Certified Secure Software Lifecycle Professional Exam, Exams of Technology

Offered by (ISC)², this certification validates secure software development across the SDLC. Candidates are tested on threat modeling, secure architecture/design, secure coding, testing, and governance/compliance practices.

Typology: Exams

2024/2025

Available from 07/26/2025

BookVenture
Certified Secure Software Lifecycle Professional Exam
Question 1. Which principle is primarily focused on ensuring that only authorized users can access sensitive data or resources?
A) Confidentiality
B) Integrity
C) Availability
D) Non-repudiation
Answer: A
Explanation: Confidentiality ensures that sensitive information is accessible only to authorized individuals, preventing unauthorized access.
Question 2. In the context of the CIA triad, which aspect guarantees that data remains accurate and unaltered during storage or transmission?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Answer: B


Explanation: Integrity maintains the accuracy and consistency of data over its lifecycle, protecting against unauthorized modifications.
Question 3. Which of the following best describes the purpose of the AAA model in secure software?
A) To manage data encryption keys
B) To define authentication, authorization, and accounting processes
C) To establish secure coding standards
D) To perform threat modeling activities
Answer: B
Explanation: AAA stands for Authentication, Authorization, and Accounting, which collectively manage user identity, permissions, and activity tracking.
Question 4. Non-repudiation primarily provides assurance that:
A) Data is confidential
B) A party cannot deny involvement in a transaction
C) Data remains available during outages
D) Unauthorized access is prevented

C) Secure coding practices
D) Threat modeling procedures
Answer: B
Explanation: GDPR and CCPA focus on protecting individuals' privacy rights and controlling personal data processing.
Question 7. Which threat modeling methodology is characterized by identifying threats such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege?
A) DREAD
B) STRIDE
C) PASTA
D) OCTAVE
Answer: B
Explanation: STRIDE categorizes security threats into these six areas, providing a structured approach to threat identification.
Question 8. In the DREAD risk assessment model, which component measures the potential impact of a security threat?
A) Damage

B) Reproducibility
C) Exploitability
D) Affected Users
Answer: A
Explanation: DREAD's Damage component evaluates the severity of the impact if a threat is realized.
Question 9. An OWASP Top 10 vulnerability that involves injecting malicious code into a web application is known as:
A) Broken Access Control
B) Injection
C) Cross-Site Request Forgery
D) Security Misconfiguration
Answer: B
Explanation: Injection vulnerabilities occur when untrusted data is sent to an interpreter as part of a command or query, so that the interpreter executes commands the developer never intended (for example, SQL injection).
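The SQL injection named in Question 9, shown as an added example rather than anything from the exam dump: a login query that concatenates untrusted input beside the parameterized version of the same query. The table, the two user rows and the `' OR '1'='1` payload are constructed for the demonstration; the database is an in-memory SQLite instance from the standard library.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    # Untrusted input is spliced into the statement text, so the SQL
    # interpreter cannot distinguish data from code: a crafted password
    # rewrites the WHERE clause instead of being compared as a value.
    sql = (
        f"SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    # The statement is fixed at compile time; the values are bound to the
    # placeholders and are never parsed as SQL, whatever they contain.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    conn = make_db()
    payload = "' OR '1'='1"   # closes the quoted literal, then appends an always-true clause
    return {
        "bypass": login_vulnerable(conn, "alice", payload),     # every row comes back
        "safe": login_parameterized(conn, "alice", payload),    # no row: password literally mismatches
        "legit": login_parameterized(conn, "alice", "s3cret"),  # the intended behaviour
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the vulnerable statement becomes `... WHERE name = 'alice' AND password = '' OR '1'='1'`; because AND binds tighter than OR, the clause is true for every row and the caller "logs in" without a password. The parameterized form sends the same bytes as a bound value and returns nothing.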

Question 12. Which governance framework provides a comprehensive set of standards for establishing, maintaining, and improving security practices in organizations?
A) NIST
B) ISO 27001
C) PCI DSS
D) HIPAA
Answer: B
Explanation: ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
Question 13. Data classification involves categorizing data based on:
A) Its format and size
B) Its sensitivity and criticality
C) Its source and destination
D) Its storage location
Answer: B

Explanation: Data classification sorts data according to its sensitivity level and importance, guiding appropriate handling and security controls.
Question 14. Which of the following is a common secure design pattern used for managing cryptographic keys securely?
A) Singleton Pattern
B) Key Management Pattern
C) Factory Pattern
D) Observer Pattern
Answer: B
Explanation: Key Management patterns provide structured methods for generating, storing, distributing, and retiring cryptographic keys securely.
Question 15. Trust boundaries in software architecture are used to:
A) Define zones where different security policies apply
B) Separate internal and external network segments
C) Control data flow between components
D) All of the above

D) Data integrity verification through hashing
Answer: B
Explanation: PKI manages digital certificates and public-key cryptography, enabling secure communication and identity verification.
Question 18. Which source of entropy is considered most reliable for generating cryptographically secure randomness?
A) System clock
B) Hardware-based random number generators
C) User input timings
D) Pseudo-random number generators
Answer: B
Explanation: Hardware-based random number generators provide high-quality entropy for cryptographic purposes; a system clock or a non-cryptographic pseudo-random generator is predictable to an attacker who can guess the seed. In practice applications consume that entropy through the operating system's CSPRNG (for example /dev/urandom or getrandom() on Linux) rather than reading the hardware source directly.
Question 19. During security requirements elicitation, which technique involves describing potential misuse scenarios to identify security needs?
A) Use case analysis

B) Abuse case analysis
C) Functional decomposition
D) Data flow diagrams
Answer: B
Explanation: Abuse case analysis models how adversaries might misuse system features, revealing security requirements.
Question 20. In security requirements documentation, writing requirements that are clear, unambiguous, and testable is essential for:
A) Ensuring compliance only
B) Facilitating effective implementation and testing
C) Reducing development time
D) Limiting stakeholder involvement
Answer: B
Explanation: Clear, unambiguous, and testable requirements enable precise implementation and verification of security controls.
Question 21. Which security requirement category addresses capabilities such as user authentication and access controls?
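Why the system clock in Question 18 above is a poor entropy source, as an added example that is not part of the exam material: a token drawn from Python's `random` module seeded with a one-second timestamp is recovered by an attacker who knows roughly when it was issued, while a token from `secrets` (which reads the OS CSPRNG, fed by the kernel's hardware and event entropy) is not. The issue time and the search window are constructed values for the demonstration.

```python
import random
import secrets


def clock_seeded_token(when):
    # Weak: the Mersenne Twister PRNG is seeded with a clock value, so the
    # 128-bit token is fully determined by one small, guessable integer.
    rng = random.Random(int(when))
    return rng.getrandbits(128).to_bytes(16, "big").hex()


def secure_token():
    # secrets reads the operating system CSPRNG (getrandom()/urandom on
    # Linux), which is seeded from hardware RNGs and interrupt timing.
    return secrets.token_hex(16)


def recover_seed(token, approx_time, window=1800):
    # An attacker who saw one token and knows the issue time to within
    # `window` seconds simply replays the generator for every candidate
    # second; a match reveals the seed and therefore every other token
    # produced from it.
    base = int(approx_time)
    for candidate in range(base - window, base + window + 1):
        if clock_seeded_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    issued = 1_700_000_000          # constructed issue time (seconds since epoch)
    weak = clock_seeded_token(issued)
    print("weak token recovered at seed:", recover_seed(weak, issued + 600))
    print("secure token recovered at seed:", recover_seed(secure_token(), issued))
```

The search costs a few thousand PRNG seedings, well within a second on a laptop; widening the attacker's uncertainty to a day only multiplies that by a constant. A CSPRNG token has no seed to recover.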

A) Prioritize development tasks
B) Identify vulnerabilities early and design effective countermeasures
C) Reduce testing efforts later
D) All of the above
Answer: D
Explanation: Threat modeling at design enables early identification of security issues, facilitating effective mitigation and reducing downstream costs.
Question 24. In secure design principles, "defense in depth" refers to:
A) Using multiple layers of security controls to protect assets
B) Relying solely on encryption for security
C) Designing a system with only one security control layer
D) Avoiding the use of third-party components
Answer: A
Explanation: Defense in depth employs multiple overlapping security controls so that the failure or bypass of any single control does not by itself lead to a compromise.

Question 25. Which architectural pattern is especially suitable for designing scalable and secure cloud-native applications?
A) Monolithic architecture
B) Multi-tier architecture
C) Microservices architecture
D) Client-server architecture
Answer: C
Explanation: Microservices enable modular, scalable, and isolated components, facilitating security and agility in cloud-native environments.
Question 26. When designing for secure data storage, which practice helps protect data at rest?
A) Using SSL/TLS for transmission
B) Encrypting data using strong encryption algorithms
C) Implementing firewall rules
D) Limiting user access to the network
Answer: B
Explanation: Encrypting data at rest ensures that stored data remains confidential even if storage media are compromised, provided the encryption keys are kept separate from the data they protect.

Explanation: Access control mechanisms enforce permissions, preventing unauthorized access to resources.
Question 29. Secure API design should include:
A) Open access to all functions for flexibility
B) Proper authentication and authorization checks
C) No input validation to improve performance
D) Minimal logging to reduce overhead
Answer: B
Explanation: Every API request must be tied to a verified identity (authentication) and checked against what that identity is permitted to do with the requested resource (authorization), so that only legitimate callers reach each function.
Question 30. Conducting security reviews of architectural designs involves:
A) Verifying compliance with coding standards
B) Identifying insecure design patterns and flaws
C) Optimizing system performance only
D) Documenting user requirements only
Answer: B
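The AAA model of Question 3 applied to the API checks of Question 29, as an added example rather than code from the exam or from (ISC)²: a request handler that authenticates an HMAC-signed bearer token, authorizes the caller's role against a per-operation permission table (deny by default), and records every decision in an audit log for accounting. The signing key, the two operations, the roles and the token layout `user:role:expiry.signature` are all assumptions made for the demonstration; a real service would load the key from a secrets manager and would normally use a standard token format.

```python
import hashlib
import hmac
import time

# Hypothetical demo key; in production this comes from a secrets manager.
SECRET_KEY = b"assumed-demo-key-replace-with-a-managed-secret"

# Authorization table: which roles may invoke which operation.
# Anything not listed is denied.
PERMISSIONS = {
    "GET /reports": {"admin", "analyst"},
    "DELETE /reports": {"admin"},
}

# Accounting: one record per request, whatever the outcome.
AUDIT_LOG = []


def issue_token(user, role, ttl=300, now=None):
    now = time.time() if now is None else now
    payload = f"{user}:{role}:{int(now + ttl)}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def authenticate(token, now=None):
    """Return the identity carried by a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
        user, role, exp = payload.split(":")   # a ':' in the user name fails here
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time, no early exit
        return None                             # tampered payload or forged signature
    if int(exp) < now:
        return None                             # expired
    return {"user": user, "role": role}


def authorize(identity, operation):
    return identity["role"] in PERMISSIONS.get(operation, set())


def record(identity, operation, outcome):
    AUDIT_LOG.append({
        "user": identity["user"] if identity else None,
        "op": operation,
        "outcome": outcome,
    })


def handle(method, path, token, now=None):
    """Dispatch one request: authenticate, then authorize, then account."""
    operation = f"{method} {path}"
    identity = authenticate(token, now)
    if identity is None:
        record(None, operation, "unauthenticated")
        return 401, "authentication required"
    if not authorize(identity, operation):
        record(identity, operation, "forbidden")
        return 403, "forbidden"
    record(identity, operation, "ok")
    return 200, f"{operation} by {identity['user']}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    analyst = issue_token("bob", "analyst", now=t0)
    print(handle("GET", "/reports", analyst, now=t0 + 10))       # (200, ...)
    print(handle("DELETE", "/reports", analyst, now=t0 + 10))    # (403, ...)
    print(handle("GET", "/reports", analyst, now=t0 + 1000))     # (401, ...) expired
    print(AUDIT_LOG)
```

The order matters: an unauthenticated caller never reaches the authorization table, and the audit record is written on every path, including failures, so the log can answer "who tried what" as well as "who succeeded".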

Explanation: Security reviews aim to identify and remediate potential design flaws that could lead to vulnerabilities.
Question 31. Secure coding practices recommend avoiding which of the following common vulnerabilities?
A) Buffer overflows
B) Proper input sanitization
C) Secure memory management
D) Use of parameterized queries
Answer: A
Explanation: Buffer overflows are a common vulnerability resulting from improper memory handling (writing past the bounds of a fixed-size buffer) and must be prevented through bounds checking and memory-safe coding practices.
Question 32. Which static analysis technique is used to identify security vulnerabilities in source code?
A) Dynamic testing
B) Static Application Security Testing (SAST)
C) Penetration testing
D) Fuzz testing

Answer: B
Explanation: Secure environments protect sensitive data, ensure integrity, and prevent malicious modifications during development.
Question 35. Managing dependencies securely involves:
A) Ignoring vulnerability reports in third-party libraries
B) Regularly scanning for vulnerabilities and applying patches
C) Using unverified third-party libraries without review
D) Disabling dependency management tools
Answer: B
Explanation: Regular vulnerability scanning and applying updates reduce risks from third-party libraries.
Question 36. Which testing methodology involves executing the application with malicious inputs to find vulnerabilities?
A) Static testing
B) Fuzz testing
C) Code review
D) Formal verification

Answer: B
Explanation: Fuzz testing automatically generates random or malformed inputs, feeds them to the running program, and watches for crashes, hangs, or other unexpected behaviour that points to a vulnerability.
Question 37. Penetration testing differs from vulnerability assessment in that it:
A) Only identifies vulnerabilities without exploitation
B) Simulates real-world attacks to exploit vulnerabilities
C) Is performed only after deployment
D) Is a purely automated process
Answer: B
Explanation: Penetration testing actively exploits vulnerabilities to assess the security posture, providing more realistic insights.
Question 38. Which of the following is a key aspect of a security testing strategy?
A) Only testing during deployment
B) Defining test cases, metrics, and integrating tests into CI/CD pipelines
C) Ignoring manual testing in favor of automated scans only
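The fuzz testing of Question 36 in miniature, as an added example that is not part of the exam content: a mutation fuzzer takes one valid input, applies random bit flips, byte substitutions, insertions and deletions, and runs a parser on each mutant, recording any exception the parser did not mean to raise. The target is a constructed binary record format (a count byte followed by length-prefixed records); the first parser trusts the length field and crashes on malformed input, the hardened version validates every field and only ever raises its own `ParseError`. The seed input and the format itself are assumptions made for the demonstration.

```python
import random
import struct


class ParseError(ValueError):
    """The only exception a well-behaved parser should raise on bad input."""


def parse_records(data):
    # Format: 1-byte record count, then records of [2-byte BE length][type byte][body].
    # Naive: trusts the length field and the count, so malformed input crashes it.
    count = data[0]
    offset = 1
    records = []
    for _ in range(count):
        (length,) = struct.unpack_from(">H", data, offset)   # struct.error if truncated
        payload = data[offset + 2: offset + 2 + length]
        records.append((payload[0], bytes(payload[1:])))     # IndexError if length == 0
        offset += 2 + length
    return records


def parse_records_hardened(data):
    # Same format, every field checked against the real buffer before use.
    if not data:
        raise ParseError("empty input")
    count = data[0]
    offset = 1
    records = []
    for _ in range(count):
        if offset + 2 > len(data):
            raise ParseError("truncated length field")
        (length,) = struct.unpack_from(">H", data, offset)
        if length < 1 or offset + 2 + length > len(data):
            raise ParseError("bad record length")
        payload = data[offset + 2: offset + 2 + length]
        records.append((payload[0], bytes(payload[1:])))
        offset += 2 + length
    if offset != len(data):
        raise ParseError("trailing bytes")
    return records


def mutate(seed, rng):
    """Apply 1-4 random mutations to a copy of `seed`."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(4)
        if choice == 0 and buf:                      # flip one bit
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif choice == 1 and buf:                    # boundary value substitution
            buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
        elif choice == 2:                            # insert a random byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif choice == 3 and len(buf) > 1:           # delete a byte
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(parser, seed, iterations=2000, rng_seed=1):
    """Return {exception name: first crashing input} for exceptions other than ParseError."""
    rng = random.Random(rng_seed)                    # fixed seed: crashes are reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ParseError:
            continue                                 # rejecting bad input is correct
        except Exception as exc:                     # anything else is a bug in the parser
            crashes.setdefault(type(exc).__name__, case)
    return crashes


# Constructed valid seed: two records, (type 1, b"hi") and (type 2, b"x").
SEED = b"\x02" + b"\x00\x03\x01hi" + b"\x00\x02\x02x"

if __name__ == "__main__":
    print("naive parser crashes:", {k: v.hex() for k, v in fuzz(parse_records, SEED).items()})
    print("hardened parser crashes:", fuzz(parse_records_hardened, SEED))
```

Each crash is saved with the exact input that triggered it, which is what a fuzzing harness hands back to developers as a reproducer; a coverage-guided fuzzer (AFL, libFuzzer) keeps the mutants that reach new code paths as further seeds, but the mutate-run-observe loop is the same.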