CompTIA CASP+ Security Engineering Test 2 with 100% Correct answers
1. What is the main purpose of Secure Software Development Lifecycle (SDLC)
in security engineering?
• A) Increase project duration
• B) Incorporate security practices at each phase of development
• C) Improve software performance
• Answer: B) Incorporate security practices at each phase of development
• Explanation: SDLC helps integrate security considerations early, reducing vulnerabilities before
deployment.
2. What is the best approach to mitigate the risk of unauthorized access in a web
application?
• A) Implement input validation
• B) Enforce strong authentication mechanisms
• C) Increase the size of the web server
• Answer: B) Enforce strong authentication mechanisms
• Explanation: Strong authentication ensures that only authorized users can access the
application, preventing unauthorized access.
3. Which of the following techniques can be used to prevent Cross-Site Request
Forgery (CSRF) attacks?
• A) Using CAPTCHA
• B) Enforcing complex passwords
• C) Implementing anti-CSRF tokens
• Answer: C) Implementing anti-CSRF tokens
• Explanation: Anti-CSRF tokens verify the legitimacy of requests by adding a unique identifier to
each request, preventing CSRF attacks.
4. What is a primary purpose of code signing in security?
• A) To improve software performance
• B) To verify the integrity and authenticity of software
• C) To allow open-source distribution
• Answer: B) To verify the integrity and authenticity of software
• Explanation: Code signing ensures that software is from a trusted source and has not been
tampered with.
5. What type of testing checks the robustness of software when facing abnormal
or extreme input?
, • A) Fuzz testing
• B) Integration testing
• C) Unit testing
• Answer: A) Fuzz testing
• Explanation: Fuzz testing provides random, unexpected input to identify vulnerabilities that may
occur under stress or unusual conditions.
6. Which security principle is best described by limiting users’ access rights to
the minimum necessary to perform their tasks?
• A) Separation of duties
• B) Least privilege
• C) Security by obscurity
• Answer: B) Least privilege
• Explanation: The least privilege principle reduces the risk of accidental or malicious misuse by
limiting access rights.
7. Which cryptographic method should be used to ensure data confidentiality in
transit?
• A) Digital signatures
• B) Encryption
• C) Hashing
• Answer: B) Encryption
• Explanation: Encryption scrambles data so only authorized parties can read it, protecting
confidentiality during transmission.
8. What is a common defense against SQL injection attacks?
• A) Using HTML encoding
• B) Using parameterized queries
• C) Disabling error logging
• Answer: B) Using parameterized queries
• Explanation: Parameterized queries separate SQL code from user inputs, preventing malicious
code from being executed.
9. Which strategy involves isolating components to prevent the spread of security
breaches?
• A) Load balancing
• B) Network segmentation
• C) Code obfuscation
• Answer: B) Network segmentation
• Explanation: Network segmentation limits security incidents to isolated segments, reducing the
impact of breaches.
1. What is the main purpose of Secure Software Development Lifecycle (SDLC)
in security engineering?
• A) Increase project duration
• B) Incorporate security practices at each phase of development
• C) Improve software performance
• Answer: B) Incorporate security practices at each phase of development
• Explanation: SDLC helps integrate security considerations early, reducing vulnerabilities before
deployment.
2. What is the best approach to mitigate the risk of unauthorized access in a web
application?
• A) Implement input validation
• B) Enforce strong authentication mechanisms
• C) Increase the size of the web server
• Answer: B) Enforce strong authentication mechanisms
• Explanation: Strong authentication ensures that only authorized users can access the
application, preventing unauthorized access.
3. Which of the following techniques can be used to prevent Cross-Site Request
Forgery (CSRF) attacks?
• A) Using CAPTCHA
• B) Enforcing complex passwords
• C) Implementing anti-CSRF tokens
• Answer: C) Implementing anti-CSRF tokens
• Explanation: Anti-CSRF tokens verify the legitimacy of requests by adding a unique identifier to
each request, preventing CSRF attacks.
4. What is a primary purpose of code signing in security?
• A) To improve software performance
• B) To verify the integrity and authenticity of software
• C) To allow open-source distribution
• Answer: B) To verify the integrity and authenticity of software
• Explanation: Code signing ensures that software is from a trusted source and has not been
tampered with.
5. What type of testing checks the robustness of software when facing abnormal
or extreme input?
, • A) Fuzz testing
• B) Integration testing
• C) Unit testing
• Answer: A) Fuzz testing
• Explanation: Fuzz testing provides random, unexpected input to identify vulnerabilities that may
occur under stress or unusual conditions.
6. Which security principle is best described by limiting users’ access rights to
the minimum necessary to perform their tasks?
• A) Separation of duties
• B) Least privilege
• C) Security by obscurity
• Answer: B) Least privilege
• Explanation: The least privilege principle reduces the risk of accidental or malicious misuse by
limiting access rights.
7. Which cryptographic method should be used to ensure data confidentiality in
transit?
• A) Digital signatures
• B) Encryption
• C) Hashing
• Answer: B) Encryption
• Explanation: Encryption scrambles data so only authorized parties can read it, protecting
confidentiality during transmission.
8. What is a common defense against SQL injection attacks?
• A) Using HTML encoding
• B) Using parameterized queries
• C) Disabling error logging
• Answer: B) Using parameterized queries
• Explanation: Parameterized queries separate SQL code from user inputs, preventing malicious
code from being executed.
9. Which strategy involves isolating components to prevent the spread of security
breaches?
• A) Load balancing
• B) Network segmentation
• C) Code obfuscation
• Answer: B) Network segmentation
• Explanation: Network segmentation limits security incidents to isolated segments, reducing the
impact of breaches.
