Sale!

Certified Secure Software Lifecycle Professional (CSSLP)

Original price: $50. Current price: $30.

Exam Code: CSSLP
Exam Name: Certified Secure Software Lifecycle Professional
Questions: 700 questions and answers with explanations
Update Date: May 2, 2025
Category:

Sample Questions

question: 1
Which of the following best defines secure coding practices?
A. Writing code quickly to meet deadlines
B. Following a checklist for GUI design
C. Implementing coding techniques to avoid vulnerabilities
D. Outsourcing development to reduce cost

correct answer: C
Explanation: Secure coding focuses on writing software that prevents vulnerabilities such as buffer overflows, SQL injection, and XSS.


question: 2
What is the main objective of threat modeling in software development?
A. To optimize system performance
B. To predict application usage trends
C. To identify and mitigate potential security threats
D. To comply with GUI standards

correct answer: C
Explanation: Threat modeling identifies security risks and helps prioritize controls based on the potential impact and likelihood.


question: 3
Which SDLC phase involves the definition of security requirements?
A. Testing
B. Requirements gathering
C. Implementation
D. Maintenance

correct answer: B
Explanation: Defining security requirements early during the requirements phase ensures integration of security from the start.


question: 4
Which type of testing ensures that security features are working as expected?
A. Functional testing
B. Fuzz testing
C. Penetration testing
D. Security testing

correct answer: D
Explanation: Security testing verifies whether the system’s security mechanisms (like authentication, access control) function properly.


question: 5
Which of the following helps detect known vulnerabilities in code before runtime?
A. Dynamic analysis
B. Fuzzing
C. Static code analysis
D. Load testing

correct answer: C
Explanation: Static code analysis scans code for known issues and vulnerabilities without executing it.


question: 6
Which principle states that a user should have only the permissions necessary to perform their job?
A. Separation of duties
B. Least privilege
C. Role-based access
D. Defense in depth

correct answer: B
Explanation: Least privilege minimizes risk by limiting user access to what’s strictly required for their role.


question: 7
What is the purpose of software configuration management (SCM) in secure development?
A. To track hardware components
B. To manage user accounts
C. To control and audit code changes
D. To manage web server settings

correct answer: C
Explanation: SCM helps track, control, and audit changes to codebases—critical for traceability and accountability.


question: 8
What is the main purpose of input validation in secure software?
A. To improve user experience
B. To reduce software size
C. To prevent injection attacks
D. To enhance logging

correct answer: C
Explanation: Proper input validation prevents attacks like SQL injection, XSS, and buffer overflows.


question: 9
Which software development methodology allows for continuous integration of security?
A. Waterfall
B. V-Model
C. Agile/DevSecOps
D. Spiral

correct answer: C
Explanation: DevSecOps integrates security into Agile development cycles, promoting continuous testing and updates.


question: 10
What is the purpose of a software security policy?
A. To dictate UI color schemes
B. To specify backup intervals
C. To set rules for secure software practices
D. To enforce marketing strategies

correct answer: C
Explanation: A software security policy defines rules and practices for ensuring software is developed, deployed, and maintained securely.

question: 11
Which activity is part of secure design principles?
A. Delaying authentication until production
B. Relying on third-party code without review
C. Minimizing attack surface
D. Ignoring user input

correct answer: C
Explanation: Minimizing the attack surface reduces opportunities for attackers to exploit vulnerabilities.


question: 12
Which of the following is a non-functional security requirement?
A. Encrypting sensitive data at rest
B. Displaying search results
C. Generating invoices
D. Uploading files

correct answer: A
Explanation: Security controls, like encryption, are non-functional requirements that support secure system behavior.


question: 13
What is the goal of a post-release security review?
A. To add new features
B. To test for usability
C. To identify residual vulnerabilities
D. To remove documentation

correct answer: C
Explanation: A post-release review helps identify vulnerabilities that may have been missed before deployment.


question: 14
Which one of the following reduces the risk of hardcoded secrets in code?
A. Using public Git repositories
B. Embedding credentials
C. Secrets management solutions
D. Using eval() functions

correct answer: C
Explanation: Secrets management tools securely store and retrieve sensitive data, avoiding hardcoded secrets in source code.


question: 15
What is a major concern when using open-source components in software?
A. Marketing risks
B. GUI inconsistencies
C. License compliance and vulnerabilities
D. Cost overruns

correct answer: C
Explanation: Open-source components may introduce licensing issues and security flaws if not properly vetted and maintained.


