Question: 84
You are developing an ASP.NET MVC application that uses forms authentication. The application uses SQL queries that display customer order data. Logs show there have been several malicious attacks against the servers. You need to prevent all SQL injection attacks from malicious users against the application.
How should you secure the queries?
A. Check the input against patterns seen in the logs and other records.
B. Escape single quotes and apostrophes on all string-based input parameters.
C. Implement parameterization of all input strings.
D. Filter out prohibited words in the input submitted by the users.
Answer: C
Explanation:
SQL Injection Prevention, Defense Option 1: Prepared Statements (Parameterized Queries)
The use of prepared statements (also known as parameterized queries) is how all developers should first be taught to write database queries. They are simple to write and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied. Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker.
Reference: OWASP SQL Injection Prevention Cheat Sheet

Question: 85
You are developing an ASP.NET MVC application that uses forms authentication against a third-party database. You need to authenticate the users.
Which code segment should you use?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
Explanation:
Class ProviderBase
The provider model is intended to encapsulate all or part of the functionality of multiple ASP.NET features, such as membership, profiles, and protected configuration.

Question: 86
You are designing an enterprise-level Windows Communication Foundation (WCF) application. User accounts will migrate from the existing system. The new system must be able to scale to accommodate the increasing load. You need to ensure that the application can handle large-scale role changes.
What should you use for authorization? (Each correct answer presents a complete solution. Choose all that apply.)
A. Resource-based trusted subsystem model
B. Identity-based approach
C. Role-based approach
D. Resource-based impersonation/delegation model
Answer: B,C
Explanation:
Advanced Maturity: Authorization as a Service
In the advanced level of maturity for authorization, role storage and management is consolidated, and authorization itself is a service available to any solution that is service-enabled.
* The Trusted Subsystems Model
Once authorization is available as an autonomous service, the need for impersonation is eliminated. Instead of assuming the identity of the user, the application uses its own credentials to access services and resources, but it captures the user's identity and passes it as a parameter (or token) to be used for authorization when a request is made. This model is referred to as the trusted subsystem model, because the application acts as a trusted subsystem within the security domain.
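The following C# code is an added illustration for Question 84; it is not part of the exam material or of any Microsoft or OWASP sample. It assumes an `Orders` table with `OrderId`, `OrderDate`, `Total` and `CustomerName` columns and a connection string named `Orders`; those names are invented for the example. It places the concatenation-plus-escaping approach of option B next to the parameterized query of option C so the difference in where the code/data boundary sits is visible in code.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

// Assumed row shape for the customer order data (example only).
public class Order
{
    public int OrderId { get; set; }
    public DateTime OrderDate { get; set; }
    public decimal Total { get; set; }
}

public class OrderRepository
{
    private readonly string _connectionString;

    public OrderRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Option B style, shown for contrast only: the SQL text is assembled from
    // user input, so the database must parse the customer name as part of the
    // query. Doubling quotes only covers values inside a quoted string literal;
    // the query text still depends on the input, and the database cannot tell
    // which characters were meant as code and which as data.
    public static string BuildQueryByConcatenation(string customerName)
    {
        string escaped = customerName.Replace("'", "''");
        return "SELECT OrderId, OrderDate, Total FROM Orders WHERE CustomerName = '"
               + escaped + "'";
    }

    // Option C: the SQL text is a compile-time constant; the value is bound as a
    // typed parameter and is transmitted separately from the statement, so it is
    // never parsed as SQL regardless of its contents.
    public IList<Order> GetOrdersForCustomer(string customerName)
    {
        const string sql =
            "SELECT OrderId, OrderDate, Total FROM Orders WHERE CustomerName = @CustomerName";

        var orders = new List<Order>();
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit type and length: the provider sends the value out of band,
            // and over-long input is a parameter error rather than a query change.
            command.Parameters.Add("@CustomerName", SqlDbType.NVarChar, 100).Value = customerName;

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    orders.Add(new Order
                    {
                        OrderId = reader.GetInt32(0),
                        OrderDate = reader.GetDateTime(1),
                        Total = reader.GetDecimal(2)
                    });
                }
            }
        }
        return orders;
    }
}

// Forms authentication is already in place per the question; [Authorize] keeps
// unauthenticated callers out, and the action passes raw input straight to the
// parameterized repository method with no escaping or filtering of its own.
[Authorize]
public class OrdersController : Controller
{
    private readonly OrderRepository _orders = new OrderRepository(
        ConfigurationManager.ConnectionStrings["Orders"].ConnectionString);

    public ActionResult ByCustomer(string customerName)
    {
        return View(_orders.GetOrdersForCustomer(customerName ?? string.Empty));
    }
}
```

`BuildQueryByConcatenation` is kept only to show what option B produces: a different SQL string for every input. `GetOrdersForCustomer` sends the same statement every time, which is the property the explanation above describes as letting the database distinguish code from data. The same rule applies to any dynamic part of a query (sort columns, table names) that cannot be parameterized: those must come from a fixed allow-list in code, not from the request.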
- Spring '16
- .NET Framework