- Which security concept ensures that data has not been altered in an unauthorized manner?
- Authentication
- Confidentiality
- Availability
- Integrity
Correct answer: Integrity
Integrity ensures that data and systems remain accurate and complete, and that unauthorized modifications are prevented or detected.
- The principle of least privilege states that a subject should be granted what level of access?
- Only the access required to perform its function
- Access equal to its peers
- Read-only access to all resources
- Full administrative access for convenience
Correct answer: Only the access required to perform its function
Least privilege limits subjects to only the minimum rights needed to perform their tasks, reducing the attack surface and limiting damage from compromise.
- Which design principle holds that a system should default to a denied or secure state when a failure occurs?
- Economy of mechanism
- Fail open
- Open design
- Fail secure
Correct answer: Fail secure
Fail secure (fail safe) ensures that when a control fails, access is denied rather than granted, preserving the protected state.
- What does the security concept of non-repudiation provide?
- Continuous system availability
- Encryption of data at rest
- Separation of network segments
- Assurance that a party cannot deny having performed an action
Correct answer: Assurance that a party cannot deny having performed an action
Non-repudiation provides proof of the origin or delivery of data so a party cannot later deny having taken an action, often achieved through digital signatures and audit logs.
- Defense in depth is best described as which of the following?
- Relying on a single strong perimeter control
- Layering multiple independent security controls
- Disabling unused services only
- Encrypting all data with one algorithm
Correct answer: Layering multiple independent security controls
Defense in depth layers multiple, diverse controls so that if one fails, others continue to provide protection.
- The concept of complete mediation requires that:
- Authorization is delegated to the client
- Only the first access is validated
- Every access to a resource is checked against authorization
- Access permissions are cached for performance
Correct answer: Every access to a resource is checked against authorization
Complete mediation requires that every access to every object be checked for authority, preventing reliance on cached or prior permission decisions.
- Which term describes reducing the number of features, services, and entry points exposed by an application?
- Security through obscurity
- Threat amplification
- Attack surface reduction
- Privilege escalation
Correct answer: Attack surface reduction
Attack surface reduction minimizes the available entry points and functionality an attacker could exploit, lowering overall risk.
- Separation of duties primarily protects against which risk?
- Hardware failure
- Slow application performance
- Weak encryption keys
- A single individual completing a sensitive process alone
Correct answer: A single individual completing a sensitive process alone
Separation of duties divides critical tasks among multiple people so no single individual can commit and conceal fraud or error.
- The principle of economy of mechanism recommends that security designs be:
- As complex as possible
- As simple and small as possible
- Hidden from auditors
- Dependent on proprietary algorithms
Correct answer: As simple and small as possible
Economy of mechanism favors simple, small designs because they are easier to analyze, test, and verify for correctness.
- Which concept refers to the assurance that authorized users have timely and reliable access to systems and data?
- Authorization
- Non-repudiation
- Confidentiality
- Availability
Correct answer: Availability
Availability ensures that systems, services, and information are accessible to authorized users when needed.
- Open design as a security principle asserts that:
- Security should depend on secrecy of the design
- Security should not depend on the secrecy of the mechanism, only of keys
- All source code must be public
- Designs should never be documented
Correct answer: Security should not depend on the secrecy of the mechanism, only of keys
Open design states that the security of a mechanism should not rely on the obscurity of its design but on the protection of secret keys or passwords.
- The AAA model in security stands for:
- Authentication, Authorization, Accounting
- Access, Allocation, Assurance
- Availability, Authenticity, Auditing
- Authentication, Availability, Accounting
Correct answer: Authentication, Authorization, Accounting
AAA refers to Authentication (verifying identity), Authorization (granting permissions), and Accounting (tracking actions).
- Which concept describes ensuring that the identity claimed by a subject is genuine?
- Auditing
- Authorization
- Authentication
- Accounting
Correct answer: Authentication
Authentication verifies that a subject is who or what it claims to be before access decisions are made.
- Psychological acceptability as a design principle means that:
- Security mechanisms should not make resources harder to access than necessary
- Security overrides usability entirely
- Users should be forced to accept all risks
- Security must be invisible to users at all times
Correct answer: Security mechanisms should not make resources harder to access than necessary
Psychological acceptability holds that security controls should be usable and not impose undue burden, or users will bypass them.
- What is the primary goal of an isolation or sandboxing mechanism?
- To remove the need for authentication
- To share memory across all processes
- To increase processing speed
- To contain a process so it cannot affect others or the host
Correct answer: To contain a process so it cannot affect others or the host
Sandboxing isolates code execution so that a compromised or malicious process cannot affect other processes or the underlying system.
- Which is an example of a least common mechanism principle violation?
- Each user has a dedicated session token
- Per-user encryption keys
- A shared global variable used by multiple privilege levels
- Separate logs per tenant
Correct answer: A shared global variable used by multiple privilege levels
Least common mechanism discourages sharing mechanisms among users of different privilege; a shared global variable across privilege levels creates a covert channel and risk.
- Confidentiality is most directly supported by which control?
- Encryption
- Redundant power supplies
- Load balancing
- Checksums
Correct answer: Encryption
Encryption protects confidentiality by rendering data unreadable to unauthorized parties.
- A covert channel is best defined as:
- A documented API endpoint
- A redundant network link
- An approved encrypted tunnel
- An unintended communication path that bypasses security policy
Correct answer: An unintended communication path that bypasses security policy
A covert channel is an unauthorized communication path that allows information to flow in violation of the security policy.
- Which term refers to building security into software from the earliest phases rather than adding it later?
- Security by obscurity
- Reactive defense
- Patch management
- Security by design
Correct answer: Security by design
Security by design embeds security considerations throughout the lifecycle starting at inception, which is more effective and cheaper than bolting it on later.
- The CIA triad does NOT include which of the following?
- Availability
- Confidentiality
- Authentication
- Integrity
Correct answer: Authentication
The CIA triad consists of Confidentiality, Integrity, and Availability; Authentication is a separate concept.
- When eliciting security requirements, what type of requirement specifies behavior the system must NOT allow?
- Functional requirement
- Performance requirement
- Usability requirement
- Negative (abuse case) requirement
Correct answer: Negative (abuse case) requirement
Negative or abuse-case requirements define behaviors the system must prevent, capturing what should not happen.
- Which activity helps identify how an attacker might misuse a feature during requirements gathering?
- Code review
- Load testing
- Use case modeling
- Misuse case modeling
Correct answer: Misuse case modeling
Misuse case modeling extends use cases to describe hostile actors and how they attempt to abuse functionality, surfacing security requirements.
- A requirement stating 'all personally identifiable information must be encrypted at rest' is an example of a:
- Performance requirement
- Usability requirement
- Compliance/regulatory-driven requirement
- Cosmetic requirement
Correct answer: Compliance/regulatory-driven requirement
Such a requirement typically derives from privacy regulations and compliance obligations governing the protection of PII.
- Data classification during requirements helps the team primarily to:
- Determine appropriate protection levels for information
- Decide UI colors
- Select a programming language
- Reduce code size
Correct answer: Determine appropriate protection levels for information
Classifying data by sensitivity informs which security controls and protection requirements apply to each data type.
- Which document captures the agreed-upon security expectations and protections an organization promises for a system?
- Marketing brief
- Release note
- Security policy
- Style guide
Correct answer: Security policy
A security policy defines required protections and expectations, which then drive specific security requirements for systems.
- Requirements traceability ensures that:
- Requirements are hidden from testers
- Each requirement can be linked to design, implementation, and tests
- All requirements are functional
- Requirements never change
Correct answer: Each requirement can be linked to design, implementation, and tests
Traceability maps each requirement forward to design, code, and test cases (and back), ensuring coverage and verification.
- When gathering requirements for handling regulated health data, which regulation is most relevant in the United States?
Correct answer: HIPAA
HIPAA governs the protection of health information in the United States and drives requirements for systems processing such data.
- A subject-object matrix developed during requirements helps define:
- Who (subjects) may perform which actions on what (objects)
- UI layout
- Database indexing strategy
- Network latency
Correct answer: Who (subjects) may perform which actions on what (objects)
A subject-object matrix maps subjects to permitted operations on objects, clarifying access control requirements.
- Which is a key security requirement category concerned with proving who did what and when?
- Animation requirements
- Compression requirements
- Color scheme requirements
- Auditing and logging requirements
Correct answer: Auditing and logging requirements
Auditing and logging requirements define what events must be recorded to support accountability, monitoring, and forensics.
- Defining acceptable data retention and disposal periods addresses which requirement area?
- Throughput requirements
- Data lifecycle/retention requirements
- Localization requirements
- Caching requirements
Correct answer: Data lifecycle/retention requirements
Data retention and disposal requirements specify how long data is kept and how it is securely destroyed, often driven by law and policy.
- Which technique helps prioritize security requirements based on potential business impact?
- Alphabetical ordering
- Code formatting
- Random selection
- Risk-based analysis
Correct answer: Risk-based analysis
Risk-based analysis weighs threats, likelihood, and impact to prioritize which security requirements deliver the most risk reduction.
- A requirement specifying that user passwords must meet complexity and length rules is primarily a(n):
- Availability requirement
- Performance requirement
- Interoperability requirement
- Authentication strength requirement
Correct answer: Authentication strength requirement
Password complexity and length rules strengthen authentication and are captured as authentication security requirements.
- Identifying the data flow of sensitive information across system boundaries during requirements supports:
- Reducing build time
- Understanding where protections must be applied
- Selecting a font
- Choosing a UI framework
Correct answer: Understanding where protections must be applied
Tracking sensitive data flows reveals trust boundaries and the points at which security controls and requirements must be enforced.
- Which requirement type ensures the system enforces appropriate access decisions for each role?
- Cosmetic requirements
- Authorization requirements
- Telemetry requirements
- Compression requirements
Correct answer: Authorization requirements
Authorization requirements specify the access rules and role permissions the system must enforce.
- GDPR's 'right to be forgotten' would most directly generate which requirement?
- More colorful dashboards
- Faster page load times
- The ability to erase a data subject's personal data on request
- Higher CPU utilization
Correct answer: The ability to erase a data subject's personal data on request
The right to erasure requires functionality enabling deletion of a data subject's personal data, becoming a concrete security/privacy requirement.
- Which is the BEST source for deriving security requirements about acceptable use of a third-party API?
- Internal marketing slides
- The UI mockups
- The API provider's terms, SLAs, and security documentation
- A random blog post
Correct answer: The API provider's terms, SLAs, and security documentation
Provider terms, SLAs, and security documentation define obligations and constraints that should be reflected in requirements.
- Threat modeling is BEST described as:
- A code formatting standard
- A backup procedure
- A load testing technique
- A structured process to identify, enumerate, and prioritize potential threats
Correct answer: A structured process to identify, enumerate, and prioritize potential threats
Threat modeling systematically identifies assets, threats, and mitigations early in design to reduce risk.
- In the STRIDE model, the 'S' stands for:
- Sandboxing
- Spoofing
- Scanning
- Scaling
Correct answer: Spoofing
STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
- Which STRIDE category corresponds to a threat to integrity?
- Tampering
- Denial of service
- Spoofing
- Information disclosure
Correct answer: Tampering
Tampering threatens integrity by altering data or code; the mitigation property is integrity.
- A trust boundary in an architecture diagram represents:
- A physical wall in the data center
- A point where data crosses between different trust levels
- A coding style change
- A version control branch
Correct answer: A point where data crosses between different trust levels
A trust boundary marks where data or control passes between zones of differing trust, requiring validation and security controls.
- Which architectural approach reduces risk by ensuring no single component is implicitly trusted?
- Single sign-on only
- Zero trust architecture
- Flat network design
- Hardcoded credentials
Correct answer: Zero trust architecture
Zero trust assumes no implicit trust and continuously verifies every request regardless of network location.
- Tokenization is primarily used in design to:
- Compress images
- Increase rendering speed
- Translate languages
- Replace sensitive data with non-sensitive surrogate values
Correct answer: Replace sensitive data with non-sensitive surrogate values
Tokenization substitutes sensitive data with tokens that have no exploitable value, reducing exposure of the original data.
- Which design pattern centralizes authorization decisions so they are consistently enforced?
- A spaghetti controller
- A singleton logger
- A god object
- A policy decision point / reference monitor
Correct answer: A policy decision point / reference monitor
A reference monitor or policy decision point centralizes and consistently enforces access control decisions across the system.
- The DREAD model is used to:
- Compile source code
- Rank and rate the severity of identified threats
- Encrypt network traffic
- Schedule backups
Correct answer: Rank and rate the severity of identified threats
DREAD rates threats by Damage, Reproducibility, Exploitability, Affected users, and Discoverability to prioritize risk.
- Which is a benefit of designing with loose coupling and high cohesion?
- Easier isolation and containment of security issues
- Elimination of all bugs
- Guaranteed encryption
- Automatic patching
Correct answer: Easier isolation and containment of security issues
Loose coupling and high cohesion make modules easier to isolate, review, and contain, limiting the blast radius of a security flaw.
- When designing a system handling cardholder data, applying network segmentation primarily helps to:
- Improve font rendering
- Slow down attackers' typing
- Increase database size
- Reduce the scope of systems subject to strict controls
Correct answer: Reduce the scope of systems subject to strict controls
Segmentation isolates systems that process cardholder data, reducing the compliance scope and limiting lateral movement.
- A security architecture review is best performed:
- Only during incident response
- Only after release
- During the design phase before implementation
- Never, if developers are skilled
Correct answer: During the design phase before implementation
Reviewing architecture during design catches flaws early when they are cheapest to fix, before code is written.
- Which cryptographic design decision provides forward secrecy?
- Disabling TLS
- Reusing the same static key forever
- Using ephemeral key exchange for each session
- Storing keys in source code
Correct answer: Using ephemeral key exchange for each session
Ephemeral key exchange (e.g., ephemeral Diffie-Hellman) provides forward secrecy so past sessions stay protected even if a long-term key is later compromised.
- An attack tree is a design artifact used to:
- Track code coverage
- Plan a sprint backlog
- Map database tables
- Decompose how a goal could be achieved by an attacker
Correct answer: Decompose how a goal could be achieved by an attacker
An attack tree breaks down an attacker's goal into the sub-steps and methods that could achieve it, aiding threat analysis.
- Choosing to validate input on the server even when the client validates it reflects which principle?
- Never trust the client / defense in depth
- Single point of trust
- Economy of mechanism only
- Security through obscurity
Correct answer: Never trust the client / defense in depth
Client-side validation can be bypassed, so server-side validation is required; relying on both reflects defense in depth.
- A microservices design improves security posture when it:
- Trusts all internal traffic implicitly
- Enforces authentication and authorization between services
- Disables logging to save space
- Shares one database password across all services in code
Correct answer: Enforces authentication and authorization between services
Authenticating and authorizing inter-service calls prevents a compromised service from freely accessing others.
- Which is the most effective defense against SQL injection in implementation?
- Using a faster CPU
- Hiding the database name
- Parameterized queries / prepared statements
- Increasing connection pool size
Correct answer: Parameterized queries / prepared statements
Parameterized queries separate code from data so user input cannot alter the SQL command structure.
- Output encoding is primarily used to prevent which vulnerability?
- Cross-site scripting (XSS)
- Race condition
- Hardware failure
- Buffer overflow
Correct answer: Cross-site scripting (XSS)
Encoding output for the correct context (HTML, JS, URL) prevents injected scripts from executing, mitigating XSS.
- Which practice helps prevent buffer overflow vulnerabilities in languages like C?
- Using bounds-checked functions and safe string handling
- Increasing variable names length
- Removing comments
- Disabling the compiler
Correct answer: Using bounds-checked functions and safe string handling
Bounds-checked functions and careful buffer management prevent writing beyond allocated memory, mitigating overflow attacks.
- Storing passwords securely requires:
- Plaintext storage for recovery
- Reversible encryption only
- Base64 encoding
- Salted, slow cryptographic hashing (e.g., bcrypt/Argon2)
Correct answer: Salted, slow cryptographic hashing (e.g., bcrypt/Argon2)
Passwords should be stored using a salted, computationally expensive one-way hash like bcrypt or Argon2 to resist cracking.
- Which is an example of insecure handling of secrets in code?
- Retrieving a key from a vault at runtime
- Using environment-injected credentials
- Loading a key from a secrets manager
- Hardcoding an API key in the source repository
Correct answer: Hardcoding an API key in the source repository
Hardcoding secrets in source exposes them to anyone with repository access and version history, a serious vulnerability.
- Canonicalization attacks are best mitigated by:
- Trusting the first decode
- Disabling Unicode
- Ignoring input encoding
- Canonicalizing input to a standard form before validation
Correct answer: Canonicalizing input to a standard form before validation
Converting input to a single canonical form before validating prevents attackers from sneaking malicious values through alternate encodings.
- A TOCTOU (time-of-check to time-of-use) flaw is a type of:
- Cross-site request forgery
- SQL injection
- Race condition
- Buffer overflow
Correct answer: Race condition
TOCTOU is a race condition where state changes between when it is checked and when it is used, allowing exploitation.
- To prevent cross-site request forgery (CSRF), a common implementation control is:
- Faster servers
- Larger cookies
- Anti-CSRF tokens tied to the user session
- Longer passwords
Correct answer: Anti-CSRF tokens tied to the user session
Unpredictable anti-CSRF tokens validated server-side ensure requests originate from the legitimate application, not a forged source.
- Which is a secure coding practice for error handling?
- Disable all logging
- Return generic errors to users and log details internally
- Display full stack traces to end users
- Expose database error messages
Correct answer: Return generic errors to users and log details internally
Detailed errors should be logged internally while users see generic messages, preventing information leakage that aids attackers.
- Integer overflow can lead to security issues primarily because it can:
- Make code run faster
- Encrypt data automatically
- Cause incorrect size calculations and unexpected memory operations
- Improve readability
Correct answer: Cause incorrect size calculations and unexpected memory operations
Integer overflow can wrap values and corrupt size or length calculations, leading to buffer overflows or logic bypasses.
- Which is the safest approach to handling untrusted file uploads?
- Save them directly in an executable directory
- Trust the file extension provided
- Validate type/size, store outside webroot, and scan content
- Execute uploads to verify they work
Correct answer: Validate type/size, store outside webroot, and scan content
Validating, storing outside the webroot, and scanning uploads prevents execution of malicious files and limits exposure.
