Slide 1


Make sure you name your answer sheet, else no points for you.

Slide 2


Set 0, Q 0 How many types of NoSQL data store are there? A (< 50) B (between 50 and 100) C (between 101 and 200) D (> 201)

Slide 3


Set 0, Q 1 Is escaping a technique of: A (validation) B (filtering) C (sanitisation)

Slide 4


Set 0, Q 2 If you are using cookies for storage of client-side session artefacts, what is your main concern: A (CSRF) B (XSS)

Slide 5


Set 0, Q 3 What are the OWASP recommendations for the adaptive one-way KDF? Adaptive because the workload increases each year to keep up with advances in hardware technology. You now have control of how slow you want it to be to crack those passwords. The count should be: A (doubled each subsequent year), B (tripled each subsequent year), C (doubled each subsequent two years)

Slide 6


Set 0, Q 4 Bracketing is a technique used: A (By social engineers to elicit more precise information from a target) B (To force an attacker into a specific area of the target's network) C (When building a threat modelling team to make sure you have all the correct specialities represented within the team to be effective) D (To group types of security defects into particular types)

Slide 7


Set 0, Q 5 How many types of escaping can you think of? The team that gets closest gets the point.

Slide 8


Set 0, Q 6 Which of the following XML metacharacters would not be used to test for XML injection vulnerabilities? A (Single quotes: ') B (Double quotes: ") C (Angle brackets: ><) D (Comma: ,) E (Comment tags: <!-- -->) F (Ampersand: &) G (CDATA section delimiters: <![CDATA[ ]]>)

Slide 9


Set 0, Q 7 We have a system that takes a username and password and validates that both are correct in order to obtain information. We use any password for the password input, and the following string for the username: jdeer")(&))(" What is the type of injection that we are using here? A (SQL) B (NoSQL) C (XPath) D (LDAP) E (XML) F (XQuery) G (Command) H (XSLT) I (none of the above)

Slide 10


Set 0, Q 8 What does the syntax in the system just described that takes the username and password look like? Closest answer gets a point.

Slide 11


Set 0, Q 9 What is the notation called in the previous syntax?

Slide 12


Hand in your answer sheet

Slide 13


Set 0, A 0 How many types of NoSQL data store are there? A (< 50) B (between 50 and 100) C (between 101 and 200) D (> 225)

Slide 14


Set 0, A 1 Is escaping a technique of: A (validation) B (filtering) C (sanitisation)

Slide 15


Set 0, A 2 If you are using cookies for storage of client-side session artefacts, what is your main concern: A (CSRF) B (XSS) Cookies are susceptible to both CSRF and XSS attacks (although XSS to a lesser degree). LocalStorage is only concerned with XSS.

Slide 16


Set 0, A 3 What are the OWASP recommendations for the adaptive one-way KDF? The count should be: A (doubled each subsequent year), B (tripled each subsequent year), C (doubled each subsequent two years)

Slide 17


Set 0, A 4 Bracketing is a technique used: A (By social engineers to elicit more precise information from a target) B (To force an attacker into a specific area of the target's network) C (When building a threat modelling team to make sure you have all the correct specialities represented within the team to be effective) D (To group types of security defects into particular types)

Slide 18


Set 0, A 5 How many types of escaping can you think of? The team that gets closest gets the point.
1. HTML Escape
2. Attribute Escape
3. JavaScript Escape
4. HTML Escape JSON values in HTML context
5. CSS Escape
6. URL Escape
7. Sanitise HTML
8. Prevent DOM-based XSS

Slide 19


Set 0, A 6 Which of the following XML metacharacters would not be used to test for XML injection vulnerabilities? A (Single quotes: ') B (Double quotes: ") C (Angle brackets: ><) D (Comma: ,) E (Comment tags: <!-- -->) F (Ampersand: &) G (CDATA section delimiters: <![CDATA[ ]]>)

Slide 20


Set 0, A 7 We have a system that takes a username and password and validates that both are correct in order to obtain information. We use any password for the password input, and the following string for the username: jdeer")(&))(" What is the type of injection that we are using here? A (SQL) B (NoSQL) C (XPath) D (LDAP) E (XML) F (XQuery) G (Command) H (XSLT) I (none of the above)

Slide 21


Set 0, A 8 What does the syntax in the system just described that takes the username and password look like? Closest answer gets a point.

string ldapLoginQuery = "(&(uId="jdeer")(userPassword="3xp10it3d"))";

With search filter applied:

string ldapLoginQuery = "(&(uId="jdeer")(&))("")(userPassword="incorrectpass"))";

Slide 22


Set 0, A 9 What is the notation called in the previous syntax? Polish notation (PN), or normal Polish notation (NPN), or simply prefix notation.

