Chapter 4: Domain 4: Cloud Application Security (Ben Malisow) Flashcards

Question

It is very likely that your organization’s users will use unapproved application programming interfaces (APIs), especially in a bring your own device (BYOD) environment, because _______________. A. Users are constantly trying to break the security of your environment B. APIs can’t ever be secure C. Hackers are constantly infiltrating all APIs D. Users enhance their productivity however they can

Answer 1

D. Users enhance their productivity however they can Explanation: Users in the production environment will leverage whatever tools and techniques they can in order to get their job done in a better, faster way, often regardless of whether this complies with security policies All the other options are untrue and therefore cannot be the correct answer

Answer 2

B. Some current programmers don’t write code line by line and instead use code component libraries Explanation: Because many programs are currently constructed from building block components found in code libraries, any security issues within specific components may not be understood or identified by coders who dont know the code inside the component Option A is an unfair generalization Option C is another broad generalization that may or may not be true. Option D does not relate to the question about the SDLC and is therefore a poor choice for an answer

Answer 3

D. Combination of open source and proprietary Explanation: Obviously, using multiple forms of code review will produce more secure results than any one form of review, in the same way that having multiple forms of security controls (logical, physical, administrative etc) will provide better security than just one type The question is which is the most secure form of code testing and review. That would be the most extensive. Since the correct answer is a combination of open source and proprietary, the least secure would be least extensive. Option A is strictly open source so that is incorrect. Option C is neither open source nor proprietary, which is even less extensive Option C is incorrect. Proprietary/internal is also less extensive than option D So option B is incorrect

Answer 4

B. Identity validation/access permission Explanation: This is the textbook definition of these terms. All the other options are incorrect

Answer 5

B. Business needs and acceptable risk Explanation: Business needs and risk acceptable to senior management should drive all organizational decisions, including access. Specific user or object access will, of course, be delegated down from senior management to a manageable layer of the organization, but the principle applies. This decision, however, should be information by pertinent externalities, which include regulatory mandates (option A), user requirements and management requests (option C), and, to some degree, the trade-off of performance and security (option D, and both characteristics should also be dictated by senior management as an aspect of acceptable risk). While these externalities and options all play a part in determining appropriate access, they are all subordinate to business needs and acceptable risk, which are paramount; B is still the best answer to this question

Answer 6

C. Data Owners Explanation: The data owner is responsible for the disposition of the data under their control; this includes access decisions. The cloud provider is not typically the data owner; option A is incorrect. Ostensibly, senior management is the data owner (the organization, as a whole, is the legal owner of the data, and the senior managers are the legal representatives of the organization). However, in practice, this responsibility can be (and usually is) delegated down to a manageable level, where the data owner for a given data set understands it best and can provide a sufficiently granular control of that data set. This is rarely senior management and is more likely department heads, branch managers, or some other form of middle management. Option C is preferable to B. System administrators will usually be the literal granters of access, insofar as admins will modify access control systems that allow or disallow access for specific individuals or roles. However, the sysadmin does not make the decision of who is granted access and instead responds to direction from data owners (middle management); again, option C is preferable to D.

Answer 7

D. Pretty Good Privacy (PGP) Explanation: PGP is an email encryption tool, not an identity federation standard. All other options are federation standards.

Answer 8

B. OpenID Connect Explanation: OpenID Connect is a federation protocol that uses representational state transfer (REST) and JavaScript Object Notation (JSON); it was specifically designed with mobile apps in mind, instead of only web-based federation. WS-Federation is a federation protocol that is part of the WS-Security family of standards and reliant on Simple Object Access Protocol (SOAP), so option A is incorrect. Option C is incorrect; SOC 2 is a type of Statement on Standards for Attestation Engagements (SSAE) 18 audit report, not a federation standard. OWASP is a volunteer group of and for web app developers, not a federation standard or protocol, so option D is incorrect

Answer 9

B. Someone you know Explanation: Because there is no transitive property of identification and authentication, knowing a trusted entity is not sufficient for validating an identity assertion. All the other options are typical authentication mechanisms and so are incorrect.

