




























































































Offered by (ISC)², this certification validates secure software development across the SDLC. Candidates are tested on threat modeling, secure architecture/design, secure coding, testing, and governance/compliance practices.
Typology: Exams





























































































Question 1. Which principle is primarily focused on ensuring that only authorized users can access sensitive data or resources?
A) Confidentiality
B) Integrity
C) Availability
D) Non-repudiation
Answer: A
Explanation: Confidentiality ensures that sensitive information is accessible only to authorized individuals, preventing unauthorized access.

Question 2. In the context of the CIA triad, which aspect guarantees that data remains accurate and unaltered during storage or transmission?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Answer: B
Explanation: Integrity maintains the accuracy and consistency of data over its lifecycle, protecting against unauthorized modifications.

Question 3. Which of the following best describes the purpose of the AAA model in secure software?
A) To manage data encryption keys
B) To define authentication, authorization, and accounting processes
C) To establish secure coding standards
D) To perform threat modeling activities
Answer: B
Explanation: AAA stands for Authentication, Authorization, and Accounting, which collectively manage user identity, permissions, and activity tracking.

Question 4. Non-repudiation primarily provides assurance that:
A) Data is confidential
B) A party cannot deny involvement in a transaction
C) Data remains available during outages
D) Unauthorized access is prevented

C) Secure coding practices
D) Threat modeling procedures
Answer: B
Explanation: GDPR and CCPA focus on protecting individuals' privacy rights and controlling personal data processing.

Question 7. Which threat modeling methodology is characterized by identifying threats such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege?
A) DREAD
B) STRIDE
C) PASTA
D) OCTAVE
Answer: B
Explanation: STRIDE categorizes security threats into these six areas, providing a structured approach to threat identification.

Question 8. In the DREAD risk assessment model, which component measures the potential impact of a security threat?
A) Damage
B) Reproducibility
C) Exploitability
D) Affected Users
Answer: A
Explanation: DREAD's Damage component evaluates the severity of the impact if a threat is realized.

Question 9. An OWASP Top 10 vulnerability that involves injecting malicious code into a web application is known as:
A) Broken Access Control
B) Injection
C) Cross-Site Request Forgery
D) Security Misconfiguration
Answer: B
Explanation: Injection vulnerabilities occur when untrusted data is sent to an interpreter, leading to execution of malicious code, such as SQL injection.

Question 12. Which governance framework provides a comprehensive set of standards for establishing, maintaining, and improving security practices in organizations?
A) NIST
B) ISO 27001
C) PCI DSS
D) HIPAA
Answer: B
Explanation: ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Question 13. Data classification involves categorizing data based on:
A) Its format and size
B) Its sensitivity and criticality
C) Its source and destination
D) Its storage location
Answer: B
Explanation: Data classification sorts data according to its sensitivity level and importance, guiding appropriate handling and security controls.

Question 14. Which of the following is a common secure design pattern used for managing cryptographic keys securely?
A) Singleton Pattern
B) Key Management Pattern
C) Factory Pattern
D) Observer Pattern
Answer: B
Explanation: Key Management patterns provide structured methods for generating, storing, distributing, and retiring cryptographic keys securely.

Question 15. Trust boundaries in software architecture are used to:
A) Define zones where different security policies apply
B) Separate internal and external network segments
C) Control data flow between components
D) All of the above

D) Data integrity verification through hashing
Answer: B
Explanation: PKI manages digital certificates and public-key cryptography, enabling secure communication and identity verification.

Question 18. Which source of entropy is considered most reliable for generating cryptographically secure randomness?
A) System clock
B) Hardware-based random number generators
C) User input timings
D) Pseudo-random number generators
Answer: B
Explanation: Hardware-based random number generators provide high-quality entropy for cryptographic purposes, unlike pseudo-random sources.

Question 19. During security requirements elicitation, which technique involves describing potential misuse scenarios to identify security needs?
A) Use case analysis
B) Abuse case analysis
C) Functional decomposition
D) Data flow diagrams
Answer: B
Explanation: Abuse case analysis models how adversaries might misuse system features, revealing security requirements.

