This article contains key questions and verified answers from the SSA E1 Tester Assessment (67031) conducted by TCS (Tata Consultancy Services). Use this guide to prepare, revise, and assess your understanding of software security assurance principles.
1. Software is considered as "Secure" when:
Answer: It does what it is expected to and does not do what it is not expected to
2. Teams must monitor for libraries and components that are unmaintained or do not create security patches for older versions.
Answer: True
3. Software Security Assurance can be achieved if the efforts, activities and controls are implemented and verified for establishing Confidentiality, Integrity, Availability & Accountability.
Answer: True
4. What remains the same in both internal and external testing?
Answer: The target
5. Which attack can execute scripts in the user's browser and is capable of hijacking user sessions, defacing websites, or redirecting the user to malicious sites?
Answer: Cross-site scripting
6. Role-Based Access control helps prevent which OWASP Top 10 weakness?
Answer: Broken Access Control
7. What does PII stand for?
Answer: Personally Identifiable Information
8. The password database uses unsalted or simple hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. This can lead to:
Answer: Sensitive Data Exposure
9. Which of the following is used to retain integrity in software?
Answer: Hashing
10. The assessments below are part of information security:
Answer: All of the above
11. Race, ethnicity and trade union membership are:
Answer: SPI data
12. Which of the following is used to retain confidentiality in software?
Answer: Encryption
13. What are limitations of SAST?
Answer: All of them
14. Process which assembles and analyzes several events, each attributable to a single originating entity, in order to gain information (especially patterns of activity) relating to the originating entity is known as:
Answer: Profiling
15. Which of the following is a hacker's attempt to redirect traffic from a legitimate website to a completely different internet address by changing the host’s file on a victim's computer or exploiting a vulnerability on the DNS server?
Answer: Pharming
16. What is the impact of injection attacks?
Answer: All of the above
17. Which of the following can lead to leakage of private data?
Answer: All of the above
18. A corporate Red Team (internal or external) is a continuous service that emulates real-world attackers for the purpose of improving the Blue Team.
Answer: True
19. Organizations should protect personal information by which of the following methods?
Answer: All of the above
20. Saves time and resources, but is not accurate or professional:
Answer: Automated pentesting
21. Information gathering can include which of the following?
Answer: All of the above
22. Financial data protection falls under which of the privacy standards?
Answer: PCI DSS
23. In ___ reconnaissance, an intruder engages directly with the targeted system to gather information about vulnerabilities.
Answer: Active
24. It is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized.
Answer: Vulnerability Assessment
25. Which of the following best describes how to sign a document using a digital signature?
Answer: Create a hash of the document and encrypt the resulting hash using the signer's private key
26. Key attribute of audit:
Answer: To map a current state against an arbitrary standard
27. Can be performed to test how a vulnerability can be exploited:
Answer: PenTesting
28. The security policy should cover details such as:
Answer: All of the above
29. A scan that checks a system for known vulnerabilities:
Answer: Vulnerability Scan
30. What helps in detecting irregular behavior in production?
Answer: Continuous monitoring
31. Which of the following issues can be considered a security misconfiguration?
Answer: All of the above
32. Development, QA, and production environments should all be configured identically, with ___ credentials used in each environment.
Answer: Different
33. JWT tokens should be invalidated on the server after logout.
Answer: True
34. Reconnaissance is often the early phase of a structured internal or external attack.
Answer: True
35. TCS SSA takes care of the threats to systems and software from:
Answer: Both of them