The CISSP Domain 8 – Software Development Security Ultimate Exam is an advanced study and preparation resource focused on secure software development lifecycle principles, application security controls, and secure coding practices. This exam covers critical topics such as SDLC models, DevSecOps integration, threat modeling, software testing methodologies, code review procedures, change management, application vulnerabilities, software supply chain risks, database security, and secure deployment strategies. Candidates will develop expertise in identifying software security weaknesses, implementing secure coding standards, and managing security throughout the development process. The Ultimate Exam features detailed explanations, practical scenarios, and high-quality practice questions aligned with CISSP software development security objectives to support cybersecurity certification success.
Typology: Exams
Question 1. Which of the following software development methodologies is highly structured, linear, and sequential, where security assessment is traditionally treated as a final verification step prior to release?
A) Agile
B) Spiral
C) Waterfall
D) Scrum
Answer: C
Explanation: The Waterfall model is a classic linear-sequential life cycle model where each phase must be completed before the next phase begins. In this traditional approach, security is often treated as an afterthought or a final verification gate, which can lead to expensive redesigns if vulnerabilities are discovered late.

Question 2. A development team is shifting from a traditional waterfall process to an iterative, fast-paced framework where security must be evaluated during brief, time-boxed cycles. Which methodology are they adopting?
A) Waterfall
B) Scrum
C) Cleanroom
D) Joint Application Design (JAD)
Answer: B
Explanation: Scrum is an Agile framework characterized by iterative, incremental progress through time-boxed cycles called sprints. Integrating security into Scrum requires breaking down security requirements into actionable items in the sprint backlog.

Question 3. Under the DevOps "Shift Left" philosophy, at what point should security considerations and testing ideally begin?
A) During the deployment phase
B) Immediately prior to production release
C) At the earliest stages of planning and requirements gathering
D) During the maintenance phase
Answer: C
Explanation: Shifting left refers to moving security practices to the earliest possible phases of the Software Development Life Cycle (SDLC), specifically during planning, requirements gathering, and initial design, to minimize the cost and complexity of fixing vulnerabilities later.

Question 4. In a Spiral development model, what is the primary driving factor that determines the progression and focus of each iteration?
A) Rigid completion dates
B) Code volume metrics
C) Risk analysis and assessment
D) Customer-led visual design changes
Answer: C
Explanation: The Spiral model is a risk-driven software development process model. It guides multi-disciplinary teams through iterations by focusing heavily on early identification, analysis, and mitigation of technical, financial, and security risks.

Question 5. During the requirements gathering phase of a new software project, the security engineer insists on defining "non-functional security requirements." Which of the following is an example of a non-functional security requirement?
A) Users must be able to reset their passwords via an email link.
D) Software Bill of Materials (SBOM)
Answer: B
Explanation: ASLR is a memory defense mechanism that randomly arranges the address space positions of key data areas (such as the stack, heap, and libraries) of a process. This makes it extremely difficult for an attacker to reliably predict target addresses to execute injected shellcode.

Question 8. An operating system security feature marks certain memory regions as non-executable, preventing code from running in those areas (such as the stack or heap). What is this feature called?
A) Sandboxing
B) Polyinstantiation
C) Address Space Layout Randomization (ASLR)
D) Data Execution Prevention (DEP)
Answer: D
Explanation: DEP (also known as No-Execute/NX or W^X, "Write XOR Execute") is a system-level memory protection capability that prevents code execution from non-executable memory regions, such as the stack and heap, blocking common exploit vectors like buffer overflows.

Question 9. In a DevSecOps CI/CD pipeline, what does the integration of automated security scanners directly within the build process achieve?
A) It eliminates the need for manual penetration testing entirely.
B) It ensures that every code commit is automatically evaluated for security flaws prior to deployment.
C) It guarantees 100% vulnerability-free software deployments.
D) It replaces the need for threat modeling during the design phase.
Answer: B
Explanation: Integrating automated security scanners (like SAST and dependency checkers) directly into the CI/CD build pipeline allows organizations to continuously test code commits for vulnerabilities, enforcing "shift left" security and stopping flawed builds early.

