Chapter 11: Practice Test 3 439
review to peers. Pair programming requires two developers, only one of whom writes code
while both collaborate. IDE forcing is not a type of code review; an IDE is an integrated
development environment.
66. A. The Time of Check to Time of Use (TOC/TOU) attack exploits timing differences between when a system verifies authorization and when software uses that authorization to perform an action. It is an example of a race condition attack. The other three attacks mentioned do not depend on precise timing.
67. B. Encapsulation is a process that adds a header and possibly a footer to data received at each layer before handoff to the next layer. TCP wrappers are a host-based network access control system, attribution is determining who or what performed an action or sent data, and data hiding is a term from object-oriented programming that is not relevant here.
68. C. Salting adds random text to the password before hashing in an attempt to defeat automated password cracking attacks that use precomputed values. MD5 and SHA-1 are both common hashing algorithms, so using them does not add any security. Double-hashing would only be a minor inconvenience for an attacker and would not be as effective as the use of salting.
69. A. Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional.
70. C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.
71. C. Regression testing ensures proper functionality of an application or system after it has been changed. Unit testing focuses on testing each module of a program instead of against its previous functional state. White and black box testing both describe the amount of knowledge about a system or application, rather than a specific type or intent for testing.
72. C. Risk transference involves shifting the impact of a potential risk from the organization incurring the risk to another organization. Insurance is a common example of risk transference.
73. A. The four canons of the (ISC)² code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
74. C. A trust that allows one forest to access another's resources without the reverse being possible is an example of a one-way trust. Since Jim doesn't want the trust path to flow as the domain tree is formed, this trust has to be nontransitive.
75. B. Susan's team is performing static analysis, which analyzes nonrunning code. Dynamic analysis uses running code, whereas gray box assessments are a type of assessment done without full knowledge. Fuzzing feeds unexpected inputs to a program as part of dynamic analysis.
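As an added illustration of the salting answer (example code, not from the book), the Python below compares the three options in that question: a precomputed table of common-password digests recovers unsalted and double-hashed SHA-1 values directly, while a per-record random salt makes the same table useless and forces the attacker to start over for every record. SHA-1 is used only to match the question; the password list and table are constructed sample data, and in practice a purpose-built slow password hash would replace the plain digest.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny "precomputed table" of digests for common passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Attacker-side precomputation. Plain SHA-1 and double SHA-1 are both
# deterministic, so each can be tabulated once and reused against every
# stolen record; double-hashing only changes which table is needed.
PLAIN_TABLE = {sha1_hex(p.encode()): p for p in COMMON_PASSWORDS}
DOUBLE_TABLE = {sha1_hex(sha1_hex(p.encode()).encode()): p for p in COMMON_PASSWORDS}


def store_unsalted(password: str) -> str:
    return sha1_hex(password.encode())


def store_double_hashed(password: str) -> str:
    return sha1_hex(sha1_hex(password.encode()).encode())


def store_salted(password: str, salt: bytes = None) -> str:
    """Return 'salt_hex$digest' using a fresh 16-byte random salt per record."""
    if salt is None:
        salt = os.urandom(16)
    return f"{salt.hex()}${sha1_hex(salt + password.encode())}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; constant-time compare."""
    salt_hex, digest = stored.split("$", 1)
    candidate = sha1_hex(bytes.fromhex(salt_hex) + password.encode())
    return hmac.compare_digest(candidate, digest)


def lookup(table: dict, digest: str):
    """Table lookup the attacker performs; None means the table did not help."""
    return table.get(digest)
```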