This certification targets application and security engineers with expertise in the secure software development lifecycle (SDLC). Exam topics include threat modeling, secure coding, static and dynamic analysis (SAST/DAST), vulnerability remediation, and integration of security practices into DevOps pipelines. It is commonly associated with EC-Council's CASE credentials.
Typology: Exams
Question 1. Which of the following best defines application security?
A) The process of developing software without vulnerabilities
B) Protecting applications from threats throughout their lifecycle
C) Ensuring physical security of server hardware
D) Managing user access to network devices
Answer: B
Explanation: Application security involves safeguarding applications from threats by implementing security measures throughout the software development and operational lifecycle.

Question 2. Why is security integrated into the Software Development Life Cycle (SDLC)?
A) To reduce development time
B) To ensure security considerations are addressed from the beginning
C) To eliminate the need for testing
D) To replace security training for developers
Answer: B
Explanation: Integrating security into the SDLC ensures vulnerabilities are addressed early, reducing the risks and costs associated with fixing security issues later.

Question 3. Which security testing method involves analyzing source code to identify vulnerabilities without executing the program?
A) DAST
B) SAST
C) RAST
D) Penetration testing
Answer: B
Explanation: Static Application Security Testing (SAST) analyzes source code or binaries without executing the application, detecting vulnerabilities early in development.

Question 4. In threat modeling, what does the STRIDE methodology stand for?
A) Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
B) Security, Trust, Risk, Integrity, Data, Escalation
C) Spoofing, Tunneling, Routing, Injection, Denial
D) System, Threat, Risk, Impact, Data, Exploit
Answer: A
Explanation: STRIDE categorizes common threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

A) Fail-safe defaults
B) Open design
C) Complete mediation
D) Psychological acceptability
Answer: B
Explanation: Open design holds that security should not rely on secrecy but on robust, peer-reviewed algorithms and designs.

Question 8. Which threat modeling technique involves assigning numeric values to risks for prioritization?
A) STRIDE
B) DREAD
C) PASTA
D) Attack tree analysis
Answer: B
Explanation: DREAD assigns scores to Damage, Reproducibility, Exploitability, Affected users, and Discoverability to quantify and prioritize risks.

Question 9. Which of the following is a secure architecture pattern that involves dividing an application into distinct layers with specific functions?
A) Layered security architecture
B) Monolithic architecture
C) Client-server architecture
D) Peer-to-peer architecture
Answer: A
Explanation: Layered security architecture separates components into layers, each with distinct security controls, enhancing defense.

Question 10. What is the purpose of data encryption at rest?
A) To improve application performance
B) To protect stored data from unauthorized access
C) To secure data during transmission
D) To enhance user authentication
Answer: B
Explanation: Data encryption at rest ensures stored data is unreadable without the decryption keys, protecting against data breaches.

Question 11. Which principle supports the idea that security controls should be designed to minimize user inconvenience while maintaining security?
A) Principle of least privilege
B) Psychological acceptability

D) To enhance output formatting
Answer: B
Explanation: Input validation ensures that untrusted data is sanitized and conforms to expected formats, preventing injection and related vulnerabilities.

Question 14. Which encoding strategy is most effective in preventing Cross-Site Scripting (XSS) attacks?
A) Base64 encoding
B) Context-specific output encoding
C) URL encoding
D) Unicode normalization
Answer: B
Explanation: Context-specific encoding, such as HTML entity encoding for HTML contexts, prevents malicious scripts from executing in browsers.

Question 15. In session management, what is a common attack that involves an attacker taking over a valid user session?
A) Cross-site scripting
B) Session fixation
C) SQL injection
D) Man-in-the-middle attack
Answer: B
Explanation: Session fixation involves an attacker setting a user's session ID in advance in order to take control of the session after the user authenticates.

Question 16. Which authorization model assigns permissions based on user attributes and environment?
A) Role-Based Access Control (RBAC)
B) Attribute-Based Access Control (ABAC)
C) Discretionary Access Control (DAC)
D) Mandatory Access Control (MAC)
Answer: B
Explanation: ABAC uses user attributes, resource attributes, and environmental conditions to determine access rights dynamically.

Question 17. What is a key benefit of secure error handling?
A) Faster application response
B) Avoiding leakage of sensitive information
C) Simplified debugging
D) Reduced server resource consumption
Answer: B

Question 20. Which of the following is a race condition vulnerability?
A) Multiple threads simultaneously modifying shared data, leading to inconsistent states
B) Unauthorized access to protected resources
C) SQL injection through user input
D) Cross-site scripting in web pages
Answer: A
Explanation: Race conditions occur when concurrent processes manipulate shared resources without proper synchronization, leading to unpredictable states.

