Secure Application Developer Exam
- Which principle advocates for designing applications to default to a secure state upon encountering errors or failures?
  A) Defense in Depth
  B) Fail Securely
  C) Principle of Least Privilege
  D) Separation of Duties
  Answer: B) Fail Securely
  Explanation: Fail Securely is the principle that ensures applications revert to a secure state when an error occurs, preventing vulnerabilities from being exposed during failures.
- What does the Principle of Least Privilege (PoLP) primarily aim to achieve?
  A) Maximize user permissions for flexibility
  B) Limit access rights for users and processes to only what is necessary
  C) Allow all users to access all resources by default
  D) Remove all access controls to simplify security
  Answer: B) Limit access rights for users and processes to only what is necessary
  Explanation: PoLP minimizes potential attack vectors by restricting permissions to only what is essential for each user or process, reducing the risk of misuse or exploitation.
- Which security pattern involves understanding layered security controls and implementing compensating controls?
  A) Defense in Depth
  B) Zero Trust Architecture
  C) Separation of Duties
  D) Attack Surface Reduction
  Answer: A) Defense in Depth
- A) Use unencrypted HTTP for faster communication
  B) Implement mutual TLS (mTLS) to authenticate and encrypt traffic
  C) Avoid authentication to reduce complexity
  D) Share secret keys openly between services
  Answer: B) Implement mutual TLS (mTLS) to authenticate and encrypt traffic
  Explanation: mTLS provides mutual authentication and encryption, ensuring secure communication between services and preventing eavesdropping or impersonation.
- Which threat modeling methodology aims to identify threats such as Spoofing, Tampering, and Information Disclosure?
  A) DREAD
  B) STRIDE
  C) CVSS
  D) PASTA
  Answer: B) STRIDE
  Explanation: STRIDE is a widely used threat modeling methodology that categorizes threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
- In secure authentication, which protocol is commonly used for implementing federated identity management?
  A) SAML
  B) LDAP
  C) SSH
  D) FTP
  Answer: A) SAML
- A) To improve website load times
  B) To enhance session security and prevent attacks like CSRF and session hijacking
  C) To enable cross-origin resource sharing (CORS)
  D) To allow cookies to be accessible via JavaScript
  Answer: B) To enhance session security and prevent attacks like CSRF and session hijacking
  Explanation: These cookie attributes help protect against cross-site scripting (XSS), cross-site request forgery (CSRF), and session hijacking by restricting cookie access and transmission.
- Which cryptographic method is typically used for encrypting data at rest in storage systems?
  A) RSA
  B) AES
  C) Diffie-Hellman
  D) MD
  Answer: B) AES
  Explanation: AES (Advanced Encryption Standard) is commonly used for symmetric encryption of data at rest due to its efficiency and security.
- Which protocol version is recommended to ensure strong security when configuring TLS for data in transit?
  A) TLS 1.
  B) TLS 1.
  C) TLS 1.2 or higher
  D) SSL 3.
  Answer: C) TLS 1.2 or higher
  Explanation: TLS 1.2 and above are considered secure, with TLS 1.3 providing even stronger security features; older versions like TLS 1.0 and SSL 3.0 are deprecated.
- A) Encryption
  B) Masking
  C) Tokenization
  D) Hashing
  Answer: C) Tokenization
  Explanation: Tokenization substitutes sensitive data with non-sensitive tokens, reducing risk while maintaining data relationships.
- Under GDPR, what is a primary developer responsibility regarding user data?
  A) Ignoring user consent
  B) Implementing privacy by design and obtaining explicit user consent
  C) Sharing data freely with third parties without restrictions
  D) Storing user data without encryption
  Answer: B) Implementing privacy by design and obtaining explicit user consent
  Explanation: GDPR emphasizes privacy by design, requiring developers to incorporate data protection measures and obtain clear user consent for data processing.
- Which common security vulnerability involves manipulating URL parameters to access or modify objects without proper authorization?
  A) SQL Injection
  B) Cross-Site Scripting (XSS)
  C) Insecure Direct Object Reference (IDOR)
  D) Cross-Site Request Forgery (CSRF)
  Answer: C) Insecure Direct Object Reference (IDOR)
  Explanation: IDOR occurs when applications expose references to internal objects, allowing attackers to access or modify resources without proper authorization.
- B) Stored XSS
  C) DOM-based XSS
  D) Cross-site scripting
  Answer: B) Stored XSS
  Explanation: Stored XSS involves persistent storage of malicious scripts, which execute when users access affected pages.
- How can developers prevent XML External Entities (XXE) attacks?
  A) Enable DTD processing in XML parsers
  B) Disable DTD processing and external entity resolution features
  C) Use server-side JavaScript
  D) Encrypt XML data before parsing
  Answer: B) Disable DTD processing and external entity resolution features
  Explanation: Disabling DTD processing prevents malicious external entities from being loaded during XML parsing.
- Which security testing technique analyzes source code for vulnerabilities before deployment?
  A) DAST
  B) SAST
  C) Penetration Testing
  D) Vulnerability Scanning
  Answer: B) SAST
  Explanation: Static Application Security Testing (SAST) examines source code for security flaws early in development.
- D) Penetration testing
  Answer: B) DAST
  Explanation: Dynamic Application Security Testing (DAST) assesses a live application to find vulnerabilities during runtime.
- What is a common method for securely managing secrets like API keys in CI/CD pipelines?
  A) Hardcoding secrets into source code
  B) Using environment variables or secret management tools like Vault or KMS
  C) Embedding secrets directly into Docker images
  D) Storing secrets in public repositories
  Answer: B) Using environment variables or secret management tools like Vault or KMS
  Explanation: Secure secret management involves using dedicated tools or environment variables that are protected from exposure.
- Which container security best practice involves running containers with the least privileges necessary?
  A) Running containers as root
  B) Using minimal base images and non-root user accounts
  C) Mounting host file systems inside containers
  D) Disabling container security features
  Answer: B) Using minimal base images and non-root user accounts
  Explanation: Running containers with least privileges reduces the attack surface and limits potential damage.
- Which security measure involves monitoring and logging security events to detect unauthorized activity?
- Answer: B) Immediate patching and disclosure to stakeholders
  Explanation: Prompt patching reduces risk, and responsible disclosure ensures transparency and mitigation.
- Which pattern emphasizes minimizing the attack surface by reducing exposed code, services, and ports?
  A) Defense in Depth
  B) Attack Surface Reduction
  C) Zero Trust Architecture
  D) Separation of Duties
  Answer: B) Attack Surface Reduction
  Explanation: Attack Surface Reduction focuses on minimizing the parts of the system exposed to untrusted input, decreasing potential attack vectors.
- What is a primary consideration when designing for Zero Trust Architecture?
  A) Default trust in internal network components
  B) Never trust, always verify, and micro-segmentation of network resources
  C) Allowing broad access within the network perimeter
  D) Using perimeter security alone
  Answer: B) Never trust, always verify, and micro-segmentation of network resources
  Explanation: Zero Trust assumes no implicit trust and enforces strict identity verification and segmentation at all levels.
- Which architectural pattern involves deploying applications in stateless functions that scale automatically and are billed based on usage?
  A) Monolithic architecture
  B) Microservices architecture
  C) Serverless architecture
  D) Client-server architecture
  Answer: C) Serverless architecture
  Explanation: Serverless architecture involves deploying functions that run on demand, offering scalability and cost benefits without managing servers.