Tag: security

Questions Related to security

Whats the name of the TCS security library available for the remediation of security vulnerabilities?
technology security

  1. TCS Security API

  2. TCS Security Library

  3. TCS Application Security API

  4. TCS e-Security Library

Show answer
Correct Option: A

As per the ASAP Process what all artifacts are provided to help aid in the analysis phase?
technology security

  1. Security URS

  2. Security URS and SRS

  3. Security Design Guidelines

  4. All of the above

Show answer
Correct Option: B

Who does the review of the security elements of the updated project artifacts at the end of each phase of the application development life cycle?
technology security

  1. Application development team

  2. Project Manager

  3. ASAP Team

  4. Testing Team

Show answer
Correct Option: C

Why is “Black List” input validation considered a weak validation method ?
technology security

  1. Because the validation settings are hard coded.

  2. Susceptible to bypass using various forms of character encoding

  3. Because it's difficult to implement a black list filter that also takes into account data sent using the POST method

  4. Because it is typically implemented using regular expressions to match known good data patterns

Show answer
Correct Option: B

Once an input data validation flags an input as “invalid” what would be the most secure response ?
technology security

  1. Escape the invalid characters and continue processing the input data

  2. Accept the input data without modifying it and log the validation error

  3. Delete the invalid characters and continue processing the input data

  4. Reject the entire input data and send an error message back to the user

Show answer
Correct Option: D

A Buffer over flow occurs when …
technology security

  1. The application does not have enough memory allocated to handle the large amount of input

  2. The Operating System does not have enough RAM to handle large amount of input

  3. The client does not have enough memory allocated to handle the large amount of input

  4. A variable in the program does not have enough memory allocated to handle the amount of input

Show answer
Correct Option: D

Web server will log which part of a GET request?

technology security

  1. Hidden tags

  2. Query Strings

  3. Header

  4. Cookies

Show answer
Correct Option: B

AI Explanation

To answer this question, we need to understand the components of a GET request.

A GET request is a type of HTTP request that is used to retrieve information from a server. It consists of several components, including the URL, headers, and query parameters.

The correct answer is B) Query Strings. Query strings are a part of the URL that follows a question mark (?) and contains key-value pairs. They are used to send additional information to the server, such as parameters or filters for the requested data.

Web servers typically log the query strings of a GET request in their access logs. This allows administrators to monitor and analyze the incoming requests and track the specific parameters and values used in each request.

Let's go through each option to understand why it is correct or incorrect:

A) Hidden tags - Hidden tags are not a part of a GET request. They are typically used in HTML forms to include additional data that is not visible to the user. Web servers do not log hidden tags.

B) Query Strings - This option is correct because query strings are a part of the URL and contain additional information sent to the server. Web servers typically log the query strings of a GET request.

C) Header - The header of a GET request contains metadata about the request, such as the user agent, accepted content types, and cookies. While headers are logged by web servers, they do not specifically log the header as a separate part of the request.

D) Cookies - Cookies are a separate component of a GET request and are used to store session information or user preferences. While web servers may log the cookies sent in a request, they are not specifically logged as a part of the GET request.

Therefore, the correct answer is B) Query Strings, as web servers log the query strings of a GET request.

How can we prevent dictionary attacks on password hashes ?

technology security

  1. Hashing the password twice

  2. Encrypting the password using the private key

  3. Use an encryption algorithm you wrote your self so no one knows how it works

  4. Salting the hash

Show answer
Correct Option: D
Explanation:

To prevent dictionary attacks on password hashes, we can use a technique called "salting." A salt is a random string of characters that is added to a password before it is hashed. This adds an additional layer of complexity to the hash, making it more difficult for an attacker to use a pre-computed dictionary of hashes to crack passwords.

Now, let's go through each option and explain why it is right or wrong:

A. Encrypting the password using the private key: This option is incorrect. Encryption and hashing are two different techniques. Encryption is a two-way process that can be reversed using a key, while hashing is a one-way process that cannot be reversed. Also, using a private key to encrypt the password would not prevent dictionary attacks.

B. Hashing the password twice: This option is incorrect. Hashing the password twice does not provide any additional security against dictionary attacks. In fact, it can create a vulnerability known as "hash collision," where two different passwords can produce the same hash.

C. Use an encryption algorithm you wrote yourself so no one knows how it works: This option is incorrect. Creating your encryption algorithm is not recommended since it is hard to ensure that the algorithm can resist all types of attacks.

D. Salting the hash: This option is correct. Salting the hash involves adding a random string of data to the password before hashing it. This makes it more difficult for an attacker to precompute a dictionary of hashes and use it to crack passwords. Thus, option D is the correct answer.

The Answer is: D

Implementing Access Control based on a hard coded IP address
technology security

  1. Can be done as it as an internal IP

  2. Can be done for internet facing servers as there are no chances of IP conflicts

  3. Is a good security practice

  4. Is a bad security practice

Show answer
Correct Option: D

Temporary files

technology security

  1. Should be placed securely in a folder called “temp” in the web root

  2. Can be placed anywhere in the web root as long as there are no links to them

  3. Should be completely removed from the server

  4. Can be placed anywhere after changing the extension

Show answer
Correct Option: C
Explanation:

To handle temporary data, one frequently used practice is to store the data in temporary files. To correctly handle temporary files, the user needs to know where the files should be placed, how to handle the files, and how to remove them when they are no longer needed.

Option A is incorrect because placing temporary files in a folder called "temp" in the web root is not secure. Doing so would allow anyone with access to the web root to access and potentially manipulate these files.

Option B is also incorrect because placing temporary files anywhere in the web root is not safe. This can make the files accessible to anyone who knows the filename or path.

Option C is not always necessary. While it is important to remove temporary files when they are no longer needed, it is not always possible to remove them completely from the server. In some cases, temporary files may be necessary for the proper functioning of the application.

Option D is not a recommended practice. Changing the file extension does not provide any additional security or protection against unauthorized access.

Therefore, the best option is to store temporary files in a separate folder that is not accessible from the web. This folder should have strict access permissions to ensure that only authorized users can access it. Once the files are no longer needed, they should be deleted using secure deletion methods.

The Answer is: C