Question 21. Which OWASP Top 10 vulnerability involves executing malicious SQL code through user input?
A) Injection
B) Broken Authentication
C) Sensitive Data Exposure
D) Cross-Site Scripting
Answer: A
Explanation: Injection vulnerabilities, including SQL injection, occur when untrusted input is executed as code within a database query.

Question 22. Which attack exploits the trust a website has in a third-party resource to deliver malicious payloads?
A) Cross-Site Request Forgery (CSRF)
B) Server-Side Request Forgery (SSRF)
C) Open redirect
D) Cross-Site Scripting (XSS)
Answer: B
Explanation: SSRF tricks a server into making unintended requests to internal or external systems, exploiting trust relationships.

Question 23. What security feature helps prevent unauthorized code execution on mobile platforms like iOS and Android?
A) Sandboxing
B) Multi-factor authentication
C) Data encryption
D) Password complexity rules
Answer: A
Explanation: Sandboxing isolates applications, limiting their access to system resources and preventing malicious code from affecting other apps.

A) To encrypt data
B) To verify the authenticity and integrity of a message
C) To hash data
D) To generate random numbers
Answer: B
Explanation: Digital signatures verify the sender's identity and confirm that the message has not been altered.

Question 27. What is the main security risk associated with using third-party libraries with known vulnerabilities?
A) Increased application performance
B) Introduction of exploitable security flaws
C) Reduced development time
D) Improved user experience
Answer: B
Explanation: Using vulnerable third-party libraries can introduce security flaws, potentially leading to exploits and data breaches.

Question 28. Which protocol provides secure communication for web applications by encrypting data in transit?
A) TCP
Answer: B
Explanation: TLS (Transport Layer Security) encrypts data transmitted between clients and servers, ensuring confidentiality and integrity.

Question 29. Which of the following is a common Privacy by Design principle?
A) Encrypt data at rest and in transit
B) Minimize data collection and retention
C) Use open source software
D) Implement multi-factor authentication
Answer: B
Explanation: Privacy by Design emphasizes minimizing data collection and retention to protect user privacy from the outset.

Question 30. Which type of attack involves maliciously crafting requests that alter the execution of server-side processes?
A) Cross-Site Request Forgery
B) Command Injection

D) To simplify code maintenance
Answer: B
Explanation: Secure coding practices focus on validating and sanitizing inputs to prevent vulnerabilities such as injection attacks.

Question 33. Which security model assigns permissions based on user roles within an organization?
A) Role-Based Access Control (RBAC)
B) Attribute-Based Access Control (ABAC)
C) Discretionary Access Control (DAC)
D) Mandatory Access Control (MAC)
Answer: A
Explanation: RBAC assigns permissions based on predefined roles, simplifying management of user privileges.

Question 34. How does input canonicalization help improve security?
A) By ensuring inputs are in a standard, normalized form
B) By encrypting user input
C) By blocking all special characters
D) By converting input to lowercase only
Answer: A
Explanation: Canonicalization normalizes input data before it is validated, preventing attackers from bypassing validation through encoding or obfuscation.

Question 35. Which security control is essential for protecting data transmitted over untrusted networks?
A) Data masking
B) Encryption (e.g., TLS/HTTPS)
C) Input validation
D) Access control
Answer: B
Explanation: Encryption protocols like TLS/HTTPS secure data in transit, preventing eavesdropping and man-in-the-middle attacks.

Question 36. Which of the following is an example of a secure default setting?
A) Enabling all network ports by default
B) Disabling unnecessary services and ports
C) Allowing all users to access sensitive data
D) Making software open source by default
Answer: B

Explanation: MD5 is considered insecure because of collision vulnerabilities and should not be used for security-sensitive hashing.

Question 39. What is a primary concern when dealing with insecure deserialization?
A) Loss of data
B) Remote code execution
C) Increased latency
D) Data corruption
Answer: B
Explanation: Insecure deserialization can lead to remote code execution, privilege escalation, or data tampering if untrusted data is deserialized.

Question 40. Which OWASP Top 10 vulnerability involves attackers exploiting improperly configured security headers or permissions?
A) Security misconfiguration
B) Sensitive Data Exposure
C) Broken Authentication
D) Insufficient Logging & Monitoring
Answer: A
Explanation: Security misconfiguration includes misconfigured security headers, permissions, or other settings that leave systems vulnerable.

Question 41. Which of the following best describes Cross-Site Request Forgery (CSRF)?
A) Forcing a user to execute unwanted actions by exploiting their authenticated session
B) Injecting malicious scripts into web pages
C) Intercepting data during transmission
D) Exploiting unpatched server vulnerabilities
Answer: A
Explanation: CSRF tricks authenticated users into executing unwanted actions on web applications without their consent.

Question 42. Which mobile platform feature helps prevent unauthorized access to stored data?
A) Sandboxing
B) Permissions
C) Keychain/Keystore
D) Multi-factor authentication
Answer: C