Slide 23


Make sure you name your answer sheet, else no points for you.

Slide 24


Set 1, Q 0 Which of the following functionalities should you include in an authentication and session management system? A (Logout functionality) B (Regular expressions) C (Escaping functionality) D (Forwarding system functionality)

Slide 25


Set 1, Q 1 State whether the following statement is True or False. When implementing an authentication or session system, you should ensure that new session IDs are not created at login. A (True) B (False)

Slide 26


Set 1, Q 2 Which of the following is the best way to protect a Web application from unvalidated redirects and forwards? A (Validate the referrer header) B (Use extended validation certificates) C (Use the escaping technique) D (Disallow requests to unauthorized file types)

Slide 27


Set 1, Q 3 Which of the following procedures are involved in the hardening process? A (Disable unnecessary features) B (Resubmit POST parameters during redirection) C (Repeat the process at random intervals) D (Update the environment with changes only when needed)

Slide 28


Set 1, Q 4 Your application is created using a language that does not support a clear distinction between code and data. Which vulnerability is most likely to occur in your application? A (Insecure direct object references) B (Failure to restrict URL access) C (Injection) D (Insufficient transport layer protection)

Slide 29


Set 1, Q 5 Which of the following threats is most likely to be caused by poor input validation? A (Enabling of IPSec) B (Insecure cryptographic storage) C (Insufficient transport layer protection) D (Insecure direct object reference)

Slide 30


Set 1, Q 6 Which of the following is the best way to prevent a DOM-based XSS attack? A (Set the HttpOnly flag in cookies) B (Validate any input that comes from another Web site) C (Ensure that session IDs are not exposed in a URL) D (Ensure that a different nonce is created for each request)

Slide 31


Set 1, Q 7 Which of the following is an authentication system mandatory requirement? A (Form variables are used for managing session IDs) B (Use a GOTCHA to prevent automated attacks) C (User logout and session inactivity controls) D (Session IDs are only accepted from cookies and parameter variables)

Slide 32


Set 1, Q 8 Which of the following consequences is most likely to occur due to an injection attack? A (Spoofing) B (Cross-site request forgery) C (Denial of service) D (Insecure direct object references)

Slide 33


Set 1, Q 9 Which of the following scenarios is most likely to cause an injection attack? A (Unvalidated input is embedded in an instruction stream) B (Unvalidated input can be distinguished from valid instructions) C (A Web application does not validate a client’s access to a resource) D (A Web action performs an operation on behalf of the user without checking a shared secret)

Slide 34


Hand in your answer sheet

Slide 35


Set 1, A 0 Which of the following functionalities should you include in an authentication and session management system? A (Logout functionality) B (Regular expressions) C (Escaping functionality) D (Forwarding system functionality)

Slide 36


Set 1, A 1 State whether the following statement is True or False. When implementing an authentication or session system, you should ensure that new session IDs are not created at login. A (True) B (False)

Slide 37


Set 1, A 2 Which of the following is the best way to protect a Web application from unvalidated redirects and forwards? A (Validate the referrer header) B (Use extended validation certificates) C (Use the escaping technique) D (Disallow requests to unauthorized file types)

Slide 38


Set 1, A 3 Which of the following procedures are involved in the hardening process? A (Disable unnecessary features) B (Resubmit POST parameters during redirection) C (Repeat the process at random intervals) D (Update the environment with changes only when needed)

Slide 39


Set 1, A 4 Your application is created using a language that does not support a clear distinction between code and data. Which vulnerability is most likely to occur in your application? A (Insecure direct object references) B (Failure to restrict URL access) C (Injection) D (Insufficient transport layer protection)

Slide 40


Set 1, A 5 Which of the following threats is most likely to be caused by poor input validation? A (Enabling of IPSec) B (Insecure cryptographic storage) C (Insufficient transport layer protection) D (Insecure direct object reference)

Slide 41


Set 1, A 6 Which of the following is the best way to prevent a DOM-based XSS attack? A (Set the HttpOnly flag in cookies) B (Validate any input that comes from another Web site) C (Ensure that session IDs are not exposed in a URL) D (Ensure that a different nonce is created for each request)

Slide 42


Set 1, A 7 Which of the following is an authentication system mandatory requirement? A (Form variables are used for managing session IDs) B (Use a GOTCHA to prevent automated attacks) C (User logout and session inactivity controls) D (Session IDs are only accepted from cookies and parameter variables)

Slide 43


Set 1, A 8 Which of the following consequences is most likely to occur due to an injection attack? A (Spoofing) B (Cross-site request forgery) C (Denial of service) D (Insecure direct object references)

Slide 44


Set 1, A 9 Which of the following scenarios is most likely to cause an injection attack? A (Unvalidated input is embedded in an instruction stream) B (Unvalidated input can be distinguished from valid instructions) C (A Web application does not validate a client’s access to a resource) D (A Web action performs an operation on behalf of the user without checking a shared secret)

Slide 45


Make sure you name your answer sheet, else no points for you.

