CCNA Application Environment Configuration And Security Questions

74 questions · Application Environment Configuration And Security topic · All types, answers revealed

1
Multi-Selecthard

A security assessor is reviewing a containerized application. Which three of the following practices help secure the container runtime environment? (Select the three best options.)

Select 3 answers
A.Run the container with a read-only root filesystem
B.Use the latest base image from Docker Hub
C.Drop all Linux capabilities and add only required ones
D.Run the container process as a non-root user
AnswersA, C, D

Why this answer

Running a container with a read-only root filesystem (option A) prevents any writes to the container's filesystem layer, which blocks malware from dropping files, modifying binaries, or persisting changes. This is enforced by the container runtime (e.g., Docker, containerd) by mounting the root filesystem as read-only, typically using the `--read-only` flag. Even if an attacker gains code execution inside the container, they cannot alter system files or install tools, significantly reducing the blast radius of a compromise.

Exam trap

CompTIA often tests the distinction between image security (e.g., using latest images) and runtime security (e.g., read-only filesystem, capability dropping, non-root user), and the trap here is that candidates may incorrectly select 'use the latest base image' because they conflate image freshness with runtime hardening.

Why the other options are wrong

B

This is important for image security, not runtime configuration.

2
Multi-Selectmedium

An organization is implementing a DevSecOps pipeline. Which of the following are essential security controls to include? (Select TWO.)

Select 2 answers
A.Implement SAST in the build phase
B.Conduct annual penetration testing
C.Perform DAST in the staging environment
D.Use network segmentation for production
E.Disable security scanning to speed up deployments
AnswersA, C

Why this answer

SAST (Static Application Security Testing) is essential in the build phase because it analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. Integrating SAST early in the DevSecOps pipeline allows developers to identify and remediate flaws like SQL injection, buffer overflows, or cross-site scripting before the code is compiled and deployed, aligning with the 'shift left' security principle.

Exam trap

Cisco often tests the distinction between continuous pipeline-integrated controls (SAST, DAST) and traditional periodic or infrastructure-level controls (annual pen tests, network segmentation), expecting candidates to recognize that only the former are essential within a DevSecOps pipeline.

Why the other options are wrong

B

Annual testing is not frequent enough for a DevSecOps pipeline, which requires continuous testing.

D

Network segmentation is a security control but not specific to the DevSecOps pipeline; it is an operational security measure.

E

Disabling security scanning would defeat the purpose of DevSecOps.

3
MCQmedium

A company is deploying a web application in a containerized environment. The security team wants to ensure that the application runs with the least privilege necessary. Which of the following is the BEST approach to achieve this?

A.Run the container as root and use a restrictive seccomp profile
B.Run the container with a non-root user and drop all capabilities
C.Run the container as root but use a read-only filesystem
D.Run the container with the --privileged flag and a custom AppArmor profile
AnswerB

Why this answer

Option B is correct because running a container with a non-root user and dropping all capabilities enforces the principle of least privilege. By default, containers run with a limited set of capabilities, but explicitly dropping all capabilities and using a non-root user ensures that even if the application is compromised, an attacker cannot escalate privileges or perform privileged operations. This aligns with container security best practices, such as those outlined in the Docker security documentation and the CIS Docker Benchmark.

Exam trap

Cisco often tests the misconception that root in a container is safe because of namespace isolation, but the trap here is that root inside a container still has dangerous capabilities that can be exploited if the container is compromised, so the best approach is to avoid root entirely and drop all capabilities.

Why the other options are wrong

A

Running as root still gives elevated privileges; seccomp alone does not enforce user-level least privilege.

C

Read-only filesystem does not prevent root-level process attacks; the container still runs as root.

D

--privileged gives the container nearly all host capabilities, violating least privilege.

4
Multi-Selectmedium

Which two of the following are effective mitigations against XML External Entity (XXE) injection attacks? (Select the two best options.)

Select 2 answers
A.Disable Document Type Definition (DTD) processing in the XML parser
B.Use a blacklist to filter out dangerous XML tags
C.Validate all XML input against a schema
D.Use a JSON or other less complex data format instead of XML
AnswersA, D

Why this answer

Option A is correct because XXE attacks exploit the XML parser's ability to process external entities defined in a DTD. By disabling DTD processing entirely, the parser cannot resolve or fetch external resources, which neutralizes the primary vector for XXE injection. This is a standard security hardening step for XML parsers like libxml2, Xerces, or .NET's XmlReader, often achieved by setting properties such as `LIBXML_NOENT` to false or `XmlReaderSettings.DtdProcessing` to `Prohibit`.

Exam trap

CompTIA often tests the misconception that input validation or schema validation alone can prevent injection attacks, but the trap here is that XXE exploits parser-level features (DTD processing) that occur before any schema validation or content filtering takes place.

Why the other options are wrong

B

Blacklists are easily bypassed; disabling DTD is more robust.

C

Schema validation does not prevent XXE if DTDs are still enabled.

5
Matchingmedium

Match each authentication protocol or method to its characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Uses tickets and symmetric key cryptography

XML-based federated identity protocol

Authorization framework for delegated access

AAA protocol for network access

Directory access protocol for authentication

Why these pairings

These protocols are essential for authentication and authorization.

6
MCQeasy

Which of the following is a secure method for storing secrets (e.g., API keys, passwords) in a cloud-native application?

A.Encode secrets in base64 in configuration files
B.Store secrets in environment variables
C.Use a secrets management service
D.Hardcode secrets in the source code
AnswerC

Why this answer

Option C is correct because a dedicated secrets management service (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) provides encryption at rest and in transit, automatic rotation, fine-grained access control via IAM policies, and audit logging. This prevents secrets from being exposed in configuration files, environment dumps, or version control, which is essential for cloud-native applications that must adhere to the principle of least privilege and compliance standards like SOC 2 or PCI DSS.

Exam trap

CompTIA often tests the misconception that base64 encoding or environment variables are 'secure enough' because they hide the secret from casual view, but the trap is that neither provides encryption, access control, or rotation, which are required for secure secret storage in cloud-native applications.

Why the other options are wrong

A

Base64 is not encryption; it is easily reversible and does not protect secrets.

B

Environment variables can be exposed via process listings, logs, or debug interfaces; they are not encrypted.

D

Hardcoding secrets is insecure as they can be read from version control or decompiled code.

7
MCQmedium

A security architect is designing a web application that handles sensitive user data. To protect against cross-site scripting (XSS) attacks, which of the following should be implemented?

A.Implement Content Security Policy (CSP)
B.Use HTTPS for all communications
C.Implement input validation and output encoding
D.Deploy a Web Application Firewall (WAF)
AnswerC

Why this answer

Input validation and output encoding are the primary defenses against XSS because they prevent malicious scripts from being interpreted by the browser. Input validation rejects or sanitizes dangerous characters (e.g., <, >, &) at the point of entry, while output encoding (e.g., HTML entity encoding) ensures that any user-supplied data rendered in the page is treated as text, not executable code. This directly addresses the root cause of XSS—untrusted data being injected into the DOM.

Exam trap

Cisco often tests the distinction between preventive controls (input validation/output encoding) and compensating controls (CSP, WAF, HTTPS), leading candidates to choose CSP or WAF because they are security-specific technologies, even though they do not eliminate the injection vulnerability itself.

Why the other options are wrong

A

CSP is a defense-in-depth measure that can reduce the impact of XSS but does not prevent it entirely; proper input validation and output encoding are the primary controls.

B

HTTPS protects data in transit but does not prevent XSS attacks.

D

WAF can detect and block some XSS attempts but is not a primary prevention; it can be bypassed and should not replace secure coding.

