Practice SSCP Systems and Application Security questions with full explanations on every answer.
1. A security analyst notices that a web application is vulnerable to SQL injection. The application uses parameterized queries for most inputs but concatenates user input directly into a query for a legacy module. Which is the BEST immediate remediation?
2. An organization is implementing a jump server architecture for managing critical servers. Which additional control BEST reduces the risk of lateral movement if the jump server is compromised?
3. A company is deploying a new mobile application that handles sensitive customer data. Which practice BEST ensures data confidentiality on the device?
4. During a penetration test, an attacker was able to bypass input validation and execute commands on a web server. The server runs a PHP application. Which of the following is the MOST likely root cause?
5. A system administrator needs to ensure that a Linux server is hardened against common attacks. Which configuration change is MOST effective in preventing privilege escalation via SUID binaries?
6. A company is migrating its on-premises applications to a public cloud. Which security control is MOST important to implement to protect data in transit?
7. A security analyst reviews logs and finds that an attacker exploited a vulnerability in a web application to read arbitrary files from the server. The application runs on Apache with mod_php. Which of the following is the MOST likely vulnerability?
8. An organization is implementing a secure software development lifecycle (SDLC). Which activity should be performed during the design phase to minimize security flaws?
9. Which TWO of the following are effective controls to prevent buffer overflow attacks? (Choose two.)
10. Which THREE of the following are common indicators of a cross-site scripting (XSS) attack? (Choose three.)
11. Which TWO of the following are best practices for securing a wireless network? (Choose two.)
12. Which THREE of the following are valid methods for authenticating users in a web application? (Choose three.)
13. Refer to the exhibit. A web server at 10.0.0.50 received the payload shown. What is the MOST likely impact if the web application is vulnerable?
14. Refer to the exhibit. A security analyst observes this event on a workstation. What is the MOST likely explanation?
15. Drag and drop the steps for conducting a security incident response under the NIST framework into the correct order.
16. Drag and drop the steps for setting up a certificate authority (CA) in Windows Server into the correct order.
17. Match each cryptography term to its definition.
18. Match each security control to its type (administrative, technical, physical).
19. A software development team is implementing input validation for a web application that accepts user email addresses. Which approach BEST prevents email injection attacks?
20. An organization wants to protect endpoints from ransomware that encrypts files and demands payment. Which control should be implemented FIRST?
21. A company runs containerized applications in a Kubernetes cluster. They need to ensure that containers run with the least privilege and cannot escalate privileges. Which configuration change is MOST effective?
22. A database administrator notices unusual queries that seem to be trying to extract data via SQL injection. The application uses parameterized queries for most queries, but some dynamic queries are built using string concatenation. What is the BEST remediation?
23. An IT administrator needs to ensure that all workstations receive security patches in a timely manner. Which process is MOST effective for this?
24. A company uses a Cloud Workload Protection Platform (CWPP) to secure IaaS workloads. They discover that a virtual machine (VM) is communicating with a known command-and-control server. What is the FIRST action the security team should take?
25. An organization allows employees to use personal smartphones to access corporate email and data. Which control is MOST important to protect corporate data if a device is lost or stolen?
26. A small business needs basic protection against malware. Which solution is MOST cost-effective and provides real-time protection?
27. A DevOps team implements a CI/CD pipeline for a web application. Which security control is BEST to ensure that only properly reviewed code reaches production?
28. Which TWO of the following are essential components of a secure configuration baseline for a new server deployment?
29. Which THREE of the following are types of application security testing that should be included in a secure SDLC?
30. Which THREE of the following are data loss prevention (DLP) controls that can be implemented to protect sensitive data?
31. Refer to the exhibit. A security analyst reviews the firewall configuration for a Windows workstation on a private network. What is the MOST significant weakness?
32. Refer to the exhibit. A web server log shows two requests from the same IP. What type of attack is being attempted, and which mitigation is MOST effective?
33. Refer to the exhibit. An AWS S3 bucket policy is defined as shown. Which statement about this policy is TRUE?
34. A company wants to prevent unauthorized applications from running on employee workstations. Which of the following is the most effective control?