Question 10. When designing an application, why is it critical to explicitly document the trust boundaries?
A) To establish performance baselines for the network.
B) To identify where data flows cross from a lower level of trust to a higher level of trust, requiring validation.
C) To determine which open-source licenses are acceptable for use.
D) To allocate budget for hardware upgrades.
Answer: B
Explanation: Trust boundaries are conceptual lines in threat modeling where data passes between levels of different trust (e.g., from an unauthenticated internet user to an internal database). Identifying these boundaries dictates where input validation, authentication, and encryption controls must be applied.

Question 11. Which of the following is a security control integrated into modern Integrated Development Environments (IDEs) to help developers detect syntax-level security flaws in real time?
A) Software Bill of Materials (SBOM)
B) Real-time security linting plugins
C) Dynamic Application Security Testing (DAST)
D) Web Application Firewalls (WAF)
Answer: B
Explanation: Modern IDEs support security plugins and linters that analyze code in real time as the developer is typing. This helps identify common insecure coding

unauthorized or unreviewed modifications to the software baseline, maintaining SCM integrity.

Question 14. What is the primary purpose of a Software Bill of Materials (SBOM) in modern application development?
A) To detail the financial cost of all hardware components used to host the software.
B) To provide a structured, machine-readable inventory of all third-party software components, libraries, and dependencies utilized within an application.
C) To track the hourly productivity metrics of the development team.
D) To document the legal terms of service for end-users.
Answer: B
Explanation: An SBOM is an ingredient list of all third-party, commercial, and open-source software libraries, components, and dependencies used within an application. It is crucial for tracking license compliance and rapidly identifying software affected by newly discovered vulnerabilities (such as Log4j).

Question 15. A security team implements automated secret scanning on their Software Configuration Management (SCM) system. What is this control trying to detect?
A) Overly complex code functions.
B) Outdated open-source libraries.
C) Hardcoded credentials, API keys, or private cryptographic keys in committed code.
D) SQL injection vulnerabilities in database queries.
Answer: C
Explanation: Automated secret scanning tools scan source code repositories to detect accidentally committed sensitive assets, such as cloud provider credentials, API keys, passwords, and private cryptographic keys, allowing teams to revoke and rotate them before exploitation.
Question 16. When securing RESTful Application Programming Interfaces (APIs), which protocol is widely accepted as the standard framework for handling delegated authorization?
A) Simple Mail Transfer Protocol (SMTP)
B) OAuth 2.0
C) Simple Object Access Protocol (SOAP)
D) Simple Network Management Protocol (SNMP)
Answer: B
Explanation: OAuth 2.0 is an open standard framework designed specifically for token-based delegated authorization, allowing third-party applications to access restricted resources on behalf of a user without sharing the user's primary credentials.

Question 17. Which of the following represents a significant security difference between SOAP (Simple Object Access Protocol) and REST (Representational State Transfer) APIs?
A) SOAP is inherently insecure and cannot use encryption.
B) SOAP has built-in security standards (WS-Security) that provide enterprise-grade security extensions, whereas REST relies heavily on transport-layer security (HTTPS).
C) REST requires specialized binary compilers, while SOAP uses plain text interpreters.
D) REST is only compatible with legacy mainframes.
Answer: B
Explanation: SOAP features the WS-Security specification, which allows for message-level security controls (including XML encryption and digital signatures) within the message itself. REST relies primarily on standard transport-layer security (HTTPS/TLS) and application-level token validation (OAuth/JWT).
Question 20. Which testing methodology is characterized by executing an application and probing it from the outside to identify vulnerabilities, without having access to the source code or inner workings of the system?
A) Static Application Security Testing (SAST)
B) Dynamic Application Security Testing (DAST)
C) White-box Testing
D) Manual Code Review
Answer: B
Explanation: DAST is a black-box testing methodology where the running application is analyzed from the outside. DAST scanners simulate attacks against exposed endpoints to identify vulnerabilities (like SQL injection or XSS) without direct visibility into the application's source code.

