CCNA CCSP App Security Questions

75 of 84 questions · Page 1/2 · CCSP App Security topic

Question 1 (MCQ, hard)

A company uses a private artifact registry for internal packages. An attacker publishes a malicious package with the same name as an internal package to a public registry. Which attack is being described?

A. Dependency confusion attack
B. Supply chain poisoning
C. Typosquatting
D. Man-in-the-middle attack

Answer: A

This attack exploits package managers that default to public registries over private ones.

Why this answer

This is a dependency confusion attack, where an attacker uploads a malicious package to a public registry (e.g., npm, PyPI, Maven Central) using the same name as a private package used internally by the target organization. When a build system or developer's package manager is configured to check public registries first (or as a fallback), it may download the attacker's malicious version instead of the legitimate internal package, leading to code execution or data exfiltration.

Exam trap

Cisco often tests the distinction between 'dependency confusion' and 'supply chain poisoning' by making them sound similar, but dependency confusion is a specific subtype where the attacker exploits name collision between public and private registries, not a generic compromise of the supply chain.

How to eliminate wrong answers

Option B (Supply chain poisoning) is wrong because supply chain poisoning is a broader category that includes any compromise of the software supply chain (e.g., injecting malicious code into a legitimate package, compromising build servers), not specifically the act of publishing a package with the same name as an internal one to a public registry. Option C (Typosquatting) is wrong because typosquatting relies on a user mistyping a package name (e.g., 'requsts' instead of 'requests'), not on the exact same name as an internal package. Option D (Man-in-the-middle attack) is wrong because a MITM attack intercepts network traffic between the client and registry (e.g., via ARP spoofing or rogue TLS proxy), not by publishing a package to a public registry.

Question 2 (MCQ, medium)

An API endpoint returns user profile data including fields like 'credit_card_number' even when the client application does not need it. Which OWASP API security risk does this represent?

A. Injection
B. Broken Object Level Authorization
C. Mass Assignment
D. Excessive Data Exposure

Answer: D

The API returns unnecessary sensitive data, a common API vulnerability.

Why this answer

Option D is correct because the API returns sensitive data (credit_card_number) that the client application does not need, violating the principle of least data exposure. This is a classic Excessive Data Exposure risk (OWASP API Security Top 10 #3), where the server trusts the client to filter the response rather than limiting the fields returned based on the client's actual authorization or need.

Exam trap

Cisco often tests the distinction between Excessive Data Exposure and Mass Assignment, where candidates mistakenly choose Mass Assignment because both involve 'extra data,' but Mass Assignment specifically applies to write operations (e.g., PUT/POST) where an attacker modifies fields they shouldn't, not to read responses.

How to eliminate wrong answers

Option A is wrong because Injection (e.g., SQL, NoSQL, OS command) involves untrusted data being sent to an interpreter as part of a command or query, not the passive return of unnecessary fields in a response. Option B is wrong because Broken Object Level Authorization (BOLA) deals with an attacker accessing objects (e.g., user profiles) they should not have permission to view, not the server returning extra fields within an authorized response. Option C is wrong because Mass Assignment (also known as Autobinding) occurs when user-supplied input is bound to internal object properties without proper filtering, typically in create/update operations, not in a read-only response that simply includes extra fields.

Question 3 (MCQ, medium)

A DevOps team is implementing a CI/CD pipeline for a cloud application. They want to automatically scan source code for security vulnerabilities before building the application. Which type of scanning should they integrate?

A. Interactive Application Security Testing (IAST)
B. Dynamic Application Security Testing (DAST)
C. Static Application Security Testing (SAST)
D. Runtime Application Self-Protection (RASP)

Answer: C

SAST scans source code or binaries and is typically integrated early in the pipeline.

Why this answer

Static Application Security Testing (SAST) analyzes source code or binaries for security vulnerabilities without executing the application, making it suitable for early integration in CI/CD.

Question 4 (Multi-Select, medium)

Which THREE of the following are effective measures to prevent unauthorized access to cloud storage buckets? (Select THREE)

A. Enabling bucket versioning
B. Enabling 'Block all public access' settings
C. Enabling server-side encryption
D. Requiring IAM authentication for all access
E. Setting bucket ACLs to 'private'

Answers: B, D, E

Blocking public access prevents unintended exposure.

Why this answer

Private ACLs (or bucket policy denying public access), enabling block public access settings, and requiring IAM authentication limit access to authorized entities. Versioning and encryption help with data protection but don't prevent unauthorized access.

Question 5 (MCQ, medium)

A developer accidentally commits AWS access keys to a public GitHub repository. Which tool would be most effective in detecting this secret exposure?

A. Terraform
B. GitGuardian
C. npm audit
D. tfsec

Answer: B

GitGuardian detects secrets in Git history and commits.

Why this answer

GitGuardian is a tool specifically designed to detect secrets (like AWS keys) committed to code repositories. It monitors for hardcoded credentials and alerts.

Question 6 (Multi-Select, medium)

A cloud security team is implementing a DevSecOps pipeline. Which TWO of the following are examples of shift-left security practices? (Select two.)

A. Conducting penetration testing after deployment
B. Scanning Infrastructure as Code with Checkov before deployment
C. Performing Dynamic Application Security Testing (DAST) on a running application
D. Running Static Application Security Testing (SAST) during code commit
E. Implementing Runtime Application Self-Protection (RASP) in production

Answers: B, D

IaC scanning catches misconfigurations before resources are created.

Why this answer

Shift-left integrates security early in the SDLC. IaC scanning and SAST are performed before deployment, while DAST and RASP belong to later stages. Threat modeling is also an early practice, but it is not among the options listed.

Question 7 (MCQ, medium)

During a code review, a developer discovers hardcoded AWS access keys in a configuration file that was committed to the repository. Which tool is specifically designed to detect such secrets in code repositories?

A. GitGuardian
B. tfsec
C. Checkov
D. Snyk

Answer: A

GitGuardian detects secrets in code repositories, including hardcoded cloud credentials.

Why this answer

GitGuardian is a tool that scans repositories for hardcoded secrets like API keys and credentials, helping prevent credential leakage.

Question 8 (MCQ, medium)

A developer configures an AWS S3 bucket to allow public access by setting a bucket policy that grants 's3:GetObject' to 'Principal: *'. Which vulnerability does this introduce?

A. Mass assignment
B. SSRF vulnerability
C. Exposed S3 bucket
D. Over-permissive IAM

Answer: C

A bucket policy granting access to all principals (Principal: *) makes the bucket publicly readable.

Why this answer

Exposing an S3 bucket to anonymous access allows anyone to read objects, leading to data exposure. This is a common cloud misconfiguration.

Question 9 (MCQ, hard)

During a threat modeling session for a cloud application, the team identifies a risk where an attacker could trick the application into making HTTP requests to the cloud metadata endpoint (e.g., http://169.254.169.254). What is the most critical impact of this attack?

A. Denial of service to the metadata service
B. Modification of the cloud instance's configuration
C. Retrieval of temporary IAM credentials for the instance
D. Exposure of the application's source code

Answer: C

SSRF to the metadata endpoint can return IAM role credentials.

Why this answer

Server-Side Request Forgery (SSRF) to the cloud metadata endpoint can retrieve IAM credentials, granting the attacker access to cloud resources.

Question 10 (MCQ, medium)

A cloud application allows users to upload profile pictures. The application stores the files in an S3 bucket with public read access. An attacker uploads a malicious script that executes when other users view the image. Which type of attack is this?