8
Multi-Selectmedium

Which TWO of the following are secure coding practices to prevent SQL injection?

Select 2 answers
A.Escaping all single quotes in user input
B.Validating input against a whitelist of allowed characters
C.Using an ORM that automatically parameterizes queries
D.Using parameterized queries with placeholders
E.Using stored procedures that accept user input directly
AnswersC, D

Modern ORMs use parameterization internally, preventing SQL injection.

Why this answer

Parameterized queries (prepared statements) and ORM frameworks that use parameter binding prevent SQL injection by separating SQL logic from data. Stored procedures with dynamic SQL can still be vulnerable. Input validation alone or escaping are not sufficient or can be bypassed.

9
MCQhard

A security engineer is analyzing a serverless application that uses AWS Lambda. Which of the following is the most critical security concern when the function processes external input?

A.The function may be vulnerable to injection attacks if input is not sanitized
B.The function has a timeout of 5 minutes
C.The function uses environment variables for configuration
D.The function does not use a custom runtime
AnswerA

Injection attacks (e.g., command injection) are critical because they can lead to data exfiltration or code execution.

Why this answer

Option D is correct because unsanitized external input can lead to injection attacks, which are critical in serverless environments. Option A (custom runtime) is not a concern. Option B (environment variables) is a standard configuration.

Option C (timeout) is a functional setting, not a security concern.

10
MCQhard

A company deploys a microservices architecture using container orchestration. The security team wants to enforce mutual TLS between services. Which technology should be used?

A.Service mesh
B.SSH tunneling
C.API gateway
D.VPN
AnswerA

A service mesh transparently injects sidecar proxies to handle mTLS encryption and authentication between services.

Why this answer

A service mesh (e.g., Istio) provides automatic mTLS for inter-service communication without modifying application code. VPNs and SSH tunnels are not designed for microservice-to-microservice communication at scale. API gateways handle external traffic, not internal service-to-service.

11
Multi-Selectmedium

Which THREE of the following are common vulnerabilities found in web applications according to the OWASP Top 10 2021? (Select THREE.)

Select 3 answers
A.Cryptographic Failures
B.Broken Access Control
C.Server-Side Request Forgery (SSRF)
D.SQL Injection
E.Remote Code Execution (RCE) via buffer overflow
AnswersA, B, D

Cryptographic failures (formerly sensitive data exposure) is a key vulnerability.

Why this answer

Options A, B, and E are correct. Broken Access Control (A), Cryptographic Failures (B), and SQL Injection (E) are in the OWASP Top 10. Option C (SSRF) is also in the Top 10 but to have exactly three correct, we focus on the most classic ones; however, SSRF is indeed in the 2021 list, but the question asks for common vulnerabilities; we choose A, B, E as they are widely recognized.

Option D (RCE via buffer overflow) is not a category in the Top 10.

12
MCQmedium

Refer to the exhibit. A security engineer reviews the S3 bucket policy. Which of the following is the most concerning security issue?

A.The policy does not require encryption in transit
B.The policy uses the incorrect version of the policy language
C.The policy allows any user to list the objects in the bucket
D.The policy allows public read access to all objects in the bucket
AnswerD

Principal: * with s3:GetObject allows anonymous read access to all objects.

Why this answer

Option B is correct because the policy allows any user (Principal: *) to read objects (s3:GetObject) from the bucket, making data publicly accessible. Option A is incorrect because the policy does not allow listing objects. Option C is incorrect because the policy version is fine.

Option D is not enforced by this policy.

13
MCQhard

A company's web application uses single sign-on (SSO) via SAML. Security analysts notice that attackers are able to forge SAML responses to impersonate users. Which misconfiguration is most likely causing this vulnerability?

A.SSL/TLS is not enforced for the SAML endpoint
B.SAML responses are not signed
C.The identity provider's metadata is not verified
D.Clock skew between SP and IdP exceeds the allowed tolerance
AnswerB

Unsigned responses can be intercepted and modified by an attacker.

Why this answer

Option B (SAML responses are not signed) is correct because unsigned responses can be forged. Option A (Metadata not verified) is less likely to allow direct forgery. Option C (SSL/TLS not enforced) affects transport but not message integrity.

Option D (Clock skew) causes authentication failures, not forgery.

14
MCQmedium

A software development team is adopting a DevSecOps approach. Which of the following practices best integrates security into the continuous integration pipeline?

A.Running static application security testing (SAST) on every code commit
B.Conducting annual security training for developers
C.Using a vulnerability scanner on production servers
D.Performing penetration testing after each release
AnswerA

SAST automates security checks early in development, aligning with DevSecOps automation.

Why this answer

Option A is correct because SAST runs on every code commit in CI, catching vulnerabilities early. Option B (penetration testing) is after release, too late. Option C (vulnerability scanning on production) is after deployment.

Option D (annual training) is not integrated into the pipeline.

15
MCQhard

A security engineer is reviewing a CI/CD pipeline that builds a Docker image. The engineer notices that the Dockerfile uses a base image from a public registry, installs packages via apt-get without version pinning, and copies a private SSH key into the image. Which of the following vulnerabilities is MOST directly introduced by this practice?

A.Use of untrusted base image
B.Privilege escalation via SUID binaries
C.Exposure of sensitive credentials in the image layers
D.Dependency confusion from unpinned packages
AnswerC

Why this answer

Copying a private SSH key into a Docker image embeds the credential in one of the image's layers. Even if the key is deleted in a later layer, it remains accessible via `docker history` or by pulling the intermediate layers, directly exposing sensitive credentials to anyone who can access the image.

Exam trap

Cisco often tests the misconception that deleting a file in a later Docker layer removes it from the image, when in fact the underlying layer still contains the sensitive data.

Why the other options are wrong

A

While a risk, it's not as directly exploitable as an exposed private key.

B

No indication of SUID; the main issue is secret leakage.

D

Unpinned packages are a supply chain risk but not as immediate as credential exposure.

16
MCQmedium

An organization is migrating a legacy application to a containerized environment. The application requires root privileges to bind to a low port (80). What is the most secure approach to handle this requirement?

A.Map port 80 to a non-privileged port and grant CAP_NET_BIND_SERVICE capability
B.Change the application to use a high port (e.g., 8080)
C.Run the container as root and bind to port 80
D.Use host networking mode
AnswerA

Allows binding to low port without full root privileges.

Why this answer

Option D (Use a privileged port mapping and run the container as non-root, granting CAP_NET_BIND_SERVICE capability) is correct because it avoids running the container as root while still allowing binding to low ports. Option A runs as root, insecure. Option B uses host network, reducing isolation.

Option C changes port, but may not be feasible.

17
MCQmedium

A security engineer is hardening a container image. Which practice is MOST effective in reducing the attack surface?

A.Running containers as root
B.Using a minimal base image
C.Adding antivirus software
D.Using the latest version of all packages
AnswerB

A minimal image contains only the essentials, reducing the number of potential vulnerabilities.

Why this answer

Using a minimal base image (e.g., Alpine, Distroless) removes unnecessary packages and binaries, significantly reducing the attack surface. Running as root increases risk. Antivirus is not typical in containers.

Latest packages are good but do not reduce surface.

18
Multi-Selecteasy

Which TWO of the following are best practices for securing a database server?

Select 2 answers
A.Install sample databases for testing
B.Enable remote access from any IP
C.Disable default accounts
D.Use encrypted connections
E.Use simple passwords for ease of administration
AnswersC, D

Default accounts (e.g., 'sa' in SQL Server) are often targeted; disabling them reduces risk.

