The organization is concerned about vulnerabilities in commercial off-the-shelf (COTS) software. Which of the following might be the only means of reviewing the security quality of the program?
a. Fuzzing
b. Cross-Site Scripting
c. Input validation
d. Cross-site request forgery
Answer: A
COTS software is usually delivered as a closed binary with no source code or design documentation available to the buyer, so in such cases fuzzing (feeding malformed or unexpected input to the running program and watching for crashes or misbehaviour) may be the only means of reviewing its security quality. Answer B is incorrect because Cross-Site Scripting (XSS) is a vulnerability class, not a review technique: XSS can be used to hijack the user's session or to cause a user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer C is incorrect because input validation is a defensive control that tests whether an application properly handles input from a source outside the application before it is processed internally. Answer D is incorrect because Cross-site request forgery (XSRF) is an attack in which the end user is made to execute unwanted actions on a web application while she is currently authenticated.