Slide 46


Set 2, Q 0 Who created the Sensible Security Model? A (Adam Shostack) B (Wil Allsopp) C (OWASP) D (Bruce Schneier)

Slide 47


Set 2, Q 1 What are the five steps of the Sensible Security Model?

Slide 48


Set 2, Q 2 What is the name of the OSINT tool used to gather info from GitHub accounts? A (gitrob) B (gitlifter) C (gitrape) D (gitloot) E (gitclone)

Slide 49


Set 2, Q 3 What is the name of this Nmap scan: nmap -D <decoy1>,<decoy2>,<decoy3>,<decoy4>,<decoy5>,ME

Slide 50


Set 2, Q 4 What does the ME specify in the previous question?

Slide 51


Set 2, Q 5 Name three DNS recon tools.

Slide 52


Set 2, Q 6 What would you use Dradis for?

Slide 53


Set 2, Q 7 Collectd, statsd and Graphite, when combined, are an excellent suite of components for: A (building intrusion detection systems) B (statistical analysis of vulnerabilities in Docker images) C (capturing and graphing VPS and application statistics) D (file integrity checking and graphing)

Slide 54


Hand in your answer sheet

Slide 55


Set 2, A 0 Who created the Sensible Security Model? A (Adam Shostack) B (Wil Allsopp) C (OWASP) D (Bruce Schneier)

Slide 56


Set 2, A 1 What are the five steps of the Sensible Security Model?
1. SSM Asset Identification
2. SSM Identify Risks
3. SSM Countermeasures
4. SSM Risks that Solution Causes
5. SSM Costs and Trade-offs

Slide 57


Set 2, A 2 What is the name of the OSINT tool used to gather info from GitHub accounts? A (gitrob) B (gitlifter) C (gitrape) D (gitloot) E (gitclone)

Slide 58


Set 2, A 3 What is the name of this Nmap scan: nmap -D <decoy1>,<decoy2>,<decoy3>,<decoy4>,<decoy5>,ME
Decoy

Slide 59


Set 2, A 4 What does the ME specify in the previous question?
ME marks the position of your real source address among the decoys. If it is in the 6th position or later, even the best scan detectors are unlikely to show your address at all.

Slide 60


Set 2, A 5 Name three DNS recon tools.
1. Domain Information Groper (dig)
2. dnsenum
3. dnsrecon

Slide 61


Set 2, A 6 What would you use Dradis for?
Gathering, storage and sharing of OSINT

Slide 62


Set 2, A 7 Collectd, statsd and Graphite, when combined, are an excellent suite of components for: A (building intrusion detection systems) B (statistical analysis of vulnerabilities in Docker images) C (capturing and graphing VPS and application statistics) D (file integrity checking and graphing)

Slide 63


Make sure you name your answer sheet, else no points for you.

Slide 64


Set 3, Q 0 Where is the cheapest place to find and deal with not just security defects, but all defects?

Slide 65


Set 3, Q 1 Baiting, Reciprocity and Scarcity are commonly used: A (In reconnaissance) B (By anti-virus) C (In social engineering) D (When planning for physical security)

Slide 66


Set 3, Q 2 What is the concept or principle behind the JavaScript supersets Flow and TypeScript? A (Liskov Substitution principle) B (Open/closed principle) C (Interface segregation principle) D (Design by Contract)

Slide 67


Set 3, Q 3 Which of the following is used to prevent Clickjacking, also known as a "UI redress attack"? A (HTTPS Connection) B (X-Frame-Options HTTP Header) C (Content-Security-Policy HTTP Header) D (None of the above)

Slide 68


Set 3, Q 4 The following are the steps taken, in a specific order, by the Diffie-Hellman key agreement, used as part of negotiating a session key for SSH for example. Place the steps into the correct order.
E. Both client and server agree on a symmetric cipher, so that they are both encrypting/decrypting with the same block cipher, usually AES
F. Each party then creates a public key which they exchange with the other party. These public keys are created using the symmetric cipher from step 2, the shared prime number from step 1, and derived from the private key from step 3
C. Both client and server come to agreement on a seed value, that is a large prime number
D. All communications from here on are encrypted with the same shared secret key; the connection from here on is known as the binary packet protocol. Each party can use their own shared secret key to encrypt and decrypt messages from the other party
A. Each party then creates another prime number of their own to be used as a private key for this ephemeral DH interaction
B. The party receiving the other party's public key uses this, along with their own private key and the shared prime number from step 1, to compute their own secret key. Because each party does the same, they both arrive at the same (shared/symmetric/secret) key.