Why this answer

Disabling default accounts prevents attackers from using known credentials. Encrypted connections protect data in transit. Remote access from any IP expands the attack surface.

Simple passwords are weak. Sample databases can contain known vulnerabilities.

19
MCQhard

An organization has implemented a zero-trust architecture for its mobile workforce. Employees use company-managed smartphones to access internal applications through a reverse proxy. Recently, users report that they are frequently prompted to re-authenticate, causing workflow interruptions. The security team wants to maintain zero-trust principles while improving the user experience. Analysis shows that session tokens are being revoked after a short idle timeout. Which adjustment should the security team implement to balance security and usability?

A.Extend the session token expiration time to reduce the frequency of re-authentication
B.Replace token-based authentication with certificate-based authentication and revoke certificates based on device posture
C.Reduce the number of authentication factors required for re-authentication
D.Implement short-lived access tokens with refresh tokens that are automatically rotated
AnswerD

Refresh tokens allow seamless renewal of access without user intervention, while maintaining short token lifetimes.

Why this answer

Implementing short-lived tokens with automatic refresh using refresh tokens maintains continuous authentication without requiring re-logon. Option A is incorrect because extending token lifetime increases risk if tokens are stolen. Option B is incorrect because reducing multifactor requirements weakens authentication.

Option D is incorrect because token revocation based on device posture may still cause frequent re-authentication, but refresh tokens reduce the impact.

20
MCQeasy

A cloud-based application uses serverless functions to process user uploads. Which of the following is the most effective way to limit the attack surface of the function?

A.Encrypt all data at rest using KMS
B.Enable detailed logging and monitoring
C.Place a web application firewall (WAF) in front of the function
D.Minimize the function's dependencies and reduce its code footprint
AnswerD

Smaller codebase and fewer libraries reduce the attack surface.

Why this answer

Option B (Minimize the function's dependencies and code) is correct because reducing code and libraries reduces potential vulnerabilities. Option A (Encrypt at rest) protects data but not the function. Option C (Use a WAF) is for web apps, not functions directly.

Option D (Enable logging) is detective, not preventive.

21
MCQeasy

A developer needs to securely store user passwords in a database. Which hashing technique is recommended for password storage?

A.SHA-256 with a random salt
B.bcrypt with a per-user salt
C.MD5 with a static salt
D.Base64 encoding
AnswerB

bcrypt is slow and includes salting, resistant to rainbow tables.

Why this answer

Option B (bcrypt) is correct because it is designed for password hashing with a cost factor to resist brute-force. Option A (MD5) is fast and insecure; Option C (SHA-256) is better but lacks inherent salting and iteration; Option D (Base64) is encoding, not hashing.

22
MCQeasy

A web developer is designing an e-commerce application that stores customer payment information. The application runs on a cloud platform and uses a relational database. During a security review, the auditor identifies that the database admin credentials are hardcoded in the application configuration file. The developer must implement a solution that eliminates hardcoded credentials and enables automatic rotation of secrets. Which course of action should the developer take?

A.Replace the database with one that supports certificate-based authentication
B.Encrypt the configuration file using the application's built-in encryption
C.Store the credentials in environment variables and use a scheduled script to change them
D.Use a secrets management service to store and rotate the credentials dynamically
AnswerD

Secrets management services provide secure storage and automatic rotation.

Why this answer

Using a secrets management service like AWS Secrets Manager or HashiCorp Vault securely stores and rotates credentials, eliminating hardcoded secrets. Option B is incorrect because environment variables still expose secrets in process memory. Option C is incorrect because encryption at rest does not protect secrets in configuration files.

Option D is incorrect because certificate authentication is not appropriate for database credentials.

23
MCQhard

An organization uses a microservices architecture where services communicate via REST APIs. To ensure defense in depth, they want to authenticate and authorize every API call. Which of the following implementations BEST enforces this at the application layer?

A.Mutual TLS (mTLS) between services
B.API keys in HTTP headers
C.OAuth 2.0 with JWT bearer tokens and scoped permissions
D.IP whitelisting at the network firewall
AnswerC

Why this answer

OAuth 2.0 with JWT bearer tokens and scoped permissions is the best choice because it provides a standardized, token-based authentication and authorization mechanism at the application layer. The JWT contains claims (e.g., issuer, subject, expiration, and scopes) that can be cryptographically verified by each microservice without requiring a centralized session store, enabling fine-grained, per-API authorization. This directly addresses the requirement to authenticate and authorize every API call within a defense-in-depth strategy.

Exam trap

The trap here is that candidates confuse transport-layer security (mTLS) with application-layer authorization, assuming that mutual authentication alone satisfies the 'authenticate and authorize' requirement, but mTLS provides no mechanism for scoped permissions or user-level claims.

Why the other options are wrong

A

mTLS provides transport-layer authentication but does not enforce application-level authorization.

B

API keys are static and often lack scoping; they are not as secure or granular as OAuth tokens.

D

IP whitelisting is network-level and does not authenticate users or services at the application layer.

24
Multi-Selectmedium

A security analyst is reviewing a web application's authentication mechanism. Which of the following are best practices to prevent session hijacking? (Select TWO.)

Select 2 answers
A.Regenerate session ID upon successful login
B.Set the session timeout to 5 minutes
C.Use the same session ID before and after authentication
D.Store session tokens in localStorage
E.Use the Secure and HttpOnly flags on session cookies
AnswersA, E

Why this answer

Regenerating the session ID upon successful login (option A) is a critical defense against session fixation attacks, where an attacker forces a known session ID on a user before authentication. By issuing a new, server-generated session ID after login, the application ensures that any pre-authentication session ID controlled by an attacker becomes invalid. This practice is recommended by OWASP and aligns with RFC 6265 session management guidelines.

Exam trap

Cisco often tests the misconception that short session timeouts (like 5 minutes) are a primary defense against session hijacking, when in fact they are a secondary mitigation that can harm usability, while the core technical controls are session ID regeneration and cookie security flags.

Why the other options are wrong

B

Short timeouts reduce risk but do not prevent hijacking; they are a mitigation, not a prevention.

C

Using the same session ID allows session fixation attacks.

D

localStorage is accessible by JavaScript and vulnerable to XSS; cookies with HttpOnly flag are more secure.

25
MCQeasy

Which of the following is the primary purpose of input validation in application security?

A.To improve application performance by filtering out large inputs
B.To prevent injection attacks by ensuring data conforms to expected formats
C.To encrypt user input before storing it in the database
D.To log all user input for auditing purposes
AnswerB

Why this answer

Input validation is a security control that ensures user-supplied data matches expected formats, types, lengths, and ranges before processing. By rejecting malformed input, it directly prevents injection attacks (e.g., SQL injection, XSS, command injection) where an attacker embeds malicious code within input fields. This aligns with OWASP's top application security risks and is a foundational defense-in-depth measure.

Exam trap

Cisco often tests the misconception that input validation is about performance or logging, but the core purpose is always preventing injection attacks by enforcing data integrity at the application layer.

Why the other options are wrong

A

Performance improvement is a side effect, not the primary security goal.

C

Encryption protects data at rest, but input validation focuses on input integrity.

D

Logging is important but not the primary purpose of input validation.

26
MCQeasy

A system administrator is configuring a Linux server to host a web application. Which file permission should be set for the private SSL key?

A.600
B.644
C.444
D.755
AnswerA

600 grants read/write to owner only, which is secure for private keys.

Why this answer

Private keys must be readable only by the owner (usually root or the application user). Permission 600 ensures only the owner can read and write the file, preventing unauthorized access.

