
Software Development Security practice questions

Practise Certified Information Systems Security Professional (CISSP) Software Development Security questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Software Development Security

What the exam tests

What to know about Software Development Security

Software Development Security questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Software Development Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Software Development Security questions

20 questions · select your answer, then reveal the explanation

A security team is reviewing a web application that allows users to search for products. The application uses a SQL database and constructs queries by concatenating user input directly into the SQL statement. Which of the following is the most effective mitigation against SQL injection attacks?

During a threat modeling session for a new online banking application, the team uses the STRIDE methodology. Which threat category addresses the risk of an attacker modifying transaction data in transit?

A development team is fixing a stored cross-site scripting (XSS) vulnerability in a web application that displays user comments. The application stores comments in a database and renders them in HTML. Which of the following is the most secure approach to prevent XSS?
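The scenario above turns on the difference between filtering input and encoding output. The following is an added illustration written for this page, not code from the original question set: it renders constructed sample comments (hypothetical content) into an assumed wrapper element, first with a blacklist filter of the kind teams often try, then with contextual output encoding from Python's standard library.

```python
import html

# Wrapper the application is assumed to render each comment into (hypothetical).
TEMPLATE = '<div class="comment">{body}</div>'

# Constructed stored comments, including ones an attacker might have posted.
SAMPLE_COMMENTS = [
    "<script>alert(1)</script>",
    "<ScRiPt>alert(1)</sCrIpT>",
    '<img src=x onerror="alert(1)">',
    "Nice product! 5/5 <3",
]


def render_blacklist(comment):
    """What teams often try first: strip one known-bad tag. A change of
    case, or any other element carrying an event handler, passes through."""
    cleaned = comment.replace("<script>", "").replace("</script>", "")
    return TEMPLATE.format(body=cleaned)


def render_encoded(comment):
    """Contextual output encoding for the HTML body: every character that
    can open markup becomes an entity, so the browser displays text only."""
    return TEMPLATE.format(body=html.escape(comment, quote=True))


def body_is_text_only(rendered):
    """True when nothing inside the wrapper can be parsed as a tag."""
    inner = rendered[len('<div class="comment">'):-len("</div>")]
    return "<" not in inner


if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print(repr(comment))
        print("  blacklist safe:", body_is_text_only(render_blacklist(comment)))
        print("  encoded   safe:", body_is_text_only(render_encoded(comment)))
```

Two caveats a practitioner would add: html.escape is the right primitive only for the HTML body and quoted attribute contexts (a comment placed inside a JavaScript string, a URL or a CSS value needs that context's encoding), and in a real application the encoding should come from a templating engine with auto-escaping turned on rather than from hand-placed calls. If the product genuinely needs rich text, the comment must be passed through an HTML sanitiser that keeps an allow-list of tags and attributes; a denylist such as the one above is not a control.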

A security architect is designing a system in which no single security control is relied on by itself. The architect layers multiple controls so that if one fails or is bypassed, others still provide protection. Which principle is being applied?

During a penetration test, a security analyst discovers that a web application allows an attacker to bypass authorization and view another user's private messages by simply changing a numeric ID in the URL. Which vulnerability is being exploited?

A software development team is adopting secure coding practices. They decide to implement input validation for all user-supplied data. Which approach is recommended as the most effective for preventing injection attacks?

A security team is reviewing a newly acquired third-party software component. They want to ensure that the component's supply chain is secure and that known vulnerabilities are identified. Which of the following tools provides a list of all open-source and third-party components used in the software?

A developer is implementing authentication for a new application. To protect against brute-force attacks, the developer decides to implement account lockout after a certain number of failed attempts. Which security principle does this control enforce?

An organization is migrating to a new application that uses serialized objects to transfer data between services. The security team is concerned about insecure deserialization attacks. Which of the following controls is most effective in preventing deserialization vulnerabilities?

A web application exposes an API that allows users to fetch data from internal network resources based on a URL parameter. An attacker discovers they can use this API to access internal servers that are not meant to be public. Which vulnerability is being exploited?
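For the URL-fetching API in the scenario above, the control a reviewer expects is positive validation of the destination before any request is made. The block below is an added example for this page, not code from the original question set. It assumes a hypothetical policy (an allow-list of two hostnames over HTTPS only) and uses only the Python standard library; the URLs in the usage are constructed test inputs.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy for the example: only these hosts, only over https.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_non_public_ip(host):
    """True if host is an IP literal outside the public ranges: loopback,
    RFC 1918, link-local (which includes 169.254.169.254 cloud metadata
    endpoints) and similar. Hostnames return False because they are not IPs."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not ip.is_global


def fetch_decision(url):
    """Return 'ok' or the reason the fetch must be refused."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "refused: scheme"
    # .hostname is lower-cased with port, userinfo and IPv6 brackets removed
    host = parts.hostname
    if not host:
        return "refused: no host"
    if is_non_public_ip(host):
        return "refused: non-public address"
    if host not in ALLOWED_HOSTS:
        return "refused: host not in allow-list"
    return "ok"


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/items",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::1]/admin",
        "https://2130706433/",      # decimal form of 127.0.0.1
        "file:///etc/passwd",
    ]:
        print(candidate, "->", fetch_decision(candidate))
```

The decimal-IP case shows why the allow-list does the real work: ipaddress does not recognise "2130706433" as an address, so a deny-list of private ranges alone would let it through, while the allow-list still refuses it. The check is on the URL string only; for it to hold, the allow-listed names must resolve to addresses you control, the HTTP client must not follow redirects (or must re-run this decision on each hop), and egress from the application host should also be restricted at the network layer.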

A security analyst is reviewing the error handling of an application. The application currently displays detailed stack traces to users when an exception occurs. Which of the following is the best practice for error handling in production?

A development team is implementing cryptographic functions for a new application. They need to store passwords securely. Which of the following is the most appropriate approach?
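The password-storage scenario above is usually answered in one line ("salted, slow hash"), but the details are where implementations go wrong. The block below is an added example written for this page, not code from the original question set. It uses PBKDF2-HMAC-SHA256 because it is in the Python standard library; where a library offering Argon2id, scrypt or bcrypt is available those are the usual first choice. The iteration count is an assumed value for illustration, and the passwords are constructed inputs.

```python
import base64
import hashlib
import hmac
import os

# Work factor assumed for the example; raise it as hardware allows.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def weak_hash(password):
    """What not to do: an unsalted, fast hash. Equal passwords produce equal
    hashes, and precomputed tables crack it offline."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Per-user random salt plus an iterated hash. The stored string is
    self-describing so the work factor can be raised later without
    breaking existing records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant
    time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    if algo != ALGO:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record was created with a weaker work factor; rehash it
    on the next successful login, when the plaintext is available."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print("verify right:", verify_password("correct horse", record))
    print("verify wrong:", verify_password("wrong", record))
    print("same md5 for same password:", weak_hash("pw") == weak_hash("pw"))
```

Note the two properties the test checks that a reviewer should look for in any implementation: hashing the same password twice yields different records (the salt is doing its job), and a record with a lower iteration count still verifies but is flagged for upgrade, so the work factor can be migrated without a forced reset.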

A security engineer is evaluating a web application for common vulnerabilities. The application uses a Content Management System (CMS) that is outdated and has known vulnerabilities. Additionally, the application displays detailed error messages and uses default administrative credentials. Which TWO of the following OWASP Top 10 categories are most relevant to these issues?

During a security audit of a web application, the following issues are found: (1) Session tokens are included in URLs, (2) The application does not invalidate session tokens after logout, and (3) Session tokens are predictable. Which THREE of the following controls are most appropriate to address these issues?
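The three findings in the scenario above map onto three concrete design decisions: how the token is generated, where it travels, and whether the server forgets it on logout. The block below is an added example for this page, not code from the original question set. It is a minimal in-memory session store with hypothetical names; the timestamps and user identifiers in the usage are constructed inputs.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, idle_timeout=1800):
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout

    def create(self, user_id, now=None):
        # 32 bytes from the OS CSPRNG (about 43 URL-safe characters).
        # Nothing is derived from time, a counter or the user id, so one
        # token gives no information about the next.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user_id,
            "last_seen": now if now is not None else time.time(),
        }
        return token

    def lookup(self, token, now=None):
        """Return the user for a live session, or None. Idle sessions are
        removed so the token cannot be revived later."""
        now = now if now is not None else time.time()
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, token, now=None):
        """Issue a fresh token for the same user (for example right after
        authentication) and retire the old one."""
        user = self.lookup(token, now)
        if user is None:
            return None
        self.destroy(token)
        return self.create(user, now)

    def destroy(self, token):
        """Logout: invalidate server-side so a replayed token is rejected,
        regardless of what the browser still holds."""
        return self._sessions.pop(token, None) is not None


def set_cookie_header(token):
    """Carry the token in a cookie, never in the URL, so it does not end up
    in server logs, Referer headers, proxies or browser history."""
    return "Set-Cookie: sid=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % token


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    sid = store.create("alice", now=1000.0)
    print(set_cookie_header(sid))
    print("active:", store.lookup(sid, now=1010.0))
    store.destroy(sid)
    print("after logout:", store.lookup(sid, now=1011.0))
```

A store like this also makes the logout finding testable: after destroy, a lookup with the old token must return None even though the token string itself is unchanged. The rotate method is the related fixation defence that audits of this kind usually ask for next.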

A security team is planning to integrate security testing into the software development lifecycle. They want to identify vulnerabilities early and often. Which TWO of the following testing methods should be implemented during the development phase (before deployment) to catch code-level vulnerabilities?

During the requirements gathering phase of a software development project, which threat modeling methodology is most commonly used to identify threats such as spoofing, tampering, and elevation of privilege?

A development team is implementing a web application that allows users to search for products. To prevent SQL injection attacks, which secure coding practice should be applied?
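Both SQL injection scenarios on this page (the first question and the one above), together with the input-validation question, come down to the same two rules: bind values as parameters, and allow-list anything that cannot be bound. The block below is an added example for this page, not code from the original question set. It runs against a constructed in-memory SQLite table with hypothetical product names and shows the concatenated query beside the parameterised one, plus an allow-listed ORDER BY column as the case parameters cannot cover.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: an in-memory products table
    (hypothetical names, not taken from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, unreleased INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "laptop", 0), (2, "phone", 0), (3, "unreleased tablet", 1)],
    )
    return conn


def search_concat(conn, term):
    """Vulnerable: user input is spliced into the SQL text, so the database
    parses whatever the user typed as part of the statement."""
    sql = ("SELECT name FROM products WHERE unreleased = 0 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Fixed: the statement text is constant and the value is bound as a
    parameter, so it can only ever be compared as data."""
    sql = "SELECT name FROM products WHERE unreleased = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Identifiers such as ORDER BY columns cannot be bound as parameters, so
# positive (allow-list) validation is the control for those.
ALLOWED_SORT = {"id", "name"}


def search_sorted(conn, term, sort_by):
    if sort_by not in ALLOWED_SORT:
        raise ValueError("unsupported sort column: %r" % sort_by)
    sql = ("SELECT name FROM products WHERE unreleased = 0 "
           "AND name LIKE ? ORDER BY " + sort_by)
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed attack input: closes the LIKE pattern and appends a tautology.
    payload = "%' OR 1=1 OR name LIKE '%"
    print("concatenated:", search_concat(conn, payload))  # unreleased row leaks
    print("parameterized:", search_param(conn, payload))  # [] (treated as text)
    print("sorted:", search_sorted(conn, "p", "name"))
```

Run as written, the concatenated search returns the unreleased row because the payload became part of the WHERE clause, while the parameterised search returns nothing because the same payload was compared as a literal string. The ORDER BY helper is the part exam answers tend to skip: "use parameterised queries" is necessary but not sufficient when column names, table names or sort directions come from the client.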

A security architect is reviewing a design for an e-commerce application. The architect recommends implementing defense in depth. Which of the following is an example of this principle?

Which type of security testing involves analyzing source code for vulnerabilities without executing the code?

A company is evaluating a third-party software library for use in their application. Which document provides a detailed inventory of the library's components and dependencies to help assess supply chain risk?


Frequently asked questions

What does the CISSP exam test about Software Development Security?
Software Development Security questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Software Development Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Software Development Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.