Security Programming Best Practices Quiz

This is a quiz on the topic of ‘Security Programming Best Practices’, designed to enhance understanding of key principles and techniques crucial for secure software development. The quiz covers various areas including the significance of secure coding practices, input validation, error handling, authentication and authorization methods, access control, cryptographic practices, logging importance, quality assurance, and effective code management strategies. Participants will be tested on their knowledge regarding vulnerability management, session management, password security, secure backup strategies, and recognizing trustworthy online environments. Each question is structured to reinforce best practices for mitigating security risks and adhering to compliance standards.

Start of Security Programming Best Practices Quiz

1. What is the primary goal of secure coding practices?

  • To enhance graphic performance.
  • To improve user interface design.
  • To prevent potential security vulnerabilities.
  • To reduce application loading times.

2. Which of the following is a best practice for input validation?

  • Ignore input validation to simplify code maintenance.
  • Ensure applications validate input properly and restrictively, allowing only those types of input that are known to be correct, especially from untrusted sources.
  • Validate input only from trusted sources to speed up processing.
  • Accept all input without restriction to facilitate ease of use.


3. What should be done with error handling in applications?

  • Ensure applications execute proper error handling to avoid exposing detailed system information.
  • Ignore all error messages and avoid handling them in applications.
  • Display detailed error messages to users for better understanding.
  • Let errors crash the system without any error reporting.

4. How should authentication and authorization be handled?

  • Implement single-factor authentication for all users for convenience.
  • Use basic identification without any verification methods for ease of access.
  • Authenticate and authorize users through central systems available at the university, specifically: Kerberos, Active Directory, Shibboleth, MCommunity groups. Never implement your own authentication system. Implement two-factor authentication where possible.
  • Allow users to create their own authentication systems to simplify access.

5. What is the principle of access control in secure coding?

  • Base access decisions on permission and adhere to the principle of least privilege.
  • Allow all access unless explicitly denied to users and developers.
  • Use a random selection process for granting access to users and developers.
  • Focus on blocking known malicious users only for access control.


6. How should cryptographic practices be implemented?

  • Use well-known, properly reviewed, actively maintained cryptography libraries.
  • Use outdated or untested cryptography tools without updates.
  • Rely on custom encryption algorithms that are not documented.
  • Store sensitive data in plain text without any encryption.

7. What is the importance of logging in secure coding?

  • Always store passwords in plain text for easy access.
  • Implement the use of application logs to detect potential security breaches.
  • Use strong encryption to protect sensitive data in transit.
  • Regularly update software to fix known vulnerabilities.

8. What is the role of quality assurance checking in secure coding?

  • Conduct security training sessions for all employees regularly.
  • Write extensive documentation for future reference and updates.
  • Use effective quality assurance techniques to identify and eliminate vulnerabilities.
  • Deploy software updates immediately without testing.


9. How should code management be handled?

  • Ignore documentation and rely on memory for all design decisions.
  • Use a simple file system without version control for managing code changes.
  • Implement and maintain a change management process, including version control, for changes to existing software applications. Comment your code well, and document all design decisions.
  • Handle code changes only during major releases without regular updates.

10. What is the importance of vulnerability management?

  • Ignore vulnerabilities as they will eventually disappear.
  • Keep software and components up to date to mitigate risks.
  • Delay updates until problems arise in the system.
  • Change programming languages to avoid vulnerabilities.

11. How should session management be handled?

  • Only validate session tokens on the client side for performance.
  • Do not allow session tokens to be sent over HTTP (use HTTPS).
  • Create session tokens with simple algorithms for speed.
  • Always keep session IDs in URLs to enhance accessibility.


12. What is the best practice for password security?

  • Only change your password once a year.
  • Use a random password and change it regularly.
  • Use the same password for all accounts.
  • Share your passwords with friends for convenience.

13. How often should passwords be changed?

  • Change passwords only when a data breach occurs for convenience.
  • Change passwords annually to keep them secure and manageable.
  • Change passwords regularly, ideally every 60 to 90 days, to minimize the risk of password compromise.
  • Change passwords once every five years to reduce hassle.

