Arcitura Education SOA Security Lab S90.20 Exam Questions

Page: 1 / 14
Total 30 questions

Want more questions? Get Premium Access.
()

Question 1

Service Consumer A submits a request message with security credentials to Service A (1). The identity store that Service A needs to use in order to authenticate the security credentials can only be accessed via a legacy system that resides in a different service inventory. Therefore, to authenticate Service Consumer A, Service A must first forward the security credentials to the legacy system (2). The legacy system then returns the requested identity to Service A (3). Service A authenticates Service Consumer A against the identity received from the legacy system. If the authentication is successful, Service A retrieves the requested data from Database A (4), and returns the data in a response message sent back to Service Consumer A (5). Service A belongs to Service Inventory A which further belongs to Security Domain A and the legacy system belongs to Service Inventory B which further belongs to Security Domain B .(The legacy system is encapsulated by other services within Service Inventory B, which are not shown in the diagram.) These two security domains trust each other. Communication between Service A and the legacy system is kept confidential using transport-layer security. It was recently discovered that a malicious attacker, posing as Service Consumer A, has been accessing Service A .An investigation revealed that these attacks occurred because security credentials supplied by Service Consumer A were transmitted in plaintext. Furthermore, vulnerabilities to replay attacks and malicious intermediaries have been detected. Which of the following statements describes a solution that can counter these types of attacks?

Also, list the industry standards required by the proposed solution.

AApply the Data Origin Authentication pattern together with the Data Confidentiality pattern in order to establish message-layer security that guarantees the confidentiality and integrity of messages exchanged by Service Consumer A and Service A .Further, a security policy can be created to require that security credentials submitted to Service A must be digitally signed and encrypted and also contain a timestamp to validate the actual time the request was issued. Industry standards that can be used for this solution are WS-Policy, WS-Security-Policy, XMLEncryption, and XML-Signature.

BApply the Service Perimeter Guard pattern together with the Trusted Subsystem pattern to establish a perimeter service that can perform security functions on behalf of Service A .Theutility service can verify the validity of the request messages from Service Consumer A by authenticating the request message against an identity store. If the request message is authenticated, the utility service then sends it to Service A for further processing. All communications between Service A and Service Consumer A can be encrypted using the public key of the intended recipient, and signed using the private key of the sender. Industry standards that can be used for this solution are XML-Encryption, XML-Signature, and WS-Trust.

CApply the Service Perimeter Guard pattern to establish a perimeter service that can perform security functions on behalf of-Service A .Next, apply the Data Confidentiality pattern so that the security credential information provided by Service Consumer A with the request message is encrypted with the secret key shared between the perimeter service and Service Consumer A .The perimeter service evaluates the credentials and if successfully authenticated, forwards the request message to Service A .Transport-layer security is used to protect message exchanges between Service A and Service Consumer A .

DApply the Trusted Subsystem pattern together with the Data Origin Authentication pattern in order to establish a utility service-that performs the security processing on behalf of Service A .Service Consumer A must digitally sign all request messages and encrypt the credential information using the public key of the utility service. The utility service can then verify the security credentials and the digital signature to establish the validity of the request message. If the request message is permitted, the utility service establishes a composite trust domain that encompasses Service Consumer A, Service A, Database A, and the legacy system. Because all communications remain within a single trust domain, malicious intermediaries will not be able to gain access to any exchanged data.

