Advanced SOA Security (S90.19) Free Practice Test

Question 1

A service uses specialized logic to compare the size of a request message to the maximum allowable size that is specified for request messages. Upon a mismatch, the service triggers an error that results in the issuance of a message with detailed error information.
What type of attack does this specialized logic not help protect the service from?

A. buffer overrun attack

B. XML parser attack

C. XPath injection attack

D. exception generation attack

Correct Answer: D

Question 2

A legacy system is used as a shared resource by a number of services within a service inventory. The services that access the legacy system use the same user account. The legacy system is also directly accessed by other applications that also use the same set of credentials as the services. It was recently reported that a program gained unauthorized access to confidential data in the legacy system. However, because all of the programs that access the legacy system use the same set of credentials, it is difficult to find out which program carried out the attack. How can another attack like this be avoided?

A. The Trusted Subsystem pattern can be applied to avoid direct access to the legacy system by any program except a designated service.

B. The Service Perimeter Guard pattern can be applied so that all programs that are not services are required to access the legacy system via a perimeter service.

C. None of the above.

D. The Message Screening pattern can be applied to monitor incoming request messages.

Correct Answer: A

Question 3

An ESB is introduced into an IT enterprise, primarily to enable communication between a set of disparate Web services. As a first step, the ESB needs to be configured to carry out data model transformation in order to overcome differences in the XML schemas used by the Web services. However, the messages exchanged by the Web services need to be encrypted. What needs to be done in order for the ESB to enable communication between the Web services without compromising message confidentiality?

A. The Web services need to be designed to support transport-layer security instead of message-layer security.

B. The ESB needs to be configured so that it can decrypt and encrypt messages.

C. The messages need to be digitally signed instead of encrypted.

D. In this scenario, the ESB cannot enable communication between the Web services without compromising message confidentiality.

Correct Answer: B

Question 4

Service A expresses its requirement for message-layer security to service consumers via a security policy. Since the launch of Service A, its popularity has grown and it is decided that a fee should be charged for its use. Consequently, the design of Service A is changed so that it is capable of keeping a log of all request messages received from service consumers. The fact that Service A is logging all incoming messages is something that can also be expressed via a policy.

A. False

B. True

Correct Answer: B

Question 5

How can the use of pre-compiled XPath expressions help avoid attacks?

A. Pre-compiled XPath expressions contain no white space, which helps avoid buffer overrun attacks

B. Pre-compiled XPath expressions execute faster and therefore help avoid denial of service attacks.

C. Pre-compiled XPath expressions reduce the chance of missing escape characters, which helps avoid XPath injection attacks

D. They can't because XPath expressions cannot be pre-compiled

Correct Answer: C

Question 6

Which of the following statements is true?

A. All of above.

B. When numeric ranges within an XML schema are not specified it creates a security risk because attackers can introduce very large numeric values within the message data.

C. When the maxOccurs attribute in an XML schema element is not specified it creates a security risk because attackers can specify this element multiple times.

D. When the xsd:any element is used within an XML schema it can introduce a security risk because it allows attackers to extend the schema.

Correct Answer: A

Question 7

Which of the following types of attack always affect the availability of a service?

A. Exception generation attack

B. None of the above

C. XPath injection attack

D. SQL injection attack

Correct Answer: B

Question 8

As an SOA security specialist you are being asked to educate an IT team about how to best design security policies for a given set of services. Which of the following recommendations are valid?

A. common security requirements can be centralized into shared security policies

B. security policies can be decoupled from service logic

C. security policies are defined by using WSDL and XML Schema industry standards together

D. security policies can be part of service contracts and are therefore subject to the Service Loose Coupling principle

Correct Answer: A,B,D

Question 9

Which of the following types of WS-SecurityPolicy assertions is required in order to determine whether derived keys are needed for a key agreement security session?

A. token assertions

B. None of the above.

C. protection assertions

D. security binding assertions

Correct Answer: A

Welcome to TestSimulate

SOA Advanced SOA Security (S90.19) Free Practice Test