Question $13$

$1.$ Match the items.

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ F$.$ Threat modeling

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ F$.$ attack surface

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ F$.$ debugger

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ F$.$ Fuzzer

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ F$.$ Proxy

$-$ A$.$ B$.$ C$.$ D$.$ E$.$ F$.$ Sniffer

A$.$ allow network and other system interfaces to be inspected

B$.$ allow data to be manipulated as it travels between a client and a server

C$.$ inputs to a program such as network sockets, APIs, open files, pipes, shared memory, etc.

D$.$ generate malformed inputs and send them to a network interface or store them in input files

E$.$ a process in which potential attacks are hypothesized

F$.$ lists the files, network ports, and other system resources a program is using

Question $16$

$1.$ Which of the following problems cause insecure systems?

a$.$ Limited budgets and schedule pressures

b$.$ Mistakes made by designers, developers and testers

c$.$ Business analysts and users are often clear about security requirements.

d$.$ Ensuring software security quality and testing for security.

Question $17$

$1.$ Which of the following attack pattern strategy should security testers use?

a$.$ Follow the Secure Software Development Lifecycle $($SSDL$)$

b$.$ Understand secure design and implementation standards.

c$.$ Insist on attack use cases and understand the attack patterns.

d$.$ Verify that functional requirements are implemented correctly.

Question $18$

$1.$ Which of the following is true about software security testing $?$

a$.$ Security testing can mirror actual attack scenarios.

b$.$ Security testing can demonstrate real exploitability.

c$.$ Security testing focuses mainly on verifying functional requirements.

d$.$ Negative testing verifies that the valid inputs result in expected outputs.

Question $19$

$1.$ Imagine a web application that's made up of $10$ forms with $10$ form fields. Each form field can take an input of $100$ alphanumeric characters $(62$ possibilities for uppercase and lower case plus the numbers$).$ What is the total number of input possibilities?

a$.10$x$10$x$62$x$100$

b$.10$x$10$x$62^100$

c$.10$x$10$x$100^62$

d$.$ None of the above

Question $20$

$1.$ Which of the following is not true about security?

a$.$ Security should be addressed from the beginning.

b$.$ Security should be built into a program during the design stage.

c$.$ Security should be coded by developers who are trained in secure programming.

d$.$ Inception with defined security policies, use cases, and so on should be avoided.

Question $21$

$1.$ Which of the following techniques should not be used to hunt Security flaws?

a$.$ Security testers must use attack use cases and security requirements.

b$.$ Security tester needs to have an understanding of how vulnerabilities get into all software.

c$.$ The security tester should merely focus on testing a program's security functions.

d$.$ Security tester needs to think like an attacker.

Question $22$

$1.$ The CardSystems security disaster could possibly have been prevented:

a$.$ If security testing had been part of the process.

b$.$ If CardSystems had learned how to detect this type of situation and could have taken mitigation steps.

c$.$ If CardSystems had handled sensitive data properly.

d$.$ If CardSystems had stored copies of the credit card data unencrypted.

Question $23$

$1.$ Security testing includes attack testing.

True

False

Question $24$

$1.$ If a program's security functions have been thoroughly tested, the program has passed security testing.

True

False