Prevention of information exposure. This concept focuses on ensuring that sensitive information, such as stack traces, debug output, and detailed error messages, is not disclosed to unauthorized parties through the user interface.
OWASP is not a "concept"... The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security... So how can the answer ever be "A" unless COMPTIA's English Language is rubbish...
"Error Handling and Logging" is listed as one of the secure coding practices by OWASP and the closest available choice in the question is "D. Prevention of information exposure".
Prevention of information exposure is a secure application development concept that aims to block verbose error messages from being shown in a user's interface. Verbose error messages can potentially reveal sensitive information about the application's underlying infrastructure, code, or data, which can be exploited by attackers.
OWASP (Option A) stands for the Open Web Application Security Project, which is a community-driven organization focused on improving the security of software. While OWASP provides guidelines and resources for secure application development, it is not specifically focused on blocking verbose error messages.
Verbose error messages are good for developers in helping them find errors. However, it is bad because verbose is wordy and can give too much info to the wrong people. Verbose messages are best in testing environments since if seen in the testing and development stages it isn't yet public facing and those wrong eyes will never see them. Blocked via a proper rollout.
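The point made in the comments above (verbose errors help developers but should not reach a user's interface), shown as an added example that is not part of any comment or of the exam material. The function names, the `debug` flag and the host name in the exception text are constructed for illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")  # server-side log, never shown to users


def lookup_account(account_id):
    """Constructed failing operation: the exception text carries internals."""
    raise RuntimeError(
        f"query failed on db-internal-01:5432 table=accounts id={account_id}"
    )


def render_error_verbose(exc):
    """Weak form: the exception text and stack trace go to the user interface."""
    detail = traceback.format_exception(type(exc), exc, exc.__traceback__)
    return {"status": 500, "body": "".join(detail)}


def render_error_safe(exc, debug=False):
    """Hardened form: details go to the log, the user gets a generic message.

    debug=True is an assumed switch for development/testing builds only.
    """
    incident_id = uuid.uuid4().hex[:12]  # lets support find the log entry
    log.error("incident %s", incident_id,
              exc_info=(type(exc), exc, exc.__traceback__))
    if debug:
        return render_error_verbose(exc)
    return {"status": 500,
            "body": f"Something went wrong. Reference: {incident_id}"}


def handle_request(account_id, renderer):
    """Run the operation and turn any failure into a response via renderer."""
    try:
        return {"status": 200, "body": lookup_account(account_id)}
    except Exception as exc:
        return renderer(exc)


if __name__ == "__main__":
    print(handle_request(42, render_error_verbose)["body"])
    print(handle_request(42, render_error_safe)["body"])
```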
Prevention of information exposure isn't an application development concept, but obfuscation is. "Here’s an example of code obfuscation. This is a single line of code in PHP that puts on the screen a message that says, Hello world, so it’s echo, a quote sign, Hello World, in the quotes, and a semicolon. This exact same function can be represented by this amount of code. This is obfuscated code, that has taken a very simple echo message and put this on the screen, and turned it into something that’s extremely difficult for a human to look at, and understand that that’s what’s going to happen."....."Fortunately, the computer understands the obfuscated code perfectly. It only prevents human beings from being able to read through that code and understand what’s going on. The obfuscated code makes it more difficult for someone to look at the software, and determine where any security vulnerabilities might be." - Professor Messer
D is the correct answer.
Explanation:
1. The question states "application" in general, so we could understand that it's referring to both web applications and desktop applications.
2. The best option (with the most information) is D, since OWASP is a standard for web security -> we could rule this out, although it also has prevention controls for information exposure.
Which OWASP Top 10 security flaw is considered the most prevalent?
6. Security Misconfiguration. Security misconfiguration is the most common vulnerability on the list, and is often the result of using default configurations or displaying excessively verbose errors.
https://www.calendar-uk.co.uk/faq/which-owasp-top-10-security-flaw-is-considered-the-most-prevalent
OWASP (The Open Worldwide Application Security Project) is a community that provides resources, etc. for web application security. This question is asking for a "secure application development concept." OWASP is not a 'concept.' Or am I wrong? CompTIA kills me with these vague questions.
That's a great point. If they said "which IT concept provides the stupidest questions" and CompTIA was one of the answers, I would be tempted to choose it. But it's not just a concept, is it?
sdc939 (Highly Voted): 2 years, 4 months ago
i_luv_stoneface (Highly Voted): 2 years, 4 months ago
durel (Most Recent): 1 year, 1 month ago
memodrums: 1 year, 4 months ago
je123: 1 year, 10 months ago
ApplebeesWaiter1122: 2 years ago
JAMBER: 2 years, 1 month ago
MortG7: 1 year, 2 months ago
lowkey_nerd: 2 years, 1 month ago
hieptran: 2 years, 2 months ago
Nishkurup: 2 years, 2 months ago
[Removed]: 2 years, 2 months ago
NerdAlert: 2 years, 2 months ago
BrunoLu: 2 years, 3 months ago
Nick40: 2 years, 3 months ago
Nick40: 2 years, 3 months ago
NeoSam999: 2 years, 4 months ago