Advanced SOA Security v6.0 (S90.19)

Page:    1 / 6   
Total 83 questions

Service A contains reporting logic that issues SQL queries against a database to generate reports. The actual SQL query syntax is determined at runtime. It has been reported that some of these queries ended up retrieving highly confidential data by accessing tables that service consumers were not authorized for. How can this be avoided?

  • A. Stored procedures should be used instead of executing an SQL query that is determined at runtime.
  • B. The Message Screening pattern needs to be applied to Service A.
  • C. The database security should be increased so that the account under which Service A executes SQL queries has restricted access.
  • D. None of the above


Answer : C

Architects responsible for a domain service inventory are being asked to make some of their services available to service consumers from outside the organization. However, they are reluctant to do so and consult you to help define a security architecture that will keep all of the existing services within the domain service inventory hidden within a private network.
Which of the following is a valid approach for fulfilling this requirement?

  • A. Apply the Brokered Authentication pattern to position an authentication broker outside the private network that has been configured to access the internal services via a firewall. The authentication broker becomes the sole contact point for external service consumers.
  • B. Apply the Service Perimeter Guard pattern in order to position a perimeter service outside the private network that has been configured to access the internal services via a firewall. The perimeter service becomes the sole contact point for external service consumers.
  • C. Apply the Trusted Subsystem pattern in order to position a service outside the private network that authenticates each incoming request and then uses its own set of credentials to get access to internal services. This service becomes the sole contact point for external service consumers.
  • D. None of the above.


Answer : B

Which of the following statements regarding the usage of security tokens for authentication and authorization are true?

  • A. Security tokens can be validated without resorting to pre-shared secrets.
  • B. Security tokens issued by a token issuer in the same security domain can be used with a different token issuer in a different security domain in order to get access to services in that domain.
  • C. Security token issuance and cancellation are done by the relying party.
  • D. Security tokens can only be issued by a legitimate token issuer.


Answer : A,B

A security architecture needs to be created in order to guarantee that messages that are sent to Service A must comply with a security policy that is published as part of Service A's service contract. The application of which of the following patterns will fulfill this requirement?

  • A. Message Screening
  • B. Brokered Authentication
  • C. Exception Shielding
  • D. None of the above


Answer : D

A service protected from an XML bomb attack will automatically also be protected from a schema poisoning attack.

  • A. True
  • B. False


Answer : B

The application of the Trusted Subsystem pattern can help centralize access to services.

  • A. True
  • B. False


Answer : A

The use of XML schemas for data validation helps avoid several types of data-centric threats.

  • A. True
  • B. False


Answer : A

Architects have applied the Service Perimeter Guard pattern to a service inventory by adding a perimeter service inside the firewall that receives all incoming request messages and then routes them to the appropriate services. The firewall has been configured to allow any service consumers to send messages to the perimeter service. You are told that this security architecture is flawed. Which of the following statements describes a valid approach for improving the security architecture?

  • A. The Trusted Subsystem pattern needs to be applied to the perimeter service so that it can authenticate all incoming requests before forwarding them to services within the service inventory.
  • B. The perimeter service needs to be outside the firewall and the firewall needs to be configured so that only the perimeter service has access to the services within the service inventory.
  • C. The described security architecture is not flawed because the Service Perimeter Guard pattern was applied correctly.
  • D. None of the above.


Answer : B

A common alternative to _____________ is the use of a ____________.

  • A. Public key cryptography, private key
  • B. Digital signatures, symmetric key
  • C. Public key cryptography, public key
  • D. Private keys, digital signatures


Answer : C

The Message Screening pattern can be used to avoid which of the following types of attacks?

  • A. buffer overrun attack
  • B. XPath injection attack
  • C. SQL injection attack
  • D. exception generation attack


Answer : A,B,C

The same security policy has been redundantly implemented as part of the service contracts for Web services A, B and C. In order to reduce the effort of maintaining multiple redundant service policies, it has been decided to centralize policy enforcement across these three services. Which of the following industry standards will need to be used for Web services A, B and C in order for their service contracts to share the same security policy document?

  • A. WS-PolicyAttachment
  • B. WS-SecureConversation
  • C. WS-Trust
  • D. WS-Security


Answer : A

Because of a new security requirement, all messages received by Service A need to be logged. This requirement needs to be expressed in a policy that is part of Service A's service contract. However, the addition of this policy must not impact existing service consumers that have already formed dependencies on Service A's service contract. How can this be accomplished?

  • A. The policy can be centralized and isolated into a separate policy document that is linked to the service contract.
  • B. The policy can be expressed using a digital certificate that is added to the service contract.
  • C. The policy can be expressed using an ignorable policy assertion that is added to the service contract.
  • D. None of the above.


Answer : C

The use of parameterized expressions can help avoid which type of attack?

  • A. XML parser attack
  • B. Buffer overrun attack
  • C. XPath injection attack
  • D. Exception generation attack


Answer : C

The Service Perimeter Guard pattern can be applied together with the Message Screening pattern, resulting in a perimeter service that contains message screening logic.

  • A. True
  • B. False


Answer : A

The service contract for Service A uses an XML schema that does not specify the maximum length for the CustomerAddress XML element. A service consumer sends a message that contains a very long string of characters inside the CustomerAddress XML element. This can be an indication of what types of attacks?

  • A. XML parser attack
  • B. Buffer overrun attack
  • C. Insufficient authorization attack
  • D. XPath injection attack


Answer : A,B