- Using a memory-safe language or managed runtime primarily reduces the risk of:
- Memory corruption vulnerabilities
- Poor UI design
- Business logic errors
- Slow database queries
Correct answer: Memory corruption vulnerabilities
Memory-safe languages prevent common memory corruption issues like buffer overflows and use-after-free by managing memory automatically.
- Which practice helps ensure cryptography is implemented correctly?
- Use ECB mode for all data
- Invent a custom cipher
- Use well-vetted libraries instead of writing your own algorithms
- Reuse the same IV every time
Correct answer: Use well-vetted libraries instead of writing your own algorithms
Using vetted, maintained cryptographic libraries avoids subtle errors that arise from rolling your own cryptography.
- Deserialization of untrusted data is dangerous because it can:
- Allow remote code execution or object injection
- Reduce memory usage
- Speed up parsing
- Improve type safety
Correct answer: Allow remote code execution or object injection
Insecure deserialization can let attackers craft payloads that execute code or instantiate dangerous objects.
- Static application security testing (SAST) analyzes:
- User interface colors
- Network packets only
- Only the running application
- Source code or binaries without executing the program
Correct answer: Source code or binaries without executing the program
SAST inspects source code or compiled artifacts statically to find vulnerabilities without running the application.
- Dynamic application security testing (DAST) is characterized by:
- Compiling code
- Reading source code line by line
- Reviewing requirements documents
- Testing the running application from the outside
Correct answer: Testing the running application from the outside
DAST exercises a running application, sending inputs and observing responses to find runtime vulnerabilities.
- Fuzz testing primarily aims to:
- Verify UI alignment
- Send malformed or random inputs to find crashes and flaws
- Measure code readability
- Optimize compilation
Correct answer: Send malformed or random inputs to find crashes and flaws
Fuzzing feeds unexpected, malformed, or random data to an application to uncover crashes, memory errors, and input-handling flaws.
- Penetration testing differs from vulnerability scanning because it:
- Only lists potential issues automatically
- Never involves manual effort
- Cannot find any vulnerabilities
- Actively attempts to exploit weaknesses to demonstrate impact
Correct answer: Actively attempts to exploit weaknesses to demonstrate impact
Penetration testing actively exploits weaknesses to validate and demonstrate real impact, going beyond automated scanning.
- Which testing approach uses knowledge of internal code structure?
- Acceptance testing
- Smoke testing
- Black-box testing
- White-box testing
Correct answer: White-box testing
White-box testing leverages knowledge of internal structure and code to design test cases, including security-relevant paths.
- Interactive application security testing (IAST) works by:
- Only scanning source files
- Instrumenting the running app to observe code behavior during tests
- Measuring CPU temperature
- Reading firewall logs
Correct answer: Instrumenting the running app to observe code behavior during tests
IAST uses instrumentation inside the running application to correlate runtime behavior with code, improving accuracy.
- A test case verifying that a low-privilege user cannot access an admin function is testing:
- Performance
- Code style
- Localization
- Authorization / access control
Correct answer: Authorization / access control
Attempting privileged actions as a low-privilege user verifies that access control and authorization are correctly enforced.
- Which metric helps assess how thoroughly tests exercise the code?
- Disk RPM
- Page views
- Code coverage
- Color depth
Correct answer: Code coverage
Code coverage measures how much of the codebase is exercised by tests, helping identify untested, potentially risky paths.
- Regression testing in a security context ensures that:
- Documentation is complete
- Servers are faster
- New features look attractive
- Previously fixed vulnerabilities do not reappear
Correct answer: Previously fixed vulnerabilities do not reappear
Security regression testing confirms that past fixes remain effective and that changes have not reintroduced vulnerabilities.
- A false positive in a security scan refers to:
- A reported issue that is not actually a vulnerability
- A real vulnerability that was missed
- A successful exploit
- A passing test
Correct answer: A reported issue that is not actually a vulnerability
A false positive is a flagged finding that turns out not to be a genuine vulnerability, consuming triage effort.
- A false negative is most concerning because it means:
- A real vulnerability went undetected
- Coverage was too high
- A harmless item was flagged
- Tests ran too fast
Correct answer: A real vulnerability went undetected
A false negative is a real vulnerability the testing failed to detect, leaving the application exposed.
- Security test cases should be derived primarily from:
- UI mockups only
- Abuse cases and identified threats/requirements
- Marketing copy
- Random guesses
Correct answer: Abuse cases and identified threats/requirements
Effective security tests trace to abuse cases, threat models, and security requirements to ensure relevant attacks are exercised.
- Software Composition Analysis (SCA) tools focus on:
- Measuring database latency
- Spell checking documentation
- Identifying vulnerable third-party and open-source components
- Checking button alignment
Correct answer: Identifying vulnerable third-party and open-source components
SCA tools inventory dependencies and flag known vulnerabilities and license risks in third-party components.
- When a critical vulnerability is found late in testing, the BEST response is to:
- Assess risk and remediate or formally accept the risk before release
- Delete the test results
- Ship and hope no one notices
- Ignore it to meet the deadline
Correct answer: Assess risk and remediate or formally accept the risk before release
Findings should be risk-assessed and either remediated or have residual risk formally accepted by an authorized owner before release.
- A Secure Software Development Lifecycle (SDLC) integrates security by:
- Building security activities into every phase
- Avoiding documentation
- Adding a single review at the end
- Outsourcing all decisions
Correct answer: Building security activities into every phase
A secure SDLC embeds security tasks (requirements, design review, testing, etc.) into every phase rather than as a one-time gate.
- A security gate (milestone) in the lifecycle is used to:
- Require defined security criteria be met before proceeding
- Replace all testing
- Speed up coding by skipping reviews
- Eliminate requirements
Correct answer: Require defined security criteria be met before proceeding
Security gates enforce that defined criteria (e.g., passing reviews and tests) are satisfied before a project advances to the next phase.
- Which framework provides a model to measure and improve software security maturity?
- OWASP SAMM or BSIMM
- RAID
- OSI model
- TCP/IP
Correct answer: OWASP SAMM or BSIMM
OWASP SAMM and BSIMM are maturity models used to assess and improve an organization's software security program.
- Configuration management in the lifecycle primarily ensures:
- Marketing approval of code
- Changes to artifacts are tracked and controlled
- Faster CPUs are purchased
- Random deployments
Correct answer: Changes to artifacts are tracked and controlled
Configuration management tracks and controls changes to code, configurations, and artifacts, supporting integrity and traceability.
- A risk acceptance decision should be made by:
- An external attacker
- Any developer informally
- An authorized business owner who understands the residual risk
- The compiler
Correct answer: An authorized business owner who understands the residual risk
Residual risk should be formally accepted by an authorized owner with the authority and understanding to bear that risk.
- Security metrics and reporting in lifecycle management help to:
- Replace testing entirely
- Demonstrate program effectiveness and guide improvement
- Increase technical debt
- Hide defects from leadership
Correct answer: Demonstrate program effectiveness and guide improvement
Metrics provide visibility into the security program's effectiveness and inform decisions about where to invest improvements.
- Integrating security into Agile development is best achieved by:
- Assigning security to no one
- Doing security only after all sprints
- Skipping security to maintain velocity
- Including security tasks and acceptance criteria in each sprint
Correct answer: Including security tasks and acceptance criteria in each sprint
In Agile, security should be woven into backlog items, definition of done, and each sprint rather than deferred to the end.
- A software security policy and standards primarily serve to:
- Eliminate the need for testing
- Set consistent expectations and requirements across teams
- Replace the SDLC
- Guarantee zero bugs
Correct answer: Set consistent expectations and requirements across teams
Policies and standards establish consistent, organization-wide security expectations that teams must follow.
- Security training for developers is part of lifecycle management because it:
- Replaces code review
- Slows down all projects permanently
- Reduces the introduction of vulnerabilities at the source
- Is only useful for testers
Correct answer: Reduces the introduction of vulnerabilities at the source
Trained developers write more secure code, reducing the number of vulnerabilities introduced and the cost of remediation.
- Which lifecycle activity defines who is responsible for security tasks across the project?
- Choosing office furniture
- Selecting screen resolution
- Buying marketing ads
- Defining roles and responsibilities (RACI)
Correct answer: Defining roles and responsibilities (RACI)
Clearly defined roles and responsibilities ensure security tasks have accountable owners throughout the lifecycle.
- Decommissioning software securely at end of life should include:
- Ignoring the system
- Secure data disposal and revocation of access and credentials
- Publishing source code publicly
- Leaving all data and accounts active
Correct answer: Secure data disposal and revocation of access and credentials
Secure decommissioning requires sanitizing data, revoking access and credentials, and removing or archiving the system properly.
- A documented incident response plan tied to the lifecycle ensures that:
- Incidents are ignored
- No logging is needed
- Only developers respond ad hoc
- Security incidents are handled in a defined, repeatable manner
Correct answer: Security incidents are handled in a defined, repeatable manner
An incident response plan defines repeatable procedures so the organization can detect, contain, and recover from incidents effectively.
- Code signing during deployment provides assurance of:
- Code authenticity and integrity
- Faster execution
- Smaller binary size
- Better UI design
Correct answer: Code authenticity and integrity
Code signing lets recipients verify the publisher's identity and that the code has not been tampered with since signing.
- Hardening a server before deployment includes:
- Removing unnecessary services, accounts, and default credentials
- Enabling all services for flexibility
- Keeping default passwords
- Opening all ports
Correct answer: Removing unnecessary services, accounts, and default credentials
Hardening reduces the attack surface by disabling unneeded services, removing default accounts, and applying secure configurations.
- A bootstrapping secret needed at deployment is most securely provided by:
- Emailing it in plaintext
- Posting it in a wiki
- A secrets management system or vault
- Embedding it in the application package
Correct answer: A secrets management system or vault
Secrets managers and vaults provision credentials securely at runtime, avoiding exposure in packages or documents.
- Continuous monitoring during operations primarily helps to:
- Reduce logging
- Detect anomalies and security events in a timely manner
- Remove the need for patching
- Increase server temperature
Correct answer: Detect anomalies and security events in a timely manner
Continuous monitoring of logs, metrics, and alerts enables timely detection of and response to security events.
- Patch management is critical to operations because it:
- Remediates known vulnerabilities before they are exploited
- Slows attackers by confusing them
- Improves graphics quality
- Removes the need for backups
Correct answer: Remediates known vulnerabilities before they are exploited
Timely patching closes known vulnerabilities, reducing the window in which attackers can exploit them.
- A secure deployment pipeline should:
- Enforce integrity checks and least-privilege automation credentials
- Skip testing for speed
- Store credentials in plaintext logs
- Allow anyone to push to production
Correct answer: Enforce integrity checks and least-privilege automation credentials
A secure pipeline verifies artifact integrity and uses least-privilege, protected credentials for automated deployments.
- Which operational practice provides the ability to investigate a security incident after the fact?
- Disabling all audit trails
- Comprehensive, tamper-resistant logging
- Logging only successful logins
- Deleting logs nightly
Correct answer: Comprehensive, tamper-resistant logging
Comprehensive, protected logs provide the forensic evidence needed to investigate and understand incidents.
- Configuration drift in production is a concern because it can:
- Encrypt all data
- Introduce insecure or unexpected states over time
- Improve performance automatically
- Reduce the attack surface
Correct answer: Introduce insecure or unexpected states over time
Drift occurs when systems deviate from their secure baseline, potentially introducing vulnerabilities or weakening controls.
- Before retiring a production database, the secure step is to:
- Securely sanitize or destroy the stored data
- Share its credentials broadly
- Disable backups only
- Leave it online indefinitely
Correct answer: Securely sanitize or destroy the stored data
Data on retired systems must be securely sanitized or destroyed to prevent unauthorized recovery of sensitive information.
- A runbook for operations supports security by:
- Providing consistent, documented procedures for handling events
- Eliminating monitoring
- Hiding incident steps
- Encouraging improvised responses
Correct answer: Providing consistent, documented procedures for handling events
Runbooks document repeatable procedures so operators handle events consistently and correctly, including security incidents.
- Vulnerability management in operations should prioritize remediation based on:
- Risk, exploitability, and asset criticality
- How recently the server was rebooted
- The color of the dashboard
- Alphabetical order of CVE IDs
Correct answer: Risk, exploitability, and asset criticality
Effective vulnerability management ranks fixes by risk, exploitability, and the criticality of affected assets.
- Backups support security operations primarily by enabling:
- Faster compilation
- Recovery and availability after incidents such as ransomware
- Smaller log files
- Reduced encryption needs
Correct answer: Recovery and availability after incidents such as ransomware
Secure, tested backups allow recovery of data and systems after destructive incidents, supporting availability.
- Blue-green or canary deployment strategies improve security and reliability by:
- Removing the need for testing
- Disabling monitoring
- Hardcoding secrets
- Allowing quick rollback if a release introduces problems
Correct answer: Allowing quick rollback if a release introduces problems
These strategies limit exposure and enable fast rollback if a new release introduces defects or vulnerabilities.
- A Software Bill of Materials (SBOM) is used in supply chain security to:
- Track employee hours
- Inventory components and dependencies in a product
- Schedule meetings
- Measure CPU usage
Correct answer: Inventory components and dependencies in a product
An SBOM lists the components and dependencies in software, enabling rapid identification of affected products when a vulnerability is disclosed.
- Verifying the integrity of a downloaded open-source library is best done by:
- Assuming popular packages are safe
- Trusting the file name
- Checking a cryptographic hash or signature from a trusted source
- Skipping verification to save time
Correct answer: Checking a cryptographic hash or signature from a trusted source
Comparing a cryptographic hash or verifying a signature confirms the artifact was not tampered with in transit.
- A typosquatting attack in the supply chain involves:
- Publishing a malicious package with a name similar to a popular one
- Reducing build time
- Signing code correctly
- Encrypting all dependencies
Correct answer: Publishing a malicious package with a name similar to a popular one
Typosquatting tricks developers into installing a malicious package whose name closely resembles a legitimate one.
- Pinning dependency versions and using lockfiles helps the supply chain by:
- Encrypting source code
- Ensuring reproducible builds and preventing silent malicious updates
- Removing the need for SCA
- Making builds slower for security
Correct answer: Ensuring reproducible builds and preventing silent malicious updates
Pinning versions and lockfiles produce reproducible builds and prevent unexpected or malicious updates from being pulled in automatically.
- Third-party vendor risk assessment should evaluate:
- How fast the vendor replies to marketing emails
- Only the vendor's logo design
- The vendor's security practices and ability to meet obligations
- The vendor's office location color
Correct answer: The vendor's security practices and ability to meet obligations
Vendor assessments examine security practices, certifications, and contractual ability to meet security obligations.
- A dependency confusion attack exploits:
- Strong code signing
- Package managers preferring a malicious public package over an internal one
- Network segmentation
- Encrypted backups
Correct answer: Package managers preferring a malicious public package over an internal one
Dependency confusion occurs when a build system pulls a malicious public package that shares a name with an internal private one.
- Securing the build environment (CI/CD) is important to the supply chain because:
- A compromised build system can inject malicious code into releases
- It has no impact on shipped software
- It only matters for documentation
- It only affects developer morale
Correct answer: A compromised build system can inject malicious code into releases
Attackers who compromise the build pipeline can insert malicious code that is then signed and distributed to all customers.
- Contractual security requirements with a supplier should include:
- Right to audit, breach notification, and security obligations
- Only the price
- Only delivery dates
- Only the color of packaging
Correct answer: Right to audit, breach notification, and security obligations
Strong supplier contracts specify security obligations, audit rights, and breach notification to manage third-party risk.
- Provenance in the software supply chain refers to:
- The size of the binary
- The marketing history of a product
- The number of downloads
- Verifiable information about the origin and build of an artifact
Correct answer: Verifiable information about the origin and build of an artifact
Provenance provides trustworthy metadata about where and how an artifact was built, supporting integrity and trust decisions.
- When a transitive dependency has a critical vulnerability, the appropriate action is to:
- Disable the application permanently
- Update or replace it and verify no exploitable path remains
- Remove all logging
- Ignore it because it is indirect
Correct answer: Update or replace it and verify no exploitable path remains
Transitive dependencies must be remediated like direct ones; update or replace the component and confirm the risk is addressed.
- Using a private, curated artifact repository helps the supply chain by:
- Increasing the number of unknown packages
- Encrypting nothing
- Controlling and vetting which components enter the build
- Disabling version control
Correct answer: Controlling and vetting which components enter the build
A curated internal repository lets the organization vet, approve, and control the components developers can pull into builds.
- Reviewing open-source license compliance is part of supply chain management because:
- Licenses affect CPU speed
- Licenses determine UI colors
- License violations create legal and operational risk
- Licenses change encryption strength
Correct answer: License violations create legal and operational risk
Tracking and complying with component licenses avoids legal exposure and operational disruption from non-compliant use.
- Establishing trust in a delivered hardware or firmware component is supported by:
- The component's color
- The vendor's verbal assurance only
- A hardware root of trust and signed firmware
- Trusting the shipping box
Correct answer: A hardware root of trust and signed firmware
A hardware root of trust and signed firmware allow verification that components and their code are authentic and unmodified.
- Continuously monitoring dependencies for newly disclosed vulnerabilities is important because:
- Monitoring removes the need for patching
- A component safe today may have a vulnerability disclosed tomorrow
- It only matters at first install
- Dependencies never change
Correct answer: A component safe today may have a vulnerability disclosed tomorrow
New vulnerabilities are disclosed continually, so ongoing monitoring of dependencies is needed to respond promptly throughout the product's life.
- A development team adds a second, independent authentication factor in front of an application that already enforces strong password rules, validates input at the API gateway, and encrypts data at rest. Which secure design principle is most directly demonstrated by relying on these overlapping, independent layers rather than any single control?
- Fail-safe defaults
- Economy of mechanism
- Defense in depth
- Open design
Correct answer: Defense in depth
Defense in depth is the principle illustrated here: security does not rely on a single point of detection or enforcement, so the resource stays protected even if one layer fails. The team layers authentication, input validation, and encryption as independent controls. Economy of mechanism is about keeping a single mechanism simple, not stacking multiple controls, so it does not describe this strategy.
- An architect must decide how a new authorization module behaves when its policy-decision service times out and returns no answer. To satisfy the fail-secure design principle, what should the module do?
