EXIN Secure Programming Foundation Sample exam

Edition June 2016

Copyright © 2016 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored in a data processing system or circulated in any form by print, photo print, microfilm or any other means without written permission by EXIN.

Sample exam EXIN Secure Programming Foundation (SPF.EN)

Contents

Introduction
Sample Exam
Answer Key
Evaluation

Introduction

This is the sample exam EXIN Secure Programming Foundation (SPF.EN). The EXIN exam rules and regulations apply to this exam.

This exam consists of 40 multiple-choice questions. Each multiple-choice question has a number of possible answers, of which only one is the correct answer.

The maximum number of points that can be obtained for this examination is 40. Each correct answer is worth one point. If you obtain 26 points or more you have passed.

The time allowed for this examination is 60 minutes.

Good luck!

Sample Exam

1 / 40
Attackers and defenders are two players within the field of security. Why is the attacker at an advantage?
A. An attacker only needs to find one flaw; defenders need to consider all possible flaws.
B. An attacker is more skilled and determined than a defender.
C. An attacker abuses new technologies that a defender has to install.
D. An attacker has more computing power that he can use for performing all kinds of attacks.

2 / 40
Some well-known security principles are used when designing secure systems. One of them is an application design that prevents single points of failure with security redundancies and layers of defense. What principle is used to accomplish this design?
A. Defend in depth
B. Fail securely
C. Grant least privilege
D. Separate privileges

3 / 40
The following authorization header is sent by the browser to the server in response to a "401 Authorization Required" response:

Authorization: Basic bmFtZTpwYXNzd29yZA==

Is it safe to send this header using the HTTP protocol?
A. Yes, because the value is encrypted and cannot be reversed.
B. Yes, because the value is used only once and changes with every request.
C. No, because the value is encrypted using a weak algorithm.
D. No, because the value can be sniffed and reversed to valid credentials.

4 / 40
The term SOP most commonly refers to the mechanism that controls access for JavaScript and other scripting languages to the DOM properties and methods across domains. Which conditions have to be satisfied to grant access between two interacting pages that do NOT use the document.domain property?
A. Protocol, IP number and - for browsers other than Microsoft Internet Explorer - port number.
B. Protocol, domain name and - for browsers other than Microsoft Internet Explorer - port number.
C. Protocol, PTR record and - for browsers other than Microsoft Internet Explorer - port number.
D. Protocol, FQDN and - for browsers other than Microsoft Internet Explorer - port number.

5 / 40
An application allows a user who is logged in to change his/her password. This function is only available for authenticated users and uses the HTTPS protocol to send the data. What is considered BEST PRACTICE to perform the password change?
A. Ask the user for the login name, old password, new password and confirmation of this password.
B. Ask the user for the new password and confirmation of this password.
C. Ask the user for the old password, new password and confirmation of this password.
D. Use the session data to identify the user and ask for the new password and confirmation of this password.

6 / 40
When storing passwords in a file or a database, what is the BEST approach?
A. Store the hashed value of the password that the user has chosen including a random salt.
B. Store the hashed value of the password that the user has chosen including a fixed salt.
C. Store the plain text value of the password that the user has chosen.
D. Store the encrypted value of the password that the user has chosen including the initialization vector.

7 / 40
HTTP sessions are used to keep state between several requests and use a session ID for identification. What is the MOST important practice in regard to the session ID?
A. The session ID should be kept secret at all times.
B. The session ID should change with every POST request.
C. The session ID should be at least ten characters long.
D. The session ID should be encrypted using a strong algorithm.

8 / 40
An application uses a single sign-on implementation that is specifically designed for web-based environments. The user logs in through the identity provider and uses two different applications that participate in the same single sign-on implementation. You are facing some challenges when implementing the logout feature. What is the BEST way to implement the logout feature for these two applications?
A. Implement a logout function that invalidates the session for the current application and not the single sign-on session.
B. Implement a logout function that invalidates the single sign-on session and depend on the session-timeout for participating applications.
C. Implement a logout function that invalidates the single sign-on session and the session for the current application.
D. Implement two logout functions: one for the current application and one that in addition invalidates the single sign-on session.

9 / 40
Your web application uses sessions to maintain state. A user logs in but does not allow cookies to be set. You have to implement an alternative solution for keeping track of the session ID. The session ID is a random 96-bit value and all communication is based on HTTPS. Within this scenario, what is the BEST way to keep track of the session ID?
A. Use a URL parameter that contains the session ID.
B. Use a hidden parameter that contains the session ID.
C. Use a URL parameter that contains the encrypted session ID.
D. Use a combination of HTTP headers to generate the session ID.

10 / 40
What is the BEST solution to prevent CSRF attacks?
A. Use the Referrer-header to check the origin of the previous request.
B. Make requests unpredictable by adding a random value and check this value.
C. Use HTTPS to protect all communication between the client and the server.
D. Make sure that session fixation is not possible which also prevents CSRF attacks.

11 / 40
Vulnerabilities exist in different contexts. Two identifiable contexts are the server side and client side contexts. It is important to understand whether a vulnerability is focused on the server portion of the application (server context) or the client running it (client context). SQL injection and XSS are two different types of vulnerabilities. In which context do these two vulnerabilities exist?
A. SQL injection vulnerabilities exist on the client side and XSS vulnerabilities exist on the server side.
B. SQL injection vulnerabilities exist on the server side and XSS vulnerabilities exist on the client side.
C. Both SQL injection and XSS vulnerabilities exist on the client side.
D. Both SQL injection and XSS vulnerabilities exist on the server side.

12 / 40
Direct and parameterized queries are two techniques to execute queries that are partly based on user input. Which of the following statements in regard to direct and parameterized queries, when used properly, is correct?
A. A direct query filters meta-characters more efficiently than parameterized queries.
B. A direct query filters meta-characters less efficiently than parameterized queries.
C. A direct query uses placeholders to process input and a parameterized query uses the supplied parameters.
D. A direct query uses the supplied parameters for input and a parameterized query processes input through placeholders.

13 / 40
You are assigned the honorable task to prevent SQL injection in a small web application. You have listed all lines of code where user input ends up in a SQL query. You also want to make sure that future changes to the code do not introduce new SQL injection vulnerabilities. What is the BEST solution to accomplish this task?
A. Write and use your own routines that escape all input for all database products and rewrite the necessary lines of code.
B. Use a transparent layer provided through standard libraries that escapes all input and rewrite the necessary lines of code.
C. Prevent the leakage of information about the database product that is used to make SQL injection impossible.
D. Prevent the application from showing detailed error messages since these are needed to exploit a SQL vulnerability.

14 / 40
Testing input against a list of known negative inputs, implemented by compiling a list of all negative or bad conditions and then verifying that the received input is not included in that list, is a technique for filtering input. What is the name of this filtering technique?
A. Implementing the Graylist method for input validation.
B. Implementing the Blacklist method for input validation.
C. Implementing the Whitelist method for input validation.
D. Implementing Regular Expressions for input validation.

15 / 40
Validation of user input is possible at the client (browser) and at the server portion of the application. What is the BEST solution to perform validation of user input?
A. Perform validation of user input at the client (browser).
B. Perform validation of user input at the server portion of the application.
C. Perform validation of user input both at the client (browser) and the server portion of the application.
D. Perform validation of user input either at the client (browser) or the server portion of the application.

16 / 40
Your web server is set to use UTF-8 encoding for input and output. Some of your validation routines are based on legacy libraries that only accept ISO/IEC 8859 character sets. You have written conversion routines to be used for handling input and output to the validation routine. A user is allowed to enter his/her name in a web form. The input is validated by the validation routines and reflected to the user in the HTML body. What needs to be done with the input to display the output properly and safely?
A. The input needs to be normalized, converted and HTML encoded.
B. The input needs to be normalized, stripped and HTML encoded.
C. The input needs to be converted, stripped and HTML encoded.
D. The input needs to be normalized, stripped and converted.

17 / 40
An attacker has found two input fields that result in a buffer overflow condition. This condition happens within a function that converts all upper case input into lower case and is then used to execute a search. Where does the buffer overflow reside and what does it allow for?
A. This buffer overflow resides on the heap and allows for code execution.
B. This buffer overflow resides on the heap and allows for data manipulation.
C. This buffer overflow resides on the stack and allows for data manipulation.
D. This buffer overflow resides on the stack and allows for code execution.

18 / 40
An attacker found a vulnerability within a web application. He discovered that one of the parameters in the URL can be used to add JavaScript code which is executed within the browser when he sends the request to the website. Which of the following statements BEST describes this vulnerability?
A. This is a stored XSS vulnerability. The attacker needs to entice the victim to visit the URL.
B. This is a stored XSS vulnerability. Exploitation occurs when someone uses the web application.
C. This is a reflected XSS vulnerability. The attacker needs to entice the victim to visit the URL.
D. This is a reflected XSS vulnerability. Exploitation occurs when someone uses the web application.

19 / 40
As the developer of a web application, you are assigned the task to implement a strong defense against server XSS. What is the easiest and strongest defense against Server XSS?
A. Stripping all JavaScript from user input.
B. Context-sensitive server side output encoding.
C. Using safe JavaScript APIs.
D. Using safe third-party JavaScript code.

20 / 40
Members of the HR department within your company are responsible for maintaining your personal information that resides in the HR application. Information in regard to your working performance is also stored through the HR application but read/write access to this information is limited to the manager of your department. One of the HR members is allowed to read the working performance for monitoring purposes. Authorization for the HR application is implemented according to the desired access model. On what type of authorization is access to data within the HR application based?
A. on horizontal authorization
B. on vertical authorization
C. on object and attribute authorization
D. on horizontal and vertical authorization

21 / 40
An authenticated user is authorized to edit, view and delete records that describe all individual parts that belong explicitly to a product that is manufactured by the department he is working for. The company manufactures other products, but the user is not authorized to access parts that belong to these other products. The authenticated user discovers that he is able to get access to unauthorized parts by simply changing a form value that represents the part-number. What is the most likely reason for this authorization failure?
A. The authorization is based on insecure direct object references.
B. The authorization is based on insecure indirect object references.
C. The authorization is based on incomplete indirect object references.
D. The authorization is based on incomplete direct object references.

22 / 40
Suppose that two separate actions operate on the same resource and that checks are used to validate if the process is allowed to use the resource. What is the attack called that abuses the time window between the check (TOC) and use (TOU) of the resource?
A. A session poisoning attack.
B. A race condition attack.
C. An atomic operation attack.
D. An application flow attack.

23 / 40
Why is hardening of systems a very important security control?
A. Third party software is not always written with security in mind.
B. Third party firewalls do not protect the exposed services properly.
C. Third party services are always on and insecure by default and need protection.
D. Third party software is not both functional and secure out-of-the-box.

24 / 40
Hardening of a system consists of various adjustments. Which of the following is NOT considered hardening of a system?
A. Applying the latest security patches.
B. Disabling or removing debug features.
C. Compiling code with ASLR and DEP protection.
D. Changing default passwords.

25 / 40
A web application detects an error when handling a request. Instead of displaying full information about the error, a general page including a reference about the error is returned. All information about the error is logged locally, including the reference. What is most likely the primary reason for this solution?
A. This prevents unnecessary leakage of internal information.
B. This is more user friendly than displaying the full error message.
C. This prevents unnecessary usage of bandwidth.
D. This is the preferred way for developers to solve and administer errors.

26 / 40
A web application is designed with logging various types of information in mind. Which type of information is MOST important for logging information with regard to security?
A. Version information of the modules that are started.
B. Stack traces that are generated during an error.
C. The entrance, duration and exit timestamps of procedure calls.
D. Increase and decrease of privilege levels for logged-in users.

27 / 40
As a developer you have coded to catch every potential error and you have provided a solution that ensures that the code will not be left in an insecure state. What application security principle is described above?
A. complete mediation
B. fail securely
C. detect intrusion
D. fail-safe defaults

28 / 40
As a developer you are concerned about performance and availability of your application. Instead of depending solely on the implementation of a large and extensible server farm, you also implement a solution that limits the amount of resources that can be allocated to a single user. Which purpose BEST describes the reason behind this solution?
A. to speed up processing
B. to prevent unexpected behavior
C. to mitigate a DoS attack
D. to reduce the server farm

29 / 40
When developing an application that uses cryptography, what is the BEST strategy to choose a cryptographic library?
A. Develop it yourself: open source libraries can't be trusted. Proof is Heartbleed.
B. Use an open source library and audit it yourself.
C. Use a commercial library like RSA's Bsafe; they have been audited by professionals.
D. Use either an open source or a commercial library and write a security assumption that they are out of scope for your security requirement.

30 / 40
What is the difference between symmetric cryptography and asymmetric cryptography?
A. Symmetric cryptography is based on symmetric passwords. Asymmetric cryptography allows all passwords.
B. Symmetric cryptography needs the same operating system for user and browser. Asymmetric cryptography does not.
C. Symmetric cryptography is based on both user and software using the same key. Asymmetric cryptography uses a public key.
D. Symmetric cryptography checks a password against a stored password. Asymmetric cryptography uses a randomly added string.

31 / 40
Why is a website whose certificate is revoked a risk?
A. Because a website with a revoked certificate may not be the website you intended to visit.
B. Because the certificate authority that gives out the certificate has been proven to be bad.
C. Because the browser is not working correctly, you are shown this error. You need to update.
D. It is not a risk, because the original certificate was given out by a trusted certificate authority.

32 / 40
You are assigned to set up a website that uses HTTPS. For this purpose you have requested and installed a certificate that is signed by a well-known CA (Certification Authority). What is NOT something that you have to do in order to implement the HTTPS server securely?
A. Disable all protocols that are not supported by the server's OS.
B. Configure the server to allow only strong protocols and ciphers.
C. Implement HSTS to allow for browser based mitigation.
D. Configure the server or application to add the 'secure' flag on session cookies.

33 / 40
A Swiss bank needs a non-repudiation requirement for the following functional requirement:

"As an account holder, I can transfer money from one account to another."

You are asked to help them. What is an appropriate non-repudiation requirement?
A. All login attempts should be logged.
B. Transfers can only be done from one of the account holder's accounts.
C. Every transfer must be logged.
D. Negative amounts are not allowed.

34 / 40
Given this requirement:

"When a user has forgotten his/her password, the user must be able to change it."

What is the hidden assumption here?
A. It is assumed that users should only be able to change their own password.
B. It is assumed that passwords should have a minimum length.
C. It is assumed that users do not write down their passwords.
D. It is assumed that a user's identity can be established before changing the password.

35 / 40
What security principle states that access is denied and the security scheme identifies when access is permitted?
A. Default deny
B. Defense in depth
C. Least privilege
D. Input validation

36 / 40
A newspaper has deployed an editing platform. Its architecture is described below and illustrated with a Data Flow Diagram (DFD).

1. Photographers all over the globe can log in and upload photos using SFTP (Secure FTP).
2. The photos are placed in an upload-directory.
3. The system runs a regularly scheduled process to move the photos from the upload-directory into a SQL database.
4. Editors at the office use the web application to browse the photos and add some photos to articles for publication. (There is no photo-editing feature; photos are published as-is.)

A threat analysis identified this risk: Photographers can create malformed filenames that trigger a shell injection attack. If an attacker uploads a file that contains shell commands, the code that should copy the file will execute those shell commands.

The architects replace the SFTP file-upload and the scheduled job with a web interface that inserts the photos directly into the database, hoping to get a more secure system. Choose the BEST answer. Will the system be more secure?
A. Yes, this solves the problem completely.
B. Yes, but only if the web interface is free of security problems.
C. No, this fix does not deal with identity spoofing attacks.
D. No, this does not fix the problem at all.

37 / 40
Which of the following is NOT a principle of secure design?
A. Allow for future security enhancements.
B. Design security through secrecy.
C. Implement least privilege.
D. Isolate security controls.

38 / 40
Which definition BEST describes a vulnerability scan?
A. A series of automated tests for known problems.
B. A test performed by security experts.
C. A stress test to make the application crash.
D. A review of vulnerabilities in the design.

39 / 40
Which of the following things should effective security testing involve?
A. Testing of people
B. Testing of process
C. Testing of technology
D. All of the above

40 / 40
What is a significant disadvantage of MANUALLY inspecting code?
A. The review is performed too quickly to be thorough, when done manually.
B. Manual inspection cannot be applied to many situations.
C. Manual inspection requires significant human thought and skill to be effective.
D. The manual review requires the assistance of complex technologies.

Answer Key

1 / 40
Attackers and defenders are two players within the field of security. Why is the attacker at an advantage?
A. An attacker only needs to find one flaw; defenders need to consider all possible flaws.
B. An attacker is more skilled and determined than a defender.
C. An attacker abuses new technologies that a defender has to install.
D. An attacker has more computing power that he can use for performing all kinds of attacks.

A. Correct. Compare to a building to secure: all entrances and windows etc. have to be secured. One open window is enough to enter the building. (WB chapter 1)
B. Incorrect. The level of skill is based on the person, not on whose side he/she is acting.
C. Incorrect. New technologies introduce new vulnerabilities but installing them is something else.
D. Incorrect. More computing power could be helpful but is not the reason that defenders have a disadvantage.

2 / 40
Some well-known security principles are used when designing secure systems. One of them is an application design that prevents single points of failure with security redundancies and layers of defense. What principle is used to accomplish this design?
A. Defend in depth
B. Fail securely
C. Grant least privilege
D. Separate privileges

A. Correct. From Building Secure Software, "The idea behind defense in depth is to manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense will hopefully prevent a full breach." (WB Chapter 1)
B. Incorrect. From Building Secure Software, "Any sufficiently complex system will have failure modes. Failure is unavoidable and should be planned for. However, security problems related to failure are avoidable. The problem is that when many systems fail in any way, they exhibit insecure behavior."
C. Incorrect. When you do have to grant permission for a user or a process to do something, grant as little permission as possible.
D. Incorrect. Know that if an attacker is able to finagle one privilege but not a second, she may not be able to launch a successful attack.

3 / 40
The following authorization header is sent by the browser to the server in response to a "401 Authorization Required" response:

Authorization: Basic bmFtZTpwYXNzd29yZA==

Is it safe to send this header using the HTTP protocol?
A. Yes, because the value is encrypted and cannot be reversed.
B. Yes, because the value is used only once and changes with every request.
C. No, because the value is encrypted using a weak algorithm.
D. No, because the value can be sniffed and reversed to valid credentials.

A. Incorrect. The value is not encrypted. HTTP allows for plain text sniffing and the value can be decoded into a user password representation.
B. Incorrect. The value is used with every request and stays the same.
C. Incorrect. The value is encoded and not encrypted.
D. Correct. The base64 encoded string in the header represents literally: name:password (WB Chapter 1)

4 / 40
The term SOP most commonly refers to the mechanism that controls access for JavaScript and other scripting languages to the DOM properties and methods across domains. Which conditions have to be satisfied to grant access between two interacting pages that do NOT use the document.domain property?
A. Protocol, IP number and - for browsers other than Microsoft Internet Explorer - port number.
B. Protocol, domain name and - for browsers other than Microsoft Internet Explorer - port number.
C. Protocol, PTR record and - for browsers other than Microsoft Internet Explorer - port number.
D. Protocol, FQDN and - for browsers other than Microsoft Internet Explorer - port number.

A. Incorrect. The IP number is not part of the check.
B. Incorrect. The FQDN is checked, not just the domain name part.
C. Incorrect. The PTR record is not checked.
D. Correct. These properties are checked and have to be satisfied. (WB Chapter 1)

5 / 40
An application allows a user who is logged in to change his/her password. This function is only available for authenticated users and uses the HTTPS protocol to send the data. What is considered BEST PRACTICE to perform the password change?
A. Ask the user for the login name, old password, new password and confirmation of this password.
B. Ask the user for the new password and confirmation of this password.
C. Ask the user for the old password, new password and confirmation of this password.
D. Use the session data to identify the user and ask for the new password and confirmation of this password.

A. Incorrect. Do not use the login name as input since this information is already available in the session. Depending on different error messages and/or timing, an adversary is able to detect user names.
B. Incorrect. The user sitting behind the desk does not have to be the user who was logged in.
C. Correct. The old password is used to identify the current user. (WB Chapter 2)
D. Incorrect. The user sitting behind the desk does not have to be the user who was logged in. The session is bound to the user who logged in originally.

6 / 40
When storing passwords in a file or a database, what is the BEST approach?
A. Store the hashed value of the password that the user has chosen including a random salt.
B. Store the hashed value of the password that the user has chosen including a fixed salt.
C. Store the plain text value of the password that the user has chosen.
D. Store the encrypted value of the password that the user has chosen including the initialization vector.

A. Correct. A random salt should be used to compute the hash of the chosen value. (WB Chapter 2)
B. Incorrect. Two users with the same password have the same resulting hashed value. Furthermore, it is easier to generate a Rainbow Table to reverse passwords from a file that uses fixed salts.
C. Incorrect. When storing passwords as plain text, anyone with access to the file has access to the real passwords.
D. Incorrect. Encryption requires both parties having the same encryption/decryption key-pair and algorithm, which should be stored, which is not the best method. An initialization vector is used for other purposes.
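As an added example (not part of the EXIN exam material), the following Python contrasts the fixed salt of option B with the random per-password salt of option A, using PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the fixed salt value are constructed for the example.

```python
"""Why a random salt per stored password beats a fixed, site-wide salt.

Added example, not the exam's or workbook's code. Two users who pick the same
password get identical stored values under a fixed salt, so one cracked entry
(or one rainbow table built for that salt) exposes all of them; with a random
salt every stored value differs and each hash has to be attacked on its own.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000            # PBKDF2 work factor; assumed value for this example
FIXED_SALT = b"site-wide-salt"  # constructed value for the weak, shared-salt variant


def hash_fixed_salt(password: str) -> bytes:
    """Option B: every user's password is hashed with the same site-wide salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), FIXED_SALT, ITERATIONS)


def hash_random_salt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Option A: a fresh 16-byte random salt per stored password, returned with the hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def store(password: str) -> str:
    """Serialize algorithm, work factor, salt and hash as one record for the password file."""
    salt, digest = hash_random_salt(password)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the salt taken from the record; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_collides(password: str, random_salt: bool) -> bool:
    """Do two users who choose the same password end up with identical stored hashes?

    True for the fixed-salt scheme (option B), False for the random-salt scheme
    (option A), which is exactly the weakness the answer key points out.
    """
    if random_salt:
        return hash_random_salt(password)[1] == hash_random_salt(password)[1]
    return hash_fixed_salt(password) == hash_fixed_salt(password)
```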

7 / 40
HTTP sessions are used to keep state between several requests and use a session ID for identification. What is the MOST important practice in regard to the session ID?
A. The session ID should be kept secret at all times.
B. The session ID should change with every POST request.
C. The session ID should be at least ten characters long.
D. The session ID should be encrypted using a strong algorithm.

A. Correct. If an ID leaks, someone else can take over the session. (WB Chapter 2)
B. Incorrect. A session ID identifies the session. A CSRF-token is used to make POST requests unpredictable.
C. Incorrect. A session ID should not be predictable.
D. Incorrect. Encryption requires both parties to have access to the necessary keys.

8 / 40
An application uses a single sign-on implementation that is specifically designed for web-based environments. The user logs in through the identity provider and uses two different applications that participate in the same single sign-on implementation. You are facing some challenges when implementing the logout feature. What is the BEST way to implement the logout feature for these two applications?
A. Implement a logout function that invalidates the session for the current application and not the single sign-on session.
B. Implement a logout function that invalidates the single sign-on session and depend on the session-timeout for participating applications.
C. Implement a logout function that invalidates the single sign-on session and the session for the current application.
D. Implement two logout functions: one for the current application and one that in addition invalidates the single sign-on session.

A. Incorrect. The problem is that when you start the application, the single sign-on implementation makes sure that you are able to login.
B. Incorrect. When a user hits the logout button, he/she wants to logout immediately.
C. Incorrect. One of the purposes of single sign-on is to use different applications without having to login for each application separately. The second application might be timed-out and the user has to provide the credentials.
D. Correct. The user decides where to logout. At least in the current application and possibly in the single sign-on application. Detection of the current (active) sessions and acting differently on this information would be a more sophisticated solution (prone to errors). (WB Chapter 2)

9 / 40
Your web application uses sessions to maintain state. A user logs in but does not allow cookies to be set. You have to implement an alternative solution for keeping track of the session ID. The session ID is a random 96-bit value and all communication is based on HTTPS. Within this scenario, what is the BEST way to keep track of the session ID?
A. Use a URL parameter that contains the session ID.
B. Use a hidden parameter that contains the session ID.
C. Use a URL parameter that contains the encrypted session ID.
D. Use a combination of HTTP headers to generate the session ID.

A. Incorrect. URL parameters show up at several places.
B. Correct. A hidden parameter can be used instead of a cookie but has to be sent along with every response. (WB Chapter 2)
C. Incorrect. Encryption does not resolve this issue.
D. Incorrect. A random and unique ID is supposed to be used.

10 / 40
What is the BEST solution to prevent CSRF attacks?
A. Use the Referrer-header to check the origin of the previous request.
B. Make requests unpredictable by adding a random value and check this value.
C. Use HTTPS to protect all communication between the client and the server.
D. Make sure that session fixation is not possible which also prevents CSRF attacks.

A. Incorrect. The Referrer-header can/could also be manipulated by (newer) browser technologies (AJAX, Flash).
B. Correct. A random value (nonce) should be added. This value should also be stored within the session data. Upon processing of the request, the stored and the returned value should match. (WB Chapter 2)
C. Incorrect. The communication and data are protected. It is still possible to send malicious content.
D. Incorrect. Preventing session fixation is one issue, CSRF an additional issue.
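An added example (not taken from the exam or its workbook) of the random value the answer key for question 10 describes, written as a minimal synchronizer-token check in Python: the nonce is stored in the session data, sent to the client as a hidden form field (the same hidden-parameter transport as in question 9), and compared on every state-changing request. The session is modelled as a plain dict, an assumption made for the example.

```python
"""Synchronizer-token CSRF protection: generate, embed, store, compare.

Added example, not the exam's code. The session object is a plain dict here;
in a real framework it would be the server-side session store.
"""
import hmac
import secrets
from html import escape


def issue_csrf_token(session: dict) -> str:
    """Create the per-session random value once and keep it in the session data."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)  # 256 bits of randomness
    return session["csrf_token"]


def render_transfer_form(session: dict, action: str = "/transfer") -> str:
    """Embed the token as a hidden field.

    A page served from another origin cannot read this value (same-origin policy),
    so a request it forges cannot include the right token.
    """
    token = issue_csrf_token(session)
    return (
        f'<form method="POST" action="{escape(action)}">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input type="text" name="amount">'
        "<button>Transfer</button></form>"
    )


def csrf_valid(session: dict, form: dict) -> bool:
    """The check the answer key describes: stored and returned value must match."""
    expected = session.get("csrf_token")
    received = form.get("csrf_token")
    if not expected or not received:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte via timing.
    return hmac.compare_digest(expected, received)


def handle_transfer(session: dict, form: dict) -> str:
    """State-changing request handler; reject anything without a valid token."""
    if not csrf_valid(session, form):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"transfer of {form.get('amount')} accepted"
```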

Sample exam EXIN Secure Programming Foundation (SPF.EN)

22

11 / 40
Vulnerabilities exist in different contexts. Two identifiable contexts are the server side and client side contexts. It is important to understand whether a vulnerability is focused on the server portion of the application (server context) or the client running it (client context). SQL injection and XSS are two different types of vulnerabilities. In which context do these two vulnerabilities exist?
A. SQL injection vulnerabilities exist on the client side and XSS vulnerabilities exist on the server side.
B. SQL injection vulnerabilities exist on the server side and XSS vulnerabilities exist on the client side.
C. Both SQL injection and XSS vulnerabilities exist on the client side.
D. Both SQL injection and XSS vulnerabilities exist on the server side.
A. Incorrect. SQL injection resides in the server context and XSS resides in the browser context, which is client side.
B. Correct. SQL injection resides in the server context and XSS resides in the browser context, which is client side. (WB Chapter 3)
C. Incorrect. SQL injection resides in the server context and XSS resides in the browser context, which is client side.
D. Incorrect. SQL injection resides in the server context and XSS resides in the browser context, which is client side.

12 / 40
Direct and parameterized queries are two techniques to execute queries that are partly based on user input. Which of the following statements in regard to direct and parameterized queries, when used properly, is correct?
A. A direct query filters meta-characters more efficiently than parameterized queries.
B. A direct query filters meta-characters less efficiently than parameterized queries.
C. A direct query uses placeholders to process input and a parameterized query uses the supplied parameters.
D. A direct query uses the supplied parameters for input and a parameterized query processes input through placeholders.
A. Incorrect. The main goal of the parameterized query is security.
B. Incorrect. The main goal of the parameterized query is security.
C. Incorrect. A direct query takes the supplied input. Escaping has to be done beforehand and correctly.
D. Correct. Placeholders are used to process (escape) input. (WB Chapter 3)

13 / 40
You are assigned the honorable task of preventing SQL injection in a small web application. You have listed all lines of code where user input ends up in a SQL query. You also want to make sure that future development does not introduce new SQL injection vulnerabilities. What is the BEST solution to accomplish this task?
A. Write and use your own routines that escape all input for all database products and rewrite the necessary lines of code.
B. Use a transparent layer provided through standard libraries that escapes all input and rewrite the necessary lines of code.
C. Prevent the leakage of information about the database product that is used to make SQL injection impossible.
D. Prevent the application from showing detailed error messages since these are needed to exploit a SQL vulnerability.
A. Incorrect. There are proven libraries that perform the same task. It is not certain that you will include all meta-characters.
B. Correct. A transparent layer is provided through techniques like parameterized queries. (WB Chapter 3)
C. Incorrect. Leakage of information is not the only way to identify the database product in use and exploit SQL injection vulnerabilities.
D. Incorrect. Generic messages do not prevent blind SQL injection attacks.

14 / 40
Testing input against a list of known negative inputs, implemented by compiling a listing of all the negative or bad conditions and then verifying that the received input is not included in the list, is a technique for filtering input. What is the name of this filtering technique?
A. Implementing the Graylist method for input validation.
B. Implementing the Blacklist method for input validation.
C. Implementing the Whitelist method for input validation.
D. Implementing Regular Expressions for input validation.
A. Incorrect. Testing a predefined list of bad input is called blacklisting.
B. Correct. Testing a predefined list of bad input is called blacklisting. (WB Chapter 3)
C. Incorrect. Testing a predefined list of bad input is called blacklisting.
D. Incorrect. Testing a predefined list of bad input is called blacklisting.
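The direct versus parameterized distinction from questions 12 and 13, shown side by side as an added example (not code from the EXIN workbook). A constructed in-memory SQLite table stands in for the application's database; the same inputs go through both techniques so the effect of the placeholder layer is visible.

```python
import sqlite3

# Added example, not from the EXIN workbook. The table and its rows are constructed.


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def find_user_direct(conn: sqlite3.Connection, name: str) -> list:
    """Direct query: the input is pasted into the SQL text, so the SQL parser sees
    whatever meta-characters the user typed. Correct escaping would have to be done
    by the developer beforehand; here nothing is escaped."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the SQL text is fixed and holds a placeholder; the driver
    passes the value separately, so it is always treated as data, never as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Run both techniques on one input; returns (direct_result, parameterized_result).
    A direct query that breaks the SQL syntax is reported as an error string."""
    conn = setup_db()
    try:
        direct = find_user_direct(conn, name)
    except sqlite3.OperationalError as exc:
        direct = f"SQL error: {exc}"
    parameterized = find_user_parameterized(conn, name)
    conn.close()
    return direct, parameterized


if __name__ == "__main__":
    # A plain name, a name with an apostrophe, and input carrying SQL meta-characters.
    for value in ["alice", "O'Brien", "x' OR 1=1 --"]:
        direct, param = compare(value)
        print(f"{value!r:16} direct={direct!r}")
        print(f"{'':16} parameterized={param!r}")
```

The apostrophe in a legitimate name already breaks the direct query, while the meta-character input makes it return every row; the parameterized query returns exactly the matching rows in all three cases.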

15 / 40
Validation of user input is possible at the client (browser) and at the server portion of the application. What is the BEST solution to perform validation of user input?
A. Perform validation of user input at the client (browser).
B. Perform validation of user input at the server portion of the application.
C. Perform validation of user input both at the client (browser) and the server portion of the application.
D. Perform validation of user input either at the client (browser) or the server portion of the application.
A. Incorrect. Validation of user input at the client enhances the user experience and reduces unnecessary traffic, but from a security perspective these controls are easy to defeat.
B. Incorrect. Server side validation is a must whereas client side validation is a plus. The question however is about the best solution.
C. Correct. Server side validation is a must from a security perspective whereas client side validation is a plus in regard to a more user-friendly application. (WB Chapter 3)
D. Incorrect. From a security perspective, input must at least be validated server side.

16 / 40
Your web server is set to use UTF-8 encoding for input and output. Some of your validation routines are based on legacy libraries that only accept ISO/IEC 8859 character sets. You have written conversion routines to be used for handling input and output to the validation routine. A user is allowed to enter his/her name in a web form. The input is validated by the validation routines and reflected to the user in the HTML body. What needs to be done with the input to display the output properly and safely?
A. The input needs to be normalized, converted and HTML encoded.
B. The input needs to be normalized, stripped and HTML encoded.
C. The input needs to be converted, stripped and HTML encoded.
D. The input needs to be normalized, stripped and converted.
A. Correct. The input needs to be normalized first, then converted and handed over to the validation routines, and reflected HTML encoded. (WB Chapter 3)
B. Incorrect. Stripping of output is not useful for handling this kind of input.
C. Incorrect. Stripping of output is not useful for handling this kind of input.
D. Incorrect. Stripping of output is not useful for handling this kind of input. HTML encoding is a must to prevent browser attacks.
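The normalize, convert, validate and HTML-encode sequence from question 16, written out as an added example (not code from the EXIN workbook). The legacy validator is a hypothetical stand-in that only understands ISO-8859-1 bytes; the sample names are constructed to show why normalization has to come before conversion.

```python
import html
import unicodedata

# Added example, not from the EXIN workbook. legacy_validate_name is a stand-in for
# the scenario's legacy routine that only accepts an ISO/IEC 8859 character set.
LEGACY_CHARSET = "iso-8859-1"
ALLOWED_PUNCTUATION = " -'"


def normalize(text: str) -> str:
    """Step 1: NFC normalization. 'e' followed by COMBINING ACUTE ACCENT becomes the
    single code point U+00E9, which exists in ISO-8859-1; the combining mark alone does not."""
    return unicodedata.normalize("NFC", text)


def convert_to_legacy(text: str) -> bytes:
    """Step 2: convert to the legacy charset. Raises UnicodeEncodeError for any
    character that has no ISO-8859-1 representation."""
    return text.encode(LEGACY_CHARSET)


def legacy_validate_name(raw: bytes) -> bool:
    """Stand-in legacy validator: 1..64 bytes of ISO-8859-1 letters, spaces,
    hyphens and apostrophes."""
    if not 1 <= len(raw) <= 64:
        return False
    text = raw.decode(LEGACY_CHARSET)
    return all(ch.isalpha() or ch in ALLOWED_PUNCTUATION for ch in text)


def process_name(user_input: str) -> tuple:
    """Normalize, convert, validate, then HTML-encode the value that is reflected.
    Returns (accepted, html_fragment); rejected input yields an empty fragment."""
    normalized = normalize(user_input)
    try:
        legacy_bytes = convert_to_legacy(normalized)
    except UnicodeEncodeError:
        return False, ""  # cannot be represented for the legacy validator: reject
    if not legacy_validate_name(legacy_bytes):
        return False, ""
    # Step 3: back to Unicode for the UTF-8 response, HTML encoded so that
    # characters such as ' < > & cannot change the page structure.
    return True, html.escape(legacy_bytes.decode(LEGACY_CHARSET), quote=True)


if __name__ == "__main__":
    samples = {
        "Jose\u0301": "decomposed e + combining acute (NFD input)",
        "O'Brien": "apostrophe must be HTML encoded on output",
        "\u0141ukasz": "L with stroke has no ISO-8859-1 representation",
        "<b>Bob</b>": "markup is not a name",
    }
    for value, why in samples.items():
        print(f"{why}: {process_name(value)}")
```

Without the normalization step the first sample would be rejected, because the combining accent by itself cannot be converted to ISO-8859-1.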

17 / 40
An attacker has found two input fields that result in a buffer overflow condition. This condition happens within a function that converts all upper case input into lower case and is then used to execute a search. Where does the buffer overflow reside and what does it allow for?
A. This buffer overflow resides on the heap and allows for code execution.
B. This buffer overflow resides on the heap and allows for data manipulation.
C. This buffer overflow resides on the stack and allows for data manipulation.
D. This buffer overflow resides on the stack and allows for code execution.
A. Incorrect. A function call is made and these variables are normally placed on the stack.
B. Incorrect. A function call is made and these variables are normally placed on the stack.
C. Incorrect. Data manipulation is not the main goal when exploiting a buffer overflow.
D. Correct. A function call indicates a stack-based buffer overflow. The main goal is code execution. (WB Chapter 3)

18 / 40
An attacker found a vulnerability within a web application. He discovered that one of the parameters in the URL can be used to add JavaScript code which is executed within the browser when he sends the request to the website. Which of the following statements BEST describes this vulnerability?
A. This is a stored XSS vulnerability. The attacker needs to entice the victim to visit the URL.
B. This is a stored XSS vulnerability. Exploitation occurs when someone uses the web application.
C. This is a reflected XSS vulnerability. The attacker needs to entice the victim to visit the URL.
D. This is a reflected XSS vulnerability. Exploitation occurs when someone uses the web application.
A. Incorrect. The JavaScript is not stored.
B. Incorrect. The JavaScript is not stored.
C. Correct. The JavaScript is not stored within the web application but reflected when requesting the URL. The attacker has to entice the victim to visit the prepared URL. (WB Chapter 3)
D. Incorrect. The JavaScript is reflected but needs enticement, since the JavaScript is not available within the web application (not stored).

19 / 40
As the developer of a web application, you are assigned the task of implementing a strong defense against Server XSS. What is the easiest and strongest defense against Server XSS?
A. Stripping all JavaScript from user input.
B. Context-sensitive server side output encoding.
C. Using safe JavaScript APIs.
D. Using safe third-party JavaScript code.
A. Incorrect. Input validation or data sanitization can also be performed to help prevent Server XSS, but it is much more difficult to get correct than context-sensitive output encoding.
B. Correct. Server XSS (stored and reflected) is best mitigated by correct output encoding. (WB Chapter 3)
C. Incorrect. Using safe JavaScript APIs defends against Client XSS.
D. Incorrect. Using JavaScript is not the problem; using JavaScript that is provided by a malicious user is the problem.

20 / 40
Members of the HR department within your company are responsible for maintaining your personal information that resides in the HR application. Information in regard to your working performance is also stored through the HR application, but read/write access to this information is limited to the manager of your department. One of the HR members is allowed to read the working performance for monitoring purposes. Authorization for the HR application is implemented according to the desired access model. On what type of authorization is access to data within the HR application based?
A. on horizontal authorization
B. on vertical authorization
C. on object and attribute authorization
D. on horizontal and vertical authorization
A. Incorrect. Vertical authorization is also in place.
B. Incorrect. Horizontal authorization is also in place.
C. Incorrect. Object authorization is most commonly used for accessing the object, and attribute authorization is found within databases.
D. Correct. Vertical: the HR representative is allowed to read the working performance whereas the manager is allowed to read/write. Horizontal: access to the working performance data is limited to authorized roles/people. (WB Chapter 4)

21 / 40
An authenticated user is authorized to edit, view and delete records that describe all individual parts that belong explicitly to a product that is manufactured by the department he is working for. The company manufactures other products, but the user is not authorized to access parts that belong to these other products. The authenticated user discovers that he is able to get access to unauthorized parts by simply changing a form value that represents the part number. What is the MOST likely reason for this authorization failure?
A. The authorization is based on insecure direct object references.
B. The authorization is based on insecure indirect object references.
C. The authorization is based on incomplete indirect object references.
D. The authorization is based on incomplete direct object references.
A. Correct. A direct object reference is used and there are no additional authorization checks, which makes the direct object reference insecure. (WB Chapter 4)
B. Incorrect. A direct object reference is used. An indirect object reference would not have this failure (when properly used).
C. Incorrect. Completeness is not the issue.
D. Incorrect. Completeness is not the issue.

22 / 40
Suppose that two separate actions operate on the same resource and that checks are used to validate if the process is allowed to use the resource. What is the attack called that abuses the time window between the check (TOC) and use (TOU) of the resource?
A. A session poisoning attack
B. A race condition attack
C. An atomic operation attack
D. An application flow attack
A. Incorrect. Session poisoning is an attack where session data is updated incorrectly, allowing an attacker to access unauthorized data.
B. Correct. This attack is known as a race condition or TOCTOU attack. (WB Chapter 4)
C. Incorrect. An atomic operation prevents race conditions.
D. Incorrect. The flow of the application is not attacked in the scenario above.

23 / 40
Why is hardening of systems a very important security control?
A. Third party software is not always written with security in mind.
B. Third party Firewalls do not protect the exposed services properly.
C. Third party services are always on and insecure by default and need protection.
D. Third party software is not both functional and secure out-of-the-box.
A. Incorrect. Although true, this is not a reason for hardening.
B. Incorrect. Protection of services is another subject.
C. Incorrect. This statement is harsh and not always true.
D. Correct. This best describes the justification. (WB Chapter 5)

24 / 40
Hardening of a system consists of various adjustments. Which of the following is NOT considered hardening of a system?
A. Applying the latest security patches.
B. Disabling or removing debug features.
C. Compiling code with ASLR and DEP protection.
D. Changing default passwords.
A. Incorrect. This is part of system hardening.
B. Incorrect. This is part of system hardening.
C. Correct. ASLR and DEP are software protections. (WB Chapter 5)
D. Incorrect. This is part of system hardening.

25 / 40
A web application detects an error when handling a request. Instead of displaying full information about the error, a general page including a reference to the error is returned. All information about the error is logged locally, including the reference. What is MOST likely the primary reason for this solution?
A. This prevents unnecessary leakage of internal information.
B. This is more user friendly than displaying the full error message.
C. This prevents unnecessary usage of bandwidth.
D. This is the preferred way for developers to solve and administer errors.
A. Correct. This way, internal information like stack traces, error conditions and so on is not leaked. (WB Chapter 5)
B. Incorrect. This might be user friendly, but is not the main reason.
C. Incorrect. A regular page most likely holds more information than a stack trace.
D. Incorrect. Solving and administering is not the main reason.

26 / 40
A web application is designed with logging various types of information in mind. Which type of information is MOST important for logging with regard to security?
A. Version information of the modules that are started.
B. Stack traces that are generated during an error.
C. The entrance, duration and exit timestamps of procedure calls.
D. Increase and decrease of privilege levels for logged-in users.
A. Incorrect. This is functional information.
B. Incorrect. Stack traces should be logged for functional investigation and not displayed. Although this information could be used to identify security issues, this is not the most important.
C. Incorrect. This information is most probably used for tuning.
D. Correct. When a privilege is increased, this should be logged. The decrease of a privilege (or log out) should also be logged. This allows detection of failures or an incorrect exit. (WB Chapter 5)

27 / 40
As a developer you have coded to catch every potential error and you have provided a solution that ensures that the code will not be left in an insecure state. What application security principle is described above?
A. complete mediation
B. fail securely
C. detect intrusion
D. fail-safe defaults
A. Incorrect. This is checking every access to every object for authority.
B. Correct. Handling errors securely is a key aspect of secure coding. This includes the handling of exceptions. (WB Chapter 5)
C. Incorrect. This is about logging, monitoring the logs and responding to detected intrusions.
D. Incorrect. This is about configuring default settings in a positive security model.

28 / 40
As a developer you are concerned about performance and availability of your application. Instead of depending solely on the implementation of a large and extensible server farm, you also implement a solution that limits the amount of resources that can be allocated to a single user. Which purpose BEST describes the reason behind this solution?
A. to speed up processing
B. to prevent unexpected behavior
C. to mitigate a DoS attack
D. to reduce the server farm
A. Incorrect. More processing power, bandwidth, low-level routines et cetera are used to speed up performance.
B. Incorrect. Error handling prevents unexpected behavior better.
C. Correct. Limiting resources per user is a way to mitigate Denial-of-Service attacks. (WB Chapter 5)
D. Incorrect. You could use this measure to reduce the server farm, but the main reason would be to handle the necessary concurrent usage.

29 / 40
When developing an application that uses cryptography, what is the BEST strategy to choose a cryptographic library?
A. Develop it yourself: open source libraries can't be trusted. Proof is Heartbleed.
B. Use an open source library and audit it yourself.
C. Use a commercial library like RSA's Bsafe; they have been audited by professionals.
D. Use either an open source or a commercial library and write a security assumption that they are out of scope for your security requirement.
A. Incorrect. Developing cryptographic libraries is hard; getting these correct on your own is close to impossible.
B. Correct. Although it's a lot of work to do the audit. (WB Chapter 6)
C. Incorrect. Although commercial libraries can come with an audit report, they may be hijacked by state agencies to weaken their cryptographic properties, thus losing all trust. As long as you cannot verify their trustworthiness, they might be suspect. You just don't know.
D. Incorrect. Although this is current practice, it's not the correct way.

30 / 40
What is the difference between symmetric cryptography and asymmetric cryptography?
A. Symmetric cryptography is based on symmetric passwords. Asymmetric cryptography allows all passwords.
B. Symmetric cryptography needs the same operating system for user and browser. Asymmetric cryptography does not.
C. Symmetric cryptography is based on both user and software using the same key. Asymmetric cryptography uses a public key.
D. Symmetric cryptography checks a password against a stored password. Asymmetric cryptography uses a randomly added string.
A. Incorrect. There is no reason to make passwords symmetric.
B. Incorrect. The symmetry is not a symmetry of operating systems. The languages used are recognized by all operating systems.
C. Correct. In an asymmetric cryptography system, all participants have their own key pair, consisting of a so-called private key and public key. (WB Chapter 6)
D. Incorrect. This is salting and has nothing to do with cryptography.

31 / 40
Why is a website, of which the certificate is revoked, a risk?
A. Because a website with a revoked certificate may not be the website you intended to visit.
B. Because the certificate authority that gives out the certificate has been proven to be bad.
C. Because the browser is not working correctly, you are shown this error. You need to update.
D. It is not a risk, because the original certificate was given out by a trusted certificate authority.
A. Correct. Someone may be trying to lure you to a website by using an old version of another website. You should always be very careful with websites that have a revoked certificate. There is a reason the certificate was revoked. (WB Chapter 6)
B. Incorrect. This has nothing to do with it. Bad certificate authorities may NOT revoke certificates.
C. Incorrect. Certificate revocation has nothing to do with the state of your browser.
D. Incorrect. It is a risk, as explained with the correct answer.

32 / 40
You are assigned to set up a website that uses HTTPS. For this purpose you have requested and installed a certificate that is signed by a well-known CA (Certification Authority). What is NOT something that you have to do in order to implement the HTTPS server securely?
A. Disable all protocols that are not supported by the server's OS.
B. Configure the server to allow only strong protocols and ciphers.
C. Implement HSTS to allow for browser based mitigation.
D. Configure the server or application to add the 'secure' flag on session cookies.
A. Correct. This is not something that you have to do. Protocols that are not supported are not used and cause no errors. (WB Chapter 6)
B. Incorrect. Weak protocols and ciphers should not be supported.
C. Incorrect. Most browsers have implemented this security control, so use it.
D. Incorrect. You need to make sure that session cookies are set with the 'secure' option.

33 / 40
A Swiss bank needs a non-repudiation requirement for the following functional requirement: "As an account holder, I can transfer money from one account to another." You are asked to help them. What is an appropriate non-repudiation requirement?
A. All login attempts should be logged.
B. Transfers can only be done from one of the account holder's accounts.
C. Every transfer must be logged.
D. Negative amounts are not allowed.
A. Incorrect. This is a non-repudiation requirement, but does not apply to this functional requirement.
B. Incorrect. This is an authorization requirement.
C. Correct. This is a non-repudiation requirement that applies to this functional requirement. (WB Chapter 6)
D. Incorrect. This is an integrity requirement.

34 / 40
Given this requirement: "When a user has forgotten his/her password, the user must be able to change it." What is the hidden assumption here?
A. It is assumed that users should only be able to change their own password.
B. It is assumed that passwords should have a minimum length.
C. It is assumed that users do not write down their passwords.
D. It is assumed that a user's identity can be established before changing the password.
A. Incorrect. The words his/her make this explicit and therefore it is not an assumption.
B. Incorrect. This is an unrelated requirement.
C. Incorrect. This is an unrelated requirement.
D. Correct. Before changing a password you inherently need to know who it is that asks for the password reset. Since this is not explicitly specified, it is a hidden assumption. (WB Chapter 7)

35 / 40
What security principle states that access is denied and the security scheme identifies when access is permitted?
A. Default deny
B. Defense in depth
C. Least privilege
D. Input validation
A. Correct. Access is denied by default and added when applicable. (WB Chapter 7)
B. Incorrect. This is about adding a layered security model.
C. Incorrect. This is about restricting access on a need-to-know basis.
D. Incorrect. This is not about authorization but validation.

36 / 40
A newspaper has deployed an editing platform. Its architecture is described below and illustrated with a Data Flow Diagram (DFD).

1. Photographers all over the globe can log in and upload photos using SFTP (Secure FTP).
2. The photos are placed in an upload directory.
3. The system runs a regularly scheduled process to move the photos from the upload directory into a SQL database.
4. Editors at the office use the web application to browse the photos and add some photos to articles for publication. (There is no photo-editing feature; photos are published as-is.)

A threat analysis identified this risk: photographers can create malformed filenames that trigger a shell injection attack. If an attacker uploads a file that contains shell commands, the code that should copy the file will execute those shell commands.

The architects replace the SFTP file upload and the scheduled job with a web interface that inserts the photos directly into the database, hoping to get a more secure system. Choose the BEST answer. Will the system be more secure?
A. Yes, this solves the problem completely.
B. Yes, but only if the web interface is free of security problems.
C. No, this fix does not deal with identity spoofing attacks.
D. No, this does not fix the problem at all.
A. Incorrect. Adding a complete web interface is not a trivial adaptation, and it is likely that the web interface has some bugs.
B. Correct. Replacing part of an architecture can itself lead to other security problems. (WB Chapter 7)
C. Incorrect. Identity spoofing attacks were never mentioned as a problem.
D. Incorrect. The fix does take care of the shell injection problem by replacing the copy function that used the shell by something that does not use the shell. It fixes this particular problem, but may introduce others.

37 / 40
Which of the following is NOT a principle of secure design?
A. Allow for future security enhancements.
B. Design security through secrecy.
C. Implement least privilege.
D. Isolate security controls.
A. Incorrect. This is a known security design principle.
B. Correct. Security through secrecy is not a secure design principle. (WB Chapter 7)
C. Incorrect. This is a well-known security design principle.
D. Incorrect. This is a known security design principle.

38 / 40
Which definition BEST describes a vulnerability scan?
A. A series of automated tests for known problems.
B. A test performed by security experts.
C. A stress test to make the application crash.
D. A review of vulnerabilities in the design.
A. Correct. This is an example of a vulnerability scan. (WB Chapter 7)
B. Incorrect. Although security experts may find vulnerabilities, a scan will check whether certain known problems are present.
C. Incorrect. Checking for known vulnerabilities does not have to make the application crash.
D. Incorrect. A review by experts is sometimes called a scan, but is usually applied to processes. A review of a design is called a design review.

39 / 40
Which of the following things should effective security testing involve?
A. Testing of people
B. Testing of process
C. Testing of technology
D. All of the above
A. Incorrect. Testing of people is important for security testing, but so are the others.
B. Incorrect. Testing of processes is important for security testing, but so are the others.
C. Incorrect. Testing of technology is important for security testing, but so are the others.
D. Correct. People, processes and technology should be tested to ensure effective security testing. (WB Chapter 7)

40 / 40
What is a significant disadvantage of MANUALLY inspecting code?
A. The review is performed too quickly to be thorough, when done manually.
B. Manual inspection cannot be applied to many situations.
C. Manual inspection requires significant human thought and skill to be effective.
D. The manual review requires the assistance of complex technologies.
A. Incorrect. Though this may happen, this is not always the case. It depends on the person carrying out the inspection.
B. Incorrect. Manual inspection is one of the most versatile types of review.
C. Correct. A reviewer with the competence, experience and concentration to do a good review is needed. These people are difficult to find and concentration may lapse. When this happens, some parts of the code will not be inspected as needed. (WB Chapter 7)
D. Incorrect. Actually, a manual review of the code is the least technological thing you can do and needs only a person.

Evaluation
The correct answers to the questions are in the table below.

number  answer    number  answer
1       A         21      A
2       A         22      B
3       D         23      D
4       D         24      C
5       C         25      A
6       A         26      D
7       A         27      B
8       D         28      C
9       B         29      B
10      B         30      C
11      B         31      A
12      D         32      A
13      B         33      C
14      B         34      D
15      C         35      A
16      A         36      B
17      D         37      B
18      C         38      A
19      B         39      D
20      D         40      C

Contact EXIN www.exin.com