Code Analysis And Security Assessment
-
The Keywords that define Security Development Life Cycle (SDL) are: ___ and ___ (Select TWO):
-
Design
-
Build
-
Analysis
-
Respond
-
This quiz is designed to assess the understanding of code analysis and security development life cycle.
Quiz Preview
- 2.
Which of following vulnerability is considered “Critical”:
-
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
-
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
-
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
-
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Correct Answer
A. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExplanation
The given CVSS vector represents a vulnerability with a high impact on confidentiality and integrity. The access vector is network-based, access complexity is low, and privileges required are none. The scope is unchanged, and the impact on confidentiality and integrity is high. The impact on availability is none. Therefore, this vulnerability is considered "Critical".Rate this question:
-
- 3.
The SLO of a “Critical” product code vulnerability is ___ days.
-
3
-
30
-
60
-
90
Correct Answer
A. 90Explanation
The SLO (Service Level Objective) of a "Critical" product code vulnerability is 90 days. This means that the organization or team responsible for addressing and fixing the vulnerability has set a target of resolving it within 90 days. This timeframe allows for appropriate investigation, analysis, and remediation of the vulnerability to ensure the security and stability of the product.Rate this question:
-
- 4.
Which of follow activity is NOT part of “Web Interface” SDL 4.1 control:
-
Use HTTPS Only
-
No Sensitive data send via GET query
-
Terminate session after inactivity
-
Use cookies securely
Correct Answer
A. Terminate session after inactivityExplanation
The activity "Terminate session after inactivity" is not part of the "Web Interface" SDL 4.1 control. This control focuses on ensuring secure practices for web interfaces, such as using HTTPS only, not sending sensitive data via GET query, and using cookies securely. Terminating a session after inactivity is not specifically mentioned as part of this control.Rate this question:
-
- 5.
Which of following control category is required in SDL 5.0 but not required in SDL 4.x:
-
Vulnerability Response
-
Security Documentation
-
Process Governance
-
Injection Protection
Correct Answer
A. Vulnerability ResponseExplanation
Rate this question:
-
- 6.
Which of follow documents is NOT part of SDL “Security Documentation” requirement:
-
Security Configuration Guide (SCG)
-
False Positives Knowledge Base (KB)
-
Product Requirement Document (PRD)
-
Security Advisory (DSA)
Correct Answer
A. Security Advisory (DSA)Explanation
Security Advisory is not part of SDL requirementRate this question:
-
- 7.
A new 3rd part vulnerability is reported and vendor provided assessment vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, which of following statement is TRUE:
-
This vulnerability can be exploited over Intranet
-
This vulnerability can cause a service unavailability when exploited
-
This vulnerability can be exploit by privileged user only (e.g. root, admin)
-
Attacker need condition beyond his control to perform exploit
Correct Answer
A. Attacker need condition beyond his control to perform exploitExplanation
The given assessment vector includes the following values: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N. These values indicate that the vulnerability can be exploited locally (AV:L), requires high attack complexity (AC:H), does not require any privileges (PR:N), does not require user interaction (UI:R), can cause service unavailability (S:U), can result in high confidentiality impact (C:H), can result in high integrity impact (I:H), and does not result in any availability impact (A:N). Based on this information, the statement "Attacker needs a condition beyond his control to perform exploit" is true, as the vulnerability does not require any specific conditions beyond the attacker's control to be exploited.Rate this question:
-
- 8.
The SLO of a “Critical” severity 3rd party vulnerability is ___ days.
-
3
-
30
-
60
-
90
Correct Answer
A. 60Explanation
The SLO (Service Level Objective) of a "Critical" severity 3rd party vulnerability is 60 days. This means that the organization or service provider has set a target of resolving or mitigating the vulnerability within 60 days. This timeframe allows for appropriate attention and resources to be allocated to address the vulnerability while minimizing the potential impact on the system or software.Rate this question:
-
- 9.
Following snippet is referring to which attack method: alert(“You’ve been attacked!”);
-
Cross-site scripting
-
Cross-site request forgery
-
Open redirect
-
Forced browsing
Correct Answer
A. Cross-site scriptingExplanation
The given snippet is an example of a cross-site scripting (XSS) attack method. XSS occurs when an attacker injects malicious code into a website, which is then executed by the victim's browser. In this case, the code is an alert message saying "You've been attacked!" This type of attack can be used to steal sensitive information, manipulate website content, or redirect users to malicious websites.Rate this question:
-
- 10.
Which of following are BEST protection to protect against brute force password cracking:
-
Use Long/Strong password
-
Lock account after number of failed attempts
-
Use 2nd factor (2FA) authentication
-
Allow not more than 5 login attempt every hour
Correct Answer
A. Use 2nd factor (2FA) authenticationExplanation
Using 2nd factor (2FA) authentication is the best protection against brute force password cracking. This method adds an additional layer of security by requiring users to provide a second form of verification, such as a fingerprint, a code sent to their mobile device, or a security token, in addition to their password. This makes it much more difficult for attackers to gain unauthorized access, even if they manage to guess or crack the password.Rate this question:
-
- 11.
