A developer-oriented exam covering secure SDLC practices, input validation, threat modeling, secure coding principles, code review, vulnerability detection, DevSecOps integration, API security, and language-specific security flaws (.NET, Java, etc.). Includes development-focused attack-and-defend scenarios.
Typology: Exams
Question 1. Which of the following best defines the primary goal of application security?
A) To eliminate all software bugs
B) To protect data confidentiality, integrity, and availability within an application
C) To ensure 100% uptime of the application
D) To replace functional requirements with security requirements
Answer: B
Explanation: Application security aims to safeguard the CIA triad (confidentiality, integrity, availability) for the data processed by the software, not to eradicate all bugs or guarantee uptime.

Question 2. In the context of the SDLC, integrating security activities during the requirements phase typically results in:
A) The highest cost to fix vulnerabilities
B) The lowest cost to fix vulnerabilities
C) No impact on cost because vulnerabilities are fixed later
D) Increased time to market without security benefits
Answer: B
Explanation: Fixing security defects early (requirements phase) is far cheaper than addressing them during coding, testing, or post‑deployment.

Question 3. Which OWASP Top 10 category directly addresses the risk of exposing database connection strings in source code?
A) Injection
B) Sensitive Data Exposure
C) Security Misconfiguration
D) Using Components with Known Vulnerabilities
Answer: C
Explanation: Security misconfiguration includes exposing credentials, default configurations, and insecure storage of sensitive data such as connection strings.

Question 4. An attacker exploits a vulnerable web form by sending the payload '; DROP TABLE Users;--. This is an example of:
A) OS Command Injection
B) SQL Injection (In‑band)
C) Cross‑Site Scripting (XSS)
D) LDAP Injection
Answer: B
Explanation: The payload terminates the original SQL statement and injects a new command, characteristic of in‑band SQL injection.

Question 5. Which of the following best describes a blind (inferential) SQL injection?
A) The application returns detailed database error messages.
B) The attacker receives no direct response but can infer data via behavior differences.
C) The injected query is executed on the client side.
D) The payload is encoded in base64.
Answer: B
B) Missing authentication check for a “delete account” function
C) Use of deprecated cryptographic algorithm
D) Failure to escape output in HTML
Answer: B
Explanation: A missing authentication check reflects an error in business logic, not a typical programming mistake like buffer overflow.

Question 9. A Distributed Denial‑of‑Service (DDoS) attack differs from a DoS attack primarily because:
A) It targets the application’s business logic.
B) It originates from multiple compromised hosts.
C) It exploits SQL injection vulnerabilities.
D) It requires physical access to the server.
Answer: B
Explanation: DDoS leverages a botnet or multiple sources to flood the target, whereas DoS uses a single source.

Question 10. Which of the following is NOT a common cause of insufficient transport layer protection?
A) Using HTTP instead of HTTPS for sensitive data
B) Not validating server certificates in TLS handshakes
C) Storing passwords in plain text in the database
D) Allowing weak cipher suites in TLS configuration
Answer: C
Explanation: Storing passwords in plain text is a data‑at‑rest issue, not a transport‑layer protection problem.

Question 11. In the context of security requirement engineering (SRE), a “use case” primarily describes:
A) The steps an attacker takes to exploit a vulnerability
B) The functional flow of a legitimate user interacting with the system
C) The hardware specifications needed for security controls
D) The cost‑benefit analysis of security controls
Answer: B
Explanation: A security use case outlines normal user behavior to identify where security controls must be applied.

Question 12. The SQUARE methodology includes which of the following activities?
A) Threat hunting on production systems
B) Prioritizing security requirements based on risk assessment
C) Deploying firewalls across all network segments
D) Conducting penetration testing only after release
Answer: B
Explanation: SQUARE (Security Quality Requirements Engineering) emphasizes eliciting, analyzing, and prioritizing security requirements.
B) Fail‑Securely
C) Defense‑in‑Depth
D) Input Validation (or “Never Trust Input”)
Answer: D
Explanation: While not an official named principle, the concept “Never Trust Input” underlies secure design and is essential for preventing injection attacks.

