Secure Application Developer Exam Questions and Answers, Exams of Technology

A set of questions and answers related to secure application development. It covers topics such as fail-safe principles, the principle of least privilege, defense in depth, microservices architecture, threat modeling, secure authentication, attribute-based access control, cookie security, data encryption, and common security vulnerabilities like SQL injection and cross-site scripting. The questions are designed to test knowledge of secure coding practices and security measures in application development, making it a useful resource for students and professionals in the field.

Typology: Exams

2024/2025

Available from 10/13/2025

anil-kumar-jain-1
Secure Application Developer Exam
1. Which principle advocates for designing applications to default to a secure state upon encountering
errors or failures?
A) Defense in Depth
B) Fail Securely
C) Principle of Least Privilege
D) Separation of Duties
Answer: B) Fail Securely
Explanation: Fail Securely is the principle that ensures applications revert to a secure state when an
error occurs, preventing vulnerabilities from being exposed during failures.
---
2. What does the Principle of Least Privilege (PoLP) primarily aim to achieve?
A) Maximize user permissions for flexibility
B) Limit access rights for users and processes to only what is necessary

C) Allow all users to access all resources by default
D) Remove all access controls to simplify security
Answer: B) Limit access rights for users and processes to only what is necessary
Explanation: PoLP minimizes potential attack vectors by restricting permissions to only what is essential for each user or process, reducing the risk of misuse or exploitation.
---


Which security pattern involves understanding layered security controls and implementing compensating controls?
A) Defense in Depth
B) Zero Trust Architecture
C) Separation of Duties
D) Attack Surface Reduction
Answer: A) Defense in Depth
---

A) Use unencrypted HTTP for faster communication
B) Implement mutual TLS (mTLS) to authenticate and encrypt traffic
C) Avoid authentication to reduce complexity
D) Share secret keys openly between services
Answer: B) Implement mutual TLS (mTLS) to authenticate and encrypt traffic
Explanation: mTLS provides mutual authentication and encryption, ensuring secure communication between services and preventing eavesdropping or impersonation.
---


Which threat modeling methodology aims to identify threats such as Spoofing, Tampering, and Information Disclosure?
A) DREAD
B) STRIDE
C) CVSS
D) PASTA
Answer: B) STRIDE
Explanation: STRIDE is a widely used threat modeling methodology that categorizes threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
---


In secure authentication, which protocol is commonly used for implementing federated identity management?
A) SAML
B) LDAP
C) SSH
D) FTP
Answer: A) SAML
---

A) To improve website load times
B) To enhance session security and prevent attacks like CSRF and session hijacking
C) To enable cross-origin resource sharing (CORS)
D) To allow cookies to be accessible via JavaScript
Answer: B) To enhance session security and prevent attacks like CSRF and session hijacking
Explanation: These cookie attributes help protect against cross-site scripting (XSS), cross-site request forgery (CSRF), and session hijacking by restricting cookie access and transmission.
---


Which cryptographic method is typically used for encrypting data at rest in storage systems?
A) RSA
B) AES
C) Diffie-Hellman
D) MD
Answer: B) AES
Explanation: AES (Advanced Encryption Standard) is commonly used for symmetric encryption of data at rest due to its efficiency and security.
---


Which protocol version is recommended to ensure strong security when configuring TLS for data in transit?
A) TLS 1.
B) TLS 1.
C) TLS 1.2 or higher
D) SSL 3.
Answer: C) TLS 1.2 or higher
Explanation: TLS 1.2 and above are considered secure, with TLS 1.3 providing even stronger security features; older versions like TLS 1.0 and SSL 3.0 are deprecated.
---

A) Encryption
B) Masking
C) Tokenization
D) Hashing
Answer: C) Tokenization
Explanation: Tokenization substitutes sensitive data with non-sensitive tokens, reducing risk while maintaining data relationships.
---