Answer 10

A. Using an automated teller machine (ATM) to get cash with your credit or debit card Explanation: At the ATM, the customer will use the card (something you have) and enter a PIN (something you know). This is true multifactor authentication. A password and PIN are both something you know, so option B is incorrect. Using a voice sample and fingerprint are two forms of something you are, so option C is incorrect. A birth certificate and credit card are both something you have, so option D is incorrect.

Answer 11

B. For high-risk operations and data that is particularly sensitive Explanation: Multifactor authentication should be considered for operations that have a significant risk or that deal with highly sensitive data (for instance, privileged user logins or when handling financial transactions). Requiring multifactor authentication for every transaction is an undue burden on both the users and the systems and is a needless addition of extra overhead, so option A is incorrect. All cloud access will entail remote login; this is a common operation, so adding multifactor authentication is an unnecessary burden in most cases. Option C is incorrect. The decision to use multifactor authentication should be based on the risk of the operation and the sensitivity of the data, not on whether it takes place in the traditional or online environment, so option D is incorrect.

Answer 12

C. 7 Explanation: A WAF is a Layer 7 tool All the other options are incorrect

Answer 13

D.Hypertext Transfer Protocol (HTTP) Explanation: WAFs recognize HTTP traffic and can respond to traffic that matches prohibited rulesets or conditions Option A is technically correct; a WAF can be given a ruleset that recognizes certain forms of attack traffic. However, this answer is too general, and D is a much better response for this question Options B and C are protocols not usually inspected by WAFs and are therefore incorrect

Answer 14

D. Cross-site scripting Explanation: WAFs can be used to attenuate the possibility that cross-site scripting attacks will be successful. WAFs do not protect against social engineering or physical attacks in any way, so options A and B are incorrect. Option C is a nonsense term and is therefore incorrect

Answer 15

C. 7 Explanation: A DAM is a Layer 7 tool. All the other options are incorrect.

Answer 16

A.SQL injection Explanation: DAMs can be used to reduce the possibility that SQL injection attacks will be successful. DAMs do not protect against cross-site scripting, insecure direct-object reference, or social engineering attacks in any way, so options B, C, and D are incorrect.

Answer 17

C. Extensible Markup Language (XML) gateway Explanation: The XML gateway can provide this functionality; it acts as a reverse proxy and can perform content inspection on many traffic protocols. The WAF and DAM are also security tools that inspect traffic but do not usually handle SFTP content, so options A and B are incorrect. Option D, single sign-on, concerns authentication functions, not communications traffic, and is only a distractor in this context

Answer 18

B. Application programming interface (API) gateway Explanation: An API gateway translates requests from clients into multiple requests to many microservices and delivers the content as a whole via an API it assigns to that client/session. XML gateways, WAFs, and DAMs are also tools used frequently in cloud-based enterprises, but they do not handle microservice requests in a meaningful way.

Answer 19

B. Identity of the malicious user Explanation: While it would be wonderful, for security purposes, to know the identity of attackers before or while they’re making an attack, this is information the attacker doesn’t usually share. All the other options are methods firewalls can use to recognize attacks

Answer 20

C. Privacy, integrity Explanation: TLS maintains the confidentiality and integrity of communications, often between a web browser and a server. In this context, privacy and security mean much the same thing; privacy is synonymous with confidentiality, which is a subset of the overall topic of security. Therefore, option A is repetitive and not correct. TLS does not optimize performance or add any sort of enhancement, so options B and D are incorrect

Answer 21

A. Symmetric key Explanation:TLS uses symmetric key crypto for each communications session in order to secure the connection; the session key is uniquely generated each time a new connection is made. Options B and C are names for another type of encryption. Asymmetric encryption is also used in establishing a secure TLS connection; however, the keys used in this portion of the process will not change from session to session, and therefore these options are incorrect.

Answer 22

B. Creating an encrypted tunnel between two endpoints Explanation: A VPN is a temporary, synthetic encrypted tunnel between two endpoints (often a client and a server). Option A is subtly misleading; the VPN secures the connection between two endpoints, not the ends of the connection. This option is incorrect. Option C is not correct; VPN is not used for encrypting databases—it is used for encrypting communications. Option D is incorrect; the symmetric key used in VPN is shared only between two parties (the endpoints), and the elements of the asymmetric key pair are either held by only one party (the owner of each private key) or by anyone at all (public key).