question: 16
What type of testing uses unexpected or random input to identify software defects?
A. Regression testing
B. Fuzz testing
C. Load testing
D. Unit testing

correct answer: B
Explanation: Fuzz testing introduces malformed or random inputs to discover crashes or vulnerabilities.


question: 17
Which principle promotes the separation of responsibilities among developers, testers, and deployers?
A. Defense in Depth
B. Least Common Mechanism
C. Separation of Duties
D. Economy of Mechanism

correct answer: C
Explanation: Separation of Duties reduces the risk of fraud or mistakes by requiring multiple roles in critical functions.


question: 18
Which of the following is a common risk of using insecure APIs?
A. Faster performance
B. Stronger encryption
C. Broken access controls
D. Reduced development time

correct answer: C
Explanation: Insecure APIs may expose sensitive functions or data due to insufficient authentication and access control.


question: 19
Which activity is best for ensuring security flaws are corrected early?
A. Manual penetration tests post-release
B. Threat modeling during design
C. Disabling logs in test environments
D. Encrypting all logs

correct answer: B
Explanation: Threat modeling during design helps catch flaws early in the SDLC, reducing costly rework later.


question: 20
In secure deployment, which process ensures the integrity and origin of a software release?
A. Code linting
B. Digital signing
C. Code formatting
D. Test-driven development

correct answer: B
Explanation: Digitally signing release packages provides assurance that software comes from a trusted source and has not been tampered with.


question: 21
Which SDLC activity involves evaluating risks such as data loss or system compromise?
A. Feasibility study
B. Risk assessment
C. Load testing
D. Scrum grooming

correct answer: B
Explanation: A risk assessment evaluates potential security impacts to guide control selection and mitigation strategies.


question: 22
Which software architecture model is commonly used to isolate components and minimize the impact of a breach?
A. Monolithic
B. Layered architecture
C. Procedural
D. Event-driven

correct answer: B
Explanation: Layered architecture improves security by isolation, limiting the impact of vulnerabilities within each layer.


question: 23
What should be done before integrating third-party libraries into a secure application?
A. Minify the code
B. Enable debugging
C. Conduct a software composition analysis
D. Replace with open-source equivalents

correct answer: C
Explanation: Software composition analysis (SCA) checks libraries for known vulnerabilities and license issues.


question: 24
Which standard provides a secure coding framework for C and C++?
A. OWASP Top 10
B. SEI CERT
C. ISO 27001
D. NIST SP 800-37

correct answer: B
Explanation: The CERT secure coding standards offer guidelines for developing secure C/C++ applications.


question: 25
Which testing type is best suited to evaluate a system from the attacker’s perspective?
A. Black-box testing
B. White-box testing
C. Unit testing
D. Static testing

correct answer: A
Explanation: Black-box testing simulates an external attacker’s view, testing the system without internal knowledge.


question: 26
Which of the following helps ensure software can be trusted after updates?
A. License auditing
B. Patch regression testing
C. Performance tuning
D. Feature expansion

correct answer: B
Explanation: Regression testing ensures that security controls and functionality remain intact after updates or patches.


question: 27
Which access control method is based on roles assigned to users?
A. MAC
B. DAC
C. RBAC
D. ABAC

correct answer: C
Explanation: RBAC (Role-Based Access Control) assigns permissions based on job roles, simplifying access management.


question: 28
What does security logging provide in the context of secure development?
A. UI event tracking
B. Debug code traces
C. Audit trail for incident response
D. Visual design feedback

correct answer: C
Explanation: Security logs offer an audit trail, aiding in forensics, detection, and compliance during and after incidents.


question: 29
What type of threat is addressed by input sanitization?
A. Brute-force attacks
B. Buffer overflows
C. Resource exhaustion
D. Race conditions

correct answer: B
Explanation: Proper input sanitization can prevent buffer overflows and related memory-based vulnerabilities.


question: 30
Which document defines the organization’s requirements for software security throughout its lifecycle?
A. SLA
B. Security policy
C. Build log
D. Bug tracking sheet

correct answer: B
Explanation: A security policy provides high-level guidance on secure practices across the entire software lifecycle.

question: 31
Which of the following helps identify vulnerabilities in third-party code before integration?
A. Code formatting
B. Dependency scanning
C. Code linting
D. Code splitting

correct answer: B
Explanation: Dependency scanning analyzes third-party code for vulnerabilities and license issues before integration.


