CCNA Software Dev Security Questions

59 questions · Software Dev Security topic · All types, answers revealed

1
Multi-Select · medium

A security analyst is evaluating a web application firewall (WAF). Which TWO features are most critical for preventing common web attacks?

Select 2 answers
A. Virtual patching.
B. Signature-based detection.
C. SSL inspection.
D. Rate limiting.
E. Behavioral analysis.
Answers: B, E

Detects known attack signatures like SQL injection patterns.

Why this answer

Signature-based detection catches known attack patterns; behavioral analysis identifies anomalies and unknown attacks. SSL inspection is for decryption, not prevention. Rate limiting is for availability.

Virtual patching is a specific technique that is less critical than core detection engines.

2
MCQ · hard

A financial services company uses a custom web application for online banking. The application is developed in-house in Java and deployed on Apache Tomcat servers. The security team recently discovered that the application is vulnerable to a critical remote code execution (RCE) vulnerability caused by insecure deserialization of untrusted data in a module that processes session objects. The development team has been assigned to fix this issue and proposes the four options below. The application must maintain high availability and minimal latency. Which option provides the MOST effective and sustainable remediation?

A. Replace Java serialization with JSON serialization using a library like Jackson, and configure it to disallow polymorphic deserialization by default.
B. Use a Web Application Firewall (WAF) to block requests containing known deserialization payloads.
C. Implement a custom deserialization filter using ObjectInputFilter to whitelist only expected classes.
D. Encrypt all serialized objects using AES-256 before sending them to the client.
Answer: A

This eliminates the insecure deserialization vector by using a safer serialization format and disabling dangerous features.

Why this answer

Option A is correct because replacing Java serialization with JSON serialization (e.g., Jackson) and disabling polymorphic deserialization eliminates the root cause of insecure deserialization—Java's native serialization mechanism that automatically executes arbitrary code when deserializing untrusted data. JSON serialization with strict type handling prevents the attacker from injecting malicious objects, providing a sustainable fix without relying on fragile blacklists or encryption that doesn't address the vulnerability.

Exam trap

The trap here is that candidates often choose encryption (Option D) thinking it secures the data in transit, but encryption does not address the deserialization logic flaw—the vulnerability remains after decryption, and the attacker can still trigger RCE if they control the serialized stream.

How to eliminate wrong answers

Option B is wrong because a WAF can only block known payload patterns, but deserialization attacks can be obfuscated or use novel gadgets, making it an incomplete and unsustainable defense that fails against zero-day exploits. Option C is wrong because while ObjectInputFilter can whitelist classes, it is a Java-specific filter that can be bypassed if not perfectly configured (e.g., via nested objects or reflection), and it still relies on the insecure Java serialization protocol, which is inherently risky. Option D is wrong because encrypting serialized objects does not prevent the deserialization vulnerability; if the attacker obtains the decryption key or the encrypted data is decrypted server-side, the malicious payload will still be executed upon deserialization.

3
MCQ · easy

A development team is adopting a secure SDLC. Which phase should include threat modeling to identify potential security vulnerabilities early?

A. Implementation
B. Design
C. Testing
D. Requirements gathering
Answer: B

Threat modeling is a design-time activity that helps identify and address security threats before implementation.

Why this answer

Threat modeling is a structured activity that identifies potential threats, vulnerabilities, and attack vectors against a system. It is most effective during the Design phase because architectural decisions, data flow diagrams, trust boundaries, and component interactions are being defined, allowing security controls to be built in rather than bolted on later. Performing threat modeling here aligns with the 'shift left' principle of secure SDLC, reducing cost and effort compared to retrofitting security after implementation.

Exam trap

The trap here is that candidates confuse 'Requirements gathering' (where high-level security goals are set) with 'Design' (where concrete architectural decisions enable actionable threat modeling), leading them to pick D instead of B.

How to eliminate wrong answers

Option A is wrong because Implementation focuses on writing code; threat modeling at this stage is too late to influence architecture and would require costly rework to fix design-level flaws. Option C is wrong because Testing occurs after code is built; while security testing can validate threats, it cannot prevent design flaws from being embedded. Option D is wrong because Requirements gathering captures functional and security objectives but lacks the detailed system architecture and data flow context needed for effective threat modeling (e.g., STRIDE or PASTA analysis).

4
MCQ · hard

During a code review, a developer encounters the following code snippet in a Java web application used to authenticate users:

`String query = "SELECT * FROM users WHERE username = '" + request.getParameter("user") + "' AND password = '" + request.getParameter("pass") + "'";`

Which of the following is the MOST effective remediation?

A. Use regular expressions to validate the username and password inputs
B. Encode the input using HTML entity encoding before inclusion in the query
C. Escape single quotes in the input parameters
D. Replace the concatenated query with a prepared statement and bind parameters
Answer: D

Prepared statements ensure user input is treated as data, not executable SQL.

Why this answer

Option D is correct because prepared statements with parameterized queries separate SQL logic from user input, preventing SQL injection entirely. In Java, using PreparedStatement with bind variables (e.g., `ps.setString(1, user)`) ensures the database treats input as data, not executable code, which is the only reliable defense against SQL injection attacks.

Exam trap

The trap here is that candidates often choose input validation (Option A) or escaping (Option C) because they seem like reasonable security measures, but the CISSP exam emphasizes that parameterized queries/prepared statements are the definitive, defense-in-depth solution for SQL injection, not ad-hoc sanitization.

How to eliminate wrong answers

Option A is wrong because regular expressions alone cannot prevent SQL injection; an attacker can craft input that passes validation but still contains malicious SQL syntax (e.g., using alternate encodings or bypassing regex logic). Option B is wrong because HTML entity encoding is designed to prevent XSS, not SQL injection; it does not neutralize SQL metacharacters like single quotes or dashes in a database context. Option C is wrong because escaping single quotes is insufficient; attackers can exploit other SQL injection vectors such as backslash escapes, second-order injection, or using `UNION` statements without quotes, and escaping is error-prone across different database drivers.

5
MCQ · medium

A company is deploying a containerized application using Kubernetes. Which practice BEST ensures the security of the container images?

A. Scan images for vulnerabilities and use minimal base images
B. Restrict containers from running as root
C. Use the latest version of the base image without scanning
D. Enable container escape protection
Answer: A

Vulnerability scanning and minimal images reduce risk.

Why this answer

Scanning container images for known vulnerabilities (e.g., using Trivy, Clair, or Snyk) and using minimal base images (e.g., Alpine or distroless) directly reduces the attack surface and eliminates unnecessary packages that may contain exploitable flaws. This practice is foundational to secure software supply chain management and aligns with the principle of least functionality in containerized environments.

Exam trap

The trap here is that candidates often confuse runtime security controls (like root restrictions or escape protection) with image-level security, mistakenly thinking they ensure the image itself is free of vulnerabilities, when in fact they only mitigate exploitation after deployment.

How to eliminate wrong answers

Option B is wrong because restricting containers from running as root is a runtime security control (e.g., using `securityContext.runAsNonRoot: true`), not a practice that ensures the security of the container images themselves; it addresses privilege escalation at runtime, not image composition. Option C is wrong because using the latest version of a base image without scanning introduces unknown vulnerabilities and violates the secure development lifecycle; latest tags can be stale or contain unpatched CVEs, and scanning is essential to verify integrity. Option D is wrong because container escape protection (e.g., using seccomp, AppArmor, or gVisor) is a runtime isolation mechanism that prevents a compromised container from breaking out to the host, but it does not address vulnerabilities embedded within the image layers.

6
MCQ · hard

Refer to the exhibit. A security engineer reviews this S3 bucket policy. The Developer role is used by a CI/CD pipeline that uploads build artifacts. What security weakness exists in this policy?

A. The GetObject action does not have a condition, allowing read access to anyone.
B. The principal specifies a role ARN, but it should be a user ARN for granularity.
C. The Developer role has both write and read permissions, enabling data exfiltration if compromised.
D. The condition on PutObject is too restrictive and may cause upload failures.
Answer: C

A pipeline only needs write access; read access allows an attacker to read all objects in the bucket.

Why this answer

Option C is correct because the policy allows the Developer role to both write (PutObject) and read (GetObject) objects. If the pipeline is compromised, an attacker can exfiltrate sensitive data. Option D is wrong because the condition on PutObject is a good practice that ensures the bucket owner retains control.

Option A is wrong because the condition does enforce a requirement, but it is a security feature, not a weakness. Option B is wrong because the principal specifies the role ARN exactly as intended.

7
Multi-Select · easy

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities?

Select 2 answers
A. Code obfuscation.
B. Input validation.
C. Dynamic memory allocation without bounds.
D. Use of unsafe functions like strcpy.
E. Use of compilers with stack protection.
Answers: B, E

Validating input length prevents overflow.

Why this answer

Input validation ensures data fits within buffers; stack protection (e.g., canaries) detects overflow. Unsafe functions like strcpy are a cause, not prevention. Dynamic memory allocation without bounds still risks overflow.

Code obfuscation does not prevent overflow.

8
MCQ · easy

A development team is implementing a new feature that processes sensitive user data. Which of the following is the most secure approach to prevent data leakage during processing?

A. Use a separate virtual machine for each request.
B. Use memory encryption for all user data.
C. Store all data in a temporary file and delete it after processing.
D. Log all data access for auditing.
Answer: B

Protects data in memory from memory scraping attacks.

Why this answer

Memory encryption protects data in memory from unauthorized access. Storing data in temporary files on disk increases exposure. Virtual machines per request are resource-intensive and not always feasible.

Logging is detective, not preventive.

9
Matching · medium

Match each security model to its primary characteristic.


Descriptions:

No read up, no write down

No read down, no write up

Well-formed transactions and separation of duties

Prevents conflict of interest among clients

Rules for granting and taking permissions

Why these pairings

These models enforce different access control policies.

10
MCQ · medium

A software company uses a third-party library that has a known critical vulnerability. The library is used extensively and rewriting the code would take months. What is the BEST immediate action to reduce risk?

A. Remove the library from the codebase immediately
B. Disable the vulnerable feature in the library
C. Increase logging and monitoring to detect exploitation attempts
D. Implement a Web Application Firewall (WAF) rule to block exploitation
Answer: D

A WAF can provide virtual patching to mitigate the vulnerability in transit.

Why this answer

Option D is correct because implementing a Web Application Firewall (WAF) rule to block exploitation provides an immediate, compensating control that mitigates the known vulnerability without requiring code changes. This is the best immediate action because it buys time for a permanent fix while reducing risk, aligning with the principle of defense in depth. The WAF can inspect HTTP/HTTPS traffic for attack patterns (e.g., SQL injection, path traversal) specific to the vulnerable library and block malicious requests at the application layer.

Exam trap

The trap here is that candidates often choose 'Remove the library immediately' (Option A) because it seems like the most direct fix, but they fail to consider the business continuity impact and the need for a risk-based, phased approach to remediation.

How to eliminate wrong answers

Option A is wrong because removing the library immediately would break the application, causing a denial of service and potentially greater business impact than the vulnerability itself. Option B is wrong because disabling the vulnerable feature may not be feasible if the feature is integral to the library's core functionality, and it could still leave other attack surfaces exposed (e.g., memory corruption bugs). Option C is wrong because increased logging and monitoring only detects exploitation attempts after they occur rather than preventing them; it does not reduce the risk of a successful attack in real time.

11
MCQ · easy

Refer to the exhibit. Which vulnerability does this code contain?

A. SQL injection
B. Command injection
C. Buffer overflow
D. Cross-site scripting (XSS)
Answer: A

User input is concatenated into the query without sanitization.

Why this answer

Option A is correct because the code concatenates user input directly into an SQL query, allowing SQL injection. Option C is wrong because no buffer overflow is present. Option D is wrong because XSS occurs in web output, not in a database query.

Option B is wrong because command injection involves operating system commands, not SQL.

12
MCQ · medium

An organization is transitioning from waterfall to agile development. How should security be integrated into the new process to align with the SDLC?

A. Perform a single security review at the end of the release cycle
B. Conduct security testing only during the integration phase
C. Skip threat modeling and rely solely on automated scanning
D. Include security requirements in user stories and conduct threat modeling each iteration
Answer: D

This embeds security into agile practices.

Why this answer

Option D is correct because iterative threat modeling and security user stories ensure security is part of each sprint. Option A is wrong because a security review only at release misses early flaws.

Option C is wrong because skipping threat modeling increases risk; automated scans alone cannot replace threat modeling.

13
MCQ · medium

Refer to the exhibit. Which security weakness should be addressed first in this Dockerfile?

A. Installing Python without version pinning
B. No multistage build is used
C. The container runs as root by default
D. The use of 'latest' tag for the base image
Answer: C

Running as root greatly increases the attack surface; a non-root user should be created.

Why this answer

Option C is correct because running as root inside the container increases the impact of a compromise. Option A is wrong because Python itself is not a weakness. Option D is wrong because pinning base image tags is important but less critical than running as root.

Option B is wrong because multistage builds are a best practice but not the most urgent issue.

14
MCQ · medium

A financial application uses a third-party library for PDF generation. A security review finds that the library is no longer maintained and has known vulnerabilities. What is the BEST course of action?

A. Restrict network access to the PDF server.
B. Encrypt all PDF files after generation.
C. Implement a web application firewall to block attacks targeting the library.
D. Replace the library with a maintained alternative.
Answer: D

Replacing the library permanently eliminates the vulnerability.

Why this answer

Option D is correct because replacing the library with a maintained alternative directly addresses the root cause: an unmaintained, vulnerable library. Option C is wrong because a WAF only mitigates some attacks without fixing the underlying vulnerability. Option B is wrong because encrypting the output does not prevent exploitation of the library.

Option A is wrong because network restrictions do not fix the library's vulnerabilities.

15
MCQ · hard

Refer to the exhibit. Which attack is this OAuth authorization server policy vulnerable to?

A. Privilege escalation via scope confusion
B. Cross-site scripting (XSS)
C. Cross-site request forgery (CSRF)
D. SQL injection
Answer: A

Default permissions can grant unintended access if not carefully scoped.

Why this answer

Option A is correct because the default_permissions include 'file:read', which could allow an attacker to obtain read access without proper scope assignment. Option C is wrong because CSRF is mitigated by anti-CSRF tokens, not by scope policy. Option B is wrong because XSS is a client-side vulnerability.

Option D is wrong because injection would require untrusted input to alter the policy.

16
MCQ · medium

A company is developing a mobile payment application. To comply with PCI DSS, what should be implemented to protect cardholder data during transmission?

A. Apply base64 encoding.
B. Use RC4 encryption.
C. Implement TLS 1.2 or higher with strong ciphers.
D. Use SSL 3.0.
Answer: C

TLS provides secure, authenticated encryption.

Why this answer

TLS 1.2 or higher with strong ciphers is the current standard for secure transmission. RC4 and SSL 3.0 are deprecated. Base64 is encoding, not encryption.

17
Multi-Select · medium

Which TWO of the following are essential elements of a secure software development lifecycle (SSDLC)? (Select exactly 2.)

Select 2 answers
A. Security testing during the verification phase
B. Threat modeling during the design phase
C. Code obfuscation after compilation
D. Penetration testing after deployment
E. User acceptance testing before release
Answers: A, B

Security testing validates that security requirements are met.

Why this answer

Options A and B are correct because threat modeling during design and security testing during verification are standard SSDLC phases. Option E is wrong because user acceptance testing is functional, not security-focused. Option C is wrong because code obfuscation is a post-development technique, not a lifecycle element.

Option D is wrong because penetration testing is part of security testing, not a separate phase.

18
Multi-Select · easy

Which TWO of the following are fundamental phases of a secure software development lifecycle (SSDLC) where security should be integrated? (Select exactly two.)

Select 2 answers
A. Testing and validation
B. Software retirement
C. User acceptance testing
D. Production operations
E. Requirements gathering
Answers: A, E

Security testing should occur before release.

Why this answer

Options A and E are correct. Security requirements must be defined early, and security testing should be performed before deployment. Option D is wrong because production operations are post-deployment.

Option B is wrong because retirement is the final phase. Option C is wrong because user acceptance testing is too late.

19
MCQ · hard

A security architect is reviewing the access control model for a microservices architecture. Which approach minimizes the risk of privilege escalation from a compromised service?

A. Use attribute-based access control (ABAC) with service-specific policies.
B. Implement role-based access control (RBAC) with global roles.
C. Use API keys for all service-to-service communication.
D. Deploy a single sign-on solution.
Answer: A

ABAC allows context-aware, fine-grained policies to limit escalation.

Why this answer

ABAC uses attributes (user, resource, environment) to grant fine-grained permissions, reducing the blast radius if a service is compromised. RBAC with global roles is too coarse. SSO does not address service-to-service access.

API keys are weak for authentication.

20
MCQ · hard

An organization is adopting DevOps. Which of the following is a primary security concern when integrating security into CI/CD pipelines?

A. Credential management for automated tools.
B. Increased number of releases.
C. Automated testing slows down deployment.
D. Resistance from development teams.
Answer: A

Hardcoded or improperly stored credentials are a common attack vector.

Why this answer

Credential management is critical; secrets like API keys and passwords often leak in pipeline logs or repositories. Automated testing does not inherently slow deployment if properly designed. Increased release frequency can be managed.

Resistance is a cultural issue, not a technical security concern.

21
Multi-Select · medium

Which TWO of the following are mandatory secure coding practices to prevent injection attacks? (Select exactly two.)

Select 2 answers
A. Encode output to the browser
B. Encrypt sensitive input data
C. Use custom error messages that detail the failure
D. Use parameterized queries or prepared statements
E. Validate and sanitize all user input
Answers: D, E

Separates SQL logic from data, preventing injection.

Why this answer

Options D and E are correct. Input validation ensures data conforms to expected patterns; parameterized queries separate code from data. Option A is wrong because output encoding addresses XSS, not injection.

Option C is wrong because error messages should not reveal internal details. Option B is wrong because encryption does not prevent injection.

22
MCQ · hard

Refer to the exhibit. A security auditor examines the Git history of a critical security patch. What is the most significant security concern?

A. The security fix was reverted, re-exposing the application to the authentication bypass vulnerability.
B. Developer A and Developer B are not following a formal commitment process.
C. The commit message of the revert does not explain why the vulnerability fix was removed.
D. The fix was authored by Developer B but reverted by Developer A without approval.
Answer: A

Reversing the fix reintroduces the vulnerability.

Why this answer

Option A is correct because a developer reverted a security fix, reintroducing the vulnerability; this is a serious regression. Option B is wrong because, while the commit process is informal, the bigger issue is the revert.

Option D is wrong because the timestamps show the revert happened after the fix. Option C is wrong because the commit message explicitly says it reverts the fix, so the intent is clear.

23
Drag & Drop · medium

Drag and drop the steps for conducting a business impact analysis (BIA) in the correct order.



Why this order

BIA starts with identifying critical functions, then determining their MTD, identifying dependencies, assessing impacts, and finally documenting priorities.

24
MCQ · easy

A development team is integrating a third-party library for encryption. The security team insists on using only the latest version of the library. What is the primary security benefit of this requirement?

A. Improves performance due to optimized code.
B. Ensures the library has more features than older versions.
C. Reduces the attack surface by patching known vulnerabilities.
D. Guarantees backward compatibility with existing code.
Answer: C

The latest version includes fixes for vulnerabilities discovered in prior versions.

Why this answer

Option C is correct because using the latest version ensures that known vulnerabilities in older versions are patched. Option D is wrong because backward compatibility is not the primary security benefit. Option B is wrong because newer versions may introduce new features but can also break compatibility, so a larger feature set is not a security benefit.

Option A is wrong because performance improvements are secondary to security.

25
Multi-Select · hard

A developer is implementing role-based access control (RBAC). Which THREE components are essential for an RBAC system?

Select 3 answers
A. Permissions
B. Attributes
C. Users
D. Roles
E. Sessions
Answers: A, C, D

Permissions define access rights.

Why this answer

RBAC is defined by users, roles, and permissions. Sessions are optional enhancements. Attributes are part of ABAC, not RBAC.

26
MCQ · medium

An API gateway is being designed for a set of microservices. Which combination of security controls should be implemented?

A. HTTP Basic Authentication over HTTPS
B. TLS encryption with anonymous access
C. OAuth 2.0 with scopes and rate limiting
D. API keys passed in query strings
Answer: C

OAuth 2.0 provides token-based authorization with scopes; rate limiting mitigates DDoS.

Why this answer

Option C is correct because OAuth 2.0 with scopes provides fine-grained authorization, and rate limiting prevents abuse. Option A is wrong because basic auth sends credentials in plaintext.

Option B is wrong because HTTPS alone does not authorize; anonymous access leaves the API open.

27
MCQ · easy

A company is implementing a CI/CD pipeline for a web application. Which security testing method should be integrated into the build stage to catch vulnerabilities early?

A. Only using open-source vulnerability scanners
B. Dynamic Application Security Testing (DAST) in the production stage
C. Manual code review after each sprint
D. Static Application Security Testing (SAST) in the build stage
Answer: D

SAST scans source code early, fitting CI/CD build stages.

Why this answer

Option D is correct because Static Application Security Testing (SAST) analyzes source code without executing it, making it suitable for early detection in the build stage. Option B is wrong because DAST requires a running application. Option C is wrong because manual code review is too slow for continuous integration.

Option A is wrong because relying solely on open-source scanners may miss flaws in custom code.

28
MCQ · hard

A development team is implementing a microservices architecture. Which of the following is the BEST approach to secure inter-service communication?

A. Use JSON Web Tokens (JWT) for each request
B. Use API keys transmitted in HTTP headers
C. Place all services behind a single API gateway
D. Implement mutual TLS (mTLS) between services
Answer: D

mTLS provides strong authentication and encryption for inter-service communication.

Why this answer

Mutual TLS (mTLS) is the best approach because it provides both encryption and bidirectional authentication between services, ensuring that only authorized services can communicate. Unlike token-based methods, mTLS verifies the identity of both the client and server using X.509 certificates, which is critical in a zero-trust microservices environment where network boundaries are porous.

Exam trap

ISC2 often tests the misconception that an API gateway secures all inter-service communication, but candidates forget that east-west traffic between microservices bypasses the gateway and requires its own security mechanism like mTLS.

How to eliminate wrong answers

Option A is wrong because JWT per request authenticates the user or service but does not encrypt the communication channel, leaving data vulnerable to interception; it also adds overhead for every request without addressing transport-layer security. Option B is wrong because API keys in HTTP headers are static credentials that can be easily leaked, replayed, or intercepted if the channel is not encrypted, and they provide no mutual authentication. Option C is wrong because placing all services behind a single API gateway creates a central point of failure and a bottleneck, and it does not secure east-west traffic between services—internal calls bypass the gateway entirely.

29
MCQ · easy

An organization uses a version control system for all software development. Which practice best ensures that code changes are reviewed for security issues before merging into the main branch?

A. Requiring all pull requests to be approved by at least one peer reviewer.
B. Configuring the CI pipeline to run static analysis tools only on the main branch.
C. Enforcing that all commits pass automated unit tests before merging.
D. Using pre-commit hooks to scan for secrets in code before commit.
Answer: A

Peer review is a manual review process that can catch security issues that automated tools miss.

Why this answer

Option A is correct because mandatory peer review (pull request review) allows reviewers to examine code for security flaws before integration. Option B is wrong because static analysis alone may miss logic flaws, and automated scanning should complement human review. Option C is wrong because automated unit tests typically do not test security.

Option D is wrong because pre-commit hooks are limited to client-side checks, not a robust review process.

30
MCQ · medium

A team uses third-party libraries. What is the best practice to ensure they do not introduce vulnerabilities?

A. Whitelist all libraries based on reputation.
B. Perform static analysis only on custom code.
C. Isolate libraries in a sandbox.
D. Use the latest version of each library.
Answer: D

Latest versions include security patches for known vulnerabilities.

Why this answer

Keeping libraries up to date ensures known vulnerabilities are patched. Static analysis only on custom code misses library vulnerabilities. Whitelisting based on reputation is insufficient.

Sandboxing limits impact but does not prevent exploitation.

31
MCQ · hard

To enforce separation of duties in a CI/CD pipeline, what architectural principle should be implemented?

A. Allow all developers to deploy their own code to production
B. Use a single approval gate without role distinction
C. Grant a single DevOps team full access to both source code and deployment
D. Require different permissions for committing code vs. deploying to production
Answer: D

Separates responsibilities between development and operations.

Why this answer

Option D is correct because requiring different permissions for code commit and deployment enforces separation. Option C is wrong because a single team with full access to both violates separation. Option A is wrong because allowing all developers to deploy combines duties.

Option B is wrong because a single approval gate without role distinction does not enforce separate roles.

32
MCQ · hard

A security architect is reviewing a software design that uses a third-party library for XML parsing. The library is known to be vulnerable to XML External Entity (XXE) attacks. The architect recommends replacing the library. What is the primary risk of XXE attacks that the architect wants to avoid?

A. Disclosure of sensitive files from the server
B. Remote code execution by injecting malicious XML
C. Denial of service (DoS) from entity expansion
D. Cross-site scripting (XSS) delivered via XML response
Answer: A

XXE can read internal files like /etc/passwd or perform server-side request forgery.

Why this answer

Option A is correct because XXE lets an attacker declare an external entity that the parser resolves to a local file (or to an internal URL, giving server-side request forgery) and returns its contents in the response or in an error message. Option C is wrong because, while entity expansion (billion laughs) can cause DoS, the primary risk the architect is avoiding is information disclosure. Option B is wrong because XXE by itself does not execute code; RCE requires an additional weakness such as a vulnerable protocol handler.

Option D is wrong because XXE is processed by the server-side parser, not delivered to a client's browser.
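Added example (not part of the question bank): a Python parser that refuses any DTD in untrusted XML, which is what stops the file-disclosure option A describes, run against a constructed payload of that kind. The function names, the sample documents and the /etc/passwd target are this example's own assumptions.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD or an entity declaration."""


def _forbid_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE (internal or external subset) can declare entities, so reject it outright.
    raise UnsafeXML(f"DOCTYPE for <{name}> is not allowed in untrusted input")


def _forbid_entity(name, is_parameter, value, base, system_id, public_id, notation):
    # Reached only if a DOCTYPE slipped through; SYSTEM entities are the XXE vector.
    raise UnsafeXML(f"entity declaration {name!r} is not allowed")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTD processing disabled.

    Pass 1 walks the document with a bare expat parser whose DTD handlers abort
    the parse. Pass 2 only runs on input proven to contain no DTD, so no
    external entity (file://, http://) or entity-expansion bomb can be declared.
    """
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _forbid_doctype
    guard.EntityDeclHandler = _forbid_entity
    guard.Parse(data, True)          # raises UnsafeXML on the first DTD token
    return ET.fromstring(data)


# Constructed sample inputs (illustration, not captured traffic).
BENIGN = b"<order><id>42</id><qty>3</qty></order>"
XXE_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<order><id>&xxe;</id></order>"
)


def is_accepted(data: bytes) -> bool:
    """True if the parser accepts the document, False if it was rejected as unsafe."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False
```

Recent CPython releases no longer resolve external entities in the standard-library parsers, but refusing the DTD also blocks internal entity-expansion bombs (the DoS in option C) and is the same approach the defusedxml library takes. Replacing the vulnerable third-party library, as the architect recommends, should land on a parser that can be configured this way.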

33
Multi-Selecteasy

Which TWO of the following are security principles that should be applied during software development? (Select TWO)

Select 2 answers
A.Least privilege
B.Security through obscurity
C.Defense in depth
D.Single point of failure
E.Fail open
AnswersA, C

Least privilege ensures users and processes have only the minimum necessary permissions.

Why this answer

Options A and C are correct. Least privilege (A) and defense in depth (C) are fundamental design principles. Option B is wrong because security through obscurity is not a reliable control.

Option D is wrong because a single point of failure is a risk to be designed out, not a principle. Option E is wrong because failing open is insecure; fail closed (fail secure) is preferred.

34
Multi-Selecthard

Which THREE of the following are valid techniques to ensure software integrity during the build and deployment process? (Select THREE.)

Select 3 answers
A.Implementing role-based access control on the build server
B.Using cryptographic hashes (e.g., SHA-256) to verify files
C.Continuous integration automated builds
D.Performing checksum verification after deployment
E.Code signing with a trusted certificate
AnswersB, D, E

Hashes detect unauthorized changes.

Why this answer

Cryptographic hashes like SHA-256 produce a unique fixed-size digest of a file's contents. By comparing the hash of a built artifact against a known-good hash, you can detect any unauthorized modification, corruption, or tampering that occurred during the build or deployment process. This directly ensures software integrity by verifying that the file has not been altered.

Exam trap

The trap here is confusing process controls (like RBAC or CI automation) with integrity verification mechanisms; candidates often think that restricting access or automating builds inherently ensures the software hasn't been tampered with, but only cryptographic techniques like hashing and signing provide direct integrity assurance.
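As an added example (not from the original page), the following Python verifies a set of built artifacts against a manifest of known-good SHA-256 digests, the check option B describes, and shows it catching a file modified between build and deployment. The artifacts, their contents, the manifest and the function names are constructed for this example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat for large artifacts


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(artifact_dir: Path, manifest: Dict[str, str]) -> Dict[str, bool]:
    """Check every artifact named in the manifest against its known-good digest.

    A missing file counts as a failure: integrity means "exactly what was built",
    not merely "nothing present was changed". compare_digest is used so the
    comparison cost does not depend on how many leading characters match.
    """
    results: Dict[str, bool] = {}
    for name, expected_hex in manifest.items():
        path = artifact_dir / name
        if not path.is_file():
            results[name] = False
            continue
        results[name] = hmac.compare_digest(sha256_file(path), expected_hex.lower())
    return results


def verify_demo_artifacts() -> Dict[str, bool]:
    """Build two constructed artifacts, record their digests, then tamper with one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app_bytes = b"constructed build output, version 1\n"
        cfg_bytes = b"debug: false\n"
        (root / "app.jar").write_bytes(app_bytes)
        (root / "config.yaml").write_bytes(cfg_bytes)

        # The manifest is what the build stage would publish alongside the artifacts.
        manifest = {
            "app.jar": hashlib.sha256(app_bytes).hexdigest(),
            "config.yaml": hashlib.sha256(cfg_bytes).hexdigest(),
            "installer.sh": hashlib.sha256(b"never shipped").hexdigest(),
        }

        # Simulated tampering between build and deployment.
        (root / "config.yaml").write_bytes(b"debug: true\n")
        return verify_manifest(root, manifest)
```

The hash only proves that the file matches the manifest; the manifest itself has to arrive through a trusted channel, which is where code signing (option E) comes in. A digest published next to the artifact on the same compromised host proves nothing.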

35
Multi-Selecthard

Which TWO of the following are best practices for securing containerized applications? (Select exactly 2.)

Select 2 answers
A.Mounting the host filesystem to persist logs
B.Running the container process as a non-root user
C.Cleaning the certificate store to prevent MITM
D.Exposing port 22 for SSH debugging in production
E.Using minimal base images such as Alpine or scratch
AnswersB, E

Non-root user reduces privilege escalation risk.

Why this answer

Options B and E are correct. Running the container process as a non-root user limits what a breakout can do on the host, and minimal base images (Alpine, distroless, scratch) reduce the attack surface and the number of packages that need patching.

Option A is wrong because bind-mounting the host filesystem is highly insecure; use a volume or a logging driver instead. Option C is wrong because clearing the certificate store breaks TLS verification rather than preventing MITM. Option D is wrong because debug access such as SSH should not be exposed in production.

36
MCQmedium

Refer to the exhibit. An application running on this server uses HTTPS (port 443). What is the most likely impact of the current firewall rules on the application?

A.Clients will only be able to connect from IP addresses in the 10.0.0.0/8 range.
B.The application will function normally as HTTP is allowed.
C.Clients will be unable to connect to the application because HTTPS is not explicitly allowed.
D.All HTTPS traffic will be logged and then dropped.
AnswerC

Only port 80 is allowed; port 443 is blocked by the default DROP policy.

Why this answer

Option C is correct because the exhibit shows an ACCEPT rule for port 80 but no rule for port 443, and the default policy is DROP, so HTTPS connections are dropped. Option B is wrong because the application speaks HTTPS; allowing HTTP does nothing for it. Option A is wrong because no rule restricts port 443 to 10.0.0.0/8.

Option D is wrong because the LOG rule matches source 10.0.0.0/8, not HTTPS traffic; HTTPS is simply dropped by the default policy without being logged.

37
Drag & Dropmedium

Drag and drop the steps for a disaster recovery (DR) plan activation in the correct order.


Why this order

DR activation: declare, notify, failover, restore, test and resume.

38
Multi-Selecthard

Which THREE of the following are valid countermeasures to prevent SQL injection vulnerabilities? (Select exactly 3.)

Select 3 answers
A.Using parameterized queries or prepared statements
B.Implementing strict input validation on user-supplied data
C.Encoding output to the user
D.Hashing the input before insertion into the database
E.Using stored procedures with explicit parameter definitions
AnswersA, B, E

Parameterized queries prevent malicious input from altering SQL structure.

Why this answer

Options A, B, and E are correct. Parameterized queries separate code from data, stored procedures with explicit parameters do the same inside the database, and input validation limits what an attacker can submit. Option C is wrong because output encoding defends against XSS, not injection at the database layer.

Option D is wrong because hashing the input would break the query's logic, and the resulting hash is still concatenated into the statement.

39
Multi-Selectmedium

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities? (Select TWO.)

Select 2 answers
A.Perform bounds checking on array indices and pointers
B.Use dynamic memory allocation for all buffers
C.Enable Address Space Layout Randomization (ASLR)
D.Use bounded string functions (e.g., strncpy instead of strcpy)
E.Deallocate memory after use
AnswersA, D

Bounds checking ensures memory accesses are within allocated space.

Why this answer

Bounds checking ensures that array indices and pointers do not reference memory outside the allocated buffer, directly preventing the overwrite of adjacent memory that leads to buffer overflows. This is a fundamental defensive coding practice that validates all input and index values before use. Bounded string functions (D) enforce the same limit at the library call; note that strncpy does not NUL-terminate the destination when the source fills it, so the terminator must be written explicitly, or snprintf/strlcpy used instead.

Exam trap

The trap here is that candidates confuse system-level mitigations (like ASLR) or memory management practices (like deallocation) with actual secure coding practices that prevent the vulnerability from being written into the code.

40
MCQeasy

During a code review, a developer notices that an application directly concatenates user input into SQL queries. Which type of vulnerability does this represent?

A.Cross-site scripting (XSS)
B.Cross-site request forgery (CSRF)
C.Buffer overflow
D.SQL injection
AnswerD

Concatenating user input into SQL queries allows an attacker to modify the query structure.

Why this answer

Option D is correct because direct concatenation of user input into a SQL query is the classic SQL injection pattern. Option A is wrong because XSS involves injecting script into web pages rendered by a browser. Option B is wrong because CSRF relies on tricking a user's browser into sending a request.

Option C is wrong because a buffer overflow is a memory corruption issue, not a query-construction issue.

41
MCQhard

In a microservices architecture with a service mesh, what is the most effective approach to secure inter-service communication?

A.Segment services into separate VLANs without encryption
B.Use TLS only for all communication
C.Implement mutual TLS (mTLS) and identity-based access policies
D.Rely on API keys in the request headers
AnswerC

mTLS provides strong authentication and encryption per request.

Why this answer

Option C is correct because mutual TLS with identity-based policies authenticates both ends and encrypts each service-to-service call, and the mesh can enforce which identities may call which service. Option B is wrong because TLS alone authenticates only the server, not the caller. Option D is wrong because API keys in headers are static, easily leaked, and hard to rotate at scale.

Option A is wrong because VLAN segmentation without encryption does not protect against eavesdropping or identity spoofing inside the segment.

42
MCQhard

A company develops a web application using microservices architecture deployed on Kubernetes. The security team identifies that the application is vulnerable to injection attacks because user input is concatenated into SQL queries. The development team wants to implement a fix quickly. They propose using parameterized queries, but the database access layer currently uses stored procedures. The team considers modifying the stored procedures to accept parameters and using prepared statements in the code. However, the operations team is concerned about performance impact. Which of the following is the BEST course of action?

A.Use parameterized queries immediately without modifying stored procedures.
B.Implement both parameterized queries and modify stored procedures to use parameters, and then monitor performance.
C.Modify stored procedures to use dynamic SQL with input validation.
D.Use input validation only, as stored procedures inherently prevent injection.
AnswerB

This provides defense in depth and allows performance assessment before full rollout.

Why this answer

Option B is correct because it removes the injection through both parameterized queries in the application and parameterized stored procedures in the database, then measures performance to address the operations team's concern. Option A is wrong because parameterized queries alone do not help if the stored procedures still concatenate input. Option C is wrong because dynamic SQL inside stored procedures is just as injectable as dynamic SQL in application code.

Option D is wrong because input validation alone is not sufficient; stored procedures without parameterization can still be vulnerable.

43
Matchingmedium

Match each OSI layer to its function.


Frames and MAC addressing

Routing and logical addressing

End-to-end reliability and segmentation

User interface and application services

Why these pairings

Frames and MAC addressing belong to the Data Link layer (Layer 2), routing and logical addressing to the Network layer (Layer 3), end-to-end reliability and segmentation to the Transport layer (Layer 4), and user interface and application services to the Application layer (Layer 7).

44
MCQhard

A security assessment reveals that a web application uses client-side input validation exclusively. What is the most likely security risk?

A.Attacker can inject malicious scripts that execute on the client side.
B.An attacker can submit malicious data directly to the server without client-side constraints.
C.The application will have poor user experience due to slow responses.
D.The client-side code can be obfuscated but not decrypted.
AnswerB

Client-side validation only works in the browser; server-side validation is necessary to prevent malicious input.

Why this answer

Option B is correct because client-side validation is trivially bypassed by an attacker who sends requests straight to the server with a proxy or a script, so whatever the browser checked is never enforced. Option C is wrong because usability is not a security risk. Option D is wrong because obfuscation versus decryption of client code is irrelevant; the attacker does not need to read the validation code to skip it.

Option A is wrong because XSS is only one possible consequence and is mitigated by output encoding; the root risk is missing server-side validation.

45
MCQmedium

A security engineer is designing an API that handles sensitive customer data. The engineer wants to ensure that only authorized clients can access the API, and that requests are not tampered with in transit. Which approach best addresses both requirements?

A.Enforcing TLS for all communications
B.Requiring a digital signature using HMAC on each request
C.Implementing OAuth 2.0 with Bearer tokens over HTTPS
D.Using API keys transmitted in the request header
AnswerC

OAuth 2.0 provides delegated authorization, and HTTPS ensures confidentiality and integrity of tokens and data.

Why this answer

Option C is correct because OAuth 2.0 access tokens express what a client is authorized to do, and HTTPS protects the tokens and request bodies from tampering in transit. Option D is wrong because API keys identify the client but give no tamper protection. Option A is wrong because TLS provides confidentiality and in-transit integrity but says nothing about authorization.

Option B is wrong because an HMAC proves integrity and possession of the key, but not what the key holder is authorized to do.
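To show exactly what option B buys and what it does not, here is an added example (not from the original page) of HMAC request signing with a timestamp window: the honest request verifies, a request whose body was altered in transit fails, and a replay outside the window fails. The shared key, the /v1/transfers path and the request bodies are constructed for this example.

```python
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key-not-for-production"  # assumed shared secret


def canonical_request(method: str, path: str, body: bytes, timestamp: int) -> bytes:
    """Bind method, path, time and body hash so none can be altered independently."""
    return b"\n".join([
        method.upper().encode(),
        path.encode(),
        str(timestamp).encode(),
        hashlib.sha256(body).hexdigest().encode(),
    ])


def sign_request(key: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """Client side: HMAC-SHA256 over the canonical form, sent as a hex header value."""
    return hmac.new(key, canonical_request(method, path, body, timestamp), hashlib.sha256).hexdigest()


def verify_request(key: bytes, method: str, path: str, body: bytes, timestamp: int,
                   signature: str, now: int, max_skew: int = 300) -> bool:
    """Server side: reject stale requests, then compare signatures in constant time."""
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(key, method, path, body, timestamp)
    return hmac.compare_digest(expected, signature)


def run_exchange() -> dict:
    """Constructed exchange: one honest request, one tampered body, one replay."""
    ts = 1_700_000_000
    body = json.dumps({"account": "ACME-1", "amount": 250}).encode()
    sig = sign_request(SECRET_KEY, "POST", "/v1/transfers", body, ts)

    # An on-path attacker rewrites the amount but cannot recompute the HMAC without the key.
    tampered = json.dumps({"account": "ACME-1", "amount": 250000}).encode()

    return {
        "valid": verify_request(SECRET_KEY, "POST", "/v1/transfers", body, ts, sig, now=ts + 5),
        "tampered_body": verify_request(SECRET_KEY, "POST", "/v1/transfers", tampered, ts, sig, now=ts + 5),
        "replayed_later": verify_request(SECRET_KEY, "POST", "/v1/transfers", body, ts, sig, now=ts + 3600),
    }
```

A passing verification tells the server that whoever holds the key sent this exact request recently; whether that key holder may move money out of ACME-1 is an authorization decision the HMAC does not make, which is why the question's answer pairs an authorization scheme with transport protection. A timestamp window alone still allows replay inside the window; full replay protection needs a per-request nonce the server remembers.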

46
MCQmedium

A healthcare organization uses a custom application to manage patient records. The application uses a database with encrypted columns for sensitive data. The security team discovers that an insider has been copying encrypted data to an external drive. While the data is encrypted, the encryption key is stored in a configuration file accessible to the application. Which additional control would best mitigate this risk?

A.Enable audit logging on the application.
B.Implement role-based access control on the configuration file.
C.Use transparent data encryption (TDE) at the database level.
D.Store the encryption key in a hardware security module (HSM) with access policies.
AnswerD

HSM keeps the key secure and enforces strict access control.

Why this answer

Storing the encryption key in an HSM with access policies ensures the key is never in cleartext accessible to the application or user; it also enforces access controls and auditing. Role-based access on the config file is insufficient because the application still needs to read the key. TDE protects data at rest but does not protect the key.

Auditing is detective, not preventive.

47
MCQeasy

An organization is migrating from a waterfall to an Agile development methodology. Which of the following is a key security advantage of Agile?

A.Security testing is performed only at the end of the project
B.Security issues can be addressed incrementally throughout development
C.Security requirements are finalized upfront
D.Security documentation is minimized to reduce overhead
AnswerB

Agile's short cycles allow for prompt remediation of security findings.

Why this answer

In Agile development, security testing and remediation are integrated into each iteration (sprint), allowing teams to identify and fix vulnerabilities incrementally rather than waiting until the end. This continuous feedback loop reduces the risk of late-stage security surprises and aligns with the principle of 'shifting left' on security.

Exam trap

The trap here is conflating 'Agile' with 'no documentation' or 'no upfront planning,' when in reality Agile requires disciplined, just-in-time security activities and maintains necessary documentation for compliance and risk management.

How to eliminate wrong answers

Option A is wrong because performing security testing only at the end of the project is a characteristic of the waterfall model, not Agile, and it increases the cost and effort to remediate issues found late. Option C is wrong because Agile embraces changing requirements; security requirements are refined iteratively through backlog grooming and user stories, not finalized upfront. Option D is wrong because while Agile may reduce unnecessary documentation, security documentation (e.g., threat models, security acceptance criteria) is still essential and should not be minimized to the point of compromising auditability or compliance.

48
MCQeasy

A DevOps team implements a CI/CD pipeline that runs security scans automatically. The pipeline fails often due to false positives, causing delays. Which approach balances security and efficiency?

A.Tune scan rules to reduce false positives while retaining critical checks.
B.Turn off all security scans.
C.Manually review every false positive.
D.Only run scans on code that is deployed to production.
AnswerA

Reduces noise while keeping essential security.

Why this answer

Tuning scan rules reduces false positives while maintaining critical security checks, thus minimizing delays without disabling security. Turning off scans removes security. Manual review of every false positive is inefficient.

Running scans only on production bypasses early detection.

49
Multi-Selecthard

Which THREE of the following are essential components of a software supply chain security program? (Select exactly three.)

Select 3 answers
A.Using signed and verified software artifacts
B.Maintaining a software bill of materials (SBOM) for all dependencies
C.Running penetration tests on the production environment
D.Conducting static analysis on all in-house code
E.Performing security assessments on third-party vendors
AnswersA, B, E

Signing ensures integrity and authenticity of artifacts.

Why this answer

Options A, B, and E are correct. Signed artifacts verify integrity and origin, SBOMs provide transparency into dependencies, and vendor assessments cover the third parties that supply code and services. Option D is wrong because static analysis of in-house code is application security, not supply chain security.

Option C is wrong because penetration tests of production are a broader assurance activity, not specifically a supply chain control.

50
MCQhard

A financial institution has developed a trading application that sends orders via an internal API. The application processes high-frequency trades and must ensure non-repudiation of orders. The development team implemented digital signatures using RSA with SHA-256. However, testers found that occasionally two different orders produce the same signature. The team suspects a collision resistance issue. After reviewing the implementation, they notice that the private key is generated using a deterministic key generation algorithm that uses a fixed seed derived from the current timestamp. The signatures are generated by signing the order hash directly. What is the most likely root cause of the signature collision?

A.The hash function SHA-256 provides insufficient collision resistance for the order volume.
B.The use of a fixed seed for key generation leads to weak keys, making it possible for an attacker to forge signatures.
C.The private key is reused across multiple instances, causing storage conflicts.
D.The signature algorithm does not use a random salt or padding, causing deterministic signatures that can collide when the same order is processed twice.
AnswerD

Deterministic signatures produce the same output for the same input; if two orders have identical hashes (e.g., due to data equality or collision), they yield identical signatures.

Why this answer

The signature algorithm does not include randomization (e.g., no random salt as in RSA-PSS), so the signature is deterministic. If two orders produce the same hash, they will have the same signature. In practice a SHA-256 collision between two genuinely different orders is computationally infeasible, so identical signatures almost certainly mean the two orders serialized to identical bytes (for example, the same order submitted twice); the fix is to include a unique order ID, timestamp or nonce in the signed data, not to change the hash function. While key generation from a fixed, timestamp-derived seed is a separate and serious weakness (a predictable private key lets an attacker forge signatures), it does not cause signature collisions.

The hash function is unlikely to be the issue. Key reuse across instances is not described.

51
MCQeasy

A development team heavily uses third-party libraries. What is the most effective way to manage vulnerabilities in these libraries?

A.Only use libraries from sources with no known vulnerabilities
B.Ignore vulnerabilities unless a known exploit exists
C.Manually review each library's source code for flaws
D.Use a Software Composition Analysis (SCA) tool and monitor CVE databases
AnswerD

SCA tools automate vulnerability detection and CVE tracking.

Why this answer

Option D is correct because SCA tooling with CVE monitoring gives continuous visibility into the libraries actually in use. Option B is wrong because ignoring vulnerabilities until an exploit is public leaves the window open. Option C is wrong because manual review of every library does not scale.

Option A is wrong because 'no known vulnerabilities' at selection time is not a strategy; new CVEs are published against libraries long after they are adopted.

52
MCQhard

An organization develops a SaaS platform that integrates with multiple third-party services via APIs. The platform handles authentication tokens and user data. A security review reveals that the platform uses hardcoded API keys in the source code. What is the most secure way to manage these secrets in a cloud-native environment?

A.Use environment variables in the deployment configuration.
B.Use .gitignore to prevent them from being committed.
C.Encrypt the secrets and store them in the database.
D.Store secrets in a dedicated secrets management service like AWS Secrets Manager or Azure Key Vault.
AnswerD

Provides secure storage, access control, and automatic rotation.

Why this answer

A dedicated secrets management service provides centralized, encrypted storage with access control, auditing, and rotation. Environment variables are better than hardcoding but are still exposed in process memory and logs. Encrypting and storing in the database shifts the problem to key management. .gitignore prevents committing but secrets are still in the working directory.

53
Multi-Selectmedium

Which THREE of the following are key practices in the OWASP ASVS (Application Security Verification Standard) for secure software? (Select exactly three.)

Select 3 answers
A.Secure error handling and logging
B.Integration with password managers
C.Authentication and session management
D.Network segmentation between tiers
E.Input validation and sanitization
AnswersA, C, E

ASVS V7 (Error Handling and Logging) covers error handling.

Why this answer

Options A, C, and E are correct. Input validation (V5), authentication and session management (V2, V3), and error handling and logging (V7) are core ASVS chapters. Option B is wrong because, although the ASVS authentication chapter requires that password managers be permitted, that is a single requirement rather than a key practice area of the standard.

Option D is wrong because network segmentation is an infrastructure control, outside the application-level scope ASVS verifies.

54
MCQhard

An organization is adopting a microservices architecture. Which security control is most effective for ensuring that inter-service communication is authenticated and authorized?

A.Implementing mutual TLS (mTLS) between services
B.Relying on network segmentation and IP allowlisting
C.Using JSON Web Tokens (JWT) in the HTTP header
D.Using pre-shared API keys for each service pair
AnswerA

mTLS provides bidirectional certificate-based authentication and encrypted communication.

Why this answer

Option A is correct because mutual TLS authenticates both parties with certificates, providing strong workload identity plus an encrypted channel. Option D is wrong because pre-shared API keys do not give mutual authentication and multiply with every service pair. Option C is wrong because a JWT carries claims about the caller but does not by itself authenticate or encrypt the channel; it complements mTLS rather than replacing it.

Option B is wrong because IP allowlisting is coarse and is defeated by spoofing or by any workload that lands on an allowed address in a dynamic cloud network.

55
MCQmedium

A company uses Docker containers for microservices. What is the most important security measure for container images?

A.Use minimal base images and scan them for vulnerabilities
B.Use the latest version of base image to ensure patches
C.Hardcode secrets into the image
D.Run containers as root for easier privilege management
AnswerA

Reduces attack surface and identifies known flaws.

Why this answer

Option A is correct because minimal base images reduce attack surface, and vulnerability scanning detects known issues before deployment. Option B is wrong because pulling 'latest' tags produces unreproducible builds; pin a digest and rebuild on a schedule instead. Option D is wrong because running as root is insecure.

Option C is wrong because secrets baked into an image are readable by anyone who can pull the image.

56
MCQmedium

A developer is tasked with securely storing user passwords in a database. Which of the following is the most secure approach?

A.Do not store passwords; use federated identity
B.Hash the password with bcrypt using a unique salt per user
C.Encrypt the password using AES and store the ciphertext
D.Hash the password with MD5 and store the hash
AnswerB

Bcrypt is a slow, salted hashing algorithm specifically designed for passwords.

Why this answer

Option B is correct because a slow, salted password hash such as bcrypt is the industry standard for password storage: the per-user salt defeats precomputed tables and the cost factor slows brute force. Option D is wrong because MD5 is fast and unsalted, so its hashes fall to precomputation and GPU attacks. Option C is wrong because encryption is reversible; whoever obtains the key recovers every password.

Option A is wrong because federated identity avoids storing passwords only where every user can use it, which is impractical for most applications.

57
MCQmedium

A DevOps team is implementing a DevSecOps pipeline. Which of the following should be introduced first in the pipeline to catch security issues early and reduce remediation cost?

A.Container vulnerability scanning after image build
B.Static application security testing (SAST) during the build stage
C.Pre-commit hooks that run linters and secret scanners
D.Dynamic application security testing (DAST) in staging environment
AnswerC

Pre-commit hooks catch issues before code is committed, the earliest point in the pipeline.

Why this answer

Option C is correct because pre-commit hooks run on the developer's machine before code is committed, the earliest point in the pipeline, so secrets and lint errors never reach the repository. Option B is wrong because SAST runs in the build stage, after commit. Option D is wrong because DAST runs against a deployed application.

Option A is wrong because container scanning happens after the image is built.
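As an added example (not from the original page), this Python emulates the secret-scanning half of a pre-commit hook: a small rule set run over staged file contents, with a non-zero exit status that would block the commit. The rules are illustrative (real scanners ship far larger sets), the staged files are constructed, and the AWS value is AWS's published example key, not a live credential.

```python
import re
from typing import Dict, List, Tuple

# Illustrative rules; gitleaks, detect-secrets and similar tools ship far larger sets.
SECRET_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password",
     re.compile(r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*['"][^'"]{6,}['"]""")),
    ("generic-api-key",
     re.compile(r"""(?i)(?:api[_-]?key|secret[_-]?key)\s*[=:]\s*['"][A-Za-z0-9_\-]{16,}['"]""")),
]


def scan_for_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every line that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in SECRET_RULES:
            if pattern.search(line):
                findings.append((lineno, rule_name))
    return findings


def pre_commit_check(staged_files: Dict[str, str]) -> int:
    """Emulate the hook entry point: report every hit, return 1 to block the commit."""
    blocked = False
    for path, content in staged_files.items():
        for lineno, rule in scan_for_secrets(content):
            print(f"{path}:{lineno}: possible secret ({rule})")
            blocked = True
    return 1 if blocked else 0


# Constructed staged content. AKIAIOSFODNN7EXAMPLE is the example key from AWS documentation.
STAGED = {
    "config.py": 'DB_USER = "app"\nDB_PASSWORD = "hunter2-but-longer"\n',
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder body)\n",
    "main.py": "def main():\n    return 0\n",
}
```

Hooks like this are a client-side convenience, which is why the page's earlier answer on peer review treats them as no substitute for a review process: a developer can skip them with --no-verify, so the same scan should run again server-side in the build stage.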

58
MCQeasy

During a code review, a developer identifies a SQL injection vulnerability. What is the most effective fix?

A.Use stored procedures exclusively.
B.Use an ORM framework.
C.Escape all input.
D.Implement parameterized queries.
AnswerD

Parameterized queries (prepared statements) separate code from data.

Why this answer

Parameterized queries (prepared statements) ensure user input is treated as data, not executable code. Stored procedures can still be vulnerable if dynamically built. Escaping input is error-prone.

ORMs often use SQL underneath and may not prevent injection if misused.

59
MCQhard

A DevSecOps team wants to integrate security into the CI/CD pipeline without slowing down development. Which approach best achieves this?

A.Perform comprehensive security tests only on major releases
B.Conduct a security review after each release and fix issues retrospectively
C.Require manual security sign-off before each production deployment
D.Implement automated security scanning with gating (pass/fail) in the pipeline
AnswerD

Automation provides fast, consistent security checks.

Why this answer

Option D is correct because automated gates with pass/fail criteria give fast, consistent feedback on every change without waiting on a person. Option C is wrong because manual sign-off before each deployment is slow and becomes the bottleneck. Option A is wrong because testing only major releases leaves every intermediate change unchecked.

Option B is wrong because reviewing after release does not prevent a flawed build from reaching production.