- Cache the last decision made for that user and apply it
- Escalate the request to an administrator for manual approval
- Deny the request and refuse access until a valid decision is returned
- Grant the request to preserve availability and log the timeout
Correct answer: Deny the request and refuse access until a valid decision is returned
Denying the request and refusing access until a valid decision is returned is the fail-secure (fail-safe defaults) behavior: when a mechanism fails or cannot reach a decision, it should default to a denied, protected state rather than an open one. Granting access to preserve availability fails open, which is exactly the unsafe outcome this principle prohibits, because a failure then exposes the resource.
- A microservice signs every outbound message with the sender's private key so a recipient can later prove which service originated each message and that it was not altered in transit. Which two core security concepts does this design provide together?
- Authentication and confidentiality
- Confidentiality and availability
- Availability and accountability
- Integrity and non-repudiation
Correct answer: Integrity and non-repudiation
Integrity and non-repudiation are provided together by a digital signature: the signature lets the recipient detect any unauthorized alteration (integrity) and prevents the signer from later denying that it produced the message (non-repudiation). A signature alone does not encrypt the payload, so it does not provide confidentiality, which is why the options pairing confidentiality with this design are wrong.
- During design review, an engineer proposes that the system's security should depend on keeping the encryption algorithm itself secret from outsiders. Citing the open design principle, the reviewer rejects this. What does the open design principle assert?
- Security should not depend on the secrecy of the design or implementation, only on the secrecy of keys
- The user interface should be open and easy to navigate for all users
- Designs should be reviewed openly by every developer before release
- All source code must be released publicly under an open-source license
Correct answer: Security should not depend on the secrecy of the design or implementation, only on the secrecy of keys
Open design holds that security should not rest on the secrecy of the mechanism or algorithm, only on the secrecy of cryptographic keys; mechanisms are assumed to be known to adversaries. This is the opposite of security through obscurity. It does not require publishing source code under an open-source license, which confuses an unrelated software-licensing idea with the design principle.
- A web application caches each user's authorization decision after their first request and reuses it for the rest of the session, even after an administrator revokes that user's role mid-session. Which secure design principle does this caching most clearly violate?
- Economy of mechanism
- Separation of duties
- Psychological acceptability
- Complete mediation
Correct answer: Complete mediation
Complete mediation is violated: this principle requires that every access to every protected object be checked for current authority at the time of access, not just once. Caching a stale decision lets a revoked user keep access, defeating the re-check. Economy of mechanism concerns design simplicity and does not address whether each access is independently authorized.
- A startup designs a custom, highly intricate access-control engine with many interacting rules and special cases, believing complexity makes it harder to attack. A CSSLP reviewer warns this works against a core design principle. Which principle favors a smaller, simpler design that is easier to verify?
- Defense in depth
- Economy of mechanism
- Open design
- Complete mediation
Correct answer: Economy of mechanism
Economy of mechanism favors keeping security mechanisms as small and simple as possible so they can be thoroughly analyzed, tested, and verified for correctness. Added complexity expands the attack surface and hides flaws rather than preventing them. Defense in depth is about layering independent controls, which is a different concern from the simplicity of any one mechanism.
- A finance application is being designed so that no single employee can both create a new vendor record and approve payments to that vendor. Implementing this rule in the workflow primarily enforces which secure design principle, and what risk does it address?
- Complete mediation, to re-check authority on every transaction
- Least common mechanism, to reduce shared resources among users
- Separation of duties, to prevent fraud and abuse of privilege by a single individual
- Least privilege, to minimize the permissions assigned to each role
Correct answer: Separation of duties, to prevent fraud and abuse of privilege by a single individual
Separation of duties is enforced: splitting a sensitive end-to-end process across two or more people ensures no single individual can complete it alone, which deters and detects fraud and collusion. Least privilege is related but narrower, governing how many permissions a single role holds rather than splitting a critical workflow across distinct people.
- A batch job historically ran as a domain administrator simply because that account already existed. A CSSLP recommends creating a dedicated service account scoped only to the specific database tables and file shares the job touches. Which principle does this change implement?
- Fail-safe defaults
- Psychological acceptability
- Open design
- Least privilege
Correct answer: Least privilege
Least privilege is implemented: every program and account should run with only the minimum permissions needed to perform its function, so a scoped service account replaces the over-privileged administrator account. This shrinks the blast radius if the job is compromised. Fail-safe defaults concerns how a mechanism behaves on failure, not how broadly an account's permissions are scoped.
- A security feature requires users to memorize a 20-character password, rotate it weekly, and re-type it before every action, which leads users to write passwords on sticky notes and reuse them. Which secure design principle has the design failed to honor?
- Complete mediation
- Separation of privilege
- Least common mechanism
- Psychological acceptability
Correct answer: Psychological acceptability
Psychological acceptability is the failed principle: protection mechanisms must be easy enough to use that people apply them correctly and routinely, otherwise users circumvent them and security drops. The burdensome scheme pushes users toward insecure workarounds. Complete mediation, by contrast, addresses checking authority on each access and says nothing about usability.
- A CSSLP is asked to map proposed controls to the CIA triad. Hashing files to detect tampering, geographically replicating a database, and encrypting records at rest map respectively to which three properties?
- Integrity, availability, confidentiality
- Availability, confidentiality, integrity
- Integrity, confidentiality, availability
- Confidentiality, integrity, availability
Correct answer: Integrity, availability, confidentiality
The correct mapping is integrity, availability, confidentiality: hashing detects unauthorized modification (integrity), geographic replication keeps the service reachable through outages (availability), and encryption at rest protects against unauthorized disclosure (confidentiality). The CIA triad pairs each control to the property it most directly preserves, and these three controls align in that order.
- In a threat-modeling discussion, a teammate claims that confidentiality means the same thing as availability. As a CSSLP, how should you correct this and define confidentiality, integrity, and availability precisely?
- Confidentiality and availability both ensure data is accurate, while integrity ensures access
- Confidentiality ensures uptime, integrity validates identity, and availability encrypts data
- Confidentiality limits disclosure to authorized parties, integrity prevents unauthorized modification, and availability ensures timely authorized access
- Confidentiality logs all access, integrity backs up data, and availability authorizes users
Correct answer: Confidentiality limits disclosure to authorized parties, integrity prevents unauthorized modification, and availability ensures timely authorized access
The accurate definition is that confidentiality limits disclosure of data to authorized parties, integrity prevents and detects unauthorized modification of data, and availability ensures authorized users get timely, reliable access. These are three distinct properties of the CIA triad, not synonyms. Confidentiality is about preventing disclosure, while availability is about access being reliably present, so conflating the two is incorrect.
- An architect designs two unrelated tenant applications to share one common logging and parsing library that runs with elevated privileges and handles each tenant's raw input. A reviewer flags that a flaw in this shared component could compromise both tenants at once. Which design principle is this concern based on?
- Least common mechanism
- Fail-safe defaults
- Open design
- Defense in depth
Correct answer: Least common mechanism
Least common mechanism is the basis for the concern: minimizing mechanisms shared across multiple users or tenants reduces the chance that a single shared component becomes a common path for compromise or unintended information flow. A privileged shared library serving both tenants is exactly the shared mechanism this principle warns against. Defense in depth addresses layering controls, not reducing shared components.
- An organization is adopting a Secure Software Development Life Cycle (Secure SDLC) and wants a single guiding principle that distinguishes it from a traditional SDLC. Which statement best captures the defining characteristic of a Secure SDLC?
- Security is replaced by purchasing cyber-insurance to cover residual risk
- Security activities are performed by an external audit team after the product ships
- Security considerations and verification activities are embedded into every phase of development
- Security is addressed exclusively during a dedicated penetration test before release
Correct answer: Security considerations and verification activities are embedded into every phase of development
Embedding security considerations and verification activities into every phase is what defines a Secure SDLC. A Secure SDLC weaves activities such as security requirements, threat modeling, secure design review, secure coding, and security testing into each stage rather than treating security as a single late gate. Saving all security for a pre-release pen test or an external audit is the bolt-on, reactive model the Secure SDLC is meant to replace.
- A lifecycle manager is comparing software security maturity models to benchmark the organization's program. Which pairing correctly describes the fundamental difference between BSIMM and OWASP SAMM?
- Both are compliance certifications issued by ISO that organizations must pass annually
- BSIMM is a descriptive model built by observing real firms, while SAMM is a prescriptive self-assessment framework
- BSIMM is a prescriptive how-to standard, while SAMM is an observational study of firms
- BSIMM measures network maturity, while SAMM measures only physical security maturity
Correct answer: BSIMM is a descriptive model built by observing real firms, while SAMM is a prescriptive self-assessment framework
BSIMM is descriptive (built by observing what real organizations actually do) while OWASP SAMM is prescriptive (a framework you use to self-assess and plan improvements). BSIMM reports the activities seen across participating firms as a measuring stick, whereas SAMM defines maturity levels and recommended activities you aim toward. Neither is an ISO certification, and both address software security maturity, not physical security.
- An organization implementing OWASP SAMM v2 needs to assign the practice that establishes the software security policy, defines roles and responsibilities, and tracks program metrics. Under which SAMM business function does this work fall?
- Governance
- Verification
- Implementation
- Operations
Correct answer: Governance
Governance is the SAMM v2 business function that owns Strategy & Metrics, Policy & Compliance, and Education & Guidance. It establishes the overall software security policy, defines roles and responsibilities, and tracks program-level metrics. SAMM v2 has five business functions: Governance, Design, Implementation, Verification, and Operations. Implementation covers Secure Build, Secure Deployment, and Defect Management; Verification covers testing and architecture assessment; and Operations covers incident, environment, and operational management.
- A DevSecOps team wants security checks to run automatically every time code is committed to the CI/CD pipeline. Which characterization of DevSecOps best reflects its core intent within lifecycle management?
- DevSecOps integrates and automates security as a shared responsibility throughout the development pipeline
- DevSecOps means a separate security team manually approves each release after deployment
- DevSecOps eliminates the need for threat modeling because automation finds all flaws
- DevSecOps defers all security testing until the production monitoring phase
Correct answer: DevSecOps integrates and automates security as a shared responsibility throughout the development pipeline
DevSecOps integrates and automates security as a shared responsibility across the development pipeline. It shifts security left by embedding automated SAST, SCA, DAST, secrets scanning, and policy gates into CI/CD so issues surface continuously rather than at a late manual approval. It does not replace threat modeling or defer testing to production; rather it makes security everyone's job throughout the lifecycle.
- A team practicing SSDLC configures its CI pipeline so a build that produces a critical SAST finding is automatically blocked from promotion. What is this control commonly called, and what lifecycle goal does it serve?
- A regression suite, which verifies functional parity between releases
- A security gate, which enforces defined security criteria before code advances
- A code freeze, which halts all commits before a release
- A canary deployment, which exposes a change to a small user subset
Correct answer: A security gate, which enforces defined security criteria before code advances
Blocking promotion of a build with a critical finding is a security gate, which enforces that defined security criteria are met before code advances to the next stage. In a Secure SDLC and DevSecOps pipeline, gates operationalize policy by failing the build on critical results from SAST, SCA, or other scanners. A regression suite checks functionality, a canary controls rollout exposure, and a code freeze just stops commits, none of which enforce security pass/fail criteria.
- During lifecycle management, a security lead must categorize findings so the most dangerous ones are fixed first. Which approach best supports defect tracking and remediation prioritization across the program?
- Assign each defect a severity and risk rating and track it to closure in a managed system
- Resolve defects strictly in the order they were reported, regardless of impact
- Close all low-severity items first because they are quicker to fix
- Wait until release to triage all defects at once to save effort
Correct answer: Assign each defect a severity and risk rating and track it to closure in a managed system
Assigning each defect a severity and risk rating and tracking it to closure in a managed system is the sound defect-management approach. Risk-based triage ensures high-impact vulnerabilities are remediated before low-impact ones, and a tracking system provides accountability, metrics, and an audit trail. First-come-first-served, quick-wins-first, or batch-at-release approaches all let serious risks linger.
- A program office wants a metric that signals how long known vulnerabilities remain exploitable in production before being fixed. Which security metric most directly measures this?
- Number of unit tests written per release
- Mean time to remediate (MTTR) for vulnerabilities
- Average build duration in the CI pipeline
- Lines of code per developer per sprint
Correct answer: Mean time to remediate (MTTR) for vulnerabilities
Mean time to remediate (MTTR) directly measures how long vulnerabilities stay open before being fixed, reflecting the window of exposure. Tracking MTTR and defect density over time lets lifecycle managers gauge whether the program is improving and where bottlenecks exist. Lines of code, unit-test counts, and build duration are productivity or performance metrics, not measures of vulnerability exposure.
- An organization is formalizing change management for its applications. A developer needs an emergency hotfix deployed outside the normal release window. What does a mature change-management process require before that change goes live?
- Immediate deployment with documentation completed afterward only if time allows
- Approval solely from the developer who wrote the fix
- Skipping review because emergency changes are exempt from all controls
- Authorization, risk assessment, and a tested rollback plan recorded through the change process
Correct answer: Authorization, risk assessment, and a tested rollback plan recorded through the change process
A mature change-management process requires authorization, a risk assessment, and a tested rollback plan recorded even for emergency changes. Emergency changes use an expedited path, but they are still reviewed, approved, and documented so integrity and traceability are preserved. Letting a single author self-approve or exempting emergency changes entirely defeats the purpose of change control.
- A lifecycle manager maintains an authoritative inventory of every approved component, version, and configuration baseline that makes up a release. Which discipline does this represent, and why does it matter for security?
- User acceptance testing, because it confirms business requirements
- Configuration management, because it controls and tracks the integrity of release artifacts
- Marketing release planning, because it sets the launch date
- Capacity planning, because it forecasts future server demand
Correct answer: Configuration management, because it controls and tracks the integrity of release artifacts
Maintaining an authoritative inventory of approved components, versions, and baselines is configuration management, which controls and tracks the integrity of release artifacts. Knowing exactly what is in a build is essential for verifying integrity, responding to newly disclosed vulnerabilities, and proving that only approved code shipped. Capacity planning, release marketing, and acceptance testing serve other goals.
- An enterprise wants to align its in-house Secure SDLC activities to a recognized U.S. government framework that defines high-level secure development practices grouped into Prepare the Organization, Protect the Software, Produce Well-Secured Software, and Respond to Vulnerabilities. Which framework is this?
- ITIL service management
- PCI DSS
- COBIT control objectives
- NIST Secure Software Development Framework (SSDF), SP 800-218
Correct answer: NIST Secure Software Development Framework (SSDF), SP 800-218
The NIST Secure Software Development Framework (SSDF), SP 800-218, organizes secure development into Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV). Organizations map their SSDLC and DevSecOps controls to SSDF practices and demonstrate compliance through pipeline evidence. PCI DSS, ITIL, and COBIT address payment security, IT service management, and IT governance respectively, not the secure development lifecycle.
- A CISO argues that fixing a security flaw discovered during the requirements or design phase is dramatically cheaper than fixing the same flaw after release. Which lifecycle-management principle supports investing in early security activities?
- Security spending should be concentrated entirely in production monitoring
- The cost of remediation rises sharply the later a defect is found (shift left)
- Defects found late are always trivial to fix
- Security through obscurity
Correct answer: The cost of remediation rises sharply the later a defect is found (shift left)
The principle that remediation cost rises sharply the later a defect is found supports shifting security left into requirements and design. Catching flaws early, when only documents or designs need changing, avoids the expensive rework, retesting, and incident costs of fixing them in production. This economic rationale is a core driver of the Secure SDLC and DevSecOps investment in early activities.
- An organization with a low maturity score on a software security model wants a structured path to improve. How should a maturity model such as SAMM or BSIMM be used in lifecycle management?
- As a replacement for all security testing tools
- As a baseline-and-roadmap tool for measuring current state and planning incremental improvement
- As a one-time pass/fail audit that ends the program once cleared
- As a marketing badge with no internal assessment value
Correct answer: As a baseline-and-roadmap tool for measuring current state and planning incremental improvement
A maturity model is best used as a baseline-and-roadmap tool: you assess current state, set target maturity levels, and plan incremental improvements over time. SAMM and BSIMM let an organization measure where it stands across practices and prioritize where to invest next. They are not one-time audits, testing-tool replacements, or mere badges; they drive continuous program improvement.
- A security program needs a body that reviews proposed changes, weighs their risk, and authorizes or rejects them before they enter a release. Which governance mechanism fulfills this role?
- A continuous integration runner
- A bug bounty triage queue
- A change advisory board (CAB) or change control board
- A standup retrospective
Correct answer: A change advisory board (CAB) or change control board
A change advisory board (CAB), or change control board, reviews proposed changes, assesses their risk, and authorizes or rejects them before release. This formal authority is central to change management within lifecycle governance, ensuring no unvetted change enters production. A standup retrospective, bounty triage, and CI runner are operational mechanisms that do not hold change-authorization authority.
- An organization formally documents that a known medium-severity vulnerability will not be fixed before launch because mitigation cost outweighs the residual risk. Within lifecycle governance, what must accompany this risk-acceptance decision to be valid?
- Deletion of the finding from the tracker so it does not reappear
- Documented approval by an authorized risk owner with authority to accept the residual risk
- Sign-off from the individual developer who found the issue
- An automatic exemption because the severity is only medium
Correct answer: Documented approval by an authorized risk owner with authority to accept the residual risk
A valid risk-acceptance decision requires documented approval by an authorized risk owner who has the authority and understanding to accept the residual risk. The decision, its rationale, and the accepting party must be recorded so accountability is preserved and the item can be revisited. A developer cannot self-accept enterprise risk, findings must not be deleted to hide them, and no severity is automatically exempt.
- A team integrating security into an Agile workflow wants to ensure security work is not dropped under sprint pressure. Which practice most effectively embeds security into Agile lifecycle management?
- Adding security acceptance criteria to stories and including them in the Definition of Done
- Holding a single security review only after the final sprint
- Assigning security tasks to no one so velocity is maximized
- Tracking security work in a separate plan disconnected from the backlog
Correct answer: Adding security acceptance criteria to stories and including them in the Definition of Done
Adding security acceptance criteria to user stories and folding them into the Definition of Done embeds security directly into each sprint. This makes security a completion requirement rather than optional work that slips under deadline pressure. A single post-sprint review, unassigned tasks, or a disconnected side plan all let security work fall through the cracks.