Answer : A

Question 2

Service A provides a data retrieval capability that can be used by a range of service consumers, including Service Consumer A .In order to retrieve the necessary data, Service Consumer A first sends a request message to Service A (1). Service A then exchanges request and response messages with Service B (2, 3), Service C (4, 5), and Service D (6. 7). After receiving all three response messages from Services B .C .and D, Service A assembles the collected data into a response message that it returns to Service Consumer A (8). The owner of Service A charges service consumers for each usage of the data retrieval capability. Recently, the owner of Service Consumer A has complained that the data returned by Service A is incorrect, incomplete, and from invalid sources. As evidence, the Service Consumer A owner has presented the owner of Service A with sample messages containing the incorrect and incomplete contents. As a result, the Service Consumer A owner has refused to pay the usage fees. Subsequent to an internal investigation, the owner of Service A determines that the data returned by Service A is consistently correct and complete. There are suspicions that the Service Consumer A owner is altering the original messages and issuing these complaints fraudulently in order to avoid paying the usage fees. How can the owner of Service A prove that Service A is returning correct and complete data and that this data originated from the correct sources?

AApply the Data Origin Authentication and the Data Confidentiality patterns to ensure that request and response messagesexchanged between Service A and Services B .C, and D are digitally signed and encrypted. This guarantees message integrity and confidentiality.

BApply the Data Origin Authentication pattern to verily that request and response messages exchanged by Service Consumer A and Service A and exchanged by Service A and Services B, C, and D originated from the claimed sources and have not been altered prior to transmission. Also, enhance the Service A architecture so that all messages sent to its service consumers are logged.

CApply the Brokered Authentication pattern to send the security credentials of Service Consumer A to Services B, C, and D.Service A can carry out the brokered authentication logic and therefore act as the intermediary security broker. Upon receiving Service Consumer A's request message, Service A can further verify the credentials against an external certificate authority, if the request is authenticated. Service A can create a signed SAML assertion containing Service Consumer A's credentials and the authorization information. Service A then forwards the original request message and the signed SAML assertion to Services B,C, and D .

DThe service contract of Service A can be extended with an ignorable WS-Policy assertion that states that all request and response messages are logged by Service A and that false complaints will be prosecuted.

Answer : B

Question 3

Services A, B, and C reside in Service Inventory A and Services D, E, and F reside in Service Inventory B .Service B is an authentication broker that issues WS-Trust based SAML tokens to Services A and C upon receiving security credentials from Services A and C .Service E is an authentication broker that issues WS-Trust based SAML tokens to Services D and F upon receiving security credentials from Services D and E .Service B uses the Service Inventory A identify store to validate the security credentials of Services A and C .Service E uses the Service Inventory B identity store to validate the security credentials of Services D and F .To date, the two service inventories have existed independently from each other. However, a requirement has emerged that the services in Service Inventory A need to be able to use the services in Service Inventory B, and vice versa. How can cross-service inventory message exchanges be enabled with minimal changes to the existing service inventory architectures and without introducing new security mechanisms?

ABecause SAML tokens cannot be used across multiple security domains, authentication brokers C and E need to be replaced with one single authentication broker so that one token issuer is used for all services across both of the service inventories.

BThe current security mechanism already fulfills the requirement because SAML tokens can be used across multiple security-domains. The only change required is for each authentication broker to be configured so that it issues service inventory-specific assertions for SAML tokens originating from other service inventories.

CThe individual domain service inventories need to be combined into one enterprise service inventory. The Service Perimeter Guard pattern can be applied to establish a contact point for request messages originating from outside the service inventory. Within the service inventory, services no longer need to be authenticated because they are all part of the same trust boundary.

DThe Trusted Subsystem pattern is applied to encapsulate Services B and E using a central utility service that balances request and response messages exchanged between Services B and E, depending on which service inventory the messages originate from. The utility service also contains transformation logic to ensure that the SAML tokens issued by Services B and E are compatible. This guarantees that an issued SAML token can be used across Service Inventories A and B without further need for runtime conversion.

