1.
The keywords that define the Security Development Life Cycle (SDL) are: ___ and ___ (Select TWO):
Correct Answer(s)
B. Build
D. Respond
Explanation
2.
Which of the following vulnerabilities is considered "Critical":
Correct Answer
A. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Explanation
The given CVSS vector describes a vulnerability that is exploitable over the network (AV:N), with low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N). The scope is unchanged (S:U), the impact on confidentiality and integrity is high (C:H, I:H), and there is no impact on availability (A:N). These metrics give a CVSS 3.0 base score of 9.1, which falls in the Critical band (9.0 to 10.0), so this vulnerability is considered "Critical".
3.
The SLO of a “Critical” product code vulnerability is ___ days.
Correct Answer
D. 90
Explanation
The SLO (Service Level Objective) of a "Critical" product code vulnerability is 90 days. This means that the organization or team responsible for addressing and fixing the vulnerability has set a target of resolving it within 90 days. This timeframe allows for appropriate investigation, analysis, and remediation of the vulnerability to ensure the security and stability of the product.
4.
Which of the following activities is NOT part of the "Web Interface" SDL 4.1 control:
Correct Answer
C. Terminate session after inactivity
Explanation
The activity "Terminate session after inactivity" is not part of the "Web Interface" SDL 4.1 control. This control focuses on ensuring secure practices for web interfaces, such as using HTTPS only, not sending sensitive data via GET query, and using cookies securely. Terminating a session after inactivity is not specifically mentioned as part of this control.
5.
Which of the following control categories is required in SDL 5.0 but not required in SDL 4.x:
Correct Answer
A. Vulnerability Response
Explanation
6.
Which of the following documents is NOT part of the SDL "Security Documentation" requirement:
Correct Answer
D. Security Advisory (DSA)
Explanation
The Security Advisory (DSA) is not part of the SDL "Security Documentation" requirement.
7.
A new 3rd party vulnerability is reported and the vendor provided the assessment vector CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N. Which of the following statements is TRUE:
Correct Answer
D. Attacker need condition beyond his control to perform exploit
Explanation
The given assessment vector includes the following values: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N. These values indicate that the vulnerability can only be exploited locally (AV:L), has high attack complexity (AC:H), does not require any privileges (PR:N), requires user interaction (UI:R), leaves the scope unchanged (S:U), can result in high confidentiality impact (C:H) and high integrity impact (I:H), and has no availability impact (A:N). High attack complexity (AC:H) means that a successful exploit depends on conditions beyond the attacker's control, so the statement "Attacker needs a condition beyond his control to perform exploit" is true.
8.
The SLO of a “Critical” severity 3rd party vulnerability is ___ days.
Correct Answer
C. 60
Explanation
The SLO (Service Level Objective) of a "Critical" severity 3rd party vulnerability is 60 days. This means that the organization or service provider has set a target of resolving or mitigating the vulnerability within 60 days. This timeframe allows for appropriate attention and resources to be allocated to address the vulnerability while minimizing the potential impact on the system or software.
9.
The following snippet refers to which attack method:
alert("You've been attacked!");
Correct Answer
A. Cross-site scripting
Explanation
The given snippet is an example of a cross-site scripting (XSS) attack method. XSS occurs when an attacker injects malicious code into a website, which is then executed by the victim's browser. In this case, the code is an alert message saying "You've been attacked!" This type of attack can be used to steal sensitive information, manipulate website content, or redirect users to malicious websites.
10.
Which of the following is the BEST protection against brute force password cracking:
Correct Answer
C. Use 2nd factor (2FA) authentication
Explanation
Using 2nd factor (2FA) authentication is the best protection against brute force password cracking. This method adds an additional layer of security by requiring users to provide a second form of verification, such as a fingerprint, a code sent to their mobile device, or a security token, in addition to their password. This makes it much more difficult for attackers to gain unauthorized access, even if they manage to guess or crack the password.
11.
Which Cipher below is “Allowed” in Product usage?
Correct Answer
C. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
12.
Which algorithm MUST be offered by product when hashing?
Correct Answer
A. Any SHA2
Explanation
The product must offer any SHA2 algorithm when hashing because SHA2 is a more secure and widely used hashing algorithm compared to SHA1 and MD5. SHA2 provides stronger cryptographic security and is less vulnerable to attacks. Additionally, SHA3 is also mentioned as a valid option, but it is not mandatory as the question states "MUST" offer, not "MUST ONLY" offer.
13.
Which of the following product artifacts should be digitally signed (Select ALL applicable):
Correct Answer(s)
A. PRM files
B. OVA files
C. MSI installer
D. WAR files
Explanation
All of the mentioned product artifacts should be digitally signed. PRM files, OVA files, MSI installers, and WAR files are all types of software packages or installation files that are distributed to users. Digitally signing these artifacts helps to ensure their authenticity and integrity, as well as provide a level of trust for the end users. By digitally signing these files, it becomes easier to detect any tampering or unauthorized modifications, and also verify the identity of the signer.
