© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
Software Development Security

Practice CISSP Software Development Security questions with full explanations on every answer.

59 questions

All CISSP Software Development Security questions (59)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A development team is adopting a secure SDLC. Which phase should include threat modeling to identify potential security vulnerabilities early?

2

A software company uses a third-party library that has a known critical vulnerability. The library is used extensively and rewriting the code would take months. What is the BEST immediate action to reduce risk?

3

During a code review, a developer encounters the following code snippet in a Java web application used to authenticate users:

String query = "SELECT * FROM users WHERE username = '" + request.getParameter("user") + "' AND password = '" + request.getParameter("pass") + "'";

Which of the following is the MOST effective remediation?

4

An organization is migrating from a waterfall to an Agile development methodology. Which of the following is a key security advantage of Agile?

5

A company is deploying a containerized application using Kubernetes. Which practice BEST ensures the security of the container images?

6

A development team is implementing a microservices architecture. Which of the following is the BEST approach to secure inter-service communication?

7

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities? (Select TWO.)

8

Which THREE of the following are valid techniques to ensure software integrity during the build and deployment process? (Select THREE.)

9

A financial services company uses a custom web application for online banking. The application is developed in-house using Java and deployed on Apache Tomcat servers. Recently, the security team discovered that the application is vulnerable to a critical remote code execution (RCE) vulnerability due to insecure deserialization of untrusted data. The vulnerability exists in a module that processes session objects. The development team has been assigned to fix this issue. They propose the following options:

A. Implement a custom deserialization filter using ObjectInputFilter to whitelist only expected classes.
B. Replace Java serialization with JSON serialization using a library like Jackson, and configure it to disallow polymorphic deserialization by default.
C. Encrypt all serialized objects using AES-256 before sending them to the client.
D. Use a Web Application Firewall (WAF) to block requests containing known deserialization payloads.

The application must maintain high availability and minimal latency. Which option provides the MOST effective and sustainable remediation?

10

Drag and drop the steps for conducting a business impact analysis (BIA) in the correct order.

11

Drag and drop the steps for a disaster recovery (DR) plan activation in the correct order.

12

Match each security model to its primary characteristic.

13

Match each OSI layer to its function.

14

A company is implementing a CI/CD pipeline for a web application. Which security testing method should be integrated into the build stage to catch vulnerabilities early?

15

An organization is transitioning from waterfall to agile development. How should security be integrated into the new process to align with the SDLC?

16

In a microservices architecture with a service mesh, what is the most effective approach to secure inter-service communication?

17

Which TWO of the following are mandatory secure coding practices to prevent injection attacks? (Select exactly two.)

18

Which THREE of the following are essential components of a software supply chain security program? (Select exactly three.)

19

Which TWO of the following are fundamental phases of a secure software development lifecycle (SSDLC) where security should be integrated? (Select exactly two.)

20

Refer to the exhibit. Which security weakness should be addressed first in this Dockerfile?

21

Refer to the exhibit. Which attack is this OAuth authorization server policy vulnerable to?

22

Refer to the exhibit. Which vulnerability does this code contain?

23

A development team heavily uses third-party libraries. What is the most effective way to manage vulnerabilities in these libraries?

24

An API gateway is being designed for a set of microservices. Which combination of security controls should be implemented?

25

To enforce separation of duties in a CI/CD pipeline, what architectural principle should be implemented?

26

Which THREE of the following are key practices in the OWASP ASVS (Application Security Verification Standard) for secure software? (Select exactly three.)

27

A company uses Docker containers for microservices. What is the most important security measure for container images?

28

A DevSecOps team wants to integrate security into the CI/CD pipeline without slowing down development. Which approach best achieves this?

29

A development team is integrating a third-party library for encryption. The security team insists on using only the latest version of the library. What is the primary security benefit of this requirement?

30

An organization uses a version control system for all software development. Which practice best ensures that code changes are reviewed for security issues before merging into the main branch?

31

During a code review, a developer notices that an application directly concatenates user input into SQL queries. Which type of vulnerability does this represent?

32

A security engineer is designing an API that handles sensitive customer data. The engineer wants to ensure that only authorized clients can access the API, and that requests are not tampered with in transit. Which approach best addresses both requirements?