- A software product is reaching end of life and will be retired. Which set of activities best represents secure decommissioning within lifecycle management?
- Publishing the source code and databases publicly to reduce storage costs
- Disabling the user interface while leaving back-end services and data fully accessible
- Leaving the system online with all accounts active in case it is needed again
- Sanitizing or securely destroying data, revoking credentials and access, and archiving records per policy
Correct answer: Sanitizing or securely destroying data, revoking credentials and access, and archiving records per policy
Secure decommissioning means sanitizing or securely destroying data, revoking credentials and access, and archiving required records according to retention policy. Properly retiring a system prevents orphaned data, dormant accounts, and forgotten services from becoming attack vectors. Leaving the system or its back end live, or publishing its data, creates serious residual exposure.
- A lifecycle manager wants developers to write fewer vulnerabilities in the first place rather than relying solely on downstream scanning. Which program investment most directly reduces the introduction of flaws at the source?
- Buying faster build servers
- Increasing the number of production replicas
- Adding more marketing for the release
- Role-based secure coding training and developer education
Correct answer: Role-based secure coding training and developer education
Role-based secure coding training and developer education most directly reduces the number of vulnerabilities introduced at the source. Educated developers recognize and avoid common flaws, lowering remediation cost and downstream scanning load. Faster build servers, more replicas, and marketing do not change the rate at which insecure code is written.
- An organization must demonstrate to an auditor that every release was built only from approved, integrity-verified components and that no unauthorized change entered the pipeline. Which combination of lifecycle disciplines provides this assurance?
- Configuration management together with change control and an audit trail
- User experience design and A/B testing
- Capacity planning together with load balancing
- Localization together with accessibility testing
Correct answer: Configuration management together with change control and an audit trail
Configuration management combined with change control and an audit trail provides assurance that releases were built from approved, integrity-verified components and that no unauthorized change slipped in. Configuration management identifies and baselines artifacts, change control authorizes modifications, and the audit trail records who changed what and when. UX design, capacity planning, and localization address other concerns and offer no such integrity evidence.
- A security program publishes dashboards showing vulnerability density, gate pass rates, and remediation timelines to leadership each quarter. Beyond reporting status, what is the primary lifecycle-management purpose of these security metrics?
- To assign individual blame for every defect found
- To demonstrate program effectiveness and drive data-informed improvement decisions
- To satisfy auditors while keeping the data hidden from engineering teams
- To replace the need for any hands-on security testing
Correct answer: To demonstrate program effectiveness and drive data-informed improvement decisions
The primary purpose of security metrics is to demonstrate program effectiveness and drive data-informed decisions about where to improve. Trends in vulnerability density, gate pass rates, and remediation time show whether the Secure SDLC is working and where to invest next. Metrics do not replace testing, exist to assign blame, or serve only auditors while being withheld from the teams who must act on them.
- A continuous-improvement initiative wants the organization to learn from each incident and audit so the same weaknesses are not repeated across future projects. Which lifecycle activity best institutionalizes this learning?
- Treating each project as fully independent with no shared knowledge
- Discarding incident records once the immediate fix is deployed
- Feeding lessons learned back into policies, standards, training, and the SDLC process
- Restricting incident findings to a single individual's private notes
Correct answer: Feeding lessons learned back into policies, standards, training, and the SDLC process
Feeding lessons learned back into policies, standards, training, and the SDLC process institutionalizes continuous improvement. This closed feedback loop turns incident and audit findings into updated controls and education so recurring weaknesses are designed out of future projects. Discarding records, siloing knowledge, or isolating projects prevents the organization from maturing its security program.
- A regulated organization needs each application granted a formal authorization to operate based on an assessment of its risk before it goes live, with periodic reauthorization thereafter. Which lifecycle-governance process does this describe?
- A risk-based authorization (accreditation) and continuous monitoring process
- Penetration testing scheduling
- Sprint capacity estimation
- Marketing go-to-market planning
Correct answer: A risk-based authorization (accreditation) and continuous monitoring process
Granting a formal authorization to operate after a risk assessment, with periodic reauthorization, describes a risk-based authorization (accreditation) and continuous monitoring process, as embodied in frameworks like the NIST Risk Management Framework. It ties a documented risk decision to an authorizing official and requires ongoing monitoring to keep that authorization valid. Pen-test scheduling, capacity estimation, and go-to-market planning are unrelated to authorization governance.
- During requirements gathering, a team writes: 'For every account-creation use case, the system must resist an attacker who automates registration to enumerate valid usernames.' What type of requirements artifact is the team developing?
- An abuse case
- A functional acceptance test
- A service-level agreement
- A data flow diagram
Correct answer: An abuse case
This is an abuse case. An abuse case describes how a hostile actor deliberately tries to misuse or exploit a feature (here, scripted registration to enumerate accounts), and it is written alongside the normal use case to surface the security requirements needed to stop it, such as rate limiting and generic error messages. A data flow diagram is a design/threat-modeling artifact rather than a requirements case, and an SLA defines service performance commitments, not attacker behavior.
- What is the core difference between a misuse case and an abuse case in secure requirements work?
- A misuse case captures unintended or accidental harmful use, while an abuse case captures deliberate malicious exploitation by an adversary
- A misuse case applies only to web apps; an abuse case applies only to mobile apps
- A misuse case is documented by attackers; an abuse case is documented by developers
- They are identical terms with no practical distinction
Correct answer: A misuse case captures unintended or accidental harmful use, while an abuse case captures deliberate malicious exploitation by an adversary
In the CSSLP and secure-requirements context, a misuse case models how the system could be used in a harmful or unintended way (including accidental or careless behavior that causes harm), while an abuse case specifically models the deliberate, hostile actions of an adversary. Both are negative scenarios derived from use cases to drive security requirements, but the abuse case centers on an intentional attacker. Neither is restricted to a particular platform.
- Which statement correctly distinguishes a functional security requirement from a non-functional security requirement?
- A functional security requirement specifies a security behavior the software must perform, while a non-functional security requirement specifies a quality or constraint such as how resilient or available that behavior must be
- Functional security requirements are optional, while non-functional ones are mandatory
- Non-functional security requirements are tested by users, functional ones are not
- A functional security requirement always involves encryption, while a non-functional one never does
Correct answer: A functional security requirement specifies a security behavior the software must perform, while a non-functional security requirement specifies a quality or constraint such as how resilient or available that behavior must be
A functional security requirement specifies a discrete security behavior the system must perform, such as 'the system shall lock an account after five consecutive failed logins.' A non-functional security requirement expresses a quality, constraint, or systemic property, such as 'authentication services shall remain available 99.9% of the time' or 'the system shall scale to enforce TLS on 10,000 concurrent sessions.' Both can be mandatory, and encryption can appear in either category.
- A bank's requirements team must decide who is accountable for approving access to customer financial records and who applies day-to-day protection in the application. Which two data classification concepts are they assigning?
- Data subject and data processor
- Data owner and data custodian
- Data labeler and data anonymizer
- Data controller and data minimizer
Correct answer: Data owner and data custodian
They are assigning the data owner and the data custodian. The data owner is accountable for classifying the data and approving access and protection requirements, while the data custodian implements and maintains the controls the owner specifies in day-to-day operations. Data controller and data processor are GDPR privacy roles rather than the ownership roles defined in data classification requirements.
- Why is identifying data classification requirements early in the requirements phase important for secure software?
- It guarantees the software will pass a PCI-DSS audit automatically
- It eliminates the need for any later threat modeling
- It determines the proportional protection, labeling, and handling controls the software must enforce based on data sensitivity
- It replaces the need to define functional requirements
Correct answer: It determines the proportional protection, labeling, and handling controls the software must enforce based on data sensitivity
Data classification requirements drive proportional controls: by labeling data according to sensitivity (for example public, internal, confidential, restricted), the team derives the protection, access, encryption, and handling requirements the software must enforce for each class. This ensures controls match the value and risk of the data rather than over- or under-protecting it. Classification informs but does not replace threat modeling or functional requirements, and it does not by itself guarantee an audit outcome.
- A security requirements traceability matrix (SRTM) in secure software development is primarily used to:
- Schedule the production deployment windows for each release
- Store the encryption keys used by the application
- Map each security requirement to its design, implementation, and test artifacts so none is missed or untested
- Record the results of penetration tests after release
Correct answer: Map each security requirement to its design, implementation, and test artifacts so none is missed or untested
An SRTM maps each security requirement to the design elements, code, and test cases that satisfy and verify it, providing bidirectional traceability so every requirement is implemented and validated and nothing is silently dropped. It is a coverage and accountability tool across the lifecycle, not a deployment scheduler, key store, or pen-test log. This is why an SRTM is the standard mechanism for proving security requirement coverage.
- What does 'security requirement traceability' ensure across the software development lifecycle?
- That requirements are automatically converted into source code
- That all requirements are written in a single document
- That requirements can only be read by the security team
- That every defined security requirement can be linked forward to its implementation and tests, and backward to its source or driver
Correct answer: That every defined security requirement can be linked forward to its implementation and tests, and backward to its source or driver
Security requirement traceability ensures each requirement can be followed forward to the design, code, and test artifacts that fulfill and verify it, and traced backward to the business need, regulation, or threat that drove it. This bidirectional linkage prevents orphaned or untested requirements and supports impact analysis when something changes. It is about linkage and coverage, not access restriction, single-document formatting, or automatic code generation.
- A team needs an artifact that lists each security requirement alongside its unique identifier, its source, the responsible owner, the implementing component, and the test that verifies it. Which artifact best fits this need?
- A threat model report
- A security requirements traceability matrix
- A software bill of materials
- A data retention schedule
Correct answer: A security requirements traceability matrix
A security requirements traceability matrix is exactly this artifact: a table that records each requirement with an identifier, its origin, the responsible party, the component or design element that implements it, and the test case verifying it. A software bill of materials inventories components and dependencies, a threat model report enumerates threats, and a retention schedule governs how long data is kept; none of these provides requirement-to-test traceability.
- A SaaS product must let EU users withdraw consent for marketing data processing and have their records deleted on request. Which category of secure software requirement is being defined?
- Performance requirements
- Privacy requirements
- Interoperability requirements
- Availability requirements
Correct answer: Privacy requirements
This defines privacy requirements. Privacy requirements address how personal data is collected, used, retained, and disposed of, including user consent and the right to withdraw it, data subject rights such as erasure, anonymization, retention limits, and cross-border transfer constraints, often driven by GDPR or CCPA. These are distinct from availability or performance requirements, which concern uptime and speed rather than how personal data is governed.
- During requirements analysis, a developer maps that the application processes cardholder data. Which compliance requirement most directly governs how that data must be protected, and should be captured as a requirements driver?
Correct answer: PCI-DSS
PCI-DSS (Payment Card Industry Data Security Standard) governs the storage, processing, and transmission of cardholder data and should be captured as a compliance driver for the relevant security requirements. HIPAA governs protected health information, SOX addresses financial reporting controls, and FERPA covers student education records, none of which is the primary standard for payment card data.
- A health-records application must enforce safeguards for protected health information. Which compliance regime should requirements analysts cite as the driver for these controls?
- HIPAA
- PCI-DSS
- Gramm-Leach-Bliley Act
- GDPR Article 9 only
Correct answer: HIPAA
HIPAA is the primary U.S. compliance regime governing protected health information and is the correct driver to cite for safeguards on health records, generating requirements for access control, audit logging, and encryption of PHI. Gramm-Leach-Bliley governs financial institutions, PCI-DSS governs payment card data, and while GDPR may apply to EU health data it is not the U.S. PHI regime an analyst would primarily cite here.
- In the requirements phase, why should security requirements be 'flowed down' to third-party suppliers and component providers?
- To ensure suppliers contractually meet the same security requirements the system depends on, closing supply-chain gaps
- To transfer all liability for breaches to the supplier permanently
- To avoid having to test supplier components internally
- To reduce the number of requirements the internal team must document
Correct answer: To ensure suppliers contractually meet the same security requirements the system depends on, closing supply-chain gaps
Flowing security requirements down to suppliers ensures that third parties who provide components or services are contractually bound to meet the same security standards the system relies on, so that a weak supplier does not undermine the overall security posture. Requirements traceability still applies to those external dependencies. It does not absolve the acquiring organization of liability or eliminate the need to validate supplier deliverables.
- A privacy requirement states that analytics data must be processed so that individuals cannot be re-identified even if the dataset is breached. Which technique most directly satisfies this requirement?
- Session timeout
- Data anonymization
- Input validation
- Role-based access control
Correct answer: Data anonymization
Data anonymization most directly satisfies this requirement by irreversibly removing or transforming identifiers so individuals cannot be re-identified from the dataset, reducing privacy risk even if the data is exposed. Role-based access control limits who can access data but does not de-identify it, while input validation and session timeout address injection and session risks rather than re-identification.
- A requirements analyst documents that customer transaction logs must be retained for exactly seven years and then securely destroyed. This is an example of which requirement type?
- A load-balancing requirement
- A non-repudiation functional requirement
- An identity federation requirement
- A data retention requirement within privacy and compliance requirements
Correct answer: A data retention requirement within privacy and compliance requirements
This is a data retention requirement, which falls under privacy and compliance requirements. Retention requirements specify how long data must be kept and when it must be securely destroyed, often driven by regulation or contract, and they shape the data lifecycle controls the software must implement. It is not a non-repudiation, load-balancing, or federation requirement, which address proof of action, traffic distribution, and cross-domain identity respectively.
- For the use case 'customer uploads a profile photo,' which of the following is the best example of a corresponding abuse case that should drive a security requirement?
- Customer uploads a photo larger than the preferred resolution
- System displays the photo on the profile page
- Customer cancels the upload midway
- Attacker uploads a polyglot file that is both a valid image and an executable script to achieve code execution
Correct answer: Attacker uploads a polyglot file that is both a valid image and an executable script to achieve code execution
The strongest abuse case is an attacker uploading a polyglot file that is simultaneously a valid image and a malicious script aiming for code execution, because it is a deliberate hostile scenario that drives concrete requirements like content-type validation, file scanning, and rendering in a non-executable context. A large photo, a canceled upload, or normal display are ordinary or accidental conditions, not adversarial abuse cases.
- A multinational application must avoid transferring EU residents' personal data to jurisdictions lacking adequate protections without a lawful mechanism. Capturing this as a requirement addresses which privacy concern?
- Connection pooling
- Code signing
- Cross-border data flow restrictions
- Two-factor authentication
Correct answer: Cross-border data flow restrictions
This addresses cross-border data flow restrictions, a privacy requirement concerned with where personal data may legally be transferred and stored, including the need for lawful transfer mechanisms when moving EU data to other jurisdictions. It is a data-governance concern rather than an authentication, performance, or integrity control like two-factor authentication, connection pooling, or code signing.
- Which approach best ensures that the security requirements written for an application are complete and verifiable rather than vague aspirations?
- Relying solely on the development team's judgment without documentation
- Writing each requirement to be specific, testable, and traceable, then recording it in the SRTM with a verification method
- Deferring all security requirements until after the code is written
- Stating requirements as broad goals such as 'the system shall be secure'
Correct answer: Writing each requirement to be specific, testable, and traceable, then recording it in the SRTM with a verification method
Security requirements should be specific, testable, and traceable, and recorded in the SRTM with a defined verification method so each can be objectively confirmed. Broad statements like 'the system shall be secure' cannot be tested or traced and provide no assurance. Deferring requirements until after coding or relying on undocumented judgment removes accountability and coverage, which is precisely what the requirements process exists to prevent.
- A team adopts the OWASP Application Security Verification Standard (ASVS) during the requirements phase. What is the primary value of doing so?
- It supplies a catalog of standardized, leveled security requirements the team can select from and verify against
- It provides a runtime web application firewall ruleset
- It replaces the need for any data classification work
- It automatically generates the application's source code
Correct answer: It supplies a catalog of standardized, leveled security requirements the team can select from and verify against
OWASP ASVS provides a catalog of standardized, tiered security verification requirements (across three levels) that teams can use as a source for selecting and defining their own security requirements and later verifying against. Using it as a requirements baseline improves completeness and gives testable criteria. ASVS is a requirements and verification standard, not a WAF ruleset or a code generator, and it does not eliminate organization-specific data classification analysis.
- A requirements reviewer finds that the SRTM lists a requirement 'all admin actions shall be logged for non-repudiation' but no corresponding test case or implementing component is recorded. What is the most appropriate conclusion?
- The requirement is fully satisfied because it is documented
- The traceability gap means the requirement may be unimplemented or unverified and must be resolved before sign-off
- Logging requirements never need test cases
- The requirement should be deleted to keep the matrix clean
Correct answer: The traceability gap means the requirement may be unimplemented or unverified and must be resolved before sign-off
A traceability gap, where a requirement has no linked implementing component or test case, signals that the requirement may be unimplemented or unverified and must be resolved before sign-off. The whole point of the SRTM is to expose such gaps so they are remediated, not hidden. Documenting a requirement does not satisfy it, deleting it would silently drop a needed control, and security-relevant logging requirements do require verification.
- An architect wants a structured way to identify, enumerate, and prioritize threats against a payment service during the design phase, before any code is written. Which activity directly produces this outcome?
- Software composition analysis
- Threat modeling
- Penetration testing
- Fuzz testing
Correct answer: Threat modeling
Threat modeling is the right activity. It is a structured, design-phase process that decomposes the system, identifies potential threats against assets and entry points, ranks them, and maps countermeasures, all before implementation. Penetration testing, SCA, and fuzzing are later, code- or runtime-dependent activities that cannot inform the architecture early enough.
- A team is choosing a threat modeling methodology and wants one that is explicitly attacker-centric, risk-driven, and organized into seven sequential stages from defining business objectives through final risk and impact analysis. Which methodology fits this description?
- PASTA (Process for Attack Simulation and Threat Analysis)
- CVSS
- STRIDE
- DREAD
Correct answer: PASTA (Process for Attack Simulation and Threat Analysis)
PASTA is the methodology described. The Process for Attack Simulation and Threat Analysis is a risk-centric, attacker-focused approach run as seven stages: define objectives, define technical scope, decompose the application, analyze threats, analyze vulnerabilities, analyze attacks, and assess risk and impact. STRIDE is a threat-classification mnemonic, DREAD is a scoring scheme, and CVSS scores known vulnerabilities rather than modeling threats.