Question 21. A security analyst is using a tool that analyzes the application's source code, byte code, or binaries for security vulnerabilities without executing the program. What is this method of testing?
A) Dynamic Application Security Testing (DAST)
B) Fuzzing
C) Static Application Security Testing (SAST)
D) Pen testing
Answer: C
Explanation: SAST is a white-box testing technique that scans source code, bytecode, or application binaries while at rest (unexecuted). It aims to find coding errors, architectural design issues, and compliance violations early in the SDLC.

Question 22. What is the principal advantage of Interactive Application Security Testing (IAST) over separate SAST and DAST implementations?
A) It does not require any computing power to run.
B) It performs physical hardware environmental checks.
C) It combines runtime execution analysis with internal code visibility, offering higher accuracy and lower false-positive rates.
D) It replaces the need for secure developer training.
Answer: C
Explanation: IAST deploys an agent inside the application runtime. By combining runtime behavior analysis (DAST-like) with direct visibility into the internal code execution flow, data flows, and memory (SAST-like), IAST produces highly accurate vulnerability reports with fewer false positives.

Question 23. During an automated build, a security tool generates thousands of random, malformed, or unexpected inputs to test an application's input parser for crashes, memory leaks, or improper error handling. What is this testing technique?
A) Peer Review
B) Threat Modeling
C) Fuzz Testing (Fuzzing)
D) Regression Testing
Answer: C
Explanation: Fuzzing is an automated testing technique that sends randomized, invalid, or unexpected inputs to a target program to find software bugs, memory corruptions, crash conditions, and security vulnerabilities caused by improper input validation.

Question 26. Which of the following represents a significant risk when heavily utilizing Open-Source Software (OSS) libraries in a software product?
A) OSS can never be run in cloud environments.
B) Licensing violations (e.g., using GPL code in a proprietary commercial application) and orphan projects with unpatched vulnerabilities.
C) OSS cannot handle HTTPS traffic.
D) There are no tools available to scan open-source software.
Answer: B
Explanation: Key risks of using OSS include legal/licensing compliance issues (such as viral licenses that force proprietary code to be made open source) and supply chain vulnerabilities arising from abandoned or poorly maintained projects.

Question 27. According to the Cloud Shared Responsibility Model, which party is typically responsible for securing the application layer and its data in a Software-as-a-Service (SaaS) arrangement?
A) The physical datacenter landlord.
B) The cloud provider entirely.
C) The cloud consumer (the customer).
D) The internet service provider.
Answer: C
Explanation: Even in a SaaS model where the cloud provider manages the physical infrastructure, hypervisor, OS, and underlying application platform, the cloud consumer (the customer) remains responsible for configuring application settings, managing user identities/access permissions, and protecting their own data.

Question 28. Which of the following is a critical step in maintaining a secure software supply chain?
A) Downloading dependencies directly from random public web forums to save time.
B) Relying entirely on the assumption that software vendors never get breached.
C) Establishing cryptographically signed software artifacts and utilizing private, curated package repositories.
D) Allowing developers to bypass change control during production emergencies.
Answer: C
Explanation: Secure supply chain practices involve ensuring the integrity and origin of software components. This is achieved by utilizing private repositories that scan and curate third-party packages, verifying cryptographic signatures of downloaded software, and monitoring SBOMs for vulnerabilities.

Question 29. An application allows users to directly enter text that is incorporated into an active database query without escaping or parameterization. This leaves the system highly vulnerable to which OWASP Top 10 threat?
A) Cross-Site Scripting (XSS)
B) Injection (such as SQL Injection)
C) Security Misconfiguration
D) Broken Object Level Authorization (BOLA)
Answer: B
Explanation: Injection vulnerabilities occur when untrusted user input is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Question 30. How does a Parameterized Query (or Prepared Statement) protect against SQL Injection vulnerabilities?
A) It encrypts the entire database so attackers cannot read it.

B) XSS exploits the user's trust in a site to execute scripts, while CSRF exploits a site's trust in a user's browser by executing unauthorized commands on behalf of an authenticated user.
C) XSS only occurs over local area networks, whereas CSRF requires a global WAN.
D) CSRF requires physical access to the target web server.
Answer: B
Explanation: In XSS, malicious scripts are executed in the user's browser because the browser trusts the vulnerable website. In CSRF, an attacker tricks the victim's authenticated browser into sending an unauthorized HTTP request to a trusted application, leveraging the session cookies already stored in the browser.

