S90.19 무료 덤프문제 온라인 액세스

The use of derived keys is based on symmetric encryption. This is similar to asymmetric encryption because different keys can be derived from a session key and used separately for encryption and decryption.

• A.False
• B.True

Service A, residing outside the private network of an organization, provides logic that sanitizes message error information on behalf of other services that reside inside the private network, behind a firewall. Where is the vulnerability in this architecture?

• A.There is no central management of error messages. Instead, policy enforcement points should be used so that all services are required to comply with a policy that states that any error message generated needs to be free of sensitive data.
• B.The sanitization logic resides outside the private network. Therefore, if communication between Service A and the services within the private network is compromised, an attacker can get access to sensitive data from non-sanitized messages generated by services inside the private network.
• C.None of the above.
• D.There is no single sign-on mechanism in place, which puts all services (within and outside the private network) at risk.

The service contract for Service A uses an XML schema that does not specify the maximum length for the CustomerAddress XML element. A service consumer sends a message that contains a very long string of characters inside the CustomerAddress XML element. This can be an indication of what types of attacks?

• A.XPath injection attack
• B.Insufficient authorization attack
• C.XML parser attack
• D.Buffer overrun attack

The Trusted Subsystem pattern is applied to a service that provides access to a database.
Select the answer that best explains why this service is still at risk of being subjected to an insufficient authorization attack.

• A.Attackers can steal confidential data by monitoring the network traffic that occurs between the service and the database.
• B.Because the Service Perimeter Guard pattern was also not applied, the database is not protected by a firewall.
• C.None of the above.
• D.If an attacker gains access to the security credentials used by the service to access the database, the attacker can access the database directly.

___________ is an industry standard that describes mechanisms for issuing, validating, renewing and cancelling security tokens.

• A.WS-Security
• B.WS-SecurityPolicy
• C.WS-SecureConversation
• D.WS-Trust