Code Analysis And Security Assessment
This quiz is designed to assess the understanding of code analysis and security development life cycle.
- 1.The Keywords that define Security Development Life Cycle (SDL) are: ___ and ___ (Select TWO):
- A.
Design
- B.
Build
- C.
Analysis
- D.
Respond
- 2.Which of following vulnerability is considered “Critical”:
- A.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- B.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- C.
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
- D.
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- 3.The SLO of a “Critical” product code vulnerability is ___ days.
- A.
3
- B.
30
- C.
60
- D.
90
- 4.Which of follow activity is NOT part of “Web Interface” SDL 4.1 control:
- A.
Use HTTPS Only
- B.
No Sensitive data send via GET query
- C.
Terminate session after inactivity
- D.
Use cookies securely
- 5.Which of following control category is required in SDL 5.0 but not required in SDL 4.x:
- A.
Vulnerability Response
- B.
Security Documentation
- C.
Process Governance
- D.
Injection Protection
- 6.Which of follow documents is NOT part of SDL “Security Documentation” requirement:
- A.
Security Configuration Guide (SCG)
- B.
False Positives Knowledge Base (KB)
- C.
Product Requirement Document (PRD)
- D.
Security Advisory (DSA)
- 7.A new 3rd part vulnerability is reported and vendor provided assessment vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, which of following statement is TRUE:
- A.
This vulnerability can be exploited over Intranet
- B.
This vulnerability can cause a service unavailability when exploited
- C.
This vulnerability can be exploit by privileged user only (e.g. root, admin)
- D.
Attacker need condition beyond his control to perform exploit
- 8.The SLO of a “Critical” severity 3rd party vulnerability is ___ days.
- A.
3
- B.
30
- C.
60
- D.
90
- 9.
![Following snippet is referring to which attack method:
alert(“You’ve been attacked!”); - ProProfs]( "Following snippet is referring to which attack method:
alert(“You’ve been attacked!”);")
Following snippet is referring to which attack method: alert(“You’ve been attacked!”);- A.
Cross-site scripting
- B.
Cross-site request forgery
- C.
Open redirect
- D.
Forced browsing
- 10.Which of following are BEST protection to protect against brute force password cracking:
- A.
Use Long/Strong password
- B.
Lock account after number of failed attempts
- C.
Use 2nd factor (2FA) authentication
- D.
Allow not more than 5 login attempt every hour
- 11.Which Cipher below is “Allowed” in Product usage?
- A.
TLS_RSA_WITH_AES_128_CBC_SHA256
- B.
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- C.
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- D.
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- 12.Which algorithm MUST be offered by product when hashing?
- A.
Any SHA2
- B.
Any SHA3
- C.
SHA1
- D.
MD5
- 13.Which of following product artifact should be digitally signed (Select ALL Applicable):
- A.
PRM files
- B.
OVA files
- C.
MSI installer
- D.
WAR files
- 14.
![Following snippet is vulnerable to ___:
- ProProfs]( "Following snippet is vulnerable to ___:")
Following snippet is vulnerable to ___:- A.
Path traversal
- B.
Injection
- C.
Secret disclosure
- D.
Insecure deserialization
- 15.
![Following snippet is attempting ____ attack:
- ProProfs]( "Following snippet is attempting ____ attack:")
Following snippet is attempting ____ attack:- A.
Cross-site scripting
- B.
Cross-site request forgery
- C.
Open redirect
- D.
Forced browsing
- 16.Which of following scan cover “Network Vulnerability Scan” activity (Select TWO):
- A.
Qualys Scan
- B.
Nessus Scan
- C.
MacAfee Scan
- D.
Blackduck Scan
- 17.What is the programming language with the most lines of code in Avamar?
- A.
C++
- B.
Java
- C.
Python
- D.
Go
- 18.In Avamar build, per every ? builds, there is a test package for code coverage testing.
- A.
1
- B.
2
- C.
5
- D.
10
- 19.Which static analysis tool Avamar uses now?
- A.
Cpplint
- B.
Coverity
- C.
Eclipse
- D.
None
- 20.Which is NOT a static code checking issue?
- A.
Null pointer dereferences
- B.
Resource leaks
- C.
Control flow issues
- D.
Wrong comments
- 21.Which software phase is better for static code checking?
- A.
Design.
- B.
Coding implementation done.
- C.
Testing.
- D.
Maintenance.
- 22.What's the false positives rate of static code analysis?
- A.
15%
- B.
25%
- C.
35%
- D.
45%
- 23.Which tools is NOT for static code analysis?
- A.
Coverity
- B.
Eclipse
- C.
Visual Studio
- D.
Source Insight
- 24.i) Static code analysis can't cover all bugs in code. ii) Any code change is risk of regressions
- A.
Only (i) is true
- B.
Only (ii) is true
- C.
Both are true
- D.
Both are false
- 25.Which issue is NOT from static code testing?
- A.
Dead code
- B.
Race conditions
- C.
Coded by humans issue
- D.
Performance bottle neck
.png "Following snippet is referring to which attack method:
alert(“You’ve been attacked!”);")
Questions: 10 | Attempts: 54 | Last updated: Dec 14, 2012
Questions: 86 | Attempts: 128 | Last updated: Jan 14, 2021
-
Sample QuestionType of water-based fire-suppression system & equipment designed to control, contain, or extinguish fires in the incipient stage?
Questions: 130 | Attempts: 150 | Last updated: Nov 21, 2017
-
Sample QuestionWhich type of maintenance ensures that equipment is ready and available at the time of need?
Back to top