
SOA S90.19 Advanced SOA Security Exam Practice Test

Note: the S90.19 exam is now retired. Please select the replacement exam for your certification.
Page: 1 / 8
Total 83 questions

Advanced SOA Security Questions and Answers

Question 1

The service contract for Service A uses an XML schema that does not specify the maximum length for the CustomerAddress XML element. A service consumer sends a message that contains a very long string of characters inside the CustomerAddress XML element. This can be an indication of what types of attacks?

Options:

A.

XML parser attack

B.

Buffer overrun attack

C.

Insufficient authorization attack

D.

XPath injection attack

Question 2

The use of derived keys is based on symmetric encryption. This is similar to asymmetric encryption because different keys can be derived from a session key and used separately for encryption and decryption.

Options:

A.

True

B.

False

Question 3

Service A's logic has been implemented using managed code. An attacker sends an XML bomb to Service A. As a result, Service A's memory consumption increased at an alarming rate and then decreased back to normal. The service was not affected by this attack and quickly recovered. Which of the following attacks were potentially avoided?

Options:

A.

XML parser attack

B.

Buffer overrun attack

C.

Insufficient authorization attack

D.

Denial of service

Question 4

Which of the following statements is true?

Options:

A.

When the maxOccurs attribute in an XML schema element is not specified it creates a security risk because attackers can specify this element multiple times.

B.

When numeric ranges within an XML schema are not specified it creates a security risk because attackers can introduce very large numeric values within the message data.

C.

When the xsd:any element is used within an XML schema it can introduce a security risk because it allows attackers to extend the schema.

D.

All of the above.
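
Questions 1 and 4 both come down to the same point: every constraint the XML schema leaves unspecified (maxLength, maxOccurs, numeric ranges, and an open xsd:any) is a constraint the service consumer gets to choose. The following is an added example, not part of the exam material or of any SOA Patterns reference code, showing what a perimeter guard does with those limits once they are written down. The contract, element names, limits and sample messages are all constructed for the illustration; a real service would carry them in its XSD, but the checks are the same.

```python
"""Constraint checks a perimeter guard runs on an incoming XML message.

Added illustration. The contract below, its element names and limits,
and the sample messages are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for Service A's schema: every element the contract
# allows, with the limits an XSD would express through maxLength, maxOccurs
# and minInclusive/maxInclusive facets. Anything not listed is rejected,
# which is the effect of *not* opening the schema with xsd:any.
CONTRACT = {
    "Order":           {"max_occurs": 1},
    "CustomerAddress": {"max_occurs": 1, "max_length": 200},
    "LineItem":        {"max_occurs": 50},
    "Quantity":        {"max_occurs": 50, "min_value": 1, "max_value": 1000},
}
MAX_MESSAGE_BYTES = 64 * 1024  # hard cap applied before the parser reads anything


def screen(message: bytes, contract=CONTRACT, max_bytes=MAX_MESSAGE_BYTES):
    """Return a list of violations; an empty list means the message passes."""
    if len(message) > max_bytes:
        # A missing maxLength is only exploitable if the parser is allowed
        # to consume the whole payload, so the size check comes first.
        return [f"message exceeds {max_bytes} bytes ({len(message)})"]
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]

    violations = []
    counts = {}
    for elem in root.iter():
        name = elem.tag
        rule = contract.get(name)
        if rule is None:
            violations.append(f"unexpected element <{name}>")
            continue
        counts[name] = counts.get(name, 0) + 1
        text = elem.text or ""
        if "max_length" in rule and len(text) > rule["max_length"]:
            violations.append(
                f"<{name}> length {len(text)} > maxLength {rule['max_length']}")
        if "min_value" in rule or "max_value" in rule:
            try:
                value = int(text.strip())
            except ValueError:
                violations.append(f"<{name}> is not an integer: {text[:20]!r}")
                continue
            lo = rule.get("min_value", value)
            hi = rule.get("max_value", value)
            if not lo <= value <= hi:
                violations.append(f"<{name}> value {value} outside [{lo}, {hi}]")
    for name, n in counts.items():
        limit = contract[name]["max_occurs"]
        if n > limit:
            violations.append(f"<{name}> occurs {n} times, maxOccurs is {limit}")
    return violations


# Constructed sample messages: one clean, one per unconstrained-schema risk.
GOOD = (b"<Order><CustomerAddress>1 Main St</CustomerAddress>"
        b"<LineItem><Quantity>2</Quantity></LineItem></Order>")
LONG_ADDRESS = b"<Order><CustomerAddress>" + b"A" * 5000 + b"</CustomerAddress></Order>"
HUGE_QUANTITY = b"<Order><LineItem><Quantity>99999999999</Quantity></LineItem></Order>"
EXTRA_ELEMENT = b"<Order><Debug>true</Debug></Order>"
REPEATED = b"<Order>" + b"<CustomerAddress>x</CustomerAddress>" * 3 + b"</Order>"
OVERSIZED = b"<Order>" + b"x" * MAX_MESSAGE_BYTES + b"</Order>"

if __name__ == "__main__":
    samples = [("good", GOOD), ("long address", LONG_ADDRESS),
               ("huge quantity", HUGE_QUANTITY), ("extra element", EXTRA_ELEMENT),
               ("repeated element", REPEATED), ("oversized", OVERSIZED)]
    for label, msg in samples:
        print(f"{label:17s} -> {screen(msg) or 'accepted'}")
```

The byte cap and the length check are deliberately separate: the cap protects the parser itself (the question 1 scenario), while maxLength, maxOccurs and the numeric range protect whatever the service does with the data afterwards.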

Question 5

Service A requires message confidentiality using message-layer security. You are asked to create a security policy for Service A that communicates its confidentiality requirements. However, you have not yet determined the type of encryption mechanism that will be used to enable message confidentiality. What types of binding assertions can you use to convey what service consumers should expect in the WS-Security header of SOAP messages exchanged by the service?

Options:

A.

Transport binding assertion

B.

Symmetric binding assertion

C.

Asymmetric binding assertion

D.

Protection binding assertion

Question 6

The difference between the Exception Shielding and Message Screening patterns lies in how the core service logic processes incoming messages received from malicious service consumers.

Options:

A.

True

B.

False

Question 7

An XML bomb attack and an XML external entity attack are both considered types of XML parser attacks.

Options:

A.

True

B.

False
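
Questions 3 and 7 treat the XML bomb and the XML external entity (XXE) attack as two members of the same family: both need a DTD in which to declare entities, and both do their damage inside the parser before the service logic ever runs. The following is an added example, not part of the exam material, showing the gate a service (or its perimeter guard) can put in front of the real parser so that a bomb or an XXE payload is refused at the DOCTYPE rather than absorbed in memory. It uses the expat bindings that ship with Python; the depth and character limits and the sample messages are constructed for the illustration.

```python
"""Pre-parse gate against XML parser attacks (XML bomb, XXE, deep nesting).

Added illustration using Python's bundled expat bindings. The limits and
the sample messages are constructed for the example.
"""
import xml.parsers.expat as expat


class ParserAttackRejected(Exception):
    """Raised as soon as the message shows a parser-attack signature."""


def gate(message: bytes, max_depth: int = 32, max_chars: int = 1_000_000) -> dict:
    """Stream the message through expat with handlers that abort on the
    constructs XML bombs and XXE depend on. Returns simple statistics when
    the message is acceptable and raises ParserAttackRejected otherwise.
    No tree is built, so rejecting a hostile message costs little memory."""
    parser = expat.ParserCreate()
    stats = {"elements": 0, "max_depth": 0, "chars": 0}
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Both the billion-laughs bomb and XXE declare their entities in a
        # DTD; a SOAP message has no legitimate reason to carry one.
        raise ParserAttackRejected(f"DOCTYPE '{name}' not permitted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ParserAttackRejected(f"entity declaration '{name}' not permitted")

    def on_external_entity(context, base, sysid, pubid):
        # Never resolve external references (file:// or http:// fetches).
        raise ParserAttackRejected(f"external entity {sysid!r} not permitted")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > max_depth:
            raise ParserAttackRejected(f"nesting deeper than {max_depth}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    def on_chars(text):
        stats["chars"] += len(text)
        if stats["chars"] > max_chars:
            raise ParserAttackRejected(f"more than {max_chars} characters of content")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(message, True)
    except expat.ExpatError as exc:
        raise ParserAttackRejected(f"not well-formed: {exc}") from exc
    return stats


def verdict(message: bytes) -> str:
    """Convenience wrapper that turns the gate's outcome into one string."""
    try:
        gate(message)
        return "accepted"
    except ParserAttackRejected as exc:
        return f"rejected: {exc}"


# Constructed samples: a classic entity-expansion bomb, an XXE payload,
# a pathologically nested document, and a clean SOAP-like message.
BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
        b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
        b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
        b']><lolz>&lol3;</lolz>')
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>')
DEEP = b"<a>" * 40 + b"</a>" * 40
CLEAN = b"<Envelope><Body><CustomerAddress>1 Main St</CustomerAddress></Body></Envelope>"

if __name__ == "__main__":
    for label, msg in [("bomb", BOMB), ("xxe", XXE), ("deep", DEEP), ("clean", CLEAN)]:
        print(f"{label:6s} -> {verdict(msg)}")
```

The DOCTYPE handler fires before expat reads the internal subset, so the bomb is refused before a single entity is declared, let alone expanded; the entity and external-entity handlers only matter if the DOCTYPE rule is ever relaxed. The depth and character counters cover the remaining way to exhaust a parser without entities at all.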

Question 8

Message screening logic and exception shielding logic can co-exist in a single perimeter guard service.

Options:

A.

True

B.

False

Question 9

Service A, residing outside the private network of an organization, provides logic that sanitizes message error information on behalf of other services that reside inside the private network, behind a firewall. Where is the vulnerability in this architecture?

Options:

A.

There is no central management of error messages. Instead, policy enforcement points should be used so that all services are required to comply with a policy that states that any error message generated needs to be free of sensitive data.

B.

The sanitization logic resides outside the private network. Therefore, if communication between Service A and the services within the private network is compromised, an attacker can get access to sensitive data from non-sanitized messages generated by services inside the private network.

C.

There is no single sign-on mechanism in place, which puts all services (within and outside the private network) at risk.

D.

None of the above.

Question 10

The Message Screening pattern can be applied to a service acting as a trusted subsystem for an underlying database. That way, the database would be protected from SQL injection attacks.

Options:

A.

True

B.

False
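
Questions 9 and 10 describe the two halves of a trusted subsystem sitting between consumers and a database: Message Screening on the way in, so that consumer-supplied text never reaches the query as SQL, and Exception Shielding on the way out, so that the raw error a database produces never reaches the consumer. The following is an added example, not part of the exam material or of any vendor's code, that shows both beside the unscreened query they replace. The table, its rows, the screening pattern and the fault message are constructed for the illustration; it uses the sqlite3 module bundled with Python.

```python
"""Trusted-subsystem service in front of a database: screens input, uses
parameterised queries, and shields exceptions from the consumer.

Added illustration. The table, rows and messages are constructed.
"""
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("service-a")

# Screening rule for the CustomerName element (constructed): a short
# identifier-like token. Anything else is refused before SQL is involved.
CUSTOMER_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,31}$")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the protected database, with a sensitive column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO customers (name, secret) VALUES (?, ?)",
                     [("alice", "alice-card-token"), ("bob", "bob-card-token")])
    return conn


def lookup_vulnerable(conn, name: str):
    """The 'before' picture: consumer text spliced straight into the SQL."""
    return conn.execute(f"SELECT name FROM customers WHERE name = '{name}'").fetchall()


def lookup_screened(conn, name: str):
    """Message Screening plus a parameterised query: the driver binds the
    value, so the text can never change the statement's structure."""
    if not CUSTOMER_NAME.match(name):
        raise ValueError("CustomerName failed message screening")
    return conn.execute("SELECT name FROM customers WHERE name = ?", (name,)).fetchall()


def service_a(conn, name: str) -> dict:
    """Exception Shielding: the consumer sees a generic fault and a
    correlation reference; the detail goes to the internal log only."""
    try:
        rows = lookup_screened(conn, name)
        return {"status": "ok", "customers": [r[0] for r in rows]}
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s name=%r error=%s", ref, name, exc)
        return {"status": "fault",
                "message": f"The request could not be processed (ref {ref})"}


# Constructed hostile inputs: a tautology and a UNION that reads the
# sensitive column through the unscreened query.
TAUTOLOGY = "x' OR '1'='1"
UNION = "x' UNION SELECT secret FROM customers--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union     :", lookup_vulnerable(db, UNION))
    print("screened, tautology   :", service_a(db, TAUTOLOGY))
    print("screened, bob         :", service_a(db, "bob"))
    db.close()
    print("screened, closed db   :", service_a(db, "bob"))
```

Running it shows the unscreened query returning every customer for the tautology and the card tokens for the UNION, while the screened service returns only a fault with a reference. The last call, against a closed connection, is the question 9 case: the database's own error text stays in the log on the trusted side and only the reference crosses the boundary.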

Question 11

The same security policy has been redundantly implemented as part of the service contracts for Web services A, B and C. In order to reduce the effort of maintaining multiple redundant service policies, it has been decided to centralize policy enforcement across these three services. Which of the following industry standards will need to be used for Web services A, B and C in order for their service contracts to share the same security policy document?

Options:

A.

WS-PolicyAttachment

B.

WS-SecureConversation

C.

WS-Trust

D.

WS-Security

Question 12

The Service Perimeter Guard pattern is applied to position a perimeter service outside of the firewall. The firewall only permits the perimeter service to access services within a specific service inventory. Which of the following statements describes a valid problem with this security architecture?

Options:

A.

The Trusted Subsystem pattern was not applied to the perimeter service.

B.

The perimeter service needs to be located inside the firewall and the firewall needs to be configured so that only known service consumers have access to the service inventory.

C.

The Service Perimeter Guard pattern cannot be applied to a service outside of a service inventory.

D.

None of the above
