Chapter 6. Security

Review Your Progress

These questions test your level of accomplishment in analyzing the integration requirements for a given scenario:

1. You are the architect for a social networking application that allows users to leave comments for other users. Recently, a spate of hacker attacks has disrupted the site, reducing revenue from site partners and advertising. Of the attack types listed next, which two can be addressed by ensuring that all special characters/word sequences are removed from all free text inputs on the web site?
  A. Buffer overflow

  B. Cross-site scripting

  C. SQL injection

  D. Permission errors

Answers: C and D. Patrolling and validating the free text elements of a web application is directly relevant and essential to ensuring that XSS attacks and malicious SQL commands cannot be executed. Answer A is a misnomer, as is D.
2. Which two checks are made possible in the byte-code verification?
  A. Memory usage is controlled.

  B. Access to some files is checked.

  C. Digital signatures are verified.

  D. Data type conversions are checked/controlled.

  E. The language access restrictions (for example, private or protected) are respected.

Answers: C and E. A, D, and B are not checked by the process of byte-code verification, as evidenced by the fact that Java applications can run out of memory, access to a given file can be denied at runtime, and casting exceptions can also occur at runtime.
3. You are architecting a DVD rental application that accepts customer feedback. Users can rank movies from one to five by clicking on buttons, as well as input comments about the movie into a text box. Which two can be addressed by filtering special characters from text boxes on JSP forms? (Select all that apply.)
  A. SQL injection

  B. Buffer overflow

  C. Authorization errors

  D. Cross-site scripting

  E. Rootkit attacks

Answers: A and D. Answer B cannot occur in a Java runtime environment, whereas C and E are general security issues, and not directly related to the issue of validating free text entry by end users (malicious or otherwise).
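Questions 1 and 3 both ask what filtering free text achieves. The following is an added example, not code from the book, that shows the two controls a practitioner actually relies on for the same two attack types: a bound parameter for the SQL side and output encoding for the XSS side, each beside the weak alternative. The table name, the column names, the `O'Brien` user name and the `<script>` comment are constructed sample values.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/** Added example: why bound parameters and output encoding beat stripping characters. */
public class CommentSecurity {

    // WEAK: user text is concatenated into the SQL, so a quote in the input changes the query.
    // Stripping "special" characters here would also mangle legitimate names such as O'Brien.
    public static String unsafeQuery(String userName) {
        return "SELECT body FROM comments WHERE author = '" + userName + "'";
    }

    // HARDENED: a bound parameter is sent as data, never parsed as SQL, whatever it contains.
    public static List<String> commentsFor(Connection conn, String userName) throws SQLException {
        String sql = "SELECT body FROM comments WHERE author = ?";
        List<String> bodies = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    bodies.add(rs.getString(1));
                }
            }
        }
        return bodies;
    }

    // XSS defence: encode at the point where text is written into HTML, rather than deleting
    // characters on input. A comment such as "I <3 this movie" is kept intact but cannot become markup.
    public static String escapeHtml(String text) {
        StringBuilder sb = new StringBuilder(text.length());
        for (char c : text.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not data from the book.
        String name = "O'Brien";
        String comment = "<script>alert(1)</script> great film";
        // The unbalanced quote shows the query text is now under the user's control.
        System.out.println("Unsafe SQL : " + unsafeQuery(name));
        // The encoded form renders as literal text in the browser.
        System.out.println("Safe HTML  : " + escapeHtml(comment));
    }
}
```

`commentsFor` needs a live `java.sql.Connection` to run; the other two methods run stand-alone from `main`. The design point is that SQL injection is defeated at the database boundary and XSS at the HTML boundary, so the comment text itself can be stored exactly as the user typed it.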
4. The web pages in a system are carefully designed so that links to security-sensitive URLs are not available in pages offered to untrusted users. Which statement is true? (Select the best answer.)
  A. The system security is adequately protected by this approach.

  B. Every security-sensitive target must be additionally protected using the declarative security model.

  C. The system security is adequately protected by this approach, provided only POST requests are accepted by the server.

  D. The system security is adequately protected by this approach, provided only GET requests are accepted by the server.

Answer: B. Answers A, C, and D all represent a lax or incomplete attitude toward the risk of an untrusted user using basic techniques to identify the fully qualified names of the security-sensitive URLs. Only choosing to use the declarative security model (answer B), which forces authentication and authorization, is a true reflection of the security needed.
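As an added illustration of answer B (this is example code, not from the book), the servlet below is protected by a declarative constraint that the container enforces before any of the servlet's code runs, regardless of whether the URL appears in a link and regardless of the HTTP method used. It assumes a Servlet 3.0 or later container whose realm defines an `admin` role; the URL `/admin/deleteUser`, the `userId` parameter and the role name are invented for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: a security-sensitive URL protected declaratively, not by being unlinked.
 * Assumes a Servlet 3.0+ container and a realm that defines the "admin" role.
 */
@WebServlet("/admin/deleteUser")
// No httpMethodConstraints are given, so this one constraint covers GET, POST and every other method.
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class DeleteUserServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Even an authenticated admin must not trigger a state change with a GET.
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time this runs the container has already authenticated the caller and
        // checked the "admin" role; a request from an untrusted user never reaches here.
        String target = req.getParameter("userId");
        if (target == null || !target.matches("\\d{1,10}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Defence in depth: a programmatic check that also records who did what.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        long userId = Long.parseLong(target);
        getServletContext().log("user " + req.getRemoteUser() + " deleted account " + userId);
        // The actual deletion would be delegated to the application's user service here.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

On a container older than Servlet 3.0 the same protection is declared in `web.xml` with a `security-constraint` whose `auth-constraint` names the `admin` role. In either form, the point that answers C and D miss is that the constraint must cover all HTTP methods: in `web.xml`, listing specific `http-method` elements restricts the constraint to those methods and leaves the others open.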
5. Security restrictions in a use case require that the behavior of an EJB business method vary according to the role of the user. How should this be achieved? (Select the best answer.)
  A. The deployment descriptor is written using the roles determined by the programmer.

  B. The programmer determines a role reference and uses it in the code. This is mapped to a role in the deployment descriptor.

  C. The business method determines the role of the user using JNDI and configuration information in the deployment descriptor.

  D. The business method determines the role of the user using JAAS and configuration information in the deployment descriptor.

Answer: D. Answer D uses the JAAS framework in the manner in which it was intended—to ascertain at runtime the role of the current principal and to match it to the roles authorized to execute the EJB method in question. Answers A and B do not address how the runtime check takes place. Answer C selects JNDI (Java Naming and Directory Interface) when JAAS is the security framework.
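The added example below (not from the book) shows a business method whose behaviour varies by role at runtime. The container authenticates the caller through its JAAS login, exposes the resulting principal through `SessionContext`, and answers `isCallerInRole` from the role configuration in the deployment descriptor. It assumes an EJB 3 container; the bean, the `manager` and `clerk` roles and the 5.00 waiver limit are invented for the example.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Added example: an EJB business method whose behaviour depends on the caller's role.
 * Assumes an EJB 3 container; the roles and the limit are invented for illustration.
 */
@Stateless
@DeclareRoles({"manager", "clerk"})
public class LateFeeBean {

    private static final double CLERK_WAIVER_LIMIT = 5.00;

    @Resource
    private SessionContext ctx;   // the container's view of the authenticated caller

    /** Only these roles may call at all; the container enforces this before the body runs. */
    @RolesAllowed({"manager", "clerk"})
    public boolean waiveLateFee(long rentalId, double amount) {
        if (amount < 0) {
            throw new IllegalArgumentException("amount must not be negative");
        }
        // Programmatic check at runtime: the caller's role decides how much may be waived.
        double limit = ctx.isCallerInRole("manager") ? Double.MAX_VALUE : CLERK_WAIVER_LIMIT;
        Principal caller = ctx.getCallerPrincipal();
        if (amount > limit) {
            audit(caller, rentalId, amount, "denied");
            return false;
        }
        audit(caller, rentalId, amount, "waived");
        return true;
    }

    // Every decision is logged with the principal name so denied attempts are visible later.
    private void audit(Principal who, long rentalId, double amount, String outcome) {
        System.out.printf("late-fee waiver: user=%s rental=%d amount=%.2f outcome=%s%n",
                who.getName(), rentalId, amount, outcome);
    }
}
```

`@RolesAllowed` is the declarative part (who may invoke the method at all) and `isCallerInRole` the programmatic part (how the method behaves once invoked); the role names used in the code are matched against the roles declared for the application in the deployment descriptor, which is where the mapping to real users and groups lives.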
6. A malicious hacker is trying to crash your web site by using various denial of service attacks. Which two flaws should you protect against for this specific threat?
  A. XSS attacks

  B. Authentication failures

  C. Man in the middle attacks

  D. Session hijacking

  E. Weak password exploits

  F. Authorization failures

Answers: C and D. Answers A and E, although both are security issues, are not related directly to DoS attacks. B and F are normal occurrences in an application lifecycle (although they should be logged to identify attempts to gain unauthorized access to the SuD). C and D are well-known mechanisms through which to launch DoS attacks on a system.


  
