Sample Questions:
A developer is designing a very sensitive web application that will be accessed by both desktop web browsers and mobile Android applications. What is one way the developer can implement a multi-factor authentication system for these users?
Have the user memorize a PIN in addition to their password and require them to supply both when attempting to log in.
Have the user answer a security question once they authenticate using their username and password.
Require a one-time-use code sent via an SMS message in addition to a username and password.
Have the user supply their last password in addition to their current password when they attempt to log in.
Which of the following is a disadvantage of using a static embedded API Key for client authentication to a web service?
API Keys require the use of a certificate issued by a commercial Certificate Authority.
API Keys are used with asymmetric cryptography, which is slow and can negatively impact the performance of the client application.
API Keys cannot be transmitted over HTTPS, so they are open to compromise.
API Keys can be discovered and abused by an attacker.
Which of the following defines why it is important for a developer to deploy known-good (whitelist) input validation for all requests made to a web service API?
Known-good validation ensures that all inputs are in an expected format and are valid before processing them.
As requests to the API come over the network, they must be considered untrusted.
Known-good (whitelist) can be performed much faster than known-bad input validation.
Known-good input validation is the only way to prevent command (SQL) injection attacks and since web services are typically integrated with a backend SQL database, this checking ensures the integrity and confidentiality of the database.
Known-good input validation first checks to ensure that incoming requests are being made by a valid and known client before beginning to process them, so that inputs from attackers are never processed, thus protecting the web service.
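Worked example added here to illustrate the question above; it is not part of the sample questions, and the endpoint, field names and limits it uses are assumptions. It implements known-good (allowlist) validation for a hypothetical transfer request next to a known-bad (blocklist) filter, so that the difference can be exercised: an input that carries none of the blocklisted tokens still fails the allowlist, an unexpected extra field is rejected outright, and a type-confused value does not slip through as an integer.

```python
import re
from typing import Any

# Hypothetical allowlist schema for a /api/v1/accounts/transfer request (assumed field set).
# Every field the endpoint accepts is listed with its exact type and format; nothing else is allowed.
SCHEMA = {
    "account_id": {"type": str, "pattern": re.compile(r"^[0-9]{8,12}$")},
    "amount_cents": {"type": int, "min": 1, "max": 100_000_000},
    "currency": {"type": str, "choices": {"USD", "EUR", "GBP"}},
    "memo": {"type": str, "pattern": re.compile(r"^[A-Za-z0-9 .,-]{0,64}$"), "optional": True},
}


class ValidationError(ValueError):
    pass


def validate_known_good(request: dict, schema: dict = SCHEMA) -> dict:
    """Return a cleaned copy of the request or raise ValidationError; unknown input never reaches the handler."""
    unknown = set(request) - set(schema)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    clean: dict[str, Any] = {}
    for name, rule in schema.items():
        if name not in request:
            if rule.get("optional"):
                continue
            raise ValidationError(f"missing field: {name}")
        value = request[name]
        # Exact type match: bool is a subclass of int in Python, so isinstance() would let True pass as 1.
        if type(value) is not rule["type"]:
            raise ValidationError(f"{name}: expected {rule['type'].__name__}")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValidationError(f"{name}: does not match expected format")
        if "choices" in rule and value not in rule["choices"]:
            raise ValidationError(f"{name}: not an allowed value")
        if ("min" in rule and value < rule["min"]) or ("max" in rule and value > rule["max"]):
            raise ValidationError(f"{name}: out of range")
        clean[name] = value
    return clean


# Known-bad (blocklist) filter for comparison: it tries to recognise attack strings instead of valid input.
BLOCKED_TOKENS = ("'", "--", "DROP", "UNION", ";")


def validate_known_bad(request: dict) -> dict:
    """Reject only values containing a blocklisted token; anything the list does not anticipate passes."""
    for name, value in request.items():
        if isinstance(value, str) and any(tok in value for tok in BLOCKED_TOKENS):
            raise ValidationError(f"{name}: contains blocked token")
    return request


def is_accepted(validator, request: dict) -> bool:
    """True if the validator lets the request through, False if it raises ValidationError."""
    try:
        validator(request)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate transfer and an injection-style account_id.
    valid = {"account_id": "123456789", "amount_cents": 5000, "currency": "USD"}
    probe = {"account_id": "1 OR 1=1", "amount_cents": 5000, "currency": "USD"}
    for label, req in (("valid", valid), ("probe", probe), ("extra", dict(valid, role="admin"))):
        print(label, "allowlist:", is_accepted(validate_known_good, req),
              "blocklist:", is_accepted(validate_known_bad, req))
```

The probe value "1 OR 1=1" contains no quote, comment marker or keyword from the blocklist, so the known-bad filter accepts it; the allowlist rejects it simply because it is not an 8 to 12 digit account number. The same holds for the unexpected "role" field, which the blocklist never looks at.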
Once an Android client has authenticated to a web service, what must be done on the server-side to ensure correct authorization checks are being performed?
For each request that is considered more sensitive than previous ones, force the client to reauthenticate so that the user's identity can be confirmed.
For each request, check the session token to verify the client has been authorized for that device and session.
For each request, ensure that the client is authenticated and that the specific Android device identified in the request is the same as for the last request.
For each request, ensure that the client is authenticated and that the specific client is authorized to perform the specific action on the specific data.
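Worked example added here to illustrate the question above; it is not part of the sample questions, and the session store, document records, token strings and policy it uses are constructed assumptions. It shows a server-side handler that, on every request, first resolves the session token to a user and then checks that this user may perform this action on this document, alongside an authentication-only handler that illustrates the common mistake: once any valid session is presented, any document ID named in the request is served.

```python
from dataclasses import dataclass
from typing import Literal, Optional, Tuple

Action = Literal["read", "update", "delete"]


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str
    shared_with: frozenset = frozenset()  # users granted read-only access


# Constructed sample data: server-side session store (bearer token -> user) and document records.
SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}
DOCUMENTS = {
    "doc-100": Document("doc-100", owner="alice"),
    "doc-200": Document("doc-200", owner="alice", shared_with=frozenset({"bob"})),
    "doc-300": Document("doc-300", owner="bob"),
}


def authenticate(session_token: Optional[str]) -> Optional[str]:
    """Resolve the presented token to a user, or None if it is not a live server-side session."""
    return SESSIONS.get(session_token)


def is_authorized(user: str, action: Action, doc: Document) -> bool:
    """Object-level policy: the owner may do anything; users the document is shared with may only read."""
    if doc.owner == user:
        return True
    return action == "read" and user in doc.shared_with


def handle_request(session_token: Optional[str], action: Action, doc_id: str) -> Tuple[int, Optional[Document]]:
    """Authenticate, then authorize this user for this action on this specific document."""
    user = authenticate(session_token)
    if user is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    # Same response for "does not exist" and "not yours", so the handler is not an existence oracle.
    if doc is None or not is_authorized(user, action, doc):
        return 403, None
    return 200, doc


def handle_request_authn_only(session_token: Optional[str], action: Action, doc_id: str) -> Tuple[int, Optional[Document]]:
    """The mistake being contrasted: any authenticated client can act on any doc_id it names."""
    if authenticate(session_token) is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc


if __name__ == "__main__":
    # Bob presenting his own valid session but naming Alice's document.
    print("authz per request:", handle_request("tok-bob-91c2", "delete", "doc-100")[0])        # 403
    print("authn only:       ", handle_request_authn_only("tok-bob-91c2", "delete", "doc-100")[0])  # 200
```

The decisive check is is_authorized(user, action, doc): it is evaluated on every request, against the document actually requested, not against the endpoint or the device that issued the previous request. A client that alters the doc_id in a request it is already entitled to send gains nothing.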