- During design analysis an architect builds a diagram whose root node is the attacker's goal of stealing a session token, with child nodes representing the alternative sub-goals and AND/OR steps needed to achieve it. What is this artifact called?
- A data flow diagram
- A sequence diagram
- An entity-relationship diagram
- An attack tree
Correct answer: An attack tree
This is an attack tree. The root node represents the attacker's overall objective and the branches decompose it into the alternative paths and conditions (modeled with AND/OR logic) required to reach that goal, helping the team reason about and prioritize defenses. A data flow diagram models how data moves between processes and stores, not how an attacker reaches a goal.
- A reviewer rates a discovered threat using the criteria Damage, Reproducibility, Exploitability, Affected users, and Discoverability. Which threat modeling aid is being used?
Correct answer: DREAD
These five criteria define DREAD. DREAD is a qualitative rating scheme used to score and rank the severity of threats by Damage, Reproducibility, Exploitability, Affected users, and Discoverability, so teams can prioritize remediation. STRIDE classifies the type of threat but does not rank severity; PASTA is a full seven-stage process.
- On a data flow diagram for a web application, the architect draws a dashed line where unauthenticated internet traffic reaches the application server, and another where the application reaches the database. What do these dashed lines represent?
- Trust boundaries
- Code module dependencies
- Network cable runs
- Performance bottlenecks
Correct answer: Trust boundaries
The dashed lines are trust boundaries. A trust boundary marks the point where data crosses between zones of differing privilege or trust, such as untrusted internet input entering a trusted process. Identifying these crossings is critical because each one is where validation, authentication, and authorization controls must be enforced.
- A developer asks how STRIDE and DREAD relate when used together in a threat model. Which statement correctly distinguishes their roles?
- STRIDE identifies and categorizes threats while DREAD rates and ranks their severity
- Both are scoring systems that produce a single numeric risk value
- STRIDE is for networks and DREAD is for databases
- STRIDE encrypts data while DREAD signs it
Correct answer: STRIDE identifies and categorizes threats while DREAD rates and ranks their severity
The correct distinction is that STRIDE identifies and classifies threats while DREAD rates and ranks them. STRIDE is a mnemonic that surfaces categories of threats (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege); DREAD then scores each identified threat by Damage, Reproducibility, Exploitability, Affected users, and Discoverability so they can be prioritized. They are commonly paired, not interchangeable.
- Which threat in the STRIDE model maps directly to a violation of the authorization property, in which a low-privilege component gains rights it should not have?
- Spoofing
- Information disclosure
- Elevation of privilege
- Repudiation
Correct answer: Elevation of privilege
Elevation of privilege is the STRIDE threat that violates authorization. STRIDE pairs each threat with the security property it breaks: Spoofing breaks authentication, Tampering breaks integrity, Repudiation breaks non-repudiation, Information disclosure breaks confidentiality, Denial of service breaks availability, and Elevation of privilege breaks authorization.
- Before threat enumeration begins, an architect catalogs every entry point, exit point, interface, protocol, and externally reachable feature of the application to understand where an attacker could interact with it. This activity is best described as:
- Static code analysis
- Regression testing
- Capacity planning
- Attack surface analysis
Correct answer: Attack surface analysis
This is attack surface analysis. It systematically maps all points where untrusted actors can supply input or receive output, including network ports, APIs, file uploads, and UI fields, so the team understands and can minimize the reachable area an attacker could exploit. Reducing the attack surface is a core design-phase risk reduction technique.
- A team adopts a data flow diagram as the foundation of its threat model. What is the primary security value of building the DFD first?
- It replaces the need for access control entirely
- It automatically generates unit tests for each function
- It measures runtime CPU and memory usage
- It reveals how data moves between processes, stores, and external entities so threats can be analyzed at each trust boundary crossing
Correct answer: It reveals how data moves between processes, stores, and external entities so threats can be analyzed at each trust boundary crossing
The DFD's value is that it reveals how data moves between processes, data stores, and external entities, exposing exactly where data crosses trust boundaries. Threats are then enumerated at each crossing and element, which is why DFD-based decomposition is the backbone of STRIDE-style threat modeling. It does not measure performance or replace controls.
- An architect needs to choose a threat modeling methodology. Which of the following correctly describes a defining trait of each option commonly compared?
- PASTA categorizes threats into six fixed letters and assigns no risk score
- STRIDE is a threat-classification mnemonic, PASTA is a risk-centric seven-stage process, and DREAD is a severity-rating scheme
- STRIDE is attacker-centric and runs seven stages
- DREAD decomposes attacker goals into a tree of sub-goals
Correct answer: STRIDE is a threat-classification mnemonic, PASTA is a risk-centric seven-stage process, and DREAD is a severity-rating scheme
The accurate statement is that STRIDE is a threat-classification mnemonic, PASTA is a risk-centric seven-stage process, and DREAD is a severity-rating scheme. STRIDE labels the kind of threat, PASTA drives an end-to-end attacker simulation across seven stages, and DREAD scores severity. Conflating these (for example calling STRIDE attacker-centric and seven-stage) is a common mistake.
- After the design is documented, a structured walkthrough is held to confirm the architecture satisfies the security requirements, that all identified threats have mitigations, and that secure design principles were applied. What is this activity?
- A penetration test
- A user acceptance test
- A retrospective on sprint velocity
- A security design review
Correct answer: A security design review
This is a security design review (also called a secure architecture review). Conducted during design, it validates that the architecture meets the security requirements, that every threat from the threat model has an addressed mitigation, and that principles such as least privilege and defense in depth are reflected. Catching design flaws here is far cheaper than after implementation.
- A risk function asks the development team to evaluate the likelihood and business impact of threats to a specific application's architecture, given its assets, exposures, and existing controls, to drive design decisions. This evaluation is best termed:
- A license compliance audit
- An architectural risk assessment
- A code coverage report
- A load test
Correct answer: An architectural risk assessment
This is an architectural risk assessment. It analyzes the application's architecture, its assets and exposures, the threats against them, and the effectiveness of existing or planned controls, producing a risk-prioritized view that guides design and mitigation decisions. It is broader than a single threat model artifact and ties technical risk to business impact.
- Which statement best captures why secure software architecture and design matters as a discipline in the secure development lifecycle?
- It builds security properties into the structure of the system early, where flaws are cheapest to prevent and remediation of architectural defects is hardest later
- It is a substitute for writing any tests
- It is solely about choosing a faster programming language
- It only matters after a product ships
Correct answer: It builds security properties into the structure of the system early, where flaws are cheapest to prevent and remediation of architectural defects is hardest later
Secure software architecture and design matters because it builds security into the system's structure early, when design flaws are cheapest to prevent. Architectural defects discovered after implementation are among the most expensive to fix because they often require rework across many components, which is why threat modeling and design review happen before coding.
- An architect wants to reuse proven, reusable solutions that embed security into the structure of the design, such as a single component that mediates all access decisions or a wrapper that validates all incoming requests. These reusable solutions are known as:
- Secure design patterns
- Build scripts
- Anti-patterns
- Linter rules
Correct answer: Secure design patterns
These are secure design patterns. They are reusable, proven structural solutions, such as a reference monitor that mediates every access, an input-validation wrapper, or a secure factory, that embed security into the design rather than bolting it on. Anti-patterns are the opposite: recurring designs that introduce weakness.
- In a STRIDE analysis of a logging subsystem, the team is most concerned that a malicious user could later deny having performed a fraudulent transaction. Which STRIDE category and mitigation property is this?
- Repudiation, mitigated by non-repudiation controls such as secure audit logging and signatures
- Spoofing, mitigated by authentication
- Denial of service, mitigated by availability controls
- Tampering, mitigated by integrity controls
Correct answer: Repudiation, mitigated by non-repudiation controls such as secure audit logging and signatures
This is the Repudiation category, mitigated by non-repudiation controls such as tamper-evident audit logs, timestamps, and digital signatures. STRIDE maps Repudiation to the non-repudiation property; strong logging and signing ensure a user cannot credibly deny an action they took. Tampering concerns altering data integrity, which is a different STRIDE threat.
- An architect designs a system so that one centralized component evaluates every access request against policy and cannot be bypassed, ensuring complete mediation. Which design construct does this describe?
- A reference monitor
- A message queue
- A build pipeline
- A content delivery network
Correct answer: A reference monitor
This describes a reference monitor. A reference monitor is the abstract design construct that mediates all access to objects, is tamper-resistant, always invoked (complete mediation), and small enough to be verified. Centralizing authorization this way ensures consistent, unbypassable enforcement rather than scattering checks across the codebase.
- When applying defense in depth at the architecture level for a sensitive application, which design choice best embodies the principle?
- Hiding the server's IP address as the primary defense
- Relying on a single web application firewall as the only control
- Layering independent controls such as network segmentation, authentication, input validation, and encryption so failure of one does not collapse all protection
- Encrypting data once and removing all other controls
Correct answer: Layering independent controls such as network segmentation, authentication, input validation, and encryption so failure of one does not collapse all protection
Defense in depth at the architecture level means layering independent controls such as segmentation, authentication, input validation, and encryption so that the failure or bypass of one layer does not expose the system. Relying on a single control or on obscurity violates the principle, because one failure would leave the system fully exposed.
- A threat model for a multi-tenant SaaS platform identifies that one tenant might read another tenant's data through a shared cache key. Within STRIDE, which threat category does this represent?
- Information disclosure
- Spoofing
- Repudiation
- Denial of service
Correct answer: Information disclosure
Cross-tenant data leakage through a shared cache key is Information disclosure, which violates confidentiality in STRIDE. The mitigation is a design that isolates tenant data, for example by namespacing cache keys per tenant and enforcing authorization on retrieval. It is not a spoofing or denial-of-service concern because no identity is forged and availability is not the target.
- An architect must decide where in the lifecycle to perform threat modeling for maximum value. What is the best answer and why?
- After deployment, because real traffic is available
- During requirements and design, because identified threats can shape the architecture and controls before code exists
- Only during incident response
- Never, if developers follow coding standards
Correct answer: During requirements and design, because identified threats can shape the architecture and controls before code exists
Threat modeling delivers the most value during requirements and design, because the threats it surfaces can directly shape the architecture, trust boundaries, and controls before any code is committed. Waiting until after deployment forces expensive rework of structural decisions. Threat modeling should also be revisited when the design changes materially.
- A team comparing STRIDE and PASTA wants to know the fundamental philosophical difference between them. Which statement is accurate?
- PASTA only labels six threat types and STRIDE runs seven stages
- STRIDE and PASTA are identical and produce the same artifacts
- Both ignore business objectives entirely
- STRIDE is a system-and-property-centric classification of threat types, while PASTA is an attacker- and risk-centric process that simulates attacks across business and technical context
Correct answer: STRIDE is a system-and-property-centric classification of threat types, while PASTA is an attacker- and risk-centric process that simulates attacks across business and technical context
The accurate statement is that STRIDE is a system- and property-centric classification of threat types, while PASTA is an attacker- and risk-centric process that simulates attacks within business and technical context. STRIDE asks what categories of threat apply to each element; PASTA runs a seven-stage simulation that starts from business objectives and ends in risk and impact analysis, often using attack trees.
- To reduce the attack surface of a microservice during design, which decision is most aligned with the principle?
- Exposing every internal function as a public REST endpoint for flexibility
- Enabling verbose debug interfaces in production
- Allowing the service to accept connections from any network by default
- Disabling and removing unused endpoints, protocols, and default features so fewer entry points are reachable
Correct answer: Disabling and removing unused endpoints, protocols, and default features so fewer entry points are reachable
Disabling and removing unused endpoints, protocols, and default features reduces the attack surface, because every reachable interface is a potential entry point an attacker can probe. Exposing all internal functions, enabling debug interfaces, or accepting connections from anywhere all enlarge the attack surface and contradict the principle.
- An architect models an attacker's goal of exfiltrating a database backup. The leaf nodes of the diagram show alternatives like 'steal cloud storage credentials' OR 'exploit a misconfigured bucket' OR 'compromise the backup admin's laptop.' What does this OR structure communicate?
- The diagram is a data flow diagram
- All listed steps must occur together for the attack to succeed
- Any one of the alternative leaf paths is sufficient to achieve the parent goal
- The nodes represent database tables
Correct answer: Any one of the alternative leaf paths is sufficient to achieve the parent goal
In an attack tree, an OR relationship means any one of the alternative child paths is sufficient to achieve the parent goal, whereas an AND relationship would require all children. Modeling these alternatives helps the team see the cheapest or most likely attack paths and prioritize defenses against them. AND nodes, by contrast, require every sub-step.
- While performing an architectural risk assessment, the team weights each identified threat by likelihood and business impact and ranks them to decide which mitigations to fund first. What is the main benefit of this ranking step?
- It removes the need for any controls
- It lets limited resources be directed to the highest-risk design weaknesses first rather than treating all threats equally
- It guarantees zero vulnerabilities
- It measures application response time
Correct answer: It lets limited resources be directed to the highest-risk design weaknesses first rather than treating all threats equally
Ranking threats by likelihood and impact lets limited resources address the highest-risk design weaknesses first rather than treating all threats as equal. Risk-based prioritization is the core value of an architectural risk assessment, ensuring the most consequential issues are mitigated before lower-priority ones. It cannot guarantee zero vulnerabilities or replace controls.
- During a security design review of a banking API, reviewers find that sensitive funds-transfer logic trusts a user-supplied account role claim without server-side verification. Which secure design principle was most clearly violated?
- Never trust the client, enforced via server-side authorization and complete mediation
- Open design
- Psychological acceptability
- Economy of mechanism
Correct answer: Never trust the client, enforced via server-side authorization and complete mediation
The violated principle is never trust the client, enforced through server-side authorization and complete mediation. A client-supplied role claim can be forged, so the server must independently verify authorization on every sensitive request. Economy of mechanism (simplicity), psychological acceptability (usability), and open design (no security through obscurity) are valid principles but are not the issue here.
- An architect wants to isolate the blast radius of a compromise so that breaching one tier does not grant direct access to the data tier. Which design pattern best achieves this at the architecture level?
- Tiered network segmentation with enforced trust boundaries and least-privilege access between zones
- Shared admin credentials across all tiers
- A flat, fully-trusted internal network
- Disabling logging between tiers
Correct answer: Tiered network segmentation with enforced trust boundaries and least-privilege access between zones
Tiered network segmentation with enforced trust boundaries and least-privilege access between zones best isolates a compromise. By placing the web, application, and data tiers in separate segments and tightly controlling traffic across each trust boundary, a breach of one tier does not automatically reach the data tier. A flat trusted network or shared credentials would let an attacker move laterally with ease.
- A threat model identifies that an attacker could flood a stateless authentication endpoint with requests to exhaust resources and make the service unavailable. Which STRIDE category is this, and what design mitigation is most appropriate?
- Tampering, mitigated by hashing passwords
- Denial of service, mitigated by rate limiting, throttling, and resource quotas
- Information disclosure, mitigated by TLS
- Spoofing, mitigated by output encoding
Correct answer: Denial of service, mitigated by rate limiting, throttling, and resource quotas
Flooding an endpoint to exhaust resources is a Denial of service threat in STRIDE, mitigated at the design level by rate limiting, throttling, quotas, and scalable or load-shedding architecture. Denial of service violates the availability property. Output encoding addresses cross-site scripting, password hashing addresses credential storage, and TLS addresses confidentiality in transit, none of which fix resource exhaustion.
- An architect documents the completed threat model. Which combination of elements should a thorough threat model contain?
- Assets and trust levels, entry and exit points, a data flow diagram, identified threats with rankings, and mapped countermeasures
- Only the marketing requirements and UI color palette
- Only the final test pass rate
- Only a list of programming languages used
Correct answer: Assets and trust levels, entry and exit points, a data flow diagram, identified threats with rankings, and mapped countermeasures
A thorough threat model documents assets and trust levels, entry and exit points, a data flow diagram, the identified threats with their rankings, and the countermeasures mapped to each threat. This package lets reviewers verify that every meaningful threat at every trust boundary has an addressed mitigation. A language list, UI palette, or test pass rate alone does not constitute a threat model.
- A developer must build a query that filters customer records by an account number supplied through a web form. Which implementation technique most directly prevents SQL injection by ensuring the supplied value is always treated as data and never as executable SQL?
- Wrapping the database call in a try/catch block that suppresses SQL errors
- Using a parameterized query (prepared statement) with a bound parameter for the account number
- Applying a denylist that strips the words SELECT, DROP, and UNION from the input
- Concatenating the value into the query after escaping single quotes
Correct answer: Using a parameterized query (prepared statement) with a bound parameter for the account number
Using a parameterized query (prepared statement) with a bound parameter is the correct technique. Prepared statements send the SQL template and the user-supplied value to the database separately, so the value is parsed strictly as data and can never alter the query structure. OWASP names parameterized queries the primary defense against injection; manual escaping and keyword denylists are error-prone bypassable secondary measures, and suppressing SQL errors hides the problem without preventing it.
- A web application reflects a user-supplied search term back into an HTML page. Which secure coding control most directly prevents cross-site scripting (XSS) when the term is rendered in the HTML body?
- Validating that the term is shorter than 200 characters
- Context-aware output encoding of the term for the HTML body context before rendering
- Storing the term in a server-side session variable
- Setting the HttpOnly flag on the session cookie
Correct answer: Context-aware output encoding of the term for the HTML body context before rendering
Context-aware output encoding for the HTML body context is the correct control. Encoding converts characters such as < > & into their HTML entity equivalents so the browser renders them as literal text rather than executable markup, which is OWASP's primary defense against reflected and stored XSS. Length validation does not neutralize a script payload, HttpOnly only limits cookie theft after a successful XSS, and session storage does not affect how the value is rendered.
- Output encoding is described as context-sensitive in secure coding guidance. What does context-sensitive encoding mean in practice?
