Defines interfaces and classes to help in internet communications authentication:
Java.security
Java SASL API
JCE
JAAS
None of the above
It is not part of the Java Cryptography Architecture:
RSA
Triple DES
Standard Algorithms
Class Loader
Sandbox
Java protects the user from hostile applications that hamper security through the concept:
Security Manager
Intermediate files
Java Compiler
It is an open source program that uses static analysis to identify hundreds of different potential types of errors in Java programs:
FxCop
FindErrors
FxBugs
FindBugs
It is not a functionality of FindBugs:
Eliminate security mistakes found.
Find security mistakes.
Reduce development time.
All of the above
Which of the following stages of the life cycle, has the lowest relative cost to fix a software defect?
In service
Design
Requirements Definition
Customer Testing
Programming
It is a feature of secure software:
Trustworthiness
Modularity
Reliability
Availability
The following questions help analyze and improve the security of a software:
1) What are the various types of defects that cause security vulnerabilities?
2) Which tools can be used for measuring the defects?
3) How many lines does the source code have?
4) 1 and 2
5) 2 and 3
"This method helps to split complex and large problems into smaller ones, resulting in quick and efficient problem solving rather than dealing with the whole." This concept belongs to:
Abstraction
Decomposition
Complexity
None of the above options
Threat modeling. Which of the following is not a security technique?
Threat Mitigation
Threat trees
Privilege boundaries
Entry point identification
Threat modeling. Which of the following is not a correct approach?
Hybrid Centric
Software/Design Centric
Attack Centric
Threat Centric
Asset Centric
What method is used to identify the following threats: spoofing, tampering, DoS, information disclosure and elevation of privileges?
Attack Tree Structures
STRIDE
Information Gathering
ASF
This tool helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle:
ADSL Threat modeling
SDL Threat modeling
Analyze Model
Analyze and generate model
How will you implement secure file handling to prevent malicious file inclusion and DoS attacks?
Findbugs
SecureFilehandling
SecureFile
The SecureFilehandling application only accepts the following file extensions:
.xlsx
.class
.obj
.exe
Accepts all file extensions
What are the types of streams in Java?
Character and Byte Stream
Byte and Compact Stream
Character and Encode Stream
It is not a proper access privilege:
The owner grants permission to the users to access the content available in the systems
All the files are created with access permissions so that unauthorized access can be denied
Multi-user systems are generally owned by a particular user, for instance the system admin, etc.
There are various classes in Java that handle character streams and byte streams separately
Which of the following instructions ensures proper File Cleanup when a program terminates?
Runtime.getRuntime().exit(1);
exit();
terminate();
out.exit();
out.close();
"It prevents untrusted code from modifying the class internal layout". In Security Manager Checks, this concept corresponds to:
Prevents extracting any data
Check Constructor
Prevents modification
Prevents handling
Which of the following is not controlled by the InputValidation project?
User login
User Password
Size password
User size
On which side is it recommended to apply input validation?
client-side
server-side
both
Which of the following types of input parameters is the most used in SQL vulnerabilities?
Structured text
number
boolean
freetext
list of structured text
Which of the following types of input parameters is the least used in XSS vulnerabilities?
List of free text
structured text
enumeration
What is the exact description of the regular expression "(a-z A-Z)(a-z A-Z 0-9_$)"?
A valid Java identifier consisting of alphanumeric characters, underscores and dollar signs, with the first character being a letter
A valid Java identifier consisting of alphanumeric characters and dollar signs, with the first character being a letter
Any two-digit alphanumeric from 0-99 and a-z
Matches az, AZ and 9$
Which of the following is not a recommendation of Struts validation and security?
The absence of validation for a single field may allow attackers to exploit the application
Struts validation is done to prevent attacks caused through unchecked input
Each and every field included in the form should be validated in the corresponding validation form
Input validation through servlet filters in Java web applications is effective because only minor modifications are needed for input validation and servlet filters are centralized in nature
Indicate which of the following does not belong to the class RuntimeException:
ArrayStoreException
NegativeArraySizeException
FileNotFoundException
NullPointerException
SecurityException
Which of the following is an erroneous exceptional behavior?
Never catch NullPointerException
Disclosing sensitive information
Never throw undeclared checked exceptions
Logging sensitive data
Examples of Java Logging Frameworks:
Apache Commons Logging
Log4J
Java Logging API
SLF4J
Which of the following is not a secure practice in logging?
Log Debug messages inside isDebugEnabled()
Make use of good java logging frameworks like java.util.logging or log4j
Log messages consistently and the messages must be informative
Ensure to include the format of the Java logging in the specified Java logger
Ensure to remove temporary files before termination to avoid information leakage and resource exhaustion
HTTP Basic Authentication:
Request a protected resource - Request username password - Sends username password - returns requested resource
Request username password - Sends username password - returns requested resource
Request username password - Request a protected resource - Sends username password - returns requested resource
Sends username password - Request username password - Request a protected resource - returns requested resource
Which of the following is not a measure of prevention for weak password attacks?
Impose a password aging policy
Impose that the web application accepts only user id credentials that contain all valid characters, including special characters like !, @, #, $, etc.
Incorrect authentication failure messages should be avoided
Implement account lockout policy
Which of the following statements does not describe RBAC?
It functions on the concept of user roles and information accessibility
This is the popular access control model
A user has access to resources based on the role assigned; roles are allocated depending on job function
The access control policies are imposed on policy, specific to the user
An organization has different departments, and roles are assigned based on requirements
Which of the following is not a feature of JAAS?
Is implemented using pure Java
Supports single sign-on for login authentication in J2EE applications
Provides centralized role-based control that includes hierarchical roles
Is implemented using Java and JavaScript
Authentication of users is done through PAM Framework
JAAS Configuration. The configuration file format consists of the following entries:
LoginEntry
ModuleClass
Flag
Option="value"
All options are correct
In the architecture of a Java EE application, which of the following is not a component of the Web level?
Web Services Client
Servlet
App Flow Processor
View Manager
Concurrency in Java. Which of the following is not a state of a thread?
Suspended
Resumed
Blocked
Dead
Reset
In Java, the following methods are vulnerable to race conditions:
1) start()
2) stop()
3) init()
4) 1 and 3
5) 1, 2 and 3
It is a countermeasure to session hijacking:
See the session is not expired after users log out
Regularly clear the history and offline content
Prefer http to https in case of sensitive and confidential transactions
Make sure that cookies and sessions are stored from the browser
Which of the following statements does not include the Java Cryptography Architecture engine?
Key Store
Key pair Generator
Key Tools
CertStore
Key Factories
javax.net and javax.net.ssl packages are the standard JSSE APIs that include important classes such as:
1) SSLSocket
2) SocketFactory
3) ServerSocketFactory
4) All of the above
5) None of the above
It is not a Java Cryptography tool:
JCryption
Optimus Java
PrimeInk Java
jdnssec
Cryptix
Which of the following is not a CSRF countermeasure?
Appropriately use GET and POST requests
Implement OWASP CSRFGuard Library
Web applications should use weak authentication methods such as cookies, http authentication, etc
Check the referrer such as HTTP "referer"