Q1. Which control mitigates SQL injection attacks? (Q-627fe6)
- A.Input validation✓ Correct
- B.Encryption
- C.Network segmentation
- D.Antivirus
Explanation: Input validation sanitizes user inputs. Learn more.
CompTIA CySA+ Practice Questions: Software Security
16 free, exam-style CompTIA CySA+ (CS0-003) practice questions covering Software Security. Each question shows the correct answer and a clear explanation. Ready for the real thing? Take the full timed quiz below.
Q2. Which tool is used for static application security testing (SAST)? (Q-627fe7)
- A.Nessus
- B.Burp Suite
- C.SonarQube✓ Correct
- D.Metasploit
Explanation: SAST tools like SonarQube analyze source code. Learn more.
Q3. Which vulnerability is associated with buffer overflows? (Q-924457)
- A.Improper input validation✓ Correct
- B.Weak encryption
- C.Misconfigured permissions
- D.Lack of antivirus
Explanation: Buffer overflows occur when input exceeds allocated memory space. Learn more.
Q4. What is the MAIN benefit of using containers for application deployment? (Q-628007)
- A.Improved physical security
- B.Isolation and portability✓ Correct
- C.Faster hardware performance
- D.Reduced need for firewalls
Explanation: Containers isