Certified Application Security Engineer CASE Practice Exam, Exams of Technology

A developer-oriented exam covering secure SDLC practices, input validation, threat modeling, secure coding principles, code review, vulnerability detection, DevSecOps integration, API security, and language-specific security flaws (.NET, Java, etc.). Includes development-focused attack-and-defend scenarios.

Typology: Exams

2025/2026

Available from 12/05/2025

shilpi-jain-1
Certified Application Security Engineer CASE
Practice Exam
**Question 1.** Which of the following best defines the primary goal of application security?
A) To eliminate all software bugs
B) To protect data confidentiality, integrity, and availability within an application
C) To ensure 100 % uptime of the application
D) To replace functional requirements with security requirements
Answer: B
Explanation: Application security aims to safeguard the CIA triad (confidentiality, integrity, availability)
for the data processed by the software, not to eradicate all bugs or guarantee uptime.
**Question 2.** In the context of the SDLC, integrating security activities during the **requirements**
phase typically results in:
A) The highest cost to fix vulnerabilities
B) The lowest cost to fix vulnerabilities
C) No impact on cost because vulnerabilities are fixed later
D) Increased time to market without security benefits
Answer: B
Explanation: Fixing security defects early (requirements phase) is far cheaper than addressing them
during coding, testing, or post-deployment.
**Question 3.** Which OWASP Top 10 category directly addresses the risk of exposing database
connection strings in source code?
A) Injection
B) Sensitive Data Exposure
C) Security Misconfiguration
D) Using Components with Known Vulnerabilities
Answer: C
Explanation: Security misconfiguration includes exposing credentials, default configurations, and insecure storage of sensitive data such as connection strings.
**Question 4.** An attacker exploits a vulnerable web form by sending the payload `'; DROP TABLE Users;--`. This is an example of:
A) OS Command Injection
B) SQL Injection (In-band)
C) Cross-Site Scripting (XSS)
D) LDAP Injection
Answer: B
Explanation: The payload terminates the original SQL statement and injects a new command, characteristic of in-band SQL injection.
**Question 5.** Which of the following best describes a blind (inferential) SQL injection?
A) The application returns detailed database error messages.
B) The attacker receives no direct response but can infer data via behavior differences.
C) The injected query is executed on the client side.
D) The payload is encoded in base64.
Answer: B

B) Missing authentication check for a “delete account” function
C) Use of deprecated cryptographic algorithm
D) Failure to escape output in HTML
Answer: B
Explanation: A missing authentication check reflects an error in business logic, not a typical programming mistake like buffer overflow.
**Question 9.** A Distributed Denial-of-Service (DDoS) attack differs from a DoS attack primarily because:
A) It targets the application’s business logic.
B) It originates from multiple compromised hosts.
C) It exploits SQL injection vulnerabilities.
D) It requires physical access to the server.
Answer: B
Explanation: DDoS leverages a botnet or multiple sources to flood the target, whereas DoS uses a single source.
**Question 10.** Which of the following is NOT a common cause of insufficient transport layer protection?
A) Using HTTP instead of HTTPS for sensitive data
B) Not validating server certificates in TLS handshakes
C) Storing passwords in plain text in the database
D) Allowing weak cipher suites in TLS configuration

Answer: C
Explanation: Storing passwords in plain text is a data-at-rest issue, not a transport-layer protection problem.
**Question 11.** In the context of security requirement engineering (SRE), a “use case” primarily describes:
A) The steps an attacker takes to exploit a vulnerability
B) The functional flow of a legitimate user interacting with the system
C) The hardware specifications needed for security controls
D) The cost-benefit analysis of security controls
Answer: B
Explanation: A security use case outlines normal user behavior to identify where security controls must be applied.
**Question 12.** The SQUARE methodology includes which of the following activities?
A) Threat hunting on production systems
B) Prioritizing security requirements based on risk assessment
C) Deploying firewalls across all network segments
D) Conducting penetration testing only after release
Answer: B
Explanation: SQUARE (Security Quality Requirements Engineering) emphasizes eliciting, analyzing, and prioritizing security requirements.