35. A web application processes user-supplied data in SQL queries. Which practice best prevents SQL injection?
36. An organization experiences malware that injects code into legitimate processes. Which security feature should be enabled to prevent code execution in memory pages?
37. A critical vulnerability is discovered in an application currently in use. What should be done first?
38. A company uses virtual machines for development. To ensure isolation between VMs on the same host, which control is most important?
39. A BYOD policy allows personal devices to access corporate email. What is the best control to enforce device encryption and remote wipe?
40. An employee receives an email with an attachment claiming to be an invoice but contains a macro virus. What control would have blocked this?
41. An organization uses AWS IAM to manage access. Which best practice ensures least privilege?
42. During a code review, you discover that an application stores passwords in plaintext. What is the most secure remediation?
43. Refer to the exhibit. A security analyst reviews a Windows Security event log entry showing multiple logon failures for user 'admin' from IP 10.0.0.100 within 5 minutes. What type of attack is most likely occurring?
44. Refer to the exhibit. A firewall log shows repeated outbound connection attempts from an internal workstation (192.168.1.50) to an external IP (203.0.113.50) on TCP port 445. What is the most likely cause?
45. Refer to the exhibit. An IAM policy includes the following statement: 'Effect': 'Allow', 'Action': ['s3:ListBucket','s3:GetObject'], 'Resource': 'arn:aws:s3:::example-bucket/*'. What does this policy allow?
46. A system administrator is hardening a Windows server. Which two of the following are effective hardening measures? (Choose two.)
47. Which three of the following are best practices for securing a database? (Choose three.)
48. Which two of the following measures ensure the integrity of backup data? (Choose two.)
49. A security administrator discovers that a web application is vulnerable to SQL injection. Which of the following is the most effective mitigation to implement at the application layer?
50. During a security audit, an analyst finds that a server's audit log shows repeated failed login attempts from a single IP, followed by a successful login from the same IP five minutes later. What is the most likely type of attack that occurred?
51. A company is implementing a new file-sharing application for employees. Which of the following is the most important security control to prevent unauthorized access to shared files?
52. A security engineer needs to select a hashing algorithm for storing user passwords in a database. Which of the following is the most secure choice?
53. A company deploys a new web application and wants to ensure that session tokens are not vulnerable to session hijacking. Which of the following controls is most effective?
54. An organization is migrating its on-premises applications to a cloud provider. Which of the following security controls should be implemented to protect data at rest in the cloud?
55. A security analyst is reviewing a script that performs automated backups. The script uses a hardcoded password to connect to the database. What is the most secure alternative?
56. A developer wants to ensure that a web application is protected against cross-site request forgery (CSRF). Which mitigation technique is most commonly recommended?
57. An organization requires that all laptops used by employees be encrypted. Which type of encryption should be used to protect the entire hard drive?
58. Which TWO of the following are effective measures to prevent buffer overflow attacks in software development?
59. Which THREE of the following are common types of malware?
60. Which TWO of the following are best practices for securing an application programming interface (API)?
61. A company deploys a web application that processes credit card payments. The development team uses parameterized queries for all database interactions. However, during a penetration test, the tester successfully injects malicious code into a search field and retrieves sensitive customer data. Which of the following is the most likely cause?
62. An organization uses a cloud-based file synchronization service to share project files with external partners. The security team discovers that an unauthorized third party accessed sensitive documents by guessing weak passwords. Which additional control would most effectively mitigate this risk?
63. A help desk technician receives multiple reports that users cannot access a critical web application. The application's error log shows repeated '403 Forbidden' errors. Which of the following is the most likely cause?
64. A security analyst needs to ensure that a legacy application running on an unsupported operating system remains secure until it can be replaced. Which strategy provides the most effective risk reduction?
65. Which TWO of the following are effective measures to prevent cross-site scripting (XSS) vulnerabilities in a web application?
66. Which THREE of the following are best practices for securely managing cryptographic keys in an enterprise environment?