- The encoding used must match the location where data is placed, such as HTML body, HTML attribute, JavaScript, or URL
- Encoding is only required for data retrieved from a database, not from user input
- Data is encoded once at input time and never re-encoded on output
- The same encoding routine is applied uniformly to all output regardless of destination
Correct answer: The encoding used must match the location where data is placed, such as HTML body, HTML attribute, JavaScript, or URL
Context-sensitive encoding means the encoding must match the destination where data is placed, such as HTML body, HTML attribute, JavaScript, CSS, or URL context. Each context has different characters that are dangerous and different escaping rules, so a single uniform routine cannot safely cover all of them. Encoding belongs at output time for the specific sink, and it applies to any untrusted data regardless of whether it came from a user or a datastore.
- What is the most important secure coding principle distinguishing input validation from output encoding?
- Input validation should only be done on the client side for performance reasons
- Input validation checks data as it enters the system, while output encoding renders data safely for a specific sink, and both are needed
- Output encoding can be skipped if strong input validation is performed
- Input validation and output encoding are interchangeable defenses that solve the same problem
Correct answer: Input validation checks data as it enters the system, while output encoding renders data safely for a specific sink, and both are needed
Input validation checks data as it enters the system while output encoding renders data safely for a specific sink, and both are needed as complementary defenses. Validation constrains what data the application accepts; encoding ensures data is safely interpreted wherever it is later used. They are not interchangeable, encoding cannot be skipped because valid data can still be dangerous in a given context, and validation must be enforced server-side because client checks can be bypassed.
- A secure coding standard requires input validation to follow an allowlist approach. What does allowlist (positive) input validation specify?
- A list of known-bad characters and patterns that the application rejects
- An explicit definition of exactly what is acceptable, rejecting anything that does not match
- A maximum length applied to every field regardless of its meaning
- A requirement that all input be encrypted before validation
Correct answer: An explicit definition of exactly what is acceptable, rejecting anything that does not match
Allowlist validation defines exactly what is acceptable and rejects anything that does not match. Because it enumerates known-good values, formats, or character ranges, it is far more robust than denylisting, which tries to enumerate known-bad input and is routinely bypassed by encodings and edge cases the list missed. Length limits and encryption are useful but are not what allowlist validation means.
- A C program copies an attacker-controlled string into a fixed 64-byte stack array using strcpy without checking the source length. Which class of vulnerability does this create, and what is the underlying weakness?
- An integer overflow caused by exceeding the maximum value of a counter
- A buffer overflow caused by writing past the bounds of the allocated memory
- A format string vulnerability caused by an untrusted format specifier
- A race condition caused by unsynchronized thread access
Correct answer: A buffer overflow caused by writing past the bounds of the allocated memory
This creates a buffer overflow caused by writing past the bounds of the allocated memory. strcpy copies until a null terminator with no bounds check, so a source longer than 64 bytes overwrites adjacent stack memory, potentially corrupting the return address and enabling code execution. Using a bounded function such as strncpy or strlcpy with explicit size limits is the secure-coding remedy; the other named weaknesses involve different mechanisms.
- Which set of compiler and runtime defenses is most directly aimed at mitigating the exploitation of buffer overflow vulnerabilities in compiled code?
- Content Security Policy, SameSite cookies, and HSTS headers
- Database connection pooling, query caching, and read replicas
- Stack canaries, non-executable memory (DEP/NX), and address space layout randomization (ASLR)
- Code signing, certificate pinning, and OCSP stapling
Correct answer: Stack canaries, non-executable memory (DEP/NX), and address space layout randomization (ASLR)
Stack canaries, non-executable memory (DEP/NX), and address space layout randomization (ASLR) are the defenses aimed at buffer overflow exploitation. Canaries detect stack corruption before a function returns, NX/DEP prevents execution of injected data, and ASLR randomizes memory layout to defeat hardcoded payload addresses. The other groupings address web headers, database scaling, and supply-chain trust rather than memory-corruption exploitation.
- During secure implementation, a team must select a Static Application Security Testing (SAST) tool. What does SAST analyze and when is it typically run?
- Network traffic between the client and server during integration testing
- A running application from the outside, sending crafted requests during dynamic test execution
- Application source code, bytecode, or binaries without executing the program, early in development
- Only third-party open-source dependencies for known CVEs
Correct answer: Application source code, bytecode, or binaries without executing the program, early in development
SAST analyzes application source code, bytecode, or binaries without executing the program, and it runs early in development. Because it inspects code structure directly, SAST (also called static analysis security testing) can flag issues such as injection patterns and unsafe API use before the application is built or deployed, enabling fixes when they are cheapest. Testing a running application is DAST, and scanning dependencies for known CVEs is software composition analysis.
- A SAST scan reports 400 potential findings, but a security engineer confirms that 250 of them do not represent real exploitable issues. What is the term for these results, and what implementation practice reduces them over time?
- True positives, reduced by deleting the affected code
- False positives, reduced by tuning rules and triaging findings against the codebase
- Coverage gaps, reduced by increasing test data volume
- False negatives, reduced by lowering the scanner sensitivity
Correct answer: False positives, reduced by tuning rules and triaging findings against the codebase
These are false positives, reduced by tuning scanner rules and triaging findings against the actual codebase. A false positive is a reported issue that is not actually exploitable; high false-positive rates erode developer trust, so secure-coding programs tune rulesets, suppress validated non-issues, and integrate context to keep noise manageable. False negatives are missed real vulnerabilities, which is the opposite problem.
- A development team adds open-source libraries to an application and wants to detect dependencies with known vulnerabilities and license risks. Which tool category addresses this need?
- Runtime application self-protection (RASP)
- Software Composition Analysis (SCA)
- Interactive Application Security Testing (IAST)
- Web application firewall (WAF)
Correct answer: Software Composition Analysis (SCA)
Software Composition Analysis (SCA) addresses this need. SCA tools inventory third-party and open-source components, compare them against vulnerability databases such as the NVD, and surface known CVEs and license obligations so teams can patch or replace risky dependencies. A WAF filters runtime traffic, IAST observes running code during tests, and RASP defends at runtime; none of these inventory the dependency graph the way SCA does.
- Why has Software Composition Analysis become a core secure-implementation control, reflected by Software Supply Chain Failures rising to A03 in the OWASP Top 10:2025?
- Open-source code is exempt from vulnerability disclosure requirements
- Modern applications are largely assembled from third-party and open-source components that carry inherited risk
- Compiled languages cannot contain dependency vulnerabilities
- SCA replaces the need for any first-party secure coding practices
Correct answer: Modern applications are largely assembled from third-party and open-source components that carry inherited risk
Modern applications are largely assembled from third-party and open-source components that carry inherited risk, which is why SCA is now a core control and why Software Supply Chain Failures rose to A03 in the OWASP Top 10:2025. A single vulnerable transitive dependency can compromise an otherwise secure application, so inventorying and monitoring components (often via an SBOM) is essential. SCA complements rather than replaces first-party secure coding, and dependency risk affects compiled and interpreted languages alike.
- In secure code review, what advantage does manual peer review provide over relying solely on automated static analysis?
- It guarantees zero false positives in every finding
- It can identify business-logic and authorization flaws that automated tools struggle to detect
- It runs faster than automated scanning on large codebases
- It eliminates the need for any compiler warnings to be addressed
Correct answer: It can identify business-logic and authorization flaws that automated tools struggle to detect
Manual peer code review can identify business-logic and authorization flaws that automated tools struggle to detect. Tools excel at pattern-based defects but lack understanding of intended application behavior, so a reviewer reasoning about access control, workflow ordering, and trust boundaries catches issues a scanner misses. Manual review is slower, not faster, and does not eliminate compiler-warning work or guarantee perfect accuracy; the two approaches are complementary.
- A secure development standard mandates a security-focused code review before merging. Which practice most improves the effectiveness of these reviews?
- Allowing the original author to approve their own changes to save time
- Using a security checklist tied to known weakness categories such as the CWE list and OWASP risks
- Reviewing only files that changed in the largest commits
- Reviewing code only after it has been deployed to production
Correct answer: Using a security checklist tied to known weakness categories such as the CWE list and OWASP risks
Using a security checklist tied to known weakness categories such as the CWE list and OWASP risks most improves review effectiveness. A structured checklist ensures reviewers consistently examine injection, access control, error handling, and cryptography rather than relying on ad hoc inspection. Author self-approval removes independent scrutiny, reviewing only large commits leaves gaps, and post-deployment review forfeits the chance to stop defects before release.
- The Common Weakness Enumeration (CWE) is frequently referenced during secure implementation. What is CWE?
- A community-developed catalog of software and hardware weakness types and their root causes
- A list of specific, publicly disclosed vulnerability instances in named products
- A scoring system that rates the exploitability of a single vulnerability
- A regulatory standard mandating encryption key lengths
Correct answer: A community-developed catalog of software and hardware weakness types and their root causes
CWE is a community-developed catalog of software and hardware weakness types and their root causes. It classifies categories such as CWE-89 (SQL injection) and CWE-79 (cross-site scripting), giving developers a shared taxonomy to discuss and prevent flaws. Specific disclosed instances are CVEs, not CWEs; encryption mandates come from other standards; and per-vulnerability exploitability scoring is the role of CVSS.
- A team wants to prioritize secure coding effort against the most prevalent dangerous flaws. Which resource pairs a weakness taxonomy with prevalence data to produce a ranked list of the most dangerous software weaknesses?
- The NIST National Vulnerability Database CVE feed
- The CWE Top 25 Most Dangerous Software Weaknesses
- The ISO 27001 Annex A control catalog
- The CIS Critical Security Controls
Correct answer: The CWE Top 25 Most Dangerous Software Weaknesses
The CWE Top 25 Most Dangerous Software Weaknesses pairs the CWE taxonomy with prevalence and severity data to rank the most impactful weakness types. It helps teams focus secure-coding and review effort on the flaws most likely to cause real damage, such as out-of-bounds writes, XSS, and SQL injection. The NVD lists individual CVEs, while ISO 27001 and the CIS Controls are broader control frameworks, not code-weakness rankings.
- As of June 2026, which category newly entered the OWASP Top 10:2025 to reflect risk introduced through compromised or vulnerable third-party components and build pipelines?
- Server-Side Request Forgery
- Software Supply Chain Failures
- Insufficient Logging and Monitoring
- Cross-Site Request Forgery
Correct answer: Software Supply Chain Failures
Software Supply Chain Failures is the category that newly entered the OWASP Top 10:2025, sitting at A03. It captures risk from compromised or vulnerable third-party libraries, build tooling, and distribution pipelines, expanding on the earlier vulnerable-components and integrity concerns. This addition is what drives the emphasis on SCA, SBOMs, and dependency verification in secure implementation.
- In the OWASP Top 10:2025, the Injection category includes which of the following weakness types?
- Only classic SQL injection against relational databases
- Only misconfigured cloud storage permissions
- SQL injection, command injection, LDAP injection, and cross-site scripting
- Only memory-corruption flaws such as buffer overflows
Correct answer: SQL injection, command injection, LDAP injection, and cross-site scripting
In the OWASP Top 10:2025, the Injection category (A05) covers SQL injection, command injection, LDAP injection, and cross-site scripting (XSS), because XSS was folded into Injection starting with the 2021 edition. The common root cause is untrusted data being interpreted as a command or query, so the unifying defenses are parameterization, safe APIs, and context-aware output encoding. Memory corruption and cloud misconfiguration fall under different categories.
- A secure coding standard requires that user input used to build an operating-system command be handled safely. Which approach best prevents OS command injection?
- Logging the command before executing it for auditability
- Avoiding shell invocation and using parameterized APIs that pass arguments as a separate array, with allowlist validation
- Running the command under a different user account
- Passing the full command line as a single string to a shell interpreter after escaping spaces
Correct answer: Avoiding shell invocation and using parameterized APIs that pass arguments as a separate array, with allowlist validation
Avoiding shell invocation and using parameterized APIs that pass arguments as a separate argument array, combined with allowlist validation of any user-controlled values, best prevents OS command injection. Keeping arguments separate from the command prevents shell metacharacters from being interpreted. Building a single shell string is dangerous even with escaping, changing the run-as account limits blast radius but does not stop injection, and logging records the attack without preventing it.
- A developer adopts an established secure coding standard to guide implementation. What is the primary benefit of following a recognized secure coding standard such as the OWASP guidance or a language-specific CERT standard?
- It allows the team to skip code review for standard-compliant code
- It removes the need for security testing later in the lifecycle
- It guarantees the application will pass any compliance audit automatically
- It provides consistent, vetted rules so developers avoid known dangerous constructs and patterns
Correct answer: It provides consistent, vetted rules so developers avoid known dangerous constructs and patterns
A recognized secure coding standard provides consistent, vetted rules so developers avoid known dangerous constructs and patterns. Standards encode hard-won lessons (for example, mandating parameterized queries, safe string functions, and proper error handling), reducing variance across a team and preventing recurring classes of defects. Standards complement rather than replace testing and code review, and following them does not by itself guarantee audit success.
- A secure coding guideline requires that error and exception handling never expose internal details to end users. Which implementation correctly applies this principle?
- Logging detailed error information server-side while returning a generic, non-revealing message to the user
- Catching exceptions and silently continuing execution without recording anything
- Returning the full stack trace and SQL error to the client for easier debugging
- Disabling all logging so that no sensitive data is ever recorded
Correct answer: Logging detailed error information server-side while returning a generic, non-revealing message to the user
Logging detailed error information server-side while returning a generic, non-revealing message to the user correctly applies the principle. Detailed internals such as stack traces, SQL fragments, or file paths aid attackers in reconnaissance, so they belong in protected server logs, not client responses. Returning full traces leaks information, disabling logging destroys the audit trail, and silently swallowing exceptions can mask security-relevant failures.
- During secure implementation, why should a development team enable compiler warnings at a high level and treat security-relevant warnings as errors?
- Compiler warnings surface coding defects such as implicit conversions and unsafe function use that can lead to vulnerabilities
- Treating warnings as errors disables all optimization for safety
- Higher warning levels make the compiled binary run faster
- Warnings are only cosmetic and have no security relevance
Correct answer: Compiler warnings surface coding defects such as implicit conversions and unsafe function use that can lead to vulnerabilities
Enabling high warning levels matters because compiler warnings surface coding defects such as implicit conversions, format-string issues, and unsafe function use that can lead to vulnerabilities. Treating security-relevant warnings as errors forces developers to resolve them before the build succeeds, catching weaknesses at compile time. Warning levels do not affect runtime speed, are far from cosmetic, and do not inherently disable optimization.
- A secure coding standard distinguishes declarative from programmatic (imperative) security. Which statement accurately describes declarative security?
- Security controls such as roles and access rules are defined externally in configuration or metadata rather than in code
- Security behavior is written inline within application methods using explicit code checks
- It is a synonym for runtime self-defense added after deployment
- It refers to security implemented only at the database tier
Correct answer: Security controls such as roles and access rules are defined externally in configuration or metadata rather than in code
Declarative security defines controls such as roles, access rules, and transport requirements externally in configuration or container/metadata rather than embedding them in application code. This separates security policy from business logic, making it easier for administrators to review and change without recompiling. Programmatic (imperative) security, by contrast, places explicit checks inline within the code, which offers finer granularity at the cost of maintainability.
- A developer must implement secure handling of a numeric quantity field that is later used to size a memory allocation. Which concern is most important to address in the implementation?
- Logging every value the field receives
- Ensuring the field is encrypted at rest
- Storing the value as a string to avoid numeric errors
- Validating bounds and guarding against integer overflow before the value is used in allocation or indexing
Correct answer: Validating bounds and guarding against integer overflow before the value is used in allocation or indexing
Validating bounds and guarding against integer overflow before the value is used in allocation or indexing is the most important concern. An attacker-controlled number that overflows can wrap to a small or negative value, leading to undersized buffers and subsequent memory corruption (a classic integer-overflow-to-buffer-overflow chain, CWE-190). Encryption, string storage, and logging do not address the arithmetic-bounds risk that drives the vulnerability.
- A web application accepts a file path fragment from users to retrieve documents. Which secure implementation control most directly prevents path traversal (directory traversal) attacks?
- Returning a 404 status for any request that fails
- Canonicalizing the resolved path and confirming it stays within an allowed base directory, plus allowlist validation of the filename
- Compressing the response to reduce information exposure
- Encrypting the file contents before returning them
Correct answer: Canonicalizing the resolved path and confirming it stays within an allowed base directory, plus allowlist validation of the filename
Canonicalizing the resolved path and confirming it remains within an allowed base directory, combined with allowlist validation of the filename, most directly prevents path traversal. Sequences such as ../ can escape the intended directory, so the application must resolve the canonical path and reject anything outside the permitted root rather than trusting the raw input. Encryption, status codes, and compression do not constrain which file is accessed.
- A secure coding standard requires that secrets such as API keys and database passwords not be embedded in source code. What is the correct secure implementation practice?
- Commit secrets to a private repository branch that only senior developers can read
- Store secrets outside the codebase in a secrets manager or protected configuration, injected at runtime
- Encrypt the secrets with a key that is also stored in the same source file
- Hard-code the secrets but obfuscate them with base64 encoding
Correct answer: Store secrets outside the codebase in a secrets manager or protected configuration, injected at runtime
Storing secrets outside the codebase in a secrets manager or protected configuration and injecting them at runtime is the correct practice. Hard-coded credentials (CWE-798) end up in version history, build artifacts, and backups where they are easily harvested, regardless of base64 or private-branch placement. Encrypting a secret with a key kept in the same file provides no real protection because the key travels with the ciphertext.
- A development team wants a security testing tool that instruments the running application from inside the application server, so it observes actual code execution paths while real or simulated traffic exercises the app. Which testing approach is described?
- Software Composition Analysis (SCA)
- Static Application Security Testing (SAST)
- Interactive Application Security Testing (IAST)
- Black-box fuzzing
Correct answer: Interactive Application Security Testing (IAST)
Interactive Application Security Testing (IAST) places agents or instrumentation inside the running application so it correlates runtime behavior with the underlying code as traffic exercises the app, giving it both runtime context and code-level precision with lower false positives. SAST analyzes code without executing it, and SCA inspects third-party and open-source components for known vulnerabilities rather than instrumenting execution.
- A team relies almost entirely on its own source code scanner but ships products built on many open-source libraries. After a widely publicized flaw in a popular logging library, leadership asks which testing capability would have flagged the vulnerable dependency. Which is the best answer?
