Question 1

To prevent XSS attacks any user supplied input should be examinedand any dangerous code removed or escaped to block its execution.

Accepted Answer

This statement correctly describes one of the common practices to prevent XSS attacks. By examining user input and removing or escaping any dangerous code, the vulnerability can be mitigated.

Question 2

The correct implementation in the case of an atomic operation is totest separately for the presence of the lockfile and to not always attempt to create it.

Accepted Answer

Atomic operations, by definition, should ensure that the operation is completed in a single step without the possibility of interference from other operations. Testing separately for the presence of a lockfile and then attempting to create it introduces a race condition, which is not atomic. The correct implementation would use a method that atomically checks for the existence and potentially creates the lockfile in one step, such as using the `open` system call with flags `O_CREAT | O_EXCL` in a POSIX environment.

Question 3

Many computer security vulnerabilities result from poor programmingpractices.

Accepted Answer

Many computer security vulnerabilities are caused by programming errors, such as buffer overflows, SQL injection, and cross-site scripting. These errors can allow attackers to gain unauthorized access to systems or steal sensitive information. Therefore, it is essential to adopt secure coding practices and follow established software development life cycle methodologies to minimize the risk of vulnerabilities.

Question 4

There is a problem anticipating and testing for all potential types ofnon-standard inputs that might be exploited by an attacker to subvert a program.

Accepted Answer

It is difficult to anticipate and test for all potential types of non-standard inputs that could be used by an attacker to exploit a program. This is a common challenge faced by developers and security professionals in ensuring the security of software.

Question 5

An ASCII character can be encoded as a 1 to 4 byte sequence usingthe UTF-8 encoding.

Accepted Answer

An ASCII character is encoded as a single byte in UTF-8 encoding. UTF-8 uses 1 to 4 bytes for encoding characters, but ASCII characters specifically are encoded using just one byte.

Question 6

A difference between defensive programming and normal practices isthat everything is assumed.

Accepted Answer

In defensive programming, nothing is assumed, and the code is written to handle unexpected inputs and situations to prevent errors.

Question 7

Without suitable synchronization of accesses it is possible that valuesmay be corrupted, or changes lost, due to over-lapping access, use, and replacement of shared values.

Accepted Answer

Without proper synchronization, overlapping access to shared values can cause data corruption or loss of changes.

Question 8

Defensive programming requires a changed mindset to traditionalprogramming practices.

Accepted Answer

Defensive programming involves anticipating and guarding against potential errors, exceptions, and edge cases, which requires a different approach compared to just writing code that works under normal conditions. Therefore, a changed mindset is necessary to implement defensive programming practices effectively.

Question 9

_________ is a program flaw that occurs when program input data can accidentally or deliberately influence the flow of execution of the program.

Accepted Answer

Injection attack is a type of program flaw where an attacker can inject malicious code or input into a program, which can then manipulate the program's execution or behavior. This can lead to unauthorized access to data, system compromise, or other security vulnerabilities. Common examples of injection attacks include SQL injection, cross-site scripting (XSS), and command injection. The other options, PHP attack, format string injection attack, and XSSattack, are not recognized terms in the field of cybersecurity.

Question 10

Cross-site scripting attacks attempt to bypass the browser's securitychecks to gain elevated access privileges to sensitive data belonging toanother site.

Accepted Answer

Cross-site scripting attacks (XSS) involve injecting malicious code into a website, which is then executed on a victim's web browser. This allows the attacker to access sensitive data stored on another site, by using the elevated access privileges granted by the victim's browser. Therefore, the statement is true.

Question 11

To counter XSS attacks a defensive programmer needs to explicitlyidentify any assumptions as to the form of input and to verify that anyinput data conform to those assumptions before any use of the data.

Accepted Answer

The answer of To counter XSS attacks a defensive programmer...

Question 12

Key issues from a software security perspective are whether theimplemented algorithm correctly solves the specified problem, whether the machine instructions executed correctly represent the high level algorithm specification, and whether the manipulation of data values in variables is valid and meaningful.

Accepted Answer

These are indeed key issues from a software security perspective. Correct implementation, accurate representation of algorithms, and valid data manipulation are all important for ensuring secure software.

Question 13

Incorrect handling of program _______ is one of the most common failings insoftware security.

Accepted Answer

Incorrect handling of input is one of the most common failings in software security. Improper input validation can lead to vulnerabilities such as buffer overflows, injection attacks, and cross-site scripting.

Question 14

Security flaws occur as a consequence of sufficient checking andvalidation of data and error codes in programs.

Accepted Answer

Security flaws can occur due to various reasons such as inadequate input validation, improper authentication, and authorization mechanisms, lack of encryption, etc. While insufficient checking and validation of data and error codes can contribute to security vulnerabilities, it is not the only cause. Other factors such as design flaws and human errors can also lead to security flaws.

Question 15

"Improper Access Control (Authorization)" is in the _________ software errorcategory.

Accepted Answer

Improper Access Control (Authorization) falls under the Porous Defenses software error category, which refers to vulnerabilities that arise from insufficient or poorly implemented security measures. Access control is a critical defense mechanism that ensures that only authorized users can access the system or sensitive resources. When access control is not correctly implemented, it allows attackers to gain unauthorized access, resulting in data breaches, service disruptions, and other security incidents. Therefore, it is essential to have robust access control mechanisms to prevent unauthorized access to the system or resources.

Question 16

Injection attacks variants can occur whenever one program invokes theservices of another program, service, or function and passes to itexternally sourced, potentially untrusted information without sufficientinspection and validation of it.

Accepted Answer

This statement is true. Injection attacks can occur whenever there is inadequate inspection and validation of externally sourced information passed between programs, services, or functions. This vulnerability can occur in web applications, databases, operating systems, and other software systems. Common injection attacks include SQL injection, cross-site scripting (XSS), and command injection. It is essential to implement strict security measures to prevent injection attacks, such as input validation, parameterized queries, and user authentication and authorization.

Question 17

Defensive programming is sometimes referred to as _________.

Accepted Answer

Defensive programming is programming with the mindset that software may fail at some point and coding to anticipate and minimize that failure. Secure programming refers to coding with security as a top priority, which is closely related to defensive programming. Variable programming, interpretive programming, and chroot programming are not directly related to defensive programming.

Question 18

"Incorrect Calculation of Buffer Size" is in the __________ software error category.

Accepted Answer

The incorrect calculation of buffer size is a type of risky resource management error, as it can lead to buffer overflow attacks and compromise the security of the system.

Question 19

Software security is closely related to software quality and reliability.

Accepted Answer

Software security is an important aspect of software quality and reliability. A secure software is expected to be reliable and free from bugs that can lead to data breaches. Therefore, a software with high quality and reliability is expected to have strong security measures in place to prevent cyber attacks or unauthorized access.

Question 20

Programmers often make assumptions about the type of inputs aprogram will receive.

Accepted Answer

This is true. Programmers often make assumptions about the type of inputs a program will receive, such as assuming that input will always be in a certain format or within a certain range of values. It is important to be aware of these assumptions and to test programs with a variety of input types to ensure that they are robust and reliable.

Quiz 11: Software Security