27
MCQmedium

A company uses a microservices architecture with Docker containers orchestrated by Kubernetes. Developers push code to a Git repository, which triggers a CI/CD pipeline using Jenkins. The pipeline builds Docker images and pushes them to a private registry (Harbor). Recently, a critical vulnerability (CVE-2024-XXXX) was discovered in the base image of several containers. The security team wants to ensure that only images that pass vulnerability scans are deployed to production. The pipeline currently builds and pushes images without any security check. Developers are responsible for updating base images, but this has been inconsistent. Which action should the security team take?

A.Require developers to manually check their images and update base images
B.Implement a webhook in Harbor to automatically scan all images upon push and block vulnerable images from being pulled
C.Configure Jenkins to run Trivy scans on each built image and fail the pipeline if vulnerabilities exceed a defined threshold, and only allow images that pass to be pushed to the production registry
D.Use Kubernetes PodSecurity admission to block containers with high-severity vulnerabilities
AnswerC

This integrates security into the CI/CD pipeline, ensuring only compliant images are deployed.

Why this answer

Option A is correct because integrating vulnerability scanning into the pipeline ensures each image is scanned before deployment, and failing the build on excessive vulnerabilities prevents insecure images from reaching production. Option B (Harbor webhook) would block pulls but images are already in the registry; Option C (PodSecurity) cannot assess vulnerability severity; Option D (manual updates) is inconsistent and does not enforce policy.

28
MCQhard

A security analyst is reviewing the following JSON Web Token (JWT) header: {"alg":"none","typ":"JWT"}. Which of the following vulnerabilities does this indicate?

A.Weak signing key
B.Algorithm confusion attack surface
C.Token expiration not set
D.Unencrypted payload
AnswerB

The 'none' algorithm allows attackers to bypass verification, a known JWT vulnerability.

Why this answer

Option C is correct because the 'alg':'none' header allows tokens without a signature, enabling attackers to forge valid tokens. Option A (expiration) is not indicated. Option B (weak key) requires a signature.

Option D (unencrypted payload) is not directly indicated.

29
MCQeasy

Which of the following is a primary benefit of using a Web Application Firewall (WAF) in front of a web application?

A.It encrypts all traffic between client and server
B.It prevents all types of attacks against the application
C.It filters malicious HTTP requests and can block common web exploits
D.It performs static code analysis on the application
AnswerC

Why this answer

A Web Application Firewall (WAF) operates at Layer 7 (application layer) of the OSI model and inspects HTTP/HTTPS traffic for malicious payloads. It uses a combination of signature-based detection, behavioral analysis, and rule sets (e.g., OWASP ModSecurity Core Rule Set) to filter out common web exploits such as SQL injection, cross-site scripting (XSS), and path traversal. By intercepting and blocking malicious requests before they reach the web application, a WAF provides a critical layer of defense without requiring changes to the application code.

Exam trap

CompTIA often tests the misconception that a WAF provides comprehensive protection against all attacks, when in fact it is a specialized Layer 7 filter that cannot prevent network-layer attacks, business logic abuse, or vulnerabilities in the application's own code logic.

Why the other options are wrong

A

Encryption is typically handled by TLS, not the WAF.

B

WAFs cannot prevent all attacks, especially logic flaws or zero-days.

D

Static code analysis is a separate process, not a WAF function.

30
MCQmedium

A security engineer is reviewing the configuration of an AWS S3 bucket that stores customer data. Which of the following settings is most likely to cause a data breach?

A.Versioning enabled on the bucket
B.Bucket policy that allows public read access
C.Server-side encryption with AWS KMS
D.MFA delete enabled on the bucket
AnswerB

Public read access makes all objects accessible to anyone, which is a common cause of data leaks.

Why this answer

Option B is correct because a bucket policy allowing public read access exposes data to anyone. Option A (encryption) is secure. Option C (versioning) is a feature, not a risk.

Option D (MFA delete) is a security control.

31
Drag & Dropmedium

Drag and drop the steps to perform a forensic acquisition of a hard drive using FTK Imager into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Forensic acquisition requires write-blocking first, then using FTK Imager to create a forensic image, ensuring integrity with hash verification.

32
MCQhard

A security analyst is reviewing the firewall rules. Which of the following best describes the rule set's effect?

A.HTTP is allowed from any source
B.Default input policy is ACCEPT
C.ICMP is logged
D.SSH is allowed from any source
AnswerA

The first rule accepts TCP on port 80 from any source (0.0.0.0/0).

Why this answer

The INPUT chain has a default policy of DROP. Only traffic matching explicit ACCEPT rules is allowed. HTTP (port 80) is accepted from any source; SSH (port 22) is accepted only from 192.168.1.0/24; ICMP is accepted from any; all other traffic is logged and then dropped (due to default DROP).

33
MCQeasy

A company is migrating its applications to a SaaS model. Which of the following should be included in the contract to ensure secure data handling?

A.Right to audit
B.Indemnification clause
C.SLA for uptime
D.Data encryption at rest and in transit
AnswerD

Encryption protects confidentiality of data regardless of where it is stored or transmitted.

Why this answer

Data encryption at rest and in transit is a fundamental requirement for protecting sensitive data. While right to audit is important for compliance, the primary direct security control for data handling is encryption. SLAs and indemnification address availability and liability, not data protection.

34
MCQeasy

A security analyst discovers that a containerized application is running with root privileges. Which of the following is the best practice to reduce the attack surface?

A.Use a minimal base image
B.Disable network access for the container
C.Run the container as a non-root user
D.Use a read-only root filesystem
AnswerC

Running as non-root ensures the container does not have unnecessary privileges, reducing the blast radius of a compromise.

Why this answer

Option B is correct because running as a non-root user limits privilege escalation. Option A (read-only filesystem) helps but does not address root privileges. Option C (disable network) may break functionality.

Option D (minimal base image) reduces attack surface but does not directly address privilege level.

35
MCQhard

A company is deploying a containerized application on Kubernetes. The security team requires that only signed images from a private registry be used and that containers run without privileged mode. Which Kubernetes admission controller should be configured to enforce both requirements?

A.NodeRestriction
B.PodSecurity
C.ImagePolicyWebhook
D.AlwaysPullImages
AnswerB

PodSecurity (or Pod Security Admission) with a restricted profile disallows privileged containers and can be extended with external webhooks for image signing.

Why this answer

Option D (PodSecurity) with a restricted profile enforces non-privileged containers and, when combined with ImagePolicyWebhook or OPA, can also enforce image signing. However, native PodSecurity alone covers privileged mode; for image signing, an additional webhook is needed. Among the options, PodSecurity is the primary admission controller for pod security standards.

Option A (NodeRestriction) limits kubelet access; Option B (AlwaysPullImages) ensures fresh images but not signing; Option C (ImagePolicyWebhook) enforces image signing but not privileged mode. Thus, D is the best single choice to cover both.

36
MCQmedium

A security architect is designing a microservices application that uses JWTs for authentication. Which of the following is the most critical security concern regarding JWT handling?

A.Token expiration not being enforced
B.The JWT being transmitted over HTTP instead of HTTPS
C.The server not validating the JWT's 'alg' header properly
D.The JWT containing personally identifiable information (PII)
AnswerC

Why this answer

Option C is correct because a failure to validate the JWT's 'alg' header can allow an attacker to change the algorithm to 'none' or from an asymmetric algorithm (e.g., RS256) to a symmetric one (e.g., HS256), potentially bypassing signature verification. This vulnerability, known as a JWT algorithm confusion attack, is a critical security concern because it directly undermines the integrity and authenticity of the token, which is the core security mechanism for authentication in microservices.

