Questions and Answers
Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?
- Static code analysis (correct)
- Dynamic code analysis
- Fuzzing
- Mutation testing
Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?
- Performing user input validation (correct)
- Implementing TLS
- Using secure session management
- Enabling logging on the database
Precompiled SQL statements that only require variables to be input are an example of what type of application security control?
- Encoding data
- Input validation
- Parameterized queries (correct)
- Appropriate access controls
During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report?
The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have?
Every time Susan checks code into her organization's code repository, it is tested and validated, and then if accepted, it is immediately put into production. What is the term for this?
Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in?
Ricky is concerned that developers in his organization make use of third-party code in their applications, which may introduce unknown vulnerabilities. He is concerned about the risk of the organization running code that it is not aware it is using. Which one of the following activities would best address this risk?
Which one of the following is not an advantage of automation in cybersecurity operations?
Chris is creating a script that will automatically screen any user requests and flag those that exceed normal thresholds for manual review. What term best describes this automation use case?
Which one of the following is not a common drawback of automating cybersecurity operations?
Frank is investigating a security incident where the attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place?
What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server?
Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance?
Chris is reviewing evidence of a cross-site scripting attack where the attacker embedded JavaScript in a URL that a user clicked. The web page then sent the JavaScript to the user in the displayed page. What term best describes this attack?
Joe checks his web server logs and sees that someone sent the following query string to an application running on the server:
www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892'%20;DROP%20TABLE%20Services;--
What type of attack was most likely attempted?
Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:
www.mycompany.com/servicestatus.php?serviceID=1
www.mycompany.com/servicestatus.php?serviceID=2
www.mycompany.com/servicestatus.php?serviceID=3
www.mycompany.com/servicestatus.php?serviceID=4
www.mycompany.com/servicestatus.php?serviceID=5
www.mycompany.com/servicestatus.php?serviceID=6
What type of vulnerability was the attacker likely trying to exploit?
Joe's adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the request:
www.mycompany.com/../../../etc/passwd
What type of attack was most likely attempted?
Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain if her attack will be successful?
Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?
Flashcards
Static Code Analysis
Analyzing application source code to identify vulnerabilities without executing the code.
User Input Validation
Verifying that user-supplied data meets expected criteria before processing it.
Parameterized Queries
SQL statements with placeholders for variables, preventing direct SQL code insertion by users.
Improper Error Handling
Race Condition
Continuous Delivery
Development Environment
Package Monitoring
Guard Rails
Buffer Overflow
On-Path Attack
Code Signing
Reflected XSS
Parameter Pollution
Insecure Direct Object Reference
Directory Traversal
Session Hijacking
Timing-Based SQL Injection
Technical Debt
Cost of entry