Domain 3 – Section B Review: Assurance and Supply Chain
This section integrates:
- Cloud-Specific Risks and Threat Modeling
- Secure Coding Practices
- Software Assurance and Validation
- Security Testing Methodologies
Question 1
A threat model for a cloud application identifies SSRF as a high risk. The development team has never heard of SSRF. What does this indicate?
A. Only security teams need to understand SSRF
B. Threat modeling produced a false positive
C. Cloud-specific security training is needed for the development team
D. SSRF is not a real vulnerability
Answer & reasoning
Correct: C
Development teams working on cloud applications must understand cloud-specific threats like SSRF. Training gaps lead to vulnerabilities being introduced and not recognized during development.
Question 2
A software assurance assessment shows maturity level 1 (ad-hoc) for secure coding practices. What does this mean?
A. The organization is at the highest maturity level
B. No coding happens at all
C. Some secure coding occurs but without consistent standards or processes
D. Secure coding is fully mature
Answer & reasoning
Correct: C
Maturity level 1 indicates practices exist but are inconsistent and not standardized. The organization needs to formalize secure coding standards and training.
Question 3
A penetration tester wants to test the CSP hypervisor as part of a cloud application assessment. What should happen?
A. Limit testing scope to customer-owned resources only
B. Proceed with testing since the application runs on the hypervisor
C. Request CSP permission to test the hypervisor
D. Test only during off-peak hours
Answer & reasoning
Correct: A
Cloud penetration testing must be scoped to customer resources. CSP infrastructure, including hypervisors, is off-limits regardless of permission requests.
Question 4
An API endpoint fails to check whether the authenticated user owns the requested resource. User A can access User B's data by changing the ID in the URL. What vulnerability is this?
A. XSS
B. BOLA (Broken Object Level Authorization)
C. SQL injection
D. CSRF
Answer & reasoning
Correct: B
BOLA (also called IDOR) occurs when the application does not verify that the authenticated user is authorized to access the specific object referenced by the ID.
Question 5
An authorization check throws an unhandled exception and the application grants access. What principle was violated?
A. Defense in depth
B. Data classification
C. Fail-secure
D. Least privilege
Answer & reasoning
Correct: C
Fail-secure requires defaulting to a secure state when controls fail. Granting access on exception is a fail-open condition that violates this principle.
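As an added example (not part of this review; names and data are hypothetical), the handler below shows Question 4's missing object-level check and Question 5's fail-open exception handling side by side with a version that fixes both; DOCUMENTS is constructed sample data standing in for a datastore.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    owner_id: object  # int, or None to simulate a corrupt policy record
    body: str

# Constructed sample store: doc 3 has no owner, so the ownership check errors on it.
DOCUMENTS = {1: Document(100, "User A's notes"),
             2: Document(200, "User B's notes"),
             3: Document(None, "orphaned record")}

FORBIDDEN = (403, None)  # handlers return an (HTTP status, body) pair

def is_owner(user_id, doc):
    # Stand-in for a policy lookup that can fail at runtime.
    if doc.owner_id is None:
        raise RuntimeError("policy backend returned no owner")
    return doc.owner_id == user_id

def get_document_bola(user_id, doc_id):
    # Question 4's defect: no object-level check, any authenticated user gets any ID.
    return (200, DOCUMENTS[doc_id].body)

def get_document_fail_open(user_id, doc_id):
    # Question 5's defect: the check's exception is swallowed and control reaches the grant.
    doc = DOCUMENTS[doc_id]
    try:
        if not is_owner(user_id, doc):
            return FORBIDDEN
    except RuntimeError:
        pass  # "handled" by ignoring it, which leaves the grant below reachable
    return (200, doc.body)

def get_document(user_id, doc_id):
    """Fixed handler: ownership verified, and any error in the check denies."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return FORBIDDEN  # same outcome as unauthorized, so IDs cannot be probed
    try:
        allowed = is_owner(user_id, doc)
    except Exception:
        allowed = False  # fail-secure: a crashed check never grants (log it in real code)
    if not allowed:
        return FORBIDDEN
    return (200, doc.body)
```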
Question 6
An annual security assessment finds 20 vulnerabilities. Between assessments, 800 code changes were deployed. What testing gap exists?
A. Annual assessments provide sufficient coverage
B. The annual assessment was too thorough
C. Continuous security testing in the CI/CD pipeline is needed
D. Fewer code changes should be made
Answer & reasoning
Correct: C
Annual assessments cannot keep pace with continuous deployment. Security scanning should be integrated into the CI/CD pipeline to catch vulnerabilities with every change.
Question 7
A bug bounty program receives 300 reports in its first month. 290 are duplicates or out of scope. The remaining 10 are valid critical findings. Is the program successful?
A. Only programs with 100% valid reports are successful
B. The program should be cancelled
C. Yes, 10 valid critical findings demonstrate significant security value
D. No, 290 invalid reports indicate failure
Answer & reasoning
Correct: C
Ten critical findings represent substantial security value. Noise is expected in bug bounty programs and can be reduced by refining scope. The findings themselves justify the program.
Question 8
A cloud application stores API keys in environment variables. A developer commits a .env file to a public GitHub repository. What is the FIRST action?
A. Delete the repository
B. Make the repository private
C. Add a disclaimer to the repository
D. Rotate all exposed API keys immediately
Answer & reasoning
Correct: D
Exposed credentials must be rotated immediately, since they may already have been harvested. Making the repository private or deleting it does not address keys that were already exposed.
Question 9
Verification confirms the code meets the design specification. Validation reveals the software does not meet the security requirements. What happened?
A. Validation is unnecessary if verification passes
B. The design specification did not adequately incorporate security requirements
C. The code has bugs
D. Verification was performed incorrectly
Answer & reasoning
Correct: B
The code correctly implements the design (verification passes) but the design itself did not address security requirements (validation fails). This indicates a gap in the requirements and design phases.
Question 10
A regression test catches a reintroduced XSS vulnerability after a code refactor. What does this demonstrate?
A. Manual testing would have been faster
B. Automated regression testing effectively prevents security regressions during code changes
C. The refactor was unnecessary
D. XSS cannot be fixed permanently
Answer & reasoning
Correct: B
Regression testing automatically validates that previous security fixes remain intact after code changes. This is essential in CI/CD environments with frequent deployments.