- Stress testing
- Software Composition Analysis (SCA)
- Fuzz testing
- Dynamic Application Security Testing (DAST)
Correct answer: Software Composition Analysis (SCA)
Software Composition Analysis (SCA) inventories third-party and open-source components and matches them against known-vulnerability databases, so it would have flagged the vulnerable logging library by version. Source-code SAST scanners focus on the team's own proprietary code, and DAST or fuzzing probe runtime behavior rather than enumerating dependency versions.
- During test planning a CSSLP asks whether the testers will have access to source code, architecture diagrams, and credentials. The engagement is configured so testers receive full internal knowledge of the application. Which test configuration is this?
- Acceptance testing
- White-box testing
- Gray-box testing
- Black-box testing
Correct answer: White-box testing
White-box testing gives testers full internal knowledge such as source code, design documents, and credentials, enabling thorough coverage of internal logic and paths. Black-box testing provides no internal knowledge and gray-box provides partial knowledge, while acceptance testing validates that the software meets agreed requirements rather than describing the tester's level of knowledge.
- A security tester is given only the public URL of a web application, with no credentials, source code, or design documentation, and is asked to find vulnerabilities the way an external attacker would. Which testing configuration most closely matches this scenario?
- Gray-box testing
- Black-box testing
- Regression testing
- White-box testing
Correct answer: Black-box testing
Black-box testing provides the tester no internal knowledge, so it mirrors an external attacker probing the application's exposed surface only. White-box supplies full internal artifacts and gray-box supplies partial knowledge such as limited credentials, whereas regression testing re-runs prior tests to confirm fixes have not been undone.
- A team distinguishes test categories by what they verify: some confirm the application performs its intended functions, while others confirm qualities like performance, scalability, and resilience. Into which category does load and stress testing of a web service primarily fall?
- Functional testing
- Unit testing
- Acceptance testing
- Non-functional testing
Correct answer: Non-functional testing
Non-functional testing evaluates qualities such as performance, scalability, reliability, and resilience rather than specific features, so load and stress testing belong here. Functional testing confirms that features behave per requirements, unit testing isolates individual components, and acceptance testing confirms the product satisfies the customer's agreed criteria.
- A CSSLP is documenting the difference between three terms for a defect-tracking standard. The team needs to label a coding mistake that, when reachable and exploitable by an attacker, lets them violate the security policy. Which term applies to that specific exploitable weakness?
- Vulnerability
- Error
- Failure
- Defect
Correct answer: Vulnerability
A vulnerability is a weakness that an attacker can exploit to violate the security policy, distinguishing it from a generic defect (any flaw in the software) or an error (a human mistake that introduces a defect). A failure is the observable deviation from expected behavior when a defect is triggered, which is the symptom rather than the exploitable weakness itself.
- To ensure security requirements are actually tested, an architect asks the test team to derive scenarios from how an attacker would intentionally try to break or abuse each feature, not just how a legitimate user would use it. What kind of test cases are being requested?
- Boundary value tests
- Compatibility tests
- Smoke tests
- Misuse and abuse case tests
Correct answer: Misuse and abuse case tests
Misuse and abuse case tests are derived from adversarial scenarios that model how an attacker would deliberately misuse or attack a feature, directly exercising negative security requirements. Boundary value tests focus on input edges, smoke tests confirm basic build sanity, and compatibility tests check behavior across platforms rather than adversarial behavior.
- A team is choosing a security testing methodology that provides a structured, repeatable framework for measuring the operational security of systems and is organized around channels such as human, physical, wireless, telecommunications, and data networks. Which methodology best fits?
- ISO 9001 quality management
- OWASP Mobile Top 10
- Open Source Security Testing Methodology Manual (OSSTMM)
- NIST Cybersecurity Framework Profiles
Correct answer: Open Source Security Testing Methodology Manual (OSSTMM)
The Open Source Security Testing Methodology Manual (OSSTMM) provides a repeatable, metrics-driven framework for testing operational security across channels including human, physical, wireless, telecommunications, and data networks. The OWASP Mobile Top 10 is an awareness list, NIST CSF Profiles describe risk posture, and ISO 9001 addresses general quality management rather than security test methodology.
- A web application security team wants a phased, web-focused methodology that walks testers through reconnaissance, configuration testing, authentication testing, session management, input validation, and more. Which guide is the standard reference for that workflow?
- STRIDE threat model
- CWE Top 25
- OWASP Web Security Testing Guide
- NISTIR 8397 guidance
Correct answer: OWASP Web Security Testing Guide
The OWASP Web Security Testing Guide provides a phased, web-focused methodology covering reconnaissance, configuration, authentication, session management, input validation, and other categories. The CWE Top 25 is a weakness ranking, NISTIR 8397 offers minimum software verification guidance, and STRIDE is a threat-modeling mnemonic used during design rather than a testing workflow.
- A SAST tool flags a line of code as a SQL injection vulnerability, but after manual review the team confirms that the input is fully parameterized and cannot be exploited. How should this finding be classified?
- False negative
- False positive
- True positive
- Zero-day
Correct answer: False positive
A false positive is a finding the tool reports as a vulnerability that is not actually exploitable, which is exactly the parameterized, non-exploitable SQL flag described. A false negative is a real vulnerability the tool missed, a true positive is a confirmed real vulnerability, and a zero-day is a previously unknown flaw with no available fix.
- A penetration tester reviewing test results worries most about the category of risk that automated and manual testing failed to detect even though the weakness is real and exploitable. What is this undetected-but-real category called?
- True positive
- False negative
- Accepted risk
- False positive
Correct answer: False negative
A false negative is a real, exploitable vulnerability that testing failed to report, making it the most dangerous gap because the team is unaware of it. A false positive is a non-issue flagged as a problem, a true positive is a correctly identified real flaw, and accepted risk is a known risk a decision-maker has chosen to tolerate.
- A CSSLP is asked to define the difference between two assurance activities. One asks 'are we building the product right?' (conformance to specifications) and the other asks 'are we building the right product?' (meeting the user's actual needs). Which pairing correctly maps the questions?
- Validation answers 'building it right'; verification answers 'building the right product'
- Both questions are answered only by regression testing
- Verification answers 'building it right'; validation answers 'building the right product'
- Both questions are answered only by acceptance testing
Correct answer: Verification answers 'building it right'; validation answers 'building the right product'
Verification confirms the software is built right by checking conformance to specifications and design, while validation confirms the right product was built by checking it meets the user's real needs. Acceptance testing is one validation activity and regression testing re-checks prior behavior, so neither alone covers both assurance questions.
- After developers patch a confirmed authentication-bypass vulnerability, the security tester re-executes the exact original exploit steps to confirm the specific flaw is now closed before broader testing. What is this focused re-test of the fixed defect called?
- Stress testing
- Exploratory testing
- Smoke testing
- Confirmation (retest) testing
Correct answer: Confirmation (retest) testing
Confirmation testing, also called retest, re-executes the original failing steps to verify that a specific reported defect has been fixed. Smoke testing checks broad build stability, exploratory testing investigates without predefined cases, and stress testing pushes the system beyond normal limits rather than verifying a single fix.
- Two organizations debate when to introduce each scanner. The lead architect wants the tool that runs against running, deployed instances to catch issues like server misconfiguration and runtime input handling, while another runs in the IDE against source before compilation. Which statement correctly assigns the runtime tool?
- Both DAST and SAST require the application to be deployed and running
- Neither DAST nor SAST can detect server misconfiguration
- DAST runs against the running application and catches runtime issues like misconfiguration; SAST runs against source before execution
- SAST runs against the running application; DAST runs against source before execution
Correct answer: DAST runs against the running application and catches runtime issues like misconfiguration; SAST runs against source before execution
DAST (Dynamic Application Security Testing) exercises a running, deployed application and can surface runtime issues such as server misconfiguration and input-handling errors, while SAST analyzes source code statically before execution. Reversing the two is the common misconception the question targets, and DAST does not require source access while SAST does not require a running instance.
- A program manager wants automated security checks to run on every code commit so insecure changes are caught continuously rather than only before release. Which practice best satisfies this goal?
- Running DAST only manually after each major release
- Integrating SAST and SCA into the CI/CD pipeline as automated gates
- Performing code review only at end-of-project sign-off
- Scheduling a single annual external penetration test
Correct answer: Integrating SAST and SCA into the CI/CD pipeline as automated gates
Integrating SAST and SCA into the CI/CD pipeline as automated gates provides continuous, per-commit security feedback that catches insecure changes early. A single annual penetration test, release-only manual DAST, and end-of-project review all leave long windows where insecure code accumulates undetected between checks.
- During testing, engineers discover a hidden administrative endpoint that exposes diagnostic data and was never listed in the requirements or design documents. From a secure-testing standpoint, what is the primary concern this represents?
- An expected functional requirement that needs only a passing test case
- Undocumented functionality that expands the attack surface and must be reviewed or removed
- A non-functional performance characteristic to benchmark
- A regression that confirmation testing will close
Correct answer: Undocumented functionality that expands the attack surface and must be reviewed or removed
Undocumented functionality, such as a hidden admin or diagnostic endpoint, expands the attack surface, often bypasses the security controls applied to documented features, and must be reviewed and removed or properly secured. Treating it as a normal requirement, a performance metric, or a regression all miss that it was never authorized in the first place.
- A protocol gateway must accept untrusted binary input. The team wants automated testing that feeds large volumes of malformed, unexpected, and random inputs to provoke crashes, hangs, or memory-corruption conditions. Which technique is being described?
- Equivalence partitioning
- User acceptance testing
- Fuzz testing
- Static code review
Correct answer: Fuzz testing
Fuzz testing automatically feeds malformed, unexpected, or random inputs to a target to provoke crashes, hangs, or memory-corruption conditions, making it ideal for hardening parsers of untrusted binary input. Equivalence partitioning is a functional input-design technique, user acceptance testing validates business needs, and static code review inspects code without executing it.
- A team building a fuzzer for a service with no input specification wants the tool to learn interesting inputs by mutating a corpus of valid samples and using code-coverage feedback to evolve toward new paths. Which fuzzing style is this?
- Software composition analysis
- Manual penetration testing
- Generation-based (grammar) fuzzing built from a formal spec
- Mutation-based, coverage-guided fuzzing
Correct answer: Mutation-based, coverage-guided fuzzing
Mutation-based, coverage-guided fuzzing starts from a corpus of valid samples, mutates them, and uses code-coverage feedback to evolve inputs toward new execution paths, which suits a target lacking a formal input specification. Generation-based fuzzing requires a grammar or spec to construct inputs, while penetration testing and SCA are unrelated activities.
- A client asks a security firm to perform an engagement where ethical hackers actively attempt to exploit vulnerabilities and chain them together to demonstrate real-world impact, including reaching sensitive data. Which activity is this?
- Static analysis
- Penetration testing
- Vulnerability scanning
- Compliance auditing
Correct answer: Penetration testing
Penetration testing has ethical hackers actively exploit and chain vulnerabilities to demonstrate real-world business impact, going beyond merely listing weaknesses. Vulnerability scanning enumerates potential issues without proving exploitability, static analysis inspects code, and compliance auditing checks adherence to controls rather than attempting exploitation.
- A CISO wants to clarify the core difference between a vulnerability scan and a penetration test before approving budget. Which statement most accurately captures the distinction?
- They are identical activities with different names
- A vulnerability scan exploits weaknesses while a penetration test only lists them
- A vulnerability scan automatically identifies and reports potential weaknesses; a penetration test attempts to actively exploit them to prove impact
- A penetration test is fully automated while a vulnerability scan is always manual
Correct answer: A vulnerability scan automatically identifies and reports potential weaknesses; a penetration test attempts to actively exploit them to prove impact
A vulnerability scan automatically identifies and reports potential weaknesses, typically with broad coverage and possible false positives, while a penetration test actively exploits selected weaknesses to demonstrate real impact. The other choices reverse the activities, conflate them, or wrongly claim a pen test is fully automated when it is primarily expert-driven.
- A standard penetration testing methodology defines ordered phases. After planning and reconnaissance, the tester actively probes the target to enumerate live services, open ports, and running software versions before attempting exploitation. What is this phase commonly called?
- Reporting
- Maintaining access
- Covering tracks
- Scanning (enumeration)
Correct answer: Scanning (enumeration)
Scanning, or enumeration, follows reconnaissance and actively probes the target to map live services, ports, and software versions to identify exploitable entry points before the exploitation phase. Reporting documents results at the end, while maintaining access and covering tracks are later post-exploitation steps, not the pre-exploitation enumeration step.
- A scope document for a penetration test must be agreed before work begins so testers do not exceed authorization. Which artifact formally defines the targets, methods, timing, and limits the testers are permitted to use?
- Regression test suite
- CVSS score sheet
- Software bill of materials
- Rules of engagement (scope agreement)
Correct answer: Rules of engagement (scope agreement)
The rules of engagement, or scope agreement, formally define authorized targets, permitted methods, timing windows, and out-of-bounds limits so testers stay within legal and operational authorization. A CVSS score sheet rates severity, a software bill of materials lists components, and a regression test suite re-checks prior behavior, none of which authorize the engagement.
- A team must decide test-data handling for a security test environment that needs realistic data without exposing real customers. Which control best preserves data utility while removing the privacy and breach risk of production data in test?
- Deleting all data so tests run against empty tables
- Data masking or tokenization that replaces sensitive fields with realistic but non-identifying values
- Granting testers direct read access to the live production database
- Copying the full production database unchanged into the test environment
Correct answer: Data masking or tokenization that replaces sensitive fields with realistic but non-identifying values
Data masking or tokenization replaces sensitive fields with realistic but non-identifying values, keeping test data useful while removing the privacy and breach exposure of real records. Copying production unchanged or granting live access spreads sensitive data into less-controlled test systems, and emptying the tables destroys the realism the tests need.
- A security testing report must rate each finding consistently so teams across the organization prioritize the same way. The team wants an open, standardized framework whose base metrics include attack vector, attack complexity, privileges required, and impact to confidentiality, integrity, and availability. Which framework fits?
- Common Weakness Enumeration (CWE)
- ISO 27001 control set
- Common Vulnerabilities and Exposures (CVE) identifiers
- Common Vulnerability Scoring System (CVSS)
Correct answer: Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) provides standardized base metrics including attack vector, attack complexity, privileges required, and CIA impact, producing comparable severity scores across teams. CVE assigns unique identifiers to specific vulnerabilities, CWE categorizes weakness types, and ISO 27001 lists management controls rather than scoring individual finding severity.
- A CSSLP is verifying an application against the OWASP Application Security Verification Standard and must select the assurance level for a high-value application that handles sensitive transactions and is a likely target of skilled attackers. Which ASVS level is appropriate for such applications containing sensitive data?
- Level 1 (lowest, suitable for any application)
- A level chosen at random per test run
- Level 3 (highest assurance, for critical applications)
- Level 0 (no verification required)
Correct answer: Level 3 (highest assurance, for critical applications)
ASVS Level 3 is the highest assurance tier intended for the most critical applications, such as those handling sensitive transactions that are likely targets of skilled attackers. Level 1 is the basic baseline appropriate for any application, there is no defined Level 0, and assurance level must be chosen deliberately from the risk profile rather than at random.
- A SOC analyst notices unusual outbound traffic from a production application server and confirms it is a genuine security breach. According to the NIST incident response lifecycle, which phase immediately follows detection and analysis?
- Containment, eradication, and recovery
- Preparation
- Lessons learned
- Risk acceptance
Correct answer: Containment, eradication, and recovery
Containment, eradication, and recovery is the phase that follows detection and analysis in the NIST SP 800-61 incident response lifecycle. Once an event is confirmed to be a real incident, the team first limits its spread (containment), removes the root cause such as malware or a breached account (eradication), and restores systems to normal verified operation (recovery). Preparation is wrong because it occurs entirely before any incident, and lessons learned (post-incident activity) comes only after recovery is complete.
- During incident response, an operations team isolates a compromised microservice from the rest of the production network before investigating it in depth. Which incident response objective does this action primarily serve?
- Containment to limit the damage and prevent further spread
- Eradication of the underlying root cause
- Detection of additional indicators of compromise
- Recovery to restore normal business operations
Correct answer: Containment to limit the damage and prevent further spread
Containment to limit the damage and prevent further spread is the objective being served when a compromised service is isolated from the network. Containment buys time and stops lateral movement before the slower work of removing the root cause (eradication) and rebuilding to a clean state (recovery) takes place. Isolating the host does not by itself remove the malware or restore service, so eradication and recovery are not yet satisfied.
- An organization is establishing a patch management program for its deployed applications. What is the BEST practice for handling a vendor-released security patch before it is applied to production systems?
- Wait until the next annual maintenance window regardless of severity
- Test the patch in a staging environment that mirrors production before promoting it
- Apply the patch directly to production to close the vulnerability window fastest
- Apply the patch only to the systems that have already been exploited
Correct answer: Test the patch in a staging environment that mirrors production before promoting it
Testing the patch in a staging environment that mirrors production before promoting it is the best practice. Patches can break functionality or introduce instability, so validating them in a representative non-production environment prevents a fix from causing an outage. Applying untested patches straight to production risks downtime, and deferring all patches to a fixed annual window ignores the urgency of critical vulnerabilities.
- A critical, actively exploited remote-code-execution vulnerability is disclosed for a library running in production. The organization's normal patch cycle is monthly. What is the MOST appropriate response?
- Invoke the emergency (out-of-band) patch process with expedited but documented change control
- Wait for the next scheduled monthly patch window to avoid disrupting the cycle
- Disable all logging so the exploit attempts are not recorded
- Permanently shut down the application until the next major release
Correct answer: Invoke the emergency (out-of-band) patch process with expedited but documented change control
Invoking the emergency (out-of-band) patch process with expedited but documented change control is the most appropriate response. Mature patch management programs distinguish routine scheduled patching from emergency patching for critical, actively exploited flaws, allowing fast deployment while still recording the change for traceability. Waiting for the monthly window leaves a known exploited vulnerability open, and disabling logging would destroy the evidence needed for monitoring and incident response.
- In secure configuration management, what is the primary purpose of establishing a documented secure baseline configuration for deployed systems?
- To eliminate the need for access controls on production hosts
- To guarantee that no patches will ever need to be applied
- To allow each administrator to configure servers according to personal preference
- To define a known-good, approved state that systems are measured against and drift is detected from
Correct answer: To define a known-good, approved state that systems are measured against and drift is detected from
Defining a known-good, approved state that systems are measured against and drift is detected from is the primary purpose of a secure baseline. The baseline captures hardened, approved settings so that any deviation (configuration drift) can be identified and remediated, preserving a consistent and secure posture. A baseline does not remove the need for patching or access controls, and it exists precisely to prevent ad hoc per-administrator configuration.
