A practice exam for the MASE Certified Application Security Engineer certification. It includes multiple-choice questions covering various aspects of application security, such as injection attacks, risk assessment, the Secure Software Development Lifecycle (SSDLC), OWASP Top 10 risks, and cryptographic principles. Each question is followed by a detailed explanation of the correct answer, making it a valuable resource for exam preparation and for understanding key security concepts. The exam covers topics like buffer overflows, the CIA triad, threat modeling, DREAD risk assessment, trust boundaries, OAuth 2.0, and JSON Web Tokens (JWT).
Typology: Exams
Question 1. Which of the following best describes the primary business impact of a successful injection attack?
A) Loss of confidentiality of data at rest
B) Unauthorized execution of arbitrary code on the server
C) Degradation of network bandwidth
D) Increased latency for legitimate users
Answer: B
Explanation: Injection attacks allow an attacker to send malicious commands that the server executes, leading to unauthorized code execution and potential system compromise.

Question 2. In the context of application security, the term "risk" is most accurately defined as:
A) A known vulnerability present in the codebase
B) The probability that a threat will exploit a vulnerability, multiplied by the impact of that exploitation
C) The total number of discovered bugs in an application
D) The cost of implementing security controls
Answer: B
Explanation: Risk combines likelihood and impact; it quantifies the potential loss from a threat exploiting a vulnerability.
Question 3. Which phase of the Secure Software Development Lifecycle (SSDLC) is most cost-effective for identifying design-level security flaws?
A) Implementation
B) Testing
C) Design
D) Deployment
Answer: C
Explanation: Detecting flaws during design prevents expensive rework later; fixing design issues is cheaper than correcting code or deployed systems.

Question 4. The "Shift-Left" concept in security primarily encourages:
A) Performing security testing after production release
B) Integrating security activities early in the development lifecycle
C) Outsourcing security testing to third-party vendors
D) Delaying security reviews until the maintenance phase
Answer: B
Explanation: Shift-Left moves security leftward (earlier) in the lifecycle, reducing cost and improving security posture.

Question 5. Which OWASP Top 10 risk directly addresses the failure to enforce proper access controls on privileged functions?
A) Injection
D) Authentication
Answer: D
Explanation: Authentication is a security mechanism, not one of the three core CIA principles.

Question 8. In the PAR framework (Protection, Analysis, Response), the "Analysis" step primarily involves:
A) Deploying firewalls and encryption
B) Investigating alerts and determining root cause
C) Blocking malicious IP addresses
D) Performing regular backups
Answer: B
Explanation: Analysis focuses on examining security events to understand and prioritize incidents.

Question 9. Which security principle states that a system should default to denying access unless explicitly granted?
A) Least Privilege
B) Fail-Safe Defaults
C) Defense in Depth
D) Separation of Privilege
Answer: B
Explanation: Fail-Safe Defaults require that default configurations deny access, reducing accidental exposure.

Question 10. During threat modeling, the STRIDE acronym includes "Tampering." Which of the following attacks best illustrates tampering?
A) An attacker modifies a JSON Web Token payload without detection
B) An attacker intercepts traffic to read confidential data
C) An attacker launches a denial-of-service attack
D) An attacker replays a previously captured request
Answer: A
Explanation: Tampering involves unauthorized modification of data, such as altering a JWT's claims.

Question 11. In DREAD risk assessment, the "Exploitability" factor measures:
A) The potential damage caused by an exploit
B) How easy it is for an attacker to launch the exploit
C) The number of users affected
D) How often the vulnerability is discovered
Answer: B
Explanation: Exploitability rates the effort required to successfully exploit a vulnerability.
A) Defense in Depth
B) Fail-Safe Defaults
C) Least Privilege
D) Secure by Default
Answer: A
Explanation: Defense in Depth layers controls so that if one fails, others still protect the asset.

Question 15. An "Abuse Case" is primarily used to:
A) Document functional requirements for a new feature
B) Identify how an attacker might misuse a system
C) Outline performance benchmarks for the application
D) Describe the user interface flow for a login screen
Answer: B
Explanation: Abuse cases focus on undesirable actions, helping security teams anticipate attacks.

Question 16. In the SQUARE methodology, the first step is:
A) Design security controls
B) Identify security goals and objectives
C) Perform risk assessment
D) Validate security requirements
Answer: B
Explanation: SQUARE begins by defining security goals to guide subsequent requirement gathering.

Question 17. Which of the following is an example of a "fail-safe" default configuration for a newly deployed web server?
A) Enabling directory listing for all folders
B) Disabling all unnecessary modules and services
C) Allowing anonymous FTP access
D) Setting default passwords to "admin"
Answer: B
Explanation: Disabling unnecessary services reduces the attack surface and is a fail-safe default.

Question 18. Which cryptographic hash function is considered insecure for password storage due to its speed and lack of salting?
A) Argon
B) bcrypt
C) MD
D) PBKDF
Answer: C
Question 21. In OAuth 2.0, the "authorization code" grant type is primarily used to:
A) Directly provide an access token to a public client without user interaction
B) Exchange a short-lived code for an access token, adding a layer of security for confidential clients
C) Authenticate users using a username and password only
D) Store user credentials on the client side
Answer: B
Explanation: The authorization code flow separates user authentication from token issuance, protecting credentials.

