yQuestion.

aspx
Secure Usage of Authorized Code Repositories

1. Which type ofinformation, if uploaded on public

repositories (such as GitHub, Gitlab, BitBucket, Git, Stash
etc.) could trigger a security incident?

Oa. Source Code Correct Answer

Ob. API Keys Uploading Infosys or Client
confidential or proprietary
Oc. IP addresses, System credentials
information (source code,
d. Architecture diagrams architecture diagrams, IP
addresses, system
Oe. All of the above Credentials and API Key etc.)
on public repositories
(GitHub, Gitlab, BitBucket,
Git, Stashetc.) wouldresult
in an incident.

2 On completion of a project, you receive a note of

appreciation from the client. Along with the appreciation,
you plan to post the project details and the link to the
project code uploaded on public GitHub with your Linkedin
contacts and also tag the Client in your post. Is this
acceptable?

a . Yes, as the Client is on Linkedin and the post is

Correct Answer
professional
Posting/Sharing Client
b . No, tagging Client in the public post is unprofessional Informationlike Client
Oc. No, it is not acceptable as it may violate the name, any link refermng to
Client informatiorn and other
confidentiality terms agreed with the Client and would projectInformation on
trigger arn incident.
public repositories like
d.Yes, publicly posting project accomplishments will help GitHubor Social media (lik
boost my career Facebook Twitter, Linkedin
etc.) is a violation of the
e . Both b and c
confidentiality tems agreed
with the Client and would

35°C Haze
estion.aspx
Xand Y are developing a utility for a Client project. Though
not permitted by the client, X copies the input file from the
Client environment and sends it to Y via Infosys email .Y
completes the Ul testing using the input file sent by X and
finally uploads the developed utility source code on a public
GitHub repository.Considering above scenario, identify all
the violations in this scenario which could trigger a security
incident?
A. Uploading the source code on the public GitHub
repository
B. Testing without improper test cases
C. Sending Client information via Infosys email ID
D. Collaborating on developing a utility for a Client project
E. Copying input file from Client environment and sharing it
with a colleague on his personal email ID for Ul testing

Oa. A,B and E Correct Answer

Ob. A,Cand D Sending or uploading any

Client information including
Oc.A, D and E Confidential source code,
project files etc. to Infosys
d. A, Cand E email ID or any external
Oe. Aand C email ID or public
repositories or outside
Client environment unless
authorized by the Client
teamis against the
Information Security policy
and could lead to a security
breach

4. Uploading Infosys, Client confidential or proprietary

information on untrusted public repositories could lead to
which of the following repercussions?

Oa. Intellectual Property (IP) infringement/Copyright Correct Answer

violations Uploading Client

Confidential Information
Ob. No repercussions as public repositories like GitHub isa Over publicly available sites,
secure platform for collaboration
technical forums and public
Oc. Information Leakageresulting in penalties repositories such as GitHub
etc. is strictly prohibited as
Od. Both a and c
tcan laad toinfarnmatian
35°C Ha
estion.aspx

5. It's5pm, Friday evening and you are working on a critical

client code which needs to be delivered by Monday
morning, however you don t have Infosys/Client assigned
laptop.Given the strict deadline, what action would you
take to complete the deliverable?
Oa. Email the code to your personal mail D or upload it on Correct Answer
public GitHub so that you can work on it from home during
weekend Sending any Client
Confidential files to your
Ob. Connect using friend's laptop over iConnect and personal ID or uploading it
download the code on his laptop to work on it. on public repositories to
work from home will trigger
Oc. Though not permitted as per client policy, take a print of
thecode and carry it home tor analysis. an incident. Furthermore,
never send any Client
d. Stay backin office for an hour and complete work on the information including
clientcode before you leave for the day. Confidential source code,
Oe. Both b and d projectfilesetc. to Infosys
email D or any external
email ID unless authorized
bythe Client team.

6 Which of the collaboration platforms are most appropriate

towork on projects, share source code, ideas etc. ?

Oa. Infosys GitHub Enterprise or TFS (Team Foundation Correct Answer

Server), if authorized
Infosys GitHub Enterprise/
b. Public repositories (such as GitHub, Gitlab, BitBucket TFS (Team Foundation
Git, Stash etc.) Server) or Client
c . Client provided code repository, ifauthorized provided/authorized public
Code repositories can be
Od. Both a and c used to work on projects,
share source code, ideas
Oe. None of the above and make changes to the
files and would not resultin
anIntormation Security
incident. However, care shal
be taken to not upload any
Contidential data that could
be misused or leaked.

