MASE Certified Application Security Engineer Exam, Exams of Technology

This exam measures professional expertise in securing software applications throughout the development lifecycle. Topics include secure coding principles, OWASP vulnerabilities, threat modeling, application security testing (SAST, DAST, IAST), and remediation strategies. Candidates are evaluated on their ability to integrate security into application design, development, and deployment processes.

Typology: Exams

2025/2026

Available from 01/24/2026

shilpi-jain-2
MASE Certified Application Security Engineer
Exam
**Question 1. Which secure SDLC model was created by Microsoft and emphasizes threat
modeling early in the development lifecycle?**
A) OWASP SAMM
B) BSIMM
C) Microsoft Security Development Lifecycle (SDL)
D) NIST CSF
Answer: C
Explanation: Microsoft SDL is a prescriptive framework that integrates security activities,
including early threat modeling, throughout the development process.
**Question 2. In the STRIDE threat-modeling methodology, the “E” stands for which category of
threat?**
A) Elevation of privilege
B) Enumeration
C) Exploitation of trust
D) Error handling
Answer: A
Explanation: STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure,
Elevation of privilege, and Denial of service.
**Question 3. When gathering security requirements, an “abuse case” is best described as:**
A) A functional user story describing normal behavior
B) A scenario that outlines how an attacker could misuse a feature
C) A compliance checklist for GDPR
D) A performance benchmark for encryption routines
Answer: B
Explanation: Abuse cases focus on malicious usage patterns, helping teams identify security controls needed to mitigate those threats.
**Question 4. Which architectural style typically introduces the most surface area for injection attacks?**
A) Monolithic
B) Serverless functions
C) Microservices communicating via REST APIs
D) Event-driven architecture using message queues
Answer: C
Explanation: Microservices expose many public endpoints (often REST) that, if not properly validated, increase injection risk.
**Question 5. The OWASP Top 10 entry “Broken Access Control” most commonly includes which of the following vulnerabilities?**
A) Stored XSS
B) Insecure Direct Object References (IDOR)
C) SQL injection
D) Weak cryptographic algorithms
Answer: B
Explanation: IDOR is a classic example of broken access control where objects are accessed without proper authorization checks.
**Question 6. Which of the following is the most effective mitigation against SQL injection?**
A) Escaping special characters manually
B) Using parameterized (prepared) statements
C) Encoding output with HTML entities

B) Remote code execution (RCE)
C) Information disclosure through stack traces
D) Session fixation
Answer: B
Explanation: Attackers can craft malicious serialized objects that trigger execution paths resulting in RCE.
**Question 10. Software Composition Analysis (SCA) primarily helps organizations to:**
A) Detect runtime memory leaks
B) Identify outdated or vulnerable third-party libraries
C) Perform static code analysis on proprietary code
D) Automate container image scanning
Answer: B
Explanation: SCA tools create an inventory of open-source components and match them against known vulnerability databases.
**Question 11. Which of the following is an “allow-list” approach to input validation?**
A) Reject any input containing the string “

**Question 12. When storing passwords, which algorithm provides the strongest resistance against GPU-accelerated cracking?**
A) MD5
B) SHA-1
C) bcrypt
D) SHA-256
Answer: C
Explanation: bcrypt incorporates a work factor and a salt, making brute-force attacks significantly slower on GPUs.
**Question 13. Which cookie attribute prevents a browser from sending the cookie over an insecure (HTTP) connection?**
A) HttpOnly
B) Secure
C) SameSite=Strict
D) Domain
Answer: B
Explanation: The Secure flag ensures the cookie is transmitted only over HTTPS.
**Question 14. An application returns detailed stack traces to the client on error. This practice primarily violates which security principle?**
A) Least privilege
B) Defense in depth
C) Fail-secure
D) Information disclosure avoidance
Answer: D

C) In the release approval gate
D) During runtime monitoring
Answer: B
Explanation: Running SAST during the build catches code-level issues early, before artifacts are packaged.
**Question 18. Which IaC scanning tool can detect insecure security-group rules in Terraform templates?**
A) SonarQube
B) Checkov
C) Burp Suite
D) OWASP ZAP
Answer: B
Explanation: Checkov is designed to analyze Terraform, CloudFormation, and other IaC files for misconfigurations.
**Question 19. Which Dockerfile instruction is most likely to introduce unnecessary attack surface if misused?**
A) FROM
B) COPY
C) RUN apt-get install …
D) CMD
Answer: C
Explanation: RUN commands that install extra packages can pull in vulnerable binaries and increase the image footprint.

**Question 20. In Kubernetes, which resource type is used to enforce runtime security policies such as disallowing privileged containers?**
A) ConfigMap
B) ServiceAccount
C) PodSecurityPolicy (or PodSecurityAdmission)
D) Ingress
Answer: C
Explanation: PodSecurityPolicy (or the newer PodSecurityAdmission) defines constraints on pod security settings.
**Question 21. Which of the following is the primary goal of “breaking the build” in a DevSecOps pipeline?**
A) To prevent any new code from being merged
B) To halt deployment when high-severity security findings are detected
C) To force developers to write unit tests
D) To trigger a rollback of the previous release
Answer: B
Explanation: Breaking the build stops the pipeline when critical security issues are found, ensuring they are addressed before release.
**Question 22. During threat modeling, a “trust boundary” is best described as:**
A) The point where data is encrypted
B) A location where data moves from a higher-trust zone to a lower-trust zone
C) The boundary of a class in object-oriented design
D) The API endpoint that requires authentication
Answer: B

D) Using only client-side validation for inputs
Answer: B
Explanation: Defense-in-depth uses overlapping controls so that if one fails, others still protect the asset.
**Question 26. In the context of session management, what does “session fixation” refer to?**
A) The server automatically expiring idle sessions
B) An attacker forcing a user’s session identifier to a known value
C) Storing session data in insecure cookies
D) Reusing the same session token across multiple applications
Answer: B
Explanation: Session fixation attacks involve an attacker setting a session ID before authentication, then hijacking it after login.
**Question 27. Which cryptographic mode provides both confidentiality and integrity for data at rest?**
A) ECB
B) CBC without MAC
C) GCM (Galois/Counter Mode)
D) OFB
Answer: C
Explanation: GCM is an authenticated encryption mode that ensures confidentiality and integrity.
**Question 28. A web application logs the full contents of user-submitted JSON payloads, including passwords, to a central log server. This violates which best practice?**
A) Log rotation

B) Centralized logging
C) Redaction of sensitive data (PII) in logs
D) Use of structured logging
Answer: C
Explanation: Sensitive data such as passwords must be masked or omitted from logs to prevent leakage.
**Question 29. Which of the following is a typical output of a static analysis tool like SonarQube when scanning for security issues?**
A) HTTP response codes from a live server
B) A list of vulnerable third-party dependencies with CVE IDs
C) Code-level findings such as “SQL query concatenated with user input”
D) Container image size metrics
Answer: C
Explanation: SAST tools examine source code and flag insecure coding patterns like unsafe string concatenation.
**Question 30. In a serverless application, which of the following is a common security concern unique to the model?**
A) Unpatched operating system kernels
B) Over-privileged IAM roles granted to functions
C) Insecure default passwords on the host OS
D) Lack of TLS encryption on internal network traffic
Answer: B
Explanation: Serverless functions often run with IAM roles; granting excessive permissions can lead to privilege abuse.

Answer: B
Explanation: Deserializing untrusted, encoded data without validation is a classic insecure deserialization scenario.
**Question 34. Which of the following is a primary benefit of integrating a Software Composition Analysis (SCA) tool into the CI pipeline?**
A) Detecting syntax errors in code
B) Preventing the use of vulnerable open-source components before they reach production
C) Measuring code coverage for unit tests
D) Scanning for cross-site scripting in HTML pages
Answer: B
Explanation: SCA identifies known vulnerabilities in third-party libraries early, enabling remediation before release.
**Question 35. In the context of OWASP SAMM, which practice area focuses on “Secure Architecture Design”?**
A) Governance
B) Construction
C) Verification
D) Design
Answer: D
Explanation: SAMM’s Design domain covers secure architecture, threat modeling, and security requirements.
**Question 36. Which of the following is a recommended practice for handling error messages in production environments?**
A) Return stack traces to the client for debugging

B) Log detailed errors internally but show generic messages to users
C) Disable all error logging to improve performance
D) Include sensitive configuration values in error pages for transparency
Answer: B
Explanation: Detailed errors should be kept internal, while users receive generic messages to avoid information leakage.
**Question 37. Which of the following best describes “horizontal privilege escalation”?**
A) Gaining admin rights on the same account
B) Accessing resources belonging to another user with the same role level
C) Escalating from a low-privilege user to root
D) Bypassing authentication entirely
Answer: B
Explanation: Horizontal escalation involves moving laterally to access another peer’s data without increasing privilege level.
**Question 38. A developer uses the eval() function in JavaScript to parse JSON from an untrusted source. Which vulnerability does this introduce?**
A) Cross-site request forgery (CSRF)
B) Server-side request forgery (SSRF)
C) Remote code execution via script injection
D) Open redirect
Answer: C
Explanation: eval() executes arbitrary code; feeding it untrusted data can lead to code execution.

Explanation: Defense-in-depth combines several protective measures across the stack.
**Question 42. Which of the following best describes “privilege creep” in the context of CI/CD pipelines?**
A) Gradually increasing the timeout for build jobs
B) Adding more permissions to service accounts over time without review
C) Reducing the number of stages in a pipeline to speed up releases
D) Using default Docker images for all builds
Answer: B
Explanation: Privilege creep occurs when accounts accumulate unnecessary rights, increasing attack surface.
**Question 43. Which tool is specifically designed to perform interactive application security testing (IAST) for Java applications?**
A) FindSecBugs
B) Contrast Security
C) OWASP ZAP
D) Burp Suite Pro
Answer: B
Explanation: Contrast Security provides IAST by instrumenting Java (and other) runtimes to detect vulnerabilities at runtime.
**Question 44. Which of the following is the primary purpose of a “security gate” in a CI/CD pipeline?**
A) To enforce code style guidelines
B) To pause deployment until security scans pass predefined thresholds
C) To schedule nightly builds

D) To archive old artifacts
Answer: B
Explanation: A security gate blocks promotion of code when security criteria (e.g., no high-severity findings) are not met.
**Question 45. When performing threat modeling using PASTA, which phase focuses on “risk analysis and management”?**
A) Phase 1 – Definition
B) Phase 3 – Attack Modeling
C) Phase 5 – Vulnerability Analysis
D) Phase 7 – Risk Analysis & Management
Answer: D
Explanation: Phase 7 of PASTA is dedicated to assessing risk and defining mitigation priorities.
**Question 46. Which of the following is a recommended way to protect against “command injection” in a Python web application?**
A) Concatenate user input directly into shell commands
B) Use the subprocess.run() function with a list of arguments and shell=False
C) Encode user input with URL encoding before passing to the shell
D) Disable all logging
Answer: B
Explanation: Passing arguments as a list and disabling the shell prevents interpretation of special characters.
**Question 47. Which of the following best describes the “principle of least privilege” as applied to database accounts?**
A) Granting every application user admin rights on the DB
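An added example for Question 46 (not part of the exam text): option A's concatenated shell string beside option B's argv list with `shell=False`, plus an allow-list hostname check as a second layer. Only the harmless `echo` command is run; the tainted input, the hostname pattern and the function names are constructed for this demo.

```python
"""Question 46: shell-string concatenation vs. subprocess.run() with an argv list."""
import re
import subprocess

# Constructed input: a hostname followed by a shell separator and a second command.
TAINTED_INPUT = "example.com; echo INJECTED"

# Allow-list pattern for an RFC 1123 hostname: labels of letters, digits and
# hyphens separated by dots. Spaces and shell metacharacters (';', '|', '$') fail it.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check (the approach from Question 11): accept only well-formed hostnames."""
    return len(value) <= 253 and HOSTNAME_RE.match(value) is not None


def run_vulnerable(user_input: str) -> list:
    """Option A: user input concatenated into one shell string.
    /bin/sh parses the ';' and runs the second command as well."""
    proc = subprocess.run(f"echo {user_input}", shell=True,
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def run_argv_list(user_input: str) -> list:
    """Option B: an argv list with shell=False (the default). No shell is involved,
    so the whole string reaches echo as a single literal argument."""
    proc = subprocess.run(["echo", user_input],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def run_hardened(user_input: str) -> list:
    """Defense in depth: reject anything outside the allow-list, then use the argv form."""
    if not is_valid_hostname(user_input):
        raise ValueError("input rejected by hostname allow-list")
    return run_argv_list(user_input)


if __name__ == "__main__":
    print("shell=True :", run_vulnerable(TAINTED_INPUT))  # two lines: the injected echo ran
    print("argv list  :", run_argv_list(TAINTED_INPUT))   # one line: ';' was never parsed
```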

**Question 50. Which of the following is the most effective way to prevent “open redirect” vulnerabilities?**
A) Encode all URLs with Base64 before redirecting
B) Validate that the redirect target is an allow-listed internal URL before performing the redirect
C) Use JavaScript window.location for redirects
D) Disable the HTTP Referer header
Answer: B
Explanation: Allow-listing trusted destinations ensures attackers cannot redirect users to malicious sites.
**Question 51. Which of the following best describes “runtime application self-protection” (RASP)?**
A) A static analysis tool that runs during compilation
B) A security mechanism embedded in the application that monitors and blocks attacks in real time
C) A network firewall that filters traffic before it reaches the app
D) An external SaaS scanning service that runs nightly
Answer: B
Explanation: RASP resides within the running application and can intervene when malicious behavior is detected.
**Question 52. In the OWASP Top 10, “Cryptographic Failures” primarily refers to which of the following?**
A) Using weak hashing algorithms for passwords
B) Failing to validate user input
C) Storing session IDs in cookies
D) Allowing cross-origin resource sharing (CORS) from any domain

Answer: A
Explanation: Cryptographic failures include weak algorithms, improper key management, and lack of encryption.
**Question 53. Which of the following is a primary reason to enable the “Secure” flag on authentication cookies?**
A) To prevent JavaScript from accessing the cookie (prevent XSS)
B) To ensure the cookie is only sent over HTTPS connections
C) To limit the cookie to a specific subdomain
D) To enforce SameSite restrictions
Answer: B
Explanation: The Secure flag restricts cookie transmission to encrypted channels, protecting it from network sniffing.
**Question 54. Which of the following best describes “code signing” in the context of application security?**
A) Encrypting source code before committing to version control
B) Applying a digital signature to compiled binaries to verify authenticity and integrity
C) Using a checksum to detect corrupted files on disk
D) Obfuscating code to hide business logic
Answer: B
Explanation: Code signing provides a cryptographic guarantee that the binary has not been altered and originates from a trusted source.
**Question 55. Which of the following is a common mitigation for “XML External Entity (XXE)” attacks?**
A) Disabling DTD processing in XML parsers
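Returning to Question 50 above, an added example (not from the exam text) of allow-list validation of a redirect target in Python. It normalises the value before parsing so that scheme-relative `//host`, backslash and `user@host` forms are judged by their real destination rather than by whether the string starts with `/`. `APP_ORIGIN` and the function name are constructed for this demo.

```python
"""Question 50: allow-list the redirect target before performing the redirect."""
from urllib.parse import urljoin, urlsplit

# Constructed: the application's own origin, the only place a redirect may land.
APP_ORIGIN = "https://app.example.test"
_APP_HOST = urlsplit(APP_ORIGIN).netloc.lower()


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return an absolute URL on APP_ORIGIN for a trusted `next` value, or the
    default landing page when the value is not an allow-listed internal URL."""
    fallback = urljoin(APP_ORIGIN, default)
    if not next_param:
        return fallback
    # Browsers treat '\' like '/' in the authority part, so "/\evil.test" is
    # fetched as "//evil.test". Normalise before parsing so both look the same.
    candidate = next_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host") URL: accept only our exact origin.
        # Comparing the full netloc also rejects "https://app.example.test@evil.test/".
        if parts.scheme.lower() != "https" or parts.netloc.lower() != _APP_HOST:
            return fallback
        return candidate
    # Relative target: require exactly one leading '/' so it resolves on our origin.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return urljoin(APP_ORIGIN, candidate)
```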