A. SQL Injection
B. Mass Assignment
C. Stored Cross-Site Scripting (XSS)
D. Server-Side Request Forgery (SSRF)

Answer: C

Malicious script stored in S3 and served to users is stored XSS.

Why this answer

This is a stored cross-site scripting (XSS) attack where malicious content is uploaded and later served to other users. The public bucket enables the attacker to host the script and deliver it to victims.

Question 11 (Multi-Select, hard)

A security team is implementing a DevSecOps pipeline for a cloud-native application. Which three practices should be included to enhance application security? (Choose THREE.)

A. Static application security testing (SAST) in CI/CD
B. Infrastructure as code (IaC) scanning
C. Dependency scanning for open source components
D. Manual penetration testing only at final stage
E. Runtime application self-protection (RASP) deployment

Answers: A, B, C

SAST scans source code early in the pipeline.

Why this answer

Shift-left security involves integrating security early in the pipeline. SAST scans source code for vulnerabilities, IaC scanning detects misconfigurations before deployment, and dependency scanning flags open source components with known vulnerabilities before they are built into the application.

These three are key DevSecOps practices.

Question 12 (MCQ, hard)

A security engineer is reviewing a Terraform configuration and wants to prevent deployment of an S3 bucket with public read access. Which IaC scanning tool is best suited for this task?

A. Checkov
B. GitGuardian
C. Snyk
D. Dependabot

Answer: A

Checkov scans Terraform, CloudFormation, etc. for security misconfigurations.

Why this answer

Checkov is a popular tool for scanning Infrastructure as Code (e.g., Terraform) for misconfigurations before deployment.

Question 13 (Multi-Select, medium)

Which TWO of the following are effective methods for preventing hardcoded credentials from being committed to a cloud application's source code repository? (Select TWO)

A. Implementing pre-commit hooks with secret scanning
B. Disabling SSH keys for developers
C. Enforcing code reviews by senior developers
D. Encrypting the entire repository
E. Using environment variables instead of hardcoding

Answers: A, E

Pre-commit hooks can scan for secrets before commit.

Why this answer

Pre-commit hooks with secret scanning (Option A) automatically scan code for patterns matching credentials (e.g., AWS access keys, passwords) before a commit is finalized. Tools like GitLeaks or TruffleHog integrate into the local Git workflow, blocking commits that contain secrets and preventing them from ever reaching the remote repository.

Exam trap

Cisco often tests the distinction between preventive controls (pre-commit hooks, environment variables) and detective/reactive controls (code reviews, encryption) to see if candidates understand that only proactive measures can stop secrets from entering the repository in the first place.

Question 14 (MCQ, easy)

What is the primary purpose of a Software Bill of Materials (SBOM) in cloud application security?

A. To list all third-party components and dependencies
B. To track user access permissions
C. To monitor runtime application performance
D. To document the software architecture

Answer: A

SBOM provides a comprehensive inventory for vulnerability management.

Why this answer

The primary purpose of a Software Bill of Materials (SBOM) is to provide a formal, machine-readable inventory of all third-party components, libraries, and dependencies used in a cloud application. This enables automated vulnerability scanning, license compliance checks, and supply chain risk management, which are critical for securing cloud-native applications against known exploits in transitive dependencies.

Exam trap

Cisco often tests the distinction between an SBOM and a software architecture document, leading candidates to mistakenly choose 'document the software architecture' because both involve listing components, but an SBOM is exclusively about third-party dependencies and their provenance, not the application's internal design or structure.

How to eliminate wrong answers

Option B is wrong because tracking user access permissions is the function of Identity and Access Management (IAM) systems, not an SBOM. Option C is wrong because monitoring runtime application performance is the role of Application Performance Monitoring (APM) tools, not an SBOM. Option D is wrong because documenting the software architecture is typically done through architectural diagrams or design documents, while an SBOM focuses specifically on component inventory and dependency relationships.

Question 15 (MCQ, easy)

Which of the following is a cloud-specific vulnerability that can lead to exposure of IAM credentials through the metadata service?

A. SQL injection
B. SSRF to metadata endpoint
C. Insecure deserialization
D. Cross-site scripting (XSS)

Answer: B

SSRF to cloud metadata is a cloud-specific attack vector.

Why this answer

Server-Side Request Forgery (SSRF) that targets the cloud metadata endpoint (e.g., http://169.254.169.254) can retrieve IAM credentials. This is a cloud-specific issue.

Question 16 (Multi-Select, medium)

A cloud security engineer is reviewing an AWS IAM policy that includes the following statement: 'Effect: Allow, Action: iam:*, Resource: *'. Which two security concerns does this configuration create? (Choose TWO.)

A. Over-permissive IAM role
B. Exposed S3 bucket
C. Hardcoded credentials
D. SSRF vulnerability
E. Privilege escalation risk

Answers: A, E

Assigning a role with iam:* to all resources gives excessive permissions.

Why this answer

The policy allows all IAM actions (iam:*) on all resources (*), which is over-permissive. It can lead to privilege escalation and unauthorized actions.

Question 17 (MCQ, hard)

A cloud application uses an IAM role with the policy "Action: s3:*" and "Resource: *". Which principle is violated?

A. Defense in depth
B. Fail secure
C. Separation of duties
D. Least privilege

Answer: D

Least privilege requires minimal necessary permissions; wildcard resources and actions violate this.

Why this answer

The policy grants full access to all S3 actions on all resources, violating the principle of least privilege. Wildcard permissions like s3:* and *:* are over-permissive.

Question 18 (MCQ, easy)

Which practice is essential for securing cloud application secrets such as database passwords and API tokens?

A. Store secrets in environment variables in the source code
B. Use a secrets management service like Vault or cloud secret manager
C. Encrypt secrets with a hardcoded key
D. Share secrets via encrypted email

Answer: B

Secrets managers provide secure storage, rotation, and access control.

Why this answer

Using a dedicated secrets manager like AWS Secrets Manager or HashiCorp Vault prevents hardcoding secrets in code.

Question 19 (Multi-Select, hard)

Which TWO of the following are effective measures to prevent dependency confusion attacks? (Select two.)

A. Using a software composition analysis (SCA) tool only after deployment
B. Pinning dependency versions in the package manager
C. Regularly updating all dependencies to the latest version
D. Using a private artifact registry with scoped package names
E. Configuring the package manager to only resolve from private registries

Answers: D, E

Scoped names (e.g., @company/package) avoid conflicts with public packages.

Why this answer

Using private registries with scoped packages and verifying package names help ensure only intended packages are used. Dependency pinning alone does not prevent confusion if the package is maliciously published with the same name.

Question 20 (MCQ, hard)

An attacker exploits a cloud application to make HTTP requests to an internal metadata service and retrieve temporary credentials. Which control would be most effective in preventing this attack?

A. Using signed URLs for all requests
B. Web Application Firewall (WAF) rules
C. Network-level egress filtering to block 169.254.169.254
D. Input validation on URL parameters

Answer: C

Blocking traffic to the metadata IP at the network layer prevents SSRF from reaching it.

Why this answer

Option C is correct because the attack exploits the cloud metadata service at the link-local address 169.254.169.254 (RFC 3927). Network-level egress filtering blocks outbound traffic to this IP, preventing the attacker from reaching the metadata service even if the application is compromised. This is a fundamental defense-in-depth control for cloud workloads.

