You are the architect for XYZ bank. XYZ is redesigning their online banking offering and you need
to ensure that the new design follows security best practices for the JEE platform.
Select three security best practices for JEE applications.
A. Schedule regular penetration testing.
B. Log all security related application events.
C. Implement an exception-handling strategy.
D. Encrypt data, both on the wire and at rest.
E. Use both programmatic and declarative security.
F. Treat users as untrusted even when authenticated.
Don't agree with E. Why is it a best practice to use both? Have security, yes, but not both programmatic and declarative.
Same question here. Why E???
By exclusion. Would you rather say A and D? They're sysadmin concerns, not JEE. F? Ahahah
Rethinking about the D, it actually may be true…
I would say ABC
Why?
A – A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.
Ref: https://en.wikipedia.org/wiki/Penetration_test
C – An important aspect of secure application development is to prevent information leakage. Error messages give an attacker great insight into the inner workings of an application.
Ref: https://www.owasp.org/index.php/Error_Handling#Error.2C_Exception_handling_.26_Logging
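Added example (not from the original thread or the exam material): one way options B and C combine in a JEE application is a JAX-RS `ExceptionMapper` that logs the full stack trace server-side under a correlation id and returns only a generic message plus that id to the client, so error responses never expose class names, SQL fragments or stack frames. The class and field names below are assumptions for illustration; the JAX-RS and `java.util.logging` APIs are standard.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

/**
 * Catch-all mapper for any Throwable that escapes a JAX-RS resource.
 * Registered automatically by the @Provider annotation when classpath
 * scanning is enabled, or explicitly via Application.getClasses().
 */
@Provider
public class SafeErrorMapper implements ExceptionMapper<Throwable> {

    // Dedicated security/application log; ship it to the SIEM, not to the client.
    private static final Logger LOG = Logger.getLogger("xyz.bank.errors");

    @Override
    public Response toResponse(Throwable ex) {
        // Correlation id lets support staff find the detailed log entry
        // without the client ever seeing the exception itself.
        String correlationId = UUID.randomUUID().toString();

        // Preserve a status deliberately chosen by the resource (404, 403, ...),
        // but still replace the body so framework messages are not leaked.
        int status = 500;
        if (ex instanceof WebApplicationException) {
            status = ((WebApplicationException) ex).getResponse().getStatus();
        }

        // Full detail (type, message, stack trace) goes only to the server log.
        LOG.log(Level.SEVERE, "Unhandled error, correlationId=" + correlationId
                + ", status=" + status, ex);

        // Client gets a fixed, non-descriptive body: no exception class,
        // no message text, no stack trace.
        String body = "{\"error\":\"Request could not be processed\","
                + "\"correlationId\":\"" + correlationId + "\"}";

        return Response.status(status)
                .type(MediaType.APPLICATION_JSON)
                .entity(body)
                .build();
    }
}
```

With this in place a `NullPointerException` or an SQL exception in a resource yields `500` with a constant body, while the operator can grep the log for the correlation id the customer reports. Pair it with a `<error-page>` entry in `web.xml` for non-JAX-RS servlets so the container's default error page (which prints the exception) is never shown either.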
ADE
For a banking application, fine-grained security is a must (using programmatic).