Which Cipher below is “Allowed” in Product usage?
-
TLS_RSA_WITH_AES_128_CBC_SHA256
-
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
-
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Correct Answer
A. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 -
- 12.
Which algorithm MUST be offered by product when hashing?
-
Any SHA2
-
Any SHA3
-
SHA1
-
MD5
Correct Answer
A. Any SHA2Explanation
The product must offer any SHA2 algorithm when hashing because SHA2 is a more secure and widely used hashing algorithm compared to SHA1 and MD5. SHA2 provides stronger cryptographic security and is less vulnerable to attacks. Additionally, SHA3 is also mentioned as a valid option, but it is not mandatory as the question states "MUST" offer, not "MUST ONLY" offer.Rate this question:
-
- 13.
Which of following product artifact should be digitally signed (Select ALL Applicable):
-
PRM files
-
OVA files
-
MSI installer
-
WAR files
Correct Answer(s)
A. PRM files
A. OVA files
A. MSI installer
A. WAR filesExplanation
All of the mentioned product artifacts should be digitally signed. PRM files, OVA files, MSI installers, and WAR files are all types of software packages or installation files that are distributed to users. Digitally signing these artifacts helps to ensure their authenticity and integrity, as well as provide a level of trust for the end users. By digitally signing these files, it becomes easier to detect any tampering or unauthorized modifications, and also verify the identity of the signer.Rate this question:
-
- 14.
Following snippet is vulnerable to ___:
-
Path traversal
-
Injection
-
Secret disclosure
-
Insecure deserialization
Correct Answer
A. InjectionExplanation
The given snippet is vulnerable to injection attacks. Injection attacks occur when untrusted data is inserted into a command or query, allowing an attacker to manipulate the intended behavior of the code. This can lead to unauthorized access, data breaches, or the execution of malicious commands. It is important to properly validate and sanitize user input to prevent injection vulnerabilities.Rate this question:
-
- 15.
Following snippet is attempting ____ attack:
-
Cross-site scripting
-
Cross-site request forgery
-
Open redirect
-
Forced browsing
Correct Answer
A. Cross-site request forgeryExplanation
The given snippet is attempting a Cross-site request forgery (CSRF) attack. CSRF is a type of attack where an attacker tricks a victim into performing an unwanted action on a website in which the victim is authenticated. The attacker crafts a malicious request and tricks the victim into unknowingly sending that request, leading to unauthorized actions being performed on the victim's behalf. This attack is often used to perform actions like changing passwords, making purchases, or modifying settings without the victim's knowledge or consent.Rate this question:
-
- 16.
Which of following scan cover “Network Vulnerability Scan” activity (Select TWO):
-
Qualys Scan
-
Nessus Scan
-
MacAfee Scan
-
Blackduck Scan
Correct Answer(s)
A. Qualys Scan
A. Nessus ScanExplanation
The Qualys Scan and Nessus Scan are both capable of performing a "Network Vulnerability Scan" activity. These scans are designed to identify vulnerabilities within a network infrastructure, such as open ports, outdated software, and misconfigurations. By conducting these scans, organizations can proactively identify and address potential security weaknesses, ultimately reducing the risk of a successful cyberattack.Rate this question:
-
- 17.
What is the programming language with the most lines of code in Avamar?
-
C++
-
Java
-
Python
-
Go
Correct Answer
A. C++Explanation
C++ is the correct answer because it is a widely used programming language known for its efficiency and performance. Many large-scale software projects, including Avamar, may utilize C++ due to its ability to handle complex tasks and its extensive libraries. C++ allows developers to write low-level code and optimize performance, making it suitable for projects that require a significant number of lines of code. Therefore, it is plausible that Avamar, being a sophisticated software, would have the most lines of code written in C++.Rate this question:
-
- 18.
In Avamar build, per every ? builds, there is a test package for code coverage testing.
-
1
-
2
-
5
-
10
Correct Answer
A. 5Explanation
In Avamar build, for every 5 builds, there is a test package for code coverage testing.Rate this question:
-
- 19.
Which static analysis tool Avamar uses now?
-
Cpplint
-
Coverity
-
Eclipse
-
None
Correct Answer
A. CoverityExplanation
Avamar uses the static analysis tool Coverity. This tool helps to identify and prevent software defects and vulnerabilities in the code. It performs static code analysis by analyzing the code without executing it, thereby finding potential issues such as memory leaks, buffer overflows, and null pointer dereferences. By using Coverity, Avamar can ensure that their code is of high quality and free from common programming errors, ultimately leading to more reliable and secure software.Rate this question:
-
- 20.
