, upgraded, or patched [...]

Module 10 Post-Test, Question 1
Q: What role does data classification play in logging and monitoring?
Correct answer: Alert thresholds and response escalation should align with the security level required for the data's classification.

Module 10 Post-Test, Question 2 (Screen 02 of 05)
Q: What is the risk of the mentality, "log everything you can, whenever you can," in relation to sensitive d[ata]? Select all that apply.
Correct answers:
- Capturing sensitive data without a use in mind increases the cost of security and increases the risk if a breach does happen.
- Logging all data makes it too challenging to find the information on sensitive data if a breach occurs.

Module 10 Post-Test, Question 4 (Screen 04 of 05)
Q: When creating log messages for an application, what should you consider? Select all that apply.
Correct answers:
- The wording should be clear and concise.
- Assume entries are being reviewed in an emergency situation and are the only means of determining what has happened.

Module 10 Post-Test, Question 5 (Screen 05 of 05)
Q: Which of these common actions does not need to be monitored in audit logs?
Correct answer: Successful logins