14. What is the most secure backup strategy?

  • Backing up data only on a local server with no offsite copies.
  • Keeping backups solely on a single external drive without redundancy.
  • One backup on an external hard disk and another one on a cloud backup, as this spreads the backups over two geographically different regions, making the backup strategy more resilient.
  • Relying exclusively on manual backups performed once a year.


15. What should be done if a website has a padlock in the browser bar?

  • Change the password on all sites where you use the same password.
  • Ignore it and continue browsing as usual.
  • Disable the padlock feature in the browser settings.
  • Report it to your internet service provider.

16. Is it useful to run antivirus software on an Android phone?

  • No, Android has built-in security features that negate the need for antivirus.
  • Yes, antivirus apps are often unnecessary and can slow down the phone.
  • No, running antivirus software can lead to device malfunctions and errors.
  • Yes, even if you download apps from Google’s official app store, as Google Play can host apps that contain viruses.

17. What are considered personal data under GDPR?

  • Your favorite color, your pet’s name, your social hobbies, and food preferences.
  • Your IP address, your birthdate, your home address, and other sensitive information.
  • Your music playlist, your social media likes, your travel history, and gaming score.
  • Your bank balance, your credit score, your shopping habits, and your email drafts.


18. What should be done if you receive a suspicious SMS asking you to click on a link?

  • Click the link to see where it goes.
  • Reply to the SMS asking for clarification.
  • Do not click the link. Instead, reach out to the vendor to check if they really sent the link.
  • Ignore the message and delete it.

19. Which month is recognized as Cyber Security Month?

  • January
  • April
  • November
  • October

20. Who performs a social engineering attack?

  • A Programmer.
  • A Systems Administrator.
  • A Social Engineer.
  • A Hacker.


21. What is the best thing to do if you find a USB device in the hallway at work?

  • Throw it away without a second thought.
  • Inform your IT department because it could be a USB device containing malware to infect your company’s systems.
  • Leave it there for someone else to find and deal with.
  • Plug it into your computer to see what files are on it.

22. Which URL brings you to Google’s Home Page?

  • http://www.gogle.com
  • http://google.come
  • https://www.google.com
  • https://www.gooogle.com

23. Which of the following URLs could NOT be used in a so-called ‘Typosquatting Attack’?

  • http://micosoft.com (misspelled).
  • http://micrsoft.com (misspelled).
  • http://microsoft.co (domain variation).
  • http://microsoft.com (the correct spelling).


24. What should you do if you receive an invite to take a quiz to receive free glasses?

  • Join the quiz to potentially win a prize.
  • This is a bad idea, as it is likely a scam to steal your personal data.
  • Ignore the invite and delete it immediately.
  • Take the quiz without hesitation.

25. What helps decide whether an online shopping website is trustworthy?

  • Verify the price is lower than competitors.
  • Check the website’s layout and design for appeal.
  • Look for HTTPS in the URL, a padlock icon, and check for reviews.
  • Ensure the website has a contact number on the homepage.

26. What is OWASP secure coding?

  • A set of secure coding best practices and guidelines by OWASP.
  • A list of programming languages for secure coding.
  • A set of tools for network security implementation.
  • A framework for web application design principles.


27. What is a secure code review?

  • A secure code review focuses solely on the visual design of the application.
  • A secure code review only tests the software’s functionality without considering security.
  • A secure code review is conducted to improve the application’s user interface exclusively.
  • A secure code review involves examining the code to identify potential security vulnerabilities and ensuring that it adheres to secure coding practices.

28. What should be done with hardcoded credentials and security tokens in code?

  • Share hardcoded credentials with your team via email for convenience.
  • Clean up hardcoded credentials and security tokens long before your apps are released to prevent security implications.
  • Use default security tokens in your code without any changes.
  • Store hardcoded credentials and security tokens in a text file for easy access.

29. How should components with known vulnerabilities be handled?

  • Ignore known vulnerabilities until a major problem arises.
  • Continuously modify vulnerable components without testing their impact.
  • Always use the latest versions of all components, regardless of vulnerabilities.
  • Refrain from using components with known vulnerabilities and constantly monitor for new vulnerabilities throughout the development process.