Answer : B

Question 4

Service Consumer A sends a request message with an authentication token to Service A, but before the message reaches Service A, it is intercepted by Service Agent A (1). Service Agent A validates the security credentials and also validates whether the message is compliant with Security Policy A .If either validation fails, Service Agent A rejects the request message and writes an error log to Database A (2A). If both validations succeed, the request message is sent to Service A (2B). Service A retrieves additional data from a legacy system (3) and then submits a request message to Service B Before arriving at Service B, the request message is intercepted by Service Agent B (4) which validates its compliance with Security Policy SIB then Service Agent C (5) which validates its compliance with Security Policy B .If either of these validations fails, an error message is sent back to Service A .that then forwards it to Service Agent A so that it the error can be logged in Database A (2A). If both validations succeed, the request message is sent to Service B (6). Service B subsequently stores the data from the message in Database B (7). Service A and Service Agent A reside in Service Inventory A .Service B and Service Agents B and C reside in Service Inventory B .Security Policy SIB is used by all services that reside in Service Inventory B .Service B can also be invoked by other service from within Service Inventory B .Request messages sent by these service consumers must also be compliant with Security Policies SIB and B .New services are being planned for Service Inventory A .To accommodate service inventory-wide security requirements, a new security policy (Security Policy SIA) has been created. Compliance to Security Policy SIA will be required by all services within Service Inventory A .Some parts of Security Policy A and Security Policy SIB are redundant with Security Policy SIA .How can the Policy Centralization pattern be correctly applied to Service Inventory A without changing the message exchange requirements of the service composition?

AThe parts of Security Policy A and Security Policy SIB that are redundant with Security Policy SIA are removed so that there is no overlap among these three security policies. A new service agent is introduced into Service Inventory A to validate compliance to the new Security Policy SIA prior to messages being validated by Service Agent A .Another new service agent is introduced into Service Inventory B to validate compliance to the new Security Policy SIA prior to messages being validated by Service Agents B and C .

BThe parts of Security Policy A that are redundant with Security Policy SIA are removed so that there is no overlap between these two security policies. A new service agent is introduced into Service Inventory A to validate compliance to the new Security Policy SIA prior to messages being validated by Service Agent A .

CThe parts of Security Policy A and Security Policy SIB that are redundant with Security Policy SIA are removed so that there is no overlap among these three security policies. Service Agent A is updated so that it can validate messages for compliance with both Security Policy A and Security Policy SIA .Service Agent B is updated so that it can validate messages for compliance with both Security Policy SIA and Security Policy SIB .Service Agent C remains unchanged.

DDue to the amount of overlap among Security Policy A, Security Policy SIA, and Security Policy SIB, the Policy Centralization pattern cannot be correctly applied without changing the message exchange requirements of the service composition.

Answer : B

Question 5

Service Consumer A sends a request message to Service A (1), after which Service A sends a request message to Service B (2). Service B forwards the message to have its contents calculated by Service C (3). After receiving the results of the calculations via a response message from Service C (4), Service B then requests additional data by sending a request message to Service D (5). Service D retrieves the necessary data from Database A (6), formats it into an XML document, and sends the response message containing the XML-formatted data to Service B (7). Service B appends this XML document with the calculation results received from Service C, and then records the entire contents of the XML document into Database B (8). Finally, Service B sends a response message to Service A (9) and Service A sends a response message to Service Consumer A (10). Services A, B and D are agnostic services that belong to Organization A and are also being reused in other service compositions. Service C is a publicly accessible calculation service that resides outside of the organizational boundary. Database A is a shared database used by other systems within Organization A and Database B is dedicated to exclusive access by Service B .Service B has recently been experiencing a large increase in the volume of incoming request messages. It has been determined that most of these request messages were auto-generated and not legitimate. As a result, there is a strong suspicion that the request messages originated from an attacker attempting to carry out denial-of-service attacks on Service B .Additionally, several of the response messages that have been sent to Service A from Service B contained URI references to external XML schemas that would need to be downloaded in order to parse the message data. It has been confirmed that these external URI references originated with data sent to Service B by Service C .The XML parser currently being used by Service A is configured to download any required XML schemas by default. This configuration cannot be changed. What steps can be taken to improve the service composition architecture in order to avoid future denial-of-service attacks against Service B and to further protect Service A from data access-oriented attacks?

