PrepIQ 7Safe Certified Secure Coding for Software Developers CSCSD Ultimate Exam, Exams of Technology

Prepare for secure coding practices involving input validation, authentication security, secure session management, OWASP Top 10 risks, and defensive programming techniques.

Typology: Exams

2025/2026

Available from 06/03/2026

shilpi-jain-3
PrepIQ 7Safe Certified Secure Coding for Software Developers CSCSD Ultimate Exam
**Question 1.** Which component of the CIA triad primarily ensures that data is not disclosed to unauthorized parties?
A) Integrity
B) Availability
C) Confidentiality
D) Non-repudiation
Answer: C
Explanation: Confidentiality protects information from being accessed by anyone who does not have permission, which directly addresses unauthorized disclosure.
**Question 2.** In a web application, what is the main difference between authentication and authorization?
A) Authentication verifies identity; authorization determines access rights.
B) Authentication encrypts data; authorization decrypts data.
C) Authentication logs user actions; authorization audits them.
D) Authentication manages sessions; authorization manages cookies.
Answer: A
Explanation: Authentication confirms who a user is, while authorization decides what the authenticated user is allowed to do.
**Question 3.** Which technique provides non-repudiation for a transaction performed by a web service?
A) Storing the request in a log file.
B) Using HTTPS for transport.
C) Applying a digital signature to the payload.
D) Encrypting the payload with a symmetric key.
Answer: C
Explanation: A digital signature binds the sender’s identity to the data, preventing the sender from denying the transaction.
**Question 4.** Under privacy best practices, which of the following actions helps achieve data minimization?
A) Storing all user activity for analytics.
B) Collecting only the data required for the specific purpose.
C) Encrypting data at rest.
D) Using pseudonyms for all user identifiers.
Answer: B
Explanation: Data minimization means gathering only the information necessary for the intended function, reducing privacy risk.
**Question 5.** The principle of “economy of mechanism” encourages developers to:
A) Use the most complex algorithm available.
B) Keep security components simple and small.
C) Add multiple layers of security regardless of cost.
D) Outsource security to third-party services.
Answer: B
Explanation: Simple, well-understood security mechanisms are easier to verify and less prone to errors.
**Question 6.** In a Waterfall SDLC, when is the optimal point to perform threat modeling?
A) During the coding phase.
B) After the system is deployed.
C) At the requirements and design phase.
D) During user acceptance testing.
Answer: C
Explanation: Early threat modeling (requirements/design) identifies risks before implementation, reducing remediation cost.
**Question 7.** Which security framework explicitly defines “Security Requirements” as a separate phase in its process?
A) OWASP SAMM

D) A07 – Identification & Authentication Failures
Answer: A
Explanation: Insecure Direct Object References are a sub-type of broken access control.
**Question 11.** Which of the following is a typical indicator of a SQL injection vulnerability?
A) Use of prepared statements.
B) Direct concatenation of user input into a query string.
C) Parameterized stored procedures.
D) Input length validation.
Answer: B
Explanation: Concatenating raw input into SQL creates an injection vector because attackers can alter the query structure.
**Question 12.** A web application accepts a filename from the user and opens it on the server. Which vulnerability is most likely?
A) Cross-Site Scripting
B) Command Injection
C) Path Traversal
D) Insecure Deserialization
Answer: C
Explanation: Allowing user-controlled file paths can lead to directory traversal, enabling access to unauthorized files.
**Question 13.** Which type of XSS is executed when malicious script is stored in a database and later displayed to victims?
A) Reflected XSS
B) Stored XSS
C) DOM-based XSS
D) Self-XSS