Slide 69


Set 3, Q 5 What is the best investment you can make in order to add security to your Dockerised components? A (Use Control Groups to limit, track and monitor the resources available to each container) B (Reduce the number of System calls that can be made from within your container) C (Change the default user from root to one of lower privileges) D (Improve application security) E (Fine tune the Linux Namespaces (mnt, PID, net, UTS, IPC, user)) F (Make sure the images you are consuming have been checked with the likes of (Haskell Dockerfile Linter, Lynis, Docker Bench, CoreOS Clair, Banyanops collector, Anchore, TwistLock, Drydock, Actuary))

Slide 70


Set 3, Q 6 How many capabilities are there in Linux? A (12) B (38) C (48) D (>300)

Slide 71


Set 3, Q 7 How many system calls are enabled by default with SecComp in the Linux kernel? A (<50) B (>100) C (>200) D (>300)

Slide 72


Set 3, Q 8 How many system calls does the default Docker container profile disable? A (38) B (44) C (>100) D (>200)

Slide 73


Hand in your answer sheet

Slide 74


Set 3, A 0 Where is the cheapest place to find and deal with not just security defects, but all defects?
Up front

Slide 75


Set 3, A 1 Baiting, Reciprocity and Scarcity are commonly used: A (In reconnaissance) B (By anti-virus) C (In social engineering) D (When planning for physical security)

Slide 76


Set 3, A 2 What is the concept or principle behind the JavaScript supersets Flow and TypeScript? A (Liskov Substitution principle) B (Open/closed principle) C (Interface segregation principle) D (Design by Contract)
Design by Contract (DbC) enforces preconditions, postconditions and invariants in our routines.

Slide 77


Set 3, A 3 Which of the following is used to prevent Clickjacking, also known as a "UI redress attack"? A (HTTPS Connection) B (X-Frame-Options HTTP Header) C (Content-Security-Policy HTTP Header) D (None of the above)

Slide 78


Set 3, A 4 The following are the steps taken, in a specific order, by the Diffie-Hellman key agreement, used as part of negotiating a session key for SSH for example. Place the steps into the correct order.
C. Both client and server come to agreement on a seed value, that is a large prime number
E. Both client and server agree on a symmetric cipher, so that they are both encrypting/decrypting with the same block cipher, usually AES
A. Each party then creates another prime number of their own to be used as a private key for this ephemeral DH interaction
F. Each party then creates a public key which they exchange with the other party. These public keys are created using the symmetric cipher from step 2, the shared prime number from step 1, and derived from the private key from step 3
B. The party receiving the other party's public key uses this, along with their own private key and the shared prime number from step 1, to compute their own secret key. Because each party does the same, they both arrive at the same (shared/symmetric/secret) key.
D. All communications from here on are encrypted with the same shared secret key; the connection from here on is known as the binary packet protocol. Each party can use their own shared secret key to encrypt and decrypt messages from the other party

Slide 79


Set 3, A 5 What is the best investment you can make in order to add security to your Dockerised components? A (Use Control Groups to limit, track and monitor the resources available to each container) B (Reduce the number of System calls that can be made from within your container) C (Change the default user from root to one of lower privileges) D (Improve application security) E (Fine tune the Linux Namespaces (mnt, PID, net, UTS, IPC, user)) F (Make sure the images you are consuming have been checked with the likes of (Haskell Dockerfile Linter, Lynis, Docker Bench, CoreOS Clair, Banyanops collector, Anchore, TwistLock, Drydock, Actuary))

Slide 80


Set 3, A 6 How many capabilities are there in Linux? A (12) B (38) C (48) D (>300)

Slide 81


Set 3, A 7 How many system calls are enabled by default with SecComp in the Linux kernel? A (<50) B (>100) C (>200) D (>300)

Slide 82


Set 3, A 8 How many system calls does the default Docker container profile disable? A (38) B (44) … enough? Often only 3 or 4 are required C (>100) D (>200)

Slide 83


Make sure you name your answer sheet, else no points for you.

