PrepIQ Beingcert Certified Secure Coding Ultimate Exam, Exams of Technology

This certification focuses on secure software development practices, including vulnerability prevention, encryption, and secure architecture design. It is awarded under BeingCert standards. The exam assesses secure programming and threat mitigation knowledge.

Typology: Exams

2025/2026

Available from 06/01/2026

shilpi-jain-3
PrepIQ Beingcert Certified Secure Coding Ultimate Exam
**Question 1. Which component of the CIA triad primarily protects data from unauthorized disclosure?**
A) Integrity
B) Availability
C) Confidentiality
D) Authentication
Answer: C
Explanation: Confidentiality ensures that information is not disclosed to unauthorized individuals.
**Question 2. In the principle of least privilege, a user should be granted access only to resources that are:**
A) Frequently used
B) Required for their job functions
C) Owned by the organization
D) Publicly available
Answer: B
Explanation: Least privilege limits access to the minimum necessary for a user’s responsibilities.
**Question 3. Which design principle advocates that a system should be simple and have as few components as possible?**
A) Fail-Safe Defaults
B) Economy of Mechanism
C) Complete Mediation
D) Psychological Acceptability
Answer: B

Explanation: Economy of Mechanism promotes simplicity to reduce the chance of errors.
**Question 4. A developer must ensure that default configurations deny access unless explicitly allowed. This is an example of:**
A) Open Design
B) Least Common Mechanism
C) Fail-Safe Defaults
D) Defense in Depth
Answer: C
Explanation: Fail-Safe Defaults mean systems start in a secure state, requiring explicit permission to enable access.
**Question 5. Which regulatory standard focuses on protecting cardholder data?**
A) GDPR
B) HIPAA
C) PCI-DSS
D) SOX
Answer: C
Explanation: PCI-DSS (Payment Card Industry Data Security Standard) governs protection of payment card information.
**Question 6. Under GDPR, an organization must notify affected individuals of a breach within:**
A) 24 hours
B) 48 hours
C) 72 hours

C) ATT&CK
D) Microsoft Threat Modeling
Answer: D
Explanation: Microsoft’s Threat Modeling uses STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).
**Question 10. Reducing the attack surface of an application can be achieved by:**
A) Adding more third-party libraries
B) Exposing all internal APIs publicly
C) Disabling unnecessary services and ports
D) Increasing password complexity only
Answer: C
Explanation: Removing unused functionality limits opportunities for attackers.
**Question 11. Which secure coding standard is maintained by the CERT Coordination Center?**
A) OWASP Top 10
B) CWE/SANS Top 25
C) CERT C Coding Standard
D) NIST SP 800-53
Answer: C
Explanation: The CERT C Coding Standard provides language-specific secure coding rules.
**Question 12. Automated static analysis tools primarily detect:**
A) Runtime performance bottlenecks

B) Logical errors in business rules
C) Vulnerabilities in source code without execution
D) Network latency issues
Answer: C
Explanation: Static analysis examines source code for patterns indicative of security flaws without running the program.
**Question 13. Which testing technique simulates attacks against a running application to find vulnerabilities?**
A) SAST
B) DAST
C) Unit testing
D) Code coverage analysis
Answer: B
Explanation: Dynamic Application Security Testing (DAST) interacts with a live app to uncover runtime vulnerabilities.
**Question 14. Penetration testing differs from vulnerability scanning mainly because it:**
A) Generates false positives
B) Requires no prior knowledge of the system
C) Involves manual exploitation of identified issues
D) Only tests for configuration errors
Answer: C
Explanation: Pen testers manually attempt to exploit vulnerabilities, while scanners automate detection.

