Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Software Development Security practice sets

CISSP Software Development Security • Complete Question Bank

CISSP Software Development Security — All Questions With Answers

Complete CISSP Software Development Security question bank — all 0 questions with answers and detailed explanations.

59
Questions
Free
No signup
Certifications/CISSP/Practice Test/Software Development Security/All Questions
Question 1easymultiple choice
Read the full Software Development Security explanation →

A development team is adopting a secure SDLC. Which phase should include threat modeling to identify potential security vulnerabilities early?

Question 2mediummultiple choice
Read the full Software Development Security explanation →

A software company uses a third-party library that has a known critical vulnerability. The library is used extensively and rewriting the code would take months. What is the BEST immediate action to reduce risk?

Question 3hardmultiple choice
Read the full Software Development Security explanation →

During a code review, a developer encounters the following code snippet in a Java web application used to authenticate users:

String query = "SELECT * FROM users WHERE username = '" + request.getParameter("user") + "' AND password = '" + request.getParameter("pass") + "'";

Which of the following is the MOST effective remediation?

Question 4easymultiple choice
Read the full Software Development Security explanation →

An organization is migrating from a waterfall to an Agile development methodology. Which of the following is a key security advantage of Agile?

Question 5mediummultiple choice
Read the full Software Development Security explanation →

A company is deploying a containerized application using Kubernetes. Which practice BEST ensures the security of the container images?

Question 6hardmultiple choice
Read the full Software Development Security explanation →

A development team is implementing a microservices architecture. Which of the following is the BEST approach to secure inter-service communication?

Question 7mediummulti select
Read the full Software Development Security explanation →

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities? (Select TWO.)

Question 8hardmulti select
Read the full Software Development Security explanation →

Which THREE of the following are valid techniques to ensure software integrity during the build and deployment process? (Select THREE.)

Question 9hardmultiple choice
Read the full Software Development Security explanation →

A financial services company uses a custom web application for online banking. The application is developed in-house using Java and deployed on Apache Tomcat servers. Recently, the security team discovered that the application is vulnerable to a critical remote code execution (RCE) vulnerability due to insecure deserialization of untrusted data. The vulnerability exists in a module that processes session objects. The development team has been assigned to fix this issue. They propose the following options:

A. Implement a custom deserialization filter using ObjectInputFilter to whitelist only expected classes. B. Replace Java serialization with JSON serialization using a library like Jackson, and configure it to disallow polymorphic deserialization by default. C. Encrypt all serialized objects using AES-256 before sending them to the client. D. Use a Web Application Firewall (WAF) to block requests containing known deserialization payloads.

The application must maintain high availability and minimal latency. Which option provides the MOST effective and sustainable remediation?

Question 10mediumdrag order
Read the full Software Development Security explanation →

Drag and drop the steps for conducting a business impact analysis (BIA) in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 11mediumdrag order
Read the full Software Development Security explanation →

Drag and drop the steps for a disaster recovery (DR) plan activation in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 12mediummatching
Read the full Software Development Security explanation →

Match each security model to its primary characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

No read up, no write down

No read down, no write up

Well-formed transactions and separation of duties

Prevents conflict of interest among clients

Rules for granting and taking permissions

Question 13mediummatching
Read the full Software Development Security explanation →

Match each OSI layer to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Frames and MAC addressing

Routing and logical addressing

End-to-end reliability and segmentation

User interface and application services

Question 14easymultiple choice
Read the full Software Development Security explanation →

A company is implementing a CI/CD pipeline for a web application. Which security testing method should be integrated into the build stage to catch vulnerabilities early?

Question 15mediummultiple choice
Read the full Software Development Security explanation →

An organization is transitioning from waterfall to agile development. How should security be integrated into the new process to align with the SDLC?

Question 16hardmultiple choice
Read the full Software Development Security explanation →

In a microservices architecture with a service mesh, what is the most effective approach to secure inter-service communication?

Question 17mediummulti select
Read the full Software Development Security explanation →

Which TWO of the following are mandatory secure coding practices to prevent injection attacks? (Select exactly two.)

Question 18hardmulti select
Read the full Software Development Security explanation →

Which THREE of the following are essential components of a software supply chain security program? (Select exactly three.)

Question 19easymulti select
Read the full Software Development Security explanation →

Which TWO of the following are fundamental phases of a secure software development lifecycle (SSDLC) where security should be integrated? (Select exactly two.)

Question 20mediummultiple choice
Read the full Software Development Security explanation →

Refer to the exhibit. Which security weakness should be addressed first in this Dockerfile?

Exhibit

FROM ubuntu:latest
RUN apt-get update && apt-get install -y python
COPY . /app
WORKDIR /app
CMD ["python", "app.py"]
Question 21hardmultiple choice
Read the full Software Development Security explanation →

Refer to the exhibit. Which attack is this OAuth authorization server policy vulnerable to?