Answer 23

C. Using automated agents to perform dynamic testing Explanation: Users may not offer enough coverage for larger software products that have a great deal of functionality; it can be useful to also use automated agents to checks paths that users might not often attempt or utilize. The developers should not be involved in any form of testing the software as they have an inherent conflict of interest, so options A and B are incorrect. Dynamic testing does not involve social engineering; option D is incorrect.

Answer 24

C. They have a vested interest in having the software perform well. Explanation: This is the definition of “conflict of interest.” All the other answers are incorrect

Answer 25

C. Running malware for analysis purposes Explanation: A sandbox can be used to run malware for analysis purposes as it won’t affect (or infect) the production environment; it’s worth noting, though, that some malware is sandbox-aware, so additional anti-malware measures are advisable. Options A, B, and D are not correct because the sandbox should be completely disconnected (air-gapped) from the production environment so that users can’t perform productive activity there

Answer 26

C. Testing software before putting it into production Explanation: Software that has either been purchased from a vendor or developed internally can be tested in a sandboxed environment that mimics the production environment in order to determine whether there will be any interoperability problems when it is installed into actual production All the other options arent uses for sandboxes and are incorrect

Answer 27

A. Running an application in a non-native environment Explanation: Virtualized applications can run on platforms that wouldn’t otherwise allow them to function, such as running Microsoft apps on a Linux box. Because the virtualization engine encapsulates the application from the native runtime environment, patches can’t be applied through virtualized programs; option B is incorrect. Virtualization really doesn’t have anything to do with access control; option C is incorrect. The overhead of running a software virtualization engine will actually add to system overhead, not decrease it, so option D is incorrect.

Answer 28

D. Running an application on an endpoint without installing it Explanation: Application virtualization allows the software to run on a simulated environment on the device without the need to install it on the device. Virtualization really doesn’t have anything to do with access control; option A is incorrect. Virtualization neither detects nor responds to DDoS; option B is incorrect. Virtualization does not replace encryption; if data needs to be secure within the virtualization environment, encryption may still have to be utilized. Option C is incorrect.

Answer 29

B. 1 Explanation: ISO 27034 dictates that an organization will have a collection of security controls used for all software within that organization; this collection is called the ONF. All the other options are distractors and incorrect.

Answer 30

B. ANF Explanation: Each application in an organization compliant with ISO 27034 will be assigned an Application Normative Framework (ANF), which lists all the controls assigned to that application. Technically, the controls for each application within an organization compliant with ISO 27034 will be listed in the Organizational Normative Framework (ONF), because the ONF is the list of all controls for all applications; however, for a given application, only the controls used for that application are listed in an ANF, so option B is a preferable answer to A. TTF (time to failure) has no meaning in this context, so option C is incorrect. FTP (File Transfer Protocol) is a protocol for transferring files and not applicable here; option D is incorrect.

Answer 31

A. White-box Explanation: SAST is often referred to as white-box testing. Black-box testing does not include access to source code, which is required for SAST. Option B is therefore incorrect. Option C is a combination of black-box and white-box testing so option C is an incorrect answer for this question. Option D has no meaning in this context.

Answer 32

D. Source Code Explanation: In SAST, testers review the source code of an application in order to determine security flaws and operational errors. While determining “software outcomes” may be considered a possible goal of SAST, “source code” is a much better answer as it is more specific and applicable to the question. Option D is still preferable. SAST does not check user performance or system durability; options B and C are incorrect.

Answer 33

B. Black-box Explanation: DAST is often referred to as black-box testing. White-box testing requires the tester to have access to source code, which is not provided in DAST. Option A is therefore incorrect. Option C is a combination of black-box and white-box testing so option C is an incorrect answer for this question. Option D has no meaning in this context

Answer 34

B. A runtime state Explanation: DAST is performed while the application is running. Software testing should not take place in the production environment; option A is incorrect. DAST, like other forms of testing, may or may not take place in the cloud and is not confined to any particular service model (although it is unlikely to occur in software as a service [SaaS] environments); options C and D are incorrect.

