CCNA Ccsp App Security Questions

9 of 84 questions · Page 2/2 · Ccsp App Security topic · Answers revealed

76 · MCQ · easy

What is a Software Bill of Materials (SBOM) primarily used for?

A. Documenting all open-source and third-party components in an application
B. Tracking user access to cloud resources
C. Recording incident response procedures
D. Listing security controls implemented in the cloud environment

Answer: A

SBOM provides an inventory of dependencies for security analysis.

Why this answer

An SBOM lists all components and dependencies in a software product, aiding in vulnerability management and supply chain security.

77 · Multi-Select · hard

Which THREE of the following are key components of a secure cloud SDLC that support shift-left security? (Select THREE)

Select 3 answers
A. Post-deployment penetration testing
B. Infrastructure as Code (IaC) security scanning
C. Annual security awareness training
D. Threat modeling during the design phase
E. Automated SAST and DAST in the CI/CD pipeline

Answers: B, D, E

IaC scanning prevents misconfigurations before provisioning.

Why this answer

Infrastructure as Code (IaC) security scanning is a key component of shift-left security because it allows teams to detect misconfigurations and compliance violations in cloud templates (e.g., Terraform, CloudFormation) before any resources are provisioned. By integrating scanners like Checkov or tfsec into the development pipeline, security issues are identified and remediated during coding, not after deployment, which reduces risk and cost.

Exam trap

Cisco often tests the distinction between 'shift-left' (pre-deployment) and 'shift-right' (post-deployment) activities. Candidates mistakenly select post-deployment penetration testing (A) because they assume all security testing counts as shift-left; the key is that shift-left specifically means moving security earlier in the lifecycle, not after deployment.

78 · MCQ · medium

A container image is built and scanned in a CI pipeline. Which practice should be implemented to ensure that the image has not been tampered with before deployment?

A. Using a minimal base image
B. Scanning the image with a vulnerability scanner
C. Signing the image with a private key and verifying the signature
D. Storing the image in a private registry

Answer: C

Image signing ensures authenticity and integrity.

Why this answer

Signing container images provides cryptographic verification of image integrity, ensuring they have not been altered since signing.

79 · MCQ · easy

Which security testing technique is most effective at identifying vulnerabilities early in the development lifecycle by analyzing source code without executing it?

A. Runtime Application Self-Protection (RASP)
B. Dynamic Application Security Testing (DAST)
C. Interactive Application Security Testing (IAST)
D. Static Application Security Testing (SAST)

Answer: D

SAST examines source code statically, enabling early detection.

Why this answer

Static Application Security Testing (SAST) analyzes source code at rest, allowing early detection of vulnerabilities before compilation or execution. This aligns with shift-left security principles.

80 · MCQ · medium

Which vulnerability is considered a cloud-specific API security issue?

A. Broken Object Level Authorization (BOLA)
B. SQL Injection
C. Cross-Site Request Forgery (CSRF)
D. Clickjacking

Answer: A

BOLA is a cloud-relevant API vulnerability where object access controls are insufficient.

Why this answer

Broken Object Level Authorization (BOLA or IDOR) is a common API vulnerability where an attacker can access objects by modifying IDs. This is not unique to cloud but is critical in cloud APIs due to shared responsibility.

81 · MCQ · medium

What is the primary purpose of a Software Bill of Materials (SBOM) in cloud application security?

A. To scan infrastructure as code
B. To inventory all dependencies and facilitate vulnerability management
C. To automate deployment of containers
D. To document software licensing

Answer: B

SBOMs enable identification of vulnerable components and support supply chain risk management.

Why this answer

An SBOM lists all components (libraries, dependencies) used in a software application, helping to track vulnerabilities and ensure supply chain security.

82 · Multi-Select · medium

An organization wants to prevent secrets from being exposed in source code. Which two practices should they adopt? (Choose TWO.)

Select 2 answers
A. Implement secret scanning in the CI/CD pipeline
B. Encrypt all source code files
C. Use a firewall to block access to code repositories
D. Use a secrets management service to retrieve credentials at runtime
E. Disable git history

Answers: A, D

Secret scanning tools can detect and block commits containing secrets.

Why this answer

Using a secrets manager (like AWS Secrets Manager or Vault) avoids hardcoding credentials. Scanning for secrets in code repositories (e.g., GitGuardian) helps detect and remove any secrets that might have been committed.

83 · MCQ · easy

A development team is adopting a DevSecOps approach for a cloud-native application. Which practice best exemplifies the shift-left security principle?

A. Reviewing logs for security incidents weekly
B. Scanning Infrastructure as Code (IaC) templates with Checkov before deployment
C. Configuring a cloud WAF after the application is live
D. Performing runtime penetration testing after deployment

Answer: B

IaC scanning in the CI pipeline identifies misconfigurations early, aligning with shift-left.

Why this answer

Option B is correct because scanning Infrastructure as Code (IaC) templates with Checkov before deployment embodies the shift-left security principle by identifying and remediating misconfigurations early in the development lifecycle. This proactive approach prevents security issues from reaching production, reducing risk and cost compared to post-deployment fixes.

Exam trap

Cisco often tests the misconception that shift-left means any security activity performed early in the lifecycle. The trap here is that candidates may confuse post-deployment controls (like a WAF or pen testing) with true shift-left practices, which must occur before code is deployed or infrastructure is provisioned.

How to eliminate wrong answers

Option A is wrong because reviewing logs for security incidents weekly is a reactive, post-deployment monitoring practice that does not shift security left; it detects issues after they have occurred. Option C is wrong because configuring a cloud WAF after the application is live is a runtime security control applied after deployment, not an early-stage preventive measure. Option D is wrong because performing runtime penetration testing after deployment is a late-stage validation activity that does not catch vulnerabilities during development or build phases.

84 · MCQ · medium

In a DevSecOps pipeline for a cloud application, which practice best ensures that only approved open-source components are used?

A. Signing container images
B. Implementing dependency scanning with Snyk
C. Using a private artifact registry with allow-lists
D. Running SAST scans on all source code

Answer: C

A private registry restricts dependencies to those approved.

Why this answer

Option C is correct because a private artifact registry with allow-lists enforces a whitelist of approved open-source components, preventing developers from pulling unvetted dependencies directly from public repositories. This ensures that only components that have passed security and compliance reviews are used in the pipeline, directly addressing the requirement for 'approved' open-source components.

Exam trap

Cisco often tests the distinction between detection tools (like Snyk or SAST) and enforcement controls (like allow-lists). Candidates mistakenly choose a scanning tool that finds vulnerabilities rather than a policy-based mechanism that prevents unapproved components from being used at all.

How to eliminate wrong answers

Option A is wrong because signing container images ensures integrity and authenticity of the image itself, but does not control which open-source components are included inside the image. Option B is wrong because dependency scanning with Snyk identifies known vulnerabilities in open-source components but does not enforce a policy of only using pre-approved components; it detects issues after the component is already included. Option D is wrong because SAST (Static Application Security Testing) scans analyze custom source code for security flaws, not the approval status or provenance of open-source libraries.
