Code Analysis And Security Assessment

36 Questions | Total Attempts: 182


This quiz is designed to assess the understanding of code analysis and security development life cycle.


Questions and Answers
1. The keywords that define the Security Development Life Cycle (SDL) are ___ and ___ (select TWO):
   A. Design
   B. Build
   C. Analysis
   D. Respond

2. Which of the following vulnerabilities is considered "Critical"?
   A. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
   B. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
   C. CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
   D. CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

3. The SLO for a "Critical" product code vulnerability is ___ days.
   A. 3
   B. 30
   C. 60
   D. 90

4. Which of the following activities is NOT part of the "Web Interface" SDL 4.1 control?
   A. Use HTTPS only
   B. No sensitive data sent via GET query
   C. Terminate session after inactivity
   D. Use cookies securely

5. Which of the following control categories is required in SDL 5.0 but not required in SDL 4.x?
   A. Vulnerability Response
   B. Security Documentation
   C. Process Governance
   D. Injection Protection

6. Which of the following documents is NOT part of the SDL "Security Documentation" requirement?
   A. Security Configuration Guide (SCG)
   B. False Positives Knowledge Base (KB)
   C. Product Requirement Document (PRD)
   D. Security Advisory (DSA)

7. A new 3rd-party vulnerability is reported and the vendor provides the assessment vector CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N. Which of the following statements is TRUE?
   A. This vulnerability can be exploited over the intranet
   B. This vulnerability can cause service unavailability when exploited
   C. This vulnerability can be exploited by privileged users only (e.g. root, admin)
   D. The attacker needs conditions beyond their control to perform the exploit

8. The SLO for a "Critical" severity 3rd-party vulnerability is ___ days.
   A. 3
   B. 30
   C. 60
   D. 90

9. The following snippet refers to which attack method: alert("You've been attacked!");
   A. Cross-site scripting
   B. Cross-site request forgery
   C. Open redirect
   D. Forced browsing

10. Which of the following is the BEST protection against brute-force password cracking?
   A. Use a long/strong password
   B. Lock the account after a number of failed attempts
   C. Use 2nd-factor (2FA) authentication
   D. Allow no more than 5 login attempts every hour

11. Which cipher suite below is "Allowed" for product usage?
   A. TLS_RSA_WITH_AES_128_CBC_SHA256
   B. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
   C. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
   D. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

12. Which algorithm MUST be offered by the product when hashing?
   A. Any SHA2
   B. Any SHA3
   C. SHA1
   D. MD5

13. Which of the following product artifacts should be digitally signed (select ALL applicable)?
   A. PRM files
   B. OVA files
   C. MSI installer
   D. WAR files

14. The following snippet is vulnerable to ___:
   A. Path traversal
   B. Injection
   C. Secret disclosure
   D. Insecure deserialization

15. The following snippet is attempting a ____ attack:
   A. Cross-site scripting
   B. Cross-site request forgery
   C. Open redirect
   D. Forced browsing

16. Which of the following scans cover the "Network Vulnerability Scan" activity (select TWO)?
   A. Qualys Scan
   B. Nessus Scan
   C. McAfee Scan
   D. Blackduck Scan

17. What is the programming language with the most lines of code in Avamar?
   A. C++
   B. Java
   C. Python
   D. Go

18. In the Avamar build, for every ? builds there is a test package for code coverage testing.
   A. 1
   B. 2
   C. 5
   D. 10

19. Which static analysis tool does Avamar use now?
   A. Cpplint
   B. Coverity
   C. Eclipse
   D. None

20. Which is NOT a static code checking issue?
   A. Null pointer dereferences
   B. Resource leaks
   C. Control flow issues
   D. Wrong comments

21. Which software phase is better for static code checking?
   A. Design
   B. Coding implementation done
   C. Testing
   D. Maintenance

22. What is the false positive rate of static code analysis?
   A. 15%
   B. 25%
   C. 35%
   D. 45%

23. Which tool is NOT for static code analysis?
   A. Coverity
   B. Eclipse
   C. Visual Studio
   D. Source Insight

24. i) Static code analysis can't cover all bugs in code. ii) Any code change is a risk of regressions.
   A. Only (i) is true
   B. Only (ii) is true
   C. Both are true
   D. Both are false

25. Which issue is NOT from static code testing?
   A. Dead code
   B. Race conditions
   C. Coded-by-humans issue
   D. Performance bottleneck