Answer 35

B. Vulnerability signatures Explanation: Vulnerability scans use signatures of known vulnerabilities to detect and report those vulnerabilities. Vulnerability scans do not typically require administrative access to function; option A is incorrect. Both malware libraries and forensic analysis of existing vulnerabilities may be used to create the signatures that vulnerability scanning tools utilize to detect and report vulnerabilities; however, these answers are too specific (limiting the answer), making option B a better answer than either C or D.

Answer 36

D. Unknown vulnerabilities Explanation: Because vulnerability scanning tools require vulnerability signatures to operate effectively, unknown vulnerabilities that might exist in the scanned system won’t be detected (no signature has been created by vendors until a vulnerability is known). User errors are not detected by vulnerability scans; option A is incorrect. Scans can’t tell you whether you’ve picked the optimum security controls for your environment; option B is incorrect. Vulnerability scanning tools may or may not detect cloud-based vulnerabilities, depending on the tool used, the level of access to the target environment, and the settings applied to the scanner; option C is less accurate than option D.

Answer 37

A. Active Explanation: A penetration test requires the tester to analyze the security of an environment from the perspective of an attacker; this also includes actually taking action that would result in breaching that environment. Penetration tests may or may not be comprehensive, depending on the intended scope and area of analysis. Option B is incorrect. While it’s nice to think of any security assessment as total, that is an extreme term, like all or never; such terms can rarely be used in security because there are no absolutes when dealing with risk, and it has no meaning in this context. Option C is not correct. Although the cost of a penetration test will vary according to a vast range of variables, it will rarely be considered inexpensive, especially relative to other forms of security testing. Option D is not correct.

Answer 38

D. Known bad data Explanation: Also called fuzz testing, dynamic testing methods should include known bad inputs in order to determine how the program will handle the “wrong” data (will it fail into a state that is less secure than normal operations, etc.). Source code review is not part of dynamic testing; option A is incorrect. For accurate quality testing, user familiarity with the target software should be minimal and should not be assessed; option B is not correct. Penetration includes active steps to overcome security measures; this is rarely the purpose of software testing; option C is not the best answer.

Answer 39

B. User surveys Explanation: User surveys are not an element of active security testing, although they might be used in acceptance testing. All of the other options are included in the OWASP guide to active security testing.

Answer 40

D. Privacy review testing Explanation: Privacy review testing is not included in the OWASP guide to active security testing, although it might be included as an aspect of compliance testing (for organizations in highly regulated industries). All of the other options are included in the OWASP guide to active security testing.

Answer 41

A. Session initiation testing Explanation: While session management testing is included in the OWASP guide to active software security testing, session initiation is not. All of the other options are included in the OWASP guide to active security testing.

Answer 42

C. Intuition testing Explanation: Intuition testing is not part of the OWASP guide to active security testing. All of the other options are included in the OWASP guide to active security testing.

Answer 43

C. Code coverage Explanation: This metric is usually expressed as a percentage of lines of code. For example, “SAST covered 90% of the source code.” The number of testers involved means very little when discussing testing coverage; this is a distractor and not correct. In some cases, testing reports might include a statistic representing the number of flaws discovered in the code; however, this is usually not a pertinent metric (undetected flaws can’t be measured, so counting the ones that have doesn’t add to your surety the code is secure), and code coverage is used more often. Option C is preferable to option B. Testing should first occur in an environment where the software has not even been exposed to the possibility of malware infection. Option D is incorrect.

Answer 44

C. Path Coverage Explanation: In dynamic software security testing, the objective is to test a significant sample of the possible logical paths from data input to output. User coverage is a distractor and has no real meaning in this context; option A is incorrect. Code coverage is the metric used in static testing, making option B incorrect. While it would be nice to test each and every data pathway through an application, with both known good and known bad data, that could be unrealistic, depending on the number of possible branches in the application; this goes up exponentially every time another option/choice is added to the program. Total coverage is not a metric—it’s a hope. Option D is incorrect.