Question 16. A Web Application Firewall (WAF) primarily protects against which type of attacks?
A) Physical tampering of servers
B) Network‑layer DDoS attacks only
C) Application‑layer attacks such as XSS and SQL injection
D) Insider threats from privileged users
Answer: C
Explanation: WAFs inspect HTTP traffic to block malicious payloads targeting the application layer.

Question 17. Which design principle encourages separating duties so that no single component can perform all critical functions?
A) Least Privilege
B) Separation of Duties
C) Secure Defaults
D) Minimize Attack Surface
Answer: B
Explanation: Separation of Duties ensures that critical tasks are divided among multiple entities to reduce risk.

Question 18. When implementing defense‑in‑depth, which of the following is an example of a layered control?
A) Storing passwords in plain text but limiting access to the database
B) Using both input validation and parameterized queries for database access
C) Relying solely on network firewalls to block attacks
D) Disabling logging to improve performance
Answer: B
Explanation: Combining input validation (first layer) with parameterized queries (second layer) exemplifies defense‑in‑depth.

Question 19. In a three‑tier architecture, where should centralized logging typically be placed?
A) Presentation tier only
B) Business logic tier only
C) Data access tier only
D) Across all tiers, aggregating logs to a dedicated logging server
Answer: D
Explanation: Centralized logging collects events from all tiers to a secure server for analysis and retention.
Answer: B
Explanation: RBAC groups permissions into roles; users acquire those permissions by being assigned to roles.

Question 23. An Insecure Direct Object Reference (IDOR) vulnerability is best mitigated by:
A) Encrypting all URLs
B) Implementing proper access control checks on the server side
C) Using HTTPS for all traffic
D) Adding CAPTCHAs to forms
Answer: B
Explanation: IDOR occurs when the server fails to enforce authorization on object identifiers; proper server‑side checks prevent it.

Question 24. Which cryptographic primitive provides data integrity but not confidentiality?
A) Symmetric encryption (AES)
B) Asymmetric encryption (RSA)
C) Hash functions (SHA‑256)
D) Digital signatures
Answer: C
Explanation: Hash functions generate a digest to verify integrity; they do not encrypt the data.
Question 25. When using AES in CBC mode, which additional step is required to ensure confidentiality of the first block?
A) Use a static IV
B) Use a random IV and transmit it securely
C) Append a MAC after encryption
D) Perform key stretching
Answer: B
Explanation: A random, unpredictable IV prevents patterns in the first ciphertext block; it must be communicated (often in clear) alongside the ciphertext.

Question 26. Which of the following attacks exploits the reuse of a nonce in an encryption scheme?
A) Replay attack
B) Padding oracle attack
C) Key‑replay attack on stream ciphers
D) SQL injection
Answer: C
Explanation: Reusing a nonce with a stream cipher (or certain AEAD modes) allows attackers to recover plaintext by XOR‑ing ciphertexts.

Question 27. Session fixation can be prevented by:
A) Using HTTP only cookies
B) Regenerating the session ID after successful authentication
Explanation: Detailed error messages reveal internal implementation details and can aid attackers.

Question 30. Which of the following statements about static application security testing (SAST) is true?
A) It requires a running instance of the application.
B) It can detect runtime configuration issues.
C) It analyzes source code or binaries without execution.
D) It replaces the need for any dynamic testing.
Answer: C
Explanation: SAST is a white‑box technique that inspects code artifacts statically.

Question 31. A dynamic application security testing (DAST) tool is most effective at detecting:
A) Hard‑coded secrets in source files
B) SQL injection vulnerabilities in a live web application
C) Unused libraries in the codebase
D) Memory leaks in compiled binaries
Answer: B
Explanation: DAST interacts with a running application, making it suitable for detecting injection flaws.

Question 32. Software Composition Analysis (SCA) primarily helps organizations to:
A) Identify business logic errors in custom code
B) Detect vulnerable open‑source components and license issues
C) Perform fuzz testing on APIs
D) Harden the operating system configuration
Answer: B
Explanation: SCA scans dependencies to find known vulnerabilities and licensing problems.