35°C
7. While working on the Client network, which of the following
actions could lead to a violation of the Client policy?
A. Uploading a client code snippet (class file) on an external
website to decompile and get the source code of the class
file.
B. Uploading Client code, Server and other information on
public repository (GitHub
C. Posting Client project details on an external site
D.Sending Client project documentation to your personal
email ID.
E.None of the above
Oa. Aand C Correct Answer

Ob.A, Band D Sending any Client sensitive

information (including
c. A, B,C and D Source code, configurationsS
Od. B, Cand D PIl etc.) to
Infosys/External/Personal
Oe.E email ID is strictly
prohibited. Similarly
uploading any Client
sensitive information
including source code,
contigurations, project files,
Pll etc) to Public code
repositories (such as GitHub
etc.) orany External sites
outside the Client
environment unless
authorized by the Client
teamis againstthe
InformationSecurity policy
and could lead to an
Information security breach.

8.
You're working on an Infosys developed framework which is
open source based and available on Infosys GitHub
Enterprise platform you plan to re-use a useful component
thatwas delivered to another client to enhance the product
voL are develoning. What
wil vou do ne?

35 C Haz
estion.aspx

8. You're working on an Infosys developed framework which is

open source based and available on Infosys GitHub
Enterprise platformyouplanto re-use a usefulcomponent
that was delivered to another client to enhance the product
you are developing. What will you do next?

Oa. Carve-out the component and include it in the project. Correct Answer
After all Infosys developed it, what objections could the All code developed as part
client have. ofa client funded projectis
b. Allcode developed as part of aclientfunded project is the intellectual property of
theintellectual property of the client and we cannot re-use the Client and we cannot re
itin any shape or form. use it in any shape or form
Oc. You will suggest a feature addition, run an IP check and
or be made public.
re-develop the compornent using Infosys own guidelines
Od. You will seek your Manager's approval to re-use the
useful open source component and include it in your
project
Oe. You will create a copy of the code and carefully re-name
allreferences to the clientin the code before offering it as
a product

9 You are using a client provided laptop on which you are

authorized to use Client provided code repository.You are
alsoworking on a personal project that has source code on
public repository (GitHub). Is it permitted to use the client
provided laptop to work on your personal project

Oa. You can use the client provisioned laptop as long as you Correct Answe
donot upload client source code on public repository
Client provided laptop
Ob. No, the client provisioned laptop should not be used to should be used only for
work on your personal project delivering services to the
Oc. Post obtaining necessary approvals from clients. Client provided
the client, you laptop should not be used
can start using
the client laptop for your personal project to work on personal
Od. None of the above projects since it couldbe a
violation of Client mandated
InformationSecurity policy.

35C Ha
estion.aspx

9 You are using a client provided laptop on which you are

authorized to use Client provided code repository.You are
alsoworking on a personal project that has source code on
public repository (GitHub). Is it permitted to use the client
provided laptop to work on your personal project
Oa. You can use the client provisioned laptop as long as you Correct Answer
donot upload client source code on public repository Client provided laptop
Ob. No, the client provisioned laptop should notbe used to should be used onlyfor
Work on yourpersonal project delivering services to the
clients. Client provided
Oc. Post obtaining necessary approvals from the client, you laptop should not be used
can start using the client laptop for your personal project to work on personal
d. None of the above projects since it could be a
violation of Client mandated
Information Security policy.

10. A developer in a project gets access to Open Source code in

domain and customizes and enhances it for a
the public
client deliverable. He then uploads this code to public
GitHub repository since it is essentially an Open Source
code. Is this permitted ?

Oa. It is permitted to upload this code since the base is an Correct Answer
Open Source code component No matter the origin of the
Ob. Since it is part of aclient deliverable, it is not permitted

Source code either Open

touploadthis code to publicGit Hub, irrespective of the Source, written from
factthat it is Open Source based scratch, reuse of an already
developed asset etc. any
Oc. Itis permitted to upload thiscodeto public GitHub, once code that is part of the
you receive explicit approval from the client and it is Client deliverable cannot be
confirmed that there is no client confidential information in uploaded to public GitHub.
thecode
Od. Both b and c

Check Resu