Answer 45

D. Users, attackers Explanation: Known good data is used to determine if the software fulfills the business requirements for which it was acquired. Known bad data tests the ability of the software to handle inputs and conditions that might put it into a fail state; these inputs and conditions can be invoked either purposefully (by attackers) or inadvertently (by users who make mistakes). Testing does not attempt to mimic managers, regulators, or vendors, so the other answers are incorrect.

Answer 46

B. Regulatory, legal Explanation: This is not a simple question, and more than one answer could be construed as correct, but option B is the best answer. Tracking and monitoring personnel training is absolutely vital in order to demonstrate regulatory requirements (and many, if not all, organizations are obligated to comply with some regulation that mandates user training) and legal requirements (as an element of due diligence in the modern workplace). Option A is the other answer that could be perceived as accurate, but there is a bit of nuance that makes it less preferable than B. Security is a business requirement—it may not be a functional requirement, but it is a requirement nonetheless. Therefore, these two terms are repetitive; security requirements are just a subset of business requirements. Option B is still the better answer. Options C and D do not make sense in this context.

Answer 47

B. Specific personnel Explanation: Training is usually a formal process involving detailed information. This is for those personnel who are involved with the specific topic or task for which the training is intended (for example, personnel involved in business continuity and disaster recovery [BC/DR] activities should get specific, detailed training on how to perform those actions). Option A incorrect because not all personnel require task-centric training. Training required for all personnel in an organization cannot be task-centric training, by definition (not all personnel perform the same tasks). Options C and D are incorrect because they would only answer a subset of the question. Management personnel would receive management training and HR personnel would receive HR training. The correct answer is task-centric training is for specific personnel

Answer 48

A. All personnel Explanation: Awareness efforts are usually intended to reach as wide an audience as possible within the organization, for generalized information. For instance, fire drills are awareness exercises; everyone in the facility needs to know how to get out and where to go. Specific personnel, management personnel, and HR personnel would all receive task-centric training in addition to the awareness instruction that all personnel receive. Options B, C, and D are incorrect

Answer 49

D. Many modern software developers don’t understand how the code underlying the libraries they use actually works. Explanation: Modern developers usually aren’t writing code—they are recombining library components in novel ways to create new functionality. They may not understand the security risks associated with their work, especially for the cloud environment, which entails a different set of challenges from the traditional environment, which the developers might be more familiar with. Options A and B are actually the same concept, reworded, which is patently untrue: depending on the cloud deployment and service models the organization chooses to use, software developers may or may not be crucial (for instance, in a software as a service [SaaS] public cloud, many organizations won’t even need internal development teams). Option C is just wrong: security controls can be added to software after it has been fielded. This is just not a best practice, as it is usually less effective and more expensive (in terms of both money and overhead).

Answer 50

B. The prevalent use of encryption in all data life-cycle phases Explanation: Because cloud operations are so dependent on encryption protections in all data life-cycle phases, developers will have to accommodate the additional overhead and interoperability encryption requires. The hacking threat (foreign or otherwise) does not change whether the target is the cloud or the (connected) traditional environment; option A is incorrect. Likewise, the threat of DDoS attacks does not increase; if anything, it may decrease, because the cloud provider may be more resistant to such attacks than individual organizations would be. Option C is not correct. Regulatory requirements may or may not change when moving into the cloud. Moreover, developers are not likely to be the ones interpreting and responding to these new mandates; that is a level of abstraction above developer insight into software requirements. Option D is not preferable to B

Answer 51

D. The need for process isolation Explanation: Because shared resources in the cloud may mean increased opportunity for side-channel attacks, developers will have to design programs to function in a way that ensures process isolation. Management oversight should not change from a policy perspective, regardless of where the processing is taking place; option A is incorrect. There is no additional workload resulting from cloud migration; in fact, the load should decrease, because the cloud customer cannot impose governance on the cloud provider. Option B is wrong. Malware threat does not increase or decrease in the cloud environment; option C is incorrect

Answer 52

B. Masking Explanation: Masking allows customer service representatives to review clients’ sales and account information without revealing the entirety of those records (for instance, obscuring credit card numbers except for the last four digits). Anonymization strips out identifying information from a record. This would not aid in limiting customer service personnel from viewing sensitive data, but it would make it impossible for customer service personnel to know who they were communicating with and leave them unable to identify customers, which would defeat the purpose of their existence. Option A is incorrect. Encryption of sales/account records would not limit customer service personnel in their review of account records. It would either disallow them to see the records at all or allow them to see the entirety of the records (depending on whether the representatives were given keys to that encrypted data). Option C is incorrect. Training does not limit access; option D is incorrect

