Quiz: Application Security

A 25-question self-check on the OWASP Top 10, secure coding, the software supply chain, SAST/DAST/SCA, and threat modeling. Questions tagged [Sec+] map to CompTIA Security+ objectives and [CISSP] to (ISC)² CISSP domains (notably Software Development Security). Answers and one-line explanations are at the end; try the whole quiz first.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] "Shift left" in a secure SDLC means: A. move servers to the left datacenter B. move security activities earlier in development C. prefer left-handed engineers D. delay security until after launch

2. [Sec+] The OWASP Top 10 is best described as: A. a complete security standard you can certify against B. a ranked list of categories of application risk for awareness and prioritization C. a list of specific CVEs D. a compliance law

3. A user changes account_id=1004 to 1005 in a request and reads another customer's data. This is: A. Cryptographic Failures B. Broken Access Control C. SSRF D. Security Misconfiguration

4. [CISSP] Building a SQL command by concatenating user input into a string, so the database cannot distinguish code from data, is the root mechanism of: A. injection B. a denial-of-service attack C. cryptographic failure D. misconfiguration

5. The OWASP category that is the natural home of the Log4Shell vulnerability is: A. Insecure Design B. Identification & Authentication Failures C. Vulnerable & Outdated Components D. Security Logging & Monitoring Failures

6. [Sec+] Positive input validation (allowlisting) is stronger than denylisting because: A. it is faster B. you can reliably define what is allowed, but not enumerate every dangerous input C. it runs on the client D. it encodes output automatically

7. Output encoding must be context-specific because: A. it is required by law B. the rules differ by destination (HTML, JS, URL, SQL), and encoding for the wrong one provides no protection C. it replaces input validation D. browsers ignore it otherwise

8. [CISSP] A tool that analyzes source code without running it to flag insecure patterns is: A. DAST B. SAST C. SCA D. a WAF

9. A tool that inventories third-party libraries and checks them against known-vulnerability databases is: A. SAST B. DAST C. SCA D. a fuzzer

10. [Sec+] In STRIDE, the "E" stands for: A. Encryption B. Elevation of privilege C. Exfiltration D. Endpoint

11. Client-side input validation (in the browser) is: A. a sufficient security control B. a usability feature that must be re-done server-side for security C. stronger than server-side validation D. the same as output encoding

12. [CISSP] The deliverable that makes a threat model actually change the software is: A. a network diagram B. a set of verifiable security requirements C. a penetration-test report D. a compliance certificate


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

13. "A secret deleted from a source file is safe, because the current code no longer contains it."

14. [Sec+] "Input validation alone is sufficient to prevent SQL injection and cross-site scripting."

15. "DAST finds fewer false positives than SAST because it exercises the real running application."

16. "Because most of an application is third-party code, SCA is essential and not optional."

17. [CISSP] "A scanner can find insecure-design flaws and missing business-logic controls."


Section 3 — Fill in the blank (1 pt each)

18. A specific, verifiable statement of what software must do (or never do) to be secure is a security __.

19. [Sec+] The mnemonic that enumerates six threat types (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) is __.

20. A formal, machine-readable inventory of every component in a piece of software is a software __ of materials (introduced in Chapter 23, fully developed in Chapter 29).

21. A library pulled in by one of your dependencies, rather than chosen by you directly, is a __ dependency.

22. [Sec+] The community catalog of specific software weakness types, each with a numbered ID, is the Common __ Enumeration.


Section 4 — Short answer (2 pts each)

23. [CISSP] Explain the difference between input validation and output encoding, and why running both is an example of defense in depth.

24. In two or three sentences, explain why Log4Shell was so difficult for organizations to respond to, even though a patch was available quickly. Name the single capability that most reduced an organization's response time.

25. [Sec+] A SAST scan returns 4,000 findings. Explain why "fix all 4,000" is the wrong instruction, and describe, using the risk idea, how you would decide which to gate a release on.


Answer Key

1. **B** — shift left moves security activities earlier (design/code), where fixes are cheap.
2. **B** — the Top 10 is a categorized awareness/prioritization list, not a standard, law, or CVE list.
3. **B** — trusting a client-supplied ID without authorization is Broken Access Control (an IDOR).
4. **A** — concatenating data into a command is the injection mechanism.
5. **C** — Log4Shell is a vulnerable component (it also has an injection aspect).
6. **B** — you can define the allowed shape but cannot enumerate every malicious input.
7. **B** — encoding rules differ by destination; wrong-context encoding gives no protection.
8. **B** — static analysis reads code at rest = SAST.
9. **C** — dependency inventory + known-vuln matching = SCA.
10. **B** — Elevation of privilege.
11. **B** — the client is attacker-controlled, so client checks are usability only and must be re-done server-side.
12. **B** — requirements are what change the build; the diagram only helps discover them.
13. **F** — version control retains history, so a once-committed secret has effectively leaked and must be rotated.
14. **F** — validation helps, but valid input (e.g., `O'Brien`, or a `<` in a comment) can still be dangerous output; you also need encoding/parameterization.
15. **T** — exercising the real app means a DAST finding is more likely genuinely exploitable, though DAST has more *false negatives*.
16. **T** — since imported code dominates, you must inventory and monitor it; SCA is essential.
17. **F** — scanners find recognizable code/dependency/runtime issues; design and business-logic flaws require threat modeling and human review.
18. requirement.
19. STRIDE.
20. bill.
21. transitive.
22. Weakness.
23. *Input validation* checks that incoming data matches the expected shape (allowlist, server-side) and rejects the rest, governing what enters your logic; *output encoding* transforms data so the destination interpreter (HTML, SQL, shell) treats it as inert, governing how data leaves your logic. Running both is defense in depth because each catches what the other misses — valid input can still be dangerous output, and encoding alone can let malformed data corrupt logic.
24. The hard problem was *finding*, not fixing: Log4j was a deeply transitive dependency in countless products organizations did not know they ran, so without an inventory they could not answer "do we use it, and where?" The capability that most reduced response time was a dependency inventory / SBOM (produced by SCA).
25. A raw count treats every finding as equal, but risk = likelihood × impact: many findings are false positives or low-risk. Tune the tool, suppress known-false patterns, rank by exploitability and asset criticality, and gate the release only on the high-confidence, high-severity subset — not on raw volume.

**Topics to review by question:** 1, 12 → §12.1, §12.6; 2–5, 10 → §12.2; 6–7, 11, 14, 23 → §12.3; 13, 16, 21, 24 → §12.4; 8–9, 15, 25 → §12.5; 17–19 → §12.6; 20, 22 → §12.2/§12.4.
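
As an added example (not part of the quiz or its answer key), the Python below runs the answer key's own inputs, the name `O'Brien` and a comment containing `<`, through the three layers that answers 4, 14 and 23 describe: server-side allowlist validation, a parameterized query instead of string concatenation, and HTML output encoding. The in-memory SQLite table, the `users` schema, the name pattern and the function names are all assumptions constructed for this illustration.

```python
"""Added example: validation, parameterization and context-specific output
encoding as three separate layers (assumed schema and data, constructed here)."""
import html
import re
import sqlite3

# Layer 1: positive (allowlist) validation, done server-side. Letters, spaces,
# apostrophes and hyphens are legitimate in a display name, so O'Brien passes
# while characters outside the allowed shape are rejected. (Assumed pattern.)
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def validate_name(name: str) -> bool:
    """True when the name matches the allowed shape; never relies on the client."""
    return bool(NAME_RE.fullmatch(name))


def setup_db() -> sqlite3.Connection:
    """Constructed sample table: one user whose comment legitimately contains '<'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)")
    conn.execute("INSERT INTO users (name, comment) VALUES (?, ?)",
                 ("O'Brien", "1 < 2 is true"))
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str):
    """The injection mechanism from Q4: data spliced into the command string.
    Even the *valid* name O'Brien breaks the query, because its apostrophe
    terminates the SQL string literal; the database cannot tell code from data."""
    sql = "SELECT comment FROM users WHERE name = '" + name + "'"
    try:
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def lookup_parameterized(conn: sqlite3.Connection, name: str):
    """Layer 2: the driver sends the value separately from the command text,
    so an apostrophe in the data stays data."""
    row = conn.execute("SELECT comment FROM users WHERE name = ?", (name,)).fetchone()
    return ("ok", row[0] if row else None)


def render_comment(comment: str) -> str:
    """Layer 3: encode for the HTML destination specifically, so '<' becomes
    '&lt;' and is displayed as text rather than interpreted as markup."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def handle_request(conn: sqlite3.Connection, name: str):
    """Server-side pipeline: validate on entry, query with parameters, encode on exit.
    Returns None for rejected input or an unknown user."""
    if not validate_name(name):
        return None
    _status, comment = lookup_parameterized(conn, name)
    if comment is None:
        return None
    return render_comment(comment)


if __name__ == "__main__":
    db = setup_db()
    print(lookup_concatenated(db, "O'Brien"))   # ('error', ...) : valid input breaks concatenation
    print(lookup_parameterized(db, "O'Brien"))  # ('ok', '1 < 2 is true')
    print(handle_request(db, "O'Brien"))        # <p>1 &lt; 2 is true</p>
```

Note that the validation layer lets `O'Brien` through on purpose: the apostrophe is legitimate input, and it is the parameterized query, not validation, that keeps it harmless in SQL. Likewise the stored `<` is valid data and only becomes safe for the page through HTML-specific encoding at the point of output, which is why the answer key calls running both layers defense in depth.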