B) Fail-Securely
C) Defense-in-Depth
D) Input Validation (or “Never Trust Input”)
Answer: D
Explanation: While not an official named principle, the concept “Never Trust Input” underlies secure design and is essential for preventing injection attacks.
**Question 16.** A Web Application Firewall (WAF) primarily protects against which type of attacks?
A) Physical tampering of servers
B) Network-layer DDoS attacks only
C) Application-layer attacks such as XSS and SQL injection
D) Insider threats from privileged users
Answer: C
Explanation: WAFs inspect HTTP traffic to block malicious payloads targeting the application layer.
**Question 17.** Which design principle encourages separating duties so that no single component can perform all critical functions?
A) Least Privilege
B) Separation of Duties
C) Secure Defaults
D) Minimize Attack Surface

Answer: B
Explanation: Separation of Duties ensures that critical tasks are divided among multiple entities to reduce risk.
**Question 18.** When implementing defense-in-depth, which of the following is an example of a layered control?
A) Storing passwords in plain text but limiting access to the database
B) Using both input validation and parameterized queries for database access
C) Relying solely on network firewalls to block attacks
D) Disabling logging to improve performance
Answer: B
Explanation: Combining input validation (first layer) with parameterized queries (second layer) exemplifies defense-in-depth.
**Question 19.** In a three-tier architecture, where should centralized logging typically be placed?
A) Presentation tier only
B) Business logic tier only
C) Data access tier only
D) Across all tiers, aggregating logs to a dedicated logging server
Answer: D
Explanation: Centralized logging collects events from all tiers to a secure server for analysis and retention.

Answer: B
Explanation: RBAC groups permissions into roles; users acquire those permissions by being assigned to roles.
**Question 23.** An Insecure Direct Object Reference (IDOR) vulnerability is best mitigated by:
A) Encrypting all URLs
B) Implementing proper access control checks on the server side
C) Using HTTPS for all traffic
D) Adding CAPTCHAs to forms
Answer: B
Explanation: IDOR occurs when the server fails to enforce authorization on object identifiers; proper server-side checks prevent it.
**Question 24.** Which cryptographic primitive provides data integrity but not confidentiality?
A) Symmetric encryption (AES)
B) Asymmetric encryption (RSA)
C) Hash functions (SHA-256)
D) Digital signatures
Answer: C
Explanation: Hash functions generate a digest to verify integrity; they do not encrypt the data.

**Question 25.** When using AES in CBC mode, which additional step is required to ensure confidentiality of the first block?
A) Use a static IV
B) Use a random IV and transmit it securely
C) Append a MAC after encryption
D) Perform key stretching
Answer: B
Explanation: A random, unpredictable IV prevents patterns in the first ciphertext block; it must be communicated (often in clear) alongside the ciphertext.
**Question 26.** Which of the following attacks exploits the reuse of a nonce in an encryption scheme?
A) Replay attack
B) Padding oracle attack
C) Key-replay attack on stream ciphers
D) SQL injection
Answer: C
Explanation: Reusing a nonce with a stream cipher (or certain AEAD modes) allows attackers to recover plaintext by XOR-ing ciphertexts.
**Question 27.** Session fixation can be prevented by:
A) Using HttpOnly cookies
B) Regenerating the session ID after successful authentication

Explanation: Detailed error messages reveal internal implementation details and can aid attackers.
**Question 30.** Which of the following statements about static application security testing (SAST) is true?
A) It requires a running instance of the application.
B) It can detect runtime configuration issues.
C) It analyzes source code or binaries without execution.
D) It replaces the need for any dynamic testing.
Answer: C
Explanation: SAST is a white-box technique that inspects code artifacts statically.
**Question 31.** A dynamic application security testing (DAST) tool is most effective at detecting:
A) Hard-coded secrets in source files
B) SQL injection vulnerabilities in a live web application
C) Unused libraries in the codebase
D) Memory leaks in compiled binaries
Answer: B
Explanation: DAST interacts with a running application, making it suitable for detecting injection flaws.
**Question 32.** Software Composition Analysis (SCA) primarily helps organizations to:
A) Identify business logic errors in custom code
B) Detect vulnerable open-source components and license issues