Answer: B
Explanation: Stored XSS persists on the server (e.g., in a database) and is served to users later.
**Question 14.** In a CSRF attack, the attacker relies on the victim’s:
A) Ability to read encrypted cookies.
B) Existing authenticated session with the target site.
C) Knowledge of the server’s private key.
D) Use of a vulnerable browser plugin.
Answer: B
Explanation: CSRF abuses an existing authenticated session to execute unwanted actions on behalf of the victim.
**Question 15.** Which of the following best describes insecure deserialization?
A) Sending serialized data over an unencrypted channel.
B) Deserializing data from an untrusted source without validation.
C) Using JSON instead of XML for data exchange.
D) Storing serialized objects in a database.
Answer: B
Explanation: Insecure deserialization occurs when untrusted data is deserialized, potentially leading to code execution.
**Question 16.** A default admin password left unchanged on a newly deployed server is an example of:
A) Weak cryptography
B) Security misconfiguration
C) Insufficient logging
D) Broken authentication
Answer: B
Explanation: Default credentials are a classic misconfiguration that provides easy entry for attackers.

A) Secure
B) HttpOnly
C) SameSite=Strict
D) Domain
Answer: B
Explanation: The HttpOnly flag tells browsers not to expose the cookie to JavaScript, mitigating XSS theft.
**Question 21.** An “absolute timeout” for a session differs from an “idle timeout” in that:
A) Absolute timeout ends the session after a fixed period regardless of activity.
B) Absolute timeout resets after each request.
C) Idle timeout logs the user out after a period of inactivity.
D) Both A and C are correct.
Answer: D
Explanation: Absolute timeout is a maximum session lifespan; idle timeout triggers after inactivity. Both are distinct mechanisms.
**Question 22.** Which logging practice helps avoid leaking sensitive information?
A) Logging full credit-card numbers for debugging.
B) Including stack traces in production logs.
C) Redacting or hashing PII before writing to logs.
D) Storing logs in plain text on a publicly accessible directory.
Answer: C
Explanation: Redacting or hashing sensitive data reduces the risk of exposing personal or credential information.
**Question 23.** Which symmetric encryption algorithm is considered deprecated for new applications due to weak key size?
A) AES-256
B) 3DES (Triple DES)

C) ChaCha
D) AES-128
Answer: B
Explanation: 3DES uses 112-bit effective key strength and is being phased out in favor of stronger algorithms like AES.
**Question 24.** For password storage, which of the following is the most appropriate approach?
A) SHA-1 hash without a salt.
B) MD5 hash with a static salt.
C) bcrypt with a per-user salt.
D) Encrypting the password with a symmetric key.
Answer: C
Explanation: bcrypt incorporates a per-user salt and work factor, making brute-force attacks computationally expensive.
**Question 25.** Which key management practice reduces the risk of secret exposure in source code repositories?
A) Hard-coding keys in configuration files.
B) Storing keys in environment variables only during development.
C) Using a dedicated secret-management service (e.g., Vault).
D) Embedding keys in compiled binaries.
Answer: C
Explanation: Centralized secret-management services provide controlled access, rotation, and auditability, avoiding hard-coded secrets.
**Question 26.** Digital signatures primarily provide which security property?
A) Confidentiality
B) Integrity and authenticity
C) Non-repudiation only
D) Availability

Explanation: Manipulating identifiers in URLs to access other users’ resources indicates missing authorization checks.
**Question 30.** A developer uses the following code to build a shell command:

$cmd = "ping -c 4 ". $_GET['host']; exec($cmd);

What type of vulnerability does this introduce?
A) SQL Injection
B) Command Injection
C) Cross-Site Scripting
D) Insecure Direct Object Reference
Answer: B
Explanation: Concatenating unsanitized user input into a system command enables command injection.
**Question 31.** Which HTTP header helps mitigate CSRF attacks by restricting cross-origin requests?
A) X-Content-Type-Options
B) Content-Security-Policy
C) X-Frame-Options
D) SameSite
Answer: D
Explanation: The SameSite cookie attribute tells browsers not to send cookies on cross-site requests, reducing CSRF risk.
**Question 32.** When implementing rate limiting for login attempts, which metric is most effective to prevent credential stuffing?
A) Number of requests per IP per minute.
B) Total bandwidth used per hour.

