The PrepIQ MASE Certified Application Security Engineer Ultimate Exam prepares professionals to identify and mitigate application security risks throughout the software development lifecycle. Coverage includes secure coding principles, vulnerability assessment, OWASP methodologies, and application defense strategies.
Typology: Exams
Question 1. Which SDLC model explicitly incorporates security activities at each phase rather than treating security as an afterthought?
A) Waterfall
B) V-Model
C) Microsoft Security Development Lifecycle (SDL)
D) Spiral
Answer: C
Explanation: Microsoft SDL embeds security tasks, such as threat modeling, secure coding, and security testing, into every phase of development, unlike traditional models that add security only at the end.

Question 2. In the STRIDE threat modeling methodology, which category best describes an attacker exploiting a missing authorization check that allows a user to access another user’s account data?
A) Spoofing
B) Tampering
C) Repudiation
D) Elevation of Privilege
Answer: D
Explanation: Elevation of Privilege (EoP) occurs when an attacker gains capabilities the design did not grant; reaching another user’s data through a missing authorization check is the horizontal form of it. (The leaked data itself is also Information Disclosure, a STRIDE category not offered among the options.)

Question 3. When gathering security requirements, an “abuse case” differs from a normal use case primarily because it:
A) Describes how a legitimate user interacts with the system.
B) Focuses on system performance under load.
C) Illustrates malicious or unintended interactions with the system.
D) Details UI layout and navigation.
Answer: C
Explanation: Abuse cases model attacker behaviors and misuse scenarios, helping to derive security controls that mitigate those threats.
Question 4. Which architectural pattern most naturally limits the blast radius of a compromised component by isolating its runtime environment?
A) Monolithic architecture
B) Microservices architecture
C) Service-Oriented Architecture (SOA)
D) Client-Server architecture
Answer: B
Explanation: Microservices run in separate processes or containers, so a breach in one service is less likely to affect others. The reduced blast radius only holds if the services are also isolated at the network and identity level; services that share one database and one set of credentials are isolated in name only.

Question 5. In OWASP SAMM, the “Governance” function primarily addresses which of the following?
A) Automated code scanning
B) Secure coding standards
C) Risk management and policy enforcement
D) Penetration testing execution
Answer: C
Explanation: Governance in SAMM covers risk assessment, policy creation, and ensuring security objectives align with business goals.

Question 6. Which of the following is the most effective mitigation against SQL Injection?
A) Escaping user input using string concatenation
B) Using prepared statements with parameterized queries
C) Filtering input with a blacklist of keywords
D) Storing user input in encrypted form
Answer: B
Explanation: Parameterized queries keep SQL code and data separate: the statement text is fixed and the value is bound at execution time, so it is compared as data and never parsed as SQL, whatever characters it contains. Escaping (option A) depends on getting every context right (quoted strings, numeric literals, identifiers) and fails as soon as one is missed.
Question 10. In a horizontally scaled environment, which design pattern helps prevent privilege escalation by ensuring each service only has the minimum permissions it needs?
A) Singleton pattern
B) Least-privilege principle applied through scoped API tokens
C) Factory pattern
D) Observer pattern
Answer: B
Explanation: Assigning scoped, least-privilege tokens to each service limits the impact of a compromised component and prevents escalation.

Question 11. Which XSS variant is most likely to be triggered when malicious JavaScript is stored in a database and later rendered in a page without proper encoding?
A) Reflected XSS
B) Stored XSS
C) DOM-based XSS
D) Mutated XSS
Answer: B
Explanation: Stored XSS occurs when malicious payloads are persisted (e.g., in a DB) and served to other users without proper output encoding.

Question 12. To mitigate Reflected XSS, a developer should:
A) Encode user-supplied data based on the context in which it is inserted (HTML, attribute, JavaScript, URL).
B) Block all request parameters that contain the string “script”.
C) Store all inputs in a server-side cache.
D) Use a Content Security Policy that disables all scripts.
Answer: A
Explanation: Context-aware output encoding neutralizes malicious characters according to where the data appears, effectively preventing reflected XSS.
Question 13. Which of the following best describes DOM-based XSS?
A) The payload is injected via an HTTP request and reflected in the server response.
B) The payload is stored in a server-side database and later displayed.
C) The malicious script is executed as a result of client-side JavaScript manipulating the DOM with untrusted data.
D) The attack exploits a misconfigured web server directory.
Answer: C
Explanation: DOM-based XSS originates entirely on the client side: JavaScript reads untrusted data (e.g., location.hash) and writes it into the DOM through a dangerous sink such as innerHTML without encoding it. The payload may never reach the server, so server-side filtering cannot catch it.

Question 14. Which OWASP recommendation is most appropriate for preventing XSS in a Java web application that uses JSP?
A) Use the JSTL <c:out> tag for all dynamic content.
B) Disable JavaScript in the browser.
C) Encode all request parameters before processing them.
D) Turn off HTTP GET requests.
Answer: A
Explanation: <c:out> HTML-escapes its value by default (escapeXml="true"), so dynamic content is rendered as text rather than interpreted as markup, reducing XSS risk in JSP pages.

Question 15. Insecure deserialization attacks often lead to which of the following outcomes?
A) Bypass of input validation only
B) Remote Code Execution (RCE)
C) Increased network latency
D) Loss of session cookies only
Answer: B
Explanation: Deserializing untrusted data can invoke object constructors or methods that lead to RCE, especially when gadget chains are present.
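Context-aware output encoding from Questions 12 through 14, as an added example rather than code from the original exam. It is written in Python with only standard-library calls (html.escape, json.dumps, urllib.parse.quote); the page template and the payload are constructed for the demo. Each insertion point gets the encoder for its own context, which is the point Question 12 makes: one encoder applied everywhere is not enough, because a value that is safe as HTML text can still break out of a JavaScript string or a URL.

```python
import html
import json
from urllib.parse import quote


def encode_html_text(value: str) -> str:
    # HTML body context: & < > " ' become entities, so the browser shows text, not tags.
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    # Quoted attribute context: same entity set; the template MUST quote the attribute,
    # otherwise a space in the value starts a new attribute (e.g. onmouseover=...).
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    # JavaScript string-literal context: emit a JSON string literal, then also escape
    # < and > so a "</script>" inside the value cannot terminate the script block.
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_url_component(value: str) -> str:
    # URL query-parameter context: percent-encode everything outside the unreserved set.
    return quote(value, safe="")


def render_profile(display_name: str, search_term: str) -> str:
    # Constructed template: four contexts, four encoders.
    return (
        f"<p>Hello, {encode_html_text(display_name)}</p>\n"
        f'<input value="{encode_html_attr(display_name)}">\n'
        f"<script>var name = {encode_js_string(display_name)};</script>\n"
        f'<a href="/search?q={encode_url_component(search_term)}">search</a>'
    )


PAYLOAD = '"><script>alert(1)</script>'  # constructed break-out attempt

if __name__ == "__main__":
    print(render_profile(PAYLOAD, "a b&c=d"))
```

In the rendered output the payload survives only as inert text in every context: entities in the HTML body and attribute, `\u003c`/`\u003e` escapes inside the JavaScript literal (which decode back to the original string when the script runs, so the data is preserved), and percent-encoding in the URL. For DOM-based XSS (Question 13) the same principle applies on the client: write untrusted data with `textContent` or `setAttribute`, not `innerHTML`.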
Question 19. When performing input validation, “allow-list” (or whitelist) validation is preferred over “deny-list” because:
A) It is easier to implement.
B) It blocks all possible inputs.
C) It specifies exactly what is permitted, reducing the chance of missing a malicious pattern.
D) It requires less processing power.
Answer: C
Explanation: Allow-listing defines acceptable inputs, making it more secure than deny-listing, which attempts to block known bad patterns but may miss new ones.

Question 20. Which regular expression pattern is safe for validating an email address according to RFC 5322?
A) .*
B) [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}
C) .+@.+\..+
D) [\w\W]*
Answer: B
Explanation: Option B is a commonly accepted pragmatic subset of RFC 5322: it accepts typical addresses and rejects obviously malformed ones, while the other options accept almost anything. No short regex implements RFC 5322 in full (quoted local parts, comments, and IP-literal domains are all legal), so treat the pattern as a format check only, anchor it to the whole input (fullmatch, or ^ and $) so trailing garbage is rejected, and confirm ownership by sending a message to the address.

Question 21. In cryptographic hashing, why is Argon2 considered superior to MD5 for password storage?
A) Argon2 is faster than MD5.
B) Argon2 provides memory-hard computation, making brute-force attacks more expensive.
C) Argon2 produces shorter hashes.
D) Argon2 is a symmetric encryption algorithm.
Answer: B
Explanation: Argon2’s memory-hard design forces attackers to allocate significant RAM per guess, which defeats the GPU and ASIC parallelism that makes cracking fast hashes like MD5 cheap; combined with a per-password salt and a tunable cost, it greatly increases the cost of cracking stored passwords.
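The password-storage pattern behind Question 21, as an added example that is not from the original exam. Argon2 itself is not in Python's standard library (it needs a package such as argon2-cffi), so this block uses hashlib.scrypt, which is also memory-hard and shows the same three properties the question is about: a random per-password salt, a tunable cost that forces memory use per guess, and a constant-time verify. The cost parameters are assumptions for the demo; the record format (algorithm and parameters stored alongside the salt and digest) is a common convention, not something the page prescribes.

```python
import hashlib
import hmac
import os

# Cost parameters are an assumption for the demo: N = CPU/memory cost (power of two),
# r = block size, p = parallelism. Memory per guess is about 128*N*r bytes (16 MiB here).
# Tune so one hash takes roughly 100 ms on the login servers, and raise N over time.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAXMEM = 64 * 1024 * 1024  # upper bound OpenSSL may allocate for a single call


def hash_password(password: str) -> str:
    # A fresh random salt per password: equal passwords get different records,
    # and precomputed (rainbow) tables are useless.
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=32)
    # Self-describing record so the parameters can be raised later and old
    # records re-hashed at next login, without a flag day.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), maxmem=MAXMEM, dklen=32)
    # Constant-time comparison: the check leaks nothing about how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def md5_unsalted(password: str) -> str:
    # What the question warns against: fast, unsalted, and identical for identical
    # passwords, so one cracked hash cracks every account that shares it.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
```

Two calls to `hash_password` with the same input produce different records because of the salt, while `md5_unsalted` produces the same digest every time, which is exactly what a rainbow table exploits. With argon2-cffi the shape is the same (`PasswordHasher().hash()` and `.verify()`), with the memory cost set explicitly instead of derived from N and r.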
Question 22. Which of the following is a security flaw when developers hard-code cryptographic keys in source code?
A) Increased CPU usage
B) Violation of the principle of least privilege
C) Exposure of secrets through version control or binaries, enabling attackers to decrypt data.
D) Reduced entropy of random numbers.
Answer: C
Explanation: Hard-coded keys can be extracted from repositories or compiled artifacts, giving attackers direct access to encrypted data; they also cannot be rotated without shipping a new build.

Question 23. Which of the following key management practices aligns with the concept of “key rotation”?
A) Storing keys in plain text files.
B) Changing encryption keys at regular intervals and re-encrypting existing data.
C) Using the same key for all environments.
D) Embedding keys in environment variables without encryption.
Answer: B
Explanation: Regular key rotation limits the amount of data exposed if a key is compromised and requires re-encryption with the new key.

Question 24. A session token is sent via a cookie with the HttpOnly flag set. Which attack vector does this primarily mitigate?
A) Cross-Site Request Forgery (CSRF)
B) Session fixation
C) Client-side script theft of the cookie (e.g., XSS)
D) Man-in-the-middle (MITM) attacks
Answer: C
Explanation: HttpOnly prevents JavaScript from reading the cookie, reducing the risk of token theft via XSS. It does not stop CSRF (the browser still sends the cookie) or MITM; the SameSite and Secure attributes address those respectively.
Question 28. Which logging best practice helps ensure tamper-evidence for security events?
A) Storing logs in plain text on the same server as the application.
B) Rotating logs daily without integrity checks.
C) Forwarding logs to a write-once, append-only storage with cryptographic signing.
D) Deleting logs after 24 hours.
Answer: C
Explanation: Immutable, signed logs provide a reliable audit trail that cannot be altered without detection.

Question 29. In the context of SAST, which of the following is a limitation compared to DAST?
A) It can detect runtime configuration errors.
B) It can analyze compiled binaries only.
C) It cannot see vulnerabilities that arise from the interaction of components at runtime.
D) It requires a live server to operate.
Answer: C
Explanation: SAST examines source or bytecode statically, missing issues that only manifest when the application runs and components interact.

Question 30. Which of the following statements about DAST tools is true?
A) They require source code access.
B) They can discover authentication bypasses by interacting with the running application.
C) They can detect insecure cryptographic primitives in compiled libraries.
D) They replace the need for unit testing.
Answer: B
Explanation: DAST probes the live application, allowing it to find runtime issues such as authentication flaws and injection points.
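A minimal tamper-evident log, illustrating the "append-only with cryptographic integrity" idea in Question 28. This is an added example, not code from the original exam: each entry carries an HMAC over its sequence number, the previous entry's MAC, and its own body, so editing, reordering, or deleting an earlier entry invalidates everything after it. The key, the sample events, and the record layout are constructed for the demo.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed anchor value for the first entry

# Assumption for the demo. In practice the MAC key (or, better, a signing key
# pair) lives with the log collector or an HSM, never on the host that writes
# entries, otherwise a compromised writer can simply re-sign its forgery.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def append_entry(chain: list, key: bytes, event: dict) -> dict:
    # The MAC covers seq | previous MAC | body, chaining every entry to its predecessor.
    prev = chain[-1]["mac"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, f"{len(chain)}|{prev}|{body}".encode(), hashlib.sha256).hexdigest()
    entry = {"seq": len(chain), "event": body, "prev": prev, "mac": mac}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, f"{i}|{prev}|{entry['event']}".encode(),
                            hashlib.sha256).hexdigest()
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["mac"])):
            return i
        prev = entry["mac"]
    return -1


# Constructed sample security events (not from the original page).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-05-01T10:00:07Z", "user": "bob", "action": "login", "result": "failure"},
    {"ts": "2024-05-01T10:01:30Z", "user": "bob", "action": "sudo", "result": "denied"},
]


def build_demo_chain(key: bytes = DEMO_KEY) -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, key, event)
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print(verify_chain(chain, DEMO_KEY))   # -1: intact
    chain[1]["event"] = chain[1]["event"].replace("failure", "success")
    print(verify_chain(chain, DEMO_KEY))   # 1: first entry that no longer verifies
```

Two caveats a practitioner should keep in mind. First, a chain alone does not detect truncation from the tail (dropping the newest entries leaves a valid shorter chain), so the collector should periodically forward the latest MAC or entry count to an independent store. Second, an HMAC lets anyone holding the key forge entries; the digital signing mentioned in option C (an asymmetric key held only by the collector) lets auditors verify without being able to forge.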
Question 31. An IAST solution provides benefits over pure SAST and DAST because it:
A) Runs only during compilation.
B) Instruments the application at runtime, delivering precise vulnerability locations with source context.
C) Requires no instrumentation of the application.
D) Generates only false positives.
Answer: B
Explanation: IAST runs an agent inside the application while functional or DAST tests exercise it, so it observes the actual data flow from request to sink and reports findings tied to the responsible code location, with fewer false positives than static analysis and more code context than black-box testing.

Question 32. Fuzz testing is most effective at uncovering which class of vulnerabilities?
A) Business logic errors
B) Memory corruption, crashes, and unhandled exceptions caused by unexpected input
C) Incorrect HTTP status codes
D) Poor UI layout
Answer: B
Explanation: Fuzzers supply random, malformed inputs to provoke crashes, buffer overflows, and other low-level faults.

Question 33. Which of the following is a recommended configuration for a Dockerfile to reduce attack surface?
A) Use the latest tag for the base image.
B) Run the container as root.
C) Install only required packages and set a non-root user with USER.
D) Expose all ports by default.
Answer: C
Explanation: Installing minimal packages and dropping privileges to a non-root user limits what an attacker can do if the container is compromised. Pinning the base image to a specific version (or digest) rather than latest keeps builds reproducible and lets you know exactly what you are patching.
Question 37. Which of the following is the most secure way to store secrets used by a CI/CD pipeline?
A) Hard-code them in the pipeline script.
B) Store them in a version-controlled .env file.
C) Use a dedicated secret management service (e.g., HashiCorp Vault, AWS Secrets Manager) with restricted access.
D) Place them in plain text on the build server’s filesystem.
Answer: C
Explanation: Dedicated secret managers provide encryption, audit logging, and fine-grained access control, protecting secrets from exposure.

Question 38. When integrating static analysis into a pull-request workflow, which strategy reduces developer fatigue while maintaining security?
A) Fail the PR on every low-severity finding.
B) Categorize findings by severity and only block the merge on high-severity or “critical” issues.
C) Disable all warnings to speed up the pipeline.
D) Require manual code review for every line of code.
Answer: B
Explanation: Prioritizing high-severity findings prevents noise, allowing developers to focus on critical defects without constant interruptions.

Question 39. Which of the following is a characteristic of a “zero-trust” approach to API security in microservice environments?
A) Implicit trust for all services within the same network zone.
B) Mutual TLS (mTLS) authentication and fine-grained authorization for every request.
C) Relying solely on network firewalls.
D) Allowing any service to call any other service without verification.
Answer: B
Explanation: Zero-trust assumes no implicit trust; each request is authenticated and authorized, often using mTLS and token-based policies.
Question 40. In the context of GDPR, a “data-processing agreement” (DPA) is required between:
A) The data subject and the data controller.
B) The data controller and the data processor.
C) The data processor and the end-user.
D) The application developer and the hosting provider.
Answer: B
Explanation: GDPR mandates a DPA to define responsibilities and safeguards when a controller outsources processing to a processor.

Question 41. Which of the following PCI-DSS requirements directly influences how you store cryptographic keys?
A) Requirement 3 – Protect stored cardholder data.
B) Requirement 1 – Install and maintain a firewall.
C) Requirement 6 – Develop and maintain secure systems and applications.
D) Requirement 8 – Identify and authenticate access to system components.
Answer: A
Explanation: Requirement 3 covers the protection of stored cardholder data, including management of the keys that protect it: restricting access to the fewest custodians necessary, storing keys securely (e.g., encrypted under a key-encrypting key or in an HSM), and rotating them.

Question 42. Which of the following is an example of a “security-by-design” principle?
A) Adding a security audit after the product launch.
B) Conducting threat modeling early in the architecture phase.
C) Deferring encryption implementation until a breach occurs.
D) Relying on user education alone.
Answer: B
Explanation: Early threat modeling embeds security considerations into the design, embodying security-by-design.
Question 46. Which of the following is a secure way to implement password reset functionality?
A) Send the user’s current password via email.
B) Generate a one-time token, store it hashed, and require the user to provide the token within a short expiration window.
C) Use a predictable reset URL that includes the username.
D) Allow any user to reset any other user’s password without verification.
Answer: B
Explanation: A high-entropy token is unguessable, storing only its hash means a database leak does not yield usable reset links, and single use plus a short lifetime limits the window for token theft and replay.

Question 47. Which of the following is an example of a “business logic” vulnerability?
A) SQL injection in a search field.
B) Allowing a user to apply a discount coupon multiple times despite a “single-use” rule.
C) Missing X-Content-Type-Options header.
D) Using weak TLS cipher suites.
Answer: B
Explanation: Business logic flaws arise from improper enforcement of functional rules, such as reusing a single-use coupon.

Question 48. In the context of “secure defaults”, which of the following settings is recommended for a newly provisioned database?
A) Allow remote root login.
B) Enable trust authentication for all users.
C) Disable default accounts and enforce strong password policies.
D) Open all ports to the internet.
Answer: C
Explanation: Disabling default accounts and enforcing strong passwords reduces the attack surface from the outset.
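Option B of Question 46 carried through in code, as an added example that is not part of the original exam. The in-memory store, the 15-minute lifetime, and the user identifiers are constructed for the demo; a real deployment keeps the same records in the database and sends the clear token only inside the e-mailed link. The store also supersedes any earlier token for the same user, a detail the question does not mention but one that practitioners usually want.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 15 * 60  # assumption for the demo: a short reset window


def _fingerprint(token: str) -> str:
    # Only the hash is stored: a database leak does not hand out usable reset links.
    # The token has 256 bits of entropy, so a plain (unsalted) hash is sufficient here.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Constructed in-memory store; a real deployment keeps this in the database."""

    def __init__(self) -> None:
        self._pending = {}  # token fingerprint -> (user_id, expires_at)

    def issue(self, user_id: str, now: float) -> str:
        # A new request supersedes any earlier, still-pending token for this user.
        self._pending = {fp: rec for fp, rec in self._pending.items() if rec[0] != user_id}
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe, unguessable
        self._pending[_fingerprint(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token  # goes into the e-mailed link only; the clear token is never stored

    def redeem(self, token: str, now: float):
        """Return the user_id if the token is valid, otherwise None.
        A matching token is removed on first presentation, even if it turns out
        to be expired, so every token works at most once."""
        record = self._pending.pop(_fingerprint(token), None)
        if record is None:
            return None
        user_id, expires_at = record
        if now > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice", now=1000.0)
    print(store.redeem(token, now=1001.0))  # alice
    print(store.redeem(token, now=1002.0))  # None: already used
```

After a successful `redeem`, the application should require the new password in the same flow, invalidate all existing sessions for that user, and notify the account's e-mail address; the token itself must never be logged (reset URLs land in web-server logs and browser history unless the token is moved out of the query string as soon as the page loads).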
Question 49. Which of the following is the most appropriate response when a new critical vulnerability is disclosed in a third-party library used by your application?
A) Wait for the next major release to apply the fix.
B) Immediately patch the library, test, and deploy the update via the CI/CD pipeline.
C) Ignore the vulnerability if no exploit is known.
D) Remove the library entirely without replacement.
Answer: B
Explanation: Prompt patching, followed by testing and automated deployment, limits exposure to known exploits.

Question 50. Which of the following best describes “runtime application self-protection” (RASP)?
A) Static code analysis performed during compilation.
B) Instrumentation that monitors and blocks attacks while the application runs.
C) Network firewall rules applied to the host.
D) Manual code review by security analysts.
Answer: B
Explanation: RASP embeds protective logic inside the app, detecting and blocking malicious behavior at runtime.

Question 51. Which OWASP Top 10 category does “Improper Input Validation leading to XML External Entity (XXE) attacks” belong to?
A) A01 – Broken Access Control
B) A02 – Cryptographic Failures
C) A04 – Insecure Design
D) A05 – Security Misconfiguration
Answer: D
Explanation: XXE is typically a result of insecure configuration of XML parsers (external entity resolution left enabled), so the 2021 OWASP Top 10 folds it into the Security Misconfiguration category.
Explanation: “Fail-secure” means that on failure, the application defaults to a safe, restrictive posture rather than exposing data.

Question 55. Which of the following is a primary advantage of using “immutable infrastructure” in a DevSecOps pipeline?
A) Allows on-the-fly patching of running servers.
B) Guarantees that every environment is built from the same vetted artifact, reducing configuration drift and hidden vulnerabilities.
C) Eliminates the need for version control.
D) Enables developers to edit production servers directly.
Answer: B
Explanation: Immutable infrastructure ensures consistency and repeatability, making it easier to enforce security baselines.

Question 56. Which of the following is the most effective way to protect against CSRF attacks for state-changing POST requests?
A) Use the SameSite=Strict cookie attribute only.
B) Require a unique, unpredictable CSRF token in the request body or header and validate it server-side.
C) Rely on HTTP Basic Authentication.
D) Disable JavaScript in the browser.
Answer: B
Explanation: CSRF tokens tie the request to the user’s session and cannot be forged by a third-party site, providing robust protection; SameSite cookies are a valuable second layer but depend on browser support and do not cover every request path on their own.

Question 57. A developer uses eval() on user-supplied JSON data in a Node.js application. Which vulnerability is most likely introduced?
A) SQL Injection
B) Server-Side Request Forgery (SSRF)
C) Remote Code Execution (RCE)
D) Information Disclosure
Answer: C
Explanation: eval() executes whatever string it is given as code. Because a JSON document is also a valid JavaScript expression, eval() appears to work as a parser during development, but an attacker can send arbitrary JavaScript instead of JSON and it runs with the application’s privileges; JSON.parse() only builds data and rejects anything else.

Question 58. Which of the following is a recommended practice when using third-party APIs that require API keys?
A) Embed the API key directly in JavaScript served to browsers.
B) Store the API key in an environment variable on the server and never expose it to the client.
C) Include the API key in the URL query string of public requests.
D) Write the API key in a publicly accessible README file.
Answer: B
Explanation: Keeping API keys on the server side prevents them from being harvested by attackers through client-side inspection.

Question 59. Which of the following is a security benefit of using Content Security Policy (CSP) with a strict script-src directive?
A) It disables all network traffic.
B) It prevents the browser from loading any external JavaScript, mitigating XSS.
C) It encrypts all HTTP responses.
D) It forces all users to use HTTPS.
Answer: B
Explanation: A restrictive script-src CSP limits where scripts can be loaded from (and, without 'unsafe-inline', blocks injected inline scripts), reducing the chance that malicious scripts execute.

Question 60. In a CI pipeline, which stage is the most appropriate place to run a Software Composition Analysis (SCA) scan?
A) After deployment to production.
B) During the build step, before compiling the code.
C) During the unit testing phase.
D) After the code is merged to the main branch but before packaging.
Answer: D
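The flaw in Question 57, demonstrated as an added example that is not from the original exam. The question concerns Node.js, where the fix is JSON.parse(); the same bug is reproduced here in Python (eval() versus json.loads()) so that it runs with the standard library alone. The request bodies are constructed, and the "attack" body is a deliberately harmless expression that merely proves the input is executed rather than parsed.

```python
import json


def parse_order_vulnerable(body: str):
    # VULNERABLE: eval() hands the request body to the interpreter as code.
    # JSON looks enough like a Python (or JavaScript) literal that this "works"
    # on every well-formed request, which is why the bug survives testing.
    return eval(body)


def parse_order_safe(body: str):
    """Return (True, data) for well-formed JSON, (False, None) otherwise.
    json.loads() only ever builds data; it has no path that calls into the runtime."""
    try:
        return True, json.loads(body)
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False, None


LEGIT_BODY = '{"item": "book", "qty": 2}'  # constructed normal request
# Constructed stand-in for a real payload: harmless, but it is not JSON and it
# executes, so an attacker's body would too (os.system(...), subprocess, etc.).
ATTACK_BODY = '__import__("os").getcwd()'

if __name__ == "__main__":
    print(parse_order_vulnerable(LEGIT_BODY))   # {'item': 'book', 'qty': 2}
    print(parse_order_vulnerable(ATTACK_BODY))  # the server's working directory: code ran
    print(parse_order_safe(ATTACK_BODY))        # (False, None): rejected as non-JSON
```

Both functions accept the legitimate body, which is the trap; only the malformed body separates them. The Node.js equivalents are `eval(body)` (or `new Function(body)`, which is no better) and `JSON.parse(body)`.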