Which secure coding best practice says to assume all incoming data should be considered untrusted and should be validated to ensure the system only accepts valid data?
A. General coding practices
B. Input validation
C. Session management
D. System configuration
Which security assessment deliverable identifies unmanaged code that must be kept up to date throughout the life of the product?
A. Threat profile
B. Metrics template
C. Product risk profile
D. List of third-party software
Using a web-based Common Vulnerability Scoring System (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the user authentication component of the company's new product. The base score of the vulnerability was 8.3 and changed to 9.4 after adjusting temporal and environmental metrics.
Which rating would CVSS assign this vulnerability?
A. High severity
B. Critical severity
C. Medium severity
D. Low severity
What are the three primary goals of the secure software development process?
A. Performance, reliability, and maintainability
B. Cost, speed to market, and profitability
C. Redundancy, scalability, and portability
D. Confidentiality, integrity, and availability
The software security team is performing security testing for a new software product that is close to production release. They are concentrating on integrations between the new product and database servers, web servers, and web services.
Which security testing technique is being used?
A. Fuzz testing
B. Dynamic code analysis
C. Binary fault injection
D. Binary code analysis
The security team has a library of recorded presentations that are required viewing for all new developers in the organization. The video series details organizational security policies and demonstrates how to define, test for, and code for possible threats.
Which category of secure software best practices does this represent?
A. Attack models
B. Training
C. Architecture analysis
D. Code review
The software security team has been tasked with assessing a document management application that has been in use for many years and developing a plan to ensure it complies with organizational policies.
Which post-release deliverable is being described?
A. Security strategy for M&A products
B. Security strategy for legacy code
C. Post-release certifications
D. External vulnerability disclosure response process
Company leadership has contracted with a security firm to evaluate the vulnerability of all externally facing enterprise applications via automated and manual system interactions. Which security testing technique is being used?
A. Property-based testing
B. Source-code analysis
C. Penetration testing
D. Source-code fault injection
Credit card numbers are encrypted when stored in the database but are automatically decrypted when data is fetched. The testing tool intercepted the GET response, and testers were able to view credit card numbers as clear text.
How should the organization remediate this vulnerability?
A. Never cache sensitive data
B. Ensure there is an audit trail for all sensitive transactions
C. Ensure all data in transit is encrypted
D. Enforce role-based authorization controls in all application layers
Which mitigation technique can be used to fight against a threat where a user may gain access to administrator-level functionality?
A. Encryption
B. Quality of service
C. Hashes
D. Run with least privilege
Which threat modeling approach concentrates on things the organization wants to protect?
A. Asset-centric
B. Server-centric
C. Attacker-centric
D. Application-centric
Which secure coding best practice says to require authentication before allowing any files to be uploaded and to limit the types of files to only those needed for the business purpose?
A. File management
B. Communication security
C. Data protection
D. Memory management
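The input validation question near the top of the page and the file upload question above describe the same discipline from two angles: treat every client-supplied value as untrusted, accept only what an allow-list permits, and check authentication before doing anything else. The following added example (written for this page, not taken from the exam or any vendor material) puts both into one server-side upload check. The permitted types, size limit, filename rule and session shape are assumptions chosen for illustration.

```python
import os
import re
import secrets

# Assumed business need: only images and PDFs are ever legitimate uploads.
# Each type is tied to its file signature so the content, not the name, decides.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024                      # assumed limit
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")  # allow-list, not a deny-list


def validate_upload(session: dict, client_filename: str, data: bytes) -> dict:
    """Decide whether an upload is accepted. Every argument except `session`
    comes from the client and is treated as hostile; the client's Content-Type
    header is deliberately not a parameter because it proves nothing."""
    # 1. Authentication first: anonymous requests never reach the parsing code.
    if not session.get("user_id"):
        return {"accepted": False, "reason": "authentication required"}

    # 2. Bound the size before looking at the content.
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return {"accepted": False, "reason": "size out of bounds"}

    # 3. Filename: discard any path the client sent (either separator), then
    #    require the remainder to match the allow-list pattern.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(name):
        return {"accepted": False, "reason": "invalid filename"}

    # 4. Extension must be one the business purpose needs. Only the final
    #    extension counts, so "shell.php.png" is judged as png content below.
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_TYPES:
        return {"accepted": False, "reason": f"type not permitted: {ext or '(none)'}"}

    # 5. The bytes must actually be that type: a renamed script fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return {"accepted": False, "reason": "content does not match declared type"}

    # 6. Never reuse the client's name on disk; assign a server-generated one
    #    so the stored path is never attacker-influenced.
    return {
        "accepted": True,
        "owner": session["user_id"],
        "original_name": name,
        "stored_as": f"{secrets.token_hex(16)}.{ext}",
    }


def demo() -> dict:
    """Run constructed cases and return {case: accepted_or_reason}."""
    auth = {"user_id": "u-42"}
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    cases = {
        "ok_png": (auth, "photo.png", png),
        "anonymous": ({}, "photo.png", png),
        "path_stripped": (auth, "../../var/www/site.png", png),
        "renamed_script": (auth, "shell.png", b"<?php system($_GET['c']); ?>"),
        "bad_extension": (auth, "payload.php", b"<?php ?>"),
        "bad_characters": (auth, "a;rm -rf.png", png),
        "empty": (auth, "photo.png", b""),
    }
    out = {}
    for label, args in cases.items():
        r = validate_upload(*args)
        out[label] = True if r["accepted"] else r["reason"]
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16} {result}")
```

Note what the path-traversal case shows: the directory part is simply dropped rather than rejected, because the stored name is generated by the server anyway; what the client called the file never reaches the filesystem.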
Real-World Scenario Mastery: Our Secure-Software-Design practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.
Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before WGU Secure Software Design (KEO1) exam day arrives.
Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive Secure-Software-Design practice exam questions pool covering all topics, the real exam feels like just another practice session.