Exam Details

  • Exam Code: S90-19A
  • Exam Name: Advanced SOA Security
  • Certification: SOACP
  • Vendor: SOA
  • Total Questions: 83 Q&As
  • Last Updated: May 13, 2025

SOA SOACP S90-19A Questions & Answers

  • Question 51:

    Service A requires message confidentiality using message-layer security. You are asked to create a security policy for Service A that communicates its confidentiality requirements. However, you have not yet determined the type of encryption mechanism that will be used to enable message confidentiality.

    What types of binding assertions can you use to convey what service consumers should expect in the WS-Security header of SOAP messages exchanged by the service?

    A. Transport binding assertion

    B. Symmetric binding assertion

    C. Asymmetric binding assertion

    D. Protection binding assertion

  • Question 52:

    The same security policy has been redundantly implemented as part of the service contracts for Web services A, B and C. In order to reduce the effort of maintaining multiple redundant service policies, it has been decided to centralize policy enforcement across these three services.

    Which of the following industry standards will need to be used for Web services A, B and C in order for their service contracts to share the same security policy document?

    A. WS-PolicyAttachment

    B. WS-SecureConversation

    C. WS-Trust

    D. WS-Security
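The mechanism Question 52 is asking about is a policy attachment: each binding in a WSDL carries a `wsp:PolicyReference` whose `URI` points at one shared `wsp:Policy` element identified by `wsu:Id`, instead of each contract embedding its own copy. The Java program below is an added example written for this page, not code from the exam or from any SOA vendor; it embeds a constructed WSDL fragment (the service names, `urn:example:inventory` namespace and policy id `SharedConfidentiality` are invented) and checks that all three bindings resolve to the same policy document, then reports which WS-SecurityPolicy binding assertion (the Question 51 choice of transport, symmetric or asymmetric) that document declares. It uses only the JDK's built-in DOM parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Resolves wsp:PolicyReference links in a WSDL to the shared wsp:Policy they point at. */
public class PolicyAttachmentCheck {
    static final String WSDL_NS = "http://schemas.xmlsoap.org/wsdl/";
    static final String WSP = "http://www.w3.org/ns/ws-policy";
    static final String SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String NEVER = SP + "/IncludeToken/Never";

    // Constructed sample: one policy document, three bindings that each attach it by reference.
    static final String WSDL = String.join("\n",
        "<wsdl:definitions xmlns:wsdl='" + WSDL_NS + "' xmlns:wsp='" + WSP + "'",
        "    xmlns:sp='" + SP + "' xmlns:wsu='" + WSU + "' xmlns:tns='urn:example:inventory'>",
        "  <wsp:Policy wsu:Id='SharedConfidentiality'>",
        "    <wsp:ExactlyOne><wsp:All>",
        "      <sp:SymmetricBinding><wsp:Policy>",
        "        <sp:ProtectionToken><wsp:Policy>",
        "          <sp:X509Token sp:IncludeToken='" + NEVER + "'>",
        "            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>",
        "        </wsp:Policy></sp:ProtectionToken>",
        "        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>",
        "        <sp:IncludeTimestamp/>",
        "      </wsp:Policy></sp:SymmetricBinding>",
        "      <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>",
        "    </wsp:All></wsp:ExactlyOne>",
        "  </wsp:Policy>",
        "  <wsdl:binding name='ServiceABinding' type='tns:ServiceA'>",
        "    <wsp:PolicyReference URI='#SharedConfidentiality'/></wsdl:binding>",
        "  <wsdl:binding name='ServiceBBinding' type='tns:ServiceB'>",
        "    <wsp:PolicyReference URI='#SharedConfidentiality'/></wsdl:binding>",
        "  <wsdl:binding name='ServiceCBinding' type='tns:ServiceC'>",
        "    <wsp:PolicyReference URI='#SharedConfidentiality'/></wsdl:binding>",
        "</wsdl:definitions>");

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // required, or the wsp:/sp:/wsu: lookups below see no namespaces
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // a contract needs no DTD
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Follow a local PolicyReference URI ("#id") to the wsp:Policy element whose wsu:Id matches. */
    static Element resolvePolicy(Document doc, String uri) {
        if (!uri.startsWith("#")) {
            throw new IllegalArgumentException("only intra-document references handled here: " + uri);
        }
        String id = uri.substring(1);
        NodeList policies = doc.getElementsByTagNameNS(WSP, "Policy");
        for (int i = 0; i < policies.getLength(); i++) {
            Element p = (Element) policies.item(i);
            if (id.equals(p.getAttributeNS(WSU, "Id"))) {
                return p;
            }
        }
        throw new IllegalStateException("dangling PolicyReference: " + uri);
    }

    /** Local name of the binding assertion (TransportBinding, SymmetricBinding or AsymmetricBinding) in a policy. */
    static String bindingAssertion(Element policy) {
        NodeList assertions = policy.getElementsByTagNameNS(SP, "*");
        for (int i = 0; i < assertions.getLength(); i++) {
            String local = assertions.item(i).getLocalName();
            if (local.endsWith("Binding")) {
                return local;
            }
        }
        return "(no binding assertion)";
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(WSDL);
        Set<String> distinctPolicies = new LinkedHashSet<>();
        NodeList bindings = doc.getElementsByTagNameNS(WSDL_NS, "binding");
        for (int i = 0; i < bindings.getLength(); i++) {
            Element binding = (Element) bindings.item(i);
            NodeList refs = binding.getElementsByTagNameNS(WSP, "PolicyReference");
            for (int j = 0; j < refs.getLength(); j++) {
                String uri = ((Element) refs.item(j)).getAttribute("URI");
                Element policy = resolvePolicy(doc, uri);
                String id = policy.getAttributeNS(WSU, "Id");
                distinctPolicies.add(id);
                System.out.println(binding.getAttribute("name") + " -> " + id + " (" + bindingAssertion(policy) + ")");
            }
        }
        System.out.println("distinct policy documents attached: " + distinctPolicies.size());
    }
}
```

The `distinctPolicies` set is the point of the exercise: once the three bindings reference one `wsu:Id`, a change to the confidentiality requirement is made in one place. A dangling reference throws rather than silently leaving a binding unprotected, which is the failure mode to watch for when the policy is later moved into a separate, externally referenced document.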

  • Question 53:

    Service A contains reporting logic that issues SQL queries against a database to generate reports. The actual SQL query syntax is determined at runtime. It has been reported that some of these queries ended up retrieving highly confidential data by accessing tables that service consumers were not authorized for.

    How can this be avoided?

    A. Stored procedures should be used instead of executing an SQL query that is determined at runtime.

    B. The Message Screening pattern needs to be applied to Service A.

    C. The database security should be increased so that the account under which Service A executes SQL queries has restricted access.

    D. None of the above

  • Question 54:

    Service A's logic has been implemented using unmanaged code. An attacker sends a message to Service A that contains specially crafted data capable of manipulating the quoting within a particular XPath expression. This results in the release of confidential information.

    Service A is a victim of which kind of attack?

    A. Buffer overrun attack

    B. Insufficient authorization attack

    C. XPath injection attack

    D. None of the above.

  • Question 55:

    The Service Perimeter Guard pattern can be used in combination with other patterns to help avoid both data-oriented attacks and access-oriented attacks.

    A. True

    B. False

  • Question 56:

    A service is designed to respond to an error condition by issuing a message containing detailed error information. This message includes connection information for a database that is shared by numerous services within the service inventory. An attacker intentionally sends an invalid message to the service in order to trigger an error and receive the connection information. The attacker then proceeds to connect to the database and issues a series of malicious SQL queries that make the database non-responsive. As a result, a number of services within the service inventory are disabled.

    Which of the following types of attacks were successfully carried out?

    A. SQL injection attack

    B. Exception generation attack

    C. Denial of service attack

    D. Buffer overrun attack
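The scenario in Question 56 starts with a service that echoes raw error detail, including a database connection string, back to whoever triggered the fault. The Java class below is an added example for this page, not code from the exam or from any particular service stack: it contrasts that leaky fault text with a sanitized one that logs the full detail server-side and returns only a generic message plus a correlation id, and adds a last-line check a fault interceptor can run before a response leaves the service boundary. The connection string, host name and credential in the sample exception are constructed, and the `SENSITIVE` pattern is a starting list, not a complete one.

```java
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/** Maps internal exceptions to SOAP fault text without disclosing infrastructure details. */
public class FaultSanitizer {
    private static final Logger LOG = Logger.getLogger("ServiceA");

    // Markers that must never appear in a fault sent to a consumer (constructed list; extend for your stack):
    // JDBC URLs, credentials, driver connection errors and stack-trace frames.
    private static final Pattern SENSITIVE = Pattern.compile(
        "(?i)(jdbc:|password=|user=|Connection refused|\\bat [\\w.$]+\\()");

    /** The leaky pattern: the raw exception text, connection string included, goes back to the consumer. */
    static String leakyFault(Throwable t) {
        return "Server error: " + t.getMessage();
    }

    /** Hardened: full detail to the server log, a generic message plus a correlation id to the consumer. */
    static String sanitizedFault(Throwable t) {
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "fault ref=" + ref, t);   // operators can look this up; consumers cannot
        return "The request could not be processed. Reference: " + ref;
    }

    /** Last-line check for a fault interceptor: does this text still carry internal detail? */
    static boolean leaksInternals(String faultText) {
        return SENSITIVE.matcher(faultText).find();
    }

    public static void main(String[] args) {
        // Constructed driver error carrying the connection string of the database shared across the inventory.
        SQLException e = new SQLException(
            "Connection refused: jdbc:postgresql://db.internal:5432/inventory?user=svc_shared&password=Winter2025");
        String leaky = leakyFault(e);
        String safe = sanitizedFault(e);
        System.out.println(leaky + "  -> leaks internals: " + leaksInternals(leaky));
        System.out.println(safe + "  -> leaks internals: " + leaksInternals(safe));
    }
}
```

The correlation id keeps the fault diagnosable without making the consumer the audience for the diagnosis. The regex guard is deliberately a backstop: the fix is the mapping in `sanitizedFault`, and the guard exists so that a new code path that forgets to use it is caught rather than quietly leaking.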

  • Question 57:

    When considering the ESB as providing intermediary logic, which of the following types of subject confirmation methods relate to its access control issues?

    A. Holder-of-key

    B. Sender-vouches

    C. Issuer-vouches

    D. None of the above.

  • Question 58:

    An IT enterprise has three domain service inventories that map to three different departments. Each service inventory uses a security token service (STS) based authentication broker to enable single sign-on for services within the respective service inventory boundary. The tokens used for all single sign-on mechanisms are based on SAML assertions. You are given a new requirement to extend this security architecture so that services from different domain service inventories can communicate.

    What new security mechanisms are required to fulfill this requirement?

    A. The individual authentication brokers need to be replaced with one single authentication broker so that one single token can be used by services across all domain service inventories.

    B. An additional authentication broker needs to be added in between each domain service inventory in order to enable communication between services using disparate security tokens.

    C. There is no need to introduce a new security mechanism. The individual domain service inventories need to be combined into a single enterprise service inventory. That way, the Service Perimeter Guard pattern can be applied so that services won't need to authenticate each other.

    D. There is no need to introduce a new security mechanism. The existing SAML tokens can be used by services across the domain service inventories as long as the existing authentication brokers are configured to issue service inventory-specific assertions for SAML tokens from specific domain service inventories.

  • Question 59:

    An XML bomb attack and an XML external entity attack are both considered types of XML parser attacks.

    A. True

    B. False
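Question 59 groups the XML bomb and the XML external entity (XXE) attack together because both are delivered through the DOCTYPE of an inbound document and both are defeated by how the parser is configured. The Java program below is an added example for this page, not code from the exam or from any vendor: it embeds one constructed payload of each kind (the entity names and the `file:///etc/hostname` target are invented for the demonstration) and feeds them to a default `DocumentBuilderFactory` and to one hardened with the JDK's Xerces features. The feature URIs are the standard Xerces/SAX ones; behaviour of the default factory varies by JDK version (recent JDKs already cap entity expansion, but still resolve external entities).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Two XML parser attack payloads against a default and a hardened DocumentBuilderFactory. */
public class XmlParserHardening {

    // Constructed XML bomb (the "billion laughs" shape): each entity expands to ten of the previous one.
    static final String XML_BOMB =
        "<?xml version='1.0'?>\n" +
        "<!DOCTYPE lolz [\n" +
        " <!ENTITY lol \"lol\">\n" +
        " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
        " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
        " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
        " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n" +
        " <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n" +
        "]>\n" +
        "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>" +
        "<soap:Body>&lol5;</soap:Body></soap:Envelope>";

    // Constructed XXE payload: an external general entity that the parser would read from local disk.
    static final String XXE =
        "<?xml version='1.0'?>\n" +
        "<!DOCTYPE r [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n" +
        "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>" +
        "<soap:Body><id>&xxe;</id></soap:Body></soap:Envelope>";

    /** Factory configured the way an endpoint should parse untrusted SOAP: no DOCTYPE at all. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);      // stops both attacks outright
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);     // defence in depth, should a
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);   // DOCTYPE ever be permitted
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parse and describe the outcome: accepted (with body text size), rejected by the parser, or failed. */
    static String tryParse(DocumentBuilderFactory f, String xml) {
        try {
            Document d = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            String text = d.getDocumentElement().getTextContent();
            return "accepted, body text length " + text.length();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dflt = DocumentBuilderFactory.newInstance();
        dflt.setNamespaceAware(true);
        DocumentBuilderFactory hard = hardenedFactory();
        for (String[] p : new String[][] {{"XML bomb", XML_BOMB}, {"XXE", XXE}}) {
            System.out.println(p[0] + " / default  : " + tryParse(dflt, p[1]));
            System.out.println(p[0] + " / hardened : " + tryParse(hard, p[1]));
        }
    }
}
```

`disallow-doctype-decl` is the setting that matters: a SOAP envelope has no legitimate reason to carry a DTD, so rejecting the DOCTYPE closes both the expansion and the external-entity path before any entity is looked at. The remaining features only matter in the rare deployment that must accept DOCTYPEs, and should be set anyway. Note that `tryParse` reports the body text length rather than its content so that a successful XXE on the default factory does not print the file it read.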

  • Question 60:

    The use of parameterized expressions can help avoid which type of attack?

    A. XML parser attack

    B. Buffer overrun attack

    C. XPath injection attack

    D. Exception generation attack
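Questions 54 and 60 describe the same attack from two sides: consumer-supplied data that manipulates the quoting inside an XPath expression, and the parameterized expressions that prevent it. The Java program below is an added example for this page, not code from the exam or from any vendor; it runs a constructed credential lookup (the user store, names and passwords are invented) first by string concatenation and then with the JDK's `XPathVariableResolver`, which is how an XPath expression is parameterized in `javax.xml.xpath`. It needs Java 9 or later for `Map.of`.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** XPath injection through string concatenation, and the parameterized form that defeats it. */
public class XPathInjectionDemo {

    // Constructed user store that a service consults during authentication.
    static final String USERS =
        "<users>" +
        "  <user name='alice' password='s3cret' role='admin'/>" +
        "  <user name='bob' password='hunter2' role='reader'/>" +
        "</users>";

    static Document load() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(USERS.getBytes(StandardCharsets.UTF_8)));
    }

    /** Vulnerable: consumer strings become XPath syntax, so a quote in the input rewrites the predicate. */
    static int vulnerableLogin(Document doc, String name, String password) throws Exception {
        String expr = "//user[@name='" + name + "' and @password='" + password + "']";
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList hits = (NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    /** Parameterized: $name and $password are supplied as values and are never parsed as XPath. */
    static int safeLogin(Document doc, String name, String password) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        Map<String, String> params = Map.of("name", name, "password", password);
        xp.setXPathVariableResolver((QName var) -> params.get(var.getLocalPart()));
        XPathExpression compiled = xp.compile("//user[@name=$name and @password=$password]");
        NodeList hits = (NodeList) compiled.evaluate(doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = load();
        String attackerName = "alice";
        String attackerPassword = "' or '1'='1";   // closes the quoted literal and appends an always-true clause
        System.out.println("honest credentials / vulnerable: " + vulnerableLogin(doc, "alice", "s3cret"));
        System.out.println("crafted password   / vulnerable: " + vulnerableLogin(doc, attackerName, attackerPassword));
        System.out.println("crafted password   / safe      : " + safeLogin(doc, attackerName, attackerPassword));
    }
}
```

With concatenation the crafted password turns the predicate into `@name='alice' and @password='' or '1'='1'`; because `and` binds tighter than `or`, the `or '1'='1'` clause selects every `user` node regardless of credentials. With the variable resolver the same string is compared as a literal attribute value and matches nothing. Escaping quotes by hand is the wrong fix: XPath has no escape sequence inside string literals, so parameterization is the only reliable separation of data from expression.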


Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only SOA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your S90-19A exam preparation or your SOA certification application, do not hesitate to visit Vcedump.com to find your solutions.