CISSP

Software Development Security

16 free practice questions with explanations

PassNova has 16 free CISSP practice questions on Software Development Security, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Software Development Security: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 16 free in the browser.

  1. Which secure software development practice involves validating all input on the server side and rejecting data that does not conform to an explicit list of acceptable values?

    • A Output encoding
    • B Allow-list (whitelist) input validation
    • C Obfuscation
    • D Code signing

    Answer: Allow-list input validation accepts only data matching a predefined set of permitted values, which is more secure than trying to block known-bad input.

  2. A web application allows attackers to inject malicious SQL because user input is concatenated directly into database queries. Which control is the MOST effective defense?

    • A Disabling logging on the database
    • B Renaming the database tables
    • C Increasing the database server's RAM
    • D Using parameterized queries (prepared statements)

    Answer: Parameterized queries separate code from data so user input is treated strictly as a value, preventing SQL injection.

  3. In the OWASP context, which attack injects malicious scripts into a trusted website so they execute in other users' browsers, potentially stealing session cookies?

    • A Server-Side Request Forgery (SSRF)
    • B SQL injection
    • C Cross-Site Scripting (XSS)
    • D Cross-Site Request Forgery (CSRF)

    Answer: Cross-Site Scripting (XSS) injects scripts into a trusted page that then run in victims' browsers, often used to steal session tokens.

  4. Which software development methodology emphasizes building security in from the start by integrating security activities such as threat modeling and code review into each phase of the SDLC?

    • A Ad hoc development
    • B Big-bang integration
    • C Waterfall with security only at deployment
    • D DevSecOps

    Answer: DevSecOps integrates security practices like threat modeling and continuous testing throughout the development pipeline rather than bolting them on at the end.

  5. A database enforces that a transaction either completes entirely or has no effect at all, leaving the database unchanged if any part fails. Which ACID property describes this guarantee?

    • A Isolation
    • B Durability
    • C Atomicity
    • D Consistency

    Answer: Atomicity guarantees that all operations within a transaction succeed together or none take effect, treating the transaction as an indivisible unit.

  6. A developer accidentally commits an API secret key to a public code repository. Which secure development practice would have BEST prevented this exposure?

    • A Storing secrets in environment variables or a secrets manager and scanning commits
    • B Adding more code comments
    • C Increasing the application's logging verbosity
    • D Renaming the variable holding the key

    Answer: Keeping secrets out of source code by using a secrets manager or environment variables, combined with pre-commit secret scanning, prevents credentials from being committed.