30. What is the importance of auditing and logging in secure coding?

  • Auditing and logging help detect software vulnerabilities and document results and lessons learned, ensuring that security issues are addressed promptly.
  • Auditing and logging are only necessary for compliance, not security best practices.
  • Data encryption is the primary function of auditing and logging in secure coding.
  • Auditing and logging do not contribute to understanding application performance.

Congratulations on Completing the Quiz!

You have successfully completed the quiz on ‘Security Programming Best Practices.’ This accomplishment reflects your commitment to understanding essential concepts that safeguard software applications. It’s clear that you’ve engaged with the material, and hopefully, you found the process enjoyable and enriching.

Throughout this quiz, you may have learned valuable insights into secure coding techniques, risk mitigation strategies, and the importance of regularly updating software. These practices are crucial in building robust applications that can withstand threats. Remember, security is an ongoing journey, and the knowledge you’ve gained here is just a stepping stone toward becoming an adept programmer.

We invite you to explore the next section on this page dedicated to ‘Security Programming Best Practices.’ It offers deeper insights and practical tips that will enhance your understanding even further. Dive in to expand your knowledge, reinforce what you’ve learned, and fortify your skills in writing secure code. Happy learning!


Security Programming Best Practices

Understanding Security Programming

Security programming involves creating software with the intention of protecting systems from vulnerabilities, threats, and attacks. The main goal is to safeguard data integrity, confidentiality, and availability. This encompasses multiple disciplines, such as cryptography, secure coding practices, and broader frameworks for mitigating security risks in software applications.

Common Security Vulnerabilities

Common security vulnerabilities include SQL injection, cross-site scripting (XSS), buffer overflow, and improper authentication. These vulnerabilities arise from poor coding practices and a lack of adequate security measures. Understanding them is crucial to developing secure applications, as they are often exploited in cyberattacks, leading to data breaches and system compromise.

Secure Coding Practices

Secure coding practices involve guidelines and techniques that developers follow to produce code that is resilient against security threats. This includes input validation, output encoding, and proper error handling. By adhering to these practices, developers can significantly reduce the risk of introducing vulnerabilities into the software.

Security Testing Techniques

Security testing techniques are methods used to identify and rectify vulnerabilities in software. They include static code analysis, dynamic testing, and penetration testing. Each technique evaluates different aspects of an application’s security, helping to uncover weaknesses that may not be evident during traditional testing processes.

Monitoring and Updating Software Security

Monitoring and updating software security is essential for ongoing protection against new threats. This involves regularly assessing software for vulnerabilities and applying security patches or updates. By maintaining vigilant oversight and adopting a proactive approach, developers can mitigate risks and enhance the resilience of their applications against emerging threats.

What are Security Programming Best Practices?

Security programming best practices are guidelines that developers follow to create secure software applications. These practices include input validation, using secure coding techniques, regularly updating libraries and dependencies, and employing encryption for sensitive data. Adhering to these practices reduces vulnerabilities and protects applications against threats like SQL injection and cross-site scripting.

How can developers implement Security Programming Best Practices?

Developers can implement security programming best practices by integrating security measures throughout the software development lifecycle. This includes performing threat modeling during design, conducting regular security audits, and utilizing automated security testing tools. The inclusion of peer code reviews and adherence to secure coding standards also strengthens security posture.

Where can developers learn about Security Programming Best Practices?

Developers can learn about security programming best practices through various resources such as online courses, security-focused blogs, and documentation from organizations like OWASP (Open Web Application Security Project). Participation in workshops, webinars, and conferences on cybersecurity also provides valuable insights and updates on best practices.

When should Security Programming Best Practices be applied in the development process?

Security programming best practices should be applied at every stage of the development process, starting from the planning phase. Early integration ensures that security considerations guide design and architecture. Continuous application during coding, testing, deployment, and maintenance helps to manage security risks effectively throughout the application’s lifecycle.

Who is responsible for enforcing Security Programming Best Practices?

The responsibility of enforcing security programming best practices falls on everyone involved in the development process. This includes software developers, project managers, and security teams who must collaborate to uphold security measures. Leadership also plays a crucial role in establishing a culture of security awareness within the organization.
