ISC2 CCSP — Certified Cloud Security Professional · Domain 4 · 17% of exam

Cloud Application Security

Drill 20 practice questions focused entirely on Cloud Application Security for the ISC2 CCSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A development team exposes a REST API for a multi-tenant cloud SaaS. During a security review, a tester finds that by changing the numeric 'accountId' parameter in the URL (e.g., /api/v1/accounts/1042/invoices), they can retrieve invoices belonging to other tenants even though the JWT they present is valid for only their own account. The endpoint authenticates the token correctly but returns data without further checks. Which control best addresses this OWASP API Security Top 10 weakness?

Reviewed for accuracy · Report an issue
Question 2 of 20

A financial services company exposes internal microservices to trusted partner banks through a cloud API gateway. Security requires that both the calling partner service AND the receiving API prove their identities cryptographically before any request payload is processed, preventing spoofed clients even if a partner's API key were leaked. Which control best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 3 of 20

A development team runs a containerized microservice on a managed Kubernetes cluster in a public cloud. The service needs to read objects from a cloud object storage bucket. Currently, developers have embedded a long-lived cloud access key and secret into the container image's environment variables. A security review flags this as a risk. Which approach BEST remediates the finding while following cloud IAM best practices for application identity?

Reviewed for accuracy · Report an issue
Question 4 of 20

A development team is building a cloud-hosted web application that displays user-submitted comments on a public product page. During a threat modeling review, a security engineer flags that attacker-supplied comment text could be rendered directly into the HTML response, allowing malicious scripts to execute in other users' browsers. Which control most directly mitigates this OWASP-classified vulnerability?

Reviewed for accuracy · Report an issue
Question 5 of 20

A financial services company deploys a dozen SaaS applications for its employees and wants to centralize authentication so users log in once with corporate credentials. The security team implements SAML-based federation with the corporate identity provider (IdP) issuing assertions to each SaaS relying party. During a design review, an architect warns that this federation model introduces a specific risk that must be mitigated. Which risk is MOST directly created by this federated SSO design, and what is the appropriate mitigation?

Reviewed for accuracy · Report an issue
Question 6 of 20

A security review of a cloud-native microservices application finds that database credentials and third-party API keys are stored in plaintext within environment variables defined in the container image's Dockerfile and committed to the source code repository. The DevOps team needs a remediation approach that removes long-lived secrets from code while enabling automatic rotation and audited retrieval at runtime. Which approach best addresses these requirements?

Reviewed for accuracy · Report an issue
Question 7 of 20

A development team is building a public single-page application (SPA) that runs entirely in the user's browser and must authenticate users against a corporate identity provider using OAuth 2.0. Because the SPA cannot securely store a client secret, the security architect must recommend the appropriate authorization flow to prevent authorization code interception attacks. Which approach should the architect recommend?

Reviewed for accuracy · Report an issue
Question 8 of 20

A development team is integrating a new cloud-hosted analytics application with the company's identity provider. Developers implemented OAuth 2.0 access tokens and use the presence of a valid access token to log the user in and populate their profile page. During a security review, the assessor flags this as an authentication design flaw. What is the MOST accurate reason the current approach is insecure, and what should the team adopt?

Reviewed for accuracy · Report an issue
Question 9 of 20

A development team is deploying a cloud-native web application that exposes a REST API. Regular authenticated users interact only with the standard endpoints, but a penetration tester discovers that by directly invoking the URL '/api/v1/admin/deleteUser', a normal user without any administrative role is able to remove other accounts. The endpoint performs no server-side role verification and relies solely on the fact that the admin function link is hidden from the standard user interface. Which OWASP application security weakness does this MOST directly represent?

Reviewed for accuracy · Report an issue
Question 10 of 20

A development team is building a cloud-native SaaS application that stores customer payment card numbers and personal data in a managed database. During a security review, an assessor notes that the application transmits session tokens over HTTPS but stores card numbers in the database as plaintext, and the application logs include full card numbers for debugging. Which OWASP Top 10 category best describes this finding, and what is the most appropriate remediation?