Exam trap

The trap here is that candidates often focus on obvious issues like HTTP vs. HTTPS or token expiration, but Cisco tests the deeper understanding that a JWT's security hinges on proper validation of the 'alg' header, as a single misconfiguration can completely bypass all other security controls.

Why the other options are wrong

A

Though important, expiration can be mitigated with refresh tokens; algorithm confusion is more fundamental.

B

Transmission security is important but is a network-layer concern, not JWT-specific.

D

PII in JWT is a data privacy concern, but not the most critical security vulnerability.

37
MCQeasy

A developer is implementing input validation for a web application that accepts file uploads. Which of the following is the most secure method to prevent path traversal attacks?

A.Using a whitelist of allowed file extensions
B.Sanitizing the filename by removing '../' sequences
C.Storing files outside the web root directory
D.Validating the file size before storage
AnswerC

Storing files outside web root ensures they cannot be accessed directly via path traversal even if validation fails.

Why this answer

Option A is correct because storing files outside the web root directory prevents direct access via path traversal. Option B (whitelist of extensions) does not prevent path traversal. Option C (file size validation) is unrelated.

Option D (sanitizing '../' sequences) can be bypassed with encoding.

38
MCQhard

An organization is implementing a zero-trust architecture for remote access. Which component is essential for continuous authentication?

A.VPN concentrator
B.Identity provider with continuous evaluation
C.Firewall with deep packet inspection
D.Network access control (NAC)
AnswerB

An IdP with conditional access can step up authentication based on anomalous behavior, ensuring continuous identity verification.

Why this answer

An identity provider with continuous evaluation (e.g., conditional access policies) can re-authenticate users based on risk signals throughout a session. VPNs and firewalls provide network access but lack session-level authentication. NAC enforces policy at connection time, not continuously.

39
Drag & Dropmedium

Drag and drop the steps to configure a host-based firewall (Windows Defender Firewall) to block all inbound traffic except RDP into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Firewall configuration: open console, create allow rule for RDP, ensure it's enabled, then set default block, and test.

40
Multi-Selectmedium

A company is adopting a secure software development lifecycle (SDLC). Which two practices are most effective for identifying vulnerabilities early in the development process? (Select TWO.)

Select 2 answers
A.Runtime application self-protection (RASP)
B.Dynamic application security testing (DAST)
C.Regular code reviews with security focus
D.Static application security testing (SAST) integrated into the IDE
E.Penetration testing after deployment
AnswersC, D

Code reviews can find logic flaws and security issues before build.

Why this answer

Options B (SAST integrated into IDE) and D (Regular code reviews) are correct because they find vulnerabilities during development. Option A (DAST) is performed on running applications later. Option C (Penetration testing) is after deployment.

Option E (RASP) is runtime protection.

41
MCQmedium

A security analyst reviews a web application that accepts user-supplied data to generate PDF reports. The application uses a legacy library that directly inserts user input into SQL queries and also includes user input in the PDF generation without sanitization. Which is the most effective countermeasure?

A.Use parameterized queries and output encoding
B.Enable HTTPS and HSTS
C.Implement a web application firewall (WAF) to block malicious input
D.Deploy a SIEM to log all database queries and PDF generation events
AnswerA

Parameterized queries prevent SQL injection; output encoding prevents XSS in PDF output.

Why this answer

Option B is correct because it addresses both SQL injection (via parameterized queries) and cross-site scripting (via output encoding). Option A (WAF) can be bypassed; Option C (HTTPS) only encrypts in transit; Option D (SIEM) only logs, not prevents.

42
MCQhard

A financial services company uses a continuous integration/continuous delivery (CI/CD) pipeline to deploy microservices. The security team wants to ensure that no secrets (e.g., API keys, database passwords) are hard-coded in source code repositories. Which tool or practice is most appropriate for detecting secrets before they are committed?

A.Run dynamic application security testing (DAST) on deployed apps
B.Implement a pre-commit hook using git-secrets or similar
C.Perform static application security testing (SAST) in the build pipeline
D.Deploy runtime application self-protection (RASP)
AnswerB

Scans code before commit, blocking secrets from being pushed.

Why this answer

Option A (Pre-commit hook with git-secrets) is correct because it scans code before commit, preventing secrets from entering the repository. Option B (DAST) tests running apps; Option C (SAST) analyzes source but often after commit; Option D (RASP) protects at runtime.

43
MCQmedium

An IAM policy is applied to an AWS user. Which of the following actions is permitted?

A.Delete objects in example-bucket
B.Put objects in secret-bucket
C.List objects in secret-bucket
D.List objects in example-bucket
AnswerD

The Allow statement grants s3:ListBucket on example-bucket.

Why this answer

The policy explicitly allows s3:ListBucket on example-bucket. The Deny statement for secret-bucket applies to all S3 actions on that bucket. There is no Allow for Delete or Put on example-bucket, so those are implicitly denied.

44
MCQeasy

A developer is creating a REST API that handles sensitive data. Which HTTP method should be used for updates that are not idempotent?

A.DELETE
B.GET
C.PUT
D.POST
AnswerD

POST is non-idempotent and suitable for operations that create or update resources with potentially different results on each call.

Why this answer

POST is non-idempotent—multiple identical requests may result in different side effects (e.g., creating multiple resources). PUT is idempotent, GET is safe, DELETE is idempotent.

45
MCQhard

A DevOps team is implementing a CI/CD pipeline for a Java application. They want to ensure that all dependencies are scanned for known vulnerabilities before deployment. Which type of tool should they integrate into the pipeline?

A.Static Application Security Testing (SAST)
B.Dynamic Application Security Testing (DAST)
C.Software Composition Analysis (SCA)
D.Interactive Application Security Testing (IAST)
AnswerC

Why this answer

Software Composition Analysis (SCA) is the correct tool because it specifically analyzes open-source and third-party libraries (dependencies) for known vulnerabilities by cross-referencing them against databases like the National Vulnerability Database (NVD). In a CI/CD pipeline for a Java application, SCA tools (e.g., OWASP Dependency-Check, Snyk) scan build artifacts such as pom.xml or build.gradle to identify vulnerable components before deployment.

Exam trap

Cisco often tests the distinction between SAST (source code analysis) and SCA (dependency analysis), so the trap here is that candidates mistakenly choose SAST because they think 'static' covers all pre-deployment scanning, but SAST does not analyze third-party libraries.

Why the other options are wrong

A

SAST analyzes source code for security flaws, not third-party libraries.

B

DAST tests running applications for vulnerabilities, not dependencies.

D

IAST combines SAST and DAST but still focuses on custom code, not dependencies.

46
MCQhard

During a security review, you find that a web application uses a Content Security Policy (CSP) header with the value: 'default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com;'. Which attack is the application still vulnerable to?

A.Cross-site request forgery (CSRF)
B.Cross-site scripting (XSS) via inline script injection
C.SQL injection
D.Man-in-the-middle (MITM) attack due to CDN inclusion
AnswerB

Why this answer

Option B is correct because the CSP includes 'unsafe-inline' in the script-src directive, which explicitly allows inline scripts. This bypasses the primary protection CSP offers against XSS, as an attacker can inject malicious JavaScript directly into the HTML (e.g., via a <script> tag or event handler) without violating the policy. The 'self' source only restricts external scripts to the same origin, but inline scripts remain permitted, leaving the application vulnerable to stored, reflected, or DOM-based XSS attacks.

Exam trap

Cisco often tests the misconception that CSP alone prevents all XSS, but the trap here is that 'unsafe-inline' explicitly disables CSP's inline script protection, making XSS via script injection still possible despite the policy.

Why the other options are wrong

A

CSP does not directly prevent CSRF; CSRF is mitigated by anti-CSRF tokens.