question: 32
What is the primary goal of secure software development?
A. To enhance user experience
B. To improve system availability
C. To build software with minimal bugs
D. To protect against security threats and vulnerabilities

correct answer: D
Explanation: The goal of secure development is to ensure the software is resistant to security threats and vulnerabilities.


question: 33
Which of the following is a security best practice for cloud-based applications?
A. Use public cloud services exclusively
B. Rely on the cloud provider’s security features only
C. Implement multi-factor authentication (MFA)
D. Disable encryption

correct answer: C
Explanation: Multi-factor authentication (MFA) strengthens access control and prevents unauthorized access to cloud applications.


question: 34
Which activity is part of continuous security monitoring?
A. Code reviews
B. Vulnerability scanning
C. Code coverage analysis
D. User experience testing

correct answer: B
Explanation: Vulnerability scanning is crucial in continuous security monitoring to detect vulnerabilities throughout the development lifecycle.


question: 35
What is the purpose of code obfuscation in securing software?
A. To improve code readability
B. To prevent reverse engineering
C. To increase system performance
D. To simplify debugging

correct answer: B
Explanation: Code obfuscation makes it more difficult for attackers to reverse-engineer the code and exploit vulnerabilities.


question: 36
Which of the following is considered a security control for web applications?
A. HTTPS encryption
B. Caching static files
C. JavaScript compression
D. SEO optimization

correct answer: A
Explanation: HTTPS encryption ensures secure communication between the client and server, preventing man-in-the-middle attacks.


question: 37
What does data masking do?
A. Hides encryption keys
B. Scrambles sensitive data
C. Tracks changes in real-time
D. Stores backup copies securely

correct answer: B
Explanation: Data masking obfuscates sensitive information, such as credit card numbers, so it can be used in non-production environments without exposing actual data.


question: 38
What is a zero-day vulnerability?
A. A vulnerability fixed by the vendor
B. A flaw that has been publicly disclosed
C. A flaw that has not yet been discovered
D. A flaw that has not yet been patched

correct answer: D
Explanation: A zero-day vulnerability is a flaw that has not been patched by the vendor, making it particularly dangerous until addressed.


question: 39
Which type of test ensures that security controls are working as expected after an update?
A. Unit testing
B. Regression testing
C. Performance testing
D. Fuzz testing

correct answer: B
Explanation: Regression testing ensures that security controls remain intact after updates, patches, or new features.


question: 40
What is the best practice for protecting secrets in a production environment?
A. Hardcoding credentials in the source code
B. Storing secrets in environment variables
C. Encrypting all logs
D. Disabling firewall rules

correct answer: B
Explanation: Storing secrets in environment variables prevents them from being exposed in the codebase and helps ensure their security.


question: 41
What is SQL injection an example of?
A. Input validation vulnerability
B. Logic flaw
C. Memory leak
D. Access control vulnerability

correct answer: A
Explanation: SQL injection is an input validation vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code.


question: 42
Which of the following would be critical in securing a mobile application?
A. Enabling root access
B. Avoiding code signing
C. Implementing secure data storage
D. Disabling SSL/TLS encryption

correct answer: C
Explanation: Secure data storage ensures that sensitive information on mobile devices is properly encrypted and protected from unauthorized access.


question: 43
Which of the following is the first step in secure software deployment?
A. Running a vulnerability scan
B. Configuring firewall rules
C. Implementing encryption
D. Reviewing system documentation

correct answer: A
Explanation: Vulnerability scanning should be the first step to identify any existing security gaps before deployment.


question: 44
Which strategy is commonly used to mitigate privilege escalation?
A. Code obfuscation
B. Principle of Least Privilege
C. Enabling full system access
D. Regular patching

correct answer: B
Explanation: Least privilege ensures that users only have the minimum privileges necessary to perform their job, limiting opportunities for privilege escalation.


question: 45
Which of the following should be done to secure a web server?
A. Disable encryption
B. Use an outdated version of software
C. Restrict administrative access to trusted IPs
D. Use weak passwords for root accounts

correct answer: C
Explanation: Restricting administrative access to trusted IPs prevents unauthorized users from accessing sensitive configurations on the web server.


question: 46
Which of the following is the best practice for secure software architecture?
A. Hardcoding passwords
B. Using unencrypted HTTP
C. Implementing defense-in-depth
D. Disabling multi-factor authentication

correct answer: C
Explanation: Defense-in-depth adds multiple layers of protection, ensuring that if one layer fails, others still provide security.