- A team adopts immutable infrastructure, where servers are never modified in place but are replaced by rebuilding from a versioned, hardened image on each change. From a configuration management security standpoint, what is the chief advantage of this approach?
- It allows secrets to be safely hardcoded into the base image
- It prevents configuration drift and unauthorized in-place changes from accumulating
- It removes the need to ever scan images for vulnerabilities
- It eliminates the requirement for any access logging
Correct answer: It prevents configuration drift and unauthorized in-place changes from accumulating
Preventing configuration drift and unauthorized in-place changes from accumulating is the chief advantage of immutable infrastructure. Because running systems are replaced from a known, version-controlled image rather than patched live, undocumented manual changes cannot persist, and every system traces back to a reviewed baseline. Immutable infrastructure still requires image vulnerability scanning, externalized secret management, and access logging.
- During secure software deployment, an application requires a database credential to function at startup. Which secure activation practice correctly provisions this secret?
- Retrieve the credential at runtime from a secrets manager using the application's least-privileged identity
- Embed the credential in the deployment package so it ships with the binary
- Pass the credential as a command-line argument visible in the process list
- Store the credential in a comment inside the application's configuration file
Correct answer: Retrieve the credential at runtime from a secrets manager using the application's least-privileged identity
Retrieving the credential at runtime from a secrets manager using the application's least-privileged identity is the correct secure activation practice. Secure deployment provisions secrets dynamically and scoped to the minimum needed, keeping them out of artifacts and source. Embedding secrets in packages or configuration files exposes them to anyone with artifact or repository access, and command-line arguments leak into process listings and logs.
- A release engineer is deploying a new application version across deployment environments. Why is it important to keep development, QA/staging, and production environments separated?
- To make the production environment less monitored than the others
- To ensure all environments share a single database for consistency
- To allow developers to use production credentials freely in development
- To prevent untested code, test data, or weaker controls in lower environments from affecting production
Correct answer: To prevent untested code, test data, or weaker controls in lower environments from affecting production
Preventing untested code, test data, or weaker controls in lower environments from affecting production is why deployment environments are separated. Isolation ensures that only validated, approved builds reach production and that the relaxed configurations and sample data used for development cannot leak into or compromise live systems. Sharing production credentials or a single database across environments, or under-monitoring production, would defeat the purpose of separation.
- In operations and maintenance, what distinguishes problem management from incident management?
- Incident management restores service quickly, while problem management identifies and eliminates the underlying root cause of recurring incidents
- They are identical processes with different names
- Problem management restores service immediately, while incident management documents root causes
- Incident management applies only to hardware and problem management only to software
Correct answer: Incident management restores service quickly, while problem management identifies and eliminates the underlying root cause of recurring incidents
Incident management restoring service quickly while problem management identifies and eliminates the underlying root cause of recurring incidents is the correct distinction. Incident management focuses on rapid restoration of normal operations after a disruption, whereas problem management investigates patterns to find and permanently remove the root cause so the same incidents stop recurring. The two are complementary but distinct disciplines, not interchangeable.
- An organization wants to formally review, approve, and schedule proposed changes to its production software before they are applied. Which operations and maintenance process governs this, and what body typically authorizes the changes?
- Release retirement, authorized by external auditors
- Change management, authorized by a Change Advisory Board (CAB)
- Capacity management, authorized by the marketing department
- Incident management, authorized by the help desk
Correct answer: Change management, authorized by a Change Advisory Board (CAB)
Change management, authorized by a Change Advisory Board (CAB), governs the formal review, approval, and scheduling of production changes. A CAB evaluates the risk, impact, and rollback plans of proposed changes so that unauthorized or poorly assessed modifications do not destabilize or weaken the security of running systems. Capacity and incident management address different operational concerns and do not provide change authorization.
- A company is decommissioning an application that stored regulated customer data on solid-state drives. What is the MOST appropriate action to ensure the data cannot be recovered after disposal?
- Reformat the drive with a quick format and reuse it immediately
- Move the files to the recycle bin and empty it
- Rely on a single-pass overwrite, which is fully effective on all SSDs
- Securely sanitize the media using a method suited to SSDs, such as cryptographic erase or a vendor secure-erase command
Correct answer: Securely sanitize the media using a method suited to SSDs, such as cryptographic erase or a vendor secure-erase command
Securely sanitizing the media using a method suited to SSDs, such as cryptographic erase or a vendor secure-erase command, is the most appropriate disposal action. Wear-leveling on SSDs means overwriting logical addresses does not reliably reach all physical cells, so media-appropriate sanitization (cryptographic erase or the drive's secure-erase) is required, consistent with NIST SP 800-88 media sanitization guidance. Deleting files, quick-formatting, or assuming a single overwrite suffices all leave recoverable data on flash media.
- After deploying software, the operations team enforces an application allowlist (whitelist) on production servers. What security benefit does this configuration provide?
- It encrypts all data at rest automatically
- It removes the need to apply security patches
- It guarantees that the application is free of vulnerabilities
- Only explicitly approved executables can run, blocking unauthorized or malicious code from executing
Correct answer: Only explicitly approved executables can run, blocking unauthorized or malicious code from executing
Allowing only explicitly approved executables to run, blocking unauthorized or malicious code from executing, is the benefit of application allowlisting. By denying everything not on the approved list, allowlisting prevents attacker-introduced binaries, droppers, and unapproved tools from running, which is part of secure activation and environment hardening. Allowlisting does not encrypt data, remove vulnerabilities, or replace patching.
- Continuous monitoring of a deployed application detects a spike in failed authentication attempts followed by a successful login from an unusual location. Which operations capability is MOST directly responsible for correlating these events and raising an alert?
- A blue-green deployment switch
- A software bill of materials (SBOM) generator
- Security information and event management (SIEM) correlation of aggregated logs
- A nightly full backup job
Correct answer: Security information and event management (SIEM) correlation of aggregated logs
Security information and event management (SIEM) correlation of aggregated logs is most directly responsible for correlating these events and raising an alert. A SIEM ingests logs from many sources, applies correlation rules, and flags suspicious patterns such as brute-force attempts followed by anomalous access, feeding the detection-and-analysis phase of incident response. Backups, deployment switches, and SBOM generation serve recovery, release, and supply-chain purposes rather than real-time event correlation.
- An operations team performs ongoing vulnerability management on production systems. Beyond simply scanning, what step turns scan output into effective risk reduction during maintenance?
- Counting the total number of CVEs and reporting only the count to leadership
- Closing every finding by marking it as a false positive
- Prioritizing and remediating findings based on exploitability, asset criticality, and exposure, then verifying the fix
- Scanning once at deployment and never again during the system's life
Correct answer: Prioritizing and remediating findings based on exploitability, asset criticality, and exposure, then verifying the fix
Prioritizing and remediating findings based on exploitability, asset criticality, and exposure, then verifying the fix, is what turns scan output into real risk reduction. Scanning alone produces a list; risk-based triage focuses limited effort on the issues that matter most and confirmation testing proves the vulnerability is actually closed. Merely counting CVEs, blanket-dismissing findings, or scanning only once provides no assurance that exploitable weaknesses are addressed over the system's life.
- When a routine production deployment introduces a regression that degrades security controls, which operational practice allows the team to most quickly return to a known-good state?
- A tested rollback procedure that reverts to the previous validated release
- Permanently disabling change management to speed future deploys
- Granting all developers standing production administrator access
- Deleting the audit logs that recorded the deployment
Correct answer: A tested rollback procedure that reverts to the previous validated release
A tested rollback procedure that reverts to the previous validated release lets the team most quickly return to a known-good state after a bad deployment. Predefined, rehearsed rollback (and patterns like blue-green or canary that support it) restore the prior secure version with minimal exposure. Disabling change management, deleting audit logs, or handing out standing production admin rights would weaken security and accountability rather than aid recovery.
- A regulator asks a software producer to confirm its Software Bill of Materials (SBOM) includes the baseline data fields described by the NTIA's minimum elements. Which set of fields reflects that baseline?
- Supplier name, component name, version, unique identifiers, dependency relationships, SBOM author, and timestamp
- CPU architecture, memory footprint, license cost, and release date only
- Source code, compiled binary, unit test results, and code coverage percentage
- Marketing description, download count, vendor logo, and support phone number
Correct answer: Supplier name, component name, version, unique identifiers, dependency relationships, SBOM author, and timestamp
The correct answer is supplier name, component name, version, unique identifiers, dependency relationships, SBOM author, and timestamp. The NTIA's 2021 minimum elements define these seven baseline data fields so that organizations can identify each component and its relationships; later CISA updates add fields such as component hash and license but build on this same baseline. The other options describe build artifacts, performance attributes, or marketing data, none of which constitute the component inventory an SBOM is meant to provide.
- A vendor delivers an SBOM as a CycloneDX file, while an internal team standardizes on SPDX. What is the BEST reason both formats are acceptable for supply chain security?
- Both formats encrypt the application binary so attackers cannot read the code
- Both are machine-readable SBOM standards that can capture components, versions, and dependencies for vulnerability and license analysis
- Both replace the need to run software composition analysis on the product
- Both are programming languages used to compile dependencies reproducibly
Correct answer: Both are machine-readable SBOM standards that can capture components, versions, and dependencies for vulnerability and license analysis
The correct answer is that both are machine-readable SBOM standards that can capture components, versions, and dependencies for vulnerability and license analysis. SPDX (a Linux Foundation/ISO standard) emphasizes license detail, while CycloneDX (an OWASP project) emphasizes security context, but both express the same core inventory and are widely accepted, so tooling can ingest either. They are data formats, not encryption schemes or languages, and an SBOM informs but does not replace ongoing composition analysis.
- During a code-signing implementation review, an architect must explain what a valid signature on a release artifact actually proves to the consumer. Which statement is accurate?
- It proves the artifact originated from the holder of the signing key and has not been altered since signing
- It proves the artifact will run faster than an unsigned build
- It proves the artifact is free of all vulnerabilities and malware
- It proves the source code is publicly available for inspection
Correct answer: It proves the artifact originated from the holder of the signing key and has not been altered since signing
The correct answer is that it proves the artifact originated from the holder of the signing key and has not been altered since signing. Code signing binds a publisher's private key to a hash of the artifact, giving recipients authenticity and integrity assurance when they verify with the corresponding certificate. It says nothing about whether the code is vulnerability-free, faster, or open source; a signed artifact can still contain flaws, which is why signing complements rather than replaces testing.
- To prevent a stolen signing key from being used to sign malicious builds, which control is MOST effective for a code-signing program?
- Email the private signing key to each developer who needs to release
- Use the same long-lived self-signed certificate for every product indefinitely
- Commit the signing key to the source repository so builds can find it
- Store signing keys in a hardware security module (HSM) and sign only within a controlled, audited service
Correct answer: Store signing keys in a hardware security module (HSM) and sign only within a controlled, audited service
The correct answer is to store signing keys in a hardware security module (HSM) and sign only within a controlled, audited service. An HSM keeps the private key non-exportable and restricts signing operations to authorized, logged requests, which is why modern code-signing guidance mandates hardware-backed key storage. Emailing keys, committing them to source, or reusing an unmanaged self-signed certificate all expose the key and let an attacker forge trusted signatures, exactly the SolarWinds-class outcome the control prevents.
- A 2020-style supply chain attack in which adversaries compromised a vendor's build system and inserted a backdoor into a digitally signed update that was then distributed to thousands of customers BEST illustrates which risk?
- A denial-of-service flood against a single web server
- An employee clicking a phishing link unrelated to any software product
- A trusted-vendor software update channel being weaponized to distribute malicious code to many downstream organizations
- A user choosing a weak password on a public website
Correct answer: A trusted-vendor software update channel being weaponized to distribute malicious code to many downstream organizations
Correct answer: A trusted-vendor software update channel being weaponized to distribute malicious code to many downstream organizations. trusted-vendor software update channel being weaponized to distribute malicious code to many downstream organizations. Supply chain attacks of this kind exploit the inherent trust customers place in signed vendor updates, so a single upstream compromise propagates to every consumer of the update. Weak passwords, denial-of-service floods, and isolated phishing are real threats but do not capture the upstream-to-downstream propagation that defines a software supply chain attack.
- An organization adopting the SLSA framework wants build provenance that an attacker cannot forge even if a build step is malicious. Which capability is the primary goal of generating signed provenance during the build?
- Encrypting the artifact so only paying customers can run it
- Reducing the artifact's file size for faster downloads
- Producing verifiable, tamper-evident metadata about how and from what source an artifact was built
- Automatically translating source code into another programming language
Correct answer: Producing verifiable, tamper-evident metadata about how and from what source an artifact was built
The correct answer is producing verifiable, tamper-evident metadata about how and from what source an artifact was built. SLSA's build track raises assurance by requiring provenance that ties an artifact to its source and build process, with higher levels signing that provenance and isolating the build so it cannot be forged. Provenance is integrity and traceability metadata, not a compression, translation, or licensing-encryption mechanism.
- A platform engineer is reducing the risk that a compromised build runner can tamper with releases. Which practice MOST directly hardens the build platform under a secure supply chain model?
- Letting every engineer SSH into the production build runners to debug interactively
- Reusing one long-lived build server that is never patched to keep builds reproducible
- Disabling all logging on the build pipeline to improve performance
- Running builds in isolated, ephemeral environments with least-privilege credentials and no developer access to the running build
Correct answer: Running builds in isolated, ephemeral environments with least-privilege credentials and no developer access to the running build
The correct answer is running builds in isolated, ephemeral environments with least-privilege credentials and no developer access to the running build. Isolating and tearing down build environments prevents persistence and tampering, while least-privilege credentials limit what a compromised step can reach, both core to SLSA's higher build levels. Interactive access, an unpatched shared server, and disabled logging each expand the attack surface and undermine the trustworthiness of produced artifacts.
- Before integrating a commercial third-party component, a team must assess its risk. Which combination BEST characterizes a thorough third-party software risk evaluation?
- Checking only that the price fits the project budget
- Reviewing the supplier's security posture, vulnerability disclosure and patch history, component provenance, and support and end-of-life commitments
- Verifying only that the component's documentation is well formatted
- Confirming only that the component compiles without warnings
Correct answer: Reviewing the supplier's security posture, vulnerability disclosure and patch history, component provenance, and support and end-of-life commitments
The correct answer is reviewing the supplier's security posture, vulnerability disclosure and patch history, component provenance, and support and end-of-life commitments. Third-party software risk spans the supplier's ability to find and fix flaws, the trustworthiness of what they ship, and how long they will maintain it, so all of these factors inform the decision. Compilation success, price, and documentation formatting may matter operationally but do not measure the security risk the component introduces.
- A developer wants to keep dependency management secure as new package versions are released. Which approach BEST balances staying patched with avoiding unvetted or malicious updates?
- Pin versions with a lockfile, then update through a reviewed process that re-runs composition analysis before promoting changes
- Configure the build to always pull the latest available version of every dependency automatically
- Never update any dependency once the application ships
- Allow any developer to add a new registry source without review
Correct answer: Pin versions with a lockfile, then update through a reviewed process that re-runs composition analysis before promoting changes
The correct answer is to pin versions with a lockfile, then update through a reviewed process that re-runs composition analysis before promoting changes. Pinning yields reproducible builds and blocks silent updates, while a deliberate, scanned update path lets the team adopt security fixes without trusting unvetted releases. Auto-pulling latest invites malicious or breaking updates, never updating leaves known vulnerabilities unpatched, and unreviewed registry sources open the door to dependency confusion and typosquatting.
- A security architect wants to detect when an attacker swaps a legitimate package for a malicious one on a public registry before it reaches the build. Which control MOST directly addresses this?
- Renaming internal packages to shorter names
- Verifying package integrity against expected cryptographic hashes or signatures and enforcing them in the lockfile
- Increasing the build server's RAM to speed up installs
- Allowing unauthenticated writes to the artifact repository for convenience
Correct answer: Verifying package integrity against expected cryptographic hashes or signatures and enforcing them in the lockfile
The correct answer is verifying package integrity against expected cryptographic hashes or signatures and enforcing them in the lockfile. Integrity hashes recorded in the lockfile cause the install to fail if a fetched package does not match what was previously vetted, catching substitution and tampering before the build consumes it. Adding RAM, renaming packages, or permitting unauthenticated writes do nothing to detect a swapped artifact and the last actively weakens the repository.
- An organization wants a single capability that lets it answer, within hours of a new vulnerability disclosure such as a critical flaw in a widely used logging library, exactly which products and versions contain the affected component. Which capability provides this?
- Asking customers to report whether they think they are affected
- Maintaining and querying an up-to-date SBOM for each released product
- Rebuilding every product from scratch to see what breaks
- Increasing the marketing budget for affected products
Correct answer: Maintaining and querying an up-to-date SBOM for each released product
The correct answer is maintaining and querying an up-to-date SBOM for each released product. Because an SBOM inventories every component and version, security teams can search it to immediately identify which shipped products embed a newly disclosed vulnerable component, dramatically shortening response time. Rebuilding from scratch, marketing spend, and crowdsourcing guesses from customers do not give the authoritative, queryable component inventory an SBOM provides.
- A company outsources part of its development to a subcontractor who may further outsource work. To manage supply chain risk introduced by these fourth parties, the BEST practice is to:
- Require contractual flow-down of security obligations and the right to assess subcontractors used by the supplier
- Prohibit the supplier from using any tools, eliminating the need for oversight
- Rely solely on the supplier's marketing claims about quality
- Assume the prime supplier handles all risk and require nothing about subcontractors
Correct answer: Require contractual flow-down of security obligations and the right to assess subcontractors used by the supplier
The correct answer is to require contractual flow-down of security obligations and the right to assess subcontractors used by the supplier. Fourth-party (downstream subcontractor) risk is managed by ensuring the supplier passes the same security requirements, breach-notification, and audit rights down its own supply chain, giving the buyer visibility beyond the direct vendor. Assuming the prime handles everything, banning all tooling, or trusting marketing claims leaves the extended supply chain unmanaged and unverifiable.