Question 33. A secure web application includes a unique, cryptographically strong, and unpredictable token with every state-changing HTTP request. What vulnerability is this control specifically designed to prevent?
A) SQL Injection
B) Buffer Overflow
C) Cross-Site Request Forgery (CSRF)
D) Directory Traversal
Answer: C
Explanation: Anti-CSRF (or synchronizer) tokens prevent CSRF attacks. Since an external attacker cannot guess or read this unique token associated with the user's current session, any unauthorized requests forged by the attacker will fail validation on the server.

Question 34. What type of vulnerability occurs when a program attempts to write more data to a memory storage block than it is allocated to hold, overwriting adjacent memory spaces and potentially hijacking execution flow?
A) Cross-Site Scripting
B) Buffer Overflow
C) Race Condition
D) Insecure Direct Object Reference (IDOR)
Answer: B
Explanation: A buffer overflow occurs when a program writes data beyond the boundary of a buffer, corrupting adjacent memory. Attackers exploit this to overwrite control structures, such as return addresses on the stack, to point to malicious shellcode.

Question 35. In secure coding, what is the concept of "Output Encoding" and why is it used?
A) It compresses data before storing it on disk to save space.
B) It converts user-supplied data into a safe format before rendering it in the browser, ensuring the browser interprets it as data rather than executable code (such as HTML or JavaScript).
C) It encrypts network traffic using modern hashing algorithms.
D) It standardizes the code syntax of developers.
Answer: B
Explanation: Output encoding (or context-aware encoding) translates potentially dangerous characters (like < or >) into safe equivalents (like &lt; or &gt;) before outputting them to a specific context (like HTML, JavaScript, or LDAP), preventing injection and XSS.

Question 36. An application crashes and displays a detailed stack trace, database connection strings, and inner system filenames on the user's web page. What security weakness does this represent?
A) Proper exception handling
C) Inference
D) Aggregation
Answer: C
Explanation: Inference is the process of analyzing and piecing together low-sensitivity or unclassified data records to derive or deduce high-sensitivity or classified information that the user is not authorized to know.

Question 39. What is the distinction between Aggregation and Inference in database security?
A) Aggregation requires physical access, whereas inference is done remotely.
B) Aggregation is the mathematical accumulation of data (where the sum of the data has a higher classification than the individual parts), while inference is the cognitive deduction of hidden information.
C) Aggregation only applies to SQL databases, whereas inference applies to NoSQL.
D) There is no distinction; they are identical terms.
Answer: B
Explanation: Aggregation occurs when a collection of individual data facts is gathered together, and the combined set is more sensitive or highly classified than any individual record (e.g., a phone book of secret agents). Inference is using that collected data to logically deduce or guess secret facts.

Question 40. In a multi-level secure database, how does "Polyinstantiation" help prevent inference attacks and data leakage?
A) By encrypting every database row with a unique cryptographic key.
B) By allowing multiple versions of the same database record to exist at different classification levels, preventing lower-clearance users from realizing higher-clearance data exists.
C) By forcing all users to share a single administrative account.
D) By running daily automated backups to multiple cloud regions.
Answer: B
Explanation: Polyinstantiation allows a database to contain multiple records with the same primary key but different data and classification levels. This prevents a low-clearance user from inferring the existence of highly classified records by attempting to insert a duplicate key, maintaining strict confidentiality.

Question 41. A development team is setting up a baseline version of a secure software environment to serve as a standard for all future deployments. What is this standard baseline commonly called?
A) Shadow Copy
B) Gold Image (or Secure Baseline)
C) Soft Link
D) Sandbox
Answer: B
Explanation: A Gold Image (or secure baseline) is a pre-configured, hardened, and thoroughly tested template of an operating system or software environment used to ensure consistent, secure, and rapid deployment of systems across an enterprise.

Question 42. Before applying a critical security patch directly to an organization's production servers, what is the single most important step in the patch management process?
A) Deleting all system audit logs.
B) Testing the patch in a staging environment that mirrors production to identify potential conflicts or performance issues.
C) Announcing the update on public social media.
D) Disabling the intrusion detection system.
Answer: B