Question $1$

$1.$ If a software product has passed a functional test, it should be secure$.$

True

False

Question $2$

$1.$ Why is it important to conduct risk$-$based testing? $[$mark all correct answers$]$

a$.$ It causes minimum risks.

b$.$ It allows you to prioritize security testing.

c$.$ It allows you to test the interfaces and functionality that are most likely to be attacked.

d$.$ It allows you to uncover maximum number of security flaws with limited time and resources.

e$.$ It allows you to uncover the most severe security flaws.

Question $3$

$1.$ Consider an example application depicted in the following diagram: A financial application should accept a bank account number and display an account balance. The account number must contain exactly $12$ numeric character

Which of the following test cases are typically not conducted by traditional testing? $[$mark all correct answers$]$

a$.$ Enter exactly $12$ numeric characters into the Account Number field, press Enter, and evaluate the system behavior

b$.$ Enter $11$ numeric characters into the Account Number field, press Enter, and evaluate the system behavior

c$.$ Enter $13$ numeric characters into the Account Number field, press Enter, and evaluate the system behavior

d$.$ Enter a SQL injection string into the Account Number field, press Enter, and evaluate the system behavior

e$.$ Enter a Command injection string into the Account Number field, press Enter, and evaluate the system behavior

Question $4$

$1.$ The task is to match the numbered items with the correct lettered items listed.

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ SQL injection

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ cross$-$site scripting

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ Denial of service $($DoS$)$ attack

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ Attack testing

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ Negative testing

A$.$ script to execute in a victim$$s Web browser

B$.$ manipulate a back$-$end database

C$.$ Force a program to perform actions on invalid or malicious data

D$.$ checking for unexpected system behavior.

E$.$ poor buffer handling to crash a server.

Question $5$

$1.$ Which of the following is false $?$

a$.$ Most vulnerabilities are the result of side effects or extra functionality that the software should not have.

b$.$ Most vulnerabilities are the result of functions that should not be allowed.

c$.$ A program that correctly implements all its "shoulds" can still be insecure.

d$.$ Security testing doesn't require a different way of thinking about testing.

Question $6$

$1.15.$ Which of the following inspection should be used to find common security design errors in the system:

a$.$ Inspect the privacy of network traffic and protocols used.

b$.$ Inspect the privacy of data in storage and memory

c$.$ Inspect the strength of the authentication mechanism

d$.$ Inspect random numbers.

Question $7$

$1.$ What should software attackers do first?

a$.$ exploit a flaw

b$.$ perform reconnaissance

c$.$ conduct penetration testing

d$.$ develop test cases

Question $8$

$1.$ Which of the following is $($are$)$ true $?$

a$.$ Threat modeling is a process in which potential attacks are hypothesized.

b$.$ Threats are ranked according to the ease of attack and seriousness of the attack$$s impact.

c$.$ Threat modeling can be used to prioritize security testing

d$.$ Fuzzers allow data to be manipulated as it travels from a client to a server or vice versa.

Question $9$

$1.$ A company can$$t lose revenue or go out of business if its products are considered insecure.

True

False

Question $10$

$1.$ Which of the following could be the result of insecure product? $[$mark all correct answers$]$

a$.$ It would not affect the company's revenue

b$.$ The software company may lose its revenue

c$.$ Lawsuit against the software company due to exposure of sensitive data

d$.$ The company's reputation is damaged

Question $11$

$1.$ System debugging tools can list the files, network ports, and other system resources a program is using.

True

False

Question $12$

$1.$ Why is $100\%$ testing impossible?

a$.$ There aren$$t enough resources and time to cover all vulnerability scenarios.

b$.$ There are nearly infinite number of potential attacks.

c$.$ Because it is easy to conduct risk$-$based testing.

d$.$ Testers can maximize the quantity and severity of the security flaws uncovered.

Question $14$

$1.$ Traditional software testing focuses mainly on verifying functional requirements and it verifies that valid inputs result in expected outputs.

True

False

Question $15$

$1.\_\_\_\_\_\_\_\_\_\_\_$ is a system weakness that can be exploited by somebody to violate a system.

a$.$ Vulnerability

b$.$ Threat

c$.$ Countermeasure

d$.$ Payload