Practice CAS-004 Application Environment, Configuration and Security questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. Which of the following is the primary purpose of input validation in application security?
2. A security architect is designing a microservices application that uses JWTs for authentication. Which of the following is the most critical security concern regarding JWT handling?
3. During a security review, you find that a web application uses a Content Security Policy (CSP) header with the value "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com;". Which attack is the application still vulnerable to?
4. An application uses a relational database and constructs SQL queries by concatenating user input. Which secure coding practice should be implemented to mitigate SQL injection?
5. A DevOps team is implementing a CI/CD pipeline for a Java application. They want to ensure that all dependencies are scanned for known vulnerabilities before deployment. Which type of tool should they integrate into the pipeline?
6. Which two of the following are effective mitigations against XML External Entity (XXE) injection attacks? (Select the two best options.)
7. A security assessor is reviewing a containerized application. Which three of the following practices help secure the container runtime environment? (Select the three best options.)
8. A security architect is designing a web application that handles sensitive user data. To protect against cross-site scripting (XSS) attacks, which of the following should be implemented?
9. During a security review, a developer discovers that a containerized application runs with root privileges. Which of the following is the most secure approach to mitigate this risk while maintaining functionality?
10. A security analyst is reviewing a web application's authentication mechanism. Which of the following are best practices to prevent session hijacking? (Select TWO.)
11. Which of the following is a primary purpose of using code signing for application deployment?
12. An organization is implementing a DevSecOps pipeline. Which of the following are essential security controls to include? (Select TWO.)
13. Which of the following is a secure method for storing secrets (e.g., API keys, passwords) in a cloud-native application?
14. A company is deploying a web application in a containerized environment. The security team wants to ensure that the application runs with the least privilege necessary. Which of the following is the BEST approach to achieve this?
15. A security engineer is reviewing a CI/CD pipeline that builds a Docker image. The engineer notices that the Dockerfile uses a base image from a public registry, installs packages via apt-get without version pinning, and copies a private SSH key into the image. Which of the following vulnerabilities is MOST directly introduced by this practice?
16. Which of the following is a primary benefit of using a Web Application Firewall (WAF) in front of a web application?
17. An organization uses a microservices architecture where services communicate via REST APIs. To ensure defense in depth, they want to authenticate and authorize every API call. Which of the following implementations BEST enforces this at the application layer?
18. Which of the following is the BEST practice for securely storing secrets (e.g., database passwords) in a cloud-native application?
19. A security architect is designing a secure software development lifecycle (SSDLC). Which of the following practices are essential for integrating security into the development process? (Select TWO.)
20. A company is adopting a serverless architecture using AWS Lambda. Which of the following are security concerns specific to serverless functions? (Select TWO.)
21. A security architect is evaluating a web application that uses JSON Web Tokens (JWTs) for authentication. The application uses the RS256 asymmetric signing algorithm. The architect discovers that the JWT library accepts tokens with the algorithm set to 'none' if the public key is not provided during verification. Which of the following attacks is most likely to succeed if the application does not enforce algorithm validation?
22. Drag and drop the steps to perform a forensic acquisition of a hard drive using FTK Imager into the correct order.
23. Drag and drop the steps to configure a host-based firewall (Windows Defender Firewall) to block all inbound traffic except RDP into the correct order.
24. Match each security feature to its description.
25. Match each authentication protocol or method to its characteristic.
26. A security architect is designing a secure coding standard for a web application. Which of the following should be prioritized to mitigate cross-site scripting (XSS) risks?
27. A company deploys a microservices architecture using container orchestration. The security team wants to enforce mutual TLS between services. Which technology should be used?
28. A system administrator is configuring a Linux server to host a web application. Which file permission should be set for the private SSL key?
29. A security analyst discovers that a web application is vulnerable to directory traversal. Which of the following is the MOST effective mitigation?
30. An organization is implementing a zero-trust architecture for remote access. Which component is essential for continuous authentication?
31. A developer is creating a REST API that handles sensitive data. Which HTTP method should be used for updates that are not idempotent?
32. A security engineer is hardening a container image. Which practice is MOST effective in reducing the attack surface?
33. During a penetration test, a tester finds that an application uses server-side sessions with predictable session IDs. Which attack is this vulnerability most likely to facilitate?
34. A company is migrating its applications to a SaaS model. Which of the following should be included in the contract to ensure secure data handling?
35. An IAM policy is applied to an AWS user. Which of the following actions is permitted?
36. A security analyst is reviewing the firewall rules. Which of the following best describes the rule set's effect?
37. Which security issue is addressed by this configuration?
38. Which TWO of the following are secure coding practices to prevent SQL injection?
39. Which THREE of the following are essential components of a secure software development lifecycle (SSDLC)?
40. Which TWO of the following are best practices for securing a database server?
41. A developer is implementing input validation for a web application that accepts file uploads. Which of the following is the most secure method to prevent path traversal attacks?
42. A security analyst discovers that a containerized application is running with root privileges. Which of the following is the best practice to reduce the attack surface?
43. A company is deploying a RESTful API that handles sensitive financial data. Which of the following should be implemented to ensure data integrity during transmission?
44. A developer is using a third-party library with a known vulnerability. The vulnerability has a CVSS score of 9.8 and an exploit is publicly available. Which of the following is the most immediate course of action?
45. A software development team is adopting a DevSecOps approach. Which of the following practices best integrates security into the continuous integration pipeline?
