Answers Verified 100% Correct
What are the 3 tenets of Defensive Programming? - ANSWER
- never trust data: validate everything
- robust error handling
What are Assertion statements? - ANSWER
- a statement that something must be true at a certain point in a program
- if true, the program does nothing
- if false, the program halts immediately and prints an error message (if one is provided)
Three Assertion Categories? - ANSWER
- Precondition: something that must be true at the start of a function in order for it to work correctly
- Postcondition: something that the function guarantees is true when it finishes
- Invariant: something that is always true at a particular point inside a piece of code
Unconstrained Input - ANSWER - the user can input as much data as they want
CERT Top 10 Secure Coding Practices - ANSWER
1. validate input
2. heed compiler warnings
3. architect/design for security
4. keep it simple
5. default deny
6. least privilege
7. sanitize data
8. defense in depth
9. QA
10. standards
Unit Test - ANSWER
- smallest testable pieces of code, called units
- verifies that each part of the code works correctly and as intended
What are the popular Python unit testing frameworks? - ANSWER
- PyUnit (built-in)
- PyTest
Which SDL phase uses static code analysis? - ANSWER
- implementation
- white box testing during the implementation phase
What is true about assertions? - ANSWER
- they are conditional Boolean expressions
- they have an optional message part
- they are used to check the types or values of arguments
What happens when an assertion's condition evaluates to false? - ANSWER - the program will stop and give an error message
What is the general structure of an assertion statement? - ANSWER - assert expression [assertion_message]
Which test is solely black box testing? - ANSWER - Integration testing
What are two techniques of defensive programming? - ANSWER
- value substitution
- exception handling
Which two classes does the bdb module implement? - ANSWER
- Breakpoint
- Bdb
Which attribute provides a dictionary of breakpoint instances? - ANSWER
- bplist
- maintains a (file, line) tuple of breakpoints
Which function can be used to return all set breakpoints? - ANSWER
- get_all_breaks()
- returns a string with all set breakpoints
Which three data types are considered user-provided? - ANSWER
- cookies
- POST data payloads
- URL parameters
How many arguments does the clear_break() method take? - ANSWER
- Two
- filename, line number
Which three QA security-specific test type categories must be performed on software? - ANSWER
- benchmark
- scheduled
- exploratory
Manual Code Review Process Steps - ANSWER
1. identify security code review objectives
2. perform preliminary scan
3. review code for security issues
4. review for security issues unique to the architecture
What are limitations of Static Code Analysis? - ANSWER
- does not account for runtime vulnerabilities
- requires the tester to possess both testing and software development skills
- tools would have to be language specific