Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CAS-004 Application Environment, Configuration and Security • Complete Question Bank

CAS-004 Application Environment, Configuration and Security — All Questions With Answers

Complete CAS-004 Application Environment, Configuration and Security question bank: all 74 questions with answers and detailed explanations.

74 questions. Free. No signup.
Question 1 (easy, multiple choice)

Which of the following is the primary purpose of input validation in application security?

Question 2 (medium, multiple choice)

A security architect is designing a microservices application that uses JWTs for authentication. Which of the following is the most critical security concern regarding JWT handling?

Question 3 (hard, multiple choice)

During a security review, you find that a web application uses a Content Security Policy (CSP) header with the value "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com;". Which attack is the application still vulnerable to?
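The header in this question is the kind of thing a reviewer should check mechanically rather than by eye. The script below is an added example written for this page, not part of Courseiva's question or explanation text: it parses a CSP value into directives, applies the default-src fallback that browsers use for script-src, and reports the script-src weaknesses that matter for XSS. PAGE_CSP is the header value quoted in the question; the hardened policy in the demo is constructed.

```python
# Added example: a small CSP linter for the script-src weaknesses behind Question 3.
PAGE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com;"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source expressions]}.
    Duplicate directives keep the first occurrence, as browsers do."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Fetch directives such as script-src fall back to default-src when not set."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def script_src_findings(header: str) -> list:
    """Return the script-src weaknesses that leave inline or foreign script executable."""
    policy = parse_csp(header)
    sources = effective_sources(policy, "script-src")
    findings = []
    if not sources:
        findings.append("no-script-src")  # nothing restricts script execution at all
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    # Without one it re-enables inline <script> blocks and on* handlers, which is
    # exactly what a reflected or stored XSS payload needs.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("unsafe-inline")
    if "'unsafe-eval'" in sources:
        findings.append("unsafe-eval")
    if any(s in ("*", "http:", "https:", "data:") for s in sources):
        findings.append("overly-broad-scheme")
    return findings


if __name__ == "__main__":
    print("page policy:", script_src_findings(PAGE_CSP))
    hardened = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com; object-src 'none'"
    print("hardened   :", script_src_findings(hardened))
```

The allowlisted CDN is not flagged: a third-party host is a trust decision, not a syntax error, and the question's answer hinges on the 'unsafe-inline' token rather than on the CDN.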

Question 4 (medium, multiple choice)

An application uses a relational database and constructs SQL queries by concatenating user input. Which secure coding practice should be implemented to mitigate SQL injection?

Question 5 (hard, multiple choice)

A DevOps team is implementing a CI/CD pipeline for a Java application. They want to ensure that all dependencies are scanned for known vulnerabilities before deployment. Which type of tool should they integrate into the pipeline?

Question 6 (medium, multi select)

Which two of the following are effective mitigations against XML External Entity (XXE) injection attacks? (Select the two best options.)

Question 7 (hard, multi select)

A security assessor is reviewing a containerized application. Which three of the following practices help secure the container runtime environment? (Select the three best options.)

Question 8 (medium, multiple choice)

A security architect is designing a web application that handles sensitive user data. To protect against cross-site scripting (XSS) attacks, which of the following should be implemented?

Question 9 (hard, multiple choice)

During a security review, a developer discovers that a containerized application runs with root privileges. Which of the following is the most secure approach to mitigate this risk while maintaining functionality?

Question 10 (medium, multi select)

A security analyst is reviewing a web application's authentication mechanism. Which of the following are best practices to prevent session hijacking? (Select TWO.)

Question 11 (easy, multiple choice)

Which of the following is a primary purpose of using code signing for application deployment?

Question 12 (medium, multi select)

An organization is implementing a DevSecOps pipeline. Which of the following are essential security controls to include? (Select TWO.)

Question 13 (easy, multiple choice)

Which of the following is a secure method for storing secrets (e.g., API keys, passwords) in a cloud-native application?

Question 14 (medium, multiple choice)

A company is deploying a web application in a containerized environment. The security team wants to ensure that the application runs with the least privilege necessary. Which of the following is the BEST approach to achieve this?

Question 15 (hard, multiple choice)

A security engineer is reviewing a CI/CD pipeline that builds a Docker image. The engineer notices that the Dockerfile uses a base image from a public registry, installs packages via apt-get without version pinning, and copies a private SSH key into the image. Which of the following vulnerabilities is MOST directly introduced by this practice?

Question 16 (easy, multiple choice)

Which of the following is a primary benefit of using a Web Application Firewall (WAF) in front of a web application?

Question 17 (hard, multiple choice)

An organization uses a microservices architecture where services communicate via REST APIs. To ensure defense in depth, they want to authenticate and authorize every API call. Which of the following implementations BEST enforces this at the application layer?

Question 18 (easy, multiple choice)

Which of the following is the BEST practice for securely storing secrets (e.g., database passwords) in a cloud-native application?

Question 19 (hard, multi select)

A security architect is designing a secure software development lifecycle (SSDLC). Which of the following practices are essential for integrating security into the development process? (Select TWO.)

Question 20 (medium, multi select)

A company is adopting a serverless architecture using AWS Lambda. Which of the following are security concerns specific to serverless functions? (Select TWO.)

Question 21 (hard, multiple choice)

A security architect is evaluating a web application that uses JSON Web Tokens (JWTs) for authentication. The application signs tokens with RS256, an asymmetric algorithm. The architect discovers that the JWT library accepts tokens whose header sets the algorithm to 'none' when no public key is supplied at verification time. Which of the following attacks is most likely to succeed if the application does not enforce algorithm validation?

Question 22 (medium, drag order)

Drag and drop the steps to perform a forensic acquisition of a hard drive using FTK Imager into the correct order.

Question 23 (medium, drag order)

Drag and drop the steps to configure a host-based firewall (Windows Defender Firewall) to block all inbound traffic except RDP into the correct order.

Question 24 (medium, matching)

Match each security feature to its description.


Trust relationships between identity providers

Controls and monitors admin accounts

Restricts access based on physical location

Obfuscates sensitive data in non-production environments

Replaces sensitive data with non-sensitive placeholders

Question 25 (medium, matching)

Match each authentication protocol or method to its characteristic.


Uses tickets and symmetric key cryptography

XML-based federated identity protocol

Authorization framework for delegated access

AAA protocol for network access

Directory access protocol for authentication

Question 26 (medium, multiple choice)

A security architect is designing a secure coding standard for a web application. Which of the following should be prioritized to mitigate cross-site scripting (XSS) risks?

Question 27 (hard, multiple choice)

A company deploys a microservices architecture using container orchestration. The security team wants to enforce mutual TLS between services. Which technology should be used?

Question 28 (easy, multiple choice)

A system administrator is configuring a Linux server to host a web application. Which file permission should be set for the private SSL key?

Question 29 (medium, multiple choice)

A security analyst discovers that a web application is vulnerable to directory traversal. Which of the following is the MOST effective mitigation?

Question 30 (hard, multiple choice)

An organization is implementing a zero-trust architecture for remote access. Which component is essential for continuous authentication?

Question 31 (easy, multiple choice)

A developer is creating a REST API that handles sensitive data. Which HTTP method should be used for updates that are not idempotent?

Question 32 (medium, multiple choice)

A security engineer is hardening a container image. Which practice is MOST effective in reducing the attack surface?

Question 33 (hard, multiple choice)

During a penetration test, a tester finds that an application uses server-side sessions with predictable session IDs. Which attack is this vulnerability most likely to facilitate?

Question 34 (easy, multiple choice)

A company is migrating its applications to a SaaS model. Which of the following should be included in the contract to ensure secure data handling?

Question 35 (medium, multiple choice)

An IAM policy is applied to an AWS user. Which of the following actions is permitted?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::secret-bucket"
    }
  ]
}
Question 36 (hard, multiple choice)

A security analyst is reviewing the firewall rules. Which of the following best describes the rule set's effect?

Exhibit

Refer to the exhibit.
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0
Question 37 (easy, multiple choice)

Which security issue is addressed by this configuration?

Exhibit

Refer to the exhibit.
<Directory /var/www/html>
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Question 38 (medium, multi select)

Which TWO of the following are secure coding practices to prevent SQL injection?
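Questions 4 and 38 both turn on one distinction: whether user input is spliced into the statement text or bound to it as a parameter. The script below is an added example written for this page, not Courseiva's explanation material. It builds an in-memory SQLite table with constructed rows, then runs the same two injection payloads through a login check that concatenates strings and one that uses placeholders.

```python
# Added example: string-built query beside its parameterised form (Questions 4 and 38).
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Concatenates input into the statement: quotes and comments in the input become SQL."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the driver binds the values, so they are data, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Tautology payload: closes the password literal and appends OR '1'='1'.
    tautology = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "x", tautology))   # every row comes back
    print("safe      :", login_safe(conn, "x", tautology))         # no row matches
    # Comment payload: terminates the username literal and comments out the password check.
    print("vulnerable:", login_vulnerable(conn, "alice'--", "wrong"))  # alice, no password
    print("safe      :", login_safe(conn, "alice'--", "wrong"))        # no row matches
```

Stored procedures and allowlist validation (the other options the question is likely to offer) help only when they also avoid dynamic SQL internally; the placeholder is what actually separates code from data.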

Question 39 (hard, multi select)

Which THREE of the following are essential components of a secure software development lifecycle (SSDLC)?

Question 40 (easy, multi select)

Which TWO of the following are best practices for securing a database server?

Question 41 (easy, multiple choice)

A developer is implementing input validation for a web application that accepts file uploads. Which of the following is the most secure method to prevent path traversal attacks?
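Questions 29 and 41 both ask how to stop a client-supplied path from reaching files outside the intended directory. The functions below are an added example for this page, not Courseiva's answer text. They show the two defences that survive review: an allowlist for upload file names (a single component, safe characters only) and, for paths the application must resolve, canonicalisation followed by a containment check on the resolved path. The base directory /srv/uploads is an assumption and need not exist.

```python
# Added example: path-traversal defences for Questions 29 and 41.
import os
import re

# Allowlist for upload names: one component, no separators, no leading dot, bounded length.
_UPLOAD_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_upload_name(name: str) -> bool:
    """True only for a bare file name that cannot traverse or hide (no '/', '\\', leading '.')."""
    return _UPLOAD_NAME.fullmatch(name) is not None


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve a user-supplied relative path under base_dir; raise ValueError if it escapes."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path) or os.path.splitdrive(user_path)[0]:
        raise ValueError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the check below sees the path the
    # OS would actually open rather than the string the client sent.
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not startswith: "/srv/uploads2" would pass a plain prefix test.
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


def escapes(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: True if safe_join rejects user_path."""
    try:
        safe_join(base_dir, user_path)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    base = "/srv/uploads"  # assumed base directory
    for candidate in ["reports/q1.pdf", "../etc/passwd", "ok/../../../etc/shadow", "/etc/passwd"]:
        print(f"{candidate!r:32} escapes={escapes(base, candidate)}")
    for name in ["report-2024_v1.pdf", "../x.pdf", ".htaccess", "a/b.pdf"]:
        print(f"{name!r:32} safe_upload_name={is_safe_upload_name(name)}")
```

Stripping "../" from the input (a common wrong answer) is not on this list: "....//" survives one pass of that filter and becomes "../" again.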

Question 42 (easy, multiple choice)

A security analyst discovers that a containerized application is running with root privileges. Which of the following is the best practice to reduce the attack surface?

Question 43 (easy, multiple choice)

A company is deploying a RESTful API that handles sensitive financial data. Which of the following should be implemented to ensure data integrity during transmission?

Question 44 (medium, multiple choice)

A developer is using a third-party library with a known vulnerability. The vulnerability has a CVSS score of 9.8 and an exploit is publicly available. Which of the following is the most immediate course of action?

Question 45 (medium, multiple choice)

A software development team is adopting a DevSecOps approach. Which of the following practices best integrates security into the continuous integration pipeline?

Question 46 (medium, multiple choice)

A security engineer is reviewing the configuration of an AWS S3 bucket that stores customer data. Which of the following settings is most likely to cause a data breach?

Question 47 (hard, multiple choice)

A security analyst is reviewing the following JSON Web Token (JWT) header: {"alg":"none","typ":"JWT"}. Which of the following vulnerabilities does this indicate?
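Questions 21 and 47 describe the same failure from two angles: a verifier that lets the token's own header decide how it will be verified. The code below is an added example for this page, not Courseiva's explanation material and not any JWT library's code. It mints an HS256 token, forges the {"alg":"none"} token from Question 47, and runs both through a naive verifier and a hardened one. HS256 is used instead of the RS256 of Question 21 so the example needs only the standard library; the principle being shown, that the server fixes the algorithm in advance, is the same, and the allowlist also blocks the RS256-to-HS256 confusion variant in which the public key is fed to an HMAC. The key and claims are constructed.

```python
# Added example: JWT "alg": "none" acceptance and the allowlist that prevents it (Questions 21 and 47).
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token as the legitimate server would."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_alg_none(payload: dict) -> str:
    """What an attacker submits: header {"alg":"none"} and an empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def tamper_role(token: str, role: str) -> str:
    """Change a claim while keeping the original signature (must fail under any real verifier)."""
    h64, p64, s64 = token.split(".")
    payload = json.loads(_b64url_decode(p64))
    payload["role"] = role
    return h64 + "." + _segment(payload) + "." + s64


def verify_naive(token: str, key: bytes) -> dict:
    """Broken verifier of the kind the questions describe: honours the alg in the header."""
    h64, p64, s64 = token.split(".")
    alg = json.loads(_b64url_decode(h64)).get("alg")
    if alg == "none":  # unsigned token treated as valid: the vulnerability
        return json.loads(_b64url_decode(p64))
    if alg == "HS256":
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s64)):
            return json.loads(_b64url_decode(p64))
    raise InvalidToken("bad signature")


def verify(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Hardened verifier: the server decides the algorithm; the header merely has to agree."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("bad header") from exc
    if header.get("alg") not in allowed_algs:  # rejects "none" and any algorithm switch
        raise InvalidToken(f"algorithm {header.get('alg')!r} not permitted")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise InvalidToken("bad signature")
    return json.loads(_b64url_decode(p64))


def accepts(verifier, token: str, key: bytes) -> bool:
    """True if verifier returns claims for token instead of raising."""
    try:
        verifier(token, key)
        return True
    except (InvalidToken, ValueError):
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: not a real secret
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("naive verifier accepts alg=none token:", accepts(verify_naive, forged, key))
    print("hardened verifier accepts it         :", accepts(verify, forged, key))
```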

Question 48 (hard, multiple choice)

During a security assessment, a tester finds that a web application accepts user input and directly uses it in an LDAP query without sanitization. Which of the following attacks is most likely to be successful?

Question 49 (hard, multiple choice)

A security engineer is analyzing a serverless application that uses AWS Lambda. Which of the following is the most critical security concern when the function processes external input?

Question 50 (easy, multi select)

Which TWO of the following are best practices for securing a database that stores personally identifiable information (PII)? (Select TWO.)

Question 51 (medium, multi select)

Which THREE of the following are common vulnerabilities found in web applications according to the OWASP Top 10 2021? (Select THREE.)

Question 52 (hard, multi select)

Which TWO of the following are effective defenses against Server-Side Request Forgery (SSRF) attacks? (Select TWO.)

Question 53 (easy, multiple choice)

Refer to the exhibit. A security review is being conducted on the Python application configuration. Which of the following security issues is present?

Exhibit

import os
api_key = os.environ['API_KEY']
db_connection = os.getenv('DB_CONNECTION', 'sqlite:///default.db')
if not api_key:
    print("Warning: API key not set")
Question 54 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews the S3 bucket policy. Which of the following is the most concerning security issue?

Exhibit

Refer to the exhibit.
$ aws s3api get-bucket-policy --bucket mycompany-data
"Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::mycompany-data/*\"}]}"

The same policy document, unescaped:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mycompany-data/*"
    }
  ]
}
Question 55 (hard, multiple choice)

Refer to the exhibit. A security analyst is reviewing the Nginx configuration. Which of the following is the most critical security flaw?

Exhibit

# nginx.conf
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    location /admin {
        proxy_pass http://internal-admin:8080;
        allow 192.168.1.0/24;
        deny all;
    }
    location /api {
        proxy_pass http://internal-api:8080;
    }
}
Question 56 (medium, multiple choice)

A security analyst reviews a web application that accepts user-supplied data to generate PDF reports. The application uses a legacy library that directly inserts user input into SQL queries and also includes user input in the PDF generation without sanitization. Which is the most effective countermeasure?

Question 57 (hard, multiple choice)

A company is deploying a containerized application on Kubernetes. The security team requires that only signed images from a private registry be used and that containers run without privileged mode. Which Kubernetes admission controller should be configured to enforce both requirements?

Question 58 (easy, multiple choice)

A developer is writing a mobile app that stores sensitive user data locally on the device. Which is the best practice for protecting the data at rest?

Question 59 (medium, multiple choice)

A security engineer is configuring a web application firewall (WAF) for an e-commerce site. The application uses JSON APIs for all transactions. Which WAF mode provides the best protection against injection attacks while minimizing false positives?

Question 60 (hard, multiple choice)

A financial services company uses a continuous integration/continuous delivery (CI/CD) pipeline to deploy microservices. The security team wants to ensure that no secrets (e.g., API keys, database passwords) are hard-coded in source code repositories. Which tool or practice is most appropriate for detecting secrets before they are committed?

Question 61 (easy, multiple choice)

A developer needs to securely store user passwords in a database. Which hashing technique is recommended for password storage?

Question 62 (medium, multiple choice)

An organization is migrating a legacy application to a containerized environment. The application requires root privileges to bind to a low port (80). What is the most secure approach to handle this requirement?

Question 63 (hard, multiple choice)

A company's web application uses single sign-on (SSO) via SAML. Security analysts notice that attackers are able to forge SAML responses to impersonate users. Which misconfiguration is most likely causing this vulnerability?

Question 64 (easy, multiple choice)

A cloud-based application uses serverless functions to process user uploads. Which of the following is the most effective way to limit the attack surface of the function?

Question 65 (medium, multi select)

A company is adopting a secure software development lifecycle (SDLC). Which two practices are most effective for identifying vulnerabilities early in the development process? (Select TWO.)

Question 66 (hard, multi select)

Which three measures should be implemented to secure a RESTful API? (Select THREE.)

Question 67 (easy, multi select)

Which two are best practices for securing Docker container images? (Select TWO.)

Question 68 (medium, multiple choice)

Refer to the exhibit. Which security issue does this S3 bucket policy present?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
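Questions 35, 54 and 68 all ask the reader to evaluate an AWS policy document by hand. The evaluator below is an added example for this page, not Courseiva's explanation text and not AWS's own engine: it models the subset of IAM evaluation these three exhibits need (Action and Resource wildcards, the Principal element, the IpAddress condition on aws:SourceIp, and the rule that an explicit Deny beats any Allow while no match is an implicit deny). The three policy dicts are transcribed from the exhibits above; NotAction, NotResource and other condition operators are deliberately not modelled.

```python
# Added example: a small IAM policy evaluator for the exhibits in Questions 35, 54 and 68.
import fnmatch
import ipaddress

Q35_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::secret-bucket"},
    ],
}
Q54_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::mycompany-data/*"},
    ],
}
Q68_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value: str) -> bool:
    """IAM wildcard matching: '*' is any run of characters, '?' a single character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt: dict, principal) -> bool:
    spec = stmt.get("Principal")
    if spec is None:
        return True  # identity-based policy: applies to whoever it is attached to
    if spec == "*" or spec == {"AWS": "*"}:
        return True  # anyone, including unauthenticated (anonymous) requests
    if isinstance(spec, dict) and principal is not None:
        return _match(spec.get("AWS", []), principal)
    return False


def _conditions_hold(stmt: dict, ctx: dict) -> bool:
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "IpAddress":
            raise NotImplementedError(f"condition operator {operator} not modelled here")
        for key, nets in pairs.items():
            addr = ctx.get(key)
            if addr is None:
                return False  # key absent from the request context: condition is false
            if not any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in _as_list(nets)):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, principal=None, ctx=None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request against one policy."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
        if not (_match(actions, action.lower()) and _match(stmt["Resource"], resource)):
            continue
        if not (_principal_matches(stmt, principal) and _conditions_hold(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny overrides every allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print("Q35 ListBucket example-bucket:", evaluate(Q35_IDENTITY_POLICY, "s3:ListBucket", "arn:aws:s3:::example-bucket"))
    print("Q68 GetObject from 192.0.2.10:", evaluate(Q68_BUCKET_POLICY, "s3:GetObject", obj, ctx={"aws:SourceIp": "192.0.2.10"}))
    print("Q68 PutObject from 203.0.113.7:", evaluate(Q68_BUCKET_POLICY, "s3:PutObject", obj, ctx={"aws:SourceIp": "203.0.113.7"}))
```

Running the Question 68 policy shows why the IP condition gives false comfort: it guards reads only, while the second statement grants anonymous writes from any address.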
Question 69 (medium, multiple choice)

A company uses a microservices architecture with Docker containers orchestrated by Kubernetes. Developers push code to a Git repository, which triggers a CI/CD pipeline using Jenkins. The pipeline builds Docker images and pushes them to a private registry (Harbor). Recently, a critical vulnerability (CVE-2024-XXXX) was discovered in the base image of several containers. The security team wants to ensure that only images that pass vulnerability scans are deployed to production. The pipeline currently builds and pushes images without any security check. Developers are responsible for updating base images, but this has been inconsistent. Which action should the security team take?

Question 70 (hard, multiple choice)

A financial institution manages customer data through a web application built on a LAMP stack. The application uses a third-party library for PDF generation that was patched last year. Recently, the security team discovered that an attacker exploited an unpatched vulnerability in the library to execute arbitrary code on the server. The library vendor has released an update, but the development team is concerned that updating the library will break several custom features that rely on its internal API. The CIO wants to minimize risk while maintaining business continuity. The application is critical to daily operations, and any downtime would result in significant revenue loss. Which course of action should the security analyst recommend?

Question 71 (medium, multi select)

A company is migrating its monolithic application to a microservices architecture. The security team wants to implement controls to protect inter-service communication and ensure data integrity. Which THREE security controls should be implemented? (Select THREE.)

Question 72 (easy, multiple choice)

A web developer is designing an e-commerce application that stores customer payment information. The application runs on a cloud platform and uses a relational database. During a security review, the auditor identifies that the database admin credentials are hardcoded in the application configuration file. The developer must implement a solution that eliminates hardcoded credentials and enables automatic rotation of secrets. Which course of action should the developer take?

Question 73 (medium, multiple choice)

A company runs a containerized application in a Kubernetes cluster. After a penetration test, the security team found that several containers are running with root privileges and have unnecessary packages installed. To reduce the attack surface, the team wants to enforce least privilege and minimize the software footprint. Which action should be taken first to address these findings?

Question 74 (hard, multiple choice)

An organization has implemented a zero-trust architecture for its mobile workforce. Employees use company-managed smartphones to access internal applications through a reverse proxy. Recently, users report that they are frequently prompted to re-authenticate, causing workflow interruptions. The security team wants to maintain zero-trust principles while improving the user experience. Analysis shows that session tokens are being revoked after a short idle timeout. Which adjustment should the security team implement to balance security and usability?
