PrepAway - Latest Free Exam Questions & Answers

Which of the following practices should be implemented to help prevent race conditions, buffer overflows, and

Ann, the software security engineer, works for a major software vendor. Which of the following practices
should be implemented to help prevent race conditions, buffer overflows, and other similar
vulnerabilities prior to each production release?

PrepAway - Latest Free Exam Questions & Answers

A.
Product baseline report

B.
Input validation

C.
Patch regression testing

D.
Code review

Explanation:
The problems listed in this question can be caused by problems with the application code. Reviewing the
code will help to prevent the problems.The purpose of code review is to look at all custom written code for holes that may exist. The review
needs also to examine changes that the code—most likely in the form of a finished application—may
make: configuration files, libraries, and the like. During this examination, look for threats such as
opportunities for injection to occur (SQL, LDAP, code, and so on), cross-site request forgery, and
authentication. Code review is often conducted as a part of gray box testing. Looking at source code can
often be one of the easiest ways to find weaknesses within the application. Simply reading the code is
known as manual assessment, whereas using tools to scan the code is known as automated assessment.
Incorrect Answers:
A: A product baseline report is a report that compares the current state of the product to the original
product specification. It is not used to prevent race conditions, buffer overflows, and other similar
vulnerabilities in an application.
B: Input validation can improve application performance by catching malformed input in the application
that could cause problems with the output. For example, if a user is expected to enter a number into a
field in the application, input validation can be used to ensure that the input is numeric and not text. It
can also be used to prevent attacks such as cross-site scripting and SQL injection. It is not used to prevent
race conditions, buffer overflows, and other similar vulnerabilities in an application.
C: Regression testing is a type of software testing that seeks to uncover new software bugs, or
regressions, in existing functional and non-functional areas of a system after changes such as
enhancements, patches or configuration changes, have been made to them.
The intent of regression testing is to ensure that changes such as those mentioned above have not
introduced new faults. One of the main reasons for regression testing is to determine whether a change
in one part of the software affects other parts of the software.
Application patches may be released after the original application has been released. However, a code
review should be performed before the application is released in the first place.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 345
http://en.wikipedia.org/wiki/Regression_testing


Leave a Reply