**Question 18. Which of the following is a weakness of block-list (negative) validation?**
A) It is easier to implement
B) It can miss unknown malicious inputs
C) It improves performance
D) It enforces strict type checking
Answer: B
Explanation: Block-list relies on known bad patterns and may not catch novel attacks.
**Question 19. The most effective way to prevent SQL injection is to:**
A) Escape special characters manually
B) Use prepared statements with bound parameters
C) Filter user input with regular expressions
D) Encode output as HTML entities
Answer: B
Explanation: Prepared statements separate code from data, eliminating injection vectors.
**Question 20. Context-aware output encoding for XSS requires different encodings for which contexts?**
A) HTML, JavaScript, CSS, URL
B) XML, JSON, CSV, Binary
C) TCP, UDP, ICMP, ARP
D) LDAP, SMTP, FTP, SSH
Answer: A

Explanation: Each context (HTML, JavaScript, CSS, URL) has its own escaping rules to prevent script execution.
**Question 21. To mitigate command injection, a developer should:**
A) Concatenate user input directly into shell commands
B) Use language-provided APIs that avoid invoking a shell
C) Encode the command output as Base
D) Increase the command timeout value
Answer: B
Explanation: Avoiding shell invocation or using safe APIs prevents untrusted input from being interpreted as commands.
**Question 22. When validating file uploads, which check is NOT sufficient on its own?**
A) Verifying file extension
B) Checking MIME type
C) Scanning for viruses
D) All of the above must be combined
Answer: D
Explanation: Each check can be bypassed; a defense-in-depth approach uses multiple validations.
**Question 23. Storing uploaded files outside the web root helps protect against:**
A) SQL injection
B) Cross-site request forgery
C) Direct URL access to malicious files
D) Session fixation

D) Logging the reset request for audit
Answer: B
Explanation: Disclosing account existence aids enumeration attacks.
**Question 27. Which cookie attribute prevents JavaScript from reading the cookie?**
A) Secure
B) HttpOnly
C) SameSite
D) Domain
Answer: B
Explanation: HttpOnly instructs browsers to block client-side scripts from accessing the cookie.
**Question 28. The SameSite=Strict attribute protects against:**
A) Cross-site scripting (XSS)
B) Cross-site request forgery (CSRF)
C) Session fixation
D) Man-in-the-middle attacks
Answer: B
Explanation: SameSite=Strict ensures the cookie is sent only for same-site requests, mitigating CSRF.
**Question 29. Session fixation attacks can be prevented by:**
A) Reusing the same session ID after login
B) Regenerating a new session ID after authentication
C) Storing session IDs in URL parameters

D) Extending session timeout indefinitely
Answer: B
Explanation: Generating a fresh session ID on login stops an attacker from pre-setting a known ID.
**Question 30. Which of the following best describes a stack buffer overflow?**
A) Overrunning heap metadata
B) Writing beyond the bounds of a stack-allocated buffer
C) Corrupting a global variable
D) Misusing a pointer after free
Answer: B
Explanation: Stack buffer overflow occurs when data exceeds the allocated stack buffer, overwriting adjacent memory.
**Question 31. Address Space Layout Randomization (ASLR) primarily mitigates:**
A) SQL injection
B) Predictable memory address attacks such as return-oriented programming
C) Cross-site scripting
D) Insecure password storage
Answer: B
Explanation: ASLR randomizes memory region locations, making it harder for attackers to predict addresses for exploits.
**Question 32. Data Execution Prevention (DEP) blocks:**
A) Reading from protected files
B) Executing code in non-executable memory regions

B) A pointer is dereferenced after its memory has been released
C) Two threads write to the same variable simultaneously
D) An array index is out of bounds
Answer: B
Explanation: Accessing freed memory can lead to arbitrary code execution or crashes.
**Question 36. To safely allocate dynamic memory in C, a developer should:**
A) Ignore the return value of malloc
B) Always check that the pointer returned by malloc is not NULL
C) Use global variables for all allocations
D) Rely on compiler optimizations to free memory automatically
Answer: B
Explanation: Checking for NULL ensures the program handles allocation failures gracefully.
**Question 37. Which symmetric encryption algorithm is considered the industry standard for bulk data encryption?**
A) DES
B) AES
C) RSA
D) Blowfish
Answer: B
Explanation: AES (Advanced Encryption Standard) is widely accepted for its security and performance.
**Question 38. Public-key (asymmetric) encryption is primarily used for:**

A) Encrypting large files efficiently
B) Secure key exchange and digital signatures
C) Hashing passwords
D) Compressing data
Answer: B
Explanation: Asymmetric cryptography enables secure key exchange and authentication via signatures.
**Question 39. Which mode of operation provides both confidentiality and integrity for encrypted data?**
A) ECB
B) CBC
C) GCM
D) OFB
Answer: C
Explanation: GCM (Galois/Counter Mode) offers authenticated encryption, guaranteeing integrity and confidentiality.
**Question 40. Using a self-signed certificate in production is discouraged because:**
A) It provides stronger encryption than CA-signed certificates
B) Clients cannot verify the issuer’s trustworthiness
C) It reduces network latency
D) It automatically revokes after 30 days
Answer: B
Explanation: Self-signed certificates lack a trusted third-party signature, causing trust validation failures.