Exam trap

Cisco often tests the distinction between inbound controls (WAF, input validation) and outbound controls (egress filtering) for SSRF attacks. The trap is that candidates assume a WAF or input validation can block internal requests, when only network-layer egress rules can stop the outbound connection to the metadata service.

How to eliminate wrong answers

Option A is wrong because signed URLs control access to specific resources (e.g., S3 objects) but do not prevent the application from making arbitrary HTTP requests to internal IPs like the metadata service. Option B is wrong because a WAF inspects incoming HTTP traffic for common web attacks (e.g., SQLi, XSS) but does not block outbound requests from the application to internal IPs; the attacker's exploit is an outbound server-side request, not an inbound attack. Option D is wrong because input validation on URL parameters can mitigate injection attacks but does not prevent the application from making requests to 169.254.169.254 if the attacker controls the request target via other means (e.g., SSRF via redirects or protocol smuggling).

Question 21 (Multi-Select, hard)

A cloud security architect is designing a DevSecOps pipeline for a multi-cloud environment. Which THREE practices should be included to ensure security is integrated early? (Select THREE)

A. Scanning dependencies for known vulnerabilities in the CI pipeline
B. Scanning container images after they are deployed to production
C. Running DAST against the production environment
D. Running IaC security scanning on Terraform templates before deployment
E. Performing SAST scans in the IDE or during pull requests

Answers: A, D, E

Dependency scanning early prevents vulnerable libraries from being used.

Why this answer

Option A is correct because scanning dependencies for known vulnerabilities (e.g., using OWASP Dependency-Check or Snyk) in the CI pipeline catches vulnerable libraries before they are built into artifacts. This is a 'shift-left' practice that prevents insecure components from reaching later stages, aligning with DevSecOps principles of early security integration.

Exam trap

Cisco often tests the concept of 'shift-left' by including late-stage security activities (like post-deployment scanning or production DAST) as distractors, tempting candidates who confuse 'security testing' with 'early integration'.

Question 22 (MCQ, medium)

An API allows users to access their own profile data by providing a user ID. However, an attacker can change the user ID parameter to access another user's data. Which OWASP API Security vulnerability is this?

A. Excessive Data Exposure
B. Mass Assignment
C. Broken User Authentication
D. Broken Object Level Authorization

Answer: D

BOLA/IDOR allows unauthorized access to objects by manipulating identifiers.

Why this answer

Broken Object Level Authorization (BOLA), also known as Insecure Direct Object Reference (IDOR), occurs when an API fails to verify that the user is authorized to access the object identified by the parameter.

Question 23 (MCQ, hard)

During a security audit, a cloud security architect discovers that an S3 bucket is configured with a bucket policy that allows 's3:GetObject' from any principal. What is the most likely risk?

A. Denial of service from excessive requests
B. Potential for data exfiltration by unauthorized users
C. Insufficient logging of access
D. Increased cost due to excessive write operations

Answer: B

Public read access allows anyone to download objects, leading to data exfiltration.

Why this answer

A bucket policy allowing 's3:GetObject' from any principal effectively makes the bucket publicly readable, exposing data to anyone on the internet. This is a common misconfiguration leading to data breaches.

Question 24 (MCQ, medium)

An API endpoint returns user profile details including email, phone, and address. The response includes fields that are not needed for the client application. Which OWASP API Security risk does this represent?

A. Mass Assignment
B. Broken Object Level Authorization
C. Excessive Data Exposure
D. Lack of Rate Limiting

Answer: C

The API returns more data than needed, violating the principle of least disclosure.

Why this answer

Excessive data exposure occurs when an API returns more data than necessary, increasing the risk of sensitive information leakage.

Question 25 (MCQ, easy)

Which cloud-specific vulnerability involves an attacker making a server-side request to the cloud metadata endpoint (e.g., 169.254.169.254) to retrieve temporary credentials?

A. Server-Side Request Forgery (SSRF)
B. Cross-Site Scripting (XSS)
C. Broken Object Level Authorization (BOLA)
D. SQL Injection

Answer: A

SSRF allows an attacker to trick the server into making requests to internal resources like metadata endpoints.

Why this answer

Server-Side Request Forgery (SSRF) attacks can target cloud metadata endpoints to obtain IAM credentials.

Question 26 (MCQ, easy)

Which of the following is a key practice for secure management of cloud credentials in application code?

A. Hardcode credentials in environment variables
B. Use IAM roles or managed identities
C. Store credentials in source code comments
D. Encrypt credentials with a static key in the codebase

Answer: B

IAM roles and managed identities provide temporary, automatically rotated credentials.

Why this answer

Option B is correct because using IAM roles or managed identities eliminates the need to embed long-term credentials in application code. This approach relies on temporary, automatically rotated credentials obtained via the cloud provider's metadata service (e.g., AWS IMDSv2, Azure Instance Metadata Service), which significantly reduces the risk of credential leakage and simplifies credential management.

Exam trap

Cisco often tests the misconception that environment variables are a secure alternative to hardcoding, but the trap is that environment variables are still plaintext and can be exposed through process listings, container orchestration tools, or misconfigured logging.

How to eliminate wrong answers

Option A is wrong because hardcoding credentials in environment variables still exposes them in plaintext within the environment, and they can be leaked through logs, debugging output, or container image layers. Option C is wrong because storing credentials in source code comments is a severe security risk, as comments are often included in version control and can be read by anyone with repository access. Option D is wrong because encrypting credentials with a static key in the codebase is fundamentally flawed; the static key itself must be stored somewhere, creating a circular security problem where the key is as vulnerable as the credentials it protects.

Question 27 (MCQ, hard)

An attacker publishes a malicious package to a public registry using the same name as an internal package used by a cloud application. This is known as:

A. Cross-site scripting (XSS)
B. Man-in-the-middle attack
C. Dependency confusion attack
D. Supply chain poisoning

Answer: C

This attack leverages naming conflicts between internal and public packages.

Why this answer

Dependency confusion attacks exploit package managers that prioritize public registries over private ones, allowing malicious packages to be installed.

Question 28 (Multi-Select, medium)

A cloud security architect is implementing a CI/CD pipeline for a containerized application on AWS. Which TWO practices should be integrated to enforce container image security?

A. Implement runtime application self-protection (RASP)
B. Scan container images for vulnerabilities before push to registry
C. Use a cloud WAF to protect the containerized application
D. Sign container images to ensure integrity
E. Run SAST on the application source code

Answers: B, D

Pre-registry scanning catches vulnerabilities early.

Why this answer

Option B is correct because scanning container images for vulnerabilities before pushing them to a registry is a critical shift-left security practice. It ensures that known Common Vulnerabilities and Exposures (CVEs) in base images or application dependencies are detected and remediated early in the CI/CD pipeline, preventing insecure images from being deployed. Tools like Trivy, Clair, or AWS ECR image scanning integrate directly into the pipeline to enforce this policy.

Exam trap

Cisco often tests the distinction between pipeline-time security controls (like scanning and signing) and runtime or perimeter controls (like RASP and WAF), leading candidates to mistakenly select runtime defenses for a CI/CD enforcement question.

Question 29 (MCQ, hard)

A cloud application uses an API that allows users to view other users' profile details by changing the user ID in the request. Which vulnerability is this?

A. Mass assignment
B. Broken authentication
C. Broken object level authorization (BOLA)
D. Excessive data exposure

Answer: C

BOLA/IDOR occurs when an attacker can access objects by manipulating identifiers without proper authorization checks.