Answer 53

A. Define Explanation: While some development models allow for user involvement in the entirety of the process, user input is most necessary in the Define phase, where developers can understand the business/user requirements—what the system/software is actually supposed to produce, in terms of function and performance. All the other options are beneficial phases to gauge user input, but not as crucial as option A

Answer 54

A. Define Explanation: The earlier security inputs are included in the project, the more efficient and less costly security controls are overall. The Define phase is the earliest part of the SDLC. All the other options are later phases and incorrect.

Answer 55

D. Test Explanation: During testing, getting outside perspective is invaluable, for both performance and security purposes; internal development and review capabilities are enhanced by augmentation from external parties. All the other phases are not normally appropriate for external participation

Answer 56

A. Vulnerability assessments and penetration testing Explanation: Once the system is deployed operationally, continuous security monitoring, including periodic vulnerability assessments and penetration testing, is recommended. All the other options are security functions that should take place in phases prior to the system’s deployment.

Answer 57

C. Will affect quality of service Explanation: Security and operations are always inversely related; excessive controls necessarily degrade performance. Excessive use of controls should not lead to more data breaches; if anything, it may reduce their occurrence. However, it is more likely that there will be no effect. Option A is incorrect. Many controls don’t affect the electromagnetic spectrum in any way. Option B is incorrect. Regulations don’t usually mandate a maximum set of controls but rather a minimum. Option D is incorrect.

Answer 58

D. Is an unnecessary expense Explanation: From a simple financial perspective (which is often the managerial perspective), money spent on excessive anything is money wasted; spending to no good effect is detrimental. Overuse of controls should not result in greater risks of DDoS, malware, or environmental threats in any way. Options A, B, and C are incorrect.

Answer 59

A. Can lead to customer dissatisfaction Explanation: If excessive controls impact the user/customer experience to the extent that system response speeds and results are delayed significantly, and performance is degraded to the point where competitors’ systems are far superior, customer dissatisfaction can be a severe problem. Some security controls (particularly physical controls) can affect health and human safety, such as if extraneous fencing/walls/barriers are put in place to control access/egress, and this hinders emergency escape from facilities. However, not all security controls pose this risk, so option B is a bit too specific; option A is still preferable. Security controls should not affect stock price or, in and of themselves, negate insurance needs (risk mitigation does not automatically offset the benefits of risk trransference) Options C and D are incorrect

Answer 60

D. Notify whomever you report to in the company hierarchy, and suggest bringing the matter to the attention of senior management immediately Explanation: The problem in this case is not so much that policies have been violated or that, in a more literal sense, the unapproved APIs are being used to access the data, the problem is that the violations are so pervasive and extensive that taking any immediate direct action (such as the responses in options A, B, and C) might interfere with business activity in a drastic and potentially harmful way. Because of this, the matter needs to be dealt with as a business decision and requires that senior management make a determination before action is taken

Answer 61

A. Gather more data about how users are utilizing the APIs and for what purposes Explanation: Again, before taking any action that might impact operations, it would probably be best to figure out the actual user needs being met by the unapproved APIs, and the severity of impact if they were removed from service, before performing the actions described in options B, C, and D

Answer 62

D. Change the policy Explanation: It’s hard to argue with success; operational capability and security are always a trade-off, but this kind of productivity increase with little attendant cost is probably too good to pass up. It also seems evident that the existing policy is far too restrictive and limiting and that it is not being accepted by a significant number of users; trying to mandate its acceptance, and enforcing it with punitive measures, especially in the face of the overwhelming success of the violations, is most likely counter to the company’s overall interests. It is best to revisit the policy itself, determine why it didn’t meet user needs originally, and modify it so as to meet the demands of both the users and senior management (as well as whatever other externalities may have been the foundation of the policy). Options A, B, and C may be attractive, but they are all less preferable than D

Answer 63

D. Augment the current set of security controls used by the company in order to offset risks posed by the anticipated use of even more APIs from unknown sources Explanation: APIs chosen by users may or may not have integral security and probably weren’t chosen according to how secure they are; because the company will continue to be exposed to additional risks from these (and future) APIs, additional security controls are absolutely necessary. However, personnel actions and draconian enforcement efforts at this point would be pointless and vindictive, and probably counter to the company’s interests. Options A, B, and C are incorrect.

