Module 8: Secure Coding Practices for Error Handling

1. Which of the following .NET components can be used to remove unused references from the managed heap?

A) Garbage Collector
B) Common Language Runtime
C) Common Type System
D) WCF Services

Option A is CORRECT because the Garbage Collector in .NET is designed specifically for memory management. It automatically frees objects that are no longer in use, reclaiming their memory on the managed heap and removing the unnecessary references.


2. Which class is used to write trace output to the Windows event log?

A) DefaultTraceListener
B) TextWriterTraceListener
C) EventLogTraceListener
D) ConsoleTraceListener

Option C is CORRECT because EventLogTraceListener sends the output of an application's tracing and debugging statements to the EventLog. Hence, it is the class used to write trace output to the Windows event log.

3. What is the secure option to avoid sensitive information leakage in exception handling?

A) ex.Message
B) ex.StackTrace
C) ex.Details
D) None of them

Option A is CORRECT because 'ex.Message' displays only a general description of the error; it does not provide specific details about the exception, which prevents potentially sensitive information from being leaked.

Option B is INCORRECT because 'ex.StackTrace' provides the complete sequence of methods that led to the exception, which might leak sensitive information since it can include function names, line numbers or local variables.

Option C is INCORRECT because 'ex.Details' does not exist in .NET exception handling; the option is not valid syntax.


4. How should error messages be designed to avoid giving away sensitive information?
Response:
A. By providing specific details about the error and how to fix it
B. By using technical jargon that is difficult for laypeople to understand
C. By offering generic, user-friendly error messages without revealing details
D. By redirecting all errors to a single message that requests user patience

5. How can improper error handling impact application security?
Response:
A. It can reveal system information that may help attackers
B. It improves the user experience by providing detailed feedback
C. It simplifies the debugging process
D. It has no impact on security

6. What is an effective strategy for error logging in applications?
Response:
A. Storing logs in publicly accessible locations
B. Logging all error details directly to the user interface
C. Using centralized logging with restricted access
D. Avoiding logging to enhance performance

7. What is the best practice for handling errors in an application securely?
Response:
A. Displaying detailed error messages to users
B. Logging detailed error information securely while showing generic messages to users
C. Ignoring error handling to simplify code
D. Using a single generic error message for all types of errors

8. In ASP.NET Core, how can secure error handling be implemented?
(Select two)
Response:
A. Using the built-in Developer Exception Page for all environments
B. Configuring custom error pages for production environments
C. Logging detailed error information including stack traces in production logs
D. Employing the UseExceptionHandler middleware in the production environment

9. What role does exception handling play in secure coding practices?
Response:
A. It is only necessary for high-security applications
B. Proper exception handling ensures that errors are managed predictably and securely
C. Exception handling should be avoided to reduce code complexity
D. It has no impact on the security of an application

10. Why is proper error and exception handling important in secure coding?
Response:
A. To enhance the application's performance and speed
B. To prevent the disclosure of sensitive information through error messages
C. To make the application more user-friendly
D. To reduce the storage space required for logs

11. Why should developers avoid revealing specific database error messages to users?
Response:
A. It enhances the database performance
B. Specific messages can guide developers in troubleshooting
C. It can provide attackers with insights into the database structure
D. Generic messages are more difficult to understand

12. What is a key practice in preventing information disclosure through error messages?
Response:
A. Displaying detailed error messages to users to help them troubleshoot issues
B. Logging detailed error information to a secure, restricted location
C. Using generic error messages for all exceptions
D. Encouraging users to report any vague error messages they encounter

13. Which approach should be avoided to prevent improper error handling?
Response:
A. Catching specific exception types rather than using a general catch-all
B. Swallowing exceptions without any logging or handling
C. Implementing a global exception handler
D. Logging the stack trace for analysis by developers
