
WGU D385 Software Security and Testing Exam 2024 New Latest Updated Version

Pages: 14
Grade: A+
Uploaded on: 12-09-2024
Written in: 2024/2025

How does a server authenticate itself? - ANS-By sending a public-key certificate to the client, which is issued by a certificate authority. The certificate contains the server's public key.

What does the Strict-Transport-Security response header do? - ANS-Tells a browser that it should be accessed only via HTTPS.

What package is used to send and receive data between other systems? - ANS-The requests package

What are HTTP sessions used for? - ANS-To isolate the traffic, context, and state of each user.

How should session IDs be transmitted and why? - ANS-They should be sent and received confidentially over HTTPS (not HTTP) because stealing session IDs is a big area of exploitation. A hijacked session ID looks the same as a legitimate request.

What is session sniffing? - ANS-Eavesdroppers steal session IDs over HTTP on websites that use HTTP on unverified users, then when the user is verified they can use the same session ID to hijack the account over HTTPS.

What is a cookie? - ANS-A small piece of data used to communicate between the server, website, and browser. Communicates the session ID.

What does the secure directive do? - ANS-Helps prevent MITM attacks by ensuring a cookie will be transmitted over HTTPS, not HTTP, preventing attackers from intercepting the session ID.

What does the domain directive do? - ANS-Controls which hosts the browser should send the session ID to.

What does the max-age directive do? - ANS-Declares an expiration time for a cookie.

What hash function should you use for most general purpose cryptographic hashing? - ANS-SHA-256

What hash function should you consider using for high security environments, though it may have less support? - ANS-SHA3-256

What hash function should you use for very large messages? - ANS-BLAKE2

What two hash functions should you avoid, as they're now considered insecure? - ANS-MD5 and SHA1

What is the difference between hash functions and checksum functions? - ANS-Hash functions have stronger collision resistance, checksums are faster. Checksums are not useful for security.

What module do you use for cryptographic hashing in Python? - ANS-hashlib

What 3 properties characterize hash functions? - ANS-1. Deterministic behavior 2. Fixed-length hash values 3. Avalanche effect

Should you use the secrets or random module for generating secure random numbers? - ANS-secrets

What do keyed hash functions do? - ANS-Hash functions using different keys produce different hash values of the same message. Hash functions using the same key produce matching hash values of the same message. Ensures data authentication.

What are HMAC functions? - ANS-A generic way to use any ordinary hash function as though it were a keyed hash function, since most hash functions don't support keys natively. Takes 3 inputs: message, key, ordinary cryptographic hash function.

What is a timing attack? - ANS-Attacker obtains hints about private information by measuring the time a system takes to perform an operation (e.g., string comparison).

How can you avoid a timing attack with the hmac module? - ANS-You can use compare_digest in place of ==. This always compares all characters before it returns, thus preventing timing attack vulnerabilities.

What is a side channel attack? - ANS-Derives unauthorized information by measuring any physical side channel (such as time, sound, power consumption, electromagnetic radiation, radio waves, and heat).

Python has no native encryption API, so what might you use instead? - ANS-cryptography or pycryptodome packages

When using the high level "recipes layer" API of cryptography, what protocol/class will you be interacting with? - ANS-Ferne


Institution: WGU D385 Software Security and Testing
Course: WGU D385 Software Security and Testing
Type: Exam
Contains: Questions and answers

Seller: LaurenJames