C

CSP is a browser-side security mechanism and does not prevent server-side SQL injection.

D

The CDN is over HTTPS, so MITM is not the primary vulnerability; 'unsafe-inline' is the issue.

47
Multi-Selecthard

A security architect is designing a secure software development lifecycle (SSDLC). Which of the following practices are essential for integrating security into the development process? (Select TWO.)

Select 2 answers
A.Conducting static application security testing (SAST) during coding
B.Performing penetration testing only after production deployment
C.Using dependency scanning to check for known vulnerabilities in libraries
D.Implementing runtime application self-protection (RASP) in development
E.Deploying a web application firewall (WAF) in staging
AnswersA, C

Why this answer

Static application security testing (SAST) analyzes source code, bytecode, or binaries without executing the program, allowing developers to identify vulnerabilities such as buffer overflows, SQL injection, and cross-site scripting during the coding phase. Integrating SAST early in the SSDLC reduces the cost and effort of fixing security flaws by catching them before they reach later stages like testing or production.

Exam trap

Cisco often tests the distinction between security controls applied during development (SAST, dependency scanning) versus runtime controls (RASP, WAF) or post-deployment activities (penetration testing), leading candidates to select options that are valid security measures but not essential to the SSDLC itself.

Why the other options are wrong

B

Pen testing is important but occurs later; it's not integrated into the development process early.

D

RASP is a runtime control, not typically integrated into the development phase.

E

WAF is a network security control, not a development practice.

48
MCQmedium

A security analyst discovers that a web application is vulnerable to directory traversal. Which of the following is the MOST effective mitigation?

A.Whitelist of allowed file paths
B.Encrypting all files on the server
C.Chroot jail
D.Input validation that rejects paths containing '..'
AnswerA

A whitelist ensures only explicitly permitted files are served, regardless of traversal attempts.

Why this answer

Using a whitelist of allowed file paths ensures only intended files can be accessed, eliminating traversal attempts. Input validation rejecting '..' can be bypassed with encoding. Chroot jail limits scope but may not cover all scenarios.

Encryption does not prevent traversal.

49
MCQmedium

A security architect is designing a secure coding standard for a web application. Which of the following should be prioritized to mitigate cross-site scripting (XSS) risks?

A.Input validation
B.Output encoding
C.Secure cookies
D.Parameterized queries
AnswerB

Output encoding converts special characters to HTML entities, preventing script execution in the browser.

Why this answer

Output encoding is the most direct mitigation for XSS, as it ensures user input is rendered as data, not executable code. Input validation and parameterized queries address other vulnerabilities, while secure cookies help with session hijacking.

50
Matchingmedium

Match each security feature to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Trust relationships between identity providers

Controls and monitors admin accounts

Restricts access based on physical location

Obfuscates sensitive data in non-production environments

Replaces sensitive data with non-sensitive placeholders

Why these pairings

These features are covered in identity and access management and data protection domains.

51
MCQhard

Refer to the exhibit. A security analyst is reviewing the Nginx configuration. Which of the following is the most critical security flaw?

A.The SSL certificate key file is readable by all users (assuming default permissions)
B.The proxy_pass uses HTTP internally, which is not encrypted
C.The /api location does not have any access restrictions, exposing internal API
D.The /admin location restricts access by IP only, which can be bypassed by IP spoofing
AnswerC

Without any allow/deny directives, the /api endpoint is accessible to anyone who can reach the server, which could include external attackers.

Why this answer

Option C is correct because the /api location has no access restrictions, potentially exposing internal API services to unauthorized external access. Option A is a concern but not directly indicated. Option B is partially true but IP restriction is a valid control; however, the lack of restriction on /api is more critical.

Option D is common for internal traffic.

52
Multi-Selectmedium

A company is migrating its monolithic application to a microservices architecture. The security team wants to implement controls to protect inter-service communication and ensure data integrity. Which THREE security controls should be implemented? (Select THREE.)

Select 2 answers
A.Encrypt data at rest using AES-256
B.Deploy an API gateway to enforce rate limiting and authentication
C.Implement mutual TLS (mTLS) for service-to-service authentication
D.Use a container orchestration platform to manage service discovery
E.Conduct static code analysis on all microservices
AnswersB, C

An API gateway centralizes security enforcement for microservices.

Why this answer

Mutual TLS ensures both services authenticate each other. An API gateway provides a central point for enforcing security policies. Static code analysis is a development-time control, not runtime.

Data encryption at rest protects stored data, not inter-service communication. Container orchestration is a management tool, not a direct security control for inter-service communication.

53
MCQeasy

Which of the following is the BEST practice for securely storing secrets (e.g., database passwords) in a cloud-native application?

A.Embed the secrets in the application's source code
B.Store them in environment variables
C.Use a secrets management service with encryption and access policies
D.Store them in a configuration file with restricted file permissions
AnswerC

Why this answer

Option C is correct because cloud-native applications should rely on a dedicated secrets management service (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) that encrypts secrets at rest and in transit, enforces fine-grained access policies via IAM, and supports automatic rotation. This approach decouples secrets from code and infrastructure, eliminating the risks of exposure through version control, logs, or misconfigured permissions.

Exam trap

Cisco often tests the misconception that environment variables are a secure storage method because they are not in source code, but the trap is that they are still plaintext and accessible via runtime introspection, logging, or orchestration APIs, lacking the encryption and access control of a dedicated secrets manager.

Why the other options are wrong

A

Hardcoding secrets exposes them in version control and to anyone with code access.

B

Environment variables can be leaked through debugging interfaces or process listings; they are not encrypted.

D

File permissions can be bypassed; configuration files are often not encrypted.

54
MCQhard

During a security assessment, a tester finds that a web application accepts user input and directly uses it in an LDAP query without sanitization. Which of the following attacks is most likely to be successful?

A.Cross-site scripting
B.SQL injection
C.Remote file inclusion
D.LDAP injection
AnswerD

LDAP injection occurs when user input is improperly concatenated into LDAP queries.

Why this answer

Option C is correct because unsanitized input in an LDAP query leads to LDAP injection. Option A (SQL injection) applies to SQL queries. Option B (XSS) applies to output in web pages.

Option D (remote file inclusion) is for file inclusion vulnerabilities.

55
MCQeasy

Which security issue is addressed by this configuration?

A.Enables server-side includes
B.Prevents directory listing
C.Blocks access to all files
D.Enables CGI execution
AnswerB

`-Indexes` explicitly disables directory listing.

Why this answer

The `-Indexes` option disables directory listing, preventing visitors from seeing the contents of a directory if no index file is present. `AllowOverride None` disables .htaccess overrides, and `Allow from all` permits access.

56
Multi-Selecthard

Which TWO of the following are effective defenses against Server-Side Request Forgery (SSRF) attacks? (Select TWO.)

Select 2 answers
A.Whitelist allowed outbound IP addresses and domains
B.Use a web application firewall (WAF) to block SSRF signatures
C.Enforce strict referrer headers on requests
D.Disable unused URL schemes (e.g., file://, dict://)
E.Implement input validation on all user-supplied URLs
AnswersA, D

Restricting outbound connections to known safe destinations prevents the server from making requests to internal or malicious hosts.

Why this answer

Options A and B are correct. Whitelisting allowed outbound destinations (A) and disabling unused URL schemes (B) are direct defenses. Option C (input validation) is helpful but can be bypassed.

Option D (WAF) is signature-based and not a primary defense. Option E (referrer headers) is not specific to SSRF.

57
Multi-Selecteasy

Which two are best practices for securing Docker container images? (Select TWO.)

