Managing Security Risks in Web Applications

Questions and Answers

Which of the following is the MOST important consideration when selecting a vendor for your application?

The vendor's pricing is the most competitive

The vendor is located in the same geographic region as your company

The vendor's security stance is at least equal to your own (correct)

The vendor has the largest market share in their industry

What is the main risk of integrating a vendor-supplied library into your application?

The library may require you to pay ongoing licensing fees

The library may contain vulnerabilities that can be exploited to compromise your systems (correct)

The library may be too complex and difficult to maintain

The library may not be compatible with your existing codebase

Which of the following strategies can help mitigate the risk of vulnerabilities in a vendor-supplied library?

Thoroughly reviewing the library's source code for security issues

Sandboxing the library to isolate it from the rest of your application (correct)

Requiring the vendor to provide a warranty against any vulnerabilities

Storing the library's files on a separate server from the rest of your application

Which of the following is the BEST way to integrate with a vendor's service while avoiding the risk of linking a proprietary library?

Use the vendor's API that exposes an open protocol like REST+JSON or gRPC (C)

What is the main benefit of including a JavaScript library from a vendor in your web application client?

It allows you to avoid passing payment data through your own systems (A)

Which of the following is the MOST important factor to consider when evaluating a vendor on an ongoing basis?

The vendor's track record of responding quickly to security vulnerabilities (D)

What is the primary goal of the Google-internal framework for microservices and web applications?

To streamline the development and operation of applications and services for large organizations (D)

Which of the following conformance checks does the Google-internal framework apply to ensure application code adheres to best practices?

Enforcing isolation constraints between components to prevent changes in one component from causing bugs in another (C)

What is the key benefit of the conformance check that verifies all values passed between concurrent execution contexts are of immutable types?

It reduces the likelihood of concurrency bugs (A)

Which of the following is NOT a key goal that the Google-internal framework aims to achieve?

Improving the overall user experience of the applications and services (B)

What is the purpose of the conformance checks that enforce isolation constraints between components in the Google-internal framework?

To prevent changes in one component from causing bugs in another component (D)

How does the Google-internal framework's approach to security and reliability align with general software quality attributes?

The framework's security and reliability goals are very much aligned with general software quality attributes (C)

What is a potential risk associated with integrating a server-side library into your web application?

Risk of compromise if the library has vulnerabilities (B)

How can you mitigate the risk of compromising your application due to a vulnerable server-side library?

Running the library in a separate web origin or sandboxed iframe (D)

What can introducing sandboxed iframes for payment-related functionality lead to?

Increased failure modes in the application (B)

Why might a payment vendor offer an integration based on HTTP redirects?

For a smoother user experience (C)

What implications can design choices related to nonfunctional requirements have?

Implications in areas of web platform security (B)

What is a consideration that can arise when thinking about handling payment data?

Introduction of contractual and regulatory concerns (A)

What is one of the key benefits of using this framework?

It automates many common development and deployment tasks. (A)

How did the framework development team ensure security and reliability were addressed?

They collaborated with SRE and security teams throughout the design and implementation phases. (A)

How does the framework's web application support help prevent vulnerabilities?

Through API design and code conformance checks, it effectively prevents developers from accidentally introducing common web vulnerabilities. (C)

What is one way the framework helps ensure reliability?

It automatically sets up monitoring for operational metrics and incorporates reliability features like health checking and SLA compliance. (A)

What is one potential drawback of the framework's rigid and well-defined structure?

It can make it difficult to customize the framework to meet specific application needs. (D)

How does the framework's approach to security and reliability differ from a traditional approach?

The framework integrates security and reliability best practices into its core design, rather than just adding them on later. (D)

Which of the following is a key challenge in understanding and modifying existing code?

Lack of test coverage (C)

What is the primary factor that determines deployment velocity?

The ease of understanding and modifying existing code (D)

When dealing with feature requirements, what is the typical relationship between the requirements, the code, and the tests?

Straightforward and well-defined (D)

What is the purpose of the integration test described in the text?

To test the overall user story step by step (B)

What type of tests are likely present in addition to the integration test described?

Unit tests (C)

What is the main challenge highlighted in the text regarding understanding and modifying existing code?

Insufficient testing (B)