Slide 84


Set 4, Q 0 At what point would a Scrum Team usually create Evil Test Conditions? A (During Sprint Planning) B (Immediately before pulling a Sprint Backlog Item into WIP) C (Immediately after doing the code for a Sprint Backlog Item) D (Immediately before Sprint Review)

Slide 85


Set 4, Q 1 In which order should the following disciplines for preventing the traversal of untrusted data through the various execution contexts of your application be performed? A (sanitisation -> filtering -> validation) B (validation -> filtering -> sanitisation) C (filtering -> sanitisation -> validation) D (sanitisation -> validation -> filtering)

Slide 86


Set 4, Q 2 The sounding board technique is used by social engineers to: A (Gain additional information from your target using flattery) B (Elicit information by stating deliberately false statements in the hope that your target will correct you with the accurate information) C (Create an environment where the target will feel comfortable about grumbling or bragging about their situation and thus divulge useful information) D (Elicit sensitive information from the target by pretending to divulge confidential information to them)

Slide 87


Set 4, Q 3 In what order would the following steps take place in a social engineering engagement?
Exploitation
Connecting with target
Reconnaissance
Execution/Exit

Slide 88


Set 4, Q 4 One of the most effective and legal ways of obtaining quality information on a target is to hire their staff by offering them a better deal. Which of the following activities does not fit into the list of Morale, Productivity and Engagement Killers that will make technical staff more likely to be snatched? A (Adding people to a late project) B (Noisy, Crowded Offices) C (Uninterrupted development time) D (Email) E (Meetings) F (Context switching)

Slide 89


Set 4, Q 5 Which of the following tools is used for password profiling? A (Wordhound) B (Net-creds) C (Spiderfoot) D (Find-creds) E (Crunch) F (LinEnum)

Slide 90


Set 4, Q 6 Explain what Fortress Mentality is.

Slide 91


Set 4, Q 7 If I leave my computer locked when I leave it, is it safe? Provide (yes or no) and a creative answer.

Slide 92


Set 4, Q 8 When I leave my computer and I'm logged out, is it safe? Provide (yes or no) and a creative answer.

Slide 93


Set 4, Q 9 How can physical service labels be used against an organisation?

Slide 94


Hand in your answer sheet

Slide 95


Set 4, A 0 At what point would a Scrum Team usually create Evil Test Conditions? A (During Sprint Planning) B (Immediately before pulling a Sprint Backlog Item into WIP) C (Immediately after doing the code for a Sprint Backlog Item) D (Immediately before Sprint Review)

Slide 96


Set 4, A 1 In which order should the following disciplines for preventing the traversal of untrusted data through the various execution contexts of your application be performed? A (sanitisation -> filtering -> validation) B (validation -> filtering -> sanitisation) C (filtering -> sanitisation -> validation) D (sanitisation -> validation -> filtering)

Slide 97


Set 4, A 2 The sounding board technique is used by social engineers to: A (Gain additional information from your target using flattery) B (Elicit information by stating deliberately false statements in the hope that your target will correct you with the accurate information) C (Create an environment where the target will feel comfortable about grumbling or bragging about their situation and thus divulge useful information) D (Elicit sensitive information from the target by pretending to divulge confidential information to them)

Slide 98


Set 4, A 3 In what order would the following steps take place in a social engineering engagement?
1. Reconnaissance
2. Connecting with target
3. Exploitation
4. Execution/Exit

Slide 99


Set 4, A 4 One of the most effective and legal ways of obtaining quality information on a target is to hire their staff by offering them a better deal. Which of the following activities does not fit into the list of Morale, Productivity and Engagement Killers that will make technical staff more likely to be snatched? A (Adding people to a late project) B (Noisy, Crowded Offices) C (Uninterrupted development time) D (Email) E (Meetings) F (Context switching)

Slide 100


Set 4, A 5 Which of the following tools is used for password profiling? A (Wordhound) B (Net-creds) C (Spiderfoot) D (Find-creds) E (Crunch) F (LinEnum)

Slide 101


Set 4, A 6 Explain what Fortress Mentality is.
The mentality that internals are safe and that attackers only exist on the outside (applicable in physical and network security).

Slide 102


Set 4, A 7 If I leave my computer locked when I leave it, is it safe? Provide (yes or no) and a creative answer.
Probably not; it depends on physical and network access, what ports you have open and what is listening on them.

Slide 103


Set 4, A 8 When I leave my computer and I'm logged out, is it safe? Provide (yes or no) and a creative answer.
Not a lot of difference from the previous answer.

Slide 104


Set 4, A 9 How can physical service labels be used against an organisation?
Potentially valuable information can be obtained about who the service agents are, which can be used to build a pretext for social engineering the target.

Slide 105


Time to add scores...