When developing an external facing web-based system, which of the following would be the MAIN focus of the security assessment prior to implementation and production?
A. Ensuring Secure Sockets Layer (SSL) certificates are signed by a certificate authority
B. Ensuring Secure Sockets Layer (SSL) certificates are internally signed
Statement is wrong. First, it's not an SSL but an X.509 certificate, and it is secure by securing the transport layer. And it is considered by implementation, therefore D is correct. Injections etc. are part of L7 protections like input validation.
Cryptographic Failures is #2 after Broken Access Control in the OWASP Top 10.
https://owasp.org/www-project-developer-guide/draft/training_education/owasp_top_ten/
I would say A. Web-based system (is pretty generic, so it could have additional components)... In addition, the main focus of the developer during the security assessment is ensuring that baselines are met, which is SSL certificates being signed by a certificate authority. Thinking the CIA concept more than security.
Ensuring that SSL certificates are signed by a certificate authority is an important aspect of web application security, but it can be done at any stage of the development cycle or even after implementation. On the other hand, ensuring that input validation is enforced is critical to the security of web applications, and it should be a primary focus of the security assessment prior to implementation and production. The earlier input validation is implemented in the development cycle, the easier it is to prevent potential security vulnerabilities and attacks.
D - answer
When developing an external facing web-based system, the main focus of the security assessment prior to implementation and production would be D. Ensuring that input validation is enforced.
Input validation is a critical aspect of web application security, as it helps to prevent malicious users from injecting harmful code or data into the system. Input validation can help protect against a wide range of attacks, including SQL injection, cross-site scripting (XSS), and command injection.
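The post above names SQL injection as one of the attacks input validation helps prevent. The following is an added example, not code from the original thread or from any poster, that puts an allow-list check and a parameterized query side by side with an unvalidated string-concatenation lookup so the difference is visible on constructed data. The `users` table, the usernames and the allow-list pattern are all assumptions made for the example.

```python
import re
import sqlite3
from typing import List, Optional

# Allow-list for usernames: letters, digits and underscore, 3 to 32 characters.
# The pattern and the schema below are constructed for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def validate_username(value: str) -> Optional[str]:
    """Allow-list validation: return the value only if it matches the pattern, else None."""
    if USERNAME_RE.fullmatch(value):
        return value
    return None


def lookup_email_unvalidated(conn: sqlite3.Connection, username: str) -> List[str]:
    """Deliberately unsafe lookup: no validation, SQL built by string concatenation.

    Kept here only to show what the hardened version prevents.
    """
    query = "SELECT email FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_hardened(conn: sqlite3.Connection, username: str) -> List[str]:
    """Validate against the allow-list first, then query with a bound parameter.

    Raises ValueError for input that fails validation so the caller can log and
    reject it instead of passing it on to the database.
    """
    clean = validate_username(username)
    if clean is None:
        raise ValueError("rejected input: username does not match allow-list")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (clean,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # A classic tautology payload: the unvalidated lookup returns every row.
    print("unvalidated:", lookup_email_unvalidated(db, "' OR '1'='1"))
    print("hardened, valid input:", lookup_email_hardened(db, "alice"))
    try:
        lookup_email_hardened(db, "' OR '1'='1")
    except ValueError as exc:
        print("hardened, rejected:", exc)
```

Two layers are at work in the hardened version: the allow-list rejects anything that is not a plausible username before it reaches the database, and the parameterized query ensures that even a value which passed validation is never interpreted as SQL. Either layer alone stops this particular payload; the point of assessing input validation before production is that the first layer is defined by the application's own data model and has to be designed in, not bolted on afterwards.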
The main focus of the security assessment prior to implementation and production of an external facing web-based system would be ensuring input validation is enforced, as this helps prevent attacks such as injection attacks, which can allow attackers to execute malicious code or access sensitive information. Ensuring SSL certificates are signed by a certificate authority and assessing the URL are also important considerations, but they are not the main focus of the security assessment. Ensuring SSL certificates are internally signed is not relevant to the security assessment of an external facing web-based system.
D should not be the answer. Because what if that web-based application is not made to allow users to insert data? Then input validation is not required. But an SSL certificate is always required for websites published to the internet.
I really like your reasoning but the same logic applies for "A" as well. What if the website doesn't use cookies, doesn't have a user login functionality, and doesn't allow users to enter data? In this case, certificates won't be necessary as well.
TLS (SSL) provides protection against MitM attacks.
It is a common misunderstanding that you might only need transport encryption when the user transfers data or the website provides sensitive data.
But what about an attacker who is modifying a trustworthy static website by injecting malicious code which is then executed in the user's browser?
It is the same reason why you hardly find unencrypted FTP downloads nowadays (most users won't do a hashsum check).
"But what about an attacker who is modifying a trustworthy static website by injecting malicious code which is then executed in the user's browser?"
I don't think SSL/TLS would provide protection on that. How would SSL/TLS even protect against that?
TLS used in a public website is not mutual authentication (but there can be mutual TLS in other applications that use TLS). It only authenticates the web server but not the client. So, a web server does not authenticate whether it's a valid user or not. I'm assuming when we say "external facing web-based system", we're building the web server, not the client.
TLS is not very important if your attacker is not a man in the middle but actually the end-user. (But if it's a mutual TLS, then there's some point to be made)
I would say A, because there is no mention of the security of the website itself. So D is not the answer, because the first step is HTTPS, so A. HTTP with answer D looks weird to me.
Prior to implementation and production means we can only enforce input validation. The rest of the options are either production or implementation related. Knocking out B as it does not make any sense.
to me the key words here are "prior to", SSL is something you would configure during the implementation into production (as it's transitioning from the test environment), so to me, would be part of the provisioning/implementation process... I would certainly want to make sure the web app doesn't accept malformed input which could lead to confidentiality issues after deployment...
I would say given answer is correct.
websecurity.digicert.com/en/uk/security-topics/what-is-ssl-tls-https#:~:text=Transport%20Layer%20Security%20(TLS)%20is,SSL%20is%20still%20widely%20used.
It's generally known as SSL/TLS, one thing. Not 2 separate SSL and TLS entities. Not sure why they would want to confuse us like this.