C) Number of successful logins per user per day.
D) Number of password reset emails sent per user.
Answer: A
Explanation: Limiting requests from a single IP slows automated credential stuffing attacks.
**Question 33.** Which of the following is a recommended practice when handling error messages in a public-facing API?
A) Return full stack traces to the client.
B) Provide generic error codes without internal details.
C) Echo the user’s input back in the response.
D) Include database schema information in the error payload.
Answer: B
Explanation: Generic messages avoid revealing implementation details that could aid attackers.
**Question 34.** In the context of cryptographic hash functions, what does “collision resistance” mean?
A) It is impossible to find two inputs that produce the same hash.
B) It is computationally infeasible to find two distinct inputs with the same hash.
C) The hash output is always the same length.
D) The hash can be reversed to retrieve the original input.
Answer: B
Explanation: Collision resistance means finding a pair of inputs that hash to the same value is computationally impractical.
**Question 35.** Which of the following is the most secure way to store API keys used by a backend service?
A) In a plain-text file checked into version control.
B) As environment variables on the host machine.
C) In a secrets manager with access control and audit logging.

Explanation: Least privilege limits each principal to the minimal rights required for its tasks.
**Question 39.** In a microservices architecture, which practice helps protect inter-service communication?
A) Sending JSON over HTTP without encryption.
B) Using mutual TLS (mTLS) for service-to-service authentication.
C) Relying on IP whitelisting only.
D) Storing API keys in each service’s source code.
Answer: B
Explanation: mTLS provides both encryption and mutual authentication between services.
**Question 40.** Which of the following is a primary advantage of using prepared statements over manual query concatenation?
A) They improve database performance.
B) They automatically encrypt the query.
C) They separate code from data, preventing SQL injection.
D) They reduce the size of the SQL string.
Answer: C
Explanation: Prepared statements send the SQL code and parameters separately, eliminating the chance for user input to alter query structure.
**Question 41.** Which OWASP Top 10 category addresses the risk of using outdated components with known vulnerabilities?
A) A05 – Security Misconfiguration
B) A06 – Vulnerable and Outdated Components
C) A03 – Injection
D) A09 – Security Logging and Monitoring Failures
Answer: B
Explanation: “Vulnerable and Outdated Components” focuses on libraries, frameworks, and other components that are not up-to-date.

**Question 42.** When implementing password reset functionality, which of the following reduces the risk of token hijacking?
A) Using a short, predictable token.
B) Sending the token via HTTP GET parameters.
C) Storing the token in a secure, HttpOnly cookie.
D) Allowing the token to be reused multiple times.
Answer: C
Explanation: Storing the token in an HttpOnly cookie prevents client-side script access and reduces exposure.
**Question 43.** Which of the following is the best practice for handling user-uploaded files?
A) Store them in the web root with the original filename.
B) Rename the file to a random identifier and store it outside the web root.
C) Trust the file’s MIME type header.
D) Allow any file type to be uploaded.
Answer: B
Explanation: Renaming and storing files outside the web root prevents direct execution and path traversal attacks.
**Question 44.** In the context of session fixation attacks, which mitigation is most effective?
A) Accepting any session ID provided by the client.
B) Regenerating the session ID after authentication.
C) Using a fixed session ID for all users.
D) Disabling cookies altogether.
Answer: B
Explanation: Regenerating the session identifier after login prevents an attacker from pre-setting a known ID.

A) Storing the user’s password in a cookie.
B) Using a long-lived session ID without additional checks.
C) Issuing a random, securely generated token linked to the user and revoking it on logout.
D) Embedding the username in the cookie.
Answer: C
Explanation: A random token that is stored server-side and can be revoked provides a safe persistent login mechanism.
**Question 49.** Which of the following best describes “fail-closed” behavior in security controls?
A) The system continues operating even when a security component fails.
B) The system denies access when a security component fails.
C) The system logs the failure but allows traffic.
D) The system automatically reboots on failure.
Answer: B
Explanation: Fail-closed ensures that when a protective mechanism breaks, the default action is to block access, preserving security.
**Question 50.** A developer decides to log user input fields for debugging. Which practice should be applied to avoid leaking sensitive data?
A) Log the raw input without filtering.
B) Mask or redact fields such as passwords, credit-card numbers, and SSNs before logging.
C) Store logs on a publicly accessible S3 bucket.
D) Include the entire HTTP request body in the log.
Answer: B
Explanation: Redacting sensitive fields prevents accidental exposure of confidential information in logs.
**Question 51.** Which of the following is a primary benefit of using Content Security Policy (CSP) headers?