AApply the Data Origin Authentication pattern so that Service B can verify that request messages that claim to have been sent by Service A actually did originate from Service A .Apply-the Message Screening pattern to add logic to Service A so that it can verify that external URIs in response messages from Service B refer to trusted sources.

BApply the Service Perimeter Guard pattern to establish a perimeter service between Service B and Service C .Apply the-Brokered Authentication pattern by turning the perimeter service into an authentication broker that is capable of ensuring that only legitimate response messages are being sent to Service C from Service B Further apply the Data Origin Authentication pattern to enable the perimeter service to verify that messages that claim to have been sent by Service C actually originated from Service C .Apply the Message Screening pattern to add logic to the perimeter service to also verify that URIs in request messages are validated against a list of permitted URIs from where XML schema downloads have been pre-approved.

CApply the Service Perimeter Guard pattern and the Message Screening pattern together to establish a service perimeter guard that can filter response messages from Service C before they reach Services A and B .The filtering rules are based on the IP address of Service C .If a request message originates from an IP address not listed as one of the IP addresses associated with Service C .then the response message is rejected.

DApply the Direct Authentication pattern so that Service C is required to provide security credentials, such as Username tokens, with any response messages it sends to Service B .Furthermore, add logic to Service A so that it can validate security credentials passed to it via response messages from Service B .by using an identity store that is shared by Services A and B .

Answer : A

Question 6

Service A is a publically accessible service that provides free multimedia retrieval capabilities to a range of service consumers. To carry out this functionality, Service A is first invoked by Service Consumer A (1). Based on the nature of the request message received from Service Consumer A, Service A either invokes Service B or Service C .When Service B is invoked by Service A (2A) it retrieves data from publicly available sources (not shown) and responds with the requested data (3A). When Service C is invoked by Service A (2B) it retrieves data from proprietary sources within the IT enterprise (not shown) and responds with the requested data (3B). After receiving a response from Service B or Service C, Service A sends the retrieved data to Service Consumer A (4). Service B does not require service consumers to be authenticated, but Service C does require authentication of service consumers. The service contract for Service A therefore uses WS-Policy alternative policies in order to express the two different authentication requirements to Service Consumer A .When Service Consumer A sends a request message (1), Service A determines whether the request requires the involvement of Service C and then checks to ensure that the necessary security credentials were received as part of the message. If the credentials provided by Service Consumer A are verified. Service A creates a signed SAML assertion and sends it with the request message to Service C (2B) This authentication information is protected by public key encryption However, responses to Service Consumer A's request message (3B, 4) are not encrypted for performance reasons. Recently, the usage of Service C has noticeably declined. An investigation has revealed response messages issued by Service C (3B) have been repeatedly intercepted and accessed by unauthorized and malicious intermediaries. As a result, Service Consumer A has lost confidence in the use of Service A for the retrieval of proprietary data because it is being viewed as a security risk. This is especially troubling, because the owner of Service A had planned to start charging a fee for Service A's ability to provide proprietary data via the use of Service C .How can this service composition architecture be changed to address the security problem with minimal impact on runtime performance?

AUse the existing PKI to provide message-layer security for the response messages originating from Service C .To provide-message confidentiality, Service C can encrypt the response messages using Service Consumer A's public key. This prevents unauthorized intermediaries from accessing the content of response messages.

BUse the existing PKI to provide two-way authentication of the exchanged messages. After receiving a request from the service consumer, Service A can respond with a signed acknowledgement of the message, encrypted by the public key of Service Consumer A .Only Service Consumer A will be able to decrypt the encrypted acknowledgement. Service Consumer A then responds to the acknowledgement, thereby verifying its identity with Service A .Because both Service Consumer A and Service A are mutually authenticated, end-to-end transport-layer security is sufficient to provide message confidentiality in order to prevent unauthorized intermediaries from accessing messages originating from Service C .