14.
The following snippet is vulnerable to ___:
Correct Answer
B. Injection
Explanation
The given snippet is vulnerable to injection attacks. Injection attacks occur when untrusted data is inserted into a command or query, allowing an attacker to manipulate the intended behavior of the code. This can lead to unauthorized access, data breaches, or the execution of malicious commands. It is important to properly validate and sanitize user input to prevent injection vulnerabilities.
15.
The following snippet is attempting a ____ attack:
Correct Answer
B. Cross-site request forgery
Explanation
The given snippet is attempting a Cross-site request forgery (CSRF) attack. CSRF is a type of attack where an attacker tricks a victim into performing an unwanted action on a website in which the victim is authenticated. The attacker crafts a malicious request and tricks the victim into unknowingly sending that request, leading to unauthorized actions being performed on the victim's behalf. This attack is often used to perform actions like changing passwords, making purchases, or modifying settings without the victim's knowledge or consent.
16.
Which of the following scans cover the "Network Vulnerability Scan" activity (Select TWO):
Correct Answer(s)
A. Qualys Scan
B. Nessus Scan
Explanation
The Qualys Scan and Nessus Scan are both capable of performing a "Network Vulnerability Scan" activity. These scans are designed to identify vulnerabilities within a network infrastructure, such as open ports, outdated software, and misconfigurations. By conducting these scans, organizations can proactively identify and address potential security weaknesses, ultimately reducing the risk of a successful cyberattack.
17.
What is the programming language with the most lines of code in Avamar?
Correct Answer
A. C++
Explanation
C++ is the correct answer because it is a widely used programming language known for its efficiency and performance. Many large-scale software projects, including Avamar, may utilize C++ due to its ability to handle complex tasks and its extensive libraries. C++ allows developers to write low-level code and optimize performance, making it suitable for projects that require a significant number of lines of code. Therefore, it is plausible that Avamar, being a sophisticated software, would have the most lines of code written in C++.
18.
In the Avamar build, for every ? builds, there is a test package for code coverage testing.
Correct Answer
C. 5
Explanation
In the Avamar build, for every 5 builds, there is a test package for code coverage testing.
19.
Which static analysis tool does Avamar use now?
Correct Answer
B. Coverity
Explanation
Avamar uses the static analysis tool Coverity. This tool helps to identify and prevent software defects and vulnerabilities in the code. It performs static code analysis by analyzing the code without executing it, thereby finding potential issues such as memory leaks, buffer overflows, and null pointer dereferences. By using Coverity, Avamar can ensure that their code is of high quality and free from common programming errors, ultimately leading to more reliable and secure software.
20.
Which is NOT a static code checking issue?
Correct Answer
D. Wrong comments
Explanation
Wrong comments are not a static code checking issue because they do not affect the functionality or correctness of the code. While wrong comments may lead to confusion or misunderstandings for developers reading the code, they do not cause any runtime errors or bugs. Static code checking typically focuses on identifying issues that can impact the code's behavior, such as null pointer dereferences, resource leaks, and control flow problems.
21.
Which software phase is better for static code checking?
Correct Answer
B. Coding implementation done.
Explanation
The correct answer is "Coding implementation done." This phase is better for static code checking because the code now exists and can be analyzed before it is executed. Developers can use static code analysis tools at this point to identify potential issues and vulnerabilities early, which improves the overall quality of the code and reduces the chance of introducing bugs or security vulnerabilities. The design phase focuses on high-level planning, the testing phase is more focused on validating functionality, and maintenance is concerned with fixing issues in the deployed software.
22.
What's the false positives rate of static code analysis?
Correct Answer
A. 15%
Explanation
The false positives rate refers to the percentage of times that a static code analysis tool incorrectly identifies code as having a problem when it actually does not. In this case, the correct answer is 15%, indicating that the static code analysis tool has a relatively low rate of false positives, meaning it is more accurate in identifying actual issues in the code.
23.
Which tool is NOT for static code analysis?
Correct Answer
D. Source Insight
Explanation
Source Insight is not a tool for static code analysis. It is actually a code editor and project analyzer that helps developers navigate through their codebase and understand the relationships between different code elements. It provides features like code browsing, symbol lookup, and code visualization. However, it does not have the capability to perform static code analysis, which involves analyzing the source code without actually executing it to find potential issues or vulnerabilities.
24.
i) Static code analysis can't cover all bugs in code. ii) Any code change carries a risk of regressions
Correct Answer
C. Both are true
Explanation
Static code analysis is a method of analyzing code without executing it, and it can help identify certain types of bugs or issues in the code. However, it is not capable of covering all possible bugs in the code, as some bugs may only be evident during runtime or in specific scenarios. Therefore, statement (i) is true. Additionally, any code change, no matter how small, carries the risk of introducing regressions or unintended side effects. This is because even a small change can have unforeseen consequences in the overall system. Hence, statement (ii) is also true.
25.