Explanation: Requiring uppercase letters adds minimal entropy compared to length and blacklist checks.
**Question 44. Which of the following is NOT a recommended practice for secure session management?**
A) Storing session identifiers in URLs
B) Regenerating session IDs after privilege elevation
C) Using Secure and HttpOnly cookie flags
D) Implementing inactivity timeouts
Answer: A
Explanation: URL-based session IDs can be captured via logs, referers, or shoulder surfing.
**Question 45. In the context of threat modeling, “Elevation of Privilege” refers to:**
A) Gaining unauthorized access to higher-level functions
B) Reducing user permissions after login
C) Encrypting data with a stronger algorithm
D) Scaling the application horizontally
Answer: A
Explanation: Elevation of Privilege describes an attacker moving from a lower to a higher privilege level.
**Question 46. The DREAD risk assessment model evaluates threats based on five factors. Which factor measures the potential damage?**
A) Damage potential
B) Reproducibility
C) Exploitability

D) Affected users
Answer: A
Explanation: Damage potential assesses the severity of impact if the vulnerability is exploited.
**Question 47. Which of the following is a characteristic of “defense in depth”?**
A) Relying on a single security control
B) Implementing multiple, overlapping security mechanisms
C) Disabling logging to improve performance
D) Using only network-level firewalls
Answer: B
Explanation: Defense in depth uses layered controls so that if one fails, others still protect the system.
**Question 48. Which of the following statements about “complete mediation” is true?**
A) Authorization checks are performed only at login
B) Every access request is validated against the current security policy
C) Permissions are cached indefinitely for performance
D) Access control is optional for public resources
Answer: B
Explanation: Complete mediation requires that each request be checked, preventing stale or bypassed checks.
**Question 49. “Open design” suggests that security should not depend on:**
A) Strong encryption algorithms
B) Secret implementation details

A) X-Content-Type-Options
B) X-Frame-Options
C) X-XSS-Protection
D) Content-Security-Policy
Answer: B
Explanation: X-Frame-Options instructs browsers whether a page may be framed, preventing click-jacking.
**Question 53. Which of the following is a secure way to generate a random token for CSRF protection?**
A) Use Math.random() in JavaScript
B) Use a cryptographically secure PRNG like SecureRandom
C) Use the current timestamp
D) Use the user’s IP address
Answer: B
Explanation: Cryptographically secure random generators produce unpredictable tokens.
**Question 54. In a Linux environment, which permission setting for a configuration file containing secrets is considered most appropriate?**
A) 777 (rwxrwxrwx)
B) 644 (rw-r--r--)
C) 600 (rw-------)
D) 755 (rwxr-xr-x)
Answer: C
Explanation: 600 restricts access to the file owner only, protecting sensitive data.

**Question 55. Which of the following is a primary benefit of using a Content Security Policy (CSP)?**
A) Encrypts all traffic between client and server
B) Reduces the risk of reflected XSS by limiting allowed sources
C) Stores passwords securely in the browser
D) Guarantees authentication without a password
Answer: B
Explanation: CSP defines trusted content sources, mitigating XSS by blocking unexpected scripts.
**Question 56. Which of the following is NOT a typical characteristic of a secure password storage scheme?**
A) Salted hash
B) Fast hash function like MD
C) Use of a work factor (e.g., cost parameter)
D) Unique per-user salt
Answer: B
Explanation: Fast hashes are unsuitable because they enable rapid brute-force attacks; slow, adaptive hashes are preferred.
**Question 57. When performing input validation, which order of checks is generally recommended?**
A) Length → Type → Format → Business rules
B) Format → Length → Business rules → Type
C) Business rules → Type → Length → Format
D) Type → Length → Format → Business rules
Answer: D