Select 2 answers
A.Use multi-stage builds to reduce image size
B.Store images on a public registry for easy sharing
C.Use the latest tag for base images
D.Run containers as a non-root user
E.Scan images for known vulnerabilities before deployment
AnswersD, E

Non-root containers limit the impact of a compromise.

Why this answer

Options B (Run containers as non-root) and C (Scan images for vulnerabilities) are correct. Option A (Use latest tag) is insecure as it can change unexpectedly. Option D (Store on public registry) exposes images.

Option E (Multi-stage builds) is a good practice but not primarily about security; however, it reduces attack surface, so it could be considered. But to align with standard best practices, B and C are more direct. Option E reduces attack surface but is often considered a build optimization that also helps security.

However, the most common security best practices are run as non-root and vulnerability scanning. So I'll stick with B and C.

58
MCQeasy

Refer to the exhibit. A security review is being conducted on the Python application configuration. Which of the following security issues is present?

A.The DB_CONNECTION environment variable is missing a default value
B.The default database connection is SQLite, which is insecure for production
C.The code does not handle the case where API_KEY is not set, potentially causing an error
D.The API key is stored in an environment variable, which is insecure
AnswerC

Using os.environ with no default will raise an exception if the variable is missing, which can lead to information disclosure or denial of service.

Why this answer

Option D is correct because os.environ['API_KEY'] will raise a KeyError if the environment variable is not set, causing the application to crash and potentially reveal error messages. Option A (environment variables are insecure) is false; they are a standard method. Option B (missing default) is false because getenv provides a default.

Option C (SQLite insecure) is not necessarily true and not the immediate issue.

59
Multi-Selectmedium

A company is adopting a serverless architecture using AWS Lambda. Which of the following are security concerns specific to serverless functions? (Select TWO.)

Select 2 answers
A.Insecure deserialization of function input
B.Event injection via malformed input
C.Container escape vulnerabilities
D.Overly permissive IAM roles assigned to the function
E.SQL injection in the database
AnswersB, D

Why this answer

Event injection via malformed input (B) is a specific serverless security concern because AWS Lambda functions are triggered by events from sources like API Gateway, S3, or DynamoDB Streams. An attacker can craft malicious input that exploits the function's event-handling logic, leading to unintended execution paths or data corruption. This differs from traditional injection attacks because the event structure itself can be manipulated to bypass validation.

Exam trap

CompTIA often tests the misconception that serverless functions are immune to injection attacks because they are 'stateless' or 'event-driven,' but the trap here is that event injection is a distinct attack vector where the event structure itself is the injection surface, not just the data within it.

Why the other options are wrong

A

A general web vulnerability, not specific to serverless.

C

Serverless functions run in isolated containers, but escape is more relevant to traditional containers.

E

A general web vulnerability, not specific to serverless.

60
MCQhard

A security architect is evaluating a web application that uses JSON Web Tokens (JWTs) for authentication. The application uses an RSA256 asymmetric signing algorithm. The architect discovers that the JWT library accepts tokens with the algorithm set to 'none' if the public key is not provided during verification. Which of the following attacks is most likely to succeed if the application does not enforce algorithm validation?

A.Algorithm confusion (key confusion) attack where the attacker uses the public key as an HMAC secret
B.Signature exclusion attack using the 'none' algorithm
C.Timing attack to brute-force the private key
D.Header injection attack to modify the JWT header
AnswerB

Why this answer

Option B is correct because the JWT library accepts tokens with the algorithm set to 'none' when the public key is not provided during verification. This allows an attacker to forge a JWT with the 'none' algorithm, bypassing signature verification entirely. The attack succeeds because the application fails to enforce a whitelist of allowed algorithms, as recommended by RFC 7518.

Exam trap

Cisco often tests the distinction between algorithm confusion attacks (which involve key reuse) and signature exclusion attacks (which exploit the 'none' algorithm), and the trap here is that candidates confuse the 'none' algorithm vulnerability with the more complex key confusion attack described in option A.

Why the other options are wrong

A

This attack targets libraries that use the same key for both HMAC and RSA, but the scenario describes a library that accepts 'none' algorithm, not HMAC.

C

Timing attacks target side-channel leakage, not algorithm validation bypass.

D

Header injection is about modifying headers in requests, not exploiting JWT algorithm handling.

61
MCQhard

During a penetration test, a tester finds that an application uses server-side sessions with predictable session IDs. Which attack is this vulnerability most likely to facilitate?

A.Session fixation
B.Clickjacking
C.Session hijacking
D.CSRF
AnswerC

With predictable session IDs, an attacker can obtain a valid session and impersonate the user.

Why this answer

Predictable session IDs allow an attacker to guess or brute-force valid session tokens, leading to session hijacking. Session fixation requires the attacker to set a known session ID, not predict. CSRF and clickjacking exploit user actions, not session prediction.

62
MCQmedium

A company runs a containerized application in a Kubernetes cluster. After a penetration test, the security team found that several containers are running with root privileges and have unnecessary packages installed. To reduce the attack surface, the team wants to enforce least privilege and minimize the software footprint. Which action should be taken first to address these findings?

A.Apply SELinux labels to restrict container capabilities
B.Rebuild the container images using minimal base images and remove unnecessary packages
C.Configure the containers to run as non-root user and use read-only filesystems
D.Implement network policies to limit lateral movement between pods
AnswerB

Minimal images reduce attack surface by eliminating unnecessary components.

Why this answer

Using minimal base images (e.g., Alpine or distroless) reduces the attack surface by removing unnecessary tools and libraries. Option B is incorrect because running containers as non-root is important but does not address unnecessary packages. Option C is incorrect because read-only filesystems improve security but do not reduce the number of packages.

Option D is incorrect because network policies control traffic but not container privileges or packages.

63
MCQmedium

A developer is using a third-party library with a known vulnerability. The vulnerability has a CVSS score of 9.8 and an exploit is publicly available. Which of the following is the most immediate course of action?

A.Update the library to the patched version if available
B.Contact the vendor for a patch
C.Remove the library and rewrite functionality
D.Implement a WAF rule to block exploitation
AnswerA

Updating to the latest patched version directly removes the vulnerability.

Why this answer

Option D is correct because updating to the patched version is the most immediate and effective fix. Option A (WAF rule) is a workaround, not a fix. Option B (contact vendor) delays, and a patch may already exist.

Option C (rewrite) is too drastic if a patch is available.

64
MCQeasy

A developer is writing a mobile app that stores sensitive user data locally on the device. Which is the best practice for protecting the data at rest?

A.Use SQLite without encryption
B.Use the device's keychain/keystore with encryption
C.Store data in a remote database only
D.Store data in plain XML files
AnswerB

Keychain/keystore uses hardware-backed encryption for secure local storage.

Why this answer

Option A is correct because using the device's keychain/keystore provides encrypted storage. Option B (plain XML) is insecure; Option C (SQLite without encryption) exposes data; Option D (remote database only) prevents offline access and may not be feasible.

65
MCQhard

A financial institution manages customer data through a web application built on a LAMP stack. The application uses a third-party library for PDF generation that was patched last year. Recently, the security team discovered that an attacker exploited an unpatched vulnerability in the library to execute arbitrary code on the server. The library vendor has released an update, but the development team is concerned that updating the library will break several custom features that rely on its internal API. The CIO wants to minimize risk while maintaining business continuity. The application is critical to daily operations, and any downtime would result in significant revenue loss. Which course of action should the security analyst recommend?

