CISSP · topic practice

Software Development Security practice questions

Practise Certified Information Systems Security Professional (CISSP) Software Development Security questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Software Development Security

What the exam tests

What to know about Software Development Security

Software Development Security questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Software Development Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Software Development Security questions

20 questions · select your answer, then reveal the explanation

A development team is adopting a secure SDLC. Which phase should include threat modeling to identify potential security vulnerabilities early?

A software company uses a third-party library that has a known critical vulnerability. The library is used extensively and rewriting the code would take months. What is the BEST immediate action to reduce risk?

During a code review, a developer encounters the following code snippet in a Java web application used to authenticate users:

String query = "SELECT * FROM users WHERE username = '" + request.getParameter("user") + "' AND password = '" + request.getParameter("pass") + "'";

Which of the following is the MOST effective remediation?

An organization is migrating from a waterfall to an Agile development methodology. Which of the following is a key security advantage of Agile?

A company is deploying a containerized application using Kubernetes. Which practice BEST ensures the security of the container images?

A development team is implementing a microservices architecture. Which of the following is the BEST approach to secure inter-service communication?

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities? (Select TWO.)

Which THREE of the following are valid techniques to ensure software integrity during the build and deployment process? (Select THREE.)

A financial services company uses a custom web application for online banking. The application is developed in-house using Java and deployed on Apache Tomcat servers. Recently, the security team discovered that the application is vulnerable to a critical remote code execution (RCE) vulnerability due to insecure deserialization of untrusted data. The vulnerability exists in a module that processes session objects. The development team has been assigned to fix this issue. They propose the following options:

A. Implement a custom deserialization filter using ObjectInputFilter to whitelist only expected classes.
B. Replace Java serialization with JSON serialization using a library like Jackson, and configure it to disallow polymorphic deserialization by default.
C. Encrypt all serialized objects using AES-256 before sending them to the client.
D. Use a Web Application Firewall (WAF) to block requests containing known deserialization payloads.

The application must maintain high availability and minimal latency. Which option provides the MOST effective and sustainable remediation?

Drag and drop the steps for conducting a business impact analysis (BIA) in the correct order.


Drag and drop the steps for a disaster recovery (DR) plan activation in the correct order.


Match each security model to its primary characteristic.

Descriptions:

  • No read up, no write down
  • No read down, no write up
  • Well-formed transactions and separation of duties
  • Prevents conflict of interest among clients
  • Rules for granting and taking permissions

Match each OSI layer to its function.

Descriptions:

  • Frames and MAC addressing
  • Routing and logical addressing
  • End-to-end reliability and segmentation
  • User interface and application services

A company is implementing a CI/CD pipeline for a web application. Which security testing method should be integrated into the build stage to catch vulnerabilities early?

An organization is transitioning from waterfall to agile development. How should security be integrated into the new process to align with the SDLC?

In a microservices architecture with a service mesh, what is the most effective approach to secure inter-service communication?

Which TWO of the following are mandatory secure coding practices to prevent injection attacks? (Select exactly two.)

Which THREE of the following are essential components of a software supply chain security program? (Select exactly three.)

Which TWO of the following are fundamental phases of a secure software development lifecycle (SSDLC) where security should be integrated? (Select exactly two.)

Refer to the exhibit. Which security weakness should be addressed first in this Dockerfile?

Exhibit

FROM ubuntu:latest
RUN apt-get update && apt-get install -y python
COPY . /app
WORKDIR /app
CMD ["python", "app.py"]


Focused Software Development Security sessions

Start a Software Development Security only practice session

Every question in these sessions is drawn from the Software Development Security domain — nothing else.

Related practice questions

Related CISSP topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CISSP exam test about Software Development Security?
Software Development Security questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Software Development Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Software Development Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.