67. Which TWO of the following are common indicators of a ransomware attack?
68. A company runs a critical web application on an internal server that authenticates users against a Microsoft SQL Server database. The application was developed by a vendor that is no longer in business, and the source code is unavailable. The current authentication process stores user passwords using reversible encryption. The security team has identified this as a high-risk vulnerability. They propose implementing a database-level trigger that hashes the password column during INSERT and UPDATE operations, and modifying the application's stored procedures to compare hashed values during login. However, after implementation, users report that they cannot log in. The authentication logs show that the password comparison always fails. The database administrator confirms that the trigger is working and that new user registrations store the SHA-256 hash. What is the most likely cause of the login failures?
69. An organization uses a central syslog server to collect logs from firewalls, servers, and network devices. Recently, the security team noticed that some critical events from the firewall are missing from the syslog server. The firewall configuration sends syslog messages using UDP to the syslog server. The syslog server administrator reports that the server is receiving a high volume of logs and occasionally drops packets due to buffer overflow. The team needs to ensure reliable delivery of all syslog messages without losing any. Which solution should the team implement?
70. A small business uses a single Windows Server 2016 machine that also acts as a domain controller, file server, and runs a custom application for inventory management. The server recently exhibited slow performance and frequent crashes. The system administrator runs antivirus and finds no malware. The event log shows several 'Event ID 7000' errors from the Service Control Manager, indicating certain services failed to start. The administrator also notices that the server has not been restarted in 180 days and has several pending updates. What is the most likely cause of the performance issues?
71. A healthcare organization uses an electronic health records (EHR) system that stores patient data in a relational database. The system is accessed by doctors and nurses via tablet devices on a wireless network. The security team has detected that some patient records were accessed outside of normal business hours from an IP address not belonging to the organization. The database logs show that the queries originated from the application server. The application logs indicate that the access was performed using a legitimate user account that had been disabled due to employee departure two weeks earlier. Which of the following is the most effective step to prevent recurrence?
72. A financial services organization deploys a new web application that allows customers to check account balances and transfer funds. The application uses a RESTful API with JSON payloads. Shortly after deployment, the security team notices unusual traffic patterns: many requests contain excessively long JSON strings in the 'amount' field, and some of these requests return 500 Internal Server Errors. The application logs show that these requests cause high CPU usage on the application server. The developers confirm that the input validation only checks for negative numbers and characters. Which type of attack is most likely occurring, and what is the best immediate mitigation?
73. A university IT department manages a lab of 50 computers running Windows 10 that are used by students for coursework. The computers are joined to a domain and have Group Policy applied to restrict administrative access. Recently, several students were able to install unauthorized software by using the built-in Administrator account, which had the same password on all lab computers. The IT department wants to prevent this without affecting the students' ability to run required academic software. Which of the following is the most effective solution?
74. Which TWO of the following are effective measures to prevent buffer overflow attacks in a custom-developed application?
75. Refer to the exhibit. A security administrator is troubleshooting connectivity to a web server. Users report they can access the website via HTTP and HTTPS, but cannot establish new SSH connections. Which of the following best explains this issue?
76. A medium-sized financial services company has recently deployed a new web application that processes sensitive customer data, including Social Security numbers and account balances. The security team implemented network segmentation, a web application firewall (WAF) from a reputable vendor, and quarterly vulnerability scans. The developers assert that they use parameterized queries for all database calls in the main application code. During a recent penetration test, testers successfully exploited a SQL injection vulnerability, extracting the entire customer database. Further investigation reveals that the main application indeed uses parameterized queries, but a third-party reporting module, integrated to generate compliance reports, constructs SQL queries by concatenating user-supplied date range inputs directly into SQL strings. The WAF is configured with a generic rule set and has not been tuned to the application's specific traffic patterns. What is the most effective course of action to remediate this vulnerability and prevent future occurrences?
The Systems and Application Security domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.
The Courseiva SSCP question bank contains 76 questions in the Systems and Application Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Systems and Application Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.