Scenario:
You are a member of a test team that is responsible for performing system testing and supporting user acceptance testing. The application being tested has reached the exit criteria in both test levels. The application has been deployed in the pre-production environment, where it has been observed that the database administrator is unable to access the database objects.
Question:
In the above scenario, which ONE of the following attributes of the test environment is missing?
Sophie is analyzing the security requirements of user stories to ensure that the security-related aspects of the users' needs have been adequately covered. She is also defining the most workable approach to develop the application in a secure way.
In which stage of the software development life cycle should this activity be performed?
Which ONE of the following security vulnerabilities can be identified through structural testing during component testing?
Scenario:
At “Happy Wrench Plumbing”, an administrator (admin) manages clients and other users and is able to edit their personal details in the application by accessing the URL: http://www.abcxyz.com/editusers.
It is necessary to test if non-admin users can perform this above-mentioned functionality.
Question:
Which ONE of the following options CORRECTLY corresponds to the security testing type that is necessary to achieve this goal?
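The check the scenario calls for is an authorization (vertical privilege escalation) test: request the admin-only URL with a non-admin session and confirm the server refuses it. The following is an added example, not code from the page or from the "Happy Wrench Plumbing" application; the route table, the `Session` type, the role names and the two handlers are assumptions made for illustration.

```python
# Added example (not from the original page): forced-browsing check that a
# non-admin user cannot reach an admin-only function such as /editusers.
# The route table, roles and handlers below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ADMIN_ROUTES = {"/editusers"}  # assumed: paths only an admin may use


@dataclass
class Session:
    user: str
    role: str  # assumed role names: "admin" or "client"


def edit_users_no_check(session: Session) -> Tuple[int, str]:
    """Vulnerable handler: relies on the UI hiding the link from non-admins,
    so anyone who types the URL reaches the user editor."""
    return 200, f"user editor opened by {session.user}"


def edit_users_checked(session: Session) -> Tuple[int, str]:
    """Hardened handler: enforces the role server-side on every request."""
    if session.role != "admin":
        return 403, "forbidden"
    return 200, f"user editor opened by {session.user}"


ROUTES_VULNERABLE: Dict[str, Callable] = {"/editusers": edit_users_no_check}
ROUTES_HARDENED: Dict[str, Callable] = {"/editusers": edit_users_checked}


def dispatch(routes: Dict[str, Callable], path: str, session: Session) -> Tuple[int, str]:
    """Minimal router standing in for the web framework."""
    handler = routes.get(path)
    if handler is None:
        return 404, "not found"
    return handler(session)


def vertical_escalation_findings(routes: Dict[str, Callable], non_admin: Session) -> List[str]:
    """Authorization test: request every admin-only path with a non-admin
    session and report each path that answers 200 instead of 403."""
    findings = []
    for path in sorted(ADMIN_ROUTES):
        status, _ = dispatch(routes, path, non_admin)
        if status == 200:
            findings.append(path)
    return findings


if __name__ == "__main__":
    client = Session("bob", "client")
    print("vulnerable:", vertical_escalation_findings(ROUTES_VULNERABLE, client))
    print("hardened:  ", vertical_escalation_findings(ROUTES_HARDENED, client))
```

The test is the same in both cases; only the server-side behaviour differs. A finding means the application relied on the client (hidden menu entry, disabled button) instead of checking the role on the request.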
Annie is creating a fake email id to present herself as the CTO of a company. She is also using social media, instant messaging, and SMS to trick some potential victims into providing sensitive information.
Which ONE of the following attacks is she planning?
Scenario:
An international health insurance company has an advanced management system for its services that can be accessed by different types of stakeholders.
As a consequence of a deficiency in the security requirements for a new module, a data access monitoring process has not been implemented for the stakeholders involved in customer management. This feature requires that, every time any corporate stakeholder accesses a customer's data, a record is kept identifying the user, the date and time of access, and the reason(s) for accessing the data.
Question:
Based on the above scenario, which TWO aspects associated with the requirements could be impacted by the implementation of the solution? (Choose two.)
Background:
CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read distorted text, but current computer programs cannot.
Scenario:
A web application available for mobile devices provides value-added services upon free registration of future users. This application provides a series of free and other paid services. The project’s security manager has proposed to include a CAPTCHA during the registration process.
Question:
Which ONE of the following objectives of security tests for this feature is CORRECT?
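Whatever the chosen answer, the security tests for a CAPTCHA have to show that the server enforces it: a registration request with no challenge, a wrong answer, a replayed (already used) challenge, or an expired one must all be refused. The following is an added example, not the application's code: the challenge service, its 120-second lifetime, the challenge ids and the `register` function are assumptions made to show what such a test exercises.

```python
# Added example (not from the original page): server-side CAPTCHA handling
# and the checks a security tester scripts against the registration feature.
# CHALLENGE_TTL, the challenge-id format and register() are assumptions.
import secrets
import time

CHALLENGE_TTL = 120  # seconds a solved challenge stays valid (assumed)


class CaptchaService:
    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested
        self._pending = {}        # challenge_id -> (expected_answer, issued_at)

    def issue(self, answer: str) -> str:
        """Issue an unguessable challenge id tied to the expected answer."""
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer, self._now())
        return cid

    def verify(self, cid: str, answer: str) -> bool:
        """Single-use, time-bound check: the id is consumed on any attempt,
        so a solved challenge cannot be replayed by a script."""
        record = self._pending.pop(cid, None)
        if record is None:
            return False
        expected, issued_at = record
        if self._now() - issued_at > CHALLENGE_TTL:
            return False
        return secrets.compare_digest(expected, answer)


def register(service: CaptchaService, users: set, email: str, cid: str, answer: str):
    """Registration endpoint: refuses any request without a valid CAPTCHA."""
    if not service.verify(cid, answer):
        return 400, "captcha failed"
    if email in users:
        return 409, "already registered"
    users.add(email)
    return 201, "registered"


def captcha_test_results():
    """Run the checks a security tester would script (valid, replayed, omitted,
    wrong, expired) and return the status each one produced."""
    clock = [1000.0]
    svc = CaptchaService(now=lambda: clock[0])
    users = set()
    cid = svc.issue("x7k2")                                   # constructed answer
    valid = register(svc, users, "a@example.com", cid, "x7k2")[0]
    replay = register(svc, users, "b@example.com", cid, "x7k2")[0]   # same id again
    omitted = register(svc, users, "c@example.com", "", "")[0]       # no challenge
    cid2 = svc.issue("m4qz")
    wrong = register(svc, users, "d@example.com", cid2, "zzzz")[0]   # bad answer
    cid3 = svc.issue("p8rt")
    clock[0] += CHALLENGE_TTL + 1                             # let it expire
    expired = register(svc, users, "e@example.com", cid3, "p8rt")[0]
    return {"valid": valid, "replay": replay, "omitted": omitted,
            "wrong": wrong, "expired": expired, "registered": sorted(users)}


if __name__ == "__main__":
    print(captcha_test_results())
```

The replay check is the one most often missing in practice: a CAPTCHA that is verified but not consumed lets a bot solve it once (or pay a solving service once) and reuse the token for every subsequent registration.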
A firewall has been implemented so that communications can be filtered according to the users initiating the connections, and data can be filtered according to pattern descriptions.
What type of access restriction product or mechanism is described above?
George is a security tester who is using a suite of tools to perform different tasks, such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. He aims to determine the hosts available on the network, the services and OS versions they are running, and what types of packet filters and/or firewalls are in use, and also to make a list of string parameters such as ‘ or “, -- or #, /…/, +, ||, %, PRINT.
Which TWO of the following types of testing is George performing? (Choose two.)
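The string parameters in the scenario are the classic SQL injection probes (quote characters, comment introducers, concatenation and wildcard operators). Below is an added example, not part of the page, that sends them against a deliberately vulnerable query and against its parameterized form so the difference in behaviour is visible. The sqlite3 table and its two rows are constructed for the example; "/…/" from the question is assumed to stand for the "/* */" comment pair, and the tautology probe `' OR '1'='1` is added to the list.

```python
# Added example (not from the original page): the question's probe strings run
# against a vulnerable string-built query and its parameterized counterpart.
# The in-memory table and rows are constructed; "/*...*/" is an assumption
# for the "/…/" shown in the question.
import sqlite3

PROBES = ["'", '"', "--", "#", "/*...*/", "+", "||", "%", "PRINT",
          "' OR '1'='1"]  # last entry added: a tautology probe


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def find_user_vulnerable(db: sqlite3.Connection, name: str):
    # String concatenation: the probe becomes part of the SQL text.
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(db: sqlite3.Connection, name: str):
    # Bound parameter: the probe is only ever compared as data.
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def probe(db: sqlite3.Connection, lookup, baseline_name: str = "nobody") -> dict:
    """Send each probe and classify the response the way a tester would:
    'error' (malformed SQL, i.e. the input reached the parser), 'leak' (more
    rows than the baseline query for a non-existent user) or 'ok'."""
    baseline = lookup(db, baseline_name)
    results = {}
    for p in PROBES:
        try:
            rows = lookup(db, p)
        except sqlite3.Error:
            results[p] = "error"
            continue
        results[p] = "leak" if len(rows) > len(baseline) else "ok"
    return results


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", find_user_vulnerable), ("safe", find_user_safe)):
        print(label, probe(db, fn))
```

Against the vulnerable query the lone quote produces a syntax error (an error-based signal) and the tautology returns both rows (a data-leak signal); against the parameterized query every probe is simply a name that does not exist.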
Security risk assessment is used to prioritize the security risks in order to align the tests with business security objectives.
Which ONE of the following options will lead to a misalignment between the business security objectives and the tests?
Background:
The organization you work for develops a secure electronic document transmission system. You are part of the security test team. In particular, you are responsible for evaluating the tests at the component level.
Scenario:
The component you evaluate is responsible for one of the mechanisms used to validate the identity of the electronic document source. The source is validated with a variable length string that is generated each time the source of a document requests its transmission to a destination.
The string has the following characteristics:
• Minimum length: 6 characters
• Maximum length: 12 characters
• Special characters allowed: @ # $ & % ? !
• Numerical values from 0 to 9
• Alphabetic values: all letters of the English alphabet
• A string:
String -
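A component-level evaluation of this validator rests on equivalence partitioning and boundary value analysis: lengths just below, at and just above each limit, and characters just outside the allowed set. The block below is an added example, not the organization's code: the validator, its regular expression and the test table are assumptions built from the characteristics listed above, and a second, loose validator is included to show a common implementation slip (a `$`-anchored `re.match` accepts a trailing newline).

```python
# Added example (not from the original page): validator for the source string
# described in the scenario plus the boundary/partition cases a component
# test would check. The regex, the cases and is_valid_loose are assumptions.
import re
from typing import Callable, List, Tuple

# Allowed set from the scenario: English letters, digits 0-9 and @ # $ & % ? !
ALLOWED = re.compile(r"[A-Za-z0-9@#$&%?!]{6,12}")
LOOSE = re.compile(r"^[A-Za-z0-9@#$&%?!]{6,12}$")


def is_valid_source_token(s: str) -> bool:
    """Hardened: fullmatch requires the whole input to match the pattern."""
    return ALLOWED.fullmatch(s) is not None


def is_valid_loose(s: str) -> bool:
    """Common slip: '$' also matches before a trailing newline, so
    'abcdef\\n' passes even though it is 7 characters with a control char."""
    return LOOSE.match(s) is not None


def boundary_cases() -> List[Tuple[str, bool]]:
    """Inputs derived from the characteristics in the scenario (constructed)."""
    return [
        ("aB3@#", False),           # 5 chars: just below the minimum
        ("aB3@#$", True),           # 6 chars: minimum boundary
        ("aB3@#$%?!x9Z", True),     # 12 chars: maximum boundary
        ("aB3@#$%?!x9Zq", False),   # 13 chars: just above the maximum
        ("abc def", False),         # space is not in the allowed set
        ("abc*de", False),          # * is not among the allowed specials
        ("", False),                # empty input
        ("ÀBCDEF", False),          # non-English letter
        ("aB3@#$\n", False),        # trailing newline after a valid prefix
    ]


def run_boundary_tests(validator: Callable[[str], bool] = is_valid_source_token):
    """Return (input, expected, actual) for every case the validator gets wrong."""
    return [(s, exp, validator(s)) for s, exp in boundary_cases()
            if validator(s) != exp]


if __name__ == "__main__":
    print("strict validator failures:", run_boundary_tests())
    print("loose validator failures: ", run_boundary_tests(is_valid_loose))
```

The strict validator passes every case; the loose one fails only the newline case, which is exactly the kind of defect that boundary-oriented component tests exist to catch before an attacker finds it in a validation routine that gates document authenticity.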
An organization has a security policy in place for the protection of its digital and physical assets. The policy also includes offsite storage on tape and backup in the cloud. The security testing objectives do not cover offsite storage.
Which ONE of the following arguments regarding this situation is VALID?
Which ONE of the following behaviors can provide information to an attacker in the reconnaissance phase of an attack?
Which ONE of the following aspects should NOT be considered when setting up the return on investment (ROI) calculation for any open source tool?
You have been assigned to perform the risk assessment for an internal project in your organization. You choose to involve customers, regulatory agencies or standards recommended/mandated by them.
Which ONE of the following options represents a type of security threat that you are likely to miss because of the inadequate involvement of certain types of stakeholders, such as the public/community?
Scenario:
Jason is a security tester who is planning to run system hardening. He plans to keep all the servers that he will be testing in a secure datacenter, making sure to harden them before connecting them to the internet or to an external network. He plans to install only the required software, avoiding all other unnecessary software installations.
He will also remove any components or functions he does not need, restrict access to the applications based on user roles, remove all default passwords, and inspect integrations with other applications and systems.
He plans to ensure that all the firewall rules are regularly audited, and that the security of remote access points and test user accounts is tested.
Question:
Which TWO of the following types of system hardening is Jason planning? (Choose two.)
Which ONE of the following options is NOT CORRECT with respect to the dynamic and static testing tools in the security testing context?
Risks identified for a traffic control system include authentication and authorization risks, SQL injection attacks, the system being put into invalid states such as multiple green lights, man-in-the-middle attacks, and network-borne attacks.
Which ONE of the following abstract tests does NOT relate to any of the risks identified in the risk assessment?