Under GDPR, what is a primary developer responsibility regarding user data?
A) Ignoring user consent
B) Implementing privacy by design and obtaining explicit user consent
C) Sharing data freely with third parties without restrictions
D) Storing user data without encryption
Answer: B) Implementing privacy by design and obtaining explicit user consent
Explanation: GDPR emphasizes privacy by design, requiring developers to incorporate data protection measures and obtain clear user consent for data processing.
---


Which common security vulnerability involves manipulating URL parameters to access or modify objects without proper authorization?
A) SQL Injection
B) Cross-Site Scripting (XSS)
C) Insecure Direct Object Reference (IDOR)
D) Cross-Site Request Forgery (CSRF)
Answer: C) Insecure Direct Object Reference (IDOR)
Explanation: IDOR occurs when applications expose references to internal objects, allowing attackers to access or modify resources without proper authorization.
---

B) Stored XSS
C) DOM-based XSS
D) Cross-site scripting
Answer: B) Stored XSS
Explanation: Stored XSS involves persistent storage of malicious scripts, which execute when users access affected pages.
---


How can developers prevent XML External Entities (XXE) attacks?
A) Enable DTD processing in XML parsers
B) Disable DTD processing and external entity resolution features
C) Use server-side JavaScript
D) Encrypt XML data before parsing
Answer: B) Disable DTD processing and external entity resolution features
Explanation: Disabling DTD processing prevents malicious external entities from being loaded during XML parsing.
---


Which security testing technique analyzes source code for vulnerabilities before deployment?
A) DAST
B) SAST
C) Penetration Testing
D) Vulnerability Scanning
Answer: B) SAST
Explanation: Static Application Security Testing (SAST) examines source code for security flaws early in development.
---

D) Penetration testing
Answer: B) DAST
Explanation: Dynamic Application Security Testing (DAST) assesses a live application to find vulnerabilities during runtime.
---


What is a common method for securely managing secrets like API keys in CI/CD pipelines?
A) Hardcoding secrets into source code
B) Using environment variables or secret management tools like Vault or KMS
C) Embedding secrets directly into Docker images
D) Storing secrets in public repositories
Answer: B) Using environment variables or secret management tools like Vault or KMS
Explanation: Secure secret management involves using dedicated tools or environment variables that are protected from exposure.
---

Which container security best practice involves running containers with the least privileges necessary?
A) Running containers as root
B) Using minimal base images and non-root user accounts
C) Mounting host file systems inside containers
D) Disabling container security features
Answer: B) Using minimal base images and non-root user accounts
Explanation: Running containers with least privileges reduces the attack surface and limits potential damage.
---

Which security measure involves monitoring and logging security events to detect unauthorized activity?
---
Answer: B) Immediate patching and disclosure to stakeholders
Explanation: Prompt patching reduces risk, and responsible disclosure ensures transparency and mitigation.
---

Which pattern emphasizes minimizing the attack surface by reducing exposed code, services, and ports?
A) Defense in Depth
B) Attack Surface Reduction
C) Zero Trust Architecture
D) Separation of Duties
Answer: B) Attack Surface Reduction
Explanation: Attack Surface Reduction focuses on minimizing the parts of the system exposed to untrusted input, decreasing potential attack vectors.
---

What is a primary consideration when designing for Zero Trust Architecture?
A) Default trust in internal network components
B) Never trust, always verify, and micro-segmentation of network resources
C) Allowing broad access within the network perimeter
D) Using perimeter security alone
Answer: B) Never trust, always verify, and micro-segmentation of network resources
Explanation: Zero Trust assumes no implicit trust and enforces strict identity verification and segmentation at all levels.
---


Which architectural pattern involves deploying applications in stateless functions that scale automatically and are billed based on usage?
A) Monolithic architecture
B) Microservices architecture
C) Serverless architecture
D) Client-server architecture
Answer: C) Serverless architecture
Explanation: Serverless architecture involves deploying functions that run on demand, offering scalability and cost benefits without managing servers.