CUse the existing PKI to establish secure communication between Service Consumer A and Service C .A symmetric key can be generated for the data being sent from Service C to Service Consumer A Service C can generate a session key that is encrypted with Service Consumer A's public key. Service C can then attach the session key to the response message, which is encrypted using the session key. Because only Service Consumer A can decrypt the encrypted session key, the data transmitted in the message is safe from access by unauthorized intermediaries.

DUse the existing PKI to specify encryption and digital signature requirements on the messages. Service C can use Service-Consumer A's public key to generate a symmetric key. Service Consumer A can also generate the same session key from its own public key. Service C can use the session key to encrypt the response message (and the hash value of the response message), concatenate them, and send them to Service Consumer A .Service Consumer A separates the concatenated and encrypted hash value, decrypts it, and then decrypts the encrypted response message. As a result, the confidentiality and integrity of the response message are guaranteed.

Answer : C

Question 7

Service A provides a customized report generating capability. Due to infrastructure limitations, the number of service consumers permitted to access Service A concurrently is strictly controlled. Service A validates request messages based on the supplied credentials (1). If the authentication of the request message is successful, Service A sends a message to Service B (2) to retrieve the required data from Database A (3). Service A stores the response from Service B (4) in memory and then issues a request message to Service C (5). Service C retrieves a different set of data from Database A (6) and sends the result back to Service A (7). Service A consolidates the data received from Services B and C and sends the generated report in the response message to its service consumer (8).

This service composition was recently shut down after it was discovered that Database A had been successfully attacked twice in a row. The first type of attack consisted of a series of coordinated request messages sent by the same malicious service consumer, with the intention of triggering a range of exception conditions within the database in order to generate various error messages. The second type of attack consisted of a service consumer sending request messages with malicious input with the intention of gaining control over the database server. This attack resulted in the deletion of database records and tables. An investigation revealed that both attacks were carried out by malicious service consumers that were authorized. How can the service composition security architecture be improved to prevent these types of attacks?

AApply the Data Confidentiality pattern together with the Data Origin Authentication pattern. This establishes message-level-security so that all messages are encrypted and digitally signed. Secondly, the Service A logic must be enhanced so that it can keep track of the trustworthiness of its service consumers If a request message originated from a trustworthy service consumer, then the request message is processed as normal. If the request message originates from a non-trustworthy service consumer, then the request message is rejected and an error message is returned to the service consumer.

BApply the Service Perimeter Guard pattern together with the Trusted Subsystem pattern. This establishes a perimeter service between Database A and any service that requires access to it (including Services B and C). The perimeter service evaluates incoming data requests and filters out those that can introduce a security risk. Only request messages issued by authorized services and service consumers are forwarded to Database A .Responses originating from Database A are further evaluated by the trusted subsystem to remove any unauthorized data. The two patterns together ensure that only authorized data is returned to the service consumer and that no request messages present a security threat to Database A.

CApply the Exception Shielding pattern together with the Message Screening pattern. This establishes new logic within Service A that screens incoming request messages for data-driven attacks (such as SQL injection and X-Path injection attacks), and also evaluates whether exception details returned by Database A contains potentially confidential or unsafe information. Any inappropriate exception information is replaced with sanitized content.

DApply the Trusted Subsystem pattern to protect Database A from data-driven attacks and to evaluate whether database-responses contain inappropriate data. The trusted subsystem maintains a snapshot of Database A and executes the original service consumer's request message against the snapshot. The processing logic that accesses the snapshot has limited privileges in order to prevent malicious attacks from overtaking the database. If no security violation is detected during the processing of the snapshot, then the original service consumer's request is forwarded to Database A .If an error message is generated during the processing of the snapshot, then it is returned to the original service consumer and the request is not forwarded to Database A .Because the error message was generated on the snapshot, it cannot contain unsafe information about Database A.

Answer : C