Which issue is NOT from static code testing?
Correct Answer
D. Performance bottle neck
Explanation
Static code testing is a technique used to identify issues in code without executing it. Dead code and race conditions are common issues that can be detected through static code testing. The term "coded by humans issue" is not clear, but it can be assumed that it refers to issues caused by human error, which can also be identified through static code testing. On the other hand, performance bottlenecks are not typically detected through static code testing, as they involve analyzing the runtime behavior of the code. Therefore, performance bottlenecks are not considered as an issue from static code testing.
26.
Which one is true for static code analysis?
Correct Answer
A. Run slow
Explanation
Static code analysis is a method of analyzing code without actually executing it. It involves examining the code for potential errors, bugs, and vulnerabilities. One drawback of static code analysis is that it can be time-consuming and slow, especially for large codebases. Therefore, the statement "Run slow" is true for static code analysis.
27.
Which tool is NOT for dynamic code analysis?
Correct Answer
D. Enhanced type checking
Explanation
Enhanced type checking is not a tool for dynamic code analysis because it is primarily used to detect type errors and inconsistencies at compile-time rather than analyzing code behavior at runtime. Dynamic code analysis tools, on the other hand, focus on analyzing code behavior during runtime to identify issues such as performance bottlenecks, memory leaks, and security vulnerabilities. Examples of dynamic code analysis tools include CPU sampling, instrumentation, and memory profiling, which are all designed to analyze code behavior during program execution.
28.
Which one is NOT a dynamic code analysis tool?
Correct Answer
D. P4V
Explanation
P4V is a graphical user interface for the Perforce version control system and is not a dynamic code analysis tool. Valgrind is a dynamic code analysis tool used for memory debugging, profiling, and memory leak detection. Visual Studio is an integrated development environment that includes dynamic code analysis features. IBM Rational offers various dynamic code analysis tools such as Rational AppScan and Rational Purify.
29.
Which code coverage type has the lowest coverage rate?
Correct Answer
D. Condition coverage
Explanation
Condition coverage is the code coverage type with the lowest coverage rate. Condition coverage focuses on testing all possible combinations of conditions within a decision point. It requires that each condition within a decision point evaluates to both true and false at least once. This level of testing ensures that all possible outcomes of a decision are considered. However, because it requires testing all possible combinations, condition coverage typically has a lower coverage rate compared to other types of code coverage such as statement coverage or decision coverage.
30.
Which software phase is better for dynamic code checking?
Correct Answer
C. Testing.
Explanation
Testing is the software phase that is better for dynamic code checking. During testing, the software is executed with various inputs to identify any errors or bugs in the code. Dynamic code checking involves analyzing the code while it is running, allowing for the detection of issues that may not be apparent during design or coding implementation. This phase helps ensure that the software functions correctly and meets the desired requirements. Maintenance, on the other hand, involves making changes to the software after it has been deployed and is not specifically focused on code checking.
31.
Which one is NOT an object-oriented design principle?
Correct Answer
A. Consistent name style.
Explanation
Object-oriented design principles are a set of guidelines that help in designing and developing object-oriented software. Consistent name style is not one of these principles. The other options, interface segregation, dependency inversion, and single responsibility, are all well-known object-oriented design principles.
32.
Which one is not a good coding habit?
Correct Answer
C. More comments as possible as we can.
Explanation
The correct answer is "More comments as possible as we can." This is because while comments can be helpful in explaining the code's functionality, having too many comments can make the code cluttered and difficult to read. It is generally recommended to have concise and meaningful comments that provide necessary information without overwhelming the code.
33.
Which code file name style is not suggested in Linux?
Correct Answer
A. NtSecurity.cpp
Explanation
The name style "NtSecurity.cpp" is not suggested in Linux because it uses a naming convention commonly associated with Windows operating systems. In Linux, it is generally recommended to use lowercase letters and separate words with underscores or hyphens for better readability and compatibility with other systems.
34.
What is the output of the following program?
Correct Answer
C. Runtime error
Explanation
The given program does not have any code or logic written in it. Therefore, when the program is executed, it will result in a runtime error because there is no executable code to run.
35.
What's the issue type for this fix?
Correct Answer
B. Memory safety checks
Explanation
Memory safety checks are the type of issue being addressed in this fix. These checks ensure that a program does not access or manipulate memory in an unsafe or unintended way, which includes preventing buffer overflows, null pointer dereferences, and other memory-related vulnerabilities. By adding memory safety checks, developers can identify and fix potential issues that could otherwise lead to security vulnerabilities or program crashes.
36.
What's the issue type for this fix?
Correct Answer
A. Memory Safety
Explanation
Memory safety refers to the practice of ensuring that a program does not have any memory-related errors, such as accessing invalid memory locations or using uninitialized variables. This includes preventing buffer overflows, use-after-free errors, and other memory vulnerabilities. Therefore, if the issue being fixed is related to memory safety, it means that the problem was causing potential memory-related errors and the fix aims to address those issues.