Question 20. In security requirements documentation, writing requirements that are clear, unambiguous, and testable is essential for:
A) Ensuring compliance only
B) Facilitating effective implementation and testing
C) Reducing development time
D) Limiting stakeholder involvement
Answer: B
Explanation: Clear, unambiguous, and testable requirements enable precise implementation and verification of security controls.

Question 21. Which security requirement category addresses capabilities such as user authentication and access controls?

A) Prioritize development tasks
B) Identify vulnerabilities early and design effective countermeasures
C) Reduce testing efforts later
D) All of the above
Answer: D
Explanation: Threat modeling at design enables early identification of security issues, facilitating effective mitigation and reducing downstream costs.

Question 24. In secure design principles, "defense in depth" refers to:
A) Using multiple layers of security controls to protect assets
B) Relying solely on encryption for security
C) Designing a system with only one security control layer
D) Avoiding the use of third-party components
Answer: A
Explanation: Defense in depth employs multiple overlapping security controls to reduce the likelihood of a successful attack.

Question 25. Which architectural pattern is especially suitable for designing scalable and secure cloud-native applications?
A) Monolithic architecture
B) Multi-tier architecture
C) Microservices architecture
D) Client-server architecture
Answer: C
Explanation: Microservices enable modular, scalable, and isolated components, facilitating security and agility in cloud-native environments.

Question 26. When designing for secure data storage, which practice helps protect data at rest?
A) Using SSL/TLS for transmission
B) Encrypting data using strong encryption algorithms
C) Implementing firewall rules
D) Limiting user access to the network
Answer: B
Explanation: Encrypting data at rest ensures that stored data remains confidential even if storage media are compromised.

Explanation: Access control mechanisms enforce permissions, preventing unauthorized access to resources.

Question 29. Secure API design should include:
A) Open access to all functions for flexibility
B) Proper authentication and authorization checks
C) No input validation to improve performance
D) Minimal logging to reduce overhead
Answer: B
Explanation: Proper authentication and authorization ensure only legitimate users can access API functions, maintaining security.

Question 30. Conducting security reviews of architectural designs involves:
A) Verifying compliance with coding standards
B) Identifying insecure design patterns and flaws
C) Optimizing system performance only
D) Documenting user requirements only
Answer: B
Explanation: Security reviews aim to identify and remediate potential design flaws that could lead to vulnerabilities.

Question 31. Secure coding practices recommend avoiding which of the following common vulnerabilities?
A) Buffer overflows
B) Proper input sanitization
C) Secure memory management
D) Use of parameterized queries
Answer: A
Explanation: Buffer overflows are a common vulnerability resulting from improper memory handling and must be prevented through secure coding.

Question 32. Which static analysis technique is used to identify security vulnerabilities in source code?
A) Dynamic testing
B) Static Application Security Testing (SAST)
C) Penetration testing
D) Fuzz testing

Answer: B
Explanation: Secure environments protect sensitive data, ensure integrity, and prevent malicious modifications during development.

Question 35. Managing dependencies securely involves:
A) Ignoring vulnerability reports in third-party libraries
B) Regularly scanning for vulnerabilities and applying patches
C) Using unverified third-party libraries without review
D) Disabling dependency management tools
Answer: B
Explanation: Regular vulnerability scanning and applying updates reduce risks from third-party libraries.

Question 36. Which testing methodology involves executing the application with malicious inputs to find vulnerabilities?
A) Static testing
B) Fuzz testing
C) Code review
D) Formal verification
Answer: B
Explanation: Fuzz testing automatically generates random or malformed inputs to identify potential vulnerabilities during execution.

Question 37. Penetration testing differs from vulnerability assessment in that it:
A) Only identifies vulnerabilities without exploitation
B) Simulates real-world attacks to exploit vulnerabilities
C) Is performed only after deployment
D) Is a purely automated process
Answer: B
Explanation: Penetration testing actively exploits vulnerabilities to assess the security posture, providing more realistic insights.

Question 38. Which of the following is a key aspect of a security testing strategy?
A) Only testing during deployment
B) Defining test cases, metrics, and integrating tests into CI/CD pipelines
C) Ignoring manual testing in favor of automated scans only