Exhibit

{
  "scopes": [
    {"name": "read", "permissions": ["file:read"]},
    {"name": "write", "permissions": ["file:write"]}
  ],
  "default_permissions": ["file:read"]
}
Question 22easymultiple choice
Read the full Software Development Security explanation →

Refer to the exhibit. Which vulnerability does this code contain?

Exhibit

import sqlite3
conn = sqlite3.connect('database.db')
cursor = conn.cursor()
user_input = request.GET.get('username')
query = "SELECT * FROM users WHERE username = '" + user_input + "'"
cursor.execute(query)
Question 23easymultiple choice
Read the full Software Development Security explanation →

A development team heavily uses third-party libraries. What is the most effective way to manage vulnerabilities in these libraries?

Question 24mediummultiple choice
Read the full NAT/PAT explanation →

An API gateway is being designed for a set of microservices. Which combination of security controls should be implemented?

Question 25hardmultiple choice
Read the full Software Development Security explanation →

To enforce separation of duties in a CI/CD pipeline, what architectural principle should be implemented?

Question 26mediummulti select
Read the full Software Development Security explanation →

Which THREE of the following are key practices in the OWASP ASVS (Application Security Verification Standard) for secure software? (Select exactly three.)

Question 27mediummultiple choice
Read the full Software Development Security explanation →

A company uses Docker containers for microservices. What is the most important security measure for container images?

Question 28hardmultiple choice
Read the full Software Development Security explanation →

A DevSecOps team wants to integrate security into the CI/CD pipeline without slowing down development. Which approach best achieves this?

Question 29easymultiple choice
Read the full Software Development Security explanation →

A development team is integrating a third-party library for encryption. The security team insists on using only the latest version of the library. What is the primary security benefit of this requirement?

Question 30easymultiple choice
Read the full Software Development Security explanation →

An organization uses a version control system for all software development. Which practice best ensures that code changes are reviewed for security issues before merging into the main branch?

Question 31easymultiple choice
Read the full NAT/PAT explanation →

During a code review, a developer notices that an application directly concatenates user input into SQL queries. Which type of vulnerability does this represent?

Question 32mediummultiple choice
Read the full Software Development Security explanation →

A security engineer is designing an API that handles sensitive customer data. The engineer wants to ensure that only authorized clients can access the API, and that requests are not tampered with in transit. Which approach best addresses both requirements?

Question 33mediummultiple choice
Read the full Software Development Security explanation →

A DevOps team is implementing a DevSecOps pipeline. Which of the following should be introduced first in the pipeline to catch security issues early and reduce remediation cost?

Question 34mediummultiple choice
Read the full Software Development Security explanation →

A developer is tasked with securely storing user passwords in a database. Which of the following is the most secure approach?

Question 35hardmultiple choice
Read the full Software Development Security explanation →

A security assessment reveals that a web application uses client-side input validation exclusively. What is the most likely security risk?

Question 36hardmultiple choice
Read the full Software Development Security explanation →

An organization is adopting a microservices architecture. Which security control is most effective for ensuring that inter-service communication is authenticated and authorized?

Question 37hardmultiple choice
Read the full Software Development Security explanation →

A security architect is reviewing a software design that uses a third-party library for XML parsing. The library is known to be vulnerable to XML External Entity (XXE) attacks. The architect recommends replacing the library. What is the primary risk of XXE attacks that the architect wants to avoid?

Question 38mediummulti select
Read the full Software Development Security explanation →

Which TWO of the following are essential elements of a secure software development lifecycle (SSDLC)? (Select exactly 2.)

Question 39hardmulti select
Read the full Software Development Security explanation →

Which THREE of the following are valid countermeasures to prevent SQL injection vulnerabilities? (Select exactly 3.)

Question 40hardmulti select
Read the full Software Development Security explanation →

Which TWO of the following are best practices for securing containerized applications? (Select exactly 2.)

Question 41mediummultiple choice
Read the full Software Development Security explanation →

Refer to the exhibit. An application running on this server uses HTTPS (port 443). What is the most likely impact of the current firewall rules on the application?

Network Topology
20 1200 DROP alleth0 * 10.0.0.0/80 0 DROP all100 5000 ACCEPT all10 800 LOG all5 600 ACCEPT tcpRefer to the exhibit.```# iptables -L -n -v
Question 42hardmultiple choice
Read the full Software Development Security explanation →

Refer to the exhibit. A security engineer reviews this S3 bucket policy. The Developer role is used by a CI/CD pipeline that uploads build artifacts. What security weakness exists in this policy?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/Developer"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::myapp-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "Stmt2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/Developer"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::myapp-bucket/*"
    }
  ]
}
```
Question 43hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. A security auditor examines the Git history of a critical security patch. What is the most significant security concern?

Exhibit

Refer to the exhibit.
```
# Git log output
commit 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b
Author: Developer A <dev.a@company.com>
Date:   Mon Jan 15 14:30:00 2024 -0500

    Revert "Fix authentication bypass vulnerability"
    
