Software Security Week 6 Quiz Answer
In this article i am gone to share Coursera Course Software Security Week 6 Quiz Answer with you..
What is penetration testing?
- Whole-system testing for security flaws and bugs
- A security-minded form of unit testing that applies early in the development process
- A procedure for testing libraries or other program components for vulnerabilities
- All of the above
Which of the following are benefits of penetration testing?
- You can prove a positive: Penetration testing will establish your system is secure
- Compositionality of security properties means tested components are secure even if others change
- They specifically consider adversarial thinking, which is not usually necessary for normal tests
- Results are often reproducible
What does it mean to “be stealthy” during a penetration test?
- Performing the tests from an undisclosed location
- Performing penetration testing without the target organization knowing
- Using encryption during tests to make the source of attacks impossible to determine
- Taking care to avoid activities during a penetration test that might attract attention, e.g., by operators or IDS services
What is a web proxy?
- A simulator for the web, for use when off-line
- A piece of software that intercepts and possibly modifies requests (and responses) between a web browser and web server
- An agent that makes decisions on the client’s behalf when interacting with web applications
- A piece of software that makes a web application look like a standalone application, making it easier to test
What is Nmap?
- It is a map of the Internet
- It is a network fuzz testing tool
- It is a suite of tools for scripting attacks: probe, construct, encode, inject, wait for response
- It is a scanner which works by injecting packets to a range of addresses, and inferring what hosts and services might be at those addresses, based on the responses
What is ethical hacking?
- “Hacking” ethics so they justify unintended selfish behavior
- Hacking into systems run by those whose ethics you disagree with
- A slang term for rapid software development, e.g., as part of hackathons
- Hacking systems (e.g., during penetration testing) to expose vulnerabilities so they can be fixed, rather than exploited
Which of the following statements describe fuzz testing (aka fuzzing)?
- It is always black-box, in being indifferent to the software’s functionality
- It has been used to find security vulnerabilities in many commodity programs
- It is concerned with finding known-bad behaviors, like crashes and hangs
- It focuses on simple testing patterns and does not employ sophisticated analysis techniques
Which of the following are true of whitebox fuzzing?
- Radamsa is (at least in part) a whitebox fuzzer
- SAGE is (at least in part) a whitebox fuzzer
- It takes into account the program’s internals in some manner when deciding which inputs to choose
- It makes no sense to combine it with grammar-based fuzzing since the latter is just another way to consider the program’s semantics
Which of the following is true of mutation-based fuzzing?
- Each input is mutation that follows a given grammar
- It only makes sense for file-based fuzzing, not network-based fuzzing
- It works by making small mutations to the target program to induce faults
- It generates each different input by modifying a prior input
Which of the following styles of fuzzer is more likely to explore paths covering every line of code in the following program?
Which of the following are functions of a network-based fuzzer?
- Acting as a server
- Scanning a network address range
- Acting as a “man in the middle”
Suppose you want to use fuzzing on a program to try to find memory errors; which of the following statements is true?
- Fuzzing doesn’t find memory errors, it finds crashes and hangs
- Compiling the program with address sanitizer (ASAN) will make errors harder to reproduce
- Compiling the program with address sanitizer (ASAN) will make the source of a memory error easier to find
- You should not use a grammar-based fuzzer, because its adherence to the grammar means it will not find memory errors