
Showing posts from April 2025

Module 9: Static and Dynamic Application Security Testing (SAST & DAST)

1. What is a limitation of DAST compared to SAST?
   A. DAST can only test static parts of the application
   B. DAST cannot identify vulnerabilities in source code that is not executed during the test
   C. DAST is more effective at finding vulnerabilities in non-web applications
   D. DAST replaces all other testing methods

2. Why is it important to integrate SAST in the early stages of development?
   A. To increase the time it takes to detect vulnerabilities
   B. To detect vulnerabilities early and reduce the cost of fixing them
   C. SAST is less effective in the early stages
   D. To focus only on final testing stages

3. How can combining SAST and DAST improve application security?
   A. By focusing only on post-deployment testing
   B. It creates redundancies that increase vulnerability
   C. By providing a comprehensive view of both static code vulnerabilities and runtime issues
   D. Combining these tests is discouraged in modern development practices

4. What advantage does DAST provide when...

Module 8: Secure Coding Practices for Error Handling

1. Which of the following .NET components can be used to remove unused references from the managed heap?
   A) Garbage Collector
   B) Common Language Runtime
   C) Common Type System
   D) WCF Services
   Option A is CORRECT because the Garbage Collector in .NET is designed specifically for memory management. It automatically frees objects that are no longer reachable, cleaning the managed heap of unnecessary references.

2. Which class is used to write trace output to the Windows event log?
   A) DefaultTraceListener
   B) TextWriterTraceListener
   C) EventLogTraceListener
   D) ConsoleTraceListener
   Option C is CORRECT because EventLogTraceListener sends an application's tracing and debugging output to the EventLog; hence it is the class used to write trace output to the Windows event log.

3. What is the secure option to avoid sensitive information leakage in exception handling?
   A) ex.Message
   B) ex.StackTrace
   C) ex.Details
   D) None of them
   Option A is CORRECT because 'ex.Message' only...
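As an added example (not from the course material or the original post), the following classic ASP.NET handler shows the leaking and the safe form of the exception handling Q3 asks about, with the full exception routed to the Windows event log through the EventLogTraceListener from Q2. The handler class, the `ProcessOrder` logic, the TraceSource name `OrderApp` and the web.config listener wiring in the comment are all assumptions made for the example.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Hypothetical handler. "OrderApp" is an assumed TraceSource name that web.config is
// assumed to route to an EventLogTraceListener, e.g.:
//   <system.diagnostics>
//     <sources>
//       <source name="OrderApp" switchValue="Error">
//         <listeners>
//           <add name="eventLog" type="System.Diagnostics.EventLogTraceListener"
//                initializeData="OrderApp" />
//         </listeners>
//       </source>
//     </sources>
//   </system.diagnostics>
// The event source "OrderApp" must already be registered on the machine
// (EventLog.CreateEventSource needs administrator rights, so do it at install time).
public class OrderHandler : IHttpHandler
{
    private static readonly TraceSource Log = new TraceSource("OrderApp");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        try
        {
            ProcessOrder(context.Request["id"]);
            context.Response.Write("OK");
        }
        catch (Exception ex)
        {
            // INSECURE (what options B/C in Q3 amount to): a stack trace carries source
            // file paths, line numbers and internal type names, and ex.ToString() also
            // includes inner exceptions such as raw database error text.
            //   context.Response.Write(ex.StackTrace);
            //   context.Response.Write(ex.ToString());

            // SECURE: the full detail goes to the event log through the TraceSource; the
            // client receives only a fixed message plus an opaque reference it can quote
            // to support staff, who search the event log for it.
            string reference = Guid.NewGuid().ToString("N");
            Log.TraceEvent(TraceEventType.Error, 0,
                "Reference={0} Path={1} Exception={2}",
                reference, context.Request.Path, ex);
            Log.Flush();

            context.Response.Clear();
            context.Response.StatusCode = 500;
            context.Response.ContentType = "text/plain";
            context.Response.Write(
                "The request could not be processed. Reference: " + reference);
        }
    }

    // Hypothetical business logic that fails on bad input.
    private static void ProcessOrder(string id)
    {
        int orderId;
        if (!int.TryParse(id, out orderId) || orderId <= 0)
            throw new ArgumentException("Invalid order id");
        // ... order processing would go here
    }
}
```

Note the caveat behind Q3: `ex.Message` is only the least revealing of the three properties listed, not a safe thing to echo as-is. A `SqlException` message can name tables and columns and a `FileNotFoundException` message includes the path, so the client-facing text above is a fixed string and the exception text appears only in the log. For exceptions that escape every handler, `<customErrors mode="On">` in web.config keeps the default ASP.NET error page, which prints the stack trace, from ever reaching a remote client.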

Module 7: Secure Coding Practices for Session Management

1. Which is not one of the common threats to session management?
   A. CSRF
   B. XSS
   C. Token Brute-Force Attack
   D. Token Manipulation Attack
   The course's answer is B. CSRF, token brute force and token manipulation all target the session token or the session mechanism directly. XSS (Cross-Site Scripting) injects malicious script into the web application by exploiting flaws in how the application handles input and output, and the course therefore classes it as an injection attack rather than a session management threat. Note that XSS is still commonly used to read the session cookie and hijack the session, which is exactly why the course requires the cookie to be unreadable by script: httpOnlyCookies must be set to true in web.config.
   Notes: CSRF attack; XSS attack; httpOnlyCookies in web.config must be set to true.

2. Which is not a type of client-side session management?
   A. Cookies
   B. Query String
   C. Profile
   D. ViewState
   Option C is CORRECT because Profile is not a type of client-side session management. The Profile is an ASP.NET component for storing user-specific data on the server side, not the client side.

3. Which is the default session mode?
   A. InProc
   B. SqlServer
   C. StateServer ...
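As an added example (not from the course material or the original post), here is a classic ASP.NET (System.Web) web.config fragment that puts the httpOnlyCookies note from Q1 and the session modes from Q3 into practice, with the weak setting shown commented out beside the hardened one. The login URL, timeouts and cookie name are illustrative assumptions.

```xml
<!-- Added example, not the course's or the blog's own configuration. -->
<configuration>
  <system.web>
    <!-- Weak: cookies readable by script (an XSS payload can read document.cookie and
         send ASP.NET_SessionId elsewhere) and sent over plain HTTP. -->
    <!-- <httpCookies httpOnlyCookies="false" requireSSL="false" /> -->

    <!-- Hardened: HttpOnly keeps injected script away from the cookie; requireSSL keeps
         it off cleartext connections; sameSite limits its use in CSRF requests
         (the sameSite attribute needs .NET Framework 4.7.2 or later). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Lax" />

    <!-- Weak: cookieless="AutoDetect" or "UseUri" puts the session ID in the URL, where
         it leaks through Referer headers, proxy logs and bookmarks and can be handed to
         a victim for session fixation. -->
    <!-- <sessionState mode="InProc" cookieless="AutoDetect" timeout="120" /> -->

    <!-- Hardened: cookie-only session IDs and a short idle timeout. InProc (the default
         mode, Q3) keeps state in the worker process and suits a single server; use
         StateServer or SQLServer when the application runs on a web farm. -->
    <sessionState mode="InProc" cookieless="UseCookies"
                  cookieName="ASP.NET_SessionId" timeout="20" />

    <!-- The forms authentication ticket gets the same treatment; a fixed (non-sliding)
         expiration bounds how long a stolen ticket stays valid. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" cookieless="UseCookies"
             slidingExpiration="false" timeout="20" protection="All" />
    </authentication>
  </system.web>
</configuration>
```

The configuration covers cookie exposure, not token reuse: to defeat fixation the application should still discard the pre-login session (Session.Abandon() followed by clearing the session cookie so a fresh ID is issued) when the user authenticates.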

EC Council CASE.NET 認證準備

https://aspen.eccouncil.org/VerifyBadge?type=certification&a=kiADSq5i3DR6LB9eghQXZrckYwZi4fD07Rgq4bi9jAo=
https://moda.gov.tw/ACS/laws/certificates/676
https://www-api.moda.gov.tw/File/Get/acs/zh-tw/epCm7MlcYGOKmPH

The EC-Council CASE (Certified Application Security Engineer) training covers the security issues involved at every phase of the SDLC (software development life cycle): from planning and building the application through testing and deploying the product, including application security, threats and attacks, security requirements gathering, secure coding for authentication and authorization, cryptography, and secure deployment and maintenance. CASE is currently the most comprehensive certification in the software development security market and is used by leading software engineers, testers and recruiters worldwide. The exam really is not easy... lots of hands-on questions and scenario-based concept questions.

EC Council CASE.NET(312-95)_Notes_Module 1 terms and definitions
Module 1: Understanding Application Security, Threats, and Attacks
Module 2: Security Requirements Gathering
Module 3: Secure Application Design and Architecture
Module 4: Secure Coding Practices for Input Validation
Module 5: Secure Coding Practices for Authentication and Authorization
Module 6: Secure Coding Practices for Cryptography
Module 7: Secure Coding Practices for Session Management
Module 8: Secure Coding Practices for Error Handling
Module 9: Static and Dynamic Application Security Testing (SAST ...