Tailored for secure software development professionals, this practice exam covers SDL phases such as requirements gathering, architecture, coding, testing, deployment, and maintenance. It challenges candidates to apply secure coding standards, threat modeling techniques, vulnerability identification, and secure DevOps principles. The exam includes coding reviews, architecture flaw evaluations, SDLC documentation analysis, and secure deployment scenarios. It reinforces best practices in application security engineering and helps candidates understand how to embed security controls at every lifecycle phase.
Question 1. Which of the following best describes the principle of least privilege?
A) Granting users all permissions by default
B) Providing users only the access necessary to perform their job functions
C) Allowing administrators to override all security controls
D) Disabling all user accounts after a single failed login
Answer: B
Explanation: Least privilege limits each user's permissions to the minimum required for their role, reducing the attack surface.

Question 2. In the context of confidentiality, what is a covert channel?
A) A direct network socket used for data transfer
B) An unintended method of transmitting information that bypasses security controls
C) An encrypted tunnel between two servers
D) A public key infrastructure component
Answer: B
Explanation: A covert channel uses a shared system resource (a storage location or a timing characteristic) as an unintended communication path, so information crosses a policy boundary without passing through the normal access controls.

Question 3. Which cryptographic primitive provides data integrity and non-repudiation?
A) Symmetric encryption
B) Hash function with a digital signature
C) One-time pad
D) RSA key exchange
Answer: B
Explanation: A hash signed with the signer's private key shows that the data has not been altered and, because only the signer holds that key, ties the data to the signer.

Question 4. Which of the following is an example of a redundancy technique to improve availability?
A) Single-server deployment
B) Load-balanced cluster of web servers
C) Storing logs on a local hard drive only
D) Disabling automatic failover
Answer: B
Explanation: Load balancing across multiple servers provides redundancy, so if one fails the others continue serving traffic.

Question 5. Multi-Factor Authentication (MFA) typically combines which types of factors?
A) Something you know, something you have, something you are
B) Username and password only
C) IP address and MAC address
D) Session cookie and URL token
Answer: A
Explanation: MFA requires at least two of the three factor categories: knowledge, possession, and inherence.

Question 6. What does the "single sign-on" (SSO) capability primarily improve?
A) Encryption strength of data at rest
B) User convenience while maintaining authentication centralization
C) Physical security of server rooms
D) Redundancy of network paths
Answer: B
Answer: B
Explanation: The immutable, publicly verifiable ledger ensures that a transaction cannot be denied by its originator.

Question 10. Which regulatory standard specifically addresses payment-card data protection?
A) HIPAA
B) GDPR
C) PCI DSS
D) FERPA
Answer: C
Explanation: PCI DSS (Payment Card Industry Data Security Standard) defines requirements for securing cardholder data.

Question 11. The "defense in depth" strategy primarily means:
A) Using a single, strong firewall at the perimeter
B) Implementing multiple, layered security controls throughout the system
C) Relying solely on encryption for data protection
D) Disabling all external network connections
Answer: B
Explanation: Defense in depth uses overlapping controls (e.g., network, host, application) so that another layer still holds if one fails.

Question 12. Which design principle promotes "no single point of failure" (SPOF)?
A) Economy of mechanism
B) Complete mediation
C) Resiliency
D) Psychological acceptability
Answer: C
Explanation: Resiliency aims to keep the system operating despite component failures, which means eliminating SPOFs.

Question 13. "Open design" as a security principle is best described by Kerckhoffs's principle, which states:
A) Security should rely on secrecy of the algorithm
B) System design must be kept secret from users
C) The security of a system should depend only on the secrecy of the key, not the design
D) Only open-source software can be secure
Answer: C
Explanation: Kerckhoffs's principle asserts that a system should remain secure even when its design is public; only the keys need secrecy.

Question 14. Which of the following is an example of "least common mechanism"?
A) Sharing a single database connection string among all applications
B) Using separate, isolated containers for each microservice
C) Storing all logs in a common file
D) Implementing a global admin account for all environments
Answer: B
Explanation: Least common mechanism minimises the resources shared between components; isolated containers avoid a shared mechanism that one compromised service could use to affect another.

Question 15. A CAPTCHA primarily addresses which security concern?
Question 18. In a data-classification scheme, "high impact" data typically requires which of the following controls?
A) No encryption, as it is low-risk
B) Strong encryption at rest and in transit, strict access controls, and detailed audit logging
C) Only password protection on files
D) Public sharing on a website
Answer: B
Explanation: High-impact data demands robust confidentiality, integrity, and accountability mechanisms.

Question 19. Which role is primarily responsible for defining the sensitivity level of data?
A) Data custodian
B) Data processor
C) Data owner
D) End user
Answer: C
Explanation: The data owner determines classification, usage, and protection requirements for the data they own.

Question 20. A "misuse case" differs from a normal use case because it:
A) Describes legitimate user interactions only
B) Focuses on how an attacker might exploit the system
C) Is written in a programming language
D) Does not require stakeholder input
Answer: B
Explanation: Misuse cases model potential malicious actions, helping identify security gaps.
Question 21. In a Security Requirement Traceability Matrix (STRM), traceability links are established between:
A) Code modules and hardware specifications
B) Security requirements, design elements, test cases, and verification results
C) Marketing materials and user manuals
Question 22. Which security design principle requires that every access request be checked against the security policy, even if the user has previously been granted access?
A) Least privilege
B) Complete mediation
C) Open design
D) Economy of mechanism
Answer: B
Explanation: Complete mediation ensures each request is validated, preventing cached permissions from being abused.

Question 23. In a cloud IaaS model, which security responsibility lies with the customer?
A) Physical security of the data centre
Question 26. "Fail-secure" (deny-by-default) behavior means the system:
A) Reboots automatically after a crash
B) Grants access when a failure occurs
C) Denies access when a failure occurs
D) Continues processing with reduced security
Answer: C
Explanation: Fail-secure defaults to the most restrictive state on error.

Question 27. The "economy of mechanism" principle encourages:
A) Adding many security controls
B) Keeping designs simple and small
C) Using proprietary, complex algorithms
D) Frequent policy changes
Answer: B
Explanation: Simpler mechanisms are easier to verify and less error-prone.

Question 28. Which security pattern provides a central point for managing user identities and authentication across multiple applications?
A) Access proxy
B) Identity manager
C) Secure token service
D) Policy enforcement point
Answer: B
Explanation: An identity manager centralises authentication and provisioning.
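Questions 22 and 26 describe two properties of the same piece of code: the authorization check runs on every request (complete mediation) and any failure inside it results in a deny (fail-secure). The following Python is an added example, not part of the exam; the policy table, the user directory, the role names and the revoke() step are constructed to show both properties in one place.

```python
"""Policy enforcement that re-evaluates every request and denies on error.

Added example (not from the exam). POLICY, USERS and the roles are
constructed; a real system would query a policy decision point instead.
"""
import logging
from typing import Callable

log = logging.getLogger("authz")

# Constructed policy: role -> set of allowed (resource, action) pairs.
POLICY = {
    "analyst": {("report", "read")},
    "admin": {("report", "read"), ("report", "write"), ("user", "write")},
}

# Constructed user directory. Roles can be removed at runtime (revocation).
USERS = {"alice": "analyst", "bob": "admin"}


class AccessDenied(Exception):
    pass


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Evaluate the policy afresh for this one request.

    Nothing is cached: complete mediation means a role revoked a moment
    ago is already gone on the next call.
    """
    role = USERS[user]  # KeyError for an unknown user; the caller fails closed
    return (resource, action) in POLICY[role]


def enforce(user: str, resource: str, action: str) -> bool:
    """Fail-secure wrapper: any exception on the policy path is a deny."""
    try:
        allowed = is_allowed(user, resource, action)
    except Exception as exc:  # unknown user, missing role, broken policy store
        log.warning("authz error for %s on %s:%s (%r); denying", user, resource, action, exc)
        return False
    if not allowed:
        log.info("deny %s %s:%s", user, resource, action)
    return allowed


def mediated(resource: str, action: str) -> Callable:
    """Decorator that puts the check in front of every call, not just the first."""
    def wrap(fn):
        def inner(user, *args, **kwargs):
            if not enforce(user, resource, action):
                raise AccessDenied(f"{user} may not {action} {resource}")
            return fn(user, *args, **kwargs)
        return inner
    return wrap


@mediated("report", "write")
def write_report(user: str, body: str) -> str:
    return f"{user} wrote {len(body)} bytes"


def revoke(user: str) -> None:
    """Simulate an administrator removing the user between two requests."""
    USERS.pop(user, None)


def demo() -> list:
    """Sequence of decisions; the last one shows revocation taking effect immediately."""
    results = [
        enforce("alice", "report", "read"),     # True: allowed by role
        enforce("alice", "report", "write"),    # False: not in analyst's set
        enforce("mallory", "report", "read"),   # False: unknown user, fail-secure
        enforce("bob", "report", "write"),      # True: admin
    ]
    revoke("bob")
    results.append(enforce("bob", "report", "write"))  # False: re-checked, now denied
    return results
```

The point of the try/except in enforce() is that a bug or outage in the policy path (a missing directory entry, a store that cannot be reached) never turns into an allow; the point of the decorator is that no code path reaches write_report() without going through enforce() on that call.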
Question 29. The primary purpose of a Security Requirement Traceability Matrix (STRM) is to:
A) List all encryption keys used
B) Map security requirements to design, implementation, and test artifacts
C) Document user passwords
D) Record hardware serial numbers
Answer: B
Explanation: The STRM ensures every requirement is traced through the development lifecycle.

Question 30. Which of the following is a primary benefit of using a Software Composition Analysis (SCA) tool?
A) Detecting runtime memory leaks
B) Identifying known vulnerable open-source components
C) Performing static code analysis for business-logic errors
D) Generating UI mock-ups
Answer: B
Explanation: SCA scans the software bill of materials for components with known CVEs.

Question 31. The DREAD risk-assessment model evaluates threats based on:
A) Detectability, Reusability, Accessibility, Efficiency, Durability
B) Damage, Reproducibility, Exploitability, Affected users, Discoverability
C) Dependency, Resilience, Availability, Encryption, Disclosure
D) Development, Review, Auditing, Enforcement, Documentation
Answer: B
Explanation: DREAD stands for Damage, Reproducibility, Exploitability, Affected users, Discoverability.
Question 35. Which security pattern is used to protect credentials while in transit between services?
A) Identity manager
B) Secure token service (STS)
C) Access proxy
D) Policy enforcement point
Answer: B
Explanation: An STS issues short-lived, scoped tokens, so services exchange those instead of forwarding the caller's long-lived credentials.

Question 36. Which of the following is a primary benefit of "defense in depth" for a web application?
A) Only a WAF is needed
B) Multiple layers such as input validation, authentication, authorization, logging, and a WAF are employed
C) All traffic is allowed to simplify debugging
D) The application runs on a single server without segmentation
Answer: B
Explanation: Layered controls reduce the chance that a single flaw compromises the system.

Question 37. Which testing technique uses the source code to design test cases that achieve maximum path coverage?
A) Black-box testing
B) Grey-box testing
C) White-box testing
D) Exploratory testing
Answer: C
Explanation: White-box testing examines the internal structure to achieve path coverage.

Question 38. The primary purpose of a "fuzzing" test is to:
A) Verify ISO 27001 compliance
B) Generate random inputs to discover crashes or unexpected behaviour
C) Measure response time under load
D) Validate UI layout consistency
Answer: B
Explanation: Fuzzing feeds malformed data to expose handling errors.

Question 39. In a CI/CD pipeline, the best stage to run static application security testing (SAST) is:
A) After production deployment
B) During code-commit or pull-request validation
C) During user-acceptance testing (UAT)
D) Only when a security incident is reported
Answer: B
Explanation: Early SAST catches issues before they propagate downstream.

Question 40. Which security control most effectively prevents man-in-the-middle attacks on a web service?
A) Using HTTP instead of HTTPS
B) Enforcing TLS with certificate pinning
C) Disabling client-side validation
D) Allowing all traffic on port 80
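What Question 38 describes, as an added example that is not part of the exam: a constructed binary record parser with a deliberate defect (it trusts the length byte), a mutation fuzzer that edits seed inputs at random, and a triage rule that separates the parser's documented rejection (ValueError) from crashes. The record format, the seed inputs and the defect are all assumptions made for this example; a real run would point a coverage-guided fuzzer at the format handler you actually ship.

```python
"""Mutation fuzzing of a constructed length-prefixed record parser.

Added example (not from the exam). parse_records(), its defect and
SEEDS are constructed so the example runs offline and deterministically.
"""
import random


def parse_records(buf: bytes) -> list:
    """Records are: 1-byte length n, then n payload bytes whose last byte is
    a checksum (always 0 in this toy format).

    Deliberate defect: n is trusted, so a truncated final record makes the
    checksum lookup index past the payload and raises IndexError.
    """
    out = []
    i = 0
    while i < len(buf):
        n = buf[i]
        if n == 0:
            raise ValueError("zero-length record")  # documented rejection
        payload = buf[i + 1 : i + 1 + n]
        checksum = payload[n - 1]                   # IndexError when truncated
        if checksum != 0:
            raise ValueError("bad checksum")        # documented rejection
        out.append(payload[:-1])
        i += 1 + n
    return out


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random edit: overwrite a byte, truncate, or insert a byte."""
    b = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == 1 and b:
        del b[rng.randrange(len(b)):]
    else:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    return bytes(b)


def fuzz(target, seeds, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Drive target with mutated seeds.

    ValueError is how this parser says "malformed input"; any other
    exception is a finding (the input is kept for reproduction).
    """
    rng = random.Random(rng_seed)
    findings = []
    for _ in range(iterations):
        inp = mutate(rng.choice(seeds), rng)
        try:
            target(inp)
        except ValueError:
            continue
        except Exception as exc:
            findings.append((type(exc).__name__, inp))
    return findings


# Constructed well-formed seeds: [len][payload...][checksum 0].
SEEDS = [b"\x03ab\x00", b"\x02a\x00\x03xy\x00"]


def crash_classes() -> list:
    """Distinct exception types the fuzzer provoked, for the report."""
    return sorted({name for name, _ in fuzz(parse_records, SEEDS)})


if __name__ == "__main__":
    for name, inp in fuzz(parse_records, SEEDS)[:5]:
        print(name, inp)
```

Truncation and length-byte overwrites both reach the defect within a few hundred iterations, and every one of the recorded inputs reproduces the crash on its own, which is what makes the finding actionable: the fix is to reject a record whose declared length exceeds the bytes remaining before touching the payload.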
D) Containers guarantee compliance with all regulations
Answer: B
Explanation: Isolation reduces the attack surface and limits the impact of compromised components.

Question 44. In an incident-response plan, the "containment" phase primarily aims to:
A) Identify the root cause of the incident
B) Limit the spread of the incident and prevent further damage while remediation is prepared
C) Restore normal operations without analysis
D) Notify customers before any analysis is done
Answer: B
Explanation: Containment isolates affected systems to stop the attack from propagating; eradication (removing the attacker's foothold) and recovery are the phases that follow.

Question 45. A security metrics dashboard is used to:
A) Replace all manual security testing
B) Provide real-time visibility into security posture and trends for decision-making
C) Automatically patch systems without human approval
D) Store encryption keys for the organisation
Answer: B
Explanation: Dashboards summarise key indicators (e.g., vulnerabilities, incidents) to guide management.

Question 46. A code-signing certificate is primarily used to:
A) Encrypt data at rest
B) Verify the integrity and origin of software binaries
C) Authenticate users to a web application
D) Generate random passwords for users
Answer: B
Explanation: Digital signatures assure that code has not been altered and originates from a trusted publisher.

Question 47. "Hard-coding secrets" is an example of a security anti-pattern because:
A) It improves performance
B) Secrets become visible in source code and version control, increasing exposure risk
C) It complies with PCI DSS
D) It makes secret rotation easier
Answer: B
Explanation: Embedding keys or passwords in code makes them discoverable by anyone with access to the source or its history.

Question 48. Which principle ensures a user cannot grant themselves higher privileges without proper authorization?
A) Least privilege
B) Separation of duties
C) Complete mediation
D) Open design
Answer: B
Explanation: Separation of duties requires that the person requesting a privilege change cannot also approve it, so a user cannot elevate their own access; least privilege limits what is granted, not who may grant it.

Question 49. Verifying the cryptographic hash of a third-party library before use helps ensure:
A) The library is the latest version
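The check Question 49 refers to, in Python, as an added example that is not part of the exam. The artifact bytes, the lock file and the pin_artifact() step that records the known-good digest are constructed so the example runs offline; in practice the pinned digest comes from the vendor's signed release data or your dependency lock file, never from the same download you are checking.

```python
"""Verify a third-party artifact against a pinned SHA-256 digest before loading it.

Added example (not from the exam). GOOD, TAMPERED and LOCKFILE are
constructed; pin_artifact() stands in for the trusted source of the digest.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifact(lockfile: dict, name: str, data: bytes) -> dict:
    """Trusted side, done once: record the digest of the known-good bytes."""
    lockfile[name] = sha256_hex(data)
    return lockfile


def verify_artifact(lockfile: dict, name: str, data: bytes) -> bool:
    """Consumer side: an unknown name and a mismatched digest both fail closed.

    hmac.compare_digest keeps the comparison time independent of how many
    leading characters match; cheap insurance even for a local check.
    """
    expected = lockfile.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def load_library(lockfile: dict, name: str, data: bytes) -> bytes:
    """Gate use of the artifact on the check; never fall through on failure."""
    if not verify_artifact(lockfile, name, data):
        raise RuntimeError(f"{name}: digest mismatch, refusing to load")
    return data


# Constructed artifact standing in for a downloaded tarball.
GOOD = b"libfoo-1.2.3: trusted release bytes"
TAMPERED = GOOD + b"\x00"            # a single appended byte changes the digest
LOCKFILE = pin_artifact({}, "libfoo-1.2.3", GOOD)

if __name__ == "__main__":
    print(verify_artifact(LOCKFILE, "libfoo-1.2.3", GOOD))      # True
    print(verify_artifact(LOCKFILE, "libfoo-1.2.3", TAMPERED))  # False
```

A hash pin proves the bytes are the ones you recorded; it says nothing about who produced them, which is the gap that code signing (Question 46) closes.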
C) Perform OS patch management
D) Generate cryptographic keys for the application
Answer: B
Explanation: A WAF inspects HTTP traffic and enforces rules against known attack patterns.

Question 53. Under GDPR, a Data Protection Impact Assessment (DPIA) is required when:
A) Processing is occasional and low-risk
B) The processing is likely to result in a high risk to individuals' rights (e.g., large-scale profiling)
C) Data is stored on a local hard drive only
D) The organisation is a non-EU private individual
Answer: B
Explanation: DPIAs evaluate high-risk processing activities.

Question 54. An example of "defense in depth" for a database is:
A) Relying solely on a firewall
B) Using network segmentation, encryption at rest, role-based access control, and regular audits
C) Storing passwords in plain text inside the DB
D) Allowing all IP addresses to connect directly to the DB
Answer: B
Explanation: Multiple layers (network, encryption, access control, monitoring) protect the data.

Question 55. Tokenization is primarily used to:
A) Replace sensitive data with a non-sensitive surrogate that can be mapped back under controlled conditions
B) Generate random passwords for users
C) Compress large files for storage efficiency
D) Encrypt data using asymmetric keys only
Answer: A
Explanation: Tokenization removes sensitive data from the primary environment while preserving referential integrity.

Question 56. A key characteristic of immutable infrastructure in DevSecOps is:
A) Servers are patched in-place after deployment
B) Once deployed, infrastructure is never modified; updates are performed by redeploying new images
C) Configuration files are edited directly on production machines
D) All code is stored on mutable shared drives
Answer: B
Explanation: Immutable infrastructure eliminates drift and ensures consistency.

Question 57. The most appropriate method to protect API keys stored in source-code repositories is to:
A) Commit them in plain text for easy access
B) Store them in a secrets-management solution and reference them at build/run time
C) Encode them with Base64 and push the encoded string
D) Hide them behind HTML comments
Answer: B
Explanation: Secrets managers keep keys out of version control and enforce access controls.

Question 58. In threat modelling, the "attack surface" refers to:
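Question 55 in code, as an added example that is not part of the exam: a token vault that hands out a random surrogate for a card number, returns the same surrogate for the same number (so the surrogate can still be used as a join key, which is the "referential integrity" the explanation mentions), and maps it back only for an authorised role. The in-memory vault, the role name "payment-processor" and the well-known test number 4111111111111111 are constructed for this example; a production vault would persist its mapping encrypted and behind its own access controls.

```python
"""Tokenization vault: sensitive value in, non-sensitive surrogate out.

Added example (not from the exam). The vault is in-memory and the
authorised role name is an assumption; the card number is a test value.
"""
import secrets


class TokenVault:
    def __init__(self) -> None:
        self._token_to_pan: dict = {}
        self._pan_to_token: dict = {}  # one token per PAN so joins still work

    @staticmethod
    def luhn_ok(pan: str) -> bool:
        """Reject values that are not even well-formed card numbers."""
        total = 0
        for i, ch in enumerate(reversed(pan)):
            d = int(ch)
            if i % 2 == 1:
                d *= 2
                if d > 9:
                    d -= 9
            total += d
        return total % 10 == 0

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and self.luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # The token reveals nothing about the PAN except the last four digits,
        # which are commonly retained for display; the rest is random.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Mapping back is the controlled operation; only the vault can do it,
        and only for callers the policy allows."""
        if caller_role != "payment-processor":
            raise PermissionError("detokenization not permitted for this role")
        if token not in self._token_to_pan:
            raise LookupError("unknown token")
        return self._token_to_pan[token]


def demo() -> dict:
    """Round trip for one PAN; the token is what the rest of the system stores."""
    vault = TokenVault()
    pan = "4111111111111111"
    token = vault.tokenize(pan)
    return {
        "token_differs": token != pan,
        "stable": vault.tokenize(pan) == token,
        "round_trip": vault.detokenize(token, "payment-processor") == pan,
    }
```

Systems outside the vault only ever see the tok_ value, so a leak from a reporting database or a log exposes nothing that can be charged; the vault itself becomes the one place that needs PCI-grade controls.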