Why this answer

Broken Object Level Authorization (BOLA), also known as Insecure Direct Object Reference (IDOR), occurs when an application does not properly verify that the user has permission to access a specific object, such as another user's profile.

Question 30 (Multi-Select, hard)

A company uses a private artifact registry for internal packages. An attacker could perform a dependency confusion attack by uploading a malicious package to a public registry with the same name as an internal package. Which THREE measures help mitigate this attack?

A. Generate an SBOM for each application
B. Use verified publisher names in the public registry
C. Sign all internal packages with a private key
D. Use scoped packages (e.g., @company/package-name)
E. Configure the package manager to prefer the private registry over public

Answers: B, D, E

Verified publishers help ensure authenticity.

Why this answer

Option B is correct because verified publisher names in a public registry (e.g., npm verified publishers or PyPI trusted publishers) allow the package manager to cryptographically verify that a package was published by a trusted identity. This prevents an attacker from impersonating an internal package name, as the malicious upload would lack the verified publisher claim and be rejected during resolution.

Exam trap

Cisco often tests the misconception that signing packages alone prevents dependency confusion, but signature verification only protects integrity after download, not the resolution order that causes the attack.

Question 31 (MCQ, medium)

An organization is implementing a DevSecOps pipeline for cloud-native applications. Which security testing method should be integrated early in the CI/CD pipeline to analyze source code for vulnerabilities without executing the application?

A. Runtime Application Self-Protection (RASP)
B. Dynamic Application Security Testing (DAST)
C. Interactive Application Security Testing (IAST)
D. Static Application Security Testing (SAST)

Answer: D

SAST analyzes source code or binaries for vulnerabilities without execution, ideal for early integration.

Why this answer

Static Application Security Testing (SAST) scans source code early in the SDLC, aligning with shift-left security.

Question 32 (MCQ, hard)

A developer accidentally hardcodes AWS access keys in a public GitHub repository. Which tool is specifically designed to detect such secrets in code repositories?

A. Checkov
B. GitGuardian
C. Snyk
D. tfsec

Answer: B

GitGuardian specializes in detecting secrets in source code.

Why this answer

GitGuardian is a purpose-built tool for detecting secrets (e.g., AWS access keys, API tokens) in code repositories, including public GitHub repos. It scans commit history and uses pattern matching to identify hardcoded credentials, alerting developers in real time. This directly addresses the scenario of accidental exposure in a public repository.

Exam trap

Cisco often tests the distinction between infrastructure-as-code security scanners (Checkov, tfsec) and secret detection tools (GitGuardian), trapping candidates who assume any security tool can find hardcoded credentials.

How to eliminate wrong answers

Option A is wrong because Checkov is a static analysis tool for infrastructure-as-code (e.g., Terraform, CloudFormation) that checks for misconfigurations, not for scanning secrets in code repositories. Option C is wrong because Snyk focuses on vulnerability scanning in open-source dependencies and container images, not on detecting hardcoded secrets in source code. Option D is wrong because tfsec is a security scanner for Terraform configurations, similar to Checkov, and lacks secret detection capabilities for general code repositories.

Question 33 (MCQ, easy)

Which of the following is a key benefit of using a Software Bill of Materials (SBOM)?

A. It automatically fixes vulnerabilities in dependencies
B. It prevents all zero-day attacks
C. It allows for quick identification of vulnerable components
D. It replaces the need for penetration testing

Answer: C

SBOMs enable rapid impact analysis when a vulnerability is disclosed.

Why this answer

An SBOM provides a list of all components and dependencies in an application, enabling organizations to quickly identify which applications are affected by a newly disclosed vulnerability.

Question 34 (MCQ, medium)

Which OWASP Top 10 vulnerability is most directly related to cloud API security when an attacker can modify parameters to access another user's data?

A. Security Misconfiguration
B. Injection
C. Broken Object Level Authorization
D. Cross-Site Request Forgery (CSRF)

Answer: C

BOLA is a common API vulnerability where attackers can access objects by manipulating identifiers.

Why this answer

Broken Object Level Authorization (BOLA) occurs when an API does not properly enforce user permissions on object access.

Question 35 (MCQ, medium)

A security team wants to ensure that only signed container images are deployed in production. Which practice should they implement?

A. Container image scanning with Trivy
B. Implementing a web application firewall (WAF)
C. Using a private registry
D. Image signing and verification

Answer: D

Image signing cryptographically signs images and verification ensures only signed images are used.

Why this answer

Signing container images with tools like Notary or Sigstore ensures the integrity and authenticity of images, preventing tampered or unauthorized images from being deployed.

Question 36 (MCQ, easy)

Which of the following is an example of a runtime application self-protection (RASP) capability?

A. Checking for misconfigured S3 buckets
B. Blocking an SQL injection attempt during execution
C. Analyzing logs after an attack
D. Scanning source code for vulnerabilities

Answer: B

RASP can detect and block attacks at runtime.

Why this answer

RASP operates within the application runtime to detect and block attacks in real time. Blocking an SQL injection attempt during execution is a typical RASP function.

Question 37 (Multi-Select, hard)

A cloud security team is implementing a DevSecOps pipeline for a Kubernetes-based application. Which THREE scanning tools should be integrated to detect IaC misconfigurations before deployment?

A. GitGuardian
B. KICS
C. Checkov
D. Snyk
E. tfsec

Answers: B, C, E

KICS scans IaC including Kubernetes and Terraform.

Why this answer

KICS (Keeping Infrastructure as Code Secure) is an open-source tool specifically designed to scan IaC files for security misconfigurations, vulnerabilities, and compliance violations before deployment. It supports multiple IaC formats including Terraform, Kubernetes manifests, Dockerfiles, and CloudFormation, making it a strong choice for a DevSecOps pipeline targeting Kubernetes-based applications.

Exam trap

Cisco often tests the distinction between secret scanning tools (like GitGuardian) and IaC misconfiguration scanners (like KICS, Checkov, tfsec), leading candidates to select GitGuardian because it is a well-known security tool, even though it does not address IaC misconfigurations.

38
Multi-Select · medium

A cloud application uses IAM roles with wildcard permissions (e.g., iam:* or *:*). Which TWO risks are directly associated with such over-permissive IAM policies?

Select 2 answers
A. Denial of service against other cloud services
B. Privilege escalation to administrative roles
C. Increased cost due to unnecessary resource usage
D. Difficulty in auditing permissions due to logging overhead
E. Unauthorized data exfiltration from S3 buckets or databases
Answers: B, E

Correct. Wildcard permissions allow escalating to full admin.

Why this answer

Wildcard permissions can lead to privilege escalation and data exfiltration. DoS and cost overruns are possible but not direct risks of over-permissive IAM; logging impact is indirect.

39
MCQ · medium

An organization uses a private artifact registry for approved package sources. A developer accidentally publishes a package, with a name similar to that of an internal package, to the public registry. This could lead to which type of attack?

A. Cross-site request forgery (CSRF)
B. Denial of service (DoS)
C. Dependency confusion
D. Man-in-the-middle (MITM)
Answer: C

Dependency confusion exploits naming conflicts between private and public packages.

Why this answer

Dependency confusion occurs when a package manager (e.g., npm, pip, Maven) resolves a package name to a public registry instead of a private one, because the public registry has a package with the same or similar name. In this scenario, the developer accidentally published a package with a similar name to the public registry, so internal builds may fetch that malicious public package instead of the intended internal one, leading to arbitrary code execution in the build pipeline.

