A developer has implemented a piece of client-side JavaScript code to sanitize a user's provided input to a web page login screen. The code ensures that only the upper case and lower case letters are entered in the username field, and that only a 6-digit PIN is entered in the password field. A security administrator is concerned with the following web server log:

10.235.62.11 ?- [02/Mar/2014:06:13:04] "GET /site/script.php?user=adminandpass=pass%20or%201=1 HTTP/1.1" 200 5724

Given this log, which of the following is the security administrator concerned with and which fix should be implemented by the developer?

A. The security administrator is concerned with nonprintable characters being used to gain administrative access, and the developer should strip all nonprintable characters.

B. The security administrator is concerned with XSS, and the developer should normalize Unicode characters on the browser side.

C. The security administrator is concerned with SQL injection, and the developer should implement server side input validation.

D. The security administrator is concerned that someone may log on as the administrator, and the developer should ensure strong passwords are enforced.

A pentester must attempt to crack passwords on a windows domain that enforces strong complex passwords. Which of the following would crack the MOST passwords in the shortest time period?

A. Online password testing

B. Rainbow tables attack

C. Dictionary attack

D. Brute force attack

A large financial company has a team of security-focused architects and designers that contribute into broader IT architecture and design solutions. Concerns have been raised due to the security contributions having varying levels of quality and consistency. It has been agreed that a more formalized methodology is needed that can take business drivers, capabilities, baselines, and re-usable patterns into account. Which of the following would BEST help to achieve these objectives?

A. Construct a library of re-usable security patterns

B. Construct a security control library

C. Introduce an ESA framework

D. Include SRTM in the SDLC

Which of the following activities could reduce the security benefits of mandatory vacations?

A. Have a replacement employee run the same applications as the vacationing employee.

B. Have a replacement employee perform tasks in a different order from the vacationing employee.

C. Have a replacement employee perform the job from a different workstation than the vacationing employee.

D. Have a replacement employee run several daily scripts developed by the vacationing employee.

A security firm is writing a response to an RFP from a customer that is building a new network based software product. The firm's expertise is in penetration testing corporate networks. The RFP explicitly calls for all possible behaviors of the product to be tested, however, it does not specify any particular method to achieve this goal. Which of the following should be used to ensure the security and functionality of the product? (Select TWO).

A. Code review

B. Penetration testing

C. Grey box testing

D. Code signing

E. White box testing