mutiple choice questions regarding security in SCEA-1

Hi All,

I got the below questions from one of the Blogs written in course of preparing for SCEA.
Please help me getting the most correct answer to this questions as I have problem figuring out.


Which is an appropriate technique for minimizing the consequences of a successful attack?

A. Input validation
B. Principle of least privilege
C. Encryption of wire transmissions
D. Use of strong/two-factor authentication


Your company is going through an extensive security audit and it has been identified that your internet-facing web site is vulnerable to SQL injection from authenticated users. Which two are appropriate for mitigating this threat? (Choose two.)

A. Using security roles in the deployment descriptor
B. In stored procedures called with prepared statements
C. Adding an intercepting validation filter to your system,
D. Requiring SSL in the deployment descriptor transport guarantee.




Thanks!
Aruna.

Questions were from http://mycollectivematerial.blogspot.com/.

What do you think the answer is. Also, the site gives a correct answer. What was it? Do you agree? Why or why not?

Hi Jeanne,

Please bear with me as I am not very good at security.

For first question the answer is B.Principle of least privilege.When I read the question I thought all of the choices are required for minimizing the consequences of a successful attack.

And the answer to second question is B and C , I absolutely agree with option C , however i could not understand why procedure should be introduced in the design to mitigate the threat.

Please clarify.

Thanks & Regards,
Aruna.

Aruna,
I agree with the sample answers.

For the first one, A/C/D reduce the chance of an attack. B reduces the impact of the attack one the user is in.

For the second one, B prevents SQL injection because binding variables are used instead of raw strings.

Thanks a lot Jeanne