Certified Secure Software Lifecycle Professional PracticeUltimate Exam, Exams of Technology

The Certified Secure Software Lifecycle Professional PracticeUltimate Exam is a specialized study resource focused on integrating security throughout the software development lifecycle. Topics include secure coding principles, application security testing, threat modeling, vulnerability management, risk assessment, DevSecOps practices, security governance, compliance frameworks, and secure deployment methodologies. This preparation material helps IT and cybersecurity professionals strengthen secure development expertise and certification readiness.

Typology: Exams

2025/2026

Available from 05/11/2026

nicky-jone

Certified Secure Software Lifecycle Professional PracticeUltimate Exam
**Question 1. Which CIA-triad element primarily protects data from unauthorized
modification?**
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Answer: B
Explanation: Integrity ensures that information remains accurate and unaltered
unless an authorized change is made.
**Question 2. In a multi-factor authentication (MFA) scheme, which combination
provides the highest security?**
A) Password + security question
B) Password + OTP sent via SMS
C) Smart card + fingerprint
D) Username + password
Answer: C
Explanation: A smart card (something you have) combined with a fingerprint
(something you are) uses two different factor categories. Option B also
combines two categories (a password plus possession of the phone), but an
SMS-delivered OTP can be intercepted or diverted through SIM swapping, so the
hardware token plus biometric pairing is the strongest of the four; options A
and D rely on a single, knowledge-based category.
**Question 3. Non-repudiation is most closely associated with which of the following
techniques?**
A) Role-based access control
B) Digital signatures
C) Session time-outs
D) Data encryption at rest

Answer: B
Explanation: Digital signatures provide proof of origin and integrity, preventing a signer from denying having performed the action.
**Question 4. The principle of least privilege dictates that a process should run with:**
A) Administrator rights at all times
B) The highest privilege required for any possible task
C) Only the privileges needed for its current function
D) No privileges, relying on the OS to grant them dynamically
Answer: C
Explanation: Least privilege limits a process to the minimum rights necessary to perform its immediate tasks, reducing the attack surface.
**Question 5. Separation of duties is primarily used to mitigate which type of risk?**
A) Insider collusion
B) Distributed denial-of-service
C) Cross-site scripting
D) SQL injection
Answer: A
Explanation: By requiring multiple individuals to complete critical steps, separation of duties reduces the chance that a single insider can misuse privileges.
**Question 6. Defense in depth is best described as:**
A) Using a single strong firewall
B) Applying multiple, overlapping security controls across layers
**Question 9. Which non-functional security quality describes the system’s ability to continue operation under load or attack?**
A) Scalability
B) Reliability
C) Availability
D) Maintainability
Answer: C
Explanation: Availability ensures that services remain accessible even during high demand or malicious attempts.
**Question 10. GDPR primarily addresses which of the following concerns?**
A) Data encryption standards
B) Cross-border data transfer and individual privacy rights
C) Network intrusion detection
D) Software licensing compliance
Answer: B
Explanation: The General Data Protection Regulation governs personal data handling, privacy rights, and cross-border transfers within the EU.
**Question 11. In data classification, which category typically requires the strongest cryptographic protection?**
A) Public data
B) Internal data
C) Sensitive data
D) Confidential or regulated data
Answer: D
Explanation: Confidential or regulated data (e.g., PHI under HIPAA, cardholder data under PCI DSS) demands the highest level of encryption and access control.
**Question 12. An “abuse case” differs from a regular use case in that it focuses on:**
A) Desired system functionality for end users
B) System performance metrics
C) Potential malicious actions against the system
D) Database schema design
Answer: C
Explanation: Abuse cases model how an attacker might misuse or exploit the system, helping identify security gaps.
**Question 13. A traceability matrix is used to:**
A) Map code modules to developers
B) Link security requirements to design, implementation, and test artifacts
C) Record the number of vulnerabilities found per sprint
D) Document version control histories
Answer: B
Explanation: Traceability ensures each security requirement is addressed throughout the lifecycle and can be verified during testing.
**Question 14. In STRIDE threat modeling, “E” stands for:**
A) Elevation of privilege
B) Encryption failure
C) External spoofing
**Question 17. When selecting a third-party library, which factor is least relevant to its security posture?**
A) Number of recent releases
B) Popularity on GitHub
C) Presence of known CVEs in the library version
D) Whether it is licensed under MIT
Answer: D
Explanation: License type does not directly impact security; the other items relate to maintenance activity and vulnerability exposure.
**Question 18. Which API security practice helps prevent broken authentication attacks?**
A) Using HTTP GET for all requests
B) Embedding API keys in URLs
C) Enforcing OAuth 2.0 with short-lived access tokens
D) Allowing anonymous access to all endpoints
Answer: C
Explanation: OAuth 2.0 with short-lived tokens limits credential exposure and narrows the window in which a stolen token can be replayed.
**Question 19. Which OWASP Top 10 category is directly mitigated by proper output encoding?**
A) Injection
B) Broken Authentication
C) Cross-Site Scripting (XSS)
D) Security Misconfiguration
Answer: C
Explanation: Output encoding neutralizes attacker-supplied markup before the browser renders it, preventing XSS. (The 2021 edition of the OWASP Top 10 folds XSS into A03 Injection; the answer key here follows the earlier list, in which XSS was its own category.)
**Question 20. Parameterized queries primarily defend against:**
A) Cross-Site Request Forgery
B) SQL Injection
C) Insecure Direct Object References
D) Sensitive data exposure
Answer: B
Explanation: Parameterization separates code from data, ensuring user input cannot alter the SQL command structure.
**Question 21. Static Application Security Testing (SAST) differs from Dynamic Application Security Testing (DAST) in that SAST:**
A) Tests running applications in a production environment
B) Analyzes source code or binaries without executing them
C) Requires network traffic capture
D) Can only find runtime configuration issues
Answer: B
Explanation: SAST inspects code artifacts statically, while DAST interacts with a live application.
**Question 22. A manual peer review is especially valuable for detecting:**
A) Memory leaks detectable by automated tools
B) Logical flaws that static analysis may miss
C) Deprecated API usage
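The following is an added worked example, not material from the exam page, illustrating the point shared by Questions 19 and 20: keep untrusted input as data, never as code. It shows a string-concatenated SQL query beside its parameterised form, and raw HTML interpolation beside contextual output encoding. The table, the rows, the attacker strings and the function names are all constructed for this demo; it uses only the Python standard library (`sqlite3`, `html`).

```python
"""Added example: SQL injection vs. parameterised queries, and XSS vs. output
encoding.  Everything here (table, rows, attacker inputs) is constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory user table with one private row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_public INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String concatenation: the input becomes part of the SQL *code*.
    sql = "SELECT name, email FROM users WHERE is_public = 1 AND name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_parameterised(conn: sqlite3.Connection, name: str) -> list:
    # Placeholder binding: the input is always *data*, never parsed as SQL.
    sql = "SELECT name, email FROM users WHERE is_public = 1 AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(rows: list) -> str:
    # Raw interpolation into HTML: a name containing markup becomes script.
    return "".join(f"<li>{name}: {email}</li>" for name, email in rows)


def render_encoded(rows: list) -> str:
    # Output encoding for the HTML element-content context.
    return "".join(
        f"<li>{html.escape(name)}: {html.escape(email)}</li>" for name, email in rows
    )


# Constructed attacker input: closes the string literal and disables the filter.
INJECTION = "x' OR '1'='1"
# Constructed attacker-controlled row, as a profile field might supply it.
XSS_ROWS = [("<script>alert(1)</script>", "evil@example.com")]


def demo() -> dict:
    conn = make_db()
    return {
        # The OR clause defeats "is_public = 1", so bob's private row leaks.
        "vulnerable_rows": search_vulnerable(conn, INJECTION),
        # The same string is matched literally as a name, so nothing returns.
        "safe_rows": search_parameterised(conn, INJECTION),
        "vulnerable_html": render_vulnerable(XSS_ROWS),
        "encoded_html": render_encoded(XSS_ROWS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterised version and the encoded version each take the same untrusted string as the vulnerable one; the difference is only where the boundary between code and data is drawn. Note that `html.escape` is correct for element content; attribute values, URLs and JavaScript contexts each need their own encoder.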
A) Unit testing with mock objects
B) Fuzz testing with random, oversized inputs
C) Manual code review for style guidelines
D) Performance benchmarking
Answer: B
Explanation: Fuzzing feeds unexpected or oversized data, triggering memory-corruption bugs like buffer overflows.
**Question 26. During vulnerability scanning, a “false positive” indicates:**
A) A vulnerability that exists but is not reported
B) An identified issue that is actually not a security problem
C) A critical flaw that was missed by the scanner
D) A misconfiguration that prevents scanning
Answer: B
Explanation: False positives are reported findings that, upon verification, do not represent real vulnerabilities.
**Question 27. Penetration testing differs from vulnerability scanning because it:**
A) Only runs on source code
B) Simulates real-world attacker behavior and may chain multiple flaws together
C) Requires no prior knowledge of the system
D) Generates compliance reports automatically
Answer: B
Explanation: Penetration testing involves manual exploitation and chaining of vulnerabilities to assess impact, whereas scanning is automated and surface-level.
**Question 28. Test data that contains real customer information must be:**
A) Used as-is for realism
B) Sanitized or anonymized before being placed in a test environment
C) Encrypted but left in plain text on test servers
D) Stored on a shared network drive
Answer: B
Explanation: Sanitizing or anonymizing protects privacy and complies with data-protection regulations.
**Question 29. Which metric best reflects the efficiency of a vulnerability remediation process?**
A) Number of test cases executed per sprint
B) Time to Remediate (TTR)
C) Lines of code per developer
D) Mean time between failures (MTBF)
Answer: B
Explanation: TTR measures how quickly identified vulnerabilities are fixed, indicating remediation efficiency.
**Question 30. In an Agile SDLC, security stories are typically placed in the:**
A) Release planning phase only
B) Product backlog, prioritized alongside functional stories
C) Post-deployment maintenance window
D) Documentation sprint
B) Only works for mobile apps
C) Requires no configuration
D) Replaces the need for authentication
Answer: A
Explanation: RASP is embedded within the application, allowing it to monitor internal state and block attacks more precisely.
**Question 34. When decommissioning a legacy system, the most critical step to ensure data security is:**
A) Migrating the database to a new server
B) Shutting down the web server
C) Securely wiping all storage media containing sensitive data
D) Updating the user manual
Answer: C
Explanation: Proper data sanitization prevents residual data from being recovered after the system is retired.
**Question 35. A software supply-chain risk management (SCRM) program should first assess:**
A) The cost of each third-party component
B) The vendor’s security posture, including certifications and past incidents
C) The color of the vendor’s logo
D) The number of lines of code in the component
Answer: B
Explanation: Understanding a vendor’s security maturity helps prioritize risk mitigation actions.
**Question 36. Software Composition Analysis (SCA) tools primarily help organizations with:**
A) Detecting runtime memory leaks
B) Identifying open-source components and known vulnerabilities within them
C) Measuring code coverage of unit tests
D) Enforcing naming conventions
Answer: B
Explanation: SCA inventories the third-party components in a build (from manifests, lock files or binaries, typically producing a software bill of materials) and maps each component and version to vulnerability databases.
**Question 37. Provenance and pedigree verification of a third-party library ensures:**
A) The library is written in the same programming language as the host application
B) The library’s source and build process have not been tampered with
C) The library is free of all bugs
D) The library is compatible with the operating system
Answer: B
Explanation: Verifying origin and integrity confirms that the component is authentic and unchanged.
**Question 38. A contract clause that requires a vendor to notify the customer within 24 hours of a discovered vulnerability is an example of:**
A) Service Level Agreement (SLA) for uptime
B) Liability limitation
C) Security-related contractual obligation
D) Intellectual property transfer
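As an added example (not part of the exam page or of any SCA product), the core of what Question 36 describes: build a component inventory from a pinned dependency manifest and match each component's version against a vulnerability database with affected-version ranges. The requirements text, the advisories and their `DEMO-ADV-*` identifiers are constructed placeholders, not real packages' advisories or CVEs; the version parser is deliberately minimal (numeric dotted versions only) and a real tool implements the ecosystem's full version specification.

```python
"""Added example: the inventory-and-match step of Software Composition Analysis.
Manifest, advisories and advisory IDs are all constructed for this demo."""
import re

# Constructed pinned dependency manifest (requirements.txt style).
REQUIREMENTS = """\
requests==2.19.1
urllib3==1.26.5
pyyaml==5.4.1
# internal tooling, not on PyPI
acme-utils==0.3.0
"""

# Constructed advisories: (package, vulnerable lower bound inclusive,
# first fixed version exclusive, placeholder identifier).
ADVISORIES = [
    ("requests", "0", "2.20.0", "DEMO-ADV-001"),
    ("urllib3", "1.26.0", "1.26.6", "DEMO-ADV-002"),
    ("pyyaml", "0", "5.4", "DEMO-ADV-003"),
]


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; enough for this demo.  Real SCA tools
    # implement the ecosystem's version rules (PEP 440, semver, ...).
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> dict:
    # Build the component inventory (the SBOM content) from "name==version" pins.
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            inventory[m.group(1).lower()] = m.group(2)
    return inventory


def is_affected(version: str, lower: str, fixed: str) -> bool:
    # Affected iff lower <= version < fixed.  The fixed bound is exclusive, so a
    # version equal to the fix (or a patch above it) is correctly reported clean.
    v = parse_version(version)
    return parse_version(lower) <= v < parse_version(fixed)


def scan(inventory: dict, advisories: list) -> list:
    # Map each inventoried component to the advisories whose range contains it.
    findings = []
    for pkg, lower, fixed, adv_id in advisories:
        version = inventory.get(pkg)
        if version is not None and is_affected(version, lower, fixed):
            findings.append((pkg, version, adv_id, f"upgrade to >= {fixed}"))
    return findings


def run() -> list:
    return scan(parse_requirements(REQUIREMENTS), ADVISORIES)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Two things the output makes visible: `pyyaml==5.4.1` is not flagged because 5.4.1 is at or above the fixed version 5.4, so the exclusive upper bound matters; and `acme-utils` produces no finding only because the constructed database has no entry for it, which is the "unknown, not safe" case an SCA report should distinguish from "scanned, clean".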
A) Logging only successful login attempts
B) Storing logs in plaintext on the same server as the application
C) Using immutable, time-stamped, digitally signed log entries
D) Rotating logs daily without backup
Answer: C
Explanation: Digitally signed, tamper-evident logs provide proof of events and protect against alteration.
**Question 42. A “deny-by-default” firewall rule set means that:**
A) All traffic is allowed unless explicitly blocked
B) Only traffic matching explicit allow rules is permitted
C) The firewall blocks traffic only during maintenance windows
D) The firewall automatically updates its rules
Answer: B
Explanation: Deny-by-default blocks everything except traffic explicitly permitted, reducing exposure.
**Question 43. Which of the following is a characteristic of a “fail-secure” system?**
A) It continues operation with reduced functionality after a fault
B) It shuts down or locks out access to prevent unauthorized use when an error occurs
C) It logs the error and retries the operation automatically
D) It automatically patches itself
Answer: B
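An added example, not from the exam page, of what "immutable, time-stamped, digitally signed log entries" look like in practice: each entry carries a timestamp, commits to the digest of the previous entry (a hash chain), and is authenticated. An HMAC under a demo key stands in for the digital signature the answer describes; a production system would sign with a private key held outside the application host so the application itself cannot forge entries. The key, the timestamps, the messages and the function names are all constructed, and the example also shows the one tampering the chain alone cannot catch (truncating the tail), which is why the latest digest must be anchored externally.

```python
"""Added example: a hash-chained, authenticated, tamper-evident log.
Key, timestamps and messages are constructed; HMAC stands in for a signature."""
import copy
import hashlib
import hmac
import json

# Constructed key.  In practice it comes from a KMS/HSM, never from source.
DEMO_KEY = b"demo-log-signing-key"
GENESIS = "0" * 64  # digest the first entry chains to


def entry_digest(ts: str, msg: str, prev: str) -> str:
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps({"ts": ts, "msg": msg, "prev": prev}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append(log: list, ts: str, msg: str, key: bytes = DEMO_KEY) -> dict:
    # Each entry commits to its predecessor, so editing, deleting or reordering
    # any earlier entry breaks every digest after it.
    prev = log[-1]["digest"] if log else GENESIS
    digest = entry_digest(ts, msg, prev)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    entry = {"ts": ts, "msg": msg, "prev": prev, "digest": digest, "tag": tag}
    log.append(entry)
    return entry


def verify(log: list, key: bytes = DEMO_KEY, head: str = None) -> tuple:
    # Returns (ok, index of the first bad entry, or -1 when intact).
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev:
            return False, i  # chain broken: something before here was removed
        if entry_digest(e["ts"], e["msg"], e["prev"]) != e["digest"]:
            return False, i  # entry contents edited
        expected = hmac.new(key, e["digest"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["tag"]):
            return False, i  # digest recomputed without the key
        prev = e["digest"]
    # Cutting entries off the end leaves a valid chain; only an externally
    # anchored head digest (e.g. forwarded to a remote log store) catches it.
    if head is not None and prev != head:
        return False, len(log)
    return True, -1


def build_sample_log() -> list:
    # Constructed audit events with fixed timestamps.
    log = []
    append(log, "2025-01-01T10:00:00Z", "login ok user=alice")
    append(log, "2025-01-01T10:00:05Z", "login FAILED user=root")
    append(log, "2025-01-01T10:00:09Z", "role change user=alice role=admin")
    return log


def tamper_edit(log: list) -> list:
    # Attacker rewrites the failed root login to look benign.
    bad = copy.deepcopy(log)
    bad[1]["msg"] = "login ok user=root"
    return bad


def tamper_delete_middle(log: list) -> list:
    # Attacker removes the failed login entry entirely.
    bad = copy.deepcopy(log)
    del bad[1]
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["digest"]
    print("intact     :", verify(log, head=head))
    print("edited     :", verify(tamper_edit(log)))
    print("deleted    :", verify(tamper_delete_middle(log)))
    print("truncated  :", verify(log[:2]))            # chain alone passes
    print("truncated+ :", verify(log[:2], head=head))  # anchored head fails
```

Keep the key (or signing key) and the anchored head digest off the host that writes the log: if the application can compute tags, a compromise of that host can also rewrite history, which is exactly what option B in the question gets wrong.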
Explanation: Fail-secure means that on failure the system defaults to a secure state, typically denying access. It is not the same as fail-safe, which prioritizes safety over access control (a fail-safe door lock releases on power loss so people can exit; a fail-secure one stays locked).
**Question 44. When performing a threat model using STRIDE, the “S” (Spoofing) threat is most closely associated with which security control?**
A) Input validation
B) Strong authentication mechanisms
C) Data encryption at rest
D) Rate limiting
Answer: B
Explanation: Spoofing attacks are prevented by robust authentication that verifies the identity of users or components.
**Question 45. Which of the following is the best way to protect cryptographic keys in a cloud environment?**
A) Store them in a plain-text configuration file
B) Embed them in the application source code
C) Use a dedicated Hardware Security Module (HSM) or cloud Key Management Service (KMS)
D) Share them via email among developers
Answer: C
Explanation: HSMs/KMS provide secure storage, access control, and lifecycle management for cryptographic keys.
**Question 46. An organization wants to ensure that every security requirement can be verified by an automated test. Which artifact best supports this goal?**
A) A high-level architectural diagram
B) A detailed traceability matrix linking requirements to test cases
**Question 49. Which of the following is an example of a “security-by-design” activity performed during the architecture phase?**
A) Writing unit tests after code is complete
B) Conducting a STRIDE threat model to identify potential attacks early
C) Applying patches to the operating system after deployment
D) Conducting a user satisfaction survey
Answer: B
Explanation: Threat modeling during design integrates security considerations from the outset.
**Question 50. When implementing role-based access control (RBAC), the “least privilege” principle is enforced by:**
A) Assigning every user the “admin” role
B) Giving each role only the permissions required to perform its duties
C) Allowing users to request additional permissions at runtime
D) Ignoring separation of duties
Answer: B
Explanation: RBAC limits each role to the minimum necessary privileges, aligning with least privilege.
**Question 51. Which of the following is a primary advantage of using immutable infrastructure in a secure deployment pipeline?**
A) Reduces the need for configuration management tools
B) Guarantees that once an image is built, it cannot be altered, preventing drift and hidden malware
C) Allows developers to edit running containers directly
D) Eliminates the need for monitoring
Answer: B
Explanation: Immutable images are built once and never changed in place, ensuring consistency and reducing the chance of post-deployment tampering.
**Question 52. A “security incident” is defined as any event that:**
A) Improves system performance
B) Leads to a breach of confidentiality, integrity, or availability, or could lead to one
C) Involves a user forgetting a password
D) Requires a software update
Answer: B
Explanation: Incidents encompass actual or potential violations of the CIA triad.
**Question 53. Which of the following is the most effective way to mitigate “Insecure Direct Object References” (IDOR)?**
A) Relying on obscured URL parameters
B) Implementing server-side access control checks for every object request
C) Using client-side JavaScript validation only
D) Encrypting all URL parameters
Answer: B
Explanation: A server-side authorization check on each request confirms that the caller is permitted to access the specific object requested, which is exactly the check IDOR exploits the absence of.
**Question 54. A secure coding guideline recommends “use constant-time comparison for secrets.” This mitigates which type of attack?**
A) SQL injection
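An added example, not from the exam page, tying Question 50 to Question 53: a role-to-permission map that gives each role only what its duties need, and then an object-level check on every request. The vulnerable handler below stops at the role check and trusts the caller-supplied id, which is the IDOR pattern; the secure one binds the decision to the specific object (owner or an explicit read-any permission) and returns the same denial for "not yours" and "does not exist" so the id space cannot be enumerated. Users, roles, documents, ids and function names are all constructed.

```python
"""Added example: RBAC permissions plus per-object authorization (IDOR defence).
All users, roles, documents and ids are constructed for this demo."""
from dataclasses import dataclass

# Constructed role model: each role holds only the permissions its duties need.
ROLE_PERMISSIONS = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:update"},
    "auditor": {"document:read", "document:read_any"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed store with sequential ids, exactly the situation IDOR exploits.
DOCS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's payroll export"),
}


class Forbidden(Exception):
    pass


def has_permission(user: User, perm: str) -> bool:
    # Unknown roles get no permissions (deny by default).
    return perm in ROLE_PERMISSIONS.get(user.role, set())


def get_document_vulnerable(user: User, doc_id: int) -> str:
    # Checks only that the caller may read *some* document, then trusts the id:
    # any viewer can fetch any document by changing the number.
    if not has_permission(user, "document:read"):
        raise Forbidden("no read permission")
    return DOCS[doc_id].body


def get_document_secure(user: User, doc_id: int) -> str:
    # Role check first, then an object-level check bound to this specific id.
    if not has_permission(user, "document:read"):
        raise Forbidden("no read permission")
    doc = DOCS.get(doc_id)
    # One identical response for "missing" and "not yours", so the id space
    # cannot be enumerated by telling the two apart.
    if doc is None:
        raise Forbidden("not found")
    if doc.owner != user.name and not has_permission(user, "document:read_any"):
        raise Forbidden("not found")
    return doc.body


def try_read(fn, user: User, doc_id: int) -> str:
    try:
        return fn(user, doc_id)
    except Forbidden as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    alice = User("alice", "viewer")
    print("vulnerable, alice reads doc 2:", try_read(get_document_vulnerable, alice, 2))
    print("secure,     alice reads doc 2:", try_read(get_document_secure, alice, 2))
    print("secure,     alice reads doc 1:", try_read(get_document_secure, alice, 1))
    print("secure,     auditor reads doc 2:", try_read(get_document_secure, User("carol", "auditor"), 2))
```

The secure handler is the shape to copy: the object is loaded by id, the authorization decision is made against that loaded object's attributes, and the decision happens on the server for every request, so obscuring or encrypting the id (options A and D) adds nothing.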
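As an added example for the guideline quoted in Question 54 (not material from the exam page), the comparison below is instrumented to count how many bytes it inspects before returning. The naive loop exits at the first mismatch, so its work, and therefore its running time, grows with the length of the correctly guessed prefix; the constant-time form accumulates the differences with XOR and only looks at the result at the end. The token, the guesses and the function names are constructed; in production use `hmac.compare_digest` (or `secrets.compare_digest`) rather than a hand-rolled loop, and the block shows that call agreeing with the instrumented version.

```python
"""Added example: early-exit vs. constant-time secret comparison, instrumented
to count inspected bytes.  Token and guesses are constructed."""
import hmac


def naive_equal(a: bytes, b: bytes) -> tuple:
    # Returns (equal, bytes_inspected).  Stops at the first mismatch, so the
    # work done reveals how long a prefix of the guess was correct.
    if len(a) != len(b):
        return False, 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        if x != y:
            return False, inspected
    return True, inspected


def constant_time_equal(a: bytes, b: bytes) -> tuple:
    # Returns (equal, bytes_inspected).  Accumulates differences with OR/XOR and
    # never branches on the data, so every byte is always inspected.
    if len(a) != len(b):
        return False, 0
    diff = 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        diff |= x ^ y
    return diff == 0, inspected


def library_equal(a: bytes, b: bytes) -> bool:
    # What production code should call; same semantics as constant_time_equal.
    return hmac.compare_digest(a, b)


SECRET = b"7d9f2a4c1b8e6f03"  # constructed 16-byte API token


def guesses() -> list:
    # Constructed attacker guesses sharing 0, 4, 8 and all 16 bytes of prefix.
    return [b"0" * 16, SECRET[:4] + b"0" * 12, SECRET[:8] + b"0" * 8, SECRET]


def leak_profile(compare) -> list:
    # Bytes inspected per guess: a timing side channel if it varies with input.
    return [compare(SECRET, g)[1] for g in guesses()]


if __name__ == "__main__":
    print("naive    :", leak_profile(naive_equal))          # grows with matched prefix
    print("constant :", leak_profile(constant_time_equal))  # flat
    print("library  :", [library_equal(SECRET, g) for g in guesses()])
```

The length check returning early is acceptable only when the length of the secret is not itself secret (fixed-size tokens, MAC tags); for variable-length secrets, compare against a fixed-length digest of each side instead.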