PrepIQ Certified Secure Software Developer S CSSD Ultimate Exam, Exams of Technology

This exam assesses secure coding practices, threat modeling, code review methodologies, SDLC security integration, API-hardening techniques, and vulnerability mitigation strategies. It includes questions and scenarios covering OWASP ASVS, SAST/DAST tool usage, and defensive programming techniques for modern development frameworks.

Typology: Exams

2025/2026

Available from 05/01/2026

shilpi-jain-3
PrepIQ Certified Secure Software Developer S
CSSD Ultimate Exam
Question 1. **Which security principle states that a system should default to a
secure state when an error occurs?**
A) Least Privilege
B) Fail-Secure
C) Open Design
D) Economy of Mechanism
Answer: B
Explanation: Fail-Secure (or Fail-Safe) requires that, on failure, the system remains
in a secure condition rather than exposing data or functionality.
---
Question 2. **In the context of authentication, which method combines something
you have with something you are?**
A) Password-only authentication
B) Multi-Factor Authentication (MFA) using token and biometrics
C) Single Sign-On (SSO)
D) Federated identity
Answer: B
Explanation: MFA that uses a physical token (something you have) and a biometric
factor (something you are) satisfies the definition.
---
Question 3. **Which access control model enforces permissions based on user roles
rather than individual identities?**
A) Discretionary Access Control (DAC)
B) Mandatory Access Control (MAC)
C) Role-Based Access Control (RBAC)
D) Attribute-Based Access Control (ABAC)
Answer: C
Explanation: RBAC assigns permissions to roles; users acquire those permissions by being assigned the role.
---

Question 4. **What does Kerckhoffs’s Principle (Open Design) imply for cryptographic systems?**
A) The algorithm must be kept secret at all times.
B) Security should rely on the secrecy of the key, not the algorithm.
C) Only proprietary software can be trusted.
D) Security mechanisms must be hidden from users.
Answer: B
Explanation: The principle states that a system’s security should depend only on the secrecy of the key, not on keeping the design secret.
---

Question 5. **Which metric best measures the speed at which identified vulnerabilities are fixed?**
A) Mean Time To Detect (MTTD)
B) Average Remediation Time (ART)
C) Code Coverage Percentage


Explanation: External entities are shown as squares or rounded rectangles, indicating actors outside the system.
---

Question 8. **Which secure design pattern helps prevent SQL injection by separating data from code?**
A) Factory
B) Singleton
C) Parameterized Query (Prepared Statement) pattern
D) Observer
Answer: C
Explanation: Parameterized queries ensure user input is treated as data, not executable code, mitigating injection risks.
---
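The point behind Question 8, shown in code. This is an added example, not part of the exam or of any product it refers to; it uses Python's standard `sqlite3` module with a small in-memory table constructed for the demonstration. `lookup_unsafe` builds the SQL text by string concatenation, so a quote character in the input changes the query's structure; `lookup_safe` binds the same input through a `?` placeholder, so the driver always treats it as data.

```python
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    # Anti-pattern: the value is spliced into the SQL text, so the input
    # is parsed as part of the statement rather than as a literal.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the driver binds the value to the '?' placeholder
    # after parsing, so its contents cannot alter the statement's structure.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    # Constructed test input containing a quote character. Against the
    # concatenated query it matches every row; against the bound query it
    # is simply a username that does not exist.
    probe = "' OR '1'='1"
    return {
        "unsafe_rows": len(lookup_unsafe(conn, probe)),
        "safe_rows": len(lookup_safe(conn, probe)),
    }


if __name__ == "__main__":
    print(demo())
```

The same contrast applies to any driver that supports placeholders (`%s` in psycopg2, `?` in JDBC prepared statements): the fix is never to escape the string yourself but to let the database bind it.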

Question 9. **What is the primary purpose of using a cryptographic hash with a salt when storing passwords?**
A) To encrypt the password for reversible decryption
B) To make each hash unique even for identical passwords
C) To increase the length of the password
D) To compress the password for storage efficiency
Answer: B
Explanation: Salting adds random data to each password before hashing, preventing attackers from using pre-computed tables.
---
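An added example (not part of the exam) that makes the explanation for Question 9 concrete using only Python's standard library. A small constructed wordlist stands in for a pre-computed table: an unsalted SHA-256 of a common password is found in it immediately, while a PBKDF2-HMAC-SHA256 digest with a random 16-byte salt is not, and two users with the same password end up with different stored digests. The iteration count is an assumption kept low so the example runs quickly.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Kept modest here so the example runs
# quickly; production code should follow current guidance, which calls for
# a much higher count.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    # Anti-pattern: the same password always yields the same digest, so a
    # table computed once can be reused against every user database.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    # A fresh random salt per password means identical passwords produce
    # different digests, and a table computed without the salt is useless.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify(password: str, salt: bytes, stored_hex: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def build_lookup_table(candidates):
    # Constructed stand-in for a pre-computed table: unsalted digest -> word.
    return {unsalted_hash(c): c for c in candidates}


def demo():
    common = ["password", "123456", "letmein"]  # constructed wordlist
    table = build_lookup_table(common)
    pw = "letmein"
    salt_a, digest_a = salted_hash(pw)
    salt_b, digest_b = salted_hash(pw)  # same password, second user
    return {
        "unsalted_recovered": table.get(unsalted_hash(pw)),
        "salted_in_table": digest_a in table,
        "same_password_same_digest": digest_a == digest_b,
        "verify_ok": verify(pw, salt_a, digest_a),
        "verify_wrong": verify("wrong", salt_a, digest_a),
    }


if __name__ == "__main__":
    print(demo())
```

The salt is stored alongside the digest in clear; it is not a secret, its job is only to make each hash unique. The slow key-derivation function is what makes per-user guessing expensive.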


Question 10. **Which of the following is an example of a “complete mediation” violation?**
A) A user logs in once and then accesses multiple resources without rechecking permissions.
B) A system uses role-based access control.
C) All inputs are validated at the UI layer.
D) Encryption is applied to data at rest.
Answer: A
Explanation: Complete mediation requires every access request to be checked; caching a permission check and reusing it violates this principle.
---

Question 11. **Which compliance standard specifically mandates encryption of cardholder data at rest?**
A) GDPR
B) HIPAA
C) PCI DSS
D) ISO 27001
Answer: C
Explanation: PCI DSS Requirement 3 requires strong cryptography to protect stored cardholder data.
---


B) Known CVEs associated with each component
C) The exact line of source code where a vulnerability is exploited
D) License types for each component
Answer: C
Explanation: SCA tools identify components and known vulnerabilities but do not pinpoint exploit lines in source code.
---

Question 15. **Which of the following is the most appropriate response to a discovered zero-day vulnerability in a production system?**
A) Immediately shut down the entire system.
B) Apply a temporary mitigation, then develop and deploy a patch.
C) Wait for the vendor to release an official fix before taking any action.
D) Ignore it if no attacks have been observed yet.
Answer: B
Explanation: A temporary mitigation (e.g., configuration change, firewall rule) reduces risk while a proper patch is prepared.
---

Question 16. **What does “defense in depth” primarily aim to achieve?**
A) Reduce the number of security controls to a single layer.
B) Provide multiple, independent layers of protection.
C) Ensure that only one security mechanism is used per component.
D) Replace all perimeter defenses with endpoint security.
Answer: B
Explanation: Defense in depth stacks several controls so that if one fails, others still protect the asset.
---

Question 17. **Which of the following best describes “least privilege” in the context of a microservice architecture?**
A) All services run as the same privileged user to simplify management.
B) Each service runs under a distinct account with only the permissions it needs.
C) Services are granted admin rights during development and left unchanged.
D) Privileges are assigned based on the most senior developer’s role.
Answer: B
Explanation: Least privilege limits each microservice to the minimal rights required for its function.
---

Question 18. **In the OWASP Top Ten, which category does “Broken Access Control” belong to?**
A) A1 – Injection
B) A5 – Security Misconfiguration
C) A4 – Insecure Design
D) A5 – Broken Access Control (as of 2021)
Answer: D
Explanation: The 2021 OWASP Top Ten lists Broken Access Control as its own category (A5).
---


Question 21. **Which of the following is a primary benefit of using immutable infrastructure in a CI/CD pipeline?**
A) Allows on-the-fly patching of running servers.
B) Guarantees that each deployment is identical to the last.
C) Eliminates the need for version control.
D) Enables faster manual configuration of each server.
Answer: B
Explanation: Immutable infrastructure means servers are never changed after deployment; updates are made by replacing the entire image, ensuring consistency.
---

Question 22. **What type of testing combines static analysis with runtime behavior to find vulnerabilities?**
A) SAST
B) DAST
C) IAST
D) Fuzz testing
Answer: C
Explanation: Interactive Application Security Testing (IAST) instruments the application during execution, merging static and dynamic analysis.
---

Question 23. **Which of the following is the most appropriate way to store an API secret key in a containerized application?**
A) Hard-code it in the source code.
B) Store it in a Dockerfile environment variable.
C) Pass it at runtime via a secrets manager or environment variable injected by the orchestrator.
D) Include it in the container image layers.
Answer: C
Explanation: Secrets should be injected at runtime from a secure vault or orchestrator, avoiding storage in images or code.
---

Question 24. **In the context of logging for accountability, which property ensures that logs cannot be altered without detection?**
A) Log rotation
B) Log aggregation
C) Tamper-evident logging (e.g., signed logs)
D) Log level configuration
Answer: C
Explanation: Tamper-evident mechanisms, such as digital signatures or hash chaining, make unauthorized modifications detectable.
---
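The hash-chaining mechanism named in the explanation for Question 24, as an added example (not part of the exam). Each record carries the hash of the previous record and its own hash over a canonical JSON encoding of its fields, so editing, deleting or reordering any entry breaks the chain from that point on. The three audit lines are constructed for the demonstration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed anchor for the first entry's "prev" link


def _digest(record: dict) -> str:
    # Hash every field except the record's own hash, using a canonical
    # JSON encoding so that verification is deterministic.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(chain: list, message: str) -> dict:
    # Link the new record to the hash of the current last record.
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "msg": message, "prev": prev}
    record["hash"] = _digest(record)
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record.get("seq") != i or record.get("prev") != prev:
            return i  # dropped, inserted or reordered entry
        if _digest(record) != record.get("hash"):
            return i  # contents edited after the fact
        prev = record["hash"]
    return None


def demo():
    chain = []
    for line in [  # constructed audit lines
        "login user=alice",
        "role change user=bob role=admin",
        "logout user=alice",
    ]:
        append_entry(chain, line)

    edited = copy.deepcopy(chain)
    edited[1]["msg"] = "role change user=bob role=user"  # rewrite one entry

    dropped = copy.deepcopy(chain)
    del dropped[1]  # remove one entry

    return {
        "intact": verify_chain(chain),
        "edited": verify_chain(edited),
        "dropped": verify_chain(dropped),
    }


if __name__ == "__main__":
    print(demo())
```

A chain alone only detects changes made by someone who cannot rewrite every later record; to defend against an insider who can rewrite the whole file, the head hash is periodically anchored somewhere the writer cannot alter (a separate system, a signed timestamp), or each record is signed, which is the "signed logs" option in the question.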

Question 25. **Which security control is primarily responsible for ensuring that data remains available during a network outage?**
A) Encryption
B) Redundancy and replication


Answer: B
Explanation: Economy of mechanism advocates simple, small, and well-understood designs that are easier to verify.
---

Question 28. **Which of the following is a recommended practice for secure decommissioning of an application?**
A) Leaving all service accounts active for future reference.
B) Archiving source code without encryption.
C) Securely wiping databases and revoking all keys.
D) Publishing the decommission plan publicly.
Answer: C
Explanation: Secure data disposition and credential removal are essential steps when retiring an application.
---

Question 29. **In the context of cryptographic agility, why is it important to abstract cryptographic algorithms behind an interface?**
A) To hide encryption from auditors.
B) To allow easy replacement of algorithms without major code changes.
C) To make the code run faster.
D) To prevent developers from using encryption.
Answer: B
Explanation: Abstracting algorithms enables swapping out weak or deprecated ciphers with stronger ones with minimal impact.
---
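An added example (not from the exam) of the interface abstraction asked about in Question 29, using password hashing as the algorithm being swapped. Each implementation sits behind a small `PasswordHasher` interface, stored values carry an algorithm tag, verification dispatches on that tag, and `needs_upgrade` lets the application re-hash a legacy record on the next successful login. The two algorithms, the tag names, and the parameters are assumptions chosen for the demonstration; both come from Python's standard `hashlib`.

```python
import hashlib
import hmac
import os
from typing import Protocol


class PasswordHasher(Protocol):
    # The interface callers depend on; no caller names a concrete algorithm.
    algorithm_id: str

    def hash(self, password: bytes, salt: bytes) -> bytes: ...


class Pbkdf2Sha256:
    algorithm_id = "pbkdf2-sha256"
    iterations = 100_000  # assumption: kept low so the example runs quickly

    def hash(self, password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, self.iterations)


class Scrypt:
    algorithm_id = "scrypt"

    def hash(self, password: bytes, salt: bytes) -> bytes:
        return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


# Registry of every algorithm the system can still verify, old and new.
REGISTRY = {h.algorithm_id: h for h in (Pbkdf2Sha256(), Scrypt())}
# The algorithm new records should use; changing this one line migrates the system.
CURRENT = "scrypt"


def encode(password: str, algorithm_id: str = None) -> str:
    # Stored format: $<algorithm>$<salt hex>$<digest hex>
    alg = REGISTRY[algorithm_id or CURRENT]
    salt = os.urandom(16)
    digest = alg.hash(password.encode(), salt)
    return f"${alg.algorithm_id}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    # Dispatch on the tag in the record, not on a hard-coded algorithm.
    _, alg_id, salt_hex, digest_hex = stored.split("$")
    alg = REGISTRY[alg_id]
    candidate = alg.hash(password.encode(), bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_upgrade(stored: str) -> bool:
    # True when the record was produced by an algorithm other than CURRENT,
    # signalling that it should be re-hashed after a successful login.
    return stored.split("$")[1] != CURRENT


def demo():
    legacy = encode("correct horse", "pbkdf2-sha256")  # record from before the switch
    fresh = encode("correct horse")                    # record written today
    return {
        "legacy_ok": verify("correct horse", legacy),
        "legacy_upgrade": needs_upgrade(legacy),
        "fresh_upgrade": needs_upgrade(fresh),
        "wrong": verify("nope", fresh),
    }


if __name__ == "__main__":
    print(demo())
```

The same structure applies to ciphers, signature schemes and key-exchange primitives: tag every stored artifact with the algorithm that produced it, keep deprecated algorithms registered for verification only, and make the default a single configuration value.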


Question 30. **Which of the following is an example of a “misuse case” in requirements engineering?**
A) A user logs in successfully with valid credentials.
B) An attacker attempts to submit a malicious payload to an upload endpoint.
C) The system encrypts data at rest using AES-256.
D) A developer writes unit tests for a new feature.
Answer: B
Explanation: Misuse cases describe how an adversary might exploit the system, helping identify security requirements.
---

Question 31. **Which of the following statements about “fuzz testing” is true?**
A) It only works on compiled binaries, not interpreted languages.
B) It provides deterministic results that guarantee finding all bugs.
C) It sends large volumes of random or semi-random data to interfaces to discover crashes.
D) It replaces the need for code reviews.
Answer: C
Explanation: Fuzz testing feeds unexpected inputs to provoke crashes, memory errors, or security flaws.
---


Question 34. **Which OWASP ASVS level focuses on “critical security controls” for high-risk applications?**
A. Level 1 – Basic
B. Level 2 – Standard
C. Level 3 – Advanced
D. Level 4 – Critical
Answer: C
Explanation: ASVS Level 3 targets applications that require stringent security controls due to high impact.
---

Question 35. **What is the primary purpose of a “security gate” in an Agile SDLC?**
A. To halt development until all user stories are completed.
B. To enforce a mandatory security review before moving to the next sprint or release.
C. To replace functional testing.
D. To ensure that only the security team can commit code.
Answer: B
Explanation: Security gates act as checkpoints where security criteria must be satisfied before progress.
---

Question 36. **Which of the following is a recommended practice for handling secrets in source control?**
A. Store them in a .env file and commit the file.
B. Encrypt the entire repository with a master password.
C. Use a .gitignore entry to exclude secret files and retrieve them from a secret manager at build time.
D. Write secrets in comments for easy reference.
Answer: C
Explanation: Excluding secret files from version control and injecting them securely at build time prevents accidental exposure.
---

Question 37. **When designing a system that must comply with GDPR’s “right to be forgotten”, which design decision is most appropriate?**
A. Store all user data indefinitely for audit purposes.
B. Encrypt user data with a key that can be destroyed to render the data unreadable.
C. Keep a single backup copy that is never deleted.
D. Use immutable logs that cannot be altered.
Answer: B
Explanation: Destroying the encryption key effectively makes the data unrecoverable, satisfying deletion requests while preserving logs.
---

Question 38. **Which of the following is an example of “defense in depth” at the network layer?**
A. Using only a host-based firewall.


C. Storing keys in plaintext for easy access.
D. Using the same key for all environments.
Answer: B
Explanation: Key rotation replaces old keys with new ones and re-encrypts data to limit exposure if a key is compromised.
---

Question 41. **In the context of secure software supply chain, what does “artifact provenance” refer to?**
A. The size of the binary file.
B. The origin, build process, and authenticity of a software component.
C. The programming language used to create the artifact.
D. The number of downloads the artifact has.
Answer: B
Explanation: Provenance tracks where an artifact came from, how it was built, and verifies its integrity.
---

Question 42. **Which of the following is a common indicator that a web application suffers from insecure deserialization?**
A. The application returns HTTP 404 for unknown URLs.
B. The server logs show “ObjectInputStream” errors after sending crafted data.
C. The UI displays a broken image link.
D. The database connection times out.
Answer: B
Explanation: Errors related to object deserialization when processing malicious payloads suggest insecure deserialization.
---

Question 43. **Which of the following is NOT a typical characteristic of a well-written security requirement?**
A. Testable and measurable.
B. Ambiguous and open to interpretation.
C. Unambiguous and complete.
D. Aligned with business risk.
Answer: B
Explanation: Security requirements should be clear; ambiguity undermines verification.
---

Question 44. **When using a Content Delivery Network (CDN) to improve availability, which security consideration must still be addressed?**
A. The CDN automatically provides authentication.
B. Sensitive data must still be encrypted in transit and at rest.
C. CDN eliminates the need for input validation.
D. The CDN replaces the need for a firewall.
Answer: B
Explanation: While CDNs improve availability, data confidentiality and integrity must still be protected.