    This reverts commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.

commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: Developer B <dev.b@company.com>
Date:   Sun Jan 14 10:15:00 2024 -0500

    Fix authentication bypass vulnerability
```
Question 44easymultiple choice
Read the full Software Development Security explanation →

A development team is implementing a new feature that processes sensitive user data. Which of the following is the most secure approach to prevent data leakage during processing?

Question 45mediummultiple choice
Read the full Software Development Security explanation →

A company is developing a mobile payment application. To comply with PCI DSS, what should be implemented to protect cardholder data during transmission?

Question 46hardmultiple choice
Read the full Software Development Security explanation →

A security architect is reviewing the access control model for a microservices architecture. Which approach minimizes the risk of privilege escalation from a compromised service?

Question 47easymultiple choice
Read the full Software Development Security explanation →

During a code review, a developer identifies a SQL injection vulnerability. What is the most effective fix?

Question 48mediummultiple choice
Read the full Software Development Security explanation →

A team uses third-party libraries. What is the best practice to ensure they do not introduce vulnerabilities?

Question 49hardmultiple choice
Read the full Software Development Security explanation →

An organization is adopting DevOps. Which of the following is a primary security concern when integrating security into CI/CD pipelines?

Question 50mediummulti select
Read the full Software Development Security explanation →

A security analyst is evaluating a web application firewall (WAF). Which TWO features are most critical for preventing common web attacks?

Question 51hardmulti select
Read the full Software Development Security explanation →

A developer is implementing role-based access control (RBAC). Which THREE components are essential for an RBAC system?

Question 52easymulti select
Read the full Software Development Security explanation →

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities?

Question 53hardmultiple choice
Read the full NAT/PAT explanation →

A financial institution has developed a trading application that sends orders via an internal API. The application processes high-frequency trades and must ensure non-repudiation of orders. The development team implemented digital signatures using RSA with SHA-256. However, testers found that occasionally two different orders produce the same signature. The team suspects a collision resistance issue. After reviewing the implementation, they notice that the private key is generated using a deterministic key generation algorithm that uses a fixed seed derived from the current timestamp. The signatures are generated by signing the order hash directly. What is the most likely root cause of the signature collision?

Question 54mediummultiple choice
Read the full NAT/PAT explanation →

A healthcare organization uses a custom application to manage patient records. The application uses a database with encrypted columns for sensitive data. The security team discovers that an insider has been copying encrypted data to an external drive. While the data is encrypted, the encryption key is stored in a configuration file accessible to the application. Which additional control would best mitigate this risk?

Question 55easymultiple choice
Read the full Software Development Security explanation →

A DevOps team implements a CI/CD pipeline that runs security scans automatically. The pipeline fails often due to false positives, causing delays. Which approach balances security and efficiency?

Question 56hardmultiple choice
Read the full NAT/PAT explanation →

An organization develops a SaaS platform that integrates with multiple third-party services via APIs. The platform handles authentication tokens and user data. A security review reveals that the platform uses hardcoded API keys in the source code. What is the most secure way to manage these secrets in a cloud-native environment?

Question 57mediummultiple choice
Read the full Software Development Security explanation →

A financial application uses a third-party library for PDF generation. A security review finds that the library is no longer maintained and has known vulnerabilities. What is the BEST course of action?

Question 58easymulti select
Read the full Software Development Security explanation →

Which TWO of the following are security principles that should be applied during software development? (Select TWO)

Question 59hardmultiple choice
Read the full NAT/PAT explanation →

A company develops a web application using microservices architecture deployed on Kubernetes. The security team identifies that the application is vulnerable to injection attacks because user input is concatenated into SQL queries. The development team wants to implement a fix quickly. They propose using parameterized queries, but the database access layer currently uses stored procedures. The team considers modifying the stored procedures to accept parameters and using prepared statements in the code. However, the operations team is concerned about performance impact. Which of the following is the BEST course of action?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

CISSP Practice Test 1 — 10 Questions→CISSP Practice Test 2 — 10 Questions→CISSP Practice Test 3 — 10 Questions→CISSP Practice Test 4 — 10 Questions→CISSP Practice Test 5 — 10 Questions→CISSP Practice Exam 1 — 20 Questions→CISSP Practice Exam 2 — 20 Questions→CISSP Practice Exam 3 — 20 Questions→CISSP Practice Exam 4 — 20 Questions→Free CISSP Practice Test 1 — 30 Questions→Free CISSP Practice Test 2 — 30 Questions→Free CISSP Practice Test 3 — 30 Questions→CISSP Practice Questions 1 — 50 Questions→CISSP Practice Questions 2 — 50 Questions→CISSP Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Software Development SecuritySecurity Assessment and TestingIdentity and Access ManagementSecurity and Risk ManagementSecurity Architecture and EngineeringCommunication and Network SecurityAsset SecuritySecurity Operations

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Software Development Security setsAll Software Development Security questionsCISSP Practice Hub