Software Development Security
Drill 13 practice questions focused entirely on Software Development Security for the ISC2 CISSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A financial services firm is purchasing a specialized loan-origination application from a small vendor. Because the software will process sensitive customer data and become business-critical, the security team wants assurance that the firm can maintain and remediate the code if the vendor goes out of business or fails to patch discovered vulnerabilities. Which contractual provision BEST addresses this specific concern?
A security tester reviewing a company's REST API discovers that changing the numeric account ID in the URL path /api/v1/accounts/1042/statements to /api/v1/accounts/1043/statements returns another customer's statements. The request carried a valid, authenticated bearer token belonging to the tester. Which underlying flaw most accurately describes this finding, and what is the correct remediation?
A public-facing REST API exposes a customer-lookup endpoint that requires authentication. Security monitoring reveals that a small number of valid API keys are issuing thousands of sequential requests per minute, systematically enumerating account identifiers. Authorization checks are correctly enforced, and no single request is malformed. Which control would MOST directly mitigate this abuse while allowing legitimate clients to continue operating?
A DevSecOps team wants to prevent developers from committing hardcoded API keys and database passwords into the source repository. Occasionally these secrets are discovered only after they have been deployed to production, forcing emergency credential rotation. Which control most effectively addresses this problem as early as possible in the pipeline?
A financial services firm is acquiring a packaged desktop application from a vendor and plans to deploy it across thousands of employee workstations. The security team wants assurance that the executables installed have not been altered between the vendor's build process and the endpoints, and that they genuinely originate from the named vendor. Which control most directly provides this assurance?
A banking web application allows authenticated users to transfer funds via a POST request. Security testing reveals that an attacker can host a malicious page that automatically submits a fund-transfer form to the bank's endpoint; if a logged-in victim visits the page, the transfer executes using the victim's active session cookie. The application relies solely on the session cookie to authorize the request. Which control most directly mitigates this vulnerability?
A defense contractor's data warehouse allows analysts to run aggregate queries (counts, averages) over classified personnel records. A security review discovers that by combining several narrowly-scoped aggregate queries, an analyst can deduce the identity and clearance status of a specific individual—information they are not authorized to see directly. Which database security control BEST addresses this specific weakness?
A Java web application accepts serialized objects from client requests to restore user session state. During a security assessment, a tester crafts a malicious serialized payload that, when processed by the server, executes arbitrary system commands. The development team must remediate this vulnerability. Which approach BEST addresses the root cause?
A development team is beginning a new project to build a customer-facing loan application portal that will process sensitive financial data. The security architect wants to ensure that security cost and effectiveness are optimized across the entire effort. At which point in the software development lifecycle should security requirements first be formally defined and documented to achieve the lowest remediation cost?
A CISO wants to objectively benchmark the organization's software security program across activities such as governance, secure design, secure build, and security testing, and to produce a roadmap that shows measurable improvement over successive years. Which approach BEST meets this goal?
A development team ships a web application that heavily relies on third-party open-source libraries pulled from public package repositories. During a post-incident review, security discovers the breach exploited a known critical vulnerability in a transitive dependency that no one on the team was aware they were using. Which practice, integrated into the build pipeline, would most directly prevent recurrence of this specific issue?
A developer reviews a customer login endpoint that constructs a database query by concatenating user-supplied username and password strings directly into a SQL statement. Penetration testers demonstrated that entering a crafted username allowed authentication bypass and dumping of the user table. Which remediation most fundamentally eliminates this class of vulnerability?
A security assessment of a company's customer support web portal reveals that comments submitted by users are stored in a database and later rendered on an agent's dashboard. A tester submitted a comment containing a script tag, and when an agent opened the ticket queue, the script executed in the agent's browser and exfiltrated the agent's session token. Which control most directly prevents this class of vulnerability?
More CISSP practice
Keep going with the other ISC2 CISSP — Certified Information Systems Security Professional domains, or take a full timed mock exam.
← Back to CISSP overview