A) Encrypting data at rest.
B) Preventing the browser from loading any external scripts.
C) Reducing the risk of XSS by restricting allowed content sources.
D) Enforcing HTTPS on all requests.
Answer: C
Explanation: CSP restricts where scripts, styles, and other resources can be loaded from, mitigating XSS attacks.
**Question 52.** In the context of key rotation, why is it important to re-encrypt existing data after rotating a symmetric key?
A) To change the file permissions.
B) To ensure old encrypted data cannot be decrypted with the compromised key.
C) To improve performance.
D) To comply with GDPR’s data minimization rule.
Answer: B
Explanation: Rotating the key without re-encrypting data leaves old ciphertext vulnerable if the old key was compromised.
**Question 53.** Which of the following is an example of a “side-channel” attack?
A) SQL injection.
B) Timing analysis of cryptographic operations.
C) Phishing email.
D) Cross-site request forgery.
Answer: B
Explanation: Side-channel attacks exploit indirect information such as execution time, power consumption, or electromagnetic leaks.
**Question 54.** When using the OWASP ZAP tool for automated scanning, which type of vulnerability is it most likely to detect?
A) Insider threats.
B) Business logic flaws.

Answer: C
Explanation: 403 indicates the server understood the request but refuses to fulfill it due to insufficient permissions.
**Question 58.** Which of the following is a secure method for generating random tokens for CSRF protection?
A) Using Math.random() in JavaScript.
B) Using a cryptographically secure random number generator (CSPRNG).
C) Using the current timestamp.
D) Concatenating the user’s username with a static string.
Answer: B
Explanation: CSPRNGs produce unpredictable values suitable for security tokens.
**Question 59.** Which of the following statements about “principle of least astonishment” in secure coding is correct?
A) Users should be surprised by security prompts.
B) APIs should behave in a predictable, secure manner to avoid misuse.
C) Developers should use obscure function names.
D) Security checks should be hidden from auditors.
Answer: B
Explanation: Predictable behavior reduces accidental security bypasses and makes secure usage intuitive.
**Question 60.** Which of the following is the most effective way to protect against “password spraying” attacks?
A) Enforce complex password composition rules.
B) Implement account lockout after a small number of failed attempts per account.
C) Require users to change passwords daily.
D) Store passwords in reversible encryption.
Answer: B

Explanation: Limiting failed attempts per account (and optionally per IP) thwarts large-scale password-spraying attempts.
**Question 61.** Which of the following best describes “immutable infrastructure” in the context of secure deployments?
A) Servers are patched in place without rebooting.
B) Once a server is deployed, it is never modified; updates are performed by redeploying new instances.
C) All configuration files are read-only.
D) Developers can edit production code directly.
Answer: B
Explanation: Immutable infrastructure reduces configuration drift and simplifies security compliance by replacing rather than modifying resources.
**Question 62.** When using OAuth 2.0, which grant type is most appropriate for a server-to-server communication without user interaction?
A) Authorization Code Grant
B) Implicit Grant
C) Client Credentials Grant
D) Resource Owner Password Credentials Grant
Answer: C
Explanation: The client credentials grant allows machines to obtain an access token directly using their own credentials.
**Question 63.** Which of the following is a primary reason to avoid using the ECB mode of operation for block ciphers?
A) It provides authentication.
B) It leaks patterns in the plaintext.
C) It requires a unique IV for each block.
D) It is slower than CBC.
Answer: B