1Z0-574 Online Practice Questions and Answers

Correct Answer: BCE

Explanation:

B:End to end security is an information-centric perspective of security where information is protected

throughout the entire computing environment. That is, from the points where system interactions originate,

through all points of integration, processing, and persistence.

End to end security is often associated with the secure transmission, processing, and storage of data,

where at no time are data unprotected Note:

For a typical web-based application, end to end security generally begins at the client/browser, and ends at

the application database and all external dependencies of the application.

A common challenge in providing end to end security is finding a suitable way to secure data in all states

and points along the processing path that does not interfere with any transmission, routing, processing,

and storage functions that need to occur along the way. Sensitive data will usually need to be decrypted at

certain points in order for processing or message routing to occur.

Correct Answer: A

Explanation:

Note: It is quite common to encounter use cases that require transformation of information from one format to another, especially in the area of enterprise integration. Source systems and target systems may use very different representations of data and in some cases, a canonical data model might be used as a common intermediate format. In some cases, the transformation is a simple field-to-field mapping whereas in other cases it is a complex manipulation and conversion of data. It should be possible to visually map the source and target representations with the ability to enrich the elements to support both simple and complex data transformations.

Correct Answer: AC

Explanation:

A: Computer hardware virtualization (or hardware virtualisation) is the virtualization of computers or operating systems. It hides the physical characteristics of a computing platform from users, instead showing another abstract computing platform.

C: Computer clusters have historically run on separate physical computers with the same operating system. With the advent of virtualization, the cluster nodes may run on separate physical computers with different operating systems which are painted above with a virtual layer to look similar. The cluster may also be virtualized on various configurations as maintenance takes place.

References:

Correct Answer: D

Explanation:

Applications can be classified in a number of ways, such as:

*

By the user community it serves, such as HR, Finance, company executives, all employees, all persons working on behalf of the company (includes contractors and temporary workers), general public, etc. (not A)

*

Based on information confidentiality. Some applications process personal information while others do not. Likewise, in military terms, an application might be targeted towards individuals with a specific level of clearance. (not B)

*

Based on business criticality. Some applications may have a direct and severe contribution or impact to revenue. Examples include order processing, credit card processing, call processing, securities trading, and travel reservations. Others may have little or no impact. (not C)

*

Based on the applicability of existing laws and regulations. For example, HIPPA puts more security emphasis on patient records than would otherwise exist. (not E)

*

Based on network exposure. Levels might include: locked down (no network access), secure production environment access, general organization-wide intranet access, partner access, Internet access limited to a specific user community, and Internet access open to the public.

References:

Correct Answer: AC

Explanation: The primary focus of the Metadata Repository (aka Enterprise Metadata Repository or Enterprise Repository) is design-time, and it usually has no role in the runtime environment of most SOA deployments. The metadata repository is primarily a human interface for asset capture and presentment. It has integration with the service registry to promote the service interfaces and with the security framework for repository security like authentication and access control.

Core capabilities of the metadata repository include:

*

Asset Management

*

Asset Lifecycle Management

*

Usage Tracking

*

Service Discovery

*

Version Management (C)

*

Service Taxonomy

*

Dependency Analysis (A)

*

Portfolio Management

References:

Correct Answer: A

Explanation:

Round-trip engineering is the ability to effectively perform both forward and reverse engineering to

seamlessly transform the lifecycle assets. Forward engineering is very useful the first time that code is

generated from a model. It saves much of the mundane work of keying in classes, attributes, and methods.

Reverse engineering is very useful both to transform code into a model when no model previously existed,

as well as to resynchronize a model with the code at the end of a change.

Note:

During an iterative development cycle, once a model has been updated as part of an iteration, another

round of forward engineering should allow code to be refreshed with any new classes, methods or

attributes that have been added to the model. Source code generally contains much more than the model

and tools must be very adept at reconstructing the source code that existed prior to the new round of

forward engineering. At minimum, the modeling tool should successfully support forward engineering the

first time and reverse engineering throughout the process.

References:

Correct Answer: C

Explanation:

The Java EE Management specification (JSR 77) provides a standard model for managing a J2EE

Platform and describes a standard data model for monitoring and managing the runtime state of any Java

EE Web application server and its resources.

Note: The J2EE Management specification includes standard mappings of the model to the Common

Information Model (CIM), to an SNMP Management Information Base (MIB), and to the Java object model

through a server-resident Enterprise JavaBeans (EJB) component, known as the J2EE Management EJB

Component (MEJB). The MEJB provides interoperable remote access to the model from any standard

J2EE application.

References:

Correct Answer: A

Explanation:

Cache hit rate or ratio: The percentage of times the cache was hit successfully over the total number of

tries is called the hit ratio.

References:

Correct Answer: C

Explanation:

In order to avoid man-in-the-middle attacks a security framework must have capabilities such as:

*

Logging in users without the need to type passwords or PINs (not D)

*

Dynamically challenging the user for different information, e.g., asking a random question for which only the user will know the answer

*

Encrypting and signing transmissions from the client to the back end server (not A)

*

Detecting replays using embedded transaction ids or timestamps (not E)

*

Presenting proof to the user that the site they are visiting is authentic

Propagating a single proof object, or assertion, can be susceptible to man-in-the-middle attacks and replay attacks. If a rogue entity observes an assertion, it could reuse that assertion for illegitimate requests. Possible solutions include:

*

(notB) Invalidate the assertion after every request. In the case of chained SOA Services, service providers must verify each assertion they receives with the authority. The authority can invalidate assertions in its internal cache. Any future verifications with the same assertion would fail. SOA Service providers would need to obtain a new assertion in order to make subsequent service requests. This solves both types of problems mentioned above.

*

(notE) Reduce and enforce the assertion's time to live attribute. This would narrow the window of opportunity to reuse an assertion. The assertion would have to be captured and reused in a short period of time (programmatically vs. manually). While this limits the potential for man-in-the-middle attacks, it's not as effective for replay attacks

*

Require the signature of a trusted service consumer (client application) in addition to the signed assertion. The caller's signature should cover the assertion to bind it to the message. If all service consumers are required to sign their request messages, then service providers can be shielded from rogue clients, thereby preventing man-in-the-middle attacks.

This solution would need to be enhanced to solve replay attacks. One option is to include a unique request id, timestamp, or sequence number in the request. The target resource could maintain a cache of ids and refuse duplicate requests. A common request id service could be created to issue unique request ids and validate all requests that are received within the security domain

References:

Correct Answer: AB

Explanation: A Rich Internet Application (RIA) is a Web application that has many of the characteristics of desktop application software, typically delivered by way of a site-specific browser, a browser plug-in, an independent sandbox, extensive use of JavaScript, or a virtual machine. Adobe Flash, JavaFX, and Microsoft Silverlight are currently the three most common platforms.

Not D: Rich internet applications (RIA) move some (but usually not all) of the view and controller functionality to the Client Tier.

Note: Web 2.0 introduces even more client-side code to enrich the user experience (i.e. Rich Internet Applications). This can be done in a standardized way, such as the Ajax framework. New message-injection attacks are possible in areas such as cross-site scripting and cross-site-forgery due to poor protocol implementations and poor message parsing. An example exploit is the SAMY worm created on MySpace.