CAS-004 · topic practice

Security Engineering practice questions

Practise CompTIA SecurityX CAS-004 Security Engineering practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Engineering

What the exam tests

What to know about Security Engineering

Security Engineering questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Engineering exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Engineering questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A security architect is designing a VPN solution for remote employees. The company requires strong authentication and integrity protection but is less concerned about confidentiality for non-sensitive traffic. Which protocol is most appropriate?

A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?

An organization wants to implement a hardware security module (HSM) to protect cryptographic keys. Which of the following is a primary benefit of using an HSM?

Question 4 · medium · multiple choice

A network administrator is configuring a firewall to block traffic from a specific IP address range. The firewall uses ACLs. Which ACL entry would deny traffic from 192.168.1.0/24?

A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?

Which TWO of the following are valid methods for securing REST APIs? (Select TWO.)

Which THREE of the following are common vulnerabilities in IoT devices? (Select THREE.)

A security analyst is reviewing an AppArmor profile for an application. Based on the exhibit, which action would the application be denied?

Exhibit

Refer to the exhibit.

```
# AppArmor Profile: /usr/bin/somebin
#include <tunables/global>

profile somebin /usr/bin/somebin {
  capability dac_override,
  network inet dgram,
  /etc/config/* r,
  /var/log/app.log w,
}
```

A network administrator is troubleshooting connectivity issues. Based on the exhibit, which of the following is true about the iptables rules?

Exhibit

Refer to the exhibit.

```
# iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   eth1    10.0.1.0/24          0.0.0.0/0            state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            10.0.1.0/24          state ESTABLISHED
```

Question 10 · medium · multiple choice

A company is designing a new data center with high availability requirements. The network team proposes using virtualized network functions (VNFs) on commodity hardware to reduce costs. Which security consideration is MOST important when implementing this design?

A security engineer is hardening a Linux web server. The team requires that the web server process cannot run with root privileges and that any file it writes must have minimal permissions. Which two controls should be implemented together? (Select TWO.)

An organization wants to implement a solution that ensures data cannot be read if a storage device is physically stolen. Which encryption approach BEST meets this requirement?

A network administrator is configuring a firewall rule set. The requirement is to allow inbound HTTPS traffic from the internet to a web server at 10.1.1.10, and to allow the web server to respond. All other inbound traffic should be blocked. Which rule set accomplishes this?

A security analyst reviews logs from a web application firewall (WAF) and notices that an attacker is bypassing the WAF by encoding malicious payloads using base64 and then sending them in HTTP headers. Which WAF configuration change would BEST detect and block such attacks?

Which TWO of the following are considered secure design principles for cryptographic systems?

Which THREE of the following are common techniques to mitigate side-channel attacks?

An administrator runs the iptables command shown in the exhibit on a Linux server. The server is directly connected to the internet. Which of the following is the MOST significant security issue with this configuration?

Exhibit

Refer to the exhibit.

```
# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

A security engineer is reviewing an S3 bucket policy for a bucket named 'corporate-data'. The policy is shown. Which of the following describes a vulnerability in this configuration?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::corporate-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::corporate-data/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 19 · easy · multiple choice

A security architect is designing a web application that handles sensitive customer data. The application must ensure that if one server is compromised, the attacker cannot access the private keys used for TLS termination. Which of the following approaches best meets this requirement?

A security engineer needs to implement a solution that will detect and block command-and-control (C2) traffic from malware on the internal network. The solution must be able to inspect encrypted traffic and operate at the network layer. Which of the following is the BEST choice?


Frequently asked questions

What does the CAS-004 exam test about Security Engineering?
Security Engineering questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Engineering questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Engineering domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CAS-004 topics?
Use the topic links above to move to related areas, or go back to the CAS-004 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CAS-004 exam covers. They are not copied from any real exam or dump site.