1.You are an application developer for your company. You are developing an ASP.NET Web application that
customers will use to order products. Certain customers, named Gold customers, have credit with your
company. These customers are allowed to place orders without supplying payment information. All other
customers must provide credit card information to place an order.
The ASP.NET Web site will use Forms authentication to authenticate all users. The authentication code
associates a role named GoldCustomer with the current Web request if the user is a Gold customer.
Your application contains the following method, which returns a value of true if a user enters valid
credit card information or a value of false if the user does not enter valid credit card information.
(Line numbers are included for reference only.)
01 private bool ValidatePaymentInfo(string strCCNum, int expMonth, int expYear) {
02 if (strCCNum.Length == 0) {
03 return false;
04 }
05 if (!Regex.IsMatch(strCCNum, m_strCCPattern)) {
06 return false;
07 }
08 DateTime dtExpires = new DateTime(expYear, expMonth, 1);
09 dtExpires = dtExpires.AddMonths(1);
10 return (DateTime.Now < dtExpires);
11 }
You need to replace the code at line 03 to ensure that the method returns a value of true when the
customer is a member of the GoldCustomer role.
Which code segment should you use?
A: return HttpContext.Current.User.IsInRole("GoldCustomer");
B: return HttpContext.Current.User.Identity.Name == "GoldCustomer";
C: WindowsPrincipal p = new WindowsPrincipal(WindowsIdentity.GetCurrent());
return p.IsInRole("GoldCustomer");
D: return WindowsIdentity.GetCurrent().Name == "GoldCustomer";
Correct Answers: A
2.You are an application developer for your company. You are conducting a code review of an assembly
written by another developer. The assembly is named MyAssembly.exe. The assembly is for an application
that accesses data in a Microsoft SQL Server database. All users of the application have access to the
database by using their Microsoft Windows user accounts.
The assembly contains the following code segment.
string userid;
string password;
userid = "sa";
password = "";
SqlConnection sqlConnection = new SqlConnection();
string connectionString;
connectionString = "data source=myServer";
connectionString += ";initial catalog=myDatabase";
connectionString += ";user id=" + userid;
connectionString += ";password=" + password;
sqlConnection.ConnectionString = connectionString;
sqlConnection.Open();
You need to improve the security of the code segment.
What should you do?
A: Replace the code segment with the following code segment.
SqlConnection sqlConnection = new SqlConnection();
string connectionString;
connectionString = "data source=myServer";
connectionString += ";Integrated Security=SSPI";
connectionString += ";initial catalog=myDatabase";
sqlConnection.ConnectionString = connectionString;
sqlConnection.Open();
B: Replace the code segment with the following code segment.
SqlConnection sqlConnection = new SqlConnection();
string connectionString;
connectionString =
"data source=myserver;initial catalog=myDatabase;user id=sa;password=;";
sqlConnection.ConnectionString = connectionString;
sqlConnection.Open();
C: Run the caspol.exe -resolveperm MyAssembly.exe command from the command line.
D: Run the permview /decl MyAssembly.exe command from the command line.
Correct Answers: A
3.You are an application developer for your company. You are reviewing the security for a console
application that was written by another developer. The application uses impersonation to run as a member
of the Administrators group. The following code segment is the only code that deals with security in the
application.
RegistryKey key =
Registry.CurrentUser.CreateSubKey("Name");
key.SetValue("Name", "Tester");
You need to improve the security of the application.
What should you do?
A: Change the application to run as the interactive user.
B: Run the application from the command line by using the runas command and specify the Administrator
account.
C: Change the application to use code access security.
D: Change the application to write to the HKEY_LOCAL_MACHINE hive.
Correct Answers: A
4.You are an application developer for your company. You are developing a client application that queries
a Microsoft SQL Server database. The application uses an unmanaged component to retrieve data from
another application, and your application uses that data as part of a SQL query.
In the application code, you use a variable named externalobject to refer to the unmanaged component. A
variable named calcval contains an integer value that is calculated by your application. A SqlCommand
object named sqlcmd is already defined and associated with an open ADO.NET connection to the SQL Server
database.
The application contains the following code segment.
string myquery;
myquery = "INSERT INTO DataStore (ExternalID, CalcValue)";
myquery += " VALUES(" + externalobject.LegacyData + ",";
myquery += calcval.ToString() + ")";
sqlcmd.CommandText = myquery;
sqlcmd.ExecuteNonQuery();
You need to improve the security of this code segment.
What should you do?
A: Place the code segment within a try-catch block.
B: In the code segment, ensure that the value of externalobject.LegacyData meets the length and type
requirements of the SQL Server table.
C: Validate that externalobject.LegacyData contains only expected data and no additional SQL statements.
D: Copy the contents of externalobject.LegacyData into a string variable, and append the string variable
to the SQL statement.
Correct Answers: C
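The fix that option C describes, as an added example (not code from the exam question): the untrusted value is validated against what the column is expected to hold and then passed as a typed parameter, so SQL Server never parses it as part of the statement. The concatenated form from the question is kept alongside for contrast. The table column types, the integer expectation for LegacyData, and the server and database names are assumptions; the connection uses Integrated Security as in question 2 rather than an embedded login.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; not code from the exam question. Assumes the DataStore
// table has integer ExternalID and CalcValue columns and that the caller
// passes an already-open SqlConnection.
public static class DataStoreWriter
{
    // The pattern from the question: LegacyData is spliced into the SQL text,
    // so whatever the unmanaged component returns is parsed by SQL Server as
    // part of the statement. Kept only to show what is being replaced.
    public static string BuildUnsafeQuery(string legacyData, int calcval)
    {
        string myquery = "INSERT INTO DataStore (ExternalID, CalcValue)";
        myquery += " VALUES(" + legacyData + ",";
        myquery += calcval.ToString() + ")";
        return myquery;
    }

    // Option C applied: accept only the data the column is expected to hold
    // (assumed here to be a non-negative integer), then send it as a typed
    // parameter so the value is data to the server, never SQL.
    public static int InsertRecord(SqlConnection connection, string legacyData, int calcval)
    {
        int externalId;
        if (!int.TryParse(legacyData, out externalId) || externalId < 0)
        {
            throw new ArgumentException("LegacyData is not a valid ExternalID", "legacyData");
        }

        using (SqlCommand sqlcmd = connection.CreateCommand())
        {
            sqlcmd.CommandText =
                "INSERT INTO DataStore (ExternalID, CalcValue) VALUES (@ExternalID, @CalcValue)";
            sqlcmd.Parameters.Add("@ExternalID", SqlDbType.Int).Value = externalId;
            sqlcmd.Parameters.Add("@CalcValue", SqlDbType.Int).Value = calcval;
            return sqlcmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Placeholder server and database names. Integrated Security means no
        // SQL login or password lives in the source (the point of question 2).
        string connectionString =
            "Data Source=myServer;Initial Catalog=myDatabase;Integrated Security=SSPI";
        using (SqlConnection connection = new SqlConnection(connectionString))
        {
            connection.Open();
            // Constructed input standing in for externalobject.LegacyData.
            int rows = InsertRecord(connection, "4711", 42);
            Console.WriteLine(rows + " row(s) inserted");
        }
    }
}
```

The validation step and the parameter are complementary: the parameter guarantees the value cannot change the statement's structure, while the type check rejects junk from the legacy component before a round trip to the server.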
5.You are an application developer for your company. You are developing an ASP.NET Web application. All
users in the company use Microsoft Internet Explorer 6.0. A group of users is testing the application.
The users report that when an exception occurs, the full exception information is displayed in their Web
browsers.
You need to ensure that the full exception information is not displayed when an exception occurs.
What should you do?
A: Require users to use HTTPS to access the application.
B: Trap all exceptions and display a generic error message.
C: Instruct users to enable friendly error messages in Internet Explorer.
D: Obfuscate the compiled assemblies of the application.
E: Modify the application's configuration to disable custom errors.
Correct Answers: B
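One way to trap every unhandled exception in an ASP.NET Web Forms application and show a generic page instead of the stack trace, as an added example rather than code from the exam question. It assumes a Global.asax code-behind, a static GenericError.htm page at the site root, and an event-log source named "MyWebApp" that has already been registered; those names are placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example; not code from the exam question. Global.asax code-behind
// for a Web Forms site. The page name and event source are assumptions.
public class Global : HttpApplication
{
    // Runs for any exception a page did not handle itself. The detail is
    // recorded server-side, then the error is cleared so ASP.NET does not
    // render the exception text and source snippet to the browser.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
        {
            return;
        }

        // Full detail stays on the server where administrators can read it.
        EventLog.WriteEntry("MyWebApp", ex.ToString(), EventLogEntryType.Error);

        // Discard the pending error page and send the user a generic message.
        Server.ClearError();
        Response.Redirect("~/GenericError.htm", false);
    }
}
```

As a second layer, set customErrors mode="RemoteOnly" (or "On") in Web.config so that anything the handler misses still reaches remote browsers as a generic page; option E, which disables custom errors, does the opposite.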
6.You are an application developer for your company. You are conducting a code review of an application
that was developed by another developer. The code declares a variable named permvalue and a variable
named grouplist.
A portion of the application code defines security permissions for the user. The application is designed
so that permvalue contains an integer that indicates various permissions within the application, and
grouplist contains the name of a user group. The permvalue variable also contains values that indicate
other information about the user. The grouplist and permvalue variables are initially populated by other
components, which are called by the main application.
The application contains the following code segment. (Line numbers are included for reference only.)
01 switch(grouplist) {
02 case "Admin":
03 case "Administrator":
04 permvalue = permvalue | 256;
05 break;
06 case "Reviewer":
07 permvalue = permvalue | 128;
08 break;
09 case "Manager":
10 permvalue = permvalue | 64;
11 break;
12 }
The design document for the application states that permvalue must have a value of zero when the user has
no permissions. The design document also states that users not belonging to one of the four predefined
groups must have no permissions.
You need to ensure that the code segment assigns the correct value to permvalue in all circumstances.
What should you do?
A: Add the following code before line 01 of the code segment.
if(permvalue == 0) {
throw new ApplicationException();
}
B: Add the following code before line 01 of the code segment.
permvalue = 0;
C: Add the following code between lines 01 and 02 of the code segment.
case "":
permvalue = 0;
break;
D: Add the following code between lines 11 and 12 of the code segment.
default:
permvalue = 0;
break;
Correct Answers: D
7.You are an application developer for your company. You are developing an application that will be used
by all company users. You log on to your development computer by using a user account that has local
Administrator permissions. However, most company users log on to their client computers by using an
account that has only local User permissions.
You need to ensure that your testing activities accurately reflect the production environment in which
the application will run.
How should you test the application?
A: Use a test certificate to digitally sign the compiled assemblies of the application.
B: Remove your user account from the local Administrators group on your development computer.
C: Add your user account to the local Users group on your development computer.
D: Run the compiled application from the command line by using the runas command and specifying a user
account that has only local User permissions.
Correct Answers: D
8.You are an application developer for your company. You create a Web application that is used by all
users in the company. The application is hosted on the intranet Web server, which is named WebServer.
WebServer has IIS 5.0 installed. The Web application is configured to use Integrated Windows
authentication. The Web.config file specifies that the authentication mode is set to Windows.
The application connects to a Microsoft SQL Server database named DataStore. The database is located on
WebServer. The SQL Server computer is configured with SQL Server logins disabled. The database connection
code is shown in the following code segment.
string myConnStr;
myConnStr = @"Initial Catalog=""DataStore"";";
myConnStr = myConnStr + "Data Source=localhost;Integrated Security=SSPI;";
SqlConnection myConn = new SqlConnection(myConnStr);
string myInsert;
myInsert = "INSERT INTO Customer (CustomerID, Name) Values('123', 'John Doe')";
SqlCommand myCmd = new SqlCommand(myInsert);
myCmd.Connection = myConn;
myConn.Open();
myCmd.ExecuteNonQuery();
myCmd.Connection.Close();
When you run the application by using Microsoft Internet Explorer, you receive an error message that
reads in part: "Login failed for user WebServer\ASPNET."
You need to ensure that the application can run successfully without prompting the user for a user name
and password.
What should you do?
A: Change the authentication mode in IIS to basic authentication. Update the connection string.
B: Change the authentication mode in IIS to Anonymous and supply a login ID and password for a SQL Server
login account that has access to the database. Update the connection string.
C: Enable Integrated Windows authentication in Internet Explorer.
D: Enable impersonation in the Web.config file.
Correct Answers: D
9.You are an application developer for your company, which is named Litware, Inc. You are developing a
Windows Forms scheduling application for a medical clinic. Each user of the application belongs to either
a Windows group named Receptionist or a Windows group named Manager. The domain name is Litwareinc.
The business rules of the application state that receptionists and managers can add and remove
appointments to time slots in the schedule. However, only managers can mark time slots as unavailable for
scheduled appointments. The application includes the following method, which is used to mark time slots
as unavailable.
private void BlockOutTime(int physicianID, DateTime dtStart, DateTime dtEnd)
You need to modify the code to ensure that an exception is thrown when the BlockOutTime method is called
by a user who is not a member of the Manager group.
What should you do?
A: Add the following attribute to the method.
[PrincipalPermission(SecurityAction.Demand, Role=@"Litwareinc\Manager")]
B: Add the following attribute to the method.
[SecurityRole("Manager")]
C: Add the following attribute to the method.
[SecureMethod]
D: Add the following code segment to the beginning of the method.
PrincipalPermission p = new PrincipalPermission(null, @"Litwareinc\Manager");
p.IsUnrestricted();
Correct Answers: A
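The role enforcement from this question and the IsInRole check from question 1, side by side, as an added example that is not the clinic application's code. It assumes .NET Framework (where PrincipalPermission is enforced) and that Thread.CurrentPrincipal has been set for the process; the Main method installs a constructed GenericPrincipal so the demo runs without a domain.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example; not the clinic application's code. Assumes .NET Framework.
public static class Scheduling
{
    // Declarative form (option A): the runtime demands the role before the
    // body runs and throws SecurityException if the caller is not a member.
    [PrincipalPermission(SecurityAction.Demand, Role = @"Litwareinc\Manager")]
    public static void BlockOutTime(int physicianID, DateTime dtStart, DateTime dtEnd)
    {
        // ... mark the slot unavailable ...
    }

    // Imperative equivalent. Note that option D's IsUnrestricted() only
    // reports a property of the permission object; Demand() is what enforces it.
    public static void BlockOutTimeImperative(int physicianID, DateTime dtStart, DateTime dtEnd)
    {
        PrincipalPermission p = new PrincipalPermission(null, @"Litwareinc\Manager");
        p.Demand();
        // ... mark the slot unavailable ...
    }

    // Boolean form used in question 1: no exception, the caller must act on it.
    public static bool CallerIsManager()
    {
        IPrincipal user = Thread.CurrentPrincipal;
        return user != null && user.IsInRole(@"Litwareinc\Manager");
    }

    public static void Main()
    {
        // Constructed principal for a stand-alone run; a real Windows Forms
        // app would set a WindowsPrincipal from the logged-on identity.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new string[] { @"Litwareinc\Receptionist" });

        Console.WriteLine("IsInRole(Manager): " + CallerIsManager());
        try
        {
            BlockOutTime(1, DateTime.Now, DateTime.Now.AddHours(1));
            Console.WriteLine("unexpected: receptionist was allowed to block out time");
        }
        catch (SecurityException)
        {
            Console.WriteLine("denied: caller is not a member of Litwareinc\\Manager");
        }
    }
}
```

In a Windows Forms application the principal is typically installed once at startup with AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); in ASP.NET the authenticated principal is attached to each request, which is why question 1 reads it from HttpContext.Current.User.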
10.You are an application developer for your company. You are developing a forms-based application that
reads files that are named by users of the application. The application contains the following method.
bool approveFileName(string fileName) {
string docRoot = @"C:\MyAppDocuments";
// Your code goes here… Throw an exception if you meet an error.
return true;
}
Users of the application must not be allowed to access files that are stored in any location other than
the C:\MyAppDocuments folder.
You need to add code to the method to achieve this goal.
Which code segment or code segments should you use? (Choose all that apply.)
A: fileName = Path.GetFullPath(fileName);
B: fileName = fileName.ToUpper();
C: fileName = fileName.ToLower();
D: docRoot = docRoot.ToLower();
E: fileName = docRoot + fileName;
F: if (!fileName.StartsWith(docRoot))
throw new ApplicationException(
"User asked for file in wrong directory");
Correct Answers: A, C, D, F
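The method assembled from options A, C, D and F, as an added example rather than the exam's own code, with one step beyond the question: the root is given a trailing separator before the prefix test, so a sibling folder whose name merely begins with "MyAppDocuments" is not accepted. The document root is the folder from the question; the sample paths in Main are constructed and nothing is opened.

```csharp
using System;
using System.IO;

// Added example; not the exam answer verbatim. Assumes Windows paths.
public static class FileAccessPolicy
{
    private const string DocRoot = @"C:\MyAppDocuments";

    public static bool ApproveFileName(string fileName)
    {
        if (string.IsNullOrEmpty(fileName))
        {
            throw new ApplicationException("Empty file name");
        }

        // Option A: canonicalise first. Relative names are resolved against the
        // process's current directory and "..\" segments are collapsed, so the
        // string compared below is the path the file system would actually open.
        string fullName = Path.GetFullPath(fileName);

        // Options C and D: compare both sides in the same case. NTFS names are
        // case-insensitive, so "c:\myappdocuments" is the same folder as DocRoot.
        string root = Path.GetFullPath(DocRoot).ToLowerInvariant();
        fullName = fullName.ToLowerInvariant();

        // Beyond the question: require the separator so that a sibling such as
        // C:\MyAppDocuments2\x.txt does not pass a plain prefix test.
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
        {
            root += Path.DirectorySeparatorChar;
        }

        // Option F: reject anything outside the root.
        if (!fullName.StartsWith(root))
        {
            throw new ApplicationException("User asked for file in wrong directory");
        }
        return true;
    }

    public static void Main()
    {
        // Constructed inputs; the first two should be approved, the rest rejected.
        string[] samples = {
            @"C:\MyAppDocuments\report.txt",
            @"c:\myappdocuments\sub\..\report.txt",
            @"C:\MyAppDocuments\..\Other\file.txt",
            @"C:\MyAppDocuments2\secret.txt"
        };
        foreach (string s in samples)
        {
            try
            {
                ApproveFileName(s);
                Console.WriteLine(s + " -> approved");
            }
            catch (ApplicationException ex)
            {
                Console.WriteLine(s + " -> rejected: " + ex.Message);
            }
        }
    }
}
```

Canonicalising before comparing is the essential ordering: a prefix test on the raw user string would pass "C:\MyAppDocuments\..\Other\file.txt" and a case-sensitive test would reject legitimate lower-case names. Relative names resolve against the process's current directory, so if that is not the document root they are rejected as well.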