Question 22. Which of the following token formats includes a digitally signed payload that can be verified without contacting the issuer?
A) SAML Assertion
B) OAuth 2.0 Access Token (opaque)
C) JSON Web Token (JWT)
D) API Key
Answer: C
Explanation: JWTs are self-contained, signed tokens that can be validated locally.
Question 23. Which of the following is the most appropriate method to protect session identifiers from being intercepted over an insecure network?
A) Storing them in local storage
B) Transmitting them over HTTP only
C) Using Secure and HttpOnly cookie flags with TLS encryption
D) Embedding them in URLs
Answer: C
Explanation: The Secure and HttpOnly flags, combined with TLS, protect cookies from interception and from client-side script access.

Question 24. A "session fixation" attack is mitigated by:
A) Re-using the same session ID for the entire user lifecycle
B) Generating a new session identifier after successful authentication
C) Disabling cookies entirely
D) Storing session IDs in the URL query string
Answer: B
Explanation: Regenerating the session ID on login prevents an attacker from forcing a known ID.

Question 25. Which response header helps mitigate Cross-Site Request Forgery (CSRF) attacks?
A) X-Content-Type-Options
D) Using regular expressions that match everything except a few characters
Answer: B
Explanation: Allow-listing restricts input to expected values, reducing the chance of malicious data slipping through.

Question 28. Parameterized queries primarily protect against which type of vulnerability?
A) Cross-Site Scripting (XSS)
B) SQL Injection
C) Directory Traversal
D) Insecure Direct Object References
Answer: B
Explanation: Parameterized queries separate code from data, preventing malicious data from altering SQL commands.

Question 29. Which of the following is a recommended practice when handling errors that are exposed to end users?
A) Display the full stack trace to aid debugging
B) Return generic error messages without revealing internal details
C) Include the database schema in the error response
D) Echo user input back in the error page verbatim
Answer: B
Explanation: Generic messages prevent information leakage that could aid attackers.

Question 30. A centralized logging solution improves security by:
A) Reducing the amount of log data generated
B) Allowing attackers to easily locate logs
C) Enabling correlation of events across multiple components and faster detection of anomalies
D) Storing logs only on the client side
Answer: C
Explanation: Centralized logs provide unified visibility and facilitate incident detection and response.

Question 31. Which of the following best describes a "false positive" in SAST findings?
A) A vulnerability that exists but is not reported
B) A reported issue that is not actually a security flaw
C) A vulnerability that was introduced during testing
D) An exploit that works only under specific conditions
Answer: B
Explanation: False positives are warnings that do not correspond to real security issues.
A) Business logic errors
B) Input validation and memory-corruption defects
C) Authentication misconfigurations
D) Authorization role hierarchy issues
Answer: B
Explanation: Fuzzing feeds random or malformed inputs to provoke crashes, revealing validation and memory issues.

Question 35. In a penetration test, a "white-box" approach means the tester:
A) Has no prior knowledge of the application architecture
B) Has full access to source code, design documents, and credentials
C) Uses only publicly available information
D) Relies on social engineering only
Answer: B
Explanation: White-box testing provides the tester with internal knowledge, enabling deeper analysis.

Question 36. Which of the following is a key benefit of a vulnerability disclosure program?
A) It eliminates the need for internal security testing
B) It encourages external researchers to responsibly report findings, increasing coverage of hidden bugs
C) It guarantees that all reported bugs will be fixed within 24 hours
D) It replaces the need for a Web Application Firewall
Answer: B
Explanation: A disclosure program leverages external expertise to find vulnerabilities that internal teams might miss.

Question 37. Which container security control helps ensure that only trusted images are deployed in production?
A) Disabling all network ports in the container runtime
B) Using image signing and verification with Notary or similar tools
C) Running containers as root
D) Allowing containers to pull images from any public registry without checks
Answer: B
Explanation: Image signing verifies provenance, preventing tampered or untrusted images from being used.

Question 38. The principle of "separation of privilege" dictates that:
A) A single user should have all privileges needed to perform any action
B) Multiple conditions must be satisfied before granting access to a sensitive operation
C) All code should run with administrator rights
D) Privileges should be granted automatically based on user role
Explanation: WAFs inspect HTTP traffic and can block known injection patterns like SQLi and XSS.

Question 41. Which of the following is a recommended practice when configuring TLS for a web application?
A) Supporting SSL v2 for backward compatibility
B) Enabling only strong cipher suites such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA
C) Using self-signed certificates in production
D) Disabling forward secrecy
Answer: B
Explanation: Strong, forward-secrecy-enabled cipher suites protect data confidentiality and integrity.

Question 42. In the context of Infrastructure as Code (IaC), which tool can help detect insecure configurations before deployment?
A) Wireshark
B) Terraform
C) Checkov or tfsec (static analysis tools for IaC)
D) Nmap
Answer: C
Explanation: IaC scanning tools analyze code for misconfigurations, enabling early remediation.

Question 43. Which of the following best describes "defense in depth" in a layered architecture?
A) Relying on a single firewall at the network perimeter
B) Implementing multiple, overlapping security controls at the network, host, and application layers
C) Using only encryption to protect data
D) Disabling all external ports on a server
Answer: B
Explanation: Defense in depth uses several controls so that the failure of one does not compromise the system.

Question 44. A "race condition" vulnerability typically arises due to:
A) Improper input validation of user-supplied data
B) Concurrent processes accessing shared resources without proper synchronization
C) Weak password policies
D) Lack of HTTPS enforcement
Answer: B