What does deny-by-default imply in secure configuration?


Multiple Choice

What does deny-by-default imply in secure configuration?

Explanation:
Deny-by-default means starting from a closed baseline and enabling only what is strictly necessary. In secure configuration, every feature, permission, and access path is off or denied until it is explicitly authorized; anything not matched by an allow rule is refused. This minimizes the attack surface: unneeded features, listening ports, and permissions stay closed, so a misconfiguration or an attacker has less to abuse. A firewall that drops all traffic and permits only specific, trusted flows is the classic example; an application authorization layer that rejects any request not covered by an explicit allow rule is the same principle one layer up. The principle only helps if the allow rules stay narrow: an overly broad rule (for example, allowing a whole network where a single host is meant) quietly reintroduces the exposure default-deny was supposed to remove.

That is why "block risky features unless explicitly enabled" is the best answer: it captures the preventive stance of default-deny. The other options do not describe the concept: enabling all features by default increases risk; focusing only on logging describes detection, not an access or feature policy; and never updating dependencies is a maintenance concern (and a bad practice in its own right) that deny-by-default says nothing about.
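The firewall analogy in the explanation can be made concrete by evaluating one small allow-list under both postures. The following is an added example, not code from the page or from Passetra: the rule and connection data are constructed for illustration, and the `decide` function is a hypothetical evaluator, not any real firewall's logic. It shows that with the same two explicit allow rules, default-deny permits exactly the two authorized access paths while default-allow exposes everything else.

```python
"""Default-deny versus default-allow over the same explicit allow rules.

Added example (not from the Passetra page). RULES and ATTEMPTS are
constructed sample data; decide() is a hypothetical evaluator.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    """One explicitly authorized access path: source network, protocol, port."""
    source: str   # CIDR, e.g. "10.0.0.0/8"
    proto: str    # "tcp" or "udp"
    port: int

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        return (
            proto == self.proto
            and port == self.port
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
        )


@dataclass(frozen=True)
class Connection:
    src_ip: str
    proto: str
    port: int


def decide(rules, conn, default_allow=False) -> bool:
    """Return True if the connection is permitted.

    With default_allow=False (deny-by-default) only an explicit rule can
    permit; anything unmatched is refused. With default_allow=True the
    same rules are consulted, but unmatched traffic falls through to allow.
    """
    for rule in rules:
        if rule.matches(conn.src_ip, conn.proto, conn.port):
            return True
    return default_allow


# Constructed rules: the only two access paths anyone asked for.
RULES = (
    AllowRule("10.0.0.0/8", "tcp", 443),    # HTTPS from the internal network
    AllowRule("192.0.2.10/32", "tcp", 22),  # SSH from a single bastion host
)

# Constructed connection attempts, some authorized and some not.
ATTEMPTS = (
    Connection("10.1.2.3", "tcp", 443),     # internal HTTPS: matches rule 1
    Connection("192.0.2.10", "tcp", 22),    # bastion SSH: matches rule 2
    Connection("198.51.100.7", "tcp", 22),  # SSH from an unlisted source
    Connection("10.1.2.3", "tcp", 3306),    # database port nobody authorized
    Connection("10.1.2.3", "udp", 443),     # right port, wrong protocol
    Connection("203.0.113.9", "tcp", 8080), # unlisted port from the internet
)


def permitted(rules, attempts, default_allow=False):
    """All attempts the policy lets through under the given posture."""
    return [c for c in attempts if decide(rules, c, default_allow)]


def exposure_gap(rules, attempts):
    """Attempts that default-allow permits but default-deny blocks: the
    extra attack surface a permissive baseline carries for the same rules."""
    deny = set(permitted(rules, attempts, default_allow=False))
    allow = set(permitted(rules, attempts, default_allow=True))
    return sorted(allow - deny, key=attempts.index)


if __name__ == "__main__":
    print("deny-by-default permits :", permitted(RULES, ATTEMPTS))
    print("default-allow permits   :", permitted(RULES, ATTEMPTS, True))
    print("extra exposure          :", exposure_gap(RULES, ATTEMPTS))
```

Note the `udp 443` case: default-deny refuses it even though the port number is "allowed", because the rule authorizes one protocol and port pair, not the port alone. That precision is what keeps the allow-list narrow.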