Reviewed for accuracy · Report an issue
Question 11 of 20

A cloud-native e-commerce service accepts serialized session objects from clients and reconstructs them server-side using the language's native deserialization function. During a threat modeling review, a security engineer flags that an attacker could craft a malicious serialized payload to execute code on the application server. Which mitigation most directly addresses the root cause of this OWASP vulnerability?

Reviewed for accuracy · Report an issue
Question 12 of 20

A development team is building a customer-facing web application hosted on cloud IaaS. The application accepts a URL from users and fetches the content of that URL to generate link previews. During a threat modeling review, a security architect warns that an attacker could abuse this feature to make the server retrieve the cloud instance metadata endpoint (e.g., 169.254.169.254) and potentially expose IAM credentials. Which mitigation most directly addresses this specific vulnerability class?

Reviewed for accuracy · Report an issue
Question 13 of 20

A development team building a cloud-native web application wants to detect vulnerabilities as early as possible in their secure SDLC. They already run software composition analysis on third-party libraries during the build. The security architect now wants a tool that analyzes the team's own source code for flaws like SQL injection patterns before the application is ever compiled or deployed to a running environment. Which testing approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 14 of 20

A cloud-native company builds container images in its CI/CD pipeline and deploys them to a managed Kubernetes service. After a widely publicized incident where a compromised third-party build tool injected malicious code into published artifacts, the security team wants to ensure that only images whose exact component inventory is known and verifiably unaltered can be deployed to production. Which practice most directly addresses this requirement?

Reviewed for accuracy · Report an issue
Question 15 of 20

A development team ships a containerized microservice built on dozens of open-source libraries pulled from public package registries. After a widely publicized vulnerability was discovered in a transitive dependency, the security team wants a repeatable control that continuously identifies known-vulnerable components and their exact versions across all builds before deployment. Which practice most directly addresses this need?

Reviewed for accuracy · Report an issue
Question 16 of 20

A SaaS company integrates dozens of enterprise customers who use their own corporate identity providers for SSO via SAML. The security team discovers that when employees leave a customer organization, their access to the SaaS application often persists for weeks because the SAML federation only handles authentication at login time, not account lifecycle changes. The team needs to eliminate these orphaned accounts automatically. Which approach best addresses the root problem?

Reviewed for accuracy · Report an issue
Question 17 of 20

A DevOps team runs a fleet of microservices in a managed Kubernetes cluster. Each service currently reads a static database password from an environment variable injected at deployment. Security audits found the same credential has not been changed in 14 months, is shared across all services, and appears in CI/CD pipeline logs. The team wants a cloud-native approach that eliminates long-lived shared credentials and provides per-service accountability. Which solution BEST addresses these requirements?

Reviewed for accuracy · Report an issue
Question 18 of 20

A cloud-native software company is maturing its secure SDLC after several vulnerabilities reached production. The CISO wants to reduce the recurrence of insecure code by addressing the root cause rather than relying solely on downstream scanning. Which action most directly builds a durable, preventive security culture within the development teams?

Reviewed for accuracy · Report an issue
Question 19 of 20

A development team is building a new microservices-based cloud application. During the secure SDLC design phase, the security architect wants to systematically identify threats by examining each data flow across trust boundaries between services, the API gateway, and backend datastores. Which approach best fits this requirement?

Reviewed for accuracy · Report an issue
Question 20 of 20

A cloud development team is adopting a secure SDLC for a new microservices-based SaaS platform. The security architect wants threat modeling to deliver the greatest cost and risk-reduction benefit. At which point in the SDLC should structured threat modeling be introduced to maximize its value?

Reviewed for accuracy · Report an issue

More CCSP practice

Keep going with the other ISC2 CCSP — Certified Cloud Security Professional domains, or take a full timed mock exam.

← Back to CCSP overview