Exam trap

Cisco often tests dependency confusion by describing a scenario where a developer publishes a package with a similar name to a public registry, and candidates mistakenly think of MITM because they focus on 'similar name' as a spoofing attack, but the core mechanism is the package manager's registry resolution order, not network interception.

How to eliminate wrong answers

Option A is wrong because CSRF exploits a user's authenticated session to perform unwanted actions on a web application, not package resolution logic. Option B is wrong because DoS attacks aim to overwhelm a service with traffic or resource exhaustion, not to hijack package dependencies. Option D is wrong because MITM attacks intercept or alter communications between two parties (e.g., via ARP spoofing or rogue certificates), whereas dependency confusion exploits the package manager's name resolution order between registries.

40
MCQ · easy

Which practice helps prevent hardcoded cloud credentials from being committed to source code repositories?

A. Implementing secrets management with a vault service
B. Using environment variables for all configuration
C. Storing credentials in a configuration file with restricted permissions
D. Using a .gitignore file to exclude credential files
Answer: A

Secrets management services securely store and provide access to credentials without embedding them in code.

Why this answer

Using secrets management tools like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault to dynamically retrieve credentials at runtime avoids hardcoding them in code.

41
Multi-Select · medium

A security auditor is reviewing a cloud application's API endpoints. Which THREE OWASP API Security risks are particularly relevant to cloud applications due to their reliance on APIs for resource access?

Select 3 answers
A. Broken Object Level Authorization (BOLA/IDOR)
B. Lack of Rate Limiting
C. Mass Assignment
D. Broken Authentication
E. Excessive Data Exposure
Answers: A, D, E

Correct. BOLA is a top API risk where users can access unauthorized objects.

Why this answer

Broken Object Level Authorization (BOLA/IDOR) is a top OWASP API Security risk because cloud APIs expose object identifiers (e.g., user IDs, document keys) in URLs or request bodies. If the API fails to verify that the authenticated user owns or is permitted to access the requested resource, an attacker can manipulate these identifiers to access or modify another tenant's data, directly violating cloud multi-tenancy isolation.

Exam trap

Cisco often tests the distinction between OWASP API Security Top 10 risk categories (like BOLA, Broken Authentication, Excessive Data Exposure) and general security controls (like rate limiting) or other vulnerability types (like mass assignment) that are not standalone risks in that specific list.

42
MCQ · medium

Which practice is most effective for preventing the deployment of container images with known vulnerabilities in a DevSecOps pipeline?

A. Post-deployment vulnerability scanning
B. Image scanning in CI pipeline before push
C. Using only official base images
D. Runtime monitoring with a WAF
Answer: B

Scanning before registry push prevents vulnerable images from being stored.

Why this answer

Scanning container images in the CI pipeline before pushing to a registry ensures that only secure images are stored and deployed. This is a preventive control.

43
MCQ · hard

An organization uses a private artifact registry for approved packages. What attack does this practice primarily defend against?

A. Dependency confusion attacks
B. Denial of service attacks
C. Man-in-the-middle attacks
D. Injection attacks
Answer: A

Private registries control package sources, preventing dependency confusion.

Why this answer

Dependency confusion attacks occur when an attacker publishes a malicious package with the same name as an internal package to a public registry, tricking the build system into using the malicious one. A private registry ensures only approved packages are used.

44
MCQ · easy

Which of the following is a best practice for managing secrets in a cloud-native application?

A. Encrypting secrets and storing them in a configuration file
B. Storing secrets in environment variables inside container images
C. Hardcoding secrets in the application source code
D. Using a cloud secrets manager to retrieve secrets at runtime
Answer: D

Secrets managers provide secure, auditable access.

Why this answer

Using a cloud secrets manager (e.g., AWS Secrets Manager) allows applications to retrieve secrets dynamically, avoiding hardcoded credentials.

45
MCQ · hard

A company uses Terraform to manage cloud infrastructure. Which infrastructure-as-code (IaC) security scanner can detect misconfigurations such as overly permissive security group rules before deployment?

A. Snyk
B. Dependabot
C. GitGuardian
D. Checkov
Answer: D

Checkov scans IaC files like Terraform for compliance and security issues.

Why this answer

Checkov is an open-source static analysis tool specifically designed to scan Infrastructure as Code (IaC) templates, including Terraform, for security misconfigurations such as overly permissive security group rules (e.g., 0.0.0.0/0 ingress on port 22). It uses a policy-as-code framework with hundreds of built-in checks (e.g., CKV_AWS_24 for unrestricted SSH) and can be integrated into CI/CD pipelines to catch issues before deployment, making it the correct choice for pre-deployment IaC scanning.

Exam trap

Cisco often tests the distinction between IaC security scanners (like Checkov) and other security tools (like Snyk for dependencies, Dependabot for package updates, and GitGuardian for secrets), so candidates must recognize that only Checkov is purpose-built for scanning Terraform configurations before deployment.

How to eliminate wrong answers

Option A is wrong because Snyk is a general-purpose application security testing tool that focuses on open-source dependency vulnerabilities and container images, not specifically on scanning Terraform or IaC templates for misconfigurations like security group rules. Option B is wrong because Dependabot is a GitHub-native tool that automates dependency updates and alerts for known vulnerabilities in package manifests (e.g., npm, Maven), not for scanning IaC code or cloud resource definitions. Option C is wrong because GitGuardian is a secrets detection tool that scans repositories for exposed credentials, API keys, and tokens, not for analyzing Terraform configurations for cloud security misconfigurations.

46
MCQ · hard

During a security audit of a Kubernetes deployment, a team finds that containers are allowed to run as root with full privilege escalation. Which IaC scanning tool would have detected this misconfiguration before deployment?

A. Snyk
B. KICS
C. Checkov
D. Dependabot
Answer: B

KICS is designed to scan Kubernetes manifests and can detect security issues like running as root with privilege escalation.

Why this answer

KICS (Keeping Infrastructure as Code Secure) is a tool that scans IaC files for security misconfigurations, including Kubernetes manifests. It can detect containers running as root with privilege escalation.

47
MCQ · medium

A security engineer is integrating security into a cloud application's CI/CD pipeline. Which practice is an example of 'shift-left' security?

A. Performing a penetration test after deployment
B. Analyzing logs after an incident
C. Running SAST scans during pull request review
D. Scanning container images in production
Answer: C

SAST scans during code review catch vulnerabilities before merge, embodying shift-left.

Why this answer

Shift-left security means performing security activities early in the development lifecycle. Running SAST during the coding phase, before code is merged, is a classic shift-left practice. The other options are either reactive or occur later.

48
MCQ · easy

Which cloud-specific attack involves an application making HTTP requests to internal metadata endpoints such as 169.254.169.254 to retrieve cloud instance credentials?

A. Dependency Confusion
B. Server-Side Request Forgery (SSRF)
C. Cross-Site Scripting (XSS)
D. SQL Injection
Answer: B

SSRF tricks the server into making requests to internal endpoints.

Why this answer

The attack described is Server-Side Request Forgery (SSRF), where an attacker exploits a vulnerable application to make HTTP requests to internal metadata endpoints like 169.254.169.254 (the link-local address for cloud instance metadata services). This allows the attacker to retrieve cloud instance credentials (e.g., AWS IAM role temporary credentials) that are normally accessible only from within the instance, leading to privilege escalation and lateral movement.

