Intrabench CSSLP Certified Secure Software Lifecycle Professional Practice Exam, Exams of Technology

Tailored for secure software development professionals, this practice exam covers SDL phases such as requirements gathering, architecture, coding, testing, deployment, and maintenance. It challenges candidates to apply secure coding standards, threat modeling techniques, vulnerability identification, and secure DevOps principles. The exam includes coding reviews, architecture flaw evaluations, SDLC documentation analysis, and secure deployment scenarios. It reinforces best practices in application security engineering and helps candidates understand how to embed security controls at every lifecycle phase.

Typology: Exams

2025/2026

Available from 01/07/2026

shilpi-jain-1
Intrabench CSSLP Certified Secure Software
Lifecycle Professional Practice Exam
**Question 1.** Which of the following best describes the principle of least privilege?
A) Granting users all permissions by default
B) Providing users only the access necessary to perform their job functions
C) Allowing administrators to override all security controls
D) Disabling all user accounts after a single failed login
Answer: B
Explanation: Least privilege limits each user's permissions to the minimum required for their role, reducing the attack surface.
**Question 2.** In the context of confidentiality, what is a covert channel?
A) A direct network socket used for data transfer
B) An unintended method of transmitting information that bypasses security controls
C) An encrypted tunnel between two servers
D) A public key infrastructure component
Answer: B
Explanation: Covert channels move data through mechanisms never intended for communication (for example, timing or shared-storage side effects), so the transfer bypasses the access-control policy and the normal audit paths.
**Question 3.** Which cryptographic primitive provides data integrity and non-repudiation?
A) Symmetric encryption
B) Hash function with a digital signature
C) One-time pad
D) RSA key exchange
Answer: B
Explanation: A hash combined with a private-key signature ensures the data has not been altered and ties it to the signer, who alone holds the private key. A MAC under a shared key gives integrity but not non-repudiation, because either party could have produced the tag.


**Question 4.** Which of the following is an example of a redundancy technique to improve availability?
A) Single-server deployment
B) Load-balanced cluster of web servers
C) Storing logs on a local hard drive only
D) Disabling automatic failover
Answer: B
Explanation: Load balancing across multiple servers provides redundancy, so if one fails, others continue serving traffic.
**Question 5.** Multi-Factor Authentication (MFA) typically combines which types of factors?
A) Something you know, something you have, something you are
B) Username and password only
C) IP address and MAC address
D) Session cookie and URL token
Answer: A
Explanation: MFA enhances security by requiring at least two of the three factor categories: knowledge, possession, and inherence.
**Question 6.** What does the "single sign-on" (SSO) capability primarily improve?
A) Encryption strength of data at rest
B) User convenience while maintaining authentication centralization
C) Physical security of server rooms
D) Redundancy of network paths
Answer: B


Answer: B
Explanation: The immutable, publicly verifiable ledger ensures that a transaction cannot be denied by its originator.
**Question 10.** Which regulatory standard specifically addresses payment-card data protection?
A) HIPAA
B) GDPR
C) PCI DSS
D) FERPA
Answer: C
Explanation: PCI DSS (Payment Card Industry Data Security Standard) defines requirements for securing cardholder data.
**Question 11.** The "defense in depth" strategy primarily means:
A) Using a single, strong firewall at the perimeter
B) Implementing multiple, layered security controls throughout the system
C) Relying solely on encryption for data protection
D) Disabling all external network connections
Answer: B
Explanation: Defense in depth uses overlapping controls (e.g., network, host, application) to provide redundancy if one layer fails.
**Question 12.** Which design principle promotes "no single point of failure" (SPOF)?
A) Economy of mechanism
B) Complete mediation
C) Resiliency
D) Psychological acceptability
Answer: C
Explanation: Resiliency aims to ensure the system continues operating despite component failures, eliminating SPOFs.
**Question 13.** "Open design" as a security principle is best described by Kerckhoffs's principle, which states:
A) Security should rely on secrecy of the algorithm
B) System design must be kept secret from users
C) The security of a system should depend only on the secrecy of the key, not the design
D) Only open-source software can be secure
Answer: C
Explanation: Kerckhoffs's principle asserts that a system should remain secure even when its design is public; only keys need secrecy.
**Question 14.** Which of the following is an example of "least common mechanism"?
A) Sharing a single database connection string among all applications
B) Using separate, isolated containers for each microservice
C) Storing all logs in a common file
D) Implementing a global admin account for all environments
Answer: B
Explanation: Isolating components reduces shared mechanisms, limiting the risk of unintended interactions.
**Question 15.** A CAPTCHA primarily addresses which security concern?


**Question 18.** In a data-classification scheme, "high impact" data typically requires which of the following controls?
A) No encryption, as it is low-risk
B) Strong encryption at rest and in transit, strict access controls, and detailed audit logging
C) Only password protection on files
D) Public sharing on a website
Answer: B
Explanation: High-impact data demands robust confidentiality, integrity, and accountability mechanisms.
**Question 19.** Which role is primarily responsible for defining the sensitivity level of data?
A) Data custodian
B) Data processor
C) Data owner
D) End user
Answer: C
Explanation: The data owner determines classification, usage, and protection requirements for the data they own.
**Question 20.** A "misuse case" differs from a normal use case because it:
A) Describes legitimate user interactions only
B) Focuses on how an attacker might exploit the system
C) Is written in a programming language
D) Does not require stakeholder input
Answer: B
Explanation: Misuse cases model potential malicious actions, helping identify security gaps.


**Question 21.** In a Security Requirement Traceability Matrix (STRM), traceability links are established between:
A) Code modules and hardware specifications
B) Security requirements, design elements, test cases, and verification results
C) Marketing materials and user manuals


**Question 22.** Which security design principle requires that every access request be checked against the security policy, even if the user has previously been granted access?
A) Least privilege
B) Complete mediation
C) Open design
D) Economy of mechanism
Answer: B
Explanation: Complete mediation ensures each request is validated, preventing cached permissions from being abused.
**Question 23.** In a cloud IaaS model, which security responsibility lies with the customer?
A) Physical security of the data centre


**Question 26.** "Fail-secure" (deny-by-default) behavior means the system:
A) Reboots automatically after a crash
B) Grants access when a failure occurs
C) Denies access when a failure occurs
D) Continues processing with reduced security
Answer: C
Explanation: Fail-secure defaults to the most restrictive state on error.
**Question 27.** The "economy of mechanism" principle encourages:
A) Adding many security controls
B) Keeping designs simple and small
C) Using proprietary, complex algorithms
D) Frequent policy changes
Answer: B
Explanation: Simpler mechanisms are easier to verify and less error-prone.
**Question 28.** Which security pattern provides a central point for managing user identities and authentication across multiple applications?
A) Access proxy
B) Identity manager
C) Secure token service
D) Policy enforcement point
Answer: B
Explanation: An identity manager centralises authentication and provisioning.
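Questions 1, 22 and 26 describe three properties of one authorization check: an explicit allow list per role (least privilege), re-evaluation on every request with nothing cached (complete mediation), and denial whenever the policy lookup fails (fail-secure). The following Go program is an added example written for this page, not code from the exam or from any product; the policy store, the role and subject names and the `available` flag that simulates an outage are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is one explicitly allowed (action, resource) pair.
type Permission struct{ Action, Resource string }

// PolicyStore is the authoritative policy source. Its lookups can fail
// (outage, unknown subject), and a fail-secure caller treats that as deny.
type PolicyStore struct {
	roles     map[string][]Permission // role -> explicit allow list (least privilege)
	members   map[string]string       // subject -> role
	available bool                    // constructed flag used to simulate an outage
}

var ErrStoreUnavailable = errors.New("policy store unavailable")

// NewDemoStore builds a constructed policy: reviewers may only read reports.
func NewDemoStore() *PolicyStore {
	return &PolicyStore{
		roles: map[string][]Permission{
			"reviewer": {{"read", "report"}},
			"admin":    {{"read", "report"}, {"write", "report"}},
		},
		members:   map[string]string{"alice": "reviewer", "bob": "admin"},
		available: true,
	}
}

// RoleOf resolves a subject's role, or returns an error on outage / unknown subject.
func (s *PolicyStore) RoleOf(subject string) (string, error) {
	if !s.available {
		return "", ErrStoreUnavailable
	}
	role, ok := s.members[subject]
	if !ok {
		return "", fmt.Errorf("unknown subject %q", subject)
	}
	return role, nil
}

// Revoke removes one permission from a role; later requests must observe it.
func (s *PolicyStore) Revoke(role string, p Permission) {
	kept := s.roles[role][:0]
	for _, q := range s.roles[role] {
		if q != p {
			kept = append(kept, q)
		}
	}
	s.roles[role] = kept
}

// Authorize implements complete mediation: every request re-reads the policy
// (no cached decisions), an explicit rule is required to allow (least
// privilege, deny by default), and any lookup error denies (fail-secure).
func Authorize(s *PolicyStore, subject, action, resource string) (bool, string) {
	role, err := s.RoleOf(subject)
	if err != nil {
		return false, "fail-secure: " + err.Error()
	}
	for _, p := range s.roles[role] {
		if p.Action == action && p.Resource == resource {
			return true, "explicit allow for role " + role
		}
	}
	return false, "deny by default for role " + role
}

func main() {
	s := NewDemoStore()
	show := func(sub, act, res string) {
		ok, why := Authorize(s, sub, act, res)
		fmt.Printf("%s %s %s -> %v (%s)\n", sub, act, res, ok, why)
	}
	show("alice", "read", "report")  // allowed by an explicit rule
	show("alice", "write", "report") // denied: not in the allow list
	s.Revoke("reviewer", Permission{"read", "report"})
	show("alice", "read", "report") // denied: re-checked, nothing cached
	s.available = false
	show("bob", "read", "report") // denied: store outage fails secure
}
```

The point to notice is the error branch: a policy store that is unreachable makes `Authorize` return false rather than fall back to a previous answer, which is exactly the fail-secure behaviour Question 26 asks about.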


**Question 29.** The primary purpose of a Security Requirement Traceability Matrix (STRM) is to:
A) List all encryption keys used
B) Map security requirements to design, implementation, and test artifacts
C) Document user passwords
D) Record hardware serial numbers
Answer: B
Explanation: STRM ensures every requirement is traced through the development lifecycle.
**Question 30.** Which of the following is a primary benefit of using a Software Composition Analysis (SCA) tool?
A) Detecting runtime memory leaks
B) Identifying known vulnerable open-source components
C) Performing static code analysis for business-logic errors
D) Generating UI mock-ups
Answer: B
Explanation: SCA scans the bill-of-materials for components with known CVEs.
**Question 31.** The DREAD risk-assessment model evaluates threats based on:
A) Detectability, Reusability, Accessibility, Efficiency, Durability
B) Damage, Reproducibility, Exploitability, Affected users, Discoverability
C) Dependency, Resilience, Availability, Encryption, Disclosure
D) Development, Review, Auditing, Enforcement, Documentation
Answer: B
Explanation: DREAD stands for Damage, Reproducibility, Exploitability, Affected users, Discoverability.


**Question 35.** Which security pattern is used to protect credentials while in transit between services?
A) Identity manager
B) Secure token service (STS)
C) Access proxy
D) Policy enforcement point
Answer: B
Explanation: STS issues short-lived tokens, avoiding credential exposure.
**Question 36.** Which of the following is a primary benefit of "defense in depth" for a web application?
A) Only a WAF is needed
B) Multiple layers such as input validation, authentication, authorization, logging, and a WAF are employed
C) All traffic is allowed to simplify debugging
D) The application runs on a single server without segmentation
Answer: B
Explanation: Layered controls reduce the chance that a single flaw compromises the system.
**Question 37.** Which testing technique uses the source code to design test cases that achieve maximum path coverage?
A) Black-box testing
B) Grey-box testing
C) White-box testing
D) Exploratory testing
Answer: C
Explanation: White-box testing examines internal structure to achieve path coverage.
**Question 38.** The primary purpose of a "fuzzing" test is to:
A) Verify ISO 27001 compliance
B) Generate random inputs to discover crashes or unexpected behaviour
C) Measure response time under load
D) Validate UI layout consistency
Answer: B
Explanation: Fuzzing feeds malformed data to expose handling errors.
**Question 39.** In a CI/CD pipeline, the best stage to run static application security testing (SAST) is:
A) After production deployment
B) During code-commit or pull-request validation
C) During user-acceptance testing (UAT)
D) Only when a security incident is reported
Answer: B
Explanation: Early SAST catches issues before they propagate downstream.
**Question 40.** Which security control most effectively prevents man-in-the-middle attacks on a web service?
A) Using HTTP instead of HTTPS
B) Enforcing TLS with certificate pinning
C) Disabling client-side validation
D) Allowing all traffic on port 80


D) Containers guarantee compliance with all regulations
Answer: B
Explanation: Isolation reduces the attack surface and limits impact of compromised components.
**Question 44.** In an incident-response plan, the "containment" phase primarily aims to:
A) Identify the root cause of the incident
B) Limit the incident's scope and prevent further spread while eradication is prepared
C) Restore normal operations without analysis
D) Notify customers before any analysis is done
Answer: B
Explanation: Containment stops the attack from propagating; removing the attacker's foothold (eradication) and restoring service (recovery) are the phases that follow.
**Question 45.** A security metrics dashboard is used to:
A) Replace all manual security testing
B) Provide real-time visibility into security posture and trends for decision-making
C) Automatically patch systems without human approval
D) Store encryption keys for the organisation
Answer: B
Explanation: Dashboards summarise key indicators (e.g., vulnerabilities, incidents) to guide management.
**Question 46.** A code-signing certificate is primarily used to:
A) Encrypt data at rest
B) Verify the integrity and origin of software binaries
C) Authenticate users to a web application
D) Generate random passwords for users
Answer: B
Explanation: Digital signatures assure that code has not been altered and originates from a trusted publisher.
**Question 47.** "Hard-coding secrets" is an example of a security anti-pattern because:
A) It improves performance
B) Secrets become visible in source code and version control, increasing exposure risk
C) It complies with PCI DSS
D) It makes secret rotation easier
Answer: B
Explanation: Embedding keys/passwords in code makes them discoverable by attackers.
**Question 48.** Which principle ensures a user cannot grant themselves higher privileges without proper authorization?
A) Least privilege
B) Separation of duties
C) Complete mediation
D) Open design
Answer: B
Explanation: Separation of duties requires that a privilege change be requested by one party and approved by another, so no single user can elevate their own access. Least privilege limits what a role holds but does not by itself prevent self-approval.
**Question 49.** Verifying the cryptographic hash of a third-party library before use helps ensure:
A) The library is the latest version
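Questions 3, 46 and 49 all turn on the difference between a digest, a MAC and a digital signature. The following Go program is an added example written for this page, not the exam's or any vendor's code: a hypothetical publisher signs the SHA-256 digest of a release artifact with an Ed25519 key (code signing, Question 46), a consumer verifies it with only the public key (integrity plus non-repudiation, Question 3), a pinned digest from a build manifest is checked in constant time (Question 49), and an HMAC under a shared key is shown to be forgeable by whoever verifies it, which is why a MAC cannot give non-repudiation. The artifact bytes, the pinned digest and the shared key are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Publisher holds the signing key pair of a hypothetical software publisher
// (a name invented for this example).
type Publisher struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{pub: pub, priv: priv}, nil
}

// SignArtifact hashes the binary and signs the digest with the private key,
// so the published digest and the signature refer to the same value.
func (p *Publisher) SignArtifact(artifact []byte) (digest [32]byte, sig []byte) {
	digest = sha256.Sum256(artifact)
	sig = ed25519.Sign(p.priv, digest[:])
	return digest, sig
}

// VerifyArtifact is what a consumer runs. It needs only the public key, so a
// valid signature proves integrity and binds the artifact to the key holder.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// VerifyPinnedDigest checks a downloaded library against a digest pinned in
// the build manifest. Malformed pins are rejected; the compare is constant-time.
func VerifyPinnedDigest(artifact []byte, pinnedHex string) bool {
	want, err := hex.DecodeString(pinnedHex)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	got := sha256.Sum256(artifact)
	return subtle.ConstantTimeCompare(got[:], want) == 1
}

// HMACTag gives integrity under a shared key. Anyone holding the key can
// produce a tag, so the verifier could have forged it: no non-repudiation.
func HMACTag(key, artifact []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(artifact)
	return m.Sum(nil)
}

func HMACVerify(key, artifact, tag []byte) bool {
	return hmac.Equal(HMACTag(key, artifact), tag)
}

func main() {
	pubr, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed release binary v1.2.3")
	digest, sig := pubr.SignArtifact(artifact)
	fmt.Println("signature valid:", VerifyArtifact(pubr.pub, artifact, sig))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered valid:", VerifyArtifact(pubr.pub, tampered, sig))
	fmt.Println("digest pinned:", VerifyPinnedDigest(artifact, hex.EncodeToString(digest[:])))

	// The verifier of a MAC can mint a tag for text the signer never approved.
	key := []byte("shared-key-constructed")
	msg := []byte("text the signer never approved")
	fmt.Println("forged MAC verifies:", HMACVerify(key, msg, HMACTag(key, msg)))
}
```

A pinned digest (Question 49) tells you the bytes are the ones you vetted; the signature (Question 46) additionally tells you who published them. Use both: the signature protects against a substituted artifact, the pin protects against a compromised publisher key being used to sign a new, unvetted build.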


C) Perform OS patch management
D) Generate cryptographic keys for the application
Answer: B
Explanation: A WAF inspects HTTP traffic and enforces rules against known attack patterns.
**Question 53.** Under GDPR, a Data Protection Impact Assessment (DPIA) is required when:
A) Processing is occasional and low-risk
B) The processing is likely to result in a high risk to individuals' rights (e.g., large-scale profiling)
C) Data is stored on a local hard drive only
D) The organisation is a non-EU private individual
Answer: B
Explanation: DPIAs evaluate high-risk processing activities.
**Question 54.** An example of "defense in depth" for a database is:
A) Relying solely on a firewall
B) Using network segmentation, encryption at rest, role-based access control, and regular audits
C) Storing passwords in plain text inside the DB
D) Allowing all IP addresses to connect directly to the DB
Answer: B
Explanation: Multiple layers (network, encryption, access control, monitoring) protect the data.
**Question 55.** Tokenization is primarily used to:
A) Replace sensitive data with a non-sensitive surrogate that can be mapped back under controlled conditions
B) Generate random passwords for users
C) Compress large files for storage efficiency
D) Encrypt data using asymmetric keys only
Answer: A
Explanation: Tokenization removes sensitive data from the primary environment while preserving referential integrity.
**Question 56.** A key characteristic of immutable infrastructure in DevSecOps is:
A) Servers are patched in-place after deployment
B) Once deployed, infrastructure is never modified; updates are performed by redeploying new images
C) Configuration files are edited directly on production machines
D) All code is stored on mutable shared drives
Answer: B
Explanation: Immutable infrastructure eliminates drift and ensures consistency.
**Question 57.** The most appropriate method to protect API keys stored in source-code repositories is to:
A) Commit them in plain text for easy access
B) Store them in a secrets-management solution and reference them at build/run time
C) Encode them with Base64 and push the encoded string
D) Hide them behind HTML comments
Answer: B
Explanation: Secrets managers keep keys out of version control and enforce access controls.
**Question 58.** In threat modelling, the "attack surface" refers to:
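Question 55's answer says a token is a surrogate that maps back "under controlled conditions" while "preserving referential integrity". The Go program below is an added example for this page, not the exam's or any payment vendor's code, showing what those two phrases mean in practice: a vault that returns the same token for the same card number, generates tokens that keep the last four digits but deliberately fail the Luhn checksum so they can never be mistaken for a real PAN, and gates detokenization behind a caller allow list. The vault structure, the caller names and the ACL are constructed; the card number is the widely used "4111 1111 1111 1111" test value, not a real account.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Vault maps tokens to the sensitive values they stand in for. The mapping
// lives only here; downstream systems hold tokens, never the PAN.
type Vault struct {
	byPAN   map[string]string // PAN -> token, so the same PAN always yields the same token
	byToken map[string]string // token -> PAN
	allowed map[string]bool   // callers permitted to detokenize (constructed ACL)
}

func NewVault(allowedCallers ...string) *Vault {
	v := &Vault{byPAN: map[string]string{}, byToken: map[string]string{}, allowed: map[string]bool{}}
	for _, c := range allowedCallers {
		v.allowed[c] = true
	}
	return v
}

// luhnValid is the checksum real card numbers satisfy; tokens are generated
// to fail it so they cannot be mistaken for, or used as, a real PAN.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// randomDigits draws n decimal digits from the OS CSPRNG.
func randomDigits(n int) (string, error) {
	var b strings.Builder
	for i := 0; i < n; i++ {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		b.WriteByte(byte('0' + d.Int64()))
	}
	return b.String(), nil
}

// Tokenize returns a surrogate that keeps the last four digits (so receipts
// and support tooling still work) and is otherwise random and unrelated to
// the PAN. An existing token is reused so references stay consistent.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("input is not a valid PAN")
	}
	if tok, ok := v.byPAN[pan]; ok {
		return tok, nil
	}
	for {
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := prefix + pan[len(pan)-4:]
		if luhnValid(tok) || v.byToken[tok] != "" {
			continue // reject tokens that look like real PANs or collide
		}
		v.byPAN[pan], v.byToken[tok] = tok, pan
		return tok, nil
	}
}

// Detokenize is the only path back to the PAN and is gated by the allow list.
func (v *Vault) Detokenize(token, caller string) (string, error) {
	if !v.allowed[caller] {
		return "", fmt.Errorf("caller %q is not permitted to detokenize", caller)
	}
	pan, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	v := NewVault("settlement-service")
	tok, _ := v.Tokenize("4111111111111111") // well-known test PAN, not a real card
	fmt.Println("token:", tok)
	pan, err := v.Detokenize(tok, "settlement-service")
	fmt.Println("detokenized:", pan, err)
	_, err = v.Detokenize(tok, "web-frontend")
	fmt.Println("frontend:", err)
}
```

Because the token carries no key-derivable relationship to the PAN, a system that stores only tokens is outside the scope of the cardholder-data environment (the PCI DSS point of Question 10); the vault itself is the component that still needs the full set of controls.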
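Questions 47 and 57 together say: do not hard-code secrets, and do read them from a secrets manager at build or run time. The Go program below is an added example for this page, not exam material or any tool's code. It runs a small hard-coded-secret scanner over a constructed source snippet (a structural rule for AWS access key IDs, plus a generic rule for credential-looking assignments filtered by Shannon entropy so that placeholders like `"xxxxxxxxxxxx"` are not reported) and shows the replacement pattern, a `LoadSecret` helper that reads the value the deploy step injected into the environment. The snippet, the variable names and the environment variable name are constructed; the key in it is the example value AWS publishes in its documentation, not a live credential.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"os"
	"regexp"
	"strings"
)

// Finding is one suspected hard-coded secret.
type Finding struct {
	Line int
	Rule string
}

var (
	// Structural pattern: AWS access key IDs have a fixed shape, so they are
	// reported regardless of entropy.
	awsKeyID = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)
	// Generic pattern: a credential-looking name assigned a quoted literal of
	// eight or more characters.
	credAssign = regexp.MustCompile(`(?i)(api[_-]?key|secret|password|passwd|token)\w*\s*:?=\s*["']([^"']{8,})["']`)
)

// shannonEntropy in bits per character; placeholders such as "xxxxxxxx"
// score near zero and are dropped to cut false positives.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	var h float64
	n := float64(len([]rune(s)))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanSource reports at most one finding per line of source text.
func ScanSource(src string, minEntropy float64) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		lineNo := i + 1
		if awsKeyID.MatchString(line) {
			out = append(out, Finding{lineNo, "aws-access-key-id"})
			continue
		}
		if m := credAssign.FindStringSubmatch(line); m != nil && shannonEntropy(m[2]) >= minEntropy {
			out = append(out, Finding{lineNo, "credential-assignment"})
		}
	}
	return out
}

// LoadSecret is the replacement for the literal: the value is injected into
// the environment by a secrets manager at deploy time, never committed.
func LoadSecret(name string) (string, error) {
	v, ok := os.LookupEnv(name)
	if !ok || v == "" {
		return "", errors.New("secret " + name + " is not set")
	}
	return v, nil
}

// SampleSource is constructed for this example; the key is AWS's published
// documentation example and the password is made up.
const SampleSource = `package config

// constructed sample, not real credentials
const apiKey = "AKIAIOSFODNN7EXAMPLE"
var dbPassword = "s3cr3t-Pa55w0rd!"
password := os.Getenv("DB_PASSWORD")
token := "xxxxxxxxxxxx"`

func main() {
	for _, f := range ScanSource(SampleSource, 3.0) {
		fmt.Printf("line %d: %s\n", f.Line, f.Rule) // lines 4 and 5 are reported
	}
	os.Setenv("DB_PASSWORD", "injected-by-secrets-manager") // stands in for the deploy step
	pw, err := LoadSecret("DB_PASSWORD")
	fmt.Println(pw, err)
}
```

Run as a pre-commit or pull-request check (the stage Question 39 recommends for SAST), a scanner like this blocks the commit before the secret reaches version control; once a secret has been pushed, rotating it is the only remedy, since removing it from history does not undo the exposure.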