Answer 64

B. Use additional anti-malware detection capabilities on both user devices and the environment to which they connect Explanation: Because untrusted APIs may not be secured sufficiently, increased vigilance for the possibility of introducing malware into the production environment is essential. It is impossible to encrypt devices that don’t belong to the organization. Option A is incorrect. Securing access to user-owned devices is admirable, but it has no effect at all on securing the device (or production environment) from risks due to installed APIs; option C is incorrect. This is a security question, and option D addresses performance; this is incorrect.

Answer 65

A. Regular and widespread integrity checks on sampled data throughout the managed environment Explanation: In order to detect possible erroneous or malicious modifications of the organizations data by unauthorized or security-deficient APIs, it is important to take representative samples of the production data on a continual basis and perform integrity checks Additional personnel security measures will not, in this case, yield any relevant security benefit; options B and D are not correct It is always good to refer to regulations in policies; this isn’t something to be performed in response to the policy change but should have been included when the policy was created. Option C is incorrect.

Answer 66

C. Employ additional user training Explanation: Additional user training would be helpful in this situation, particularly any information that helps users understand the reasons APIs from unknown sources might be less secure and the potential impacts from using them. All the other answers are incorrect; securing the connection between endpoints and the cloud is irrelevant in protecting against risks caused by software installed on the client devices

Answer 67

B. Transport Layer Security (TLS) and message level encryption Explanation: Cryptography for the two main types of APIs is required; this is TLS for representational state transfer (REST) and message-level encryption for Simple Object Access Protocol (SOAP). SSL has been deprecated because of severe vulnerabilities; this eliminates options A and C. Whole drive encryption protects against loss or theft of a device but does not secure API access to the data, which eliminates option D.

Answer 68

D. Accountability. Be able to reconstruct a narrative of who accessed what Explanation: Accountability is the end purpose of all IAM efforts; all the other options are the elements of IAM that support this effort.

Answer 69

A. Regulation Explanation: Regulatory compliance has historically driven IAM efforts. All the other options can to some extent drive IAM efforts, however, they do not have as much influence as regulatory factors. Therefore options B, C, and D are incorrect answers.

Answer 70

C. Physical and Logical Explanation: Both physical and logical controls are possible (and necessary) to implement in both environments. Options A and B are really only feasible if the organization is using a cloud service (or other managed service); the terms managed and provider suggest this. This makes these options less desirable for a question that also includes the traditional environment. It is not reasonable to expect that the organization can impose administrative controls in a cloud environment (for the provider environment), so option D is not correct.

Answer 71

B. The data owners Explanation: The data owner is most familiar with the risks and impacts associated with the data sets under their control The data subject may grant permission for a data owner to have the subject’s data but will not govern the granular assignment of access rights. Option A is incorrect. The data processor does not have the right to grant data access and must only act at the direction of the data owner. Option C is incorrect. Regulators dictate how data must be secured, and possibly in what manner, but do not supervise explicit access to that data. Option D is incorrect

Answer 72

C. Performance Explanation: Performance should not determine who gets access to which data; all the other options are the factors for making this determination.

Answer 73

D. Access Explanation: Federation allows users from multiple member organizations to access resources owned by various members. All the other answers are simply not correct.

Answer 74

C. Transparent Explanation: Federation allows ease of use for access to multiple resource providers; this provides a transparent user mechanism The goal of federation is to enhance the user experience, the exact opposite of making the environment more hostile to them.Option A is incorrect. Option B is incorrect because it is meaningless in this context. Option D is incorrect. Users typically do not pay for the organization’s IT environment.

Answer 75

C. Hypertext Transfer Protocol (HTTP) Explanation: WAFs apply rulesets to web traffic, which uses HTTP. All the other answers are incorrect.

