Practice CISSP Software Development Security questions with full explanations on every answer.
Software Development Security
1. A security team is reviewing a web application that allows users to search for products. The application uses a SQL database and constructs queries by concatenating user input directly into the SQL statement. Which of the following is the most effective mitigation against SQL injection attacks?
2. During a threat modeling session for a new online banking application, the team uses the STRIDE methodology. Which threat category addresses the risk of an attacker modifying transaction data in transit?
3. A development team is fixing a stored cross-site scripting (XSS) vulnerability in a web application that displays user comments. The application stores comments in a database and renders them in HTML. Which of the following is the most secure approach to prevent XSS?
4. A security architect is designing a system that must continue to function even when a component fails. The architect implements multiple layers of security controls so that if one fails, others still provide protection. Which principle is being applied?
5. During a penetration test, a security analyst discovers that a web application allows an attacker to bypass authorization and view another user's private messages by simply changing a numeric ID in the URL. Which vulnerability is being exploited?
6. A software development team is adopting secure coding practices. They decide to implement input validation for all user-supplied data. Which approach is recommended as the most effective for preventing injection attacks?
7. A security team is reviewing a newly acquired third-party software component. They want to ensure that the component's supply chain is secure and that known vulnerabilities are identified. Which of the following tools provides a list of all open-source and third-party components used in the software?
8. A developer is implementing authentication for a new application. To protect against brute-force attacks, the developer decides to implement account lockout after a certain number of failed attempts. Which security principle does this control enforce?
9. An organization is migrating to a new application that uses serialized objects to transfer data between services. The security team is concerned about insecure deserialization attacks. Which of the following controls is most effective in preventing deserialization vulnerabilities?
10. A web application exposes an API that allows users to fetch data from internal network resources based on a URL parameter. An attacker discovers they can use this API to access internal servers that are not meant to be public. Which vulnerability is being exploited?
11. A security analyst is reviewing the error handling of an application. The application currently displays detailed stack traces to users when an exception occurs. Which of the following is the best practice for error handling in production?
12. A development team is implementing cryptographic functions for a new application. They need to store passwords securely. Which of the following is the most appropriate approach?
13. A security engineer is evaluating a web application for common vulnerabilities. The application uses a Content Management System (CMS) that is outdated and has known vulnerabilities. Additionally, the application displays detailed error messages and uses default administrative credentials. Which TWO of the following OWASP Top 10 categories are most relevant to these issues?
14. During a security audit of a web application, the following issues are found: (1) Session tokens are included in URLs, (2) The application does not invalidate session tokens after logout, and (3) Session tokens are predictable. Which THREE of the following controls are most appropriate to address these issues?
15. A security team is planning to integrate security testing into the software development lifecycle. They want to identify vulnerabilities early and often. Which TWO of the following testing methods should be implemented during the development phase (before deployment) to catch code-level vulnerabilities?
16. During the requirements gathering phase of a software development project, which threat modeling methodology is most commonly used to identify threats such as spoofing, tampering, and elevation of privilege?
17. A development team is implementing a web application that allows users to search for products. To prevent SQL injection attacks, which secure coding practice should be applied?
18. A security architect is reviewing a design for an e-commerce application. The architect recommends implementing defense in depth. Which of the following is an example of this principle?
19. Which type of security testing involves analyzing source code for vulnerabilities without executing the code?
20. A company is evaluating a third-party software library for use in their application. Which document provides a detailed inventory of the library's components and dependencies to help assess supply chain risk?
21. During a security review of a web application, testers discover that the application discloses detailed error messages to users, including stack traces. Which secure coding best practice is being violated?
22. An application authenticates users using session tokens. A security analyst finds that the application does not invalidate session tokens after logout, allowing session fixation attacks. Which secure coding practice should be implemented to mitigate this?
23. A developer is implementing cryptographic storage for sensitive user data. Which of the following is a cryptographic best practice?
24. Which of the following is an example of an Insecure Direct Object Reference (IDOR) vulnerability?
25. A security team is conducting a penetration test on a web application. They identify that the application is vulnerable to reflected cross-site scripting (XSS). Which of the following is the most effective mitigation?
26. During a vulnerability assessment, a security analyst discovers that a web application uses a library known to be vulnerable to Log4Shell (CVE-2021-44228). Which type of vulnerability does this represent?
27. A development team is designing a new application and wants to ensure that if a failure occurs, the system remains secure by default. Which design principle should they apply?
28. A security analyst is reviewing a web application that handles financial transactions. Which TWO of the following are effective controls against Cross-Site Request Forgery (CSRF)?
29. An organization is acquiring a third-party software product. Which THREE of the following should be included in the security assessment of the vendor?
30. A security engineer is hardening a web server before deploying a new application. Which TWO of the following are examples of security misconfiguration vulnerabilities that should be addressed?
31. During the requirements gathering phase of a secure SDLC, the team uses a threat modeling approach that focuses on identifying threats such as spoofing, tampering, and denial of service. Which threat modeling methodology is being employed?
32. A security architect is designing an authentication system. To prevent session fixation attacks, which secure design principle should be implemented?
33. Which of the following is the primary purpose of output encoding in web application security?
34. During a security assessment, a penetration tester discovers that a web application exposes internal IP addresses in error messages. Which vulnerability category does this represent?
35. A development team is using a third-party library that is known to have a critical vulnerability. The team decides to continue using the library because it is widely used and the vulnerability has not been exploited. Which security risk is the team ignoring?
36. Which of the following is a secure coding practice to prevent SQL injection attacks?
37. A security analyst is reviewing a web application and notices that it includes a feature that allows users to view their own profile by providing a user ID in the URL (e.g., /profile?userid=123). The application does not verify that the logged-in user owns that profile. Which vulnerability is present?
38. Which type of testing analyzes source code for security vulnerabilities without executing the program?
39. A security engineer is evaluating a new third-party software component for use in a critical application. Which document is most important to review to understand the component's supply chain security?
40. What is the primary purpose of a Web Application Firewall (WAF) in a deployment environment?
41. A security architect is reviewing a web application's design and identifies several potential vulnerabilities. Which TWO of the following are effective mitigations for cross-site scripting (XSS) attacks?
42. A security team is performing a risk assessment on a legacy application that uses insecure deserialization. Which TWO of the following are recommended approaches to mitigate the risk of insecure deserialization?
43. An organization is planning to acquire a new SaaS application for customer relationship management. Which THREE of the following should be included in the vendor security assessment?
44. During a code review, a developer identifies that the application uses a custom encryption algorithm for storing sensitive data. Which THREE of the following are secure cryptographic practices that should be recommended instead?
45. A security analyst is reviewing the authentication mechanism of a web application. Which TWO of the following are examples of broken authentication vulnerabilities?
46. A security architect is reviewing a web application that handles sensitive financial transactions. The application uses a microservices architecture with an API gateway. During the threat modeling session using STRIDE, several threats were identified. Which TWO of the following are effective mitigations for the identified threats? (Select TWO.)
The Software Development Security domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.
The Courseiva CISSP question bank contains 46 questions in the Software Development Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Software Development Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.