195k views
4 votes
After significant vulnerabilities and misconfigurations were found in numerous production web applications, a security manager identified the need to implement better development controls.

Which of the following controls should be verified? (Choose two.)

A. Input validation routines are enforced on the server side.
B. Operating systems do not permit null sessions.
C. Systems administrators receive application security training.
D. VPN connections are terminated after a defined period of time.
E. Error-handling logic fails securely.
F. OCSP calls are handled effectively.

by User Jamjam (8.1k points)

1 Answer

0 votes

Final answer:

For better development controls, it is important to verify that input validation is enforced on the server side and that error-handling logic fails securely. These measures prevent common attacks and protect against information exposure during errors.

Step-by-step explanation:

In response to the question about the need to implement better development controls after identifying vulnerabilities in web applications, the following two controls should be verified:

  • Input validation routines are enforced on the server side: It's essential that all input received from users is validated on the server side to prevent attacks such as SQL injection, cross-site scripting, and other forms of malicious input. This should be part of standard development practices.
  • Error-handling logic fails securely: When an error occurs in an application, the handling of this error should not expose any sensitive information or provide a potential attack vector. Secure error handling is a critical aspect of application security.

While other options such as training for systems administrators and handling OCSP (Online Certificate Status Protocol) calls may also be important, input validation and secure error handling directly address common application vulnerabilities and are a priority in web application development.

by User Vincent Mathew (8.3k points)
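
The two controls chosen in the answer above, shown as an added example that is not part of the original question or answer: a request handler that validates input on the server with allow-lists and fails securely when anything goes wrong. The handler, field names, roles and backend callable are all hypothetical.

```python
import logging
import re
import uuid

log = logging.getLogger("app")

# Hypothetical allow-lists: accept only what is known to be good.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
ALLOWED_ROLES = {"viewer", "editor"}


class ValidationError(ValueError):
    """Raised when client-supplied data fails a server-side check."""


def validate_request(form):
    """Server-side validation; runs no matter what the client already checked."""
    username = form.get("username")
    role = form.get("role")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username")
    if not isinstance(role, str) or role not in ALLOWED_ROLES:
        raise ValidationError("role")
    return {"username": username, "role": role}


def handle(form, backend):
    """Return (status, body). Every failure path denies the request."""
    try:
        clean = validate_request(form)
        backend(clean)  # only validated data reaches the backend
        return 200, {"status": "ok"}
    except ValidationError as exc:
        # Name the rejected field, never echo the rejected value back.
        return 400, {"error": "invalid input", "field": str(exc)}
    except Exception:
        # Fail securely: full detail goes to the server log only; the client
        # gets a generic message plus a reference for support to correlate.
        ref = uuid.uuid4().hex
        log.exception("request failed ref=%s", ref)
        return 500, {"error": "internal error", "ref": ref}
```

The unexpected-error branch is the fail-secure part: the operation is not performed, and the exception text stays in the server log instead of the response.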