46. A security engineer is reviewing the configuration of an AWS S3 bucket that stores customer data. Which of the following settings is most likely to cause a data breach?
47. A security analyst is reviewing the following JSON Web Token (JWT) header: {"alg":"none","typ":"JWT"}. Which of the following vulnerabilities does this indicate?
48. During a security assessment, a tester finds that a web application accepts user input and directly uses it in an LDAP query without sanitization. Which of the following attacks is most likely to be successful?
49. A security engineer is analyzing a serverless application that uses AWS Lambda. Which of the following is the most critical security concern when the function processes external input?
50. Which TWO of the following are best practices for securing a database that stores personally identifiable information (PII)? (Select TWO.)
51. Which THREE of the following are common vulnerabilities found in web applications according to the OWASP Top 10 2021? (Select THREE.)
52. Which TWO of the following are effective defenses against Server-Side Request Forgery (SSRF) attacks? (Select TWO.)
53. Refer to the exhibit. A security review is being conducted on the Python application configuration. Which of the following security issues is present?
54. Refer to the exhibit. A security engineer reviews the S3 bucket policy. Which of the following is the most concerning security issue?
55. Refer to the exhibit. A security analyst is reviewing the Nginx configuration. Which of the following is the most critical security flaw?
56. A security analyst reviews a web application that accepts user-supplied data to generate PDF reports. The application uses a legacy library that directly inserts user input into SQL queries and also includes user input in the PDF generation without sanitization. Which is the most effective countermeasure?
57. A company is deploying a containerized application on Kubernetes. The security team requires that only signed images from a private registry be used and that containers run without privileged mode. Which Kubernetes admission controller should be configured to enforce both requirements?
58. A developer is writing a mobile app that stores sensitive user data locally on the device. Which is the best practice for protecting the data at rest?
59. A security engineer is configuring a web application firewall (WAF) for an e-commerce site. The application uses JSON APIs for all transactions. Which WAF mode provides the best protection against injection attacks while minimizing false positives?
60. A financial services company uses a continuous integration/continuous delivery (CI/CD) pipeline to deploy microservices. The security team wants to ensure that no secrets (e.g., API keys, database passwords) are hard-coded in source code repositories. Which tool or practice is most appropriate for detecting secrets before they are committed?
61. A developer needs to securely store user passwords in a database. Which hashing technique is recommended for password storage?
62. An organization is migrating a legacy application to a containerized environment. The application requires root privileges to bind to a low port (80). What is the most secure approach to handle this requirement?
63. A company's web application uses single sign-on (SSO) via SAML. Security analysts notice that attackers are able to forge SAML responses to impersonate users. Which misconfiguration is most likely causing this vulnerability?
64. A cloud-based application uses serverless functions to process user uploads. Which of the following is the most effective way to limit the attack surface of the function?
65. A company is adopting a secure software development lifecycle (SDLC). Which two practices are most effective for identifying vulnerabilities early in the development process? (Select TWO.)
66. Which three measures should be implemented to secure a RESTful API? (Select THREE.)
67. Which two are best practices for securing Docker container images? (Select TWO.)
68. Refer to the exhibit. Which security issue does this S3 bucket policy present?
69. A company uses a microservices architecture with Docker containers orchestrated by Kubernetes. Developers push code to a Git repository, which triggers a CI/CD pipeline using Jenkins. The pipeline builds Docker images and pushes them to a private registry (Harbor). Recently, a critical vulnerability (CVE-2024-XXXX) was discovered in the base image of several containers. The security team wants to ensure that only images that pass vulnerability scans are deployed to production. The pipeline currently builds and pushes images without any security check. Developers are responsible for updating base images, but this has been inconsistent. Which action should the security team take?
70. A financial institution manages customer data through a web application built on a LAMP stack. The application uses a third-party library for PDF generation that was patched last year. Recently, the security team discovered that an attacker exploited an unpatched vulnerability in the library to execute arbitrary code on the server. The library vendor has released an update, but the development team is concerned that updating the library will break several custom features that rely on its internal API. The CIO wants to minimize risk while maintaining business continuity. The application is critical to daily operations, and any downtime would result in significant revenue loss. Which course of action should the security analyst recommend?
71. A company is migrating its monolithic application to a microservices architecture. The security team wants to implement controls to protect inter-service communication and ensure data integrity. Which THREE security controls should be implemented? (Select THREE.)
72. A web developer is designing an e-commerce application that stores customer payment information. The application runs on a cloud platform and uses a relational database. During a security review, the auditor identifies that the database admin credentials are hardcoded in the application configuration file. The developer must implement a solution that eliminates hardcoded credentials and enables automatic rotation of secrets. Which course of action should the developer take?
73. A company runs a containerized application in a Kubernetes cluster. After a penetration test, the security team found that several containers are running with root privileges and have unnecessary packages installed. To reduce the attack surface, the team wants to enforce least privilege and minimize the software footprint. Which action should be taken first to address these findings?
74. An organization has implemented a zero-trust architecture for its mobile workforce. Employees use company-managed smartphones to access internal applications through a reverse proxy. Recently, users report that they are frequently prompted to re-authenticate, causing workflow interruptions. The security team wants to maintain zero-trust principles while improving the user experience. Analysis shows that session tokens are being revoked after a short idle timeout. Which adjustment should the security team implement to balance security and usability?
The Application Environment, Configuration and Security domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.
The Courseiva CAS-004 question bank contains 74 questions in the Application Environment, Configuration and Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Application Environment, Configuration and Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.