Exam trap

Cisco often tests SSRF by pairing it with the specific IP 169.254.169.254, and the trap here is that candidates may confuse SSRF with Dependency Confusion (both involve external resources) or think XSS/SQLi can be used to access internal endpoints, but only SSRF exploits server-side request handling to reach cloud metadata.

How to eliminate wrong answers

Option A (Dependency Confusion) is wrong because it involves an attacker uploading a malicious package with the same name as an internal dependency to a public repository, tricking the package manager into installing it; it does not involve HTTP requests to metadata endpoints. Option C (Cross-Site Scripting) is wrong because it injects malicious scripts into web pages viewed by other users, targeting client-side browsers rather than server-side requests to internal IPs. Option D (SQL Injection) is wrong because it manipulates database queries through input fields, not HTTP requests to cloud metadata services.

49
MCQ · medium

A cloud-native application is deployed on AWS. During a security review, the team discovers that if an attacker can send a crafted request to the application, the application will make an HTTP request to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Which vulnerability is being exploited?

A. SQL injection
B. Cross-site scripting (XSS)
C. Insecure deserialization
D. Server-Side Request Forgery (SSRF)
Answer: D

SSRF allows an attacker to induce the server to make requests to internal resources, such as the cloud metadata endpoint.

Why this answer

Server-Side Request Forgery (SSRF) targeting the cloud metadata endpoint can expose IAM credentials. The IP 169.254.169.254 is the link-local address for cloud metadata services.

50
MCQ · hard

An attacker publishes a malicious package to a public registry using the same name as an internal package used by a cloud application. This attack is known as:

A. Dependency confusion
B. Supply chain poisoning
C. Man-in-the-middle attack
D. Typosquatting
Answer: A

Dependency confusion exploits package resolution order to install a malicious public package.

Why this answer

Dependency confusion occurs when an attacker publishes a malicious package to a public registry (e.g., npm, PyPI, Maven Central) using the same name as an internal, private package. When a cloud application's build system is configured to fetch dependencies from both public and private registries, the package manager may prioritize the public registry (often due to higher version numbers or default resolution order), causing the malicious package to be installed instead of the legitimate internal one. This exploits the trust in package resolution algorithms and is a specific form of supply chain attack targeting cloud-native CI/CD pipelines.

Exam trap

Cisco often tests the distinction between dependency confusion and typosquatting, so the trap here is that candidates confuse the exact-name-match technique (dependency confusion) with the misspelling-based technique (typosquatting), leading them to incorrectly select typosquatting when the question explicitly states 'same name.'

How to eliminate wrong answers

Option B (Supply chain poisoning) is wrong because it is a broader category encompassing any attack that compromises a component in the software supply chain (e.g., injecting malicious code into a legitimate package, compromising build servers), whereas dependency confusion is a specific technique that relies on name collision and registry priority. Option C (Man-in-the-middle attack) is wrong because it involves intercepting or altering communications between two parties (e.g., between a client and a registry), not exploiting package name resolution logic; dependency confusion does not require network interception. Option D (Typosquatting) is wrong because it relies on registering a package with a name that is a common misspelling or typo of a popular package (e.g., 'requrests' instead of 'requests'), whereas dependency confusion uses the exact same name as an internal package, not a misspelling.

51
MCQ · hard

A security engineer is reviewing an S3 bucket policy that grants 's3:GetObject' access to 'Principal: *' and 'Condition: {IpAddress: {aws:SourceIp: ["1.2.3.4/32"]}}'. Despite the IP restriction, why is this policy still considered risky?

A. The policy uses 'GetObject' instead of 'ListBucket'
B. The IP address is not properly masked
C. The bucket is still exposed to anyone who can spoof that IP
D. The condition uses 'aws:SourceIp' which is deprecated
Answer: C

If an attacker can spoof the allowed IP, they can access the bucket; also, the policy allows the principal '*' which is public.

Why this answer

The policy grants public access to a specific IP, but if that IP is compromised or the condition is misconfigured, it can lead to data exposure; additionally, the bucket policy may override other controls.

52
Multi-Select · medium

A cloud application is deployed on Kubernetes and uses an IAM role for service accounts. Which TWO practices should be implemented to ensure least privilege?

Select 2 answers
A. Grant only the specific permissions required for the application
B. Hardcode the role's access key in the application code
C. Grant the role the 'iam:*' wildcard permission
D. Restrict the role to specific resources using ARNs
E. Use a single role for all services in the cluster
Answers: A, D

Specific permissions limit access to only what is needed.

Why this answer

Least privilege for IAM roles means granting only necessary permissions and using specific resource ARNs to limit scope.

53
Multi-Select · hard

A cloud application exposes an API that allows users to view their own orders. Which TWO vulnerabilities could allow an attacker to view another user's orders?

Select 2 answers
A. Excessive Data Exposure
B. SQL Injection
C. Insecure Direct Object Reference (IDOR)
D. Broken Object Level Authorization (BOLA)
E. Cross-Site Scripting (XSS)
Answers: C, D

IDOR occurs when user input directly references objects without authorization checks.

Why this answer

Broken Object Level Authorization (BOLA) occurs when the API does not verify that the user owns the object, and IDOR (Insecure Direct Object Reference) allows access by manipulating object IDs.

54
Multi-Select · medium

A development team builds a serverless application using AWS Lambda. The security team wants to prevent hardcoded credentials. Which TWO methods should they enforce for secure secrets management?

Select 2 answers
A. Store secrets in environment variables in plain text
B. Assign an IAM role to the Lambda function and retrieve temporary credentials via the AWS SDK
C. Embed secrets directly in the Lambda function code but encrypt the code
D. Use a third-party secrets manager with a hardcoded API key in the code
E. Use AWS Systems Manager Parameter Store with KMS encryption
Answers: B, E

Correct. IAM roles provide temporary credentials without hardcoding.

Why this answer

Cloud-native secret managers and IAM roles are secure ways to manage secrets without hardcoding them. AWS Systems Manager Parameter Store is a secrets manager, and Lambda execution roles eliminate the need for embedded credentials.

55
Multi-Select · medium

Which THREE of the following are recommended practices for securing cloud application APIs? (Select three.)

Select 3 answers
A. Validate and sanitize all user inputs
B. Expose all API endpoints automatically for transparency
C. Allow mass assignment for ease of development
D. Implement rate limiting to prevent abuse
E. Apply least privilege to API keys and roles
Answers: A, D, E

Input validation prevents injection attacks.

Why this answer

Rate limiting, input validation, and least privilege are key API security practices. Mass assignment is a vulnerability to avoid, not a practice, and exposing all endpoints is contrary to security.

56
MCQ · medium

A cloud application allows users to upload profile pictures that are stored in Azure Blob Storage. Which vulnerability is most likely if the application does not validate the content type or size of uploaded files?

A. Unrestricted File Upload
B. Server-Side Request Forgery (SSRF)
C. Mass Assignment
D. Broken Object Level Authorization (BOLA)
Answer: A

Unrestricted file upload can lead to remote code execution if dangerous file types are allowed.

Why this answer

Without validation, an attacker could upload a malicious file (e.g., a web shell) that could be executed on the server, leading to remote code execution.

57
Multi-Select · medium

A security team is implementing container image scanning in a CI pipeline. Which TWO of the following actions should be performed? (Select TWO)

Select 2 answers
A. Disable scanning to speed up the pipeline
B. Scan the image before pushing to the registry
C. Scan the image after deployment to production
D. Sign the image to ensure integrity
E. Scan the image only if it is based on a public base image
Answers: B, D

Scanning before push prevents vulnerable images from being stored.

