7Safe Certified Secure Coding for Software Developers CSCSD Exam, Exams of Technology

The 7Safe Certified Secure Coding for Software Developers Exam validates secure software development practices. It covers secure design principles, common coding vulnerabilities, threat modeling, code review techniques, and secure SDLC integration. This certification prepares developers to build resilient and secure software applications from the ground up.

Typology: Exams

2025/2026

Available from 01/23/2026

Uploaded by: shilpi-jain-2 🇮🇳

7Safe Certified Secure Coding for Software Developers CSCSD Exam
Question 1. **What does the “C” in the CIA triad stand for in secure software design?**
A) Control
B) Confidentiality
C) Certification
D) Consistency
Answer: B
Explanation: Confidentiality ensures that sensitive data is only accessible to authorized users, a core principle of the CIA triad.
Question 2. **Which principle focuses on preventing unauthorized modification of data?**
A) Availability
B) Integrity
C) Authentication
D) Authorization
Answer: B
Explanation: Integrity guarantees that data remains accurate and unaltered except by authorized processes.
Question 3. **In the context of secure coding, what is the primary purpose of non-repudiation?**
A) To hide data from attackers
B) To ensure actions cannot be denied by the party that performed them
C) To encrypt data at rest
D) To limit user privileges





Answer: B
Explanation: Non-repudiation relies on mechanisms such as digital signatures and tamper-evident logs so that a user cannot later deny having performed an action.
Question 4. **Which of the following best describes the concept of “economy of mechanism”?**
A) Using the cheapest available security tools
B) Designing security components that are simple and easy to verify
C) Outsourcing security to third-party vendors
D) Encrypting all data regardless of necessity
Answer: B
Explanation: Economy of mechanism (one of the Saltzer and Schroeder design principles) calls for small, simple, well-understood security designs: less code means fewer places for flaws to hide and a mechanism that can actually be reviewed and tested, which in turn reduces the attack surface.
Question 5. **What is the main difference between authentication and authorization?**
A) Authentication verifies identity; authorization determines access rights
B) Authentication encrypts data; authorization signs data
C) Authentication logs actions; authorization monitors performance
D) Authentication manages sessions; authorization handles cookies
Answer: A
Explanation: Authentication confirms who a user is, while authorization decides what the authenticated user is allowed to do.


D) Deployment
Answer: B
Explanation: The Construction domain of OWASP SAMM focuses on secure architecture, design, and coding practices.
Question 9. **During threat modeling, what is a “trust boundary”?**
A) The line where code is compiled
B) The point where data moves from a trusted to an untrusted zone
C) The moment when a user logs out
D) The encryption key storage location
Answer: B
Explanation: A trust boundary separates components with different trust levels (for example, the browser and the web server, or the application and its database). Data crossing the boundary in either direction must be validated, and the crossing itself protected by controls such as authentication and encryption.
Question 10. **Why is fixing a vulnerability during development typically cheaper than after release?**
A) Developers receive bonuses for early fixes
B) Fewer resources are required and downstream rework is avoided
C) Customers prefer paying for patches later
D) Licensing costs decrease
Answer: B
Explanation: Early remediation avoids costly redesign, regression testing, emergency patching and potential breach remediation after deployment.


Question 11. **Which type of injection exploits unsanitized user input to execute operating system commands?**
A) SQL Injection
B) LDAP Injection
C) Command Injection
D) XPath Injection
Answer: C
Explanation: Command injection occurs when user input is concatenated into a command string that is handed to a system shell, so shell metacharacters such as ; | & and $( ) in the input are interpreted as additional commands.
Question 12. **What is the primary defense against SQL Injection?**
A) Input length checks only
B) Parameterized queries / prepared statements
C) Disabling database logging
D) Using stored procedures exclusively
Answer: B
Explanation: Parameterized queries keep the SQL text fixed and send user values to the database separately, so input can never be interpreted as SQL. Stored procedures only help if they are themselves written with parameters; one that builds dynamic SQL by concatenation is just as injectable.
Question 13. **Which OWASP Top 10 category includes insecure direct object references (IDOR)?**
A) Broken Authentication
B) Sensitive Data Exposure
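Questions 11 and 12 are easier to remember with the two code shapes side by side. The following is an added example written for this page (not 7Safe's or the exam's own material): an in-memory SQLite table with constructed rows, a string-built query next to its parameterized form, and a command built for `shell=True` next to an argv list. The "ping" is replaced by a tiny Python one-liner that prints its first argument, purely so the example runs offline; the injection behaviour is identical.

```python
"""Injection: string-built SQL and shell commands versus parameterised calls."""
import sqlite3
import subprocess
import sys

# Stand-in for a real tool such as ping: prints its first argument (constructed).
SHOW_HOST = "import sys; print('host:', sys.argv[1])"


def make_db() -> sqlite3.Connection:
    # Constructed sample table; two users, each with a secret only they should see.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: the value is spliced into the SQL text, so the database parses it as code.
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    # SAFE: the query text is fixed; the driver sends the value separately and it
    # can only ever be compared as data, quotes and all.
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def ping_vulnerable(host: str) -> str:
    # VULNERABLE (Question 11): one string handed to /bin/sh, which interprets ; | & $( )
    cmd = f'{sys.executable} -c "{SHOW_HOST}" {host}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_safe(host: str) -> str:
    # SAFE: argv list and no shell; whatever host contains, it is exactly one argument.
    return subprocess.run(
        [sys.executable, "-c", SHOW_HOST, host], capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(db, payload))      # both rows leak
    print(lookup_parameterised(db, payload))   # []
    print(ping_vulnerable("localhost; echo INJECTED"))   # second command runs
    print(ping_safe("localhost; echo INJECTED"))         # treated as a (bad) hostname
```

The same rule applies to LDAP and XPath injection from the question's distractors: keep the query structure fixed and pass values through the API's binding mechanism rather than assembling strings.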


Explanation: Stored XSS persists the payload in a database or other storage, so every user who later retrieves the data executes it.
Question 16. **What does CSRF primarily exploit?**
A) Lack of input validation
B) Trust of the victim’s browser to send authenticated requests automatically
C) Weak password policies
D) Insecure cryptographic algorithms
Answer: B
Explanation: CSRF tricks a logged-in user’s browser into sending a forged request; because the browser attaches the session cookie automatically, the server accepts it as legitimate.
Question 17. **Which mitigation technique is most effective against CSRF?**
A) Using HTTP Basic Auth
B) Implementing SameSite cookie attribute and anti-CSRF tokens
C) Enabling CORS for all origins
D) Disabling JavaScript
Answer: B
Explanation: The SameSite attribute stops the browser from attaching the session cookie to cross-site requests (Lax still sends it on top-level GET navigations, Strict never does), and a per-session anti-CSRF token proves the request originated from a page the application itself served. Basic Auth is no defence: browsers resend those credentials automatically, exactly like cookies.
Question 18. **Insecure deserialization can lead to which severe outcome?**
A) Information disclosure only
B) Remote Code Execution (RCE)


C) Denial of Service only
D) None of the above
Answer: B
Explanation: Deserializing untrusted data lets an attacker choose which classes are instantiated and with what state; in many runtimes (Java, .NET, PHP, Python pickle) that is enough to chain existing code into arbitrary code execution.
Question 19. **Which practice helps prevent insecure deserialization attacks?**
A) Accepting any serialized format
B) Using signed and integrity-checked tokens (e.g., JWT) instead of raw objects
C) Storing serialized data in plain text files
D) Disabling TLS
Answer: B
Explanation: A signature lets the server reject tampered data before anything is deserialized, and a data-only format such as JSON cannot instantiate arbitrary classes the way native object serialization can. The signing key must stay server-side; a leaked key turns the check into a formality.
Question 20. **A default admin password left unchanged on a production server is an example of which security issue?**
A) Insecure cryptography
B) Security misconfiguration
C) Broken authentication
D) Insufficient logging
Answer: B
Explanation: Default credentials are a misconfiguration that attackers can exploit, often simply by trying the values from vendor documentation.
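Questions 18 and 19 in code. This is an added example, not part of the exam material: a Python `pickle` payload whose `__reduce__` makes the loader call `eval()` (the demo string only fetches the process id; a real payload would name `os.system`), followed by the safer pattern the answer key describes, an HMAC-signed JSON token that is verified in constant time before it is parsed. The signing key, token layout and `forge_role` helper are constructed for illustration; the standard-library HMAC stands in for the JWT library a real application would use.

```python
"""Insecure deserialisation: code-executing pickle versus signed, data-only JSON."""
import hashlib
import hmac
import json
import os
import pickle
import secrets


class Gadget:
    """Attacker-controlled object: its pickle reduction tells the loader which
    callable to run and with what arguments. eval() on a getpid() string keeps
    the demo harmless; the mechanism is the same for os.system("...")."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def attacker_blob() -> bytes:
    # What arrives over the wire: a serialised Gadget (constructed).
    return pickle.dumps(Gadget())


def load_untrusted_pickle(blob: bytes):
    # VULNERABLE (Question 18): pickle.loads runs whatever callable the bytes name,
    # before the caller ever sees an object it could validate.
    return pickle.loads(blob)


def current_pid() -> int:
    return os.getpid()


# --- safe alternative (Question 19): data-only format, MAC checked before parsing ---
SERVER_KEY = secrets.token_bytes(32)   # constructed; production keys come from a vault


def make_token(data: dict, key: bytes = SERVER_KEY) -> str:
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def read_token(token: str, key: bytes = SERVER_KEY) -> dict:
    body_hex, _, tag = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        raise ValueError("token rejected: malformed")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        raise ValueError("token rejected: bad signature")
    # json.loads can only yield dicts, lists and scalars: no constructor ever runs.
    return json.loads(body)


def forge_role(token: str, role: str) -> str:
    """Attacker's move against a signed token: rewrite the body, keep the old tag."""
    body_hex, _, tag = token.partition(".")
    data = json.loads(bytes.fromhex(body_hex))
    data["role"] = role
    new_body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return new_body.hex() + "." + tag


if __name__ == "__main__":
    print("pickle returned", load_untrusted_pickle(attacker_blob()), "== pid", current_pid())
    tok = make_token({"user": "alice", "role": "user"})
    print(read_token(tok))
    try:
        read_token(forge_role(tok, "admin"))
    except ValueError as e:
        print(e)
```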


C) Base64 encoding
D) No encoding needed
Answer: B
Explanation: HTML entity encoding converts characters such as <, >, &, " and ' to their entity equivalents, so a value placed inside a quoted HTML attribute cannot terminate the attribute or inject new ones. Base64 is not a defence: it is decoded, not neutralised.
Question 24. **Canonicalization is essential because:**
A) It encrypts data before storage
B) It normalizes different representations of the same data to prevent bypasses
C) It compresses data for faster transmission
D) It generates unique identifiers
Answer: B
Explanation: Normalizing input to one canonical form (for example, decoding URL-encoded strings, applying Unicode normalization, resolving "." and ".." in paths) before validating it stops attackers from using alternate encodings to slip past filters.
Question 25. **Which flag on a cookie ensures it is only sent over HTTPS connections?**
A) HttpOnly
B) Secure
C) SameSite
D) Path
Answer: B
Explanation: The Secure attribute tells browsers to transmit the cookie only over encrypted HTTPS connections.
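The two checks behind Questions 23 and 24, as an added example (not from the exam): attribute-context HTML encoding via `html.escape`, and a path canonicalizer that decodes percent-encoding until stable, applies NFKC normalization, rejects NUL bytes, collapses `.`/`..`, and only then checks the result against an allow-listed base directory. `BASE_DIR` and the sample inputs are constructed.

```python
"""Output encoding for HTML attributes and canonicalisation before path checks."""
import html
import posixpath
import unicodedata
from urllib.parse import unquote

BASE_DIR = "/srv/app/uploads"   # constructed: the only directory user paths may resolve into


def attr_encode(value: str) -> str:
    # quote=True also encodes " and ', so a value inside a quoted attribute
    # cannot close it or start a new attribute such as onmouseover=.
    return html.escape(value, quote=True)


def canonicalize_path(user_path: str, base: str = BASE_DIR) -> str:
    """Reduce the input to one canonical form, then enforce the allow-list.
    Raises ValueError for anything that does not land under base."""
    s = user_path
    # 1. Percent-decode until stable, so %252e%252e cannot hide a dot-dot.
    for _ in range(5):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    else:
        raise ValueError("too many encoding layers")
    # 2. Unicode compatibility normalisation: full-width "．" and "／" become "." and "/".
    s = unicodedata.normalize("NFKC", s)
    # 3. A NUL byte truncates the path in C-level APIs; refuse it outright.
    if "\x00" in s:
        raise ValueError("NUL byte in path")
    # 4. Treat the input as relative to base, collapse . and .., then check containment.
    relative = s.replace("\\", "/").lstrip("/")
    full = posixpath.normpath(posixpath.join(base, relative))
    if full != base and not full.startswith(base + "/"):
        raise ValueError("path escapes base directory")
    return full


if __name__ == "__main__":
    print(attr_encode('x" onmouseover="alert(1)'))
    print(canonicalize_path("reports/./2024/../q1.pdf"))
    for bad in ["%252e%252e/%252e%252e/etc/passwd", "\uff0e\uff0e/secret", "a%00.pdf"]:
        try:
            canonicalize_path(bad)
        except ValueError as e:
            print(repr(bad), "->", e)
```

The order matters: every normalisation step runs before the containment check, because a filter that looks for `..` in the raw input is exactly what the double-encoded and full-width variants are designed to walk past.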


Question 26. **What does the HttpOnly flag on a cookie protect against?**
A) Cross-site scripting (XSS) stealing the cookie via client-side scripts
B) Session fixation attacks
C) Man-in-the-middle decryption
D) CSRF attacks
Answer: A
Explanation: HttpOnly prevents JavaScript (document.cookie) from reading the cookie, so an XSS payload cannot exfiltrate it. The script can still issue requests that carry the cookie, so HttpOnly limits the damage of XSS rather than preventing it.
Question 27. **An absolute session timeout of 30 minutes means:**
A) The session expires after 30 minutes of total time, regardless of activity
B) The session expires after 30 minutes of inactivity
C) The session never expires
D) The session expires only when the user logs out
Answer: A
Explanation: An absolute timeout sets a hard limit on session lifespan, independent of user activity; it is normally paired with a shorter idle (inactivity) timeout.
Question 28. **Which logging practice helps maintain privacy compliance?**
A) Logging user passwords in plaintext
B) Redacting or omitting personally identifiable information (PII) from logs
C) Storing logs on the client side
D) Disabling logging entirely
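Questions 16, 17, 25, 26 and 27 all describe one piece of code: the session layer. The following is an added example written for this page, not the exam's own material. It keeps a session store with both an absolute and an idle timeout, emits the Set-Cookie header with Secure, HttpOnly and SameSite, and issues a per-session anti-CSRF token that is checked with a constant-time comparison. The timeout values, the injectable clock and the in-memory store are constructed choices for the illustration.

```python
"""Session cookies with Secure/HttpOnly/SameSite, absolute + idle timeouts, CSRF tokens."""
import hmac
import secrets
import time

ABSOLUTE_TIMEOUT = 30 * 60   # hard lifetime regardless of activity (Question 27)
IDLE_TIMEOUT = 10 * 60       # inactivity limit; both values constructed for the demo


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable so expiry can be tested
        self._sessions: dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)         # CSPRNG-backed, unguessable id
        now = self._clock()
        self._sessions[sid] = {
            "user": user,
            "created": now,
            "last_seen": now,
            "csrf": secrets.token_urlsafe(32),  # synchroniser token bound to this session
        }
        return sid

    def get(self, sid: str):
        """Return the live session record, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]             # expired on either limit: fail closed
            return None
        s["last_seen"] = now
        return s

    def csrf_token(self, sid: str):
        s = self.get(sid)
        return None if s is None else s["csrf"]

    def check_csrf(self, sid: str, submitted) -> bool:
        """True only for a live session whose token matches the submitted one."""
        s = self.get(sid)
        if s is None or not isinstance(submitted, str) or not submitted.isascii():
            return False
        # compare_digest: no early exit, so timing does not leak matching prefixes.
        return hmac.compare_digest(s["csrf"], submitted)


def session_cookie_header(sid: str) -> str:
    # Secure: sent over HTTPS only (Q25). HttpOnly: invisible to document.cookie (Q26).
    # SameSite=Lax: not attached to cross-site POSTs, the CSRF vector from Q16/Q17.
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print("csrf ok:", store.check_csrf(sid, store.csrf_token(sid)))
    print("forged ok:", store.check_csrf(sid, "not-the-token"))
```

Both defences from Question 17 are used together: SameSite covers the browser side, the token covers the case where a request still arrives with a cookie (older browsers, Lax's GET carve-out, subdomain takeover).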


B) SHA-1
C) bcrypt
D) DES
Answer: C
Explanation: bcrypt (like scrypt and Argon2) is a deliberately slow, salted password-hashing function with a tunable work factor, which makes offline brute-force attacks far more expensive. SHA-1 is a fast general-purpose hash and DES is a broken cipher; neither is suitable for password storage.
Question 32. **What is “salting” in password storage?**
A) Encrypting the password with a symmetric key
B) Adding a unique random value to each password before hashing
C) Storing passwords in clear text
D) Using a static secret pepper for all passwords
Answer: B
Explanation: A per-password salt ensures that identical passwords produce different hashes, defeating rainbow tables and forcing an attacker to crack each hash separately. A pepper (a secret shared across all hashes and kept outside the database) can be added on top, but it is not a substitute for per-password salts.
Question 33. **Which key management practice reduces the risk of secret leakage?**
A) Hard-coding API keys in source code
B) Storing keys in a secure vault or hardware security module (HSM)
C) Sharing keys via email
D) Embedding keys in client-side JavaScript
Answer: B


Explanation: Secure vaults or HSMs protect keys at rest, control and audit access, and keep them out of source control, mitigating accidental exposure.
Question 34. **Digital signatures primarily provide which security property?**
A) Confidentiality
B) Integrity and authenticity
C) Availability
D) Non-repudiation only
Answer: B
Explanation: A digital signature verifies that data has not been altered (integrity) and confirms the signer’s identity (authenticity). Non-repudiation follows from those two, provided the private key was under the signer’s sole control.
Question 35. **Which of the following is a common pitfall when generating cryptographic keys?**
A) Using a cryptographically secure random number generator (CSPRNG)
B) Deriving keys from predictable sources like timestamps
C) Rotating keys regularly
D) Storing keys in an encrypted database
Answer: B
Explanation: Predictable key material can be reproduced by an attacker who guesses the input (a timestamp to the second has only tens of millions of plausible values per year); keys must come from a CSPRNG with full entropy.
Question 36. **What is the main advantage of using AES-GCM over AES-CBC?**
A) GCM provides authenticated encryption, ensuring integrity in addition to confidentiality
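Questions 31 to 33 and 35 in working code, as an added example that is not part of the exam material: per-password salt from a CSPRNG, a slow key-derivation function, constant-time verification, a secret loaded from the environment rather than a literal, and the timestamp-seeded pitfall shown failing. `hashlib.scrypt` is used as a stand-in for bcrypt/Argon2 because it ships with the Python standard library; the cost parameters, the storage format and the `load_api_key` helper (standing in for a vault client) are constructed for this illustration.

```python
"""Password storage with per-user salt and a slow KDF; CSPRNG versus seeded PRNG keys."""
import hashlib
import hmac
import os
import random
import secrets

# scrypt cost parameters (constructed; tune so one hash takes ~100 ms on your hardware)
N, R, P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)   # unique per password (Question 32)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    # Self-describing record, so parameters can be raised later without breaking old rows.
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)   # no timing leak


def generate_key_good() -> bytes:
    # CSPRNG (Question 35, option A): not reconstructible from any observable input.
    return secrets.token_bytes(32)


def generate_key_bad(timestamp: int) -> bytes:
    # Pitfall from Question 35, option B: a non-cryptographic PRNG seeded with the
    # creation time. Anyone who guesses the second regenerates the key exactly.
    return random.Random(timestamp).randbytes(32)


def load_api_key(name: str) -> str:
    # Question 33: secrets arrive via the environment (injected by a vault agent or
    # secret manager), never as a literal in source. Constructed stand-in for a vault client.
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name} not provisioned")
    return value


if __name__ == "__main__":
    h1, h2 = hash_password("correct horse"), hash_password("correct horse")
    print(h1 != h2, verify_password("correct horse", h1), verify_password("wrong", h1))
    print(generate_key_bad(1700000000) == generate_key_bad(1700000000))   # True: reproducible
    print(generate_key_good() == generate_key_good())                     # False
```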


Explanation: X-Frame-Options (DENY or SAMEORIGIN) instructs browsers not to render the page inside a frame on other sites, preventing clickjacking; the CSP frame-ancestors directive is the modern, more granular replacement.
Question 39. **What does the Content-Security-Policy (CSP) directive “script-src ‘self’” accomplish?**
A) Allows scripts from any source
B) Blocks all scripts
C) Allows scripts only from the same origin as the page
D) Enables inline scripts
Answer: C
Explanation: ‘self’ limits script loading to resources that originate from the same scheme, host, and port as the document; inline scripts and event-handler attributes stay blocked unless a nonce, a hash or ‘unsafe-inline’ is added.
Question 40. **Which of the following is a recommended way to protect against XML External Entity (XXE) attacks?**
A) Disabling DTD processing in the XML parser
B) Allowing any external entity reference
C) Using only JSON for data exchange
D) Enabling schema validation without restrictions
Answer: A
Explanation: Turning off DTD (Document Type Definition) processing prevents the parser from declaring and resolving external entities, which is where XXE file disclosure and SSRF originate. Switching to JSON also avoids XXE but is rarely an option for an existing interface.
Question 41. **In the context of OWASP Top 10, which category includes “Using components with known vulnerabilities”?**


A) Security Misconfiguration
B) Vulnerable and Outdated Components
C) Broken Access Control
D) Insufficient Logging & Monitoring
Answer: B
Explanation: The “Vulnerable and Outdated Components” category (A06 in the 2021 OWASP Top 10, previously named “Using Components with Known Vulnerabilities”) addresses the risk of using libraries or frameworks that contain known flaws.
Question 42. **Which practice helps ensure that third-party libraries do not introduce security issues?**
A) Ignoring version updates
B) Regularly scanning dependencies with a Software Composition Analysis (SCA) tool
C) Embedding the source code directly without review
D) Disabling all security warnings
Answer: B
Explanation: SCA tools compare the dependency manifest, transitive dependencies included, against vulnerability databases, so known flaws surface promptly and can be remediated by upgrading.
Question 43. **What is the purpose of “defense-in-depth” in secure software engineering?**
A) To rely on a single security control
B) To layer multiple security mechanisms so that if one fails, others still protect the system
C) To eliminate the need for testing
D) To focus only on network security
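The XXE defence from Question 40 above, as an added example (not from the exam or 7Safe): a parser built on the standard-library expat binding that refuses any DOCTYPE, so no entity can be declared, and that additionally aborts if an external entity reference were ever encountered. The two sample documents, one clean and one carrying a classic `file:///etc/passwd` entity, are constructed.

```python
"""XXE hardening: an expat parser that fails closed on DTDs."""
import xml.parsers.expat


class DoctypeForbidden(ValueError):
    """Raised as soon as a DOCTYPE appears; the document is never processed further."""


def parse_no_dtd(data: bytes) -> dict:
    """Parse a small XML document into {tag: text}, refusing any DTD."""
    parser = xml.parsers.expat.ParserCreate()
    result: dict[str, str] = {}
    stack: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no <!ENTITY ...> declarations, internal or external (Question 40, A).
        raise DoctypeForbidden("DOCTYPE declarations are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: cannot be reached once DOCTYPE is refused, but returning 0
        # tells expat to abort instead of fetching the URI if it ever were.
        return 0

    def on_start(tag, attrs):
        stack.append(tag)
        result.setdefault(tag, "")

    def on_text(text):           # expat may deliver text in several chunks
        if stack:
            result[stack[-1]] += text

    def on_end(tag):
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return result


# Constructed sample documents.
SAFE_DOC = b"<order><item>widget</item><qty>2</qty></order>"
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b"<order><item>&xxe;</item></order>")


if __name__ == "__main__":
    print(parse_no_dtd(SAFE_DOC))
    try:
        parse_no_dtd(XXE_DOC)
    except DoctypeForbidden as e:
        print("rejected:", e)
```

Rejecting the DOCTYPE outright (rather than only ignoring external entities) also removes internal-entity expansion attacks such as "billion laughs", which need no external reference at all.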


B) Enforcing least-privilege principles for processes and users
C) Using HTTPS for all traffic
D) Disabling error messages
Answer: B
Explanation: Running every process and account with only the permissions it needs limits what an attacker can do after a compromise, closing off privilege escalation paths.
Question 47. **What is the primary security benefit of using a “sandbox” for executing untrusted code?**
A) Improves performance
B) Isolates the code from the host system, limiting its capabilities
C) Guarantees zero bugs in the code
D) Enables automatic code signing
Answer: B
Explanation: Sandboxing restricts file system, network, and system call access, containing any malicious behaviour within the sandbox boundary.
Question 48. **Which of the following is a secure method for transmitting a secret key from a client to a server?**
A) Sending it in a URL query parameter over HTTP
B) Embedding it in a JavaScript file
C) Using TLS (HTTPS) with mutual authentication
D) Storing it in a cookie without encryption


Answer: C
Explanation: TLS provides confidentiality and integrity in transit; mutual authentication (client certificates) additionally assures the server of the client’s identity, so the key is never handed to an impostor.
Question 49. **In the OWASP ASVS Level 2 requirement, what is the minimum password length recommended?**
A) 4 characters
B) 8 characters
C) 12 characters
D) No minimum
Answer: C
Explanation: ASVS 4.0 (requirement V2.1.1) requires user-set passwords to be at least 12 characters long, and that requirement applies at every level, Level 2 included. The 8-character figure comes from NIST SP 800-63B and older references, which is why some study material lists B; check which ASVS edition the exam you sit is written against.
Question 50. **Which of the following best describes “rate limiting” as a security control?**
A) Blocking all traffic from an IP address
B) Restricting the number of requests a client can make in a given timeframe
C) Encrypting all API responses
D) Using CAPTCHA on every page
Answer: B
Explanation: Rate limiting mitigates brute-force attacks, credential stuffing and API abuse by throttling request volume per client (IP address, account or API key), typically answering excess requests with HTTP 429.
Question 51. **Which HTTP status code should be returned when CSRF token validation fails?**
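Question 50 describes a control; here is one concrete form of it, as an added example that is not part of the exam material: a sliding-window limiter keyed per client, with an injectable clock so the behaviour can be reproduced exactly, plus a login wrapper that throttles on both source address and target account so a distributed password spray is caught as well as a single-source brute force. The limit of 5 requests per 60 seconds, the key prefixes and the client addresses are constructed.

```python
"""Sliding-window rate limiting keyed per client, applied to login attempts."""
from collections import deque
import time


class SlidingWindowLimiter:
    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.time):
        self.limit, self.window, self._clock = limit, window, clock
        self._hits: dict[str, deque] = {}      # client key -> timestamps of recent hits

    def allow(self, client: str) -> bool:
        """Record the hit and return True if client is under the limit, else False."""
        now = self._clock()
        q = self._hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:   # forget hits that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # caller should answer 429 Too Many Requests
        q.append(now)
        return True

    def retry_after(self, client: str) -> float:
        """Seconds until the oldest in-window hit expires (for a Retry-After header)."""
        q = self._hits.get(client)
        if not q or len(q) < self.limit:
            return 0.0
        return max(0.0, self.window - (self._clock() - q[0]))


def throttled(limiter: SlidingWindowLimiter, client_ip: str, username: str) -> bool:
    """True when a login attempt must be refused before any credential check runs.
    Keying on the account as well as the address is what stops a spray that uses
    a fresh IP for every guess against one user."""
    return not (limiter.allow(f"ip:{client_ip}") and limiter.allow(f"user:{username}"))


if __name__ == "__main__":
    lim = SlidingWindowLimiter(limit=5, window=60.0)
    for i in range(7):
        print("attempt", i + 1, "refused" if throttled(lim, "203.0.113.7", "alice") else "ok")
    print("retry after", round(lim.retry_after("ip:203.0.113.7")), "s")
```

In production the hit store lives in something shared across application instances (Redis is the usual choice), otherwise each node enforces its own, larger, effective limit.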