Practice CISSP Software Development Security questions with full explanations on every answer.
1. A development team is adopting a secure SDLC. Which phase should include threat modeling to identify potential security vulnerabilities early?
2. A software company uses a third-party library that has a known critical vulnerability. The library is used extensively and rewriting the code would take months. What is the BEST immediate action to reduce risk?
3. During a code review, a developer encounters the following code snippet in a Java web application used to authenticate users:
   String query = "SELECT * FROM users WHERE username = '" + request.getParameter("user") + "' AND password = '" + request.getParameter("pass") + "'";
   Which of the following is the MOST effective remediation?
4. An organization is migrating from a waterfall to an Agile development methodology. Which of the following is a key security advantage of Agile?
5. A company is deploying a containerized application using Kubernetes. Which practice BEST ensures the security of the container images?
6. A development team is implementing a microservices architecture. Which of the following is the BEST approach to secure inter-service communication?
7. Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities? (Select TWO.)
8. Which THREE of the following are valid techniques to ensure software integrity during the build and deployment process? (Select THREE.)
9. A financial services company uses a custom web application for online banking. The application is developed in-house using Java and deployed on Apache Tomcat servers. Recently, the security team discovered that the application is vulnerable to a critical remote code execution (RCE) vulnerability due to insecure deserialization of untrusted data. The vulnerability exists in a module that processes session objects. The development team has been assigned to fix this issue. They propose the following options:
   A. Implement a custom deserialization filter using ObjectInputFilter to whitelist only expected classes.
   B. Replace Java serialization with JSON serialization using a library like Jackson, and configure it to disallow polymorphic deserialization by default.
   C. Encrypt all serialized objects using AES-256 before sending them to the client.
   D. Use a Web Application Firewall (WAF) to block requests containing known deserialization payloads.
   The application must maintain high availability and minimal latency. Which option provides the MOST effective and sustainable remediation?
10. Drag and drop the steps for conducting a business impact analysis (BIA) in the correct order.
11. Drag and drop the steps for a disaster recovery (DR) plan activation in the correct order.
12. Match each security model to its primary characteristic.
13. Match each OSI layer to its function.
14. A company is implementing a CI/CD pipeline for a web application. Which security testing method should be integrated into the build stage to catch vulnerabilities early?
15. An organization is transitioning from waterfall to agile development. How should security be integrated into the new process to align with the SDLC?
16. In a microservices architecture with a service mesh, what is the most effective approach to secure inter-service communication?
17. Which TWO of the following are mandatory secure coding practices to prevent injection attacks? (Select exactly two.)
18. Which THREE of the following are essential components of a software supply chain security program? (Select exactly three.)
19. Which TWO of the following are fundamental phases of a secure software development lifecycle (SSDLC) where security should be integrated? (Select exactly two.)
20. Refer to the exhibit. Which security weakness should be addressed first in this Dockerfile?
21. Refer to the exhibit. Which attack is this OAuth authorization server policy vulnerable to?
22. Refer to the exhibit. Which vulnerability does this code contain?
23. A development team heavily uses third-party libraries. What is the most effective way to manage vulnerabilities in these libraries?
24. An API gateway is being designed for a set of microservices. Which combination of security controls should be implemented?
25. To enforce separation of duties in a CI/CD pipeline, what architectural principle should be implemented?
26. Which THREE of the following are key practices in the OWASP ASVS (Application Security Verification Standard) for secure software? (Select exactly three.)
27. A company uses Docker containers for microservices. What is the most important security measure for container images?
28. A DevSecOps team wants to integrate security into the CI/CD pipeline without slowing down development. Which approach best achieves this?
29. A development team is integrating a third-party library for encryption. The security team insists on using only the latest version of the library. What is the primary security benefit of this requirement?
30. An organization uses a version control system for all software development. Which practice best ensures that code changes are reviewed for security issues before merging into the main branch?
31. During a code review, a developer notices that an application directly concatenates user input into SQL queries. Which type of vulnerability does this represent?
32. A security engineer is designing an API that handles sensitive customer data. The engineer wants to ensure that only authorized clients can access the API, and that requests are not tampered with in transit. Which approach best addresses both requirements?