33

A DevOps team is implementing a DevSecOps pipeline. Which of the following should be introduced first in the pipeline to catch security issues early and reduce remediation cost?

34

A developer is tasked with securely storing user passwords in a database. Which of the following is the most secure approach?

35

A security assessment reveals that a web application uses client-side input validation exclusively. What is the most likely security risk?

36

An organization is adopting a microservices architecture. Which security control is most effective for ensuring that inter-service communication is authenticated and authorized?

37

A security architect is reviewing a software design that uses a third-party library for XML parsing. The library is known to be vulnerable to XML External Entity (XXE) attacks. The architect recommends replacing the library. What is the primary risk of XXE attacks that the architect wants to avoid?

38

Which TWO of the following are essential elements of a secure software development lifecycle (SSDLC)? (Select exactly 2.)

39

Which THREE of the following are valid countermeasures to prevent SQL injection vulnerabilities? (Select exactly 3.)

40

Which TWO of the following are best practices for securing containerized applications? (Select exactly 2.)

41

Refer to the exhibit. An application running on this server uses HTTPS (port 443). What is the most likely impact of the current firewall rules on the application?

42

Refer to the exhibit. A security engineer reviews this S3 bucket policy. The Developer role is used by a CI/CD pipeline that uploads build artifacts. What security weakness exists in this policy?

43

Refer to the exhibit. A security auditor examines the Git history of a critical security patch. What is the most significant security concern?

44

A development team is implementing a new feature that processes sensitive user data. Which of the following is the most secure approach to prevent data leakage during processing?

45

A company is developing a mobile payment application. To comply with PCI DSS, what should be implemented to protect cardholder data during transmission?

46

A security architect is reviewing the access control model for a microservices architecture. Which approach minimizes the risk of privilege escalation from a compromised service?

47

During a code review, a developer identifies a SQL injection vulnerability. What is the most effective fix?

48

A team uses third-party libraries. What is the best practice to ensure they do not introduce vulnerabilities?

49

An organization is adopting DevOps. Which of the following is a primary security concern when integrating security into CI/CD pipelines?

50

A security analyst is evaluating a web application firewall (WAF). Which TWO features are most critical for preventing common web attacks?

51

A developer is implementing role-based access control (RBAC). Which THREE components are essential for an RBAC system?

52

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities?

53

A financial institution has developed a trading application that sends orders via an internal API. The application processes high-frequency trades and must ensure non-repudiation of orders. The development team implemented digital signatures using RSA with SHA-256. However, testers found that occasionally two different orders produce the same signature. The team suspects a collision resistance issue. After reviewing the implementation, they notice that the private key is generated using a deterministic key generation algorithm that uses a fixed seed derived from the current timestamp. The signatures are generated by signing the order hash directly. What is the most likely root cause of the signature collision?

54

A healthcare organization uses a custom application to manage patient records. The application uses a database with encrypted columns for sensitive data. The security team discovers that an insider has been copying encrypted data to an external drive. While the data is encrypted, the encryption key is stored in a configuration file accessible to the application. Which additional control would best mitigate this risk?

55

A DevOps team implements a CI/CD pipeline that runs security scans automatically. The pipeline fails often due to false positives, causing delays. Which approach balances security and efficiency?

56

An organization develops a SaaS platform that integrates with multiple third-party services via APIs. The platform handles authentication tokens and user data. A security review reveals that the platform uses hardcoded API keys in the source code. What is the most secure way to manage these secrets in a cloud-native environment?

57

A financial application uses a third-party library for PDF generation. A security review finds that the library is no longer maintained and has known vulnerabilities. What is the BEST course of action?

58

Which TWO of the following are security principles that should be applied during software development? (Select TWO.)

59

A company develops a web application using microservices architecture deployed on Kubernetes. The security team identifies that the application is vulnerable to injection attacks because user input is concatenated into SQL queries. The development team wants to implement a fix quickly. They propose using parameterized queries, but the database access layer currently uses stored procedures. The team considers modifying the stored procedures to accept parameters and using prepared statements in the code. However, the operations team is concerned about performance impact. Which of the following is the BEST course of action?

Frequently asked questions

What does the Software Development Security domain cover on the CISSP exam?

The Software Development Security domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.

How many Software Development Security questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 59 questions in the Software Development Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Software Development Security for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Software Development Security questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Software Development Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