C) Perform fuzz testing on APIs
D) Harden the operating system configuration
Answer: B
Explanation: SCA scans dependencies to find known vulnerabilities and licensing problems.
**Question 33.** Which of the following is a secure default configuration for a newly deployed web server?
A) Directory listing enabled
B) All HTTP methods (GET, POST, PUT, DELETE) allowed
C) Default admin credentials unchanged
D) TLS 1.2 enabled with strong cipher suites only
Answer: D
Explanation: Enabling only TLS 1.2 with strong ciphers follows the principle of secure defaults.
**Question 34.** During pre-deployment, which activity best ensures that the application’s security configuration is correct?
A) Running unit tests only
B) Conducting a configuration audit against a baseline checklist
C) Performing load testing for performance
D) Updating the user manual
Answer: B

A) Using `gets()` for input
B) Relying on compiler warnings only
C) Employing functions like `strncpy()` with explicit bounds checking
D) Disabling stack canaries
Answer: C
Explanation: `strncpy()` (or safer alternatives) allows the programmer to limit copied data, mitigating overflow risk.
**Question 38.** When implementing multi-factor authentication (MFA), which combination provides the strongest security?
A) Password + security question
B) Password + OTP sent via SMS
C) Password + hardware token (e.g., YubiKey)
D) Password + biometric fingerprint
Answer: C
Explanation: Hardware tokens are resistant to phishing and replay attacks, offering stronger assurance than SMS or security questions.
**Question 39.** Which of the following is a characteristic of a strong session identifier?
A) Predictable sequential numbers
B) Short length (≤8 characters)
C) High entropy and randomness
D) Derived from the user’s username

Answer: C
Explanation: High entropy makes session IDs resistant to guessing and brute-force attacks.
**Question 40.** Which OWASP Top 10 category directly addresses insufficient logging and monitoring?
A) A5 – Security Misconfiguration
B) A9 – Using Components with Known Vulnerabilities
C) A10 – Insufficient Logging & Monitoring
D) A3 – Sensitive Data Exposure
Answer: C
Explanation: The category explicitly covers lack of proper logging and monitoring.
**Question 41.** In threat modeling, a trust boundary is best described as:
A) The point where data is encrypted
B) The interface where data moves between components of differing trust levels
C) The location of the database server
D) The boundary of the corporate network
Answer: B
Explanation: Trust boundaries separate zones with different security assumptions, requiring controls at the interface.

C) Blocking all POST requests
D) Requiring a CAPTCHA for every form submission
Answer: B
Explanation: CSRF tokens are unique per session and must be submitted with state-changing requests, confirming the request’s origin.
**Question 45.** Which of the following is an example of unvalidated redirects?
A) Using `Response.Redirect(url)` where `url` is taken directly from a query parameter without validation
B) Hard-coding all redirects in the application
C) Redirecting only after successful authentication
D) Using relative URLs for internal navigation
Answer: A
Explanation: Accepting user-controlled URLs for redirects without validation leads to open redirect vulnerabilities.
**Question 46.** In cryptographic key management, which practice reduces the risk of key exposure?
A) Storing keys in plain text on the file system
B) Embedding keys directly in source code
C) Using a hardware security module (HSM) for key storage and operations
D) Rotating keys once every five years
Answer: C

Explanation: HSMs protect keys in tamper-resistant hardware and perform cryptographic operations without exposing the raw key.
**Question 47.** Which of the following best describes parameterized queries?
A) Queries that concatenate user input into SQL strings
B) Queries that use placeholders for user data, letting the database treat inputs as data, not code
C) Queries that are executed only during the deployment phase
D) Queries that are stored in a separate configuration file
Answer: B
Explanation: Parameterized (prepared) statements separate code from data, preventing SQL injection.
**Question 48.** Which of the following is a primary benefit of integrating security testing early in the Agile development process?
A) Reducing the need for any testing later in the lifecycle
B) Allowing security defects to be identified and fixed when they are cheapest to remediate
C) Eliminating the requirement for a security team
D) Ensuring that all code is written in a single programming language
Answer: B
Explanation: Early detection aligns with the lower cost of fixing defects early in the SDLC.
**Question 49.** An application logs user actions to a file that is world-writable. This violates which security principle?
A) Defense-in-Depth