Answer 76

C. 7 and 7 Explanation: These are both Layer 7 tools. All the other answers are incorrect.

Answer 77

B. Compliance with the PCI DSS Explanation: Aside from encryption, PCI DSS allows for tokenization as a means to protect account and cardholder data at rest. Tokenization is not encryption; there is no encryption engine and no key involved in the process. Option A is incorrect. Tokenization does not necessarily enhance or detract from the user experience; option C is incorrect. Management is not allowed any additional oversight into any particular function by tokenization; option D is incorrect

Answer 78

A. A third party Explanation: By offloading privacy data to a tokenizing third party, merchants can free themselves of the contractual burdens for protecting cardholder data at rest. The data owner is the merchants themselves, and the data subject is the person to whom the privacy data applies, so privacy data cannot be outsourced to either of these, and options B and C are incorrect. The PCI Council is the body that promulgates and enforces the PCI DSS; they will not process data on behalf of any merchant. Option D is incorrect.

Answer 79

C. TtLp Explanation: This answer requires some thought about how the original data is displayed and its properties. Option A masks only one letter in a four-letter string; this is not sufficient because the original string could be identified with a very low-work factor, brute-force attack of only 26 possible combinations. Option B is likewise easy to break; it only reverses the content of the string, which is very simple to determine, and would allow easy recovery of any other similar strings in the data set. Option D mixes numeric characters into what was originally only an alphabetic string; this may detract from the utility of the string if the masked version is to be used for software testing. Option C completely obscures the original content but retains the qualities of the original (all alphabetic characters). It may affect the use of the string by mixing uppercase and lowercase, but this is still the best choice of the four possible answers

Answer 80

D. Repurposing of any newly developed components Explanation: Installing malware on systems owned by someone else may be illegal in many jurisdictions. While on-premises sandboxes are fine for this purpose, it may be a felony if performed in the cloud. All the other options are good uses of cloud-based sandboxes

Answer 81

C. Verification and validation Explanation: It is important to verify and validate the program at each stage of the SDLC. Adding functionality at each stage of the SDLC is the definition of scope creep, which is what we’d like to avoid. Option A is incorrect. Management should not have to shepherd software through the development process; this is the process of the development team. Option B is incorrect. Option D is a distractor and makes no actual sense.

Answer 82

A. More secure in deployment Explanation: It is important to verify and validate the program at each stage of the SDLC. Adding functionality at each stage of the SDLC is the definition of scope creep, which is what we’d like to avoid. Option A is incorrect. Management should not have to shepherd software through the development process; this is the process of the development team. Option B is incorrect. Option D makes no sense: you can’t repurpose something that has just been developed.

Answer 83

A. Be less expensive to operate securely in the production environment Explanation: When security is created as an aspect of the software itself, there is less need to acquire and apply additional security controls to mitigate risks after deployment. Option B is also wrong for this same reason. Options C and D are incorrect because the inclusion of security aspects in software design should not affect interoperability in any significant way.

Answer 84

C. ISO 27034 Explanation: ISO 27034 addresses the sets of controls used in software throughout the environment. 800-37 is the Risk Management Framework, which is about the organization’s overall security, not software development, so option A is incorrect. The AICPA is a standards-making body, not a standard itself, so option B is incorrect. HIPAA deals with health care privacy, so option D is incorrect.

Answer 85

D. A lifecycle Explanation: It is important to consider software development as having a defined process and an eventual endpoint for the useful life of the product. Not every organization is a software development company. Even in software development companies, not everyone participates in development (there are other departments/offices, such as sales, accounting, etc.). Option A is a poor choice. Option B is only a correct answer if the organization is a software development company. Otherwise, it is not a correct answer. Option B is incorrect. If software development poses the most significant risk to your organization, you probably shouldn’t be doing software development. Option C is incorrect.

Answer 86

A. Simulating negative test cases Explanation: Running the software and allowing users to operate it is a great form of dynamic testing, which simulates both known good and known bad inputs. Dynamic testing does not involve source code review or social engineering; options B and C are incorrect. Penetration tests occur in the production environment, not on pre-deployment software; option D is incorrect.