Which of the following should customers who are involved with UI developer agreements be concerned with when considering the use of these products on highly sensitive projects?
I totally feel you mate, I am a non-English speaker, I think CompTIA meant below,
Which one of the 4 multiple choices, should customers (who are involved with UI developer agreements) be concerned with when considering the use of these products (I don't know, what products they are talking about??) on highly sensitive projects?
God knows, what CompTIA is thinking, while writing this question.
the POINT is Customer...
Customer with UI developer concerned is configuration security is important more than the code. For coding concerned should be vendor with UI developer.
Let me confuse everybody. My instinct says D.
But CompTIA SG page 256 says
"In some cases, application developers, vendors, and systems administrators make it easy for an attacker. Systems often ship with default administrative accounts that may remain unchanged. For example, Figure 6.11 shows a section of the manual for a Zyxel router that includes a default username and password as well as instructions for changing that password."
I would assume that the customer outsourced the code development because they thought the external party would be doing a great job in code development; this negates the issue of weak configurations. The question would be how to ensure that they have the necessary NDA in place to ensure the secrecy of the codes due to the sensitive nature of the project. My choice is D.
The reason I lean towards Weak configurations is this: While Outsourced code development involves bringing in external individuals or firms to handle software development, it doesn't automatically equate to vulnerabilities. However, Weak configurations pose a direct risk, potentially leading to vulnerabilities within the system.
So (A), Weak configurations would be my biggest concern.
While outsourced code development is indeed a concern for customers involved in UI developer agreements, it's not directly related to the use of the products on highly sensitive projects. The concern with outsourced code development generally revolves around issues like code quality, reliability, and adherence to specifications. However, for highly sensitive projects, ensuring the security of user accounts is paramount, as any compromise in user account security could lead to unauthorized access to sensitive data or resources. Therefore, unsecure user accounts (option C) would typically be the primary concern in such scenarios.
Originally, I figured D: outsourced code development; however, there's no indication that the UI developer would outsource their work.
Weak configurations make a lot of sense with regard to storing API keys and connection strings, etc. in a config file in a public-facing UI (mobile apps or websites). From my experience, this is pretty common (even worse, I've seen JavaScript files with API keys out for the taking!).
Insecure user accounts represent a direct vulnerability where unauthorized users could gain access to the system or sensitive information through compromised accounts. This is often a more immediate and direct threat compared to weak configurations, which might leave the system vulnerable to exploitation but may not necessarily result in unauthorized access without other vulnerabilities being exploited.
Therefore, addressing insecure user accounts should generally take precedence as it involves directly securing access points to the system. Once user accounts are secured, attention can be turned to addressing weak configurations to further enhance the overall security posture of the system.
UI developer agreements....folks, agreements have nothing to do with weak configurations. They are most likely concerned about undocumented backdoors due to code outsourcing. D
For a UI? Maybe for backend work, but weak configurations are warned about all the time with any web development work. Directory traversal to config files with everything from database logins to API keys is one. Setting permissions on directories, and much, much more. It's an extremely common attack vector (looking for the config files). As a dev for 25 years, I can attest to this still-lingering problem, especially with UI people.
Customers who are involved with UI developer agreements should be particularly concerned with **Outsourced Code Development** when considering the use of these products on highly sensitive projects.
Outsourced code development can introduce a variety of risks, especially when dealing with sensitive projects. These risks include, but are not limited to, the potential for weak or insecure coding practices, lack of control over the development process, and potential for intellectual property theft. Therefore, it's crucial to have robust security measures and strict oversight in place when outsourcing code development. So, the correct answer is D. Outsourced Code Development.
For UI, we're really talking about JavaScript, right? The code is right there for anyone to see. If the client side is configured wrong (or holds DB logins, API keys, or poor directory permissions, etc.), this most common attack vector is easily exploited.
I have to go with A. The reason is the question already states the customer is outsourcing the code development, so naturally it is a concern. Taking it a step further, what would the customer be concerned with using a 3rd party?
Customers are more likely to be concerned about outsourcing than weak configuration. In fact most times they cannot tell the difference in configuration! Control is still within the developer's hands but with outsourcing, the risk compounds!
But it's for UI (web client side) and all the code is in JavaScript (these days), so they can't really hide much; however, in client-side work, config files are often exploited, as well as weak directory permissions (configs). It's the most common attack vector for websites, followed by XSS, CSRF, and SQLi.
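The risk several comments raise (API keys, database logins and connection strings shipped in client-side JavaScript or config files) can be checked for before a UI build is deployed. The following is an added example, not part of any comment in the thread; the rule names, patterns and sample bundle are constructed for illustration.

```javascript
// Added example: scan client-side source for credentials before it ships.
// Patterns, rule names and the sample bundle are constructed for illustration.
const RULES = [
  // AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits.
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // URI carrying inline credentials: scheme://user:password@host
  { name: "credentials-in-uri",
    re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:\/@"']+:[^\s@"']+@[^\s"']+/gi },
  // A long string literal assigned to a key/secret/token/password-like name.
  { name: "hardcoded-secret",
    re: /\b(?:api[_-]?key|secret|token|passw(?:or)?d)\w*["']?\s*[:=]\s*["']([^"']{12,})["']/gi },
];

// Keep only a short prefix so the report itself does not leak the value.
function redact(value) {
  return value.slice(0, 4) + "*".repeat(Math.max(value.length - 4, 0));
}

// Returns one finding per match: { file, line, rule, match }.
function scanClientSource(fileName, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const { name, re } of RULES) {
      for (const m of line.matchAll(re)) {
        findings.push({ file: fileName, line: idx + 1, rule: name,
                        match: redact(m[1] ?? m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample of what a misconfigured UI bundle might contain.
const SAMPLE_BUNDLE = [
  'const config = {',
  '  apiBase: "https://api.example.test/v1",',
  '  apiKey: "constructed-key-0123456789",',
  '  awsKeyId: "AKIAIOSFODNN7EXAMPLE",',
  '  db: "postgres://app:s3cr3t@db.example.test:5432/prod",',
  '  theme: "dark",',
  '};',
].join("\n");

for (const f of scanClientSource("app.bundle.js", SAMPLE_BUNDLE)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.match}`);
}
```

A check like this belongs in the build pipeline as a gate on the bundled output, since anything that reaches the browser is readable by every user.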
UI developer agreements most likely mean that the UI development is outsourced to a third party hence there is a need for a contract/agreement.
When a third party is performing code development, the organisation/company should be aware of the following:
• Accessing the code base
  – Internal access over a VPN
  – Cloud-based access
• Verify security to other systems
  – The development systems should be isolated
• Test the code security
  – Check for backdoors
  – Validate data protection and encryption
Taken from profmesser
SY0-601 Exam Questions
Community vote distribution: A (35%), C (25%), B (20%), Other