CCNA CISSP Software Security Questions

46 questions · CISSP Software Security topic · All types, answers revealed

1. MCQ, medium

Which type of testing analyzes source code for security vulnerabilities without executing the program?

A. Static Application Security Testing (SAST)
B. Interactive Application Security Testing (IAST)
C. Penetration testing
D. Dynamic Application Security Testing (DAST)

Answer: A

SAST analyzes source code without execution.

Why this answer

Static Application Security Testing (SAST) analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. It operates by scanning the codebase for known patterns, such as SQL injection or buffer overflow, using techniques like data flow analysis and taint tracking. This white-box approach identifies issues early in the Software Development Life Cycle (SDLC), making it the correct answer for testing that does not require runtime execution.

Exam trap

The trap here is that candidates confuse SAST with DAST because both are automated security testing tools. SAST is static (no execution) and DAST is dynamic (requires execution); the question explicitly states 'without executing the program' to eliminate DAST.

How to eliminate wrong answers

Option B (Interactive Application Security Testing, IAST) is wrong because IAST requires the application to be running and instruments the code during execution to detect vulnerabilities, often combining elements of SAST and DAST. Option C (Penetration testing) is wrong because it is a manual or automated black-box/gray-box test that actively exploits vulnerabilities in a running system, not analyzing source code statically. Option D (Dynamic Application Security Testing, DAST) is wrong because it tests the application from the outside while it is executing, typically by sending HTTP requests and analyzing responses, without access to the source code.

2. Multi-Select, medium

A security architect is reviewing a web application that handles sensitive financial transactions. The application uses a microservices architecture with an API gateway. During the threat modeling session using STRIDE, several threats were identified. Which TWO of the following are effective mitigations for the identified threats? (Select TWO.)

Select 2 answers
A. Implement generic error messages to users while logging detailed errors securely.
B. Implement CSRF tokens for all state-changing requests.
C. Log all user credentials during authentication attempts for audit purposes.
D. Deploy a Web Application Firewall (WAF) to block all incoming traffic from unknown IP addresses.
E. Enforce TLS encryption for all data in transit between microservices and the API gateway.

Answers: A, E

This mitigates Information Disclosure by not exposing system internals in error messages, while still allowing administrators to diagnose issues.

Why this answer

STRIDE includes Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. For Information Disclosure (e.g., in error messages), using generic error messages prevents leakage of sensitive details. For Tampering (e.g., data in transit), TLS encryption protects data integrity and confidentiality.

Logging credentials would be a security issue, not a mitigation. CSRF tokens prevent Cross-Site Request Forgery (a form of Tampering) but are not directly related to the threats described. Input validation helps prevent injection attacks (Tampering) but is less specific to the scenario.

3. MCQ, hard

A security engineer is evaluating a new third-party software component for use in a critical application. Which document is most important to review to understand the component's supply chain security?

A. End User License Agreement (EULA)
B. Service Level Agreement (SLA)
C. Data Processing Agreement (DPA)
D. Software Bill of Materials (SBOM)

Answer: D

SBOM provides transparency into the components used.

Why this answer

A Software Bill of Materials (SBOM) lists all components, libraries, and dependencies used in the software. It is essential for assessing supply chain risk and identifying known vulnerabilities.

4. MCQ, hard

A development team is using a third-party library that is known to have a critical vulnerability. The team decides to continue using the library because it is widely used and the vulnerability has not been exploited. Which security risk is the team ignoring?

A. Insecure deserialization
B. Insufficient logging and monitoring
C. Using components with known vulnerabilities
D. Security misconfiguration

Answer: C

This directly matches the scenario.

Why this answer

The team is ignoring the risk of using components with known vulnerabilities, which is explicitly listed in the OWASP Top 10 (A06:2021). Even if a vulnerability has not been exploited yet, continuing to use a library with a known CVE (e.g., a remote code execution flaw in an older version of Log4j) exposes the application to potential attacks once exploit code becomes public. The decision based on 'wide usage' and 'no exploitation so far' is a fallacy, as threat actors often target widely deployed libraries precisely because of their large attack surface.

Exam trap

The trap here is that candidates may think 'no exploitation yet' means the risk is acceptable, but CISSP tests the principle that known vulnerabilities must be remediated regardless of current exploit status, as threat actors will eventually weaponize them.

How to eliminate wrong answers

Option A is wrong because insecure deserialization refers to the lack of validation on serialized objects (e.g., Java deserialization of untrusted data leading to RCE), which is a different vulnerability class not directly related to using a library with a known flaw. Option B is wrong because insufficient logging and monitoring is a failure to detect and respond to security events (e.g., not logging failed authentication attempts), not the decision to use a vulnerable component. Option D is wrong because security misconfiguration involves improper setup of security controls (e.g., default credentials, open cloud storage buckets), not the conscious choice to retain a library with a published CVE.

5. MCQ, medium

A security analyst is reviewing the error handling of an application. The application currently displays detailed stack traces to users when an exception occurs. Which of the following is the best practice for error handling in production?

A. Display generic error messages to users and log detailed errors for admins
B. Display detailed errors to users for troubleshooting
C. Disable all error reporting to eliminate information leakage
D. Encrypt error messages before displaying to users

Answer: A

This prevents information leakage while retaining diagnostic data.

Why this answer

Detailed error messages can leak sensitive information. Production systems should show generic messages to users and log detailed errors for administrators.

6. MCQ, easy

During the requirements gathering phase of a software development project, which threat modeling methodology is most commonly used to identify threats such as spoofing, tampering, and elevation of privilege?

A. CVSS
B. STRIDE
C. OCTAVE
D. PASTA

Answer: B

STRIDE is the methodology that includes Spoofing, Tampering, and Elevation of Privilege as threat categories.

Why this answer

STRIDE is a threat modeling methodology developed by Microsoft that categorizes threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. During the requirements gathering phase, STRIDE is commonly used to systematically identify and classify potential security threats against each system component, making it the correct choice for identifying threats like spoofing, tampering, and elevation of privilege.

Exam trap

The trap here is that candidates often confuse CVSS (a scoring system) or OCTAVE (a risk assessment framework) with threat modeling methodologies, but the question specifically asks for the methodology most commonly used to identify threat types like spoofing and tampering, which is STRIDE.

How to eliminate wrong answers

Option A (CVSS) is wrong because CVSS (Common Vulnerability Scoring System) is a framework for scoring the severity of known vulnerabilities, not a threat modeling methodology used during requirements gathering to identify threats like spoofing or tampering. Option C (OCTAVE) is wrong because OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk assessment framework focused on organizational risk and strategic planning, not a lightweight threat modeling technique for identifying specific threat types during software development requirements. Option D (PASTA) is wrong because PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric threat modeling methodology that aligns business objectives with technical requirements, but it is not the most commonly used methodology for simply identifying threats like spoofing, tampering, and elevation of privilege during the requirements phase; STRIDE is more straightforward and widely adopted for that purpose.

7. Multi-Select, medium

A security engineer is evaluating a web application for common vulnerabilities. The application uses a Content Management System (CMS) that is outdated and has known vulnerabilities. Additionally, the application displays detailed error messages and uses default administrative credentials. Which TWO of the following OWASP Top 10 categories are most relevant to these issues?

Select 2 answers
A. Vulnerable and Outdated Components
B. Security Misconfiguration
C. Injection
D. Cryptographic Failures
E. Broken Access Control

Answers: A, B

Using outdated CMS with known vulnerabilities is a component risk.

Why this answer

A is correct because the outdated CMS with known vulnerabilities directly corresponds to OWASP A06:2021 – Vulnerable and Outdated Components. This category covers using software versions with unpatched security flaws, which attackers can exploit via public exploit databases or automated scanners.

Exam trap

Cisco often tests the distinction between 'Security Misconfiguration' and 'Broken Access Control' by presenting default credentials as a configuration issue rather than an authorization flaw, leading candidates to incorrectly select Broken Access Control.

8. MCQ, hard

A security architect is designing an authentication system. To prevent session fixation attacks, which secure design principle should be implemented?

A. Using HTTPS for all communications
B. Setting session timeout to 30 minutes
C. Implementing multi-factor authentication (MFA)
D. Regenerating session IDs after successful login

Answer: D

Regenerating the session ID invalidates any session ID set before authentication.

Why this answer

Session fixation attacks occur when an attacker forces a user to use a known session ID. Regenerating the session ID after successful login (e.g., via `session_regenerate_id()` in PHP or `HttpServletRequest.changeSessionId()` in Java) ensures that the pre-authentication session ID is discarded and a new, unpredictable one is issued, breaking the attacker's control.

Exam trap

The trap here is that candidates confuse session fixation with session hijacking or general secure transmission, leading them to choose HTTPS or MFA, which are important but do not directly counter the fixation mechanism.

How to eliminate wrong answers

Option A is wrong because HTTPS encrypts data in transit but does not prevent an attacker from fixing a session ID before login; it protects against eavesdropping, not session fixation. Option B is wrong because setting a session timeout limits the window of opportunity for an attacker to use a fixed session, but it does not invalidate the fixed session ID after authentication; the attacker can still reuse it within the timeout period. Option C is wrong because multi-factor authentication strengthens identity verification but does not address the core issue of an attacker controlling the session ID; the fixed session ID remains valid even with MFA.
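To make the regeneration step concrete, here is a minimal in-memory session store (an added example, not code from the question bank) that contrasts a login that keeps the pre-authentication ID with one that issues a fresh ID and discards the old one, as `session_regenerate_id()` and `changeSessionId()` do. The class and method names are invented for the demonstration.

```python
"""Added example (not from the question bank): why the session ID must be
regenerated at login. A fixation attacker only gains something if the ID they
planted before authentication still names an authenticated session afterwards."""
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def start(self) -> str:
        # Anonymous session, created when a visitor first reaches the site.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_without_regeneration(self, sid: str, user: str) -> str:
        # Vulnerable pattern: the pre-authentication ID is kept, so whoever knew
        # that ID before login now holds an authenticated session.
        self._sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login(self, sid: str, user: str) -> str:
        # Secure pattern: move the session data to a fresh, unpredictable ID and
        # drop the old one, so any ID planted before login stops working.
        data = self._sessions.pop(sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str):
        # The authenticated user for this ID, or None if unknown or anonymous.
        return self._sessions.get(sid, {}).get("user")
```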

9. MCQ, hard

A developer is implementing cryptographic storage for sensitive user data. Which of the following is a cryptographic best practice?

A. Using a static initialization vector (IV) for all encryption operations
B. Encrypting data with a hardcoded key in source code
C. Hashing passwords with MD5 for performance
D. Using AES-256 in Galois/Counter Mode (GCM) for authenticated encryption

Answer: D

AES-256-GCM provides strong encryption and authentication, a best practice.

Why this answer

Industry-standard algorithms like AES-256 and SHA-256 are recommended, while MD5 and SHA-1 are deprecated due to weaknesses. Authenticated encryption (e.g., GCM) provides both confidentiality and integrity.

10. MCQ, medium

During a security review of a web application, testers discover that the application discloses detailed error messages to users, including stack traces. Which secure coding best practice is being violated?

A. Input validation
B. Error handling
C. Secure logging
D. Output encoding

Answer: B

Proper error handling requires generic user-facing messages and detailed server-side logs.

Why this answer

Error handling best practices dictate that generic error messages should be shown to users, while detailed errors (e.g., stack traces) should be logged internally to avoid information disclosure.

11. MCQ, medium

During a security assessment, a penetration tester discovers that a web application exposes internal IP addresses in error messages. Which vulnerability category does this represent?

A. Broken access control
B. Sensitive data exposure
C. Security misconfiguration
D. Insecure deserialization

Answer: C

Verbose error messages are a configuration issue that should be disabled in production.

Why this answer

Exposing internal IP addresses in error messages is a classic example of a security misconfiguration (C). The web application is likely configured to output detailed error messages (e.g., stack traces or debug information) that include internal network details, which should be suppressed in production environments. This violates the principle of least information disclosure and is categorized under security misconfiguration because it stems from improper default or runtime settings.

Exam trap

The trap here is that candidates confuse the disclosure of internal IP addresses with 'sensitive data exposure' (B), but CISSP categorizes this under security misconfiguration because the root cause is a failure to properly configure error handling, not the inherent sensitivity of the data itself.

How to eliminate wrong answers

Option A is wrong because broken access control refers to failures in enforcing user permissions (e.g., accessing unauthorized resources via path traversal or privilege escalation), not the inadvertent disclosure of internal network information in error outputs. Option B is wrong because sensitive data exposure typically involves the exposure of protected data such as passwords, credit card numbers, or PII, whereas internal IP addresses are not classified as sensitive data under most regulatory frameworks (e.g., GDPR, PCI DSS) unless they reveal system architecture that could aid an attacker. Option D is wrong because insecure deserialization involves the manipulation of serialized objects to execute arbitrary code or bypass authentication, which is unrelated to the verbosity of error messages.

12. MCQ, medium

A security analyst is reviewing a web application and notices that it includes a feature that allows users to view their own profile by providing a user ID in the URL (e.g., /profile?userid=123). The application does not verify that the logged-in user owns that profile. Which vulnerability is present?

A. Security misconfiguration
B. Cross-site scripting (XSS)
C. Insecure direct object reference (IDOR)
D. Cross-site request forgery (CSRF)

Answer: C

The scenario describes direct access to objects without authorization checks.

Why this answer

Insecure Direct Object References (IDOR) occur when an application exposes direct references to internal objects (like user IDs) without proper access control checks. This allows an attacker to access other users' data by manipulating the ID.

13. MCQ, medium

A security team is reviewing a web application that allows users to search for products. The application uses a SQL database and constructs queries by concatenating user input directly into the SQL statement. Which of the following is the most effective mitigation against SQL injection attacks?

A. Using parameterized queries with prepared statements
B. Escaping all user input before concatenation
C. Input validation using a blacklist of known malicious patterns
D. Implementing a Web Application Firewall (WAF)

Answer: A

Parameterized queries separate SQL code from data, preventing injection.

Why this answer

Parameterized queries with prepared statements separate SQL logic from user input by sending the query structure to the database first, then binding input values as data parameters. This prevents the database from interpreting user input as executable SQL code, even if the input contains malicious characters. It is the only defense that completely eliminates the injection vector at the database interaction layer.

Exam trap

The trap here is that candidates often choose input validation or escaping because they seem proactive, but the CISSP exam emphasizes that parameterized queries are the only definitive defense against SQL injection at the code level, as they enforce separation of code and data by design.

How to eliminate wrong answers

Option B is wrong because escaping user input is error-prone and context-dependent; an attacker can bypass escaping if the escape function is not perfectly aligned with the database's character set or query context (e.g., using alternate encodings or second-order injection). Option C is wrong because blacklist-based input validation can be circumvented by obfuscation techniques (e.g., using hex, Unicode, or case variations) and fails to block novel or unknown attack patterns. Option D is wrong because a WAF operates at the network or application layer and can only detect known attack signatures; it cannot prevent injection if the underlying code still concatenates input, and it can be bypassed by encoding or timing attacks.

14. MCQ, easy

Which of the following is a secure coding practice to prevent SQL injection attacks?

A. Escaping all user input
B. Using parameterized queries
C. Using stored procedures exclusively
D. Validating input length

Answer: B

Parameterized queries separate SQL logic from data.

Why this answer

Parameterized queries (also known as prepared statements) separate SQL code from data by using placeholders (e.g., '?' in ODBC/JDBC or ':param' in Oracle) that are bound to user-supplied values at execution time. This ensures that input is always treated as data, never as executable SQL syntax, effectively neutralizing SQL injection regardless of the input content.

Exam trap

The trap here is that candidates often confuse 'stored procedures' with being inherently secure, but the CISSP exam tests that stored procedures can still be vulnerable if they use dynamic SQL with concatenated input, whereas parameterized queries (or prepared statements) are the definitive defense.

How to eliminate wrong answers

Option A is wrong because escaping all user input is error-prone and context-dependent; different database systems require different escape characters (e.g., backslash in MySQL vs. doubling single quotes in SQL Server), and incomplete or incorrect escaping can still allow injection. Option C is wrong because stored procedures alone do not prevent SQL injection if they contain dynamic SQL built with string concatenation (e.g., EXECUTE IMMEDIATE in Oracle or sp_executesql with concatenated parameters in SQL Server). Option D is wrong because validating input length only restricts the size of the input, not its content; an attacker can still inject malicious SQL within a valid length limit (e.g., a 10-character string like '1 OR 1=1').

15. MCQ, easy

A developer is implementing authentication for a new application. To protect against brute-force attacks, the developer decides to implement account lockout after a certain number of failed attempts. Which security principle does this control enforce?

A. Fail-secure
B. Strong authentication
C. Defense in depth
D. Least privilege

Answer: B

Account lockout strengthens authentication by limiting attack attempts.

Why this answer

Account lockout after failed attempts reduces the feasibility of brute-force attacks, enforcing strong authentication mechanisms.

16. MCQ, hard

A company is evaluating a third-party software library for use in their application. Which document provides a detailed inventory of the library's components and dependencies to help assess supply chain risk?

A. Service Level Agreement (SLA)
B. Data processing agreement
C. Vulnerability disclosure report
D. Software Bill of Materials (SBOM)

Answer: D

SBOM lists all components and dependencies for supply chain risk assessment.

Why this answer

A Software Bill of Materials (SBOM) lists all components and dependencies, aiding vulnerability management and supply chain security.

17. MCQ, easy

Which type of security testing involves analyzing source code for vulnerabilities without executing the code?

A. SAST
B. Penetration testing
C. IAST
D. DAST

Answer: A

SAST analyzes source code without execution, identifying vulnerabilities like injection flaws.

Why this answer

SAST (Static Application Security Testing) analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. It operates by scanning the codebase for patterns known to be insecure (e.g., SQL injection via string concatenation) using techniques like data flow analysis, taint tracking, and pattern matching, all performed at rest.

Exam trap

The trap here is that candidates confuse SAST with DAST because both are 'security testing' acronyms, but the key differentiator is that SAST analyzes code without execution (static), while DAST requires a running application (dynamic).

How to eliminate wrong answers

Option B is wrong because penetration testing is a dynamic, manual or automated process that tests a running application or system by simulating attacks, not by analyzing static source code. Option C is wrong because IAST (Interactive Application Security Testing) combines static and dynamic analysis by instrumenting the application and monitoring its behavior during runtime execution, not by analyzing code without execution. Option D is wrong because DAST (Dynamic Application Security Testing) tests an application while it is running, typically by sending malicious payloads and observing responses, which requires execution and does not involve source code analysis.

18. MCQ, hard

During a penetration test, a security analyst discovers that a web application allows an attacker to bypass authorization and view another user's private messages by simply changing a numeric ID in the URL. Which vulnerability is being exploited?

A. Broken authentication
B. Insecure direct object reference (IDOR)
C. Server-side request forgery (SSRF)
D. Security misconfiguration

Answer: B

IDOR allows direct access to objects without authorization.

Why this answer

B is correct because the vulnerability allows an attacker to access another user's private messages by simply changing a numeric ID in the URL, which is a classic example of Insecure Direct Object Reference (IDOR). This occurs when the application exposes a direct reference to an internal object (e.g., a database key) without proper access control checks, enabling unauthorized access to resources belonging to other users.

Exam trap

The trap here is that candidates confuse IDOR with broken authentication because both involve unauthorized access, but IDOR specifically targets direct object references without proper access controls, whereas broken authentication focuses on flaws in the authentication process itself.

How to eliminate wrong answers

Option A is wrong because broken authentication refers to flaws in session management, credential handling, or login mechanisms (e.g., weak password policies, session fixation), not the direct manipulation of object references in URLs. Option C is wrong because Server-Side Request Forgery (SSRF) involves an attacker inducing the server to make requests to internal or external resources, not directly accessing another user's data via a modified URL parameter. Option D is wrong because security misconfiguration covers issues like default credentials, unnecessary services, or verbose error messages, but does not specifically describe the lack of authorization checks on object references.

19. MCQ, easy

Which of the following is the primary purpose of output encoding in web application security?

A. Preventing buffer overflow attacks
B. Preventing cross-site request forgery (CSRF)
C. Preventing cross-site scripting (XSS) attacks
D. Preventing SQL injection attacks

Answer: C

Output encoding ensures user input is treated as data, not executable code.

Why this answer

Output encoding is the practice of converting special characters (e.g., <, >, &, ") into their corresponding HTML entities (e.g., &lt;, &gt;, &amp;, &quot;) before sending data to the browser. This ensures that any user-supplied data is treated as text, not executable code, thereby neutralizing injected scripts. It is the primary defense against stored, reflected, and DOM-based cross-site scripting (XSS) attacks because it breaks the parser's ability to interpret the data as active content.

Exam trap

The trap here is that candidates confuse output encoding with input validation or sanitization, mistakenly thinking it prevents SQL injection or CSRF, but output encoding only neutralizes XSS by ensuring data is rendered as text in the browser, not as executable code.

How to eliminate wrong answers

Option A is wrong because buffer overflow attacks are prevented by bounds checking, input validation, and safe memory functions (e.g., strncpy instead of strcpy), not by output encoding, which operates on output to browsers, not on memory buffers. Option B is wrong because CSRF is prevented by anti-CSRF tokens (e.g., synchronizer tokens or SameSite cookies), not by output encoding, which does not validate the origin or authenticity of requests. Option D is wrong because SQL injection is prevented by parameterized queries (prepared statements) or stored procedures, not by output encoding, which applies to HTML/JavaScript contexts, not to database query construction.
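The encoding described in question 19, and the context-aware encoding that question 27 asks about, as an added example (not code from the question bank): an untrusted comment is encoded differently depending on whether it lands in HTML body text, an attribute, or a JavaScript string, while the page template itself stays fixed. The function names are invented for the demonstration.

```python
"""Added example (not from the question bank): context-aware output encoding.
The same untrusted value needs a different encoder for each place it is written
into the page, because each context has its own parser."""
import html
import json


def encode_html(untrusted: str) -> str:
    # HTML body and quoted-attribute context: < > & " ' become entities, so the
    # HTML parser sees text and never a new tag or a closed attribute.
    return html.escape(untrusted, quote=True)


def encode_js_string(untrusted: str) -> str:
    # JavaScript string context: JSON encoding escapes quotes and backslashes;
    # '<' is additionally escaped so a '</script>' inside the value cannot
    # terminate the surrounding <script> block.
    return json.dumps(untrusted).replace("<", "\\u003c")


def render_comment(author: str, body: str) -> str:
    # Fixed template; only encoded values are interpolated, each with the
    # encoder that matches its context.
    return (
        f'<div class="comment" data-author="{encode_html(author)}">'
        f"<p>{encode_html(body)}</p>"
        f"<script>var lastAuthor = {encode_js_string(author)};</script>"
        "</div>"
    )
```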

20. Multi-Select, medium

A security engineer is hardening a web server before deploying a new application. Which TWO of the following are examples of security misconfiguration vulnerabilities that should be addressed?

Select 2 answers
A. Use of an outdated version of a JavaScript library with known vulnerabilities
B. Default administrator credentials remain unchanged
C. Verbose error messages reveal stack traces to users
D. Lack of CSRF tokens in forms
E. Weak password policy allowing short passwords

Answers: B, C

Default credentials are a classic security misconfiguration.

Why this answer

Default administrator credentials are a classic security misconfiguration because they represent a failure to change vendor-supplied defaults before deployment. Attackers can easily guess or look up these credentials (e.g., admin:admin) to gain unauthorized access to the web server's management interface. This is explicitly listed in the OWASP Top 10 as a security misconfiguration (A05:2021).

Exam trap

Cisco often tests the distinction between 'security misconfiguration' and other vulnerability types (e.g., using outdated libraries is a 'using components with known vulnerabilities' issue, not a misconfiguration), because candidates mistakenly classify all common weaknesses as misconfigurations.

21. Multi-Select, hard

A security team is performing a risk assessment on a legacy application that uses insecure deserialization. Which TWO of the following are recommended approaches to mitigate the risk of insecure deserialization?

Select 2 answers
A. Implementing integrity checks (e.g., digital signatures) on serialized objects
B. Encrypting the serialized data
C. Using allow lists for classes that can be deserialized
D. Using generic exception handling to catch errors
E. Logging all deserialization attempts

Answers: A, C

Ensures the object has not been tampered with.

Why this answer

Option A is correct because implementing integrity checks, such as digital signatures, ensures that serialized objects have not been tampered with during transit or storage. This prevents an attacker from modifying the serialized data to inject malicious objects, which is a primary vector for insecure deserialization attacks. By verifying the signature before deserialization, the application can reject any object that does not match the expected integrity hash.

Exam trap

The trap here is that candidates often confuse encryption with integrity protection, thinking that encrypting serialized data prevents tampering, but encryption alone does not provide authentication or integrity — an attacker can still modify ciphertext (bit-flipping attacks) unless combined with a MAC or digital signature.
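Both correct answers in one place, as an added example (not code from the question bank): an HMAC tag over the serialized bytes is checked in constant time before the bytes reach any parser, and after parsing only an allow list of field names and types is accepted. The key, field names and helper names are constructed for the demonstration; a real deployment would use a managed key (or a digital signature where the verifier must not hold the signing key).

```python
"""Added example (not from the question bank): integrity check before
deserialization plus an allow list after it. JSON is used as the serialization
format so the example needs no third-party package."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-do-not-reuse"  # constructed; load from a secrets store in practice
# Allow list: permitted field names and the type each must decode to.
ALLOWED_FIELDS = {"user_id": int, "role": str, "prefs": dict}


def serialize(obj: dict) -> bytes:
    # Canonical JSON, then HMAC-SHA256 over exactly those bytes: "<hex tag>.<body>".
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def deserialize(blob: bytes) -> dict:
    tag, sep, body = blob.partition(b".")
    if not sep:
        raise ValueError("malformed blob")
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    # Verify first, in constant time; untrusted bytes never reach the parser otherwise.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    obj = json.loads(body)
    if not isinstance(obj, dict):
        raise ValueError("top-level object must be a mapping")
    # Even a correctly signed object is held to the allow list: unknown fields
    # and unexpected types are rejected rather than silently accepted.
    for name, value in obj.items():
        if name not in ALLOWED_FIELDS:
            raise ValueError(f"field not allowed: {name}")
        if not isinstance(value, ALLOWED_FIELDS[name]):
            raise ValueError(f"field {name} has wrong type")
    return obj


def load_or_reject(blob: bytes):
    # Convenience wrapper: the object, or None when the blob is rejected.
    try:
        return deserialize(blob)
    except ValueError:
        return None


def tamper(blob: bytes, old: bytes, new: bytes) -> bytes:
    # Demonstration helper: edits the body without re-signing, which is all
    # someone without the key can do to a stored or in-transit object.
    return blob.replace(old, new)
```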

22. MCQ, medium

A development team is designing a new application and wants to ensure that if a failure occurs, the system remains secure by default. Which design principle should they apply?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Fail-secure

Answer: D

Fail-secure ensures the system defaults to a secure state on failure.

Why this answer

Fail-secure ensures that when a system fails, it defaults to a secure state (e.g., denying access) rather than an insecure one.

23. MCQ, medium

A security architect is reviewing a design for an e-commerce application. The architect recommends implementing defense in depth. Which of the following is an example of this principle?

A. Encrypting data at rest only
B. Implementing both a web application firewall (WAF) and input validation
C. Using a single firewall at the network perimeter
D. Requiring strong passwords for all users

Answer: B

Multiple layers (WAF and input validation) provide defense in depth against attacks.

Why this answer

Defense in depth uses multiple layers of security controls so that if one fails, others still provide protection.

24. MCQ, medium

A development team is implementing a web application that allows users to search for products. To prevent SQL injection attacks, which secure coding practice should be applied?

A. Input validation using a blacklist of SQL keywords
B. Parameterized queries with prepared statements
C. Output encoding of user input
D. Using stored procedures exclusively

Answer: B

Parameterized queries ensure user input is treated as data, preventing SQL injection.

Why this answer

Parameterized queries with prepared statements (Option B) are the definitive defense against SQL injection because they separate SQL logic from user-supplied data. The database engine compiles the query structure first, then binds input values as parameters, ensuring that malicious input cannot alter the intended SQL command. This approach is language-agnostic and works across all modern database interfaces (e.g., JDBC, PDO, ADO.NET).

Exam trap

The trap here is that candidates often treat stored procedures as a silver bullet for SQL injection, failing to realize that the security lies in how parameters are bound, not in the procedure container itself.

How to eliminate wrong answers

Option A is wrong because blacklisting SQL keywords is inherently incomplete and easily bypassed; attackers can use encoding, comments, or alternative syntax (e.g., CHAR(), CONCAT()) to evade the filter. Option C is wrong because output encoding (e.g., HTML entity encoding) is designed to prevent cross-site scripting (XSS), not SQL injection, which occurs at the database layer before output is rendered. Option D is wrong because stored procedures alone do not prevent SQL injection if dynamic SQL is constructed within the procedure; the protection comes only when parameters are used inside the stored procedure, not from the procedure itself.
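The product search that questions 13, 14 and 24 all describe, written both ways as an added example (not code from the question bank): the concatenated version lets a quote in the search term rewrite the query, while the parameterized version binds the same term as data. SQLite is used so it runs in memory; the table and rows are constructed for the demonstration.

```python
"""Added example (not from the question bank): string concatenation versus a
parameterized query against an in-memory SQLite database."""
import sqlite3

# Constructed catalogue; rows with hidden = 1 must never come back from a search.
PRODUCTS = [
    (1, "keyboard", 0),
    (2, "mouse", 0),
    (3, "internal-prototype", 1),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> list:
    # Vulnerable: the term becomes part of the SQL text, so a quote inside it
    # closes the literal and the rest of the term is parsed as SQL.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # Safe: the query structure is fixed before the value is supplied; the term
    # is bound as data and cannot change the statement, whatever it contains.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]
```

With the classic `x' OR '1'='1` term the concatenated query's WHERE clause becomes true for every row, including the hidden one; the parameterized query simply finds no product with that literal name.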

25
MCQhard

A development team is implementing cryptographic functions for a new application. They need to store passwords securely. Which of the following is the most appropriate approach?

A.Use a key derivation function (e.g., bcrypt) with a per-user salt
B.Encrypt passwords using AES-256 with a static key
C.Store passwords in plaintext but in a protected database
D.Hash passwords with SHA-256 without salt
AnswerA

Bcrypt with salt is resistant to brute-force and rainbow table attacks.

Why this answer

Passwords should be salted and hashed using a strong, slow hash function like bcrypt, scrypt, or PBKDF2. Salting prevents rainbow table attacks.

26
Multi-Selectmedium

A security architect is reviewing a web application's design and identifies several potential vulnerabilities. Which TWO of the following are effective mitigations for cross-site scripting (XSS) attacks?

Select 2 answers
A.Enabling Content Security Policy (CSP)
B.Using CSRF tokens
C.Disabling client-side scripts entirely
D.Implementing parameterized queries
E.Using output encoding
AnswersA, E

CSP restricts script execution sources.

Why this answer

Output encoding ensures user input is treated as data, and Content Security Policy (CSP) restricts the sources from which scripts may execute. Input validation (preferably allowlist-based) helps but is not sufficient on its own; output encoding and CSP are the primary defenses.

27
MCQhard

A development team is fixing a stored cross-site scripting (XSS) vulnerability in a web application that displays user comments. The application stores comments in a database and renders them in HTML. Which of the following is the most secure approach to prevent XSS?

A.Use Content Security Policy (CSP) headers to restrict script execution
B.Sanitize input by removing all HTML tags before storing
C.Apply output encoding based on the context (e.g., HTML entity encoding)
D.Store comments in a separate domain to isolate them
AnswerC

Context-aware encoding prevents script execution.

Why this answer

Output encoding (C) is the most secure approach because it neutralizes malicious scripts at the point of rendering, ensuring that user-controlled data is treated as text rather than executable code. For HTML contexts, HTML entity encoding (e.g., `&lt;script&gt;`) prevents the browser from interpreting injected tags, regardless of how the data was stored. This aligns with the defense-in-depth principle and is the primary mitigation for stored XSS as recommended by OWASP.

Exam trap

Cisco often tests the misconception that input sanitization (removing tags) is the best approach, but the CISSP emphasizes that output encoding is the definitive control because it works regardless of how data enters the system and preserves data integrity for legitimate use.

How to eliminate wrong answers

Option A is wrong because CSP is a defense-in-depth layer that can restrict script execution, but it does not fix the root cause: the malicious data remains in the database and could still be exploited if CSP is misconfigured or bypassed (e.g., via JSONP or older browser versions). Option B is wrong because removing all HTML tags before storing destroys legitimate formatting (e.g., bold, lists) and is overly restrictive; a more nuanced sanitization (e.g., allowlist-based) is possible, but output encoding is still needed as a final safeguard. Option D is wrong because storing comments on a separate domain does not prevent XSS; the comments are still rendered in the original application's HTML context, and the same-origin policy does not block script execution from injected content.

28
MCQhard

An organization is migrating to a new application that uses serialized objects to transfer data between services. The security team is concerned about insecure deserialization attacks. Which of the following controls is most effective in preventing deserialization vulnerabilities?

A.Applying cryptographic integrity checks (e.g., HMAC) to serialized objects
B.Implementing input validation on deserialized data
C.Using an allowlist of classes allowed to be deserialized
D.Running deserialization in a sandboxed environment
AnswerA

Integrity checks verify that the data hasn't been altered.

Why this answer

Integrity checks (e.g., digital signatures) ensure that serialized data has not been tampered with, preventing malicious objects from being deserialized.

29
MCQeasy

What is the primary purpose of a Web Application Firewall (WAF) in a deployment environment?

A.Encrypting all web traffic
B.Filtering malicious HTTP traffic
C.Managing user authentication
D.Performing vulnerability scanning
AnswerB

WAF inspects and blocks malicious requests.

Why this answer

A WAF filters, monitors, and blocks HTTP traffic to and from a web application. It helps protect against common web attacks like SQL injection, XSS, and CSRF by analyzing traffic at the application layer.

30
MCQmedium

During a threat modeling session for a new online banking application, the team uses the STRIDE methodology. Which threat category addresses the risk of an attacker modifying transaction data in transit?

A.Information Disclosure
B.Tampering
C.Elevation of Privilege
D.Spoofing
AnswerB

Tampering involves unauthorized alteration of data.

Why this answer

Tampering refers to the malicious modification of data. STRIDE's 'T' stands for Tampering.

31
MCQhard

During a vulnerability assessment, a security analyst discovers that a web application uses a library known to be vulnerable to Log4Shell (CVE-2021-44228). Which type of vulnerability does this represent?

A.Server-side request forgery (SSRF)
B.Vulnerable components
C.Insecure deserialization
D.Security misconfiguration
AnswerB

Log4Shell is a vulnerability in a third-party component (Log4j).

Why this answer

Log4Shell is a remote code execution vulnerability in the Log4j library, an example of using vulnerable components (third-party libraries with known vulnerabilities).

32
MCQeasy

Which of the following is an example of an Insecure Direct Object Reference (IDOR) vulnerability?

A.An attacker intercepts session cookies to impersonate a user
B.An attacker uses a SQL injection to retrieve data from the database
C.An attacker submits a cross-site request forgery (CSRF) token to perform actions
D.An attacker changes the user ID parameter in a URL to view another user's profile
AnswerD

This is classic IDOR: modifying a direct object reference (user ID) to access unauthorized data.

Why this answer

IDOR occurs when an application exposes a direct reference to an internal object (e.g., database key) and does not verify the user's authorization to access that object.

33
Multi-Selecthard

An organization is acquiring a third-party software product. Which THREE of the following should be included in the security assessment of the vendor?

Select 3 answers
A.Vulnerability scanning of dependencies
B.Reviewing the Software Bill of Materials (SBOM)
C.Verifying software license compliance
D.Performing a vendor security assessment
E.Ensuring code signing is used in the vendor's development process
AnswersA, B, D

Scanning identifies known vulnerabilities in libraries.

Why this answer

Reviewing the SBOM, vulnerability scanning of dependencies, and vendor security assessments are key elements of third-party security evaluation. Code signing is a deployment control, not an assessment activity; license compliance is a legal concern, not a security-specific one.

34
MCQmedium

During the requirements gathering phase of a secure SDLC, the team uses a threat modeling approach that focuses on identifying threats such as spoofing, tampering, and denial of service. Which threat modeling methodology is being employed?

A.PASTA
B.Trike
C.STRIDE
D.OCTAVE
AnswerC

STRIDE directly maps to the threats mentioned.

Why this answer

STRIDE is a threat modeling framework developed by Microsoft that categorizes threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

35
MCQeasy

A security architect is designing a system that must continue to function even when a component fails. The architect implements multiple layers of security controls so that if one fails, others still provide protection. Which principle is being applied?

A.Separation of duties
B.Defense in depth
C.Fail-secure
D.Least privilege
AnswerB

Defense in depth uses multiple overlapping controls.

Why this answer

Defense in depth (B) is the correct principle because it involves implementing multiple layers of security controls (e.g., firewalls, intrusion detection systems, encryption, access controls) so that if one layer fails or is bypassed, other layers continue to provide protection, ensuring the system remains functional. This directly matches the scenario where the architect designs for continued operation despite component failure by layering controls.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'fail-secure' because both involve planning for failure, but fail-secure prioritizes security over availability (e.g., locking down on failure) whereas defense in depth prioritizes continued operation through redundancy of controls.

How to eliminate wrong answers

Option A is wrong because separation of duties is a principle that prevents fraud or error by requiring multiple individuals to complete a sensitive task (e.g., one person authorizes, another executes), not by layering controls for resilience. Option C is wrong because fail-secure means that when a component fails, the system defaults to a secure state (e.g., locking all doors on power loss), which may actually halt functionality rather than ensure continued operation. Option D is wrong because least privilege restricts users or processes to only the minimum permissions needed to perform their tasks, which is an access control principle unrelated to maintaining function during component failures.

36
Multi-Selectmedium

During a code review, a developer identifies that the application uses a custom encryption algorithm for storing sensitive data. Which THREE of the following are secure cryptographic practices that should be recommended instead?

Select 3 answers
A.Using industry-standard algorithms (e.g., AES-256)
B.Implementing proper key management practices
C.Using authenticated encryption (e.g., AES-GCM)
D.Hashing the data with MD5 for faster performance
E.Using a static IV for simplicity
AnswersA, B, C

Standard algorithms have been vetted by the security community.

Why this answer

Option A is correct because using industry-standard algorithms like AES-256 ensures the encryption is based on publicly vetted, mathematically robust ciphers that have undergone extensive cryptanalysis. Custom encryption algorithms are highly risky as they lack peer review and often contain subtle flaws that can be exploited, whereas AES-256 is a NIST-approved symmetric block cipher with a 256-bit key size that provides strong confidentiality for sensitive data.

Exam trap

The trap here is that candidates may think 'any encryption is better than none' or that 'hashing is a form of encryption,' but the CISSP exam emphasizes that custom algorithms and broken hashes like MD5 are never acceptable for protecting sensitive data, and that proper cryptographic practices require standards, key management, and authenticated modes.

37
Multi-Selecteasy

A security analyst is reviewing the authentication mechanism of a web application. Which TWO of the following are examples of broken authentication vulnerabilities?

Select 2 answers
A.Insecure direct object reference in profile URLs
B.Verbose error messages disclosing user IDs
C.Lack of multi-factor authentication for sensitive actions
D.Session timeout set to 60 minutes
E.Allowing weak passwords without complexity requirements
AnswersC, E

MFA adds an extra layer of security.

Why this answer

Allowing weak passwords (e.g., 'password123') and not having multi-factor authentication (MFA) are broken authentication issues. Session timeout is a security control, not a vulnerability. Verbose error messages are a misconfiguration, and IDOR is an access control issue.

38
Multi-Selectmedium

A security analyst is reviewing a web application that handles financial transactions. Which TWO of the following are effective controls against Cross-Site Request Forgery (CSRF)?

Select 2 answers
A.Setting cookies with the SameSite attribute to Strict
B.Using anti-CSRF tokens in forms
C.Using HTTPS for all pages
D.Enforcing strong password policies
E.Implementing input validation on all user inputs
AnswersA, B

SameSite=Strict prevents cookies from being sent in cross-site requests, mitigating CSRF.

Why this answer

CSRF tokens are unique per request and validate the source, while SameSite cookies restrict cookie sending to same-site requests.

39
MCQmedium

A security team is reviewing a newly acquired third-party software component. They want to ensure that the component's supply chain is secure and that known vulnerabilities are identified. Which of the following tools provides a list of all open-source and third-party components used in the software?

A.Vulnerability scanner
B.Static Application Security Testing (SAST)
C.Dynamic Application Security Testing (DAST)
D.Software Bill of Materials (SBOM)
AnswerD

SBOM lists components and dependencies.

Why this answer

A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of components used in building software.

40
MCQeasy

A software development team is adopting secure coding practices. They decide to implement input validation for all user-supplied data. Which approach is recommended as the most effective for preventing injection attacks?

A.Encoding input before processing
B.Using regular expressions to sanitize input
C.Blacklist validation to block known malicious patterns
D.Whitelist validation to allow only known good patterns
AnswerD

Whitelisting ensures only expected input is accepted.

Why this answer

Whitelist (allowlist) validation defines acceptable input patterns and rejects everything else, which is more effective than trying to block malicious patterns.

41
Multi-Selectmedium

An organization is planning to acquire a new SaaS application for customer relationship management. Which THREE of the following should be included in the vendor security assessment?

Select 3 answers
A.Checking license compliance for open source components
B.Reviewing the vendor's security certifications (e.g., SOC 2, ISO 27001)
C.Requesting a Software Bill of Materials (SBOM)
D.Assessing the vendor's incident response process
E.Requiring employee security training records
AnswersB, C, D

Provides assurance of security controls.

Why this answer

Reviewing the vendor's security certifications (e.g., SOC 2), assessing their incident response process, and requesting a Software Bill of Materials (SBOM) are key steps. License compliance is important but not directly a security matter, and employee training is internal to the vendor and less critical than the other items.

42
MCQmedium

A web application exposes an API that allows users to fetch data from internal network resources based on a URL parameter. An attacker discovers they can use this API to access internal servers that are not meant to be public. Which vulnerability is being exploited?

A.Insecure direct object reference (IDOR)
B.Remote code execution (RCE)
C.Cross-site request forgery (CSRF)
D.Server-side request forgery (SSRF)
AnswerD

SSRF exploits the server's ability to make requests to internal systems.

Why this answer

SSRF allows an attacker to induce the server to make requests to internal or external resources, bypassing firewalls and access controls.

43
MCQmedium

An application authenticates users using session tokens. A security analyst finds that the application does not invalidate session tokens after logout, allowing session fixation attacks. Which secure coding practice should be implemented to mitigate this?

A.Using short session timeouts
B.Setting the secure flag on cookies
C.Regenerating session ID after successful login
D.Implementing HTTPS for all communications
AnswerC

Regenerating the session ID prevents fixation by ensuring the attacker's pre-chosen session ID is not used for the authenticated session.

Why this answer

Proper session management includes invalidating session tokens on logout and generating new tokens after authentication to prevent fixation.

44
Multi-Selectmedium

During a security audit of a web application, the following issues are found: (1) Session tokens are included in URLs, (2) The application does not invalidate session tokens after logout, and (3) Session tokens are predictable. Which THREE of the following controls are most appropriate to address these issues?

Select 4 answers
A.Regenerate session tokens after login
B.Store session tokens in cookies with Secure and HttpOnly flags
C.Invalidate session tokens on logout and set short expiration times
D.Use a cryptographically secure random number generator for token generation
E.Implement IP address binding for session tokens
AnswersA, B, C, D

Regeneration prevents session fixation attacks.

Why this answer

Option A is correct because regenerating session tokens after login prevents session fixation attacks, where an attacker forces a known session ID on a user before authentication. This ensures that the session identifier used post-login is not the same as the one used pre-login, mitigating the risk of an attacker hijacking the authenticated session. This control directly addresses the issue of predictable session tokens by ensuring a fresh, unpredictable token is issued upon authentication.

Exam trap

Cisco often tests the misconception that IP binding is a strong session management control, but in reality it is fragile and not a primary defense against session token exposure, predictability, or improper invalidation.

45
Multi-Selecthard

A security team is planning to integrate security testing into the software development lifecycle. They want to identify vulnerabilities early and often. Which TWO of the following testing methods should be implemented during the development phase (before deployment) to catch code-level vulnerabilities?

Select 2 answers
A.Interactive Application Security Testing (IAST)
B.Penetration testing
C.Vulnerability scanning
D.Static Application Security Testing (SAST)
E.Dynamic Application Security Testing (DAST)
AnswersA, D

IAST instruments the application and provides real-time analysis during testing.

Why this answer

SAST (Static Application Security Testing) analyzes source code for vulnerabilities without executing it. IAST (Interactive Application Security Testing) combines SAST and DAST by instrumenting the application and analyzing runtime behavior. Both are suitable for the development phase.

DAST requires a running application, and penetration testing is usually done later.

46
MCQmedium

A security team is conducting a penetration test on a web application. They identify that the application is vulnerable to reflected cross-site scripting (XSS). Which of the following is the most effective mitigation?

A.Using HTTPS to encrypt traffic
B.Implementing a Content Security Policy (CSP) with strict directives
C.Validating input against a whitelist of allowed characters
D.Encoding all user-supplied data before reflecting it in the response
AnswerD

Output encoding (e.g., HTML encoding) is the primary defense against reflected XSS.

Why this answer

Option D is correct because reflecting user-supplied data without proper encoding allows an attacker to inject arbitrary HTML/JavaScript that executes in the victim's browser. Output encoding (e.g., HTML entity encoding, which turns `<script>` into `&lt;script&gt;`) neutralizes the injected script by treating it as data rather than executable code. This directly addresses the root cause of reflected XSS: the failure to separate user input from executable content in the response.

Exam trap

The trap here is that candidates often confuse input validation (Option C) with output encoding, but the CISSP emphasizes that output encoding is the definitive control for injection flaws because it ensures data is treated as data regardless of input validation failures.

How to eliminate wrong answers

Option A is wrong because HTTPS encrypts data in transit but does not prevent the server from reflecting malicious input in the response; the XSS payload still executes in the browser after decryption. Option B is wrong because, while CSP can mitigate XSS by restricting script sources, it is a defense-in-depth control and not the most effective primary mitigation; it can be bypassed if the application reflects user input into inline script contexts or if CSP is misconfigured (e.g., using 'unsafe-inline'). Option C is wrong because allowlist input validation is a useful first line of defense but does not guarantee safety when data is reflected; an attacker may bypass the allowlist or inject via other input channels, so output encoding is required regardless of input validation.
