SWSEC_QB2
Fifty multiple-choice questions, with answers, on secure development and web application
security principles.
Secure Software Development Lifecycle
1. Which security activity is most effective when performed early in the development lifecycle to
eliminate bugs at the source?
A) Penetration testing
B) Manual code review
C) Fuzzing
D) Security auditing
Answer: B) Manual code review
2. In the "Three Pillars" of software security, which pillar focuses on identifying and ranking
risks?
A) Knowledge
B) Applied Risk Management
C) Security Operations
D) Software Touchpoints
Answer: B) Applied Risk Management
3. When should "Abuse Cases" be developed to understand how an attacker might subvert a
system?
A) During the maintenance phase
B) During requirements gathering
C) Only after a breach occurs
D) During the deployment phase
Answer: B) During requirements gathering
4. What is a significant limitation of penetration testing?
A) It cannot identify known vulnerabilities.
B) It provides a "point-in-time" snapshot but lacks architectural depth.
C) It is too automated to be useful.
D) It can only be performed by internal staff.
Answer: B) It provides a "point-in-time" snapshot but lacks architectural depth.
5. Which design principle dictates that a system should default to no access if a security
mechanism fails?
A) Open design
B) Fail-safe defaults
C) Least privilege
D) Economy of mechanism
Answer: B) Fail-safe defaults
6. In the STRIDE threat model, what does the "S" represent?
A) Software
B) Spoofing
C) Scripting
D) Systemic
Answer: B) Spoofing
7. Which risk analysis step involves visualizing how an attacker might move through a system?
A) Impact analysis
B) Mapping attack scenarios
C) Risk ranking
D) Asset identification
Answer: B) Mapping attack scenarios
8. Why is manual code review often considered a difficult task to scale?
A) It requires specialized tools that are expensive.
B) It is time-consuming and requires high expertise to spot subtle flaws.
C) It cannot find buffer overflows.
D) It is only applicable to legacy languages.
Answer: B) It is time-consuming and requires high expertise to spot subtle flaws.
9. While traditional testing verifies that a system functions correctly, security testing often
focuses on:
A) User interface aesthetics.
B) What the system should not do.
C) Increasing the speed of the application.
D) Marketing requirements.
Answer: B) What the system should not do.
10. Which pillar of software security involves utilizing attack patterns and security wisdom?
A) Knowledge
B) Applied Risk Management
C) Software Touchpoints
D) Operations
Answer: A) Knowledge
Web Application Weaknesses
11. Which vulnerability occurs when a user can access data or functions they are not authorized
to reach?
A) Injection
B) Broken Access Control
C) Cryptographic Failure
D) Security Misconfiguration
Answer: B) Broken Access Control
12. What is the root cause of Injection vulnerabilities?
A) Using slow hardware.
B) Mixing untrusted user data with command or query strings.
C) Failing to use a firewall.
D) Using too many open-source libraries.
Answer: B) Mixing untrusted user data with command or query strings.
13. Which security failure involves missing or ineffective security controls at the planning stage?
A) Insecure Design
B) Server-Side Request Forgery
C) Security Misconfiguration
D) Software Integrity Failure
Answer: A) Insecure Design
14. An application that uses default administrative passwords is an example of:
A) Injection
B) Security Misconfiguration
C) Insecure Design
D) Cryptographic Failure
Answer: B) Security Misconfiguration
15. If a breach occurs and is not detected for months, it is primarily a failure of:
A) Encryption
B) Security Logging and Monitoring
C) Access Control
D) Input Validation
Answer: B) Security Logging and Monitoring
16. What occurs during a Server-Side Request Forgery (SSRF) attack?
A) A user steals a cookie.
B) A web application is coerced into making an unauthorized request to an internal resource.
C) A database is deleted via a SQL command.
D) A user's password is cracked.
Answer: B) A web application is coerced into making an unauthorized request to an internal
resource.
17. Why is it dangerous to use vulnerable or outdated components in a web application?
A) It makes the application look unprofessional.
B) They often contain known, exploitable security holes.
C) They take up too much disk space.
D) They are incompatible with modern browsers.
Answer: B) They often contain known, exploitable security holes.
18. What is the typical result of Cryptographic Failures?
A) Denial of Service.
B) Exposure of sensitive data like passwords or credit card numbers.
C) Remote code execution.
D) Slowing down the server.
Answer: B) Exposure of sensitive data like passwords or credit card numbers.
19. Which vulnerability category involves the lack of verification for software updates or data
sources?
A) Software and Data Integrity Failures
B) Broken Access Control
C) Injection
D) SSRF
Answer: A) Software and Data Integrity Failures
20. What is the main goal of using a community-driven list of the most critical web risks?
A) To replace professional security audits.
B) To provide a standardized awareness and focus for developers.
C) To list every possible bug in existence.
D) To rank the most popular web frameworks.
Answer: B) To provide a standardized awareness and focus for developers.
Web Technologies & HTTP
21. Which HTTP method is defined as "safe" (read-only) and "idempotent", and is the standard method for retrieving a resource?
A) POST
B) GET
C) CONNECT
D) TRACE
Answer: B) GET
22. Which port is the standard for encrypted HTTPS traffic?
A) 80
B) 443
C) 21
D) 25
Answer: B) 443
23. Why are cookies necessary for maintaining user sessions in web applications?
A) Because HTTP is a stateless protocol.
B) To speed up the internet connection.
C) To prevent SQL injection.
D) To encrypt the body of the request.
Answer: A) Because HTTP is a stateless protocol.
24. Which part of a URI allows the client to send data to the server as key-value pairs?
A) Scheme
B) Path
C) Query string
D) Fragment
Answer: C) Query string
25. Which URI component is processed only by the client and not sent to the server?
A) Authority
B) Query
C) Fragment (#)
D) Scheme
Answer: C) Fragment (#)
26. What does percent-encoding (e.g., %20 for a space) allow in a URL?
A) Encryption of the URL.
B) Representation of characters that have special meaning or are non-ASCII.
C) Shortening of the URL for social media.
D) Compression of the data.
Answer: B) Representation of characters that have special meaning or are non-ASCII.
27. What is the purpose of "Punycode" in web addresses?
A) To hide the server's IP address.
B) To represent international (Unicode) characters in the Domain Name System.
C) To compress high-resolution images.
D) To block malicious scripts.
Answer: B) To represent international (Unicode) characters in the Domain Name System.
28. In the URI [Link] which part is the "Authority"?
A) https
B) user:pass@[Link]
C) /
D) [Link]
Answer: B) user:pass@[Link]
29. Which HTTP version introduced multiplexing and server push to improve performance?
A) HTTP/1.0
B) HTTP/1.1
C) HTTP/2
D) HTTP/0.9
Answer: C) HTTP/2
30. Why is it a security risk to include sensitive data in a GET request?
A) GET requests are always encrypted.
B) The data appears in browser history and server logs.
C) GET requests cannot handle parameters.
D) GET requests are slower than POST.
Answer: B) The data appears in browser history and server logs.
Access Control & Path Traversal
31. Which of the following describes a failure of "horizontal" access control?
A) Moving from a user role to an admin role.
B) Accessing data belonging to another user with the same role level.
C) Bypassing a firewall.
D) Changing the server's OS.
Answer: B) Accessing data belonging to another user with the same role level.
32. Which of the following describes a failure of "vertical" access control?
A) A user accessing their own profile.
B) A lower-privileged user accessing functions meant for higher-privileged users.
C) A server communicating with another server.
D) Loading a page from the top down.
Answer: B) A lower-privileged user accessing functions meant for higher-privileged users.
33. An attacker uses ../../etc/passwd in a URL to read a system file. What is this attack called?
A) Cross-Site Scripting
B) Path Traversal (or Directory Traversal)
C) SQL Injection
D) Session Hijacking
Answer: B) Path Traversal (or Directory Traversal)
34. What is "Data Indirection" in secure object referencing?
A) Encrypting the entire database.
B) Using a temporary mapping (like an index) instead of the real database key in the UI.
C) Storing data on a remote server.
D) Using multiple servers to host one file.
Answer: B) Using a temporary mapping (like an index) instead of the real database key in the UI.
35. Why must access control be enforced on the server side?
A) Because client-side code (like JavaScript) can be bypassed by the user.
B) Because it is faster for the server.
C) Because browsers do not support security.
D) Because it reduces network traffic.
Answer: A) Because client-side code (like JavaScript) can be bypassed by the user.
36. A web application that relies on "hidden" HTML fields to determine a price is vulnerable to:
A) Parameter tampering
B) Phishing
C) Brute force
D) DNS poisoning
Answer: A) Parameter tampering
37. Which security principle is violated if an application doesn't re-check a user's permissions
when they access a specific record?
A) Fail-safe defaults
B) Complete mediation
C) Least privilege
D) Open design
Answer: B) Complete mediation
38. What is the benefit of "Canonicalization" in security?
A) It makes the code run faster.
B) It converts input into a standard form to prevent bypasses like /%2e%2e/.
C) It translates the website into multiple languages.
D) It compresses the database.
Answer: B) It converts input into a standard form to prevent bypasses like /%2e%2e/.
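Questions 33 and 38 together, as an added example that is not part of the original question bank: a server-side path check that decodes, canonicalises and then verifies that the result stays under a document root. The root directory (/var/www/files) and the sample inputs are hypothetical. The naive blacklist is included only to show why the encoded form /%2e%2e/ walks past it.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root; every path the application serves must stay below it.
BASE_DIR = "/var/www/files"


def naive_is_safe(user_path: str) -> bool:
    # Blacklist on the raw input. "%2e%2e" is not the string "..", so an
    # encoded traversal is judged "safe" here and decoded later by the server.
    return ".." not in user_path


def fully_decode(user_path: str, max_rounds: int = 3) -> str:
    # Percent-decode until the string stops changing, so double-encoded input
    # such as "%252e%252e" (-> "%2e%2e" -> "..") cannot survive a single pass.
    current = user_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_under_base(base: str, user_path: str) -> Optional[str]:
    """Canonicalise user_path relative to base; return None if it escapes base."""
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        return None  # an embedded NUL truncates the path in C-based file APIs
    # Treat the input as relative to base even if it begins with "/", then
    # collapse "." and ".." segments and repeated slashes into canonical form.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # Fail-safe default: only the base itself or something strictly below it.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    samples = [
        "docs/report.pdf",
        "../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/%252e%252e/etc/passwd",
    ]
    for p in samples:
        print(f"{p!r:40} naive_safe={naive_is_safe(p)!s:5} "
              f"resolved={resolve_under_base(BASE_DIR, p)}")
```

The check operates on the path string only. On a real filesystem, also resolve symbolic links (os.path.realpath) before comparing against the root, and reject Windows-style backslash separators if the server runs on Windows, since normpath on POSIX treats them as ordinary characters.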
39. "Defense-in-depth" in access control implies:
A) Using only one very strong password.
B) Using multiple layers of security, such as app-level checks and OS-level permissions.
C) Hiding the server in a basement.
D) Encrypting all data twice.
Answer: B) Using multiple layers of security, such as app-level checks and OS-level
permissions.
40. If an attacker changes a URL from account=101 to account=102 and sees another person's
data, this is an example of:
A) Insecure Direct Object Reference (IDOR)
B) Cross-Site Request Forgery
C) Buffer Overflow
D) Logic Bomb
Answer: A) Insecure Direct Object Reference (IDOR)
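Questions 34, 35, 37, 39 and 40 as one added example, not code from the original question bank: the vulnerable direct lookup behind the account=101 to account=102 change, beside a handler that uses a per-session indirect reference map and still re-checks ownership on every request. The account store, user names and balances are constructed sample data.

```python
import secrets
from typing import Dict, Optional

# Constructed sample store keyed by the real database id (hypothetical data).
ACCOUNTS: Dict[int, dict] = {
    101: {"owner": "alice", "balance": 40},
    102: {"owner": "bob", "balance": 95},
}


class Session:
    """Per-user session holding an opaque-reference -> real-key map (data indirection)."""

    def __init__(self, user: str) -> None:
        self.user = user
        self._ref_to_key: Dict[str, int] = {}

    def reference_for(self, real_key: int) -> str:
        # The UI only ever sees this random token, never the database key,
        # so there is nothing sequential for an attacker to increment.
        ref = secrets.token_urlsafe(12)
        self._ref_to_key[ref] = real_key
        return ref

    def resolve(self, ref: str) -> Optional[int]:
        return self._ref_to_key.get(ref)


def get_account_direct(account_id: int) -> Optional[dict]:
    # Vulnerable pattern: the client-supplied key is trusted as-is, so editing
    # account=101 to account=102 in the URL returns another user's record (IDOR).
    return ACCOUNTS.get(account_id)


def get_account_checked(session: Session, ref: str) -> Optional[dict]:
    # Enforced on the server for every request (complete mediation):
    # 1. the opaque reference must have been issued to THIS session;
    key = session.resolve(ref)
    if key is None:
        return None  # fail-safe default: unknown reference means no access
    # 2. the caller must own the record, even if a valid reference leaked or
    #    was issued for the wrong key (second layer: defense in depth).
    record = ACCOUNTS.get(key)
    if record is None or record["owner"] != session.user:
        return None
    return record


if __name__ == "__main__":
    alice = Session("alice")
    ref = alice.reference_for(101)
    print(get_account_direct(102))                  # bob's record: IDOR
    print(get_account_checked(alice, ref))          # alice's own record
    print(get_account_checked(Session("bob"), ref)) # None: ref was not issued to bob
```

The indirection map removes the guessable identifier from the client; the ownership check is what actually enforces authorisation, which is why the second check is kept even though the first already rejects foreign references.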
XSS & Core Security Principles
41. What is the primary target of a Cross-Site Scripting (XSS) attack?
A) The web server's database.
B) The user's browser.
C) The server's file system.
D) The network router.
Answer: B) The user's browser.
42. Which type of XSS involves a malicious script being permanently stored on the server (e.g.,
in a comment)?
A) Reflected XSS
B) Stored (or Persistent) XSS
C) DOM-based XSS
D) Blind XSS
Answer: B) Stored (or Persistent) XSS
43. What is the most effective way to prevent XSS when displaying user-supplied data?
A) Using a faster database.
B) Context-aware output encoding.
C) Increasing the server's RAM.
D) Disabling cookies.
Answer: B) Context-aware output encoding.
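What "context-aware" means in question 43, as an added example that is not part of the original question bank: the same untrusted value needs a different encoder depending on whether it lands in an HTML element body, a quoted attribute, a URL query parameter or a JavaScript string. The profile page template and the payloads below are hypothetical.

```python
import html
import json
from urllib.parse import quote


def encode_for_html_body(s: str) -> str:
    # Element content: &, <, >, " and ' become character references.
    return html.escape(s, quote=True)


def encode_for_html_attribute(s: str) -> str:
    # Only safe when the template always quotes the attribute; escaping the
    # quote characters then keeps the value from breaking out of the attribute.
    return html.escape(s, quote=True)


def encode_for_url_param(s: str) -> str:
    # Query-string component: percent-encode everything outside the unreserved set.
    return quote(s, safe="")


def encode_for_js_string(s: str) -> str:
    # JSON gives a valid, quoted JS string literal; the extra replacements stop
    # "</script>" from terminating the surrounding script block in HTML.
    return (
        json.dumps(s)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_profile(display_name: str, bio: str, theme: str) -> str:
    # Hypothetical template: one untrusted value per output context.
    return (
        f"<h1>{encode_for_html_body(display_name)}</h1>\n"
        f'<div data-bio="{encode_for_html_attribute(bio)}"></div>\n'
        f'<a href="/search?q={encode_for_url_param(display_name)}">Find</a>\n'
        f"<script>var theme = {encode_for_js_string(theme)};</script>"
    )


if __name__ == "__main__":
    print(render_profile(
        "<script>alert(1)</script>",          # element-body payload
        '" onmouseover="alert(1)',            # attribute-breakout payload
        "</script><script>alert(1)</script>", # script-block-breakout payload
    ))
```

Using the HTML body encoder everywhere is the common mistake: it would leave the JavaScript string context exploitable, because html.escape does nothing about a closing quote followed by code inside an existing script block, and an unquoted attribute can be escaped with a space regardless of encoding.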
44. A "Homograph" attack exploits:
A) Weak passwords.
B) Visual similarities between characters from different scripts (e.g., Latin 'o' and Greek 'ο').
C) Bugs in the CPU.
D) Slow network speeds.
Answer: B) Visual similarities between characters from different scripts (e.g., Latin 'o' and Greek 'ο').
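Questions 27 and 44 together, as an added example that is not part of the original question bank: Python's standard IDNA codec turns an internationalised domain label into its Punycode ("xn--") form, and a small mixed-script check flags the classic homograph pattern where one Cyrillic letter is dropped into an otherwise Latin label. The domain names are constructed; the look-alike uses U+0430 (Cyrillic small a) in place of Latin "a".

```python
import unicodedata
from typing import Set


def to_punycode(domain: str) -> str:
    # IDNA encodes label by label; any label with non-ASCII characters becomes
    # an "xn--" ACE label, which is what actually goes into DNS queries.
    return domain.encode("idna").decode("ascii")


def from_punycode(ace_domain: str) -> str:
    return ace_domain.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> Set[str]:
    # Collect the Unicode script of each letter via the character name prefix
    # (e.g. "CYRILLIC SMALL LETTER A" -> "CYRILLIC"). Digits and "-" are neutral.
    scripts: Set[str] = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ")[0])
    return scripts


def is_mixed_script(domain: str) -> bool:
    # Flag any label that mixes more than one script: "аpple" (Cyrillic а + Latin)
    # is caught; a label written entirely in one script is not (see note below).
    return any(len(scripts_in_label(label)) > 1 for label in domain.split("."))


# Constructed look-alike: "\u0430" is Cyrillic small a, visually identical to "a".
LOOKALIKE = "\u0430pple.com"

if __name__ == "__main__":
    ace = to_punycode(LOOKALIKE)
    print(ace)                          # xn--pple-43d.com
    print(from_punycode(ace) == LOOKALIKE)
    print(is_mixed_script(LOOKALIKE))   # True
    print(is_mixed_script("apple.com")) # False
```

The mixed-script test is only a first filter: a label spelled entirely in Cyrillic look-alikes passes it, which is why browsers fall back to displaying the raw xn-- form for labels they cannot classify as safe rather than trusting a single heuristic.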
45. Which principle states that security should not depend on the secrecy of the design or
implementation?
A) Economy of mechanism
B) Open design
C) Least privilege
D) Separation of privilege
Answer: B) Open design
46. "Psychological acceptability" as a security principle means:
A) Security must be so complex that it scares attackers.
B) Security mechanisms should not make the system significantly harder to use.
C) Users must be trained to be paranoid.
D) Developers must be happy with their code.
Answer: B) Security mechanisms should not make the system significantly harder to use.
47. "Least Common Mechanism" suggests:
A) Using the most popular software available.
B) Minimizing the amount of shared state or shared functions between different users.
C) Only using security tools once.
D) Deleting rare code branches.
Answer: B) Minimizing the amount of shared state or shared functions between different users.
48. In the STRIDE model, "Repudiation" refers to:
A) Stealing data.
B) A user claiming they didn't perform an action because of a lack of logs/evidence.
C) Crashing the server.
D) Altering data in transit.
Answer: B) A user claiming they didn't perform an action because of a lack of logs/evidence.
49. What is the main goal of "Sanitization"?
A) To make the code look clean.
B) To remove or neutralize potentially harmful characters from input data.
C) To delete old user accounts.
D) To speed up the database.
Answer: B) To remove or neutralize potentially harmful characters from input data.
50. Which security touchpoint is often referred to as "Testing from the outside in"?
A) Code review
B) Penetration testing
C) Risk analysis
D) Requirements gathering
Answer: B) Penetration testing