A.Disable the PDF generation feature entirely until the library can be updated in the next quarterly release
B.Deploy a virtual private network (VPN) for all access to the server and restrict input to only trusted IPs
C.Implement a web application firewall (WAF) with a custom rule to block known attack patterns against the library, and then schedule the patch for the next maintenance window
D.Immediately apply the vendor's patch and then test all features in a staging environment for a month before production rollout
AnswerC

WAF provides virtual patching to block exploits while the team tests the update.

Why this answer

Option C is correct because deploying a WAF with custom rules provides virtual patching, reducing risk immediately while allowing time for thorough testing of the library update. Option A (immediate patch) could break features without adequate testing. Option B (VPN) does not address the vulnerability.

Option D (disable PDF generation) removes functionality, impacting business operations.

66
MCQmedium

A security engineer is configuring a web application firewall (WAF) for an e-commerce site. The application uses JSON APIs for all transactions. Which WAF mode provides the best protection against injection attacks while minimizing false positives?

A.Anomaly detection and learning mode
B.Positive security model with strict API schema validation
C.Passive mode for monitoring only
D.Negative security model with a large rule set
AnswerB

Only allows traffic that matches expected schema, effectively preventing injections.

Why this answer

Option C (Positive security model) is correct because it whitelists allowed inputs, reducing false positives. Option A (Negative) blocks known attacks but can generate false positives. Option B (Learning) helps but may not be fully protective.

Option D (Off) provides no protection.

67
Multi-Selecteasy

Which TWO of the following are best practices for securing a database that stores personally identifiable information (PII)? (Select TWO.)

Select 2 answers
A.Encrypt data at rest using AES-256
B.Use default admin credentials for easy access
C.Enable audit logging for all queries
D.Store all data in plaintext for performance
E.Implement role-based access control (RBAC)
AnswersA, E

Encryption protects data confidentiality even if storage media is compromised.

Why this answer

Options A and C are correct. Encrypting data at rest (A) and implementing role-based access control (C) are fundamental security controls. Option B (default admin credentials) is insecure.

Option D (plaintext storage) is prohibited by regulations. Option E (audit logging) is important but not as directly focused on data protection as encryption and access control.

68
MCQeasy

A company is deploying a RESTful API that handles sensitive financial data. Which of the following should be implemented to ensure data integrity during transmission?

A.TLS 1.3
B.Input validation
C.JSON Web Token (JWT) authentication
D.API rate limiting
AnswerA

TLS encrypts the entire session and ensures data integrity via MACs.

Why this answer

Option C is correct because TLS 1.3 provides encryption and integrity for data in transit. Option A (input validation) is for application-level input. Option B (rate limiting) protects against DoS.

Option D (JWT) is for authentication, not transmission integrity.

69
Multi-Selecthard

Which three measures should be implemented to secure a RESTful API? (Select THREE.)

Select 3 answers
A.Use JSONP for cross-origin requests
B.Implement proper error handling that does not expose stack traces
C.Disable rate limiting to ensure availability
D.Validate all input against a strict schema
E.Use OAuth2 with scopes for authorization
AnswersB, D, E

Generic error messages prevent information leakage.

Why this answer

Options A (OAuth2 with scopes), C (Validate all input), and E (Proper error handling without stack traces) are correct. Option B (Disable rate limiting) lowers security. Option D (Use JSONP) introduces cross-origin risks.

70
MCQmedium

Refer to the exhibit. Which security issue does this S3 bucket policy present?

A.The bucket allows anonymous GET operations from any IP
B.The bucket policy is too restrictive
C.The bucket allows anonymous PUT operations from any source
D.The bucket is not encrypted
AnswerC

The second statement permits any principal to put objects without an IP condition.

Why this answer

Option A is correct because the second statement allows anonymous PUT without any IP restriction, meaning anyone can upload objects to the bucket. Option B is incorrect because the GET action is restricted to the specified IP range. Options C and D are not indicated by the policy.

71
MCQeasy

Which of the following is a primary purpose of using code signing for application deployment?

A.To encrypt the application code
B.To verify the integrity and authenticity of the code
C.To prevent reverse engineering
D.To speed up application deployment
AnswerB

Why this answer

Code signing uses a digital signature (typically RSA or ECDSA) to bind the publisher's identity to the code. The primary purpose is to verify both the integrity (the code has not been tampered with) and the authenticity (the code comes from a trusted source) before deployment. This is achieved by hashing the code and signing the hash with the publisher's private key; the recipient verifies the signature using the publisher's public certificate.

Exam trap

Cisco often tests the misconception that code signing provides encryption or obfuscation, when in fact it only provides integrity and authenticity verification without hiding the code content.

Why the other options are wrong

A

Encryption is for confidentiality; code signing does not encrypt the code.

C

Code signing does not prevent reverse engineering; obfuscation or other techniques are used for that.

D

Code signing adds overhead, not speed.

72
MCQmedium

An application uses a relational database and constructs SQL queries by concatenating user input. Which secure coding practice should be implemented to mitigate SQL injection?

A.Use stored procedures exclusively
B.Escape all user input with a database-specific escaping function
C.Implement parameterized queries / prepared statements
D.Use an ORM (Object-Relational Mapping) framework
AnswerC

Why this answer

Parameterized queries (prepared statements) separate SQL logic from user data by using placeholders (e.g., `?` in MySQLi or `:param` in PDO). The database driver automatically escapes the input values, ensuring they are treated as data, not executable code. This directly prevents SQL injection because the query structure is fixed before user input is bound.

Exam trap

Cisco often tests the misconception that stored procedures or ORMs are inherently safe, but the trap is that both can still be vulnerable if they allow dynamic SQL construction or raw query execution without parameterization.

Why the other options are wrong

A

Stored procedures can still be vulnerable if dynamic SQL is used within them.

B

Escaping is error-prone and not as reliable as parameterized queries.

D

ORMs can reduce risk but may still generate dynamic SQL if not used carefully.

73
MCQhard

During a security review, a developer discovers that a containerized application runs with root privileges. Which of the following is the most secure approach to mitigate this risk while maintaining functionality?

A.Set the container to run as a non-root user and drop all unnecessary capabilities
B.Disable root login inside the container by modifying /etc/passwd
C.Use a read-only root filesystem for the container
D.Enable SELinux or AppArmor on the host
AnswerA

Why this answer

Running a container as a non-root user with dropped capabilities is the most secure approach because it follows the principle of least privilege. By default, containers run as root, which grants unnecessary kernel capabilities that could be exploited for privilege escalation. Setting a non-root user and using `--cap-drop=ALL` with selective `--cap-add` ensures the application retains only required permissions, reducing the attack surface without breaking functionality.

Exam trap

Cisco often tests the misconception that disabling root login or using filesystem restrictions (read-only) is sufficient, when the real risk is the container process running as UID 0 with full capabilities, which requires explicit user context and capability dropping to mitigate.

Why the other options are wrong

B

Disabling root login does not prevent the container process from running as root; the process still has root privileges.

C

A read-only filesystem limits writes but does not reduce privileges; the container still runs as root.

D

These are mandatory access control mechanisms that can confine a process, but they do not directly address the root privilege issue; combining with non-root user is better.

74
Multi-Selecthard

Which THREE of the following are essential components of a secure software development lifecycle (SSDLC)?

Select 3 answers
A.Continuous deployment
B.Static application security testing (SAST)
C.Code signing
D.Threat modeling
E.Penetration testing
AnswersB, D, E

SAST analyzes source code for vulnerabilities during the development phase.

Why this answer

Threat modeling identifies risks early; SAST automates code scanning for vulnerabilities; penetration testing validates security controls. Code signing ensures integrity but is not a core SSDLC process; continuous deployment is a DevOps practice, not a security activity.

Ready to test yourself?

Try a timed practice session using only Application Environment Configuration And Security questions.