Why this answer

Scanning the image before pushing to a registry prevents vulnerable images from being stored. Signing images ensures integrity and authenticity, preventing tampered images from being deployed.

58
MCQ · easy

A cloud security team wants to integrate security testing early in the development lifecycle to reduce vulnerabilities. Which approach best describes this concept?

A. Runtime application self-protection (RASP)
B. Software bill of materials (SBOM)
C. Web application firewall (WAF)
D. Shift-left security
Answer: D

Shift-left security refers to integrating security early in the SDLC, which aligns with the question.

Why this answer

Shift-left security is the practice of integrating security testing and controls early in the software development lifecycle (SDLC), such as during design and coding phases, rather than waiting until deployment. This proactive approach reduces vulnerabilities by catching flaws when they are cheaper and easier to fix, aligning with DevSecOps principles.

Exam trap

Cisco often tests the distinction between runtime controls (RASP, WAF) and lifecycle integration practices (shift-left), so candidates mistakenly choose a runtime tool because they associate 'security testing' with active monitoring rather than early development phases.

How to eliminate wrong answers

Option A is wrong because Runtime Application Self-Protection (RASP) is a runtime security technology that monitors and blocks attacks from within the application during execution, not an early lifecycle integration approach. Option B is wrong because a Software Bill of Materials (SBOM) is a formal inventory of software components and dependencies, used for supply chain risk management and vulnerability tracking, not for shifting security left in the development process. Option C is wrong because a Web Application Firewall (WAF) is a network-level security control that filters HTTP traffic to protect applications in production, operating at runtime rather than early in the SDLC.

59
MCQ · medium

A cloud security team wants to automatically block malicious requests to a web application before they reach the application servers. Which solution should they implement?

A. Intrusion Detection System (IDS)
B. Runtime Application Self-Protection (RASP)
C. Cloud Web Application Firewall (WAF)
D. Static Application Security Testing (SAST)
Answer: C

A cloud WAF inspects incoming traffic and blocks malicious requests at the network edge.

Why this answer

A Cloud Web Application Firewall (WAF) is the correct solution because it operates at the application layer (Layer 7) to inspect HTTP/HTTPS traffic and block malicious requests—such as SQL injection, cross-site scripting (XSS), and OWASP Top 10 attacks—before they reach the application servers. Unlike an IDS, a WAF can actively block traffic in real time, and it is deployed at the network edge or cloud gateway, providing inline prevention without requiring changes to the application code.

Exam trap

The trap here is that candidates confuse IDS (passive alerting) with IPS (inline blocking), or assume RASP can block traffic before it reaches the application, when in fact RASP operates within the application runtime and cannot prevent initial request arrival at the server boundary.

How to eliminate wrong answers

Option A is wrong because an Intrusion Detection System (IDS) is a passive monitoring tool that only alerts on suspicious activity (e.g., via signature matching or anomaly detection) and cannot automatically block malicious requests; it lacks inline enforcement capabilities. Option B is wrong because Runtime Application Self-Protection (RASP) runs inside the application runtime environment (e.g., integrated into the JVM or .NET CLR) to detect and block attacks from within the application, but it does not operate before requests reach the application servers—it protects the application from the inside, not at the perimeter. Option D is wrong because Static Application Security Testing (SAST) is a development-phase code analysis tool that scans source code for vulnerabilities (e.g., buffer overflows, insecure APIs) but does not provide runtime protection or block live traffic; it is a preventive measure, not a real-time defense.

60
MCQ · medium

A cloud application uses IAM roles to grant permissions to compute instances. What is the primary security advantage of this approach over hardcoding credentials?

A. Simplified load balancing
B. Elimination of hardcoded secrets
C. Improved application performance
D. Reduced network latency
Answer: B

IAM roles provide temporary credentials without embedding secrets in code.

Why this answer

Using IAM roles eliminates the need to hardcode credentials (like access keys) in code, reducing the risk of exposure. IAM roles automatically rotate temporary credentials and are managed by the cloud provider.

61
MCQ · medium

A cloud application uses an IAM role with a policy that allows 's3:*' on all buckets. This is an example of which cloud security issue?

A. Exposed S3 bucket
B. Over-permissive IAM
C. Insecure API endpoint
D. Hardcoded credentials
Answer: B

Wildcard permissions like 's3:*' grant too broad access.

Why this answer

Over-permissive IAM roles with wildcard permissions grant excessive privileges, violating least privilege.

62
MCQ · medium

A security engineer discovers that a cloud application can access the metadata service endpoint at 169.254.169.254. Which vulnerability is most likely being exploited?

A. Server-Side Request Forgery (SSRF)
B. SQL Injection
C. Cross-Site Scripting (XSS)
D. Insecure Deserialization
Answer: A

SSRF enables an attacker to make requests from the server, potentially accessing internal services like the metadata endpoint.

Why this answer

Server-Side Request Forgery (SSRF) can be used to target the cloud metadata endpoint (169.254.169.254) to retrieve IAM credentials or other sensitive information. This is a cloud-specific vulnerability.

63
MCQ · medium

A company is adopting shift-left security. Which action best exemplifies this approach?

A. Running SAST scans during code development
B. Monitoring logs for suspicious activity
C. Performing security reviews after deployment
D. Conducting penetration testing annually
Answer: A

SAST during development catches issues early.

Why this answer

Integrating security testing into the development phase (e.g., SAST, dependency scanning) before code is committed or deployed is the essence of shift-left security.

64
MCQ · easy

Which tool is specifically designed to scan Infrastructure as Code (IaC) templates for cloud misconfigurations before deployment?

A. Checkov
B. OWASP ZAP
C. Snyk
D. GitGuardian
Answer: A

Checkov specializes in IaC security scanning.

Why this answer

Checkov is an IaC security scanner that checks Terraform, CloudFormation, and Kubernetes manifests for misconfigurations before deployment. The other tools serve different purposes.

65
Multi-Select · medium

A DevSecOps team is implementing security scanning in the CI/CD pipeline for a cloud application. Which THREE tools or practices should be included to shift security left?

Select 3 answers
A. Infrastructure-as-Code (IaC) security scanning
B. Static Application Security Testing (SAST)
C. Web Application Firewall (WAF) deployment
D. Runtime Application Self-Protection (RASP)
E. Dependency scanning (e.g., Snyk)
Answers: A, B, E

IaC scanning detects misconfigurations before deployment.

Why this answer

Shift-left security involves integrating security early. SAST scans source code, IaC scanning detects misconfigurations before deployment, and dependency scanning identifies vulnerable libraries.

66
MCQ · medium

A security team wants to detect container image vulnerabilities before they are pushed to a registry. At which stage of the CI pipeline should container image scanning occur?

A. After build and before push to registry
B. During runtime in production
C. After deployment to production
D. After push to registry and before deployment
Answer: A

Scanning at this stage prevents vulnerable images from being stored in the registry.

Why this answer

Scanning container images after build but before push ensures vulnerabilities are caught early and not deployed.

67
MCQ · easy

Which security testing approach is most effective at identifying vulnerabilities early in the cloud software development lifecycle (SDLC) by analyzing source code without executing the application?

