Web Security Concerns with Server-Side Libraries

Questions and Answers

Which of the following is a key idea that was incorporated into the Google-internal framework for microservices and web applications?

• Implementing a centralized logging and monitoring system for all applications
• Enforcing strict version control policies for all dependencies
• Applying static and dynamic conformance checks to ensure adherence to coding guidelines and best practices (correct)
• Mandating the use of only in-house developed libraries and components

What is the primary purpose of the conformance checks implemented in the Google-internal framework?

• To ensure that all values passed between concurrent execution contexts are of mutable types
• To enforce strict access control policies for all application components
• To verify that all application code adheres to a specific coding style guide
• To make it less likely that a change in one component/module of the application results in a bug in another component (correct)

How does the Google-internal framework for microservices and web applications address the goal of ensuring reliability?

• By enforcing strict version control policies and automatic dependency updates
• By implementing a comprehensive monitoring and alerting system for all applications
• By applying static and dynamic conformance checks to ensure adherence to coding best practices (correct)
• By requiring the use of only well-established and widely-used libraries

What is the primary goal of the team that created the Google-internal framework for microservices and web applications?

To streamline the development and operation of applications and services for large organizations (B)

Which of the following is NOT a key feature of the Google-internal framework for microservices and web applications?

Cross-origin communication and integration between components (C)

How does the Google-internal framework for microservices and web applications address the goal of ensuring security?

By applying static and dynamic conformance checks to ensure adherence to secure coding practices (C)

Which of the following is a concern raised by integrating a vendor's library code into a web application?

All of the above. (D)

What is one potential mitigation strategy mentioned for the risks associated with including a vendor's library?

Both A and B. (D)

Which of the following is a potential drawback of using an HTTP redirect-based integration with a payment vendor?

It may result in a less smooth user experience. (D)

What is an example of a domain-specific technical expertise area that can be impacted by design choices related to non-functional requirements?

All of the above. (D)

What is the purpose of sandboxing payment-related functionality in a separate web origin or sandboxed iframe?

To mitigate the risks associated with handling payment data. (D)

Which of the following statements is true about the implications of design choices related to non-functional requirements?

They can have far-reaching implications in areas of domain-specific technical expertise. (C)

What is the primary risk associated with integrating a vendor-supplied library into your application?

The library may contain vulnerabilities that can be exploited to compromise your systems. (C)

Which strategy can be used to mitigate the risk of vulnerabilities in a vendor-supplied library?

Sandboxing the library to isolate it from the rest of your application. (A)

What is the primary benefit of using a vendor that exposes its API using an open protocol like REST+JSON, XML, SOAP, or gRPC?

It allows you to avoid the need to include a proprietary library in your application. (C)

What is the primary benefit of including a JavaScript library in your web application client to integrate with a vendor's service?

It allows you to avoid passing payment data through your own systems, even temporarily. (C)

What is the primary consideration when selecting a vendor for your application?

The vendor's security stance and how it compares to your own. (B)

Which of the following is NOT a potential issue when integrating with a vendor's service?

The need to include a JavaScript library in your web application client. (B)

What is one potential issue with using a third-party message queue implementation?

It may introduce complexity by requiring distributed storage across multiple locations (B)

What is a potential security risk associated with storing data on disk?

All of the above (D)

Which of the following is NOT mentioned as a potential issue with using a third-party service?

Potential for cross-site scripting (XSS) attacks (A)

What is the main dilemma described in the text?

Attempting to mitigate a reliability risk by introducing a security risk (C)

Which of the following is a potential concern when integrating with a payment provider's API?

All of the above (D)

What is a potential issue with using persistent disk storage for queueing transaction data?

Some payment data is never allowed to be stored on disk due to compliance requirements (C)

What is the primary risk associated with using a third-party payment provider in the user story described?

The user may be unable to complete the purchase if the payment provider's service is unavailable. (B)

What is one way to mitigate the reliability risk associated with using a third-party payment provider?

Introduce redundancy by adding an alternate payment provider to the system. (A)

What is a potential drawback of introducing redundancy by adding an alternate payment provider to the system?

It increases the cost and complexity of the system, as the two payment providers likely have different APIs. (A)

What is the main benefit of implementing a message queueing mechanism to buffer transaction data during a payment service outage?

It allows the 'purchase flow' user story to proceed during a payment service outage. (D)

What is a potential risk associated with implementing a message queueing mechanism to buffer transaction data?

The message queue may introduce its own failure modes, such as losing transactions if it is not designed to be reliable. (C)

What is the key factor in determining the significance of the risk associated with a third-party payment provider's service being unavailable?

The payment provider's adherence to the SLAs that you have with that provider. (D)