Ben Malisow - (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests

48 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is a good method for reducing the risk of broken authentication and session management?Do not use custom authentication schemes.Implement widespread training programs.Ensure that strong input validation is in place.Use X.400 protocol standards.

49 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management?Session identification exposed in URLsUnprotected stored credentialsLack of session timeoutFailure to follow Health Insurance Portability and Accountability Act (HIPAA) guidance

50 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management?Failure to rotate session IDs after a successful loginEasily guessed authentication credentialsWeak physical entry points in the data centerCredentials sent over unencrypted lines

51 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “cross-site scripting (XSS).” Which of the following is not a method for reducing the risk of XSS attacks?Put untrusted data in only allowed slots of HTML documents.HTML escape when including untrusted data in any HTML elements.Use the attribute escape when including untrusted data in attribute elements.Encrypt all HTML documents.

52 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “cross-site scripting (XSS).” Which of the following is not a method for reducing the risk of XSS attacks?Use an auto-escaping template system.Use XML escape for all identity assertions.Sanitize HTML markup with a library designed for the purpose.HTML escape JSON values in an HTML context and read the data with JSON.parse.

53 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “insecure direct object references.” Which of these is an example of an insecure direct object reference? www.sybex.com/authoraccounts/benmalisow10 ? "sybex accounts"; 20 goto 10mysql -u [bmalisow] -p [database1]; bmalisow@sybex.com

54 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “insecure direct object references.” Which of these is a method to counter the risks of insecure direct object references?Perform user security training.Check access each time a direct object reference is called by an untrusted source.Install high-luminosity interior lighting throughout the facility.Append each object with sufficient metadata to properly categorize and classify based on asset value and sensitivity.

55 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “security misconfiguration.” Which of these is an example of a security misconfiguration?Not providing encryption keys to untrusted usersHaving a public-facing websiteLeaving default accounts unchangedUsing turnstiles instead of mantraps

56 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “security misconfiguration.” Which of these is an example of a security misconfiguration?Having unpatched software in the production environmentLeaving unprotected portable media in the workplaceLetting data owners determine the classifications/categorizations of their dataPreventing users from accessing untrusted networks

57 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “security misconfiguration.” Which of these is a technique to reduce the potential for a security misconfiguration?Enforce strong user access control processes.Have a repeatable hardening process for all systems/software.Use encryption for all remote access.Use encryption for all stored data.

58 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “security misconfiguration.” Which of these is a technique to reduce the potential for a security misconfiguration?Broad user training that includes initial, recurring, and refresher sessionsDeeper personnel screening procedures for privileged users than is used for regular usersA repeatable patching process that includes updating libraries as well as softwareRandomly auditing all user activity, with additional focus on privileged users

59 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “security misconfiguration.” Which of these is a technique to reduce the potential for a security misconfiguration?Purchase only trusted devices/components.Follow a published, known industry standard for baseline configurations.Hire only screened, vetted candidates for all positions.Update policy on a regular basis, according to a proven process.

60 The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “security misconfiguration.” Which of these is a technique to reduce the potential for a security misconfiguration?Get regulatory approval for major configuration modifications.Update the business continuity and disaster recovery (BC/DR) plan on a timely basis.Train all users on proper security procedures.Perform periodic scans and audits of the environment.