A. Interactive Application Security Testing (IAST)
B. Static Application Security Testing (SAST)
C. Runtime Application Self-Protection (RASP)
D. Dynamic Application Security Testing (DAST)
Answer: B

SAST analyzes source code without execution, fitting the shift-left model.

Why this answer

Static Application Security Testing (SAST) is the correct approach because it analyzes source code, bytecode, or binary code without executing the application, making it ideal for identifying vulnerabilities early in the SDLC (shift-left). Unlike dynamic or runtime tools, SAST scans the codebase statically, catching issues like SQL injection, buffer overflows, and insecure cryptographic implementations before compilation or deployment.

Exam trap

Cisco often tests the distinction between SAST and DAST by framing the question around 'early in the SDLC' and 'without executing the application'—candidates mistakenly choose DAST because it is a common security test, but DAST requires a running application and is performed later in the lifecycle.

How to eliminate wrong answers

Option A is wrong because Interactive Application Security Testing (IAST) requires the application to be running and instrumented, typically within a test environment, to analyze code paths during execution—it does not work on static source code. Option C is wrong because Runtime Application Self-Protection (RASP) is a runtime security control embedded in the application that monitors and blocks attacks during execution, not a testing tool for early SDLC vulnerability detection. Option D is wrong because Dynamic Application Security Testing (DAST) tests the running application from the outside (black-box) by sending HTTP requests and analyzing responses, which requires a deployed instance and cannot analyze source code statically.

68
Multi-Select · medium

Which TWO of the following are recommended practices for securing container images in a cloud environment? (Select TWO)

Select 2 answers
A. Using the latest tag for all images
B. Scanning images for vulnerabilities in the CI pipeline
C. Running containers as root user
D. Storing images in a public registry for easier access
E. Signing container images with a cryptographic key
Answers: B, E

Vulnerability scanning prevents deployment of insecure images.

Why this answer

Signing container images ensures integrity and prevents tampering, and scanning images in the CI pipeline before deployment catches vulnerabilities early.

69
MCQ · medium

A security engineer is reviewing a cloud application that uses AWS S3 buckets. Which vulnerability is most specific to cloud environments and is often exploited to access sensitive data?

A. Buffer overflow
B. SQL injection
C. Exposed S3 buckets with public read access
D. Cross-site scripting (XSS)
Answer: C

Correct. This is a cloud-specific misconfiguration that can expose data.

Why this answer

Exposed S3 buckets with public read access are a cloud-specific misconfiguration vulnerability because they rely on the AWS S3 bucket policy or ACL settings that grant unauthenticated access to objects. Unlike traditional on-premises vulnerabilities, this arises from improper cloud resource configuration, allowing attackers to enumerate and download sensitive data directly via HTTP/HTTPS requests without any authentication.

Exam trap

Cisco often tests the distinction between cloud-specific misconfigurations (like exposed S3 buckets) and traditional application vulnerabilities (like SQL injection or XSS), trapping candidates who confuse general web app flaws with cloud-native risks.

How to eliminate wrong answers

Option A is wrong because buffer overflow is a memory corruption vulnerability in software code, not a cloud-specific misconfiguration; it requires exploiting a programming flaw in an application, not a cloud storage setting. Option B is wrong because SQL injection is a web application vulnerability that targets database queries through user input, not a cloud environment's storage service like S3. Option D is wrong because cross-site scripting (XSS) is a client-side injection attack that executes malicious scripts in a user's browser, unrelated to cloud storage bucket permissions.

70
MCQ · hard

During a threat modeling session for a cloud-native application, which cloud-specific attack path is most critical to identify?

A. Cross-Site Scripting (XSS) in a web form
B. SQL injection in a legacy database
C. Server-Side Request Forgery (SSRF) to the metadata service
D. Buffer overflow in a compiled binary
Answer: C

SSRF to the metadata endpoint (e.g., 169.254.169.254) can leak cloud IAM credentials.

Why this answer

SSRF targeting cloud metadata endpoints is a critical cloud-specific threat because it can expose IAM credentials, leading to full account compromise. This is a unique cloud attack path not typically present in on-premises environments.

71
MCQ · hard

Which runtime security control monitors application behavior and can block attacks by analyzing application logic and context?

A. Web application firewall (WAF)
B. Intrusion detection system (IDS)
C. Runtime application self-protection (RASP)
D. Static application security testing (SAST)
Answer: C

RASP instruments the application runtime to detect and block attacks based on application logic.

Why this answer

C is correct because Runtime Application Self-Protection (RASP) is a security technology that is integrated into an application's runtime environment, allowing it to monitor actual application behavior and context (e.g., input validation, SQL queries, API calls) in real time. Unlike external controls, RASP can understand the application's logic and data flow, enabling it to block attacks such as SQL injection or command injection by analyzing the specific context of each request.

Exam trap

Cisco often tests the distinction between external traffic-inspecting controls (WAF) and in-application controls (RASP). The trap here is that candidates mistakenly choose WAF because they think it 'analyzes application logic', when in fact WAFs rely on signatures and patterns, not runtime context.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) operates at the network or HTTP layer, inspecting traffic patterns and signatures (e.g., OWASP ModSecurity rules) without understanding the application's internal logic or runtime context. Option B is wrong because an Intrusion Detection System (IDS) passively monitors network or host events for known attack signatures or anomalies, but it cannot block attacks inline or analyze application-specific logic and context. Option D is wrong because Static Application Security Testing (SAST) analyzes source code or binaries at rest, not during runtime, and thus cannot monitor or block live application behavior.

72
MCQ · medium

Which of the following is a best practice for managing secrets in cloud-native applications?

A. Hardcode secrets in environment variables
B. Include secrets in container images
C. Use the same secret across all environments
D. Store secrets in a dedicated secrets management service
Answer: D

Secrets managers provide secure storage, access control, and rotation.

Why this answer

Using a cloud secret manager (like AWS Secrets Manager or HashiCorp Vault) to inject secrets at runtime avoids hardcoding and enables rotation. Least-privilege IAM and injecting secrets through environment variables at runtime (rather than hardcoding them) are also helpful, but using a dedicated service is the best practice.

73
MCQ · medium

A cloud-native application stores sensitive user files in an Amazon S3 bucket. Which misconfiguration poses the greatest risk of data exposure?

A. Bucket versioning enabled
B. Bucket ACL set to public read
C. Default encryption enabled
D. Bucket policy with a condition for source IP
Answer: B

Public read ACL allows anonymous access to all objects.

Why this answer

Setting the S3 bucket ACL to public read allows anyone on the internet to access files, leading to data exposure.

74
MCQ · medium

Which of the following is a cloud-specific threat that should be included in a threat model for a cloud application?

A. Exposed S3 bucket
B. Cross-site scripting (XSS)
C. SQL injection
D. Buffer overflow
Answer: A

Misconfigured S3 buckets are a top cloud-specific threat.

Why this answer

Exposed S3 buckets are a common cloud-specific misconfiguration leading to data breaches. Other options are general security issues not unique to cloud.

75
MCQ · medium

During a CI/CD pipeline, a developer wants to automatically block builds if Terraform configuration files contain security misconfigurations. Which tool is best suited for this task?

A. Snyk
B. GitGuardian
C. Checkov
D. OWASP ZAP
Answer: C

Checkov scans IaC templates for misconfigurations and integrates into CI/CD pipelines.

Why this answer

Checkov is an open-source IaC scanning tool that checks Terraform, CloudFormation, and Kubernetes configurations for security misconfigurations, making it ideal for blocking builds in CI/CD.
