Exam 200-901 topic 1 question 93 discussion

C is the answer

The answer must be C. The scenario specifically mentions that the communication is done over HTTPS, which provides encryption during transit. Therefore, it is not the primary security issue in this scenario.

A. User ---HTTPS--- > Application ----NOT Encrypted-----> Vault Services

It is C. The main big issue here is that the API key are in the config files, hence they are in plain text. If the system is compromised the key is readeable. Now, A is not a concern because usually internal apps communicate through plain HTTP. Think it this way when you are at home you are not as vigilant of your surroundings as when you are in the streets. Same here, we have the app that communicates with external clients, that is encripted, but for internal services it is not encripted (As far as we know). HTTPS is encription in transit, to avoid snooping or MITM, but if someone is inside your house (or your infrastrcuture) your worries are not snooping, they already have access!!

I'll go with C because it mentions HTTPS

Correct answer is C API keys to services are part of the configuration files of the application. This is de problem. API KEY should be used to safely environment values, that is the better recomendation

C seems to be the most correct since HTTPS is mentioned

This is a very tricky question. There are two main parts: 1. Talks about the credentials that the app receives from the external vault service. 2. It later uses these same credentials to sync via HTTPS to other services. We don't know if step 1 is also encrypted with TLS (HTTPS). If you really dig into it, it is indeed A.

I go C here

Does anyone know if this one is correct? I've tried googling it and can't figure out the correct answer

It should be C