Which is NOT a static code checking issue?
-
Null pointer dereferences
-
Resource leaks
-
Control flow issues
-
Wrong comments
Correct Answer
A. Wrong commentsExplanation
Wrong comments are not a static code checking issue because they do not affect the functionality or correctness of the code. While wrong comments may lead to confusion or misunderstandings for developers reading the code, they do not cause any runtime errors or bugs. Static code checking typically focuses on identifying issues that can impact the code's behavior, such as null pointer dereferences, resource leaks, and control flow problems.Rate this question:
-
- 21.
Which software phase is better for static code checking?
-
Design.
-
Coding implementation done.
-
Testing.
-
Maintenance.
Correct Answer
A. Coding implementation done.Explanation
The correct answer is "Coding implementation done." This phase is better for static code checking because it involves the actual writing of the code. During this phase, developers can use static code analysis tools to identify potential issues and vulnerabilities in the code before it is executed. This helps in improving the overall quality of the code and reduces the chances of introducing bugs or security vulnerabilities. The design phase focuses on high-level planning and the testing phase is more focused on validating the functionality, while maintenance is concerned with fixing issues in the deployed software.Rate this question:
-
- 22.
What's the false positives rate of static code analysis?
-
15%
-
25%
-
35%
-
45%
Correct Answer
A. 15%Explanation
The false positives rate refers to the percentage of times that a static code analysis tool incorrectly identifies code as having a problem when it actually does not. In this case, the correct answer is 15%, indicating that the static code analysis tool has a relatively low rate of false positives, meaning it is more accurate in identifying actual issues in the code.Rate this question:
-
- 23.
Which tools is NOT for static code analysis?
-
Coverity
-
Eclipse
-
Visual Studio
-
Source Insight
Correct Answer
A. Source InsightExplanation
Source Insight is not a tool for static code analysis. It is actually a code editor and project analyzer that helps developers navigate through their codebase and understand the relationships between different code elements. It provides features like code browsing, symbol lookup, and code visualization. However, it does not have the capability to perform static code analysis, which involves analyzing the source code without actually executing it to find potential issues or vulnerabilities.Rate this question:
-
- 24.
i) Static code analysis can't cover all bugs in code. ii) Any code change is risk of regressions
-
Only (i) is true
-
Only (ii) is true
-
Both are true
-
Both are false
Correct Answer
A. Both are trueExplanation
Static code analysis is a method of analyzing code without executing it, and it can help identify certain types of bugs or issues in the code. However, it is not capable of covering all possible bugs in the code, as some bugs may only be evident during runtime or in specific scenarios. Therefore, statement (i) is true. Additionally, any code change, no matter how small, carries the risk of introducing regressions or unintended side effects. This is because even a small change can have unforeseen consequences in the overall system. Hence, statement (ii) is also true.Rate this question:
-
- 25.
Which issue is NOT from static code testing?
-
Dead code
-
Race conditions
-
Coded by humans issue
-
Performance bottle neck
Correct Answer
A. Performance bottle neckExplanation
Static code testing is a technique used to identify issues in code without executing it. Dead code and race conditions are common issues that can be detected through static code testing. The term "coded by humans issue" is not clear, but it can be assumed that it refers to issues caused by human error, which can also be identified through static code testing. On the other hand, performance bottlenecks are not typically detected through static code testing, as they involve analyzing the runtime behavior of the code. Therefore, performance bottlenecks are not considered as an issue from static code testing.Rate this question:
-
- 26.
Which one is true for static code analysis?
-
Run slow
-
False positives
-
Cover all bugs in code
-
No need compile before test.
Correct Answer
A. Run slowExplanation
Static code analysis is a method of analyzing code without actually executing it. It involves examining the code for potential errors, bugs, and vulnerabilities. One drawback of static code analysis is that it can be time-consuming and slow, especially for large codebases. Therefore, the statement "Run slow" is true for static code analysis.Rate this question:
-
- 27.
Which tools is NOT for dynamic code analysis?
-
CPU sampling
-
Instrumentation
-
Memory profiling
-
Enhanced type checking
Correct Answer
A. Enhanced type checkingExplanation
Enhanced type checking is not a tool for dynamic code analysis because it is primarily used to detect type errors and inconsistencies at compile-time rather than analyzing code behavior at runtime. Dynamic code analysis tools, on the other hand, focus on analyzing code behavior during runtime to identify issues such as performance bottlenecks, memory leaks, and security vulnerabilities. Examples of dynamic code analysis tools include CPU sampling, instrumentation, and memory profiling, which are all designed to analyze code behavior during program execution.Rate this question:
-
- 28.
Which one is NOT dynamic code analysis tool?
