LFD121 Developing Secure Software Practice Exam, Exams of Technology

This exam focuses on secure development lifecycle practices and application hardening. Candidates perform threat modeling, identify vulnerabilities like buffer overflows, injection flaws, and insecure configurations, and implement mitigation strategies. Hands-on challenges evaluate secure coding techniques, dependency scanning, unit-testing security assumptions, and using tools such as static and dynamic analyzers. It also tests knowledge of encryption, authentication protocols, secure APIs, software supply chain risks, and compliance requirements.

Typology: Exams

2025/2026

Available from 01/11/2026

shilpi-jain-1

LFD121 Developing Secure Software
Practice Exam
**Question 1.** Which principle states that a system should give users only the privileges they
need to perform their tasks?
A) Failsafe defaults
B) Least privilege
C) Open design
D) Psychological acceptability
Answer: B
Explanation: Least privilege limits user rights to the minimum necessary, reducing the impact of
a compromised account.
**Question 2.** In the CIA triad, which component is primarily concerned with ensuring that
data is not altered maliciously?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Answer: B
Explanation: Integrity guarantees that information remains accurate and unmodified.
**Question 3.** Which of the following is an example of a denylist (blacklist) approach to input validation?
A) Accepting only alphanumeric characters
B) Rejecting any input containing the string “<script>”
C) Using a regular expression that matches valid email formats
D) Normalizing Unicode characters before processing
Answer: B
Explanation: A denylist blocks known bad patterns; rejecting “<script>” is one such rule. A denylist only catches what its author anticipated: case variants, encodings and tags with attributes all slip past a literal match, so an allowlist such as A or C is the stronger control. D is canonicalization, a preparation step, not a validation rule.

**Question 8.** […]
Answer: B
Explanation: Canonicalization normalizes inputs, eliminating alternate representations that could evade filters.
**Question 9.** Which of the following is a secure logging practice?
A) Logging full user passwords for audit
B) Including stack traces in production logs visible to users
C) Masking sensitive data such as credit-card numbers before logging
D) Writing logs to a publicly accessible directory
Answer: C
Explanation: Sensitive data should be redacted or masked before it is written; logs are shipped, copied and retained far beyond the application's own access controls.
**Question 10.** Which principle recommends that a system should default to a secure state when a decision cannot be made?
A) Fail-safe defaults
B) Complete mediation
C) Least privilege
D) Open design
Answer: A
Explanation: Fail-safe defaults ensure that the default configuration is secure, denying access unless explicitly allowed.
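The following Python script is an added example (not part of the exam or the LFD121 course material) that puts Questions 3 and 8 side by side: the literal denylist for “<script>” from option B is run against a constructed set of case-varied and encoded inputs, and compared with a validator that canonicalizes first and then applies an allowlist. The allowlist policy (letters, digits, space and a little punctuation, up to 40 characters) and the sample strings are assumptions made for the example.

```python
import html
import re
import unicodedata
import urllib.parse

# Question 3, option B: a denylist that rejects one literal token.
DENY_TOKEN = "<script>"


def denylist_accepts(value: str) -> bool:
    """Accept unless the exact bad token appears (case-sensitive, undecoded)."""
    return DENY_TOKEN not in value


# Allowlist for a display-name field: letters, digits, space and a little
# punctuation, 1 to 40 characters.  The policy is a hypothetical one chosen
# for this example.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9 .,'-]{1,40}")


def canonicalize(value: str) -> str:
    """Question 8: reduce the input to one canonical form before checking it.
    Decode percent-encoding once, decode HTML entities once, apply NFKC so that
    full-width and other compatibility characters fold to their ASCII forms,
    then drop NUL characters and surrounding whitespace."""
    decoded = urllib.parse.unquote(value)
    decoded = html.unescape(decoded)
    decoded = unicodedata.normalize("NFKC", decoded)
    return decoded.replace("\x00", "").strip()


def allowlist_accepts(value: str) -> bool:
    """Canonicalize, then accept only what the allowlist positively describes."""
    return ALLOWED_NAME.fullmatch(canonicalize(value)) is not None


# Constructed inputs.  Every entry except the last carries a script tag; only
# the first is in the one form the literal denylist recognises.
SAMPLES = [
    "<script>alert(1)</script>",              # the denylist does catch this one
    "<SCRIPT>alert(1)</SCRIPT>",              # case variation
    "<script src=//evil.example>",            # an attribute breaks the literal match
    "%3Cscript%3Ealert(1)%3C/script%3E",      # percent-encoded
    "&lt;script&gt;alert(1)&lt;/script&gt;",  # HTML-entity encoded
    "\uff1cscript\uff1e",                     # full-width < and >; NFKC folds them to ASCII
    "Mary O'Neil-Smith",                      # legitimate value
]


def compare() -> dict:
    """Map each sample to the decision of both validators."""
    return {s: {"denylist": denylist_accepts(s), "allowlist": allowlist_accepts(s)}
            for s in SAMPLES}


if __name__ == "__main__":
    for sample, verdict in compare().items():
        print(f"{sample!r:45} denylist={verdict['denylist']!s:5} allowlist={verdict['allowlist']}")
```

Six of the seven samples get through the denylist; the allowlist admits only the legitimate name. Canonicalization has to be done exactly once and in the order the downstream consumer decodes, otherwise a double-encoded value is judged in one form and interpreted in another.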

**Question 11.** In the context of secure software development, what does “complete mediation” refer to?
A) Validating every access request against policy
B) Encrypting all data at rest
C) Using multi-factor authentication for all users
D) Performing code reviews after deployment
Answer: A
Explanation: Complete mediation requires that every access request be checked against the current policy, rather than relying on a decision cached earlier (for example at login) that may no longer be valid.
**Question 12.** Which of the following is a common attack that targets the “availability” aspect of the CIA triad?
A) SQL injection
B) Phishing
C) Distributed Denial-of-Service (DDoS)
D) Man-in-the-middle
Answer: C
Explanation: DDoS attacks aim to make a service unavailable to legitimate users.
**Question 13.** Which secure design pattern helps separate concerns by dividing a system into distinct layers with defined responsibilities?
A) Singleton
B) Proxy
C) Layered architecture
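Added example for Question 11, not taken from the exam: a tiny authorization layer over a hypothetical role store, showing why a decision cached at login (the anti-pattern Question 40 later describes) keeps granting access after a role is revoked, while a handler that consults the policy on every request does not. The user names, roles and actions are constructed for the example.

```python
from dataclasses import dataclass, field


class Policy:
    """The authoritative role store (a hypothetical stand-in for an IdP or a
    database).  Constructed sample: alice is an admin, bob a plain user."""

    def __init__(self) -> None:
        self.roles = {"alice": {"admin", "user"}, "bob": {"user"}}

    def authorized(self, user: str, action: str) -> bool:
        roles = self.roles.get(user, set())
        if action == "delete":
            return "admin" in roles
        if action == "read":
            return "user" in roles
        return False

    def revoke(self, user: str, role: str) -> None:
        self.roles.get(user, set()).discard(role)


@dataclass
class Session:
    user: str
    decisions: dict = field(default_factory=dict)  # action -> bool, filled at login


def login_caching(policy: Policy, user: str) -> Session:
    """Question 40, option A: authorize once at login and remember the answers."""
    return Session(user, {a: policy.authorized(user, a) for a in ("read", "delete")})


def handle_cached(session: Session, action: str) -> bool:
    """Serves every later request from the snapshot; never asks the policy again."""
    return session.decisions.get(action, False)


def handle_mediated(policy: Policy, session: Session, action: str) -> bool:
    """Complete mediation (Question 11, and Question 40 option B): every request
    is checked against the current policy."""
    return policy.authorized(session.user, action)


def demo() -> dict:
    """alice logs in as an admin, an operator demotes her, and she then tries
    to delete.  Returns both handlers' decisions before and after the change."""
    policy = Policy()
    session = login_caching(policy, "alice")
    before = {"cached": handle_cached(session, "delete"),
              "mediated": handle_mediated(policy, session, "delete")}
    policy.revoke("alice", "admin")
    after = {"cached": handle_cached(session, "delete"),
             "mediated": handle_mediated(policy, session, "delete")}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The usual objection is cost. The usual answer is a short-lived cache that is invalidated on revocation events, which still satisfies the principle because each request is decided against something that reflects current policy; a snapshot that lives as long as the session does not.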

**Question 16.** Which of the following best describes a “fail-open” behavior?
A) System denies all requests when an error occurs
B) System defaults to a secure state on failure
C) System continues operation with reduced security on failure
D) System shuts down completely on any error
Answer: C
Explanation: Fail-open keeps the service running with a security control disabled (an unreachable authorization service treated as “allow”, for instance). For security decisions a fail-safe, that is fail-closed, default is preferred.
**Question 17.** Which of these is a static analysis (SAST) detection capability?
A) Detecting runtime SQL injection attempts
B) Identifying hard-coded credentials in source code
C) Measuring response times under load
D) Capturing network traffic patterns
Answer: B
Explanation: SAST scans source code without running it, for patterns like hard-coded secrets.
**Question 18.** Which HTTP header helps mitigate cross-site scripting (XSS) attacks?
A) Content-Security-Policy (CSP)
B) Server
C) Transfer-Encoding
D) Keep-Alive
Answer: A
Explanation: CSP restricts the origins from which scripts may load and whether inline script may run, limiting what an injected script can do.
**Question 19.** When integrating an external library, which license consideration is most critical for a commercial product?
A) Whether the license is GNU GPL
B) Whether the library uses a dark theme
C) Whether the library is written in C++
D) Whether the library has a README file
Answer: A
Explanation: GPL may require source disclosure for distributed derivative works; understanding license obligations before adoption is essential.
**Question 20.** Which of the following is an example of “separation of privilege”?
A) Requiring both a password and a hardware token for admin actions
B) Allowing any user to install software
C) Storing logs in a single file accessible to all
D) Using a single admin account for all tasks
Answer: A
Explanation: Separation of privilege splits authority across multiple independent checks, so a single compromised factor is not enough.
**Question 21.** In secure memory management, what is the purpose of zeroizing memory after use?

**Question 23.** […]
Explanation: A digital signature binds the message to the signer's private key, so the signer cannot later deny having produced it (non-repudiation).
**Question 24.** Which of the following is a secure way to store API keys in a containerized application?
A) Hard-coding them in source code
B) Storing them in environment variables without encryption
C) Using a secret management service (e.g., HashiCorp Vault) and injecting at runtime
D) Placing them in a public Git repository
Answer: C
Explanation: Secret management services provide controlled access, rotation and auditability. Environment variables are readable through process listings, crash dumps and any child process; hard-coded or committed secrets end up in every copy of the repository.
**Question 25.** Which testing technique simulates attacks against a running application to find vulnerabilities?
A) Unit testing
B) Static analysis
C) Dynamic analysis (DAST)
D) Code review
Answer: C
Explanation: DAST interacts with the live application, sending malformed inputs to uncover flaws.
**Question 26.** Which principle advises that security mechanisms should be usable and not impede legitimate users?
A) Psychological acceptability
B) Least privilege
C) Fail-safe defaults
D) Economy of mechanism
Answer: A
Explanation: Psychological acceptability ensures security does not hinder productivity; controls that get in the way get bypassed.
**Question 27.** Which of the following is a common sign that an application suffers from an injection vulnerability?
A) Slow page load times
B) Unexpected error messages revealing SQL syntax
C) High CPU usage during idle periods
D) Frequent user logouts
Answer: B
Explanation: Database error text surfacing in a response shows that user input reached the query parser; it is a classic indicator of, and a help to anyone exploiting, SQL injection.
**Question 28.** Which of these is a recommended practice when performing error handling in a web application?
A) Returning stack traces to the client
B) Displaying generic error messages without internal details
C) Logging errors to a publicly accessible file
D) Ignoring errors to keep the user experience smooth
Answer: B
Explanation: Generic messages avoid leaking implementation details while still informing users.
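Added example (not from the exam) for Question 27, using Python's built-in sqlite3 against a constructed in-memory users table: the same lookup written by string concatenation and as a parameterized query, run with a normal name and with a tautology payload, plus the database error that a stray quote produces in the concatenated version.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", 1), ("bob", "hash-b", 0)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the input is parsed as part of the SQL text."""
    sql = "SELECT name, is_admin FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver passes the value separately from the
    statement; whatever it contains is compared as data, never parsed as SQL."""
    return conn.execute("SELECT name, is_admin FROM users WHERE name = ?", (name,)).fetchall()


PAYLOAD = "x' OR '1'='1"   # becomes: WHERE name = 'x' OR '1'='1'  (always true)


def compare() -> dict:
    """Run both lookups with a normal name and with the payload."""
    conn = make_db()
    return {
        "normal": {"vulnerable": find_user_vulnerable(conn, "bob"),
                   "safe": find_user_safe(conn, "bob")},
        "payload": {"vulnerable": find_user_vulnerable(conn, PAYLOAD),
                    "safe": find_user_safe(conn, PAYLOAD)},
    }


def leaked_error(name: str) -> str:
    """A stray quote breaks the concatenated statement and the database
    complains.  An application that forwards this text to the client is
    showing the indicator Question 27 describes.  Empty string: the query ran."""
    conn = make_db()
    try:
        find_user_vulnerable(conn, name)
        return ""
    except sqlite3.Error as exc:
        return f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    print(compare())
    print(leaked_error("bob'"))
```

With the payload the concatenated query returns every row, including the admin; the parameterized query returns nothing because no user is literally named `x' OR '1'='1`. The error string from `leaked_error("bob'")` is the kind of text that should go to a private log with a reference id (Question 28), not to the response body.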

**Question 31.** […]
D) Number of development team members
Answer: B
Explanation: Encryption of PII is a security requirement that must be considered from the start.
**Question 32.** Which of the following is a primary advantage of using a “sandbox” for executing untrusted code?
A) Improves code readability
B) Provides isolation to limit system impact
C) Increases network bandwidth
D) Reduces the need for unit tests
Answer: B
Explanation: Sandboxing confines untrusted code, protecting the host system.
**Question 33.** Which of the following cryptographic hash functions is considered broken for collision resistance?
A) SHA-256
B) SHA-3
C) MD5
D) BLAKE
Answer: C
Explanation: MD5 has practical collision attacks (two different inputs with the same digest can be produced at will), so it must not be used where collision resistance matters: signatures, certificates, or integrity checks over data an attacker can influence. SHA-1 is in the same position; use SHA-256 or SHA-3.

**Question 34.** Which of the following is a recommended approach when handling user-supplied file names for storage?
A) Directly using the supplied name as the path
B) Appending a random UUID to a sanitized version of the name
C) Storing files in the root directory
D) Allowing path traversal characters like “../”
Answer: B
Explanation: Sanitizing (keeping only the final path component and an allowlisted character set) defeats path traversal; the random UUID prevents collisions and overwrites between uploads.
**Question 35.** Which of the following is a characteristic of “defense in depth”?
A) Relying on a single firewall
B) Implementing multiple overlapping security controls
C) Using only encryption for data protection
D) Disabling all logging to improve performance
Answer: B
Explanation: Defense in depth layers controls to mitigate failure of any single control.
**Question 36.** Which of the following is an effective method to protect against command injection when calling external programs?
A) Concatenating user input directly into a shell command string
B) Using parameterized APIs or system calls that separate arguments from the command interpreter
C) Disabling input validation
D) Allowing any characters in the input
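Added example (not from the exam) for Questions 34 and 36: the naive join of a user-supplied file name next to the sanitize-plus-UUID approach with an explicit containment check, and a command built as an argv list rather than a shell string. The upload root /srv/uploads, the character policy for file names and the ping command are assumptions for the example; nothing is written to disk or executed.

```python
import os
import re
import uuid

UPLOAD_ROOT = "/srv/uploads"          # hypothetical storage directory
RESOLVED_ROOT = os.path.realpath(UPLOAD_ROOT)
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def inside_root(path: str, root: str = RESOLVED_ROOT) -> bool:
    """True if the resolved path lies under root (the root itself does not count)."""
    resolved = os.path.realpath(path)
    return resolved != root and os.path.commonpath([root, resolved]) == root


def naive_storage_path(user_supplied: str) -> str:
    """Question 34, option A: joining the supplied name onto the root verbatim."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, user_supplied))


def safe_storage_path(user_supplied: str) -> str:
    """Question 34, option B: keep only the final path component, allowlist its
    characters, prefix a random UUID, then verify the result is still under the
    root before using it (the check is defense in depth; basename already
    removed every directory component)."""
    final = os.path.basename(user_supplied.replace("\\", "/"))
    cleaned = UNSAFE_CHARS.sub("_", final).strip("._")[:100] or "upload"
    candidate = os.path.join(UPLOAD_ROOT, f"{uuid.uuid4().hex}-{cleaned}")
    if not inside_root(candidate):
        raise ValueError("storage path escapes the upload root")
    return candidate


# Host names: must start with a letter or digit, so "-flag" cannot be smuggled
# in as an option to the program.
HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def ping_argv(host: str) -> list:
    """Question 36, option B: validate, then pass the value as one argv element.
    No shell parses it, so ';', '|' and '$(...)' carry no meaning."""
    if not HOSTNAME.fullmatch(host):
        raise ValueError(f"rejected host {host!r}")
    return ["ping", "-c", "1", host]


def host_accepted(host: str) -> bool:
    try:
        ping_argv(host)
        return True
    except ValueError:
        return False


def ping_shell_string(host: str) -> str:
    """Question 36, option A, shown only for contrast: the text a shell would parse."""
    return f"ping -c 1 {host}"


if __name__ == "__main__":
    bad = "../../etc/passwd"
    print(naive_storage_path(bad), inside_root(naive_storage_path(bad)))
    print(safe_storage_path(bad))
    print(ping_shell_string("8.8.8.8; cat /etc/passwd"))
    print(ping_argv("example.com"))
```

To run the command, `subprocess.run(ping_argv(host), check=False)` with the default `shell=False` keeps the host as a single argument. The validation step still matters with argv: without it a value starting with `-` is an argument-injection attack on the program itself, which no amount of shell avoidance prevents.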

**Question 39.** […]
A) Sending a password reset link via email without rate limiting
B) Using a one-time token that expires after 15 minutes
C) Requiring the user to answer a security question
D) Logging the reset request
Answer: A
Explanation: Unlimited reset requests can be abused for account enumeration, flooding a victim's mailbox, or denial of service; limit them per account and per source.
**Question 40.** Which of the following is an example of “complete mediation” in a web application?
A) Checking user permissions only at login and storing the result in a session variable
B) Verifying permissions on every request to a protected resource
C) Trusting client-side JavaScript to enforce access control
D) Using a static HTML page for all users
Answer: B
Explanation: Complete mediation requires re-checking authorization for each request.
**Question 41.** Which of the following best defines “supply chain security” in software development?
A) Securing the physical delivery trucks for hardware components
B) Ensuring that third-party components and libraries are free from known vulnerabilities and malicious code
C) Using a single vendor for all software tools
D) Encrypting source code before committing to version control

Answer: B
Explanation: Supply chain security focuses on the integrity of external software assets: what is pulled in, from where, and whether it is what it claims to be.
**Question 42.** Which of the following is a recommended practice for handling exceptions in a security-critical module?
A) Propagating raw exception messages to the user interface
B) Logging detailed stack traces in a secure, non-public log and showing a generic error to the user
C) Swallowing all exceptions silently
D) Restarting the application without logging
Answer: B
Explanation: Detailed logs aid debugging while generic user messages prevent information leakage.
**Question 43.** Which of the following is a characteristic of a “deny-all” firewall rule set?
A) All inbound traffic is allowed by default
B) Only explicitly permitted traffic is allowed
C) It requires manual rule creation for every possible connection
D) It disables logging
Answer: B
Explanation: Deny-all blocks everything unless a rule permits it.
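Added example (not part of the exam) for Questions 9, 28 and 42: a masker that replaces Luhn-valid card numbers before a line is logged, and a request handler that writes the masked detail to a private log under a reference id and returns only a generic message plus that id to the client. The in-memory log buffer, the failing `charge()` operation and its error text are constructed for the example.

```python
import logging
import re
import uuid
from io import StringIO

# Candidate card number: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps the masker from clobbering ordinary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Question 9, option C: replace every Luhn-valid card number with a form
    that keeps only the last four digits."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


# A private, in-memory log destination standing in for the secure log store.
LOG_BUFFER = StringIO()
logger = logging.getLogger("example.secure")
logger.setLevel(logging.ERROR)
logger.propagate = False
_handler = logging.StreamHandler(LOG_BUFFER)
_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
logger.handlers = [_handler]


def charge(card_number: str) -> None:
    """Constructed failing operation whose exception text echoes its input,
    as many library errors do."""
    raise RuntimeError(f"gateway rejected card {card_number}")


def handle_request(card_number: str) -> dict:
    """Questions 28 and 42: detail goes to the secure log (masked); the client
    gets a generic message plus a reference id that ties the two together."""
    try:
        charge(card_number)
        return {"status": 200, "body": "ok"}
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        # No exc_info=True here: a formatted traceback re-prints str(exc) unmasked.
        logger.error("ref=%s type=%s detail=%s", ref, type(exc).__name__, mask_pan(str(exc)))
        return {"status": 500, "body": f"Payment could not be processed. Reference: {ref}"}


def log_contents() -> str:
    return LOG_BUFFER.getvalue()


if __name__ == "__main__":
    print(handle_request("4111 1111 1111 1111"))
    print(log_contents())
```

The masker runs on the exception text as well as on anything the application logs itself, because error messages from drivers and gateways routinely echo the value that caused the failure. If tracebacks are wanted in the log, format them with `traceback.format_exc()` and pass the result through `mask_pan()` rather than using `exc_info=True`.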

**Question 46.** […]
Answer: B
Explanation: Fail-safe defaults start with a secure configuration, reducing exposure.
**Question 47.** Which of the following is a secure way to transmit a session identifier to a client?
A) In a URL query parameter over HTTP
B) As a secure, HttpOnly cookie over HTTPS
C) In a hidden form field without encryption
D) Via email after login
Answer: B
Explanation: The Secure flag keeps the cookie off plaintext HTTP, and HttpOnly keeps it out of reach of script, so an XSS bug cannot read it; adding SameSite limits its use on cross-site requests. Identifiers in URLs leak through logs, history and the Referer header.
**Question 48.** Which of the following is an advantage of using IAST (Interactive Application Security Testing) over pure SAST?
A) IAST works without running the application
B) IAST can detect runtime vulnerabilities with code context while the app is exercised
C) IAST requires no instrumentation
D) IAST only scans compiled binaries
Answer: B
Explanation: IAST instruments the running application, so it observes real requests and data flows together with the code that handles them; this gives fewer false positives than SAST alone, at the cost of needing a running, instrumented deployment.
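Added example (not from the exam) for Question 47, using Python's http.cookies: a builder for the Set-Cookie header of a session id with the attributes option B names plus SameSite and the __Host- prefix, and an audit function that lists what is missing from a given Set-Cookie value. The cookie name, its lifetime and the “legacy” header used for comparison are assumptions.

```python
from http.cookies import SimpleCookie


def session_cookie_header(session_id: str, max_age: int = 900) -> str:
    """Set-Cookie value for a session id as Question 47, option B describes:
    Secure and HttpOnly, plus SameSite and the __Host- prefix, which makes the
    browser refuse the cookie unless it is Secure, has Path=/ and no Domain."""
    cookie = SimpleCookie()
    name = "__Host-sid"
    cookie[name] = session_id
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age
    return cookie.output(header="").strip()


def audit_set_cookie(header_value: str) -> list:
    """Findings a reviewer would raise for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the cookie would also be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script injected by XSS can read document.cookie")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests will carry the session")
    if name.startswith("__Host-") and (
            "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


# Constructed headers: one produced by the builder, one typical legacy value.
CONSTRUCTED_HEADERS = {
    "hardened": session_cookie_header("0123abcd"),
    "legacy": "sid=0123abcd; Path=/",
}

if __name__ == "__main__":
    for label, header in CONSTRUCTED_HEADERS.items():
        print(label, "->", header)
        for finding in audit_set_cookie(header) or ["no findings"]:
            print("   ", finding)
```

The audit is the kind of check that belongs in an integration test against the real server response, since frameworks default these attributes differently. Question 49's CSRF scenario is exactly what the SameSite finding is about: a session cookie sent on a cross-site request is what lets the forged request act as the user.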

**Question 49.** Which of the following is a common indicator of a successful cross-site request forgery (CSRF) attack?
A) The user's password is displayed in plain text
B) An authenticated user's account performs an unintended action without their knowledge
C) The server returns a 404 error for all requests
D) The browser shows a certificate warning
Answer: B
Explanation: CSRF exploits the user's authenticated session to perform actions they did not intend.
**Question 50.** Which of the following practices helps prevent insecure deserialization vulnerabilities?
A) Accepting any serialized object from the client
B) Using strict type checking and avoiding native deserialization of untrusted data
C) Disabling all logging
D) Storing serialized data in plain text files
Answer: B
Explanation: Validating and restricting deserialization inputs mitigates object injection attacks.
**Question 51.** Which of the following is the most appropriate response when a newly disclosed vulnerability affects a library used in production?
A) Ignore it until the next major release
B) Immediately apply a security patch or upgrade to a fixed version
C) Remove all logging to hide the issue
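Added example (not from the exam) for Question 50: a pickle blob whose `__reduce__` makes `pickle.loads` call a function the sender chose (here one that only appends to a list, standing in for os.system), next to a JSON loader that checks shape, types and ranges before building a fixed Order type. The Order fields and their limits are assumptions for the example.

```python
import json
import pickle
from dataclasses import dataclass

EXECUTED = []   # records what the malicious blob managed to run on load


def attacker_chosen_call(message: str) -> str:
    """Stand-in for os.system or subprocess.Popen; it only records a string."""
    EXECUTED.append(message)
    return message


class Payload:
    """Question 50, option A: pickle lets the sender choose what gets called on
    load.  __reduce__ returns (callable, args) and pickle.loads invokes it."""

    def __reduce__(self):
        return (attacker_chosen_call, ("code ran inside pickle.loads",))


def build_malicious_blob() -> bytes:
    """Constructed client-supplied bytes."""
    return pickle.dumps(Payload())


def load_native(blob: bytes):
    """Native deserialization of untrusted input."""
    return pickle.loads(blob)


@dataclass(frozen=True)
class Order:
    item: str
    quantity: int


def load_strict(raw: bytes) -> Order:
    """Question 50, option B: a data-only format (JSON yields only dicts, lists,
    strings, numbers, bools and None) plus explicit type and range checks,
    mapped onto a fixed type."""
    data = json.loads(raw)
    if not isinstance(data, dict) or set(data) != {"item", "quantity"}:
        raise ValueError("unexpected shape")
    item, quantity = data["item"], data["quantity"]
    if not isinstance(item, str) or not 1 <= len(item) <= 64:
        raise ValueError("item must be a string of 1-64 characters")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(quantity, bool) or not isinstance(quantity, int) or not 1 <= quantity <= 1000:
        raise ValueError("quantity must be an integer between 1 and 1000")
    return Order(item, quantity)


def strict_rejects(raw: bytes) -> bool:
    """True if load_strict refuses the input.  ValueError covers JSON syntax
    errors, undecodable bytes and the explicit checks above."""
    try:
        load_strict(raw)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    load_native(build_malicious_blob())
    print("side effects after pickle.loads:", EXECUTED)
    print(load_strict(b'{"item": "widget", "quantity": 2}'))
    print("strict loader rejects the pickle blob:", strict_rejects(build_malicious_blob()))
```

The point is that the call happens during `pickle.loads` itself, before the application gets to inspect the result, so "validate after loading" is no defence; the same holds for Java `ObjectInputStream`, PHP `unserialize` and .NET `BinaryFormatter`.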