question: 47
What is the primary goal of cryptography in secure software?
A. To speed up data transmission
B. To ensure data confidentiality and integrity
C. To store user preferences
D. To monitor system performance

correct answer: B
Explanation: Cryptography ensures that data remains confidential and untampered with during transmission or storage.


question: 48
Which of the following is a valid secure coding principle?
A. Minimizing input validation
B. Avoiding proper error handling
C. Protecting against buffer overflows
D. Ignoring logging for performance

correct answer: C
Explanation: Protecting against buffer overflows is a core secure coding practice to prevent attackers from corrupting memory and gaining control of the system.


question: 49
What type of encryption is used to secure data at rest?
A. Symmetric encryption
B. Asymmetric encryption
C. Hashing
D. Salting

correct answer: A
Explanation: Symmetric encryption is used for data at rest because it efficiently encrypts and decrypts large amounts of data with a single key.


question: 50
Which of the following tools is typically used for continuous security testing in the software development lifecycle?
A. Version control
B. Static analysis tools
C. Project management software
D. Test coverage tools

correct answer: B
Explanation: Static analysis tools analyze code for vulnerabilities early in the SDLC, enabling continuous security testing during development.

Why is Pass4Certs the best choice for certification exam preparation?

Pass4Certs is dedicated to providing practice test questions with answers, free of charge, unlike other web-based platforms. To see the full review material, you need to sign up for a free account on Pass4Certs. Many clients around the world are earning high scores by using our dumps. You get a 100 percent passing and unconditional guarantee on the test. PDF files are accessible immediately after purchase.

A Central Tool to Help You Prepare for the Exam

Pass4Certs.com is the ultimate, cost-effective resource for taking the test. We adhere closely to the actual exam questions and answers, which are regularly updated and verified by experts. Our exam dumps experts, who come from a variety of well-known organizations, are knowledgeable and qualified individuals who have reviewed an important section of exam questions and answers to help you understand the concepts and pass the certification exam with good marks. Our braindumps are the most effective way to prepare for your test in only 1 day.

User Friendly & Easily Accessible on Mobile Devices

The exam platform is very easy to use. The main aim of our platform is to provide the most recent, accurate, updated and genuinely helpful review material. Students can use this material to study and successfully navigate the implementation and support of systems. Students can access authentic test questions and answers, which are available for download in PDF format immediately after purchase. As long as your mobile device has an internet connection, you can study on this website, which is mobile-friendly for test takers.

Dumps Are Verified by Industry Experts

Get Access to the Most Recent and Accurate Questions and Answers Right Away:
Our exam database is frequently updated throughout the year to include the most recent exam questions and answers. Each test page shows the date at the top of the page together with the updated list of test questions and answers. You will pass the test on your first attempt thanks to the authenticity of the current exam questions.

The exam dumps have been checked by industry professionals who are dedicated to providing the right test questions and answers with brief descriptions. Every question and answer is checked by experts: highly qualified individuals with extensive professional experience in the vendor examination.

Pass4Certs.com delivers the best exam questions with detailed explanations in contrast with a number of other exam web portals.

Money Back Guarantee

Pass4Certs.com is committed to providing quality braindumps that will help you pass the test and get certified. In order to provide you with the best method of preparation for the exam, we provide the most recent and realistic test questions from current examinations. If you purchase the entire PDF file but fail the vendor exam, you can get your money back or have your exam replaced. Visit our guarantee page for more information on our straightforward money-back guarantee.


Customer Reviews

James: "This course helped me pass my exam on the first try! The practice tests and explanations were spot on. Highly recommended!" ⭐⭐⭐⭐⭐

Julie: "The content was very helpful and concise. Some topics were a little deeper, but overall was excellent and I recommend, it definitely helped me pass my certification." ⭐⭐⭐⭐⭐

Amenda: "Passed my exam with 92%! The flashcards and timed quizzes were a game-changer. Perfect for last-minute revision." ⭐⭐⭐⭐⭐

Charles: "Pass4certs is the real MVP. I crammed for 3 days using their dumps and walked out of the exam like a boss. Passed with 89%!" ⭐⭐⭐⭐⭐

Juliet: "Shoutout to Pass4certs for helping me level up my career. I’ve passed two certifications back-to-back with their help. Super reliable and updated content!" ⭐⭐⭐⭐⭐