33. A DevOps team is implementing a DevSecOps pipeline. Which of the following should be introduced first in the pipeline to catch security issues early and reduce remediation cost?
34. A developer is tasked with securely storing user passwords in a database. Which of the following is the most secure approach?
35. A security assessment reveals that a web application uses client-side input validation exclusively. What is the most likely security risk?
36. An organization is adopting a microservices architecture. Which security control is most effective for ensuring that inter-service communication is authenticated and authorized?
37. A security architect is reviewing a software design that uses a third-party library for XML parsing. The library is known to be vulnerable to XML External Entity (XXE) attacks. The architect recommends replacing the library. What is the primary risk of XXE attacks that the architect wants to avoid?
38. Which TWO of the following are essential elements of a secure software development lifecycle (SSDLC)? (Select exactly 2.)
39. Which THREE of the following are valid countermeasures to prevent SQL injection vulnerabilities? (Select exactly 3.)
40. Which TWO of the following are best practices for securing containerized applications? (Select exactly 2.)
41. Refer to the exhibit. An application running on this server uses HTTPS (port 443). What is the most likely impact of the current firewall rules on the application?
42. Refer to the exhibit. A security engineer reviews this S3 bucket policy. The Developer role is used by a CI/CD pipeline that uploads build artifacts. What security weakness exists in this policy?
43. Refer to the exhibit. A security auditor examines the Git history of a critical security patch. What is the most significant security concern?
44. A development team is implementing a new feature that processes sensitive user data. Which of the following is the most secure approach to prevent data leakage during processing?
45. A company is developing a mobile payment application. To comply with PCI DSS, what should be implemented to protect cardholder data during transmission?
46. A security architect is reviewing the access control model for a microservices architecture. Which approach minimizes the risk of privilege escalation from a compromised service?
47. During a code review, a developer identifies a SQL injection vulnerability. What is the most effective fix?
48. A team uses third-party libraries. What is the best practice to ensure they do not introduce vulnerabilities?
49. An organization is adopting DevOps. Which of the following is a primary security concern when integrating security into CI/CD pipelines?
50. A security analyst is evaluating a web application firewall (WAF). Which TWO features are most critical for preventing common web attacks?
51. A developer is implementing role-based access control (RBAC). Which THREE components are essential for an RBAC system?
52. Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities?
53. A financial institution has developed a trading application that sends orders via an internal API. The application processes high-frequency trades and must ensure non-repudiation of orders. The development team implemented digital signatures using RSA with SHA-256. However, testers found that occasionally two different orders produce the same signature. The team suspects a collision resistance issue. After reviewing the implementation, they notice that the private key is generated using a deterministic key generation algorithm that uses a fixed seed derived from the current timestamp. The signatures are generated by signing the order hash directly. What is the most likely root cause of the signature collision?
54. A healthcare organization uses a custom application to manage patient records. The application uses a database with encrypted columns for sensitive data. The security team discovers that an insider has been copying encrypted data to an external drive. While the data is encrypted, the encryption key is stored in a configuration file accessible to the application. Which additional control would best mitigate this risk?
55. A DevOps team implements a CI/CD pipeline that runs security scans automatically. The pipeline fails often due to false positives, causing delays. Which approach balances security and efficiency?
56. An organization develops a SaaS platform that integrates with multiple third-party services via APIs. The platform handles authentication tokens and user data. A security review reveals that the platform uses hardcoded API keys in the source code. What is the most secure way to manage these secrets in a cloud-native environment?
57. A financial application uses a third-party library for PDF generation. A security review finds that the library is no longer maintained and has known vulnerabilities. What is the BEST course of action?
58. Which TWO of the following are security principles that should be applied during software development? (Select TWO.)
59. A company develops a web application using microservices architecture deployed on Kubernetes. The security team identifies that the application is vulnerable to injection attacks because user input is concatenated into SQL queries. The development team wants to implement a fix quickly. They propose using parameterized queries, but the database access layer currently uses stored procedures. The team considers modifying the stored procedures to accept parameters and using prepared statements in the code. However, the operations team is concerned about performance impact. Which of the following is the BEST course of action?
The Software Development Security domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.
The Courseiva CISSP question bank contains 59 questions in the Software Development Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Software Development Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.