Question 33. Which of the following is a secure default configuration for a newly deployed web server?
A) Directory listing enabled
B) All HTTP methods (GET, POST, PUT, DELETE) allowed
C) Default admin credentials unchanged
D) TLS 1.2 enabled with strong cipher suites only
Answer: D
Explanation: Enabling only TLS 1.2 with strong ciphers follows the principle of secure defaults.

Question 34. During pre‑deployment, which activity best ensures that the application’s security configuration is correct?
A) Running unit tests only
B) Conducting a configuration audit against a baseline checklist
C) Performing load testing for performance
D) Updating the user manual
Answer: B
A) Using gets() for input
B) Relying on compiler warnings only
C) Employing functions like strncpy() with explicit bounds checking
D) Disabling stack canaries
Answer: C
Explanation: strncpy() (or safer alternatives) allows the programmer to limit copied data, mitigating overflow risk.

Question 38. When implementing multi‑factor authentication (MFA), which combination provides the strongest security?
A) Password + security question
B) Password + OTP sent via SMS
C) Password + hardware token (e.g., YubiKey)
D) Password + biometric fingerprint
Answer: C
Explanation: Hardware tokens are resistant to phishing and replay attacks, offering stronger assurance than SMS or security questions.

Question 39. Which of the following is a characteristic of a strong session identifier?
A) Predictable sequential numbers
B) Short length (≤8 characters)
C) High entropy and randomness
D) Derived from the user’s username
Answer: C
Explanation: High entropy makes session IDs resistant to guessing and brute‑force attacks.

Question 40. Which OWASP Top 10 category directly addresses insufficient logging and monitoring?
A) A5 – Security Misconfiguration
B) A9 – Using Components with Known Vulnerabilities
C) A10 – Insufficient Logging & Monitoring
D) A3 – Sensitive Data Exposure
Answer: C
Explanation: The category explicitly covers lack of proper logging and monitoring.

Question 41. In threat modeling, a trust boundary is best described as:
A) The point where data is encrypted
B) The interface where data moves between components of differing trust levels
C) The location of the database server
D) The boundary of the corporate network
Answer: B
Explanation: Trust boundaries separate zones with different security assumptions, requiring controls at the interface.
C) Blocking all POST requests
D) Requiring a CAPTCHA for every form submission
Answer: B
Explanation: CSRF tokens are unique per session and must be submitted with state‑changing requests, confirming the request’s origin.

Question 45. Which of the following is an example of unvalidated redirects?
A) Using Response.Redirect(url) where url is taken directly from a query parameter without validation
B) Hard‑coding all redirects in the application
C) Redirecting only after successful authentication
D) Using relative URLs for internal navigation
Answer: A
Explanation: Accepting user‑controlled URLs for redirects without validation leads to open redirect vulnerabilities.

Question 46. In cryptographic key management, which practice reduces the risk of key exposure?
A) Storing keys in plain text on the file system
B) Embedding keys directly in source code
C) Using a hardware security module (HSM) for key storage and operations
D) Rotating keys once every five years
Answer: C
Explanation: HSMs protect keys in tamper‑resistant hardware and perform cryptographic operations without exposing the raw key.

Question 47. Which of the following best describes parameterized queries?
A) Queries that concatenate user input into SQL strings
B) Queries that use placeholders for user data, letting the database treat inputs as data, not code
C) Queries that are executed only during the deployment phase
D) Queries that are stored in a separate configuration file
Answer: B
Explanation: Parameterized (prepared) statements separate code from data, preventing SQL injection.

Question 48. Which of the following is a primary benefit of integrating security testing early in the Agile development process?
A) Reducing the need for any testing later in the lifecycle
B) Allowing security defects to be identified and fixed when they are cheapest to remediate
C) Eliminating the requirement for a security team
D) Ensuring that all code is written in a single programming language
Answer: B
Explanation: Early detection aligns with the lower cost of fixing defects early in the SDLC.

Question 49. An application logs user actions to a file that is world‑writable. This violates which security principle?
A) Defense‑in‑Depth