-
Valgrind
-
Visual studio
-
IBM Rational
-
P4V
Correct Answer
A. P4VExplanation
P4V is a graphical user interface for the Perforce version control system and is not a dynamic code analysis tool. Valgrind is a dynamic code analysis tool used for memory debugging, profiling, and memory leak detection. Visual Studio is an integrated development environment that includes dynamic code analysis features. IBM Rational offers various dynamic code analysis tools such as Rational AppScan and Rational Purify.Rate this question:
-
- 29.
Which code coverage type is with the lowest coverage rate?
-
Function coverage
-
Statement coverage
-
Decision coverage
-
Condition coverage
Correct Answer
A. Condition coverageExplanation
Condition coverage is the code coverage type with the lowest coverage rate. Condition coverage focuses on testing all possible combinations of conditions within a decision point. It requires that each condition within a decision point evaluates to both true and false at least once. This level of testing ensures that all possible outcomes of a decision are considered. However, because it requires testing all possible combinations, condition coverage typically has a lower coverage rate compared to other types of code coverage such as statement coverage or decision coverage.Rate this question:
-
- 30.
Which software phase is better for dynamic code checking?
-
Design.
-
Coding implementation done.
-
Testing.
-
Maintenance.
Correct Answer
A. Testing.Explanation
Testing is the software phase that is better for dynamic code checking. During testing, the software is executed with various inputs to identify any errors or bugs in the code. Dynamic code checking involves analyzing the code while it is running, allowing for the detection of issues that may not be apparent during design or coding implementation. This phase helps ensure that the software functions correctly and meets the desired requirements. Maintenance, on the other hand, involves making changes to the software after it has been deployed and is not specifically focused on code checking.Rate this question:
-
- 31.
Which one is NOT an orient-object design principle?
-
Consistent name style.
-
Interface segregation. (接口隔离)
-
Dependency Inversion. (依赖反转)
-
Single responsibility.
Correct Answer
A. Consistent name style.Explanation
The orient-object design principles are a set of guidelines that help in designing and developing object-oriented software. Consistent name style is not one of these principles. The other options, interface segregation, dependency inversion, and single responsibility, are all well-known orient-object design principles.Rate this question:
-
- 32.
Which one is not good coding habit?
-
Consistency naming.
-
Write short function.
-
More comments as possible as we can.
-
Check input parameters in public function.
Correct Answer
A. More comments as possible as we can.Explanation
The correct answer is "More comments as possible as we can." This is because while comments can be helpful in explaining the code's functionality, having too many comments can make the code cluttered and difficult to read. It is generally recommended to have concise and meaningful comments that provide necessary information without overwhelming the code.Rate this question:
-
- 33.
Which name style of code file is not suggested in Linux?
-
NtSecurity. cpp
-
My_useful_class. cc
-
Dns_look_up. h
-
Ascii. py
Correct Answer
A. NtSecurity. cppExplanation
The name style "NtSecurity.cpp" is not suggested in Linux because it uses a naming convention commonly associated with Windows operating systems. In Linux, it is generally recommended to use lowercase letters and separate words with underscores or hyphens for better readability and compatibility with other systems.Rate this question:
-
- 34.
What is the output of the following program?
-
Done
-
Compile error
-
Runtime error
-
None of the above
Correct Answer
A. Runtime errorExplanation
The given program does not have any code or logic written in it. Therefore, when the program is executed, it will result in a runtime error because there is no executable code to run.Rate this question:
-
- 35.
What's the issue type for this fixing?
-
Boundary checks
-
Memory safety checks
-
dead code checks
-
race conditions / synchronization checks
Correct Answer
A. Memory safety checksExplanation
Memory safety checks refer to the type of issue that is being addressed in this fixing. These checks are performed to ensure that a program does not access or manipulate memory in an unsafe or unintended way. This can include preventing buffer overflows, null pointer dereferences, and other memory-related vulnerabilities. By conducting memory safety checks, developers can identify and fix potential issues that could lead to security vulnerabilities or program crashes.Rate this question:
-
- 36.
What's the issue type for this fixing?
-
Memory Safety
-
Dead Code Checking
-
Uninitialized/Unused Variables
-
Boundary checks
Correct Answer
A. Memory SafetyExplanation
Memory safety refers to the practice of ensuring that a program does not have any memory-related errors, such as accessing invalid memory locations or using uninitialized variables. This includes preventing buffer overflows, use-after-free errors, and other memory vulnerabilities. Therefore, if the issue being fixed is related to memory safety, it means that the problem was causing potential memory-related errors and the fix aims to address those issues.Rate this question:
-
.png "Following snippet is referring to which attack method:
alert(“You’ve been attacked!”);")
.png "What's the issue type for this fixing?")
Quiz Review Timeline (Updated): Mar 20, 2023 +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Mar 20, 2023Quiz Edited by
ProProfs Editorial Team -
Sep 13, 2018Quiz Created by
Sammi
Back to top