Software Development Security for CISSP
This page covers the Software Development Security domain of the CISSP certification. Master Cybersecurity offers 57 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which of the following is the BEST method to validate secure coding techniques against injection and overflow attacks?
- A. Scheduled team review of coding style and techniques for vulnerability patterns
- B. The regular use of production code routines from similar applications already in use
- C. Using automated programs to test for the latest known vulnerability patterns
- D. Ensure code editing tools are updated against known vulnerability patterns
Explanation
The correct answer is: C. Using automated programs to test for the latest known vulnerability patterns.
Injection and overflow defects are well-characterized weakness classes covered by mature signature and dataflow rules in SAST, DAST, and IAST tooling, so the most reliable validation is automated scanning that continuously updates its rule packs against current CWE and CVE patterns and runs at scale every build. Periodic team review of coding style catches some issues but is inconsistent, slow, and dependent on the reviewer's familiarity with every variant. Reusing production code from similar applications spreads any existing flaws and is not a validation technique at all. Updating the editor with vulnerability rules helps developers as they type but does not validate the finished code; only the build-time automated scan delivers repeatable, comprehensive evidence of secure coding for the entire injection and overflow surface.
Question 2
An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred?
- A. SQL injection (SQLi)
- B. Extensible Markup Language (XML) external entities
- C. Cross-Site Scripting (XSS)
- D. Cross-Site Request Forgery (CSRF)
Explanation
The correct answer is: C. Cross-Site Scripting (XSS).
Cross-Site Scripting injects attacker-controlled script into a page so that when the victim's browser renders it the script runs in the user's origin and can read document.cookie or otherwise exfiltrate session material, which exactly matches a compromised site whose script executed in the user's browser and stole session cookies. SQL injection targets the database tier by manipulating queries on the server and does not run code in the victim's browser. XML External Entity attacks abuse XML parsers to disclose files or perform SSRF against backend services, again a server-side issue with no browser-side script execution. CSRF rides an authenticated session to perform state-changing actions but does not read cookies because the same-origin policy prevents the malicious page from inspecting them, so only XSS fits.
Question 3
An attack utilizing social engineering and a malicious Uniform Resource Locator (URL) link to take advantage of a victim's existing browser session with a web application is an example of which of the following types of attack?
- A. Clickjacking
- B. Cross-site request forgery (CSRF)
- C. Cross-Site Scripting (XSS)
- D. Injection
Explanation
The correct answer is: B. Cross-site request forgery (CSRF).
Cross-Site Request Forgery is the attack in which a victim is socially engineered into clicking a crafted link that triggers a state-changing request against a web application where the user holds an active authenticated session; the browser automatically attaches session cookies, so the malicious request executes with the victim's privileges without their awareness. Clickjacking tricks a user into clicking a hidden UI element by overlaying it under a transparent frame, which is mitigated by X-Frame-Options and is a different mechanism. XSS injects script into a page the victim renders rather than forging a request from another origin. Injection generically describes interpreter abuse such as SQL or command injection on the server, unrelated to riding an authenticated session through a crafted link. CSRF matches every element of the scenario.
Question 4
Which of the following does the security design process ensure within the System Development Life Cycle (SDLC)?
- A. Proper security controls, security objectives, and security goals are properly initiated.
- B. Security objectives, security goals, and system test are properly conducted.
- C. Proper security controls, security goals, and fault mitigation are properly conducted.
- D. Security goals, proper security controls, and validation are properly initiated.
Explanation
The correct answer is: A. Proper security controls, security objectives, and security goals are properly initiated.
The security design phase is where the project initiates its security agenda by articulating the security goals (the high-level outcomes the system must achieve), the security objectives (measurable conditions that prove those goals), and the proper security controls (the technical and administrative mechanisms selected to satisfy them); all three are written down and approved here so later phases inherit a clear baseline. System testing and validation are downstream verification activities performed during the test phase, not initiation, so any option that places them in design conflates phases. Fault mitigation is implemented and exercised during operations and maintenance once the system is running. Only the option that pairs controls, objectives, and goals as initiated artifacts of the design phase reflects how the SDLC actually flows.
Question 5
In software development, which of the following entities normally signs the code to protect the code integrity?
- A. The organization developing the code
- B. The quality control group
- C. The developer
- D. The data owner
Explanation
The correct answer is: A. The organization developing the code.
Code signing for distributed software is performed using a certificate issued to the publishing organization, not to an individual, because the legal and reputational accountability for the released artifact rests with the organization and the private key must be protected under organizational key-management controls so signing survives personnel changes; this is also why operating-system trust stores enroll publisher organizations, not individual engineers. The quality control group verifies functionality but is not the legal publisher of record. Individual developers come and go, and tying signing trust to a person undermines long-term verifiability. The data owner is responsible for data classification and handling, not for asserting the integrity of software releases. Only the developing organization is the recognized signing entity.
Other CISSP domains
- Asset Security (46 questions)
- Communication and Network Security (58 questions)
- Identity and Access Management (IAM) (55 questions)
- Security and Risk Management (75 questions)
- Security Architecture and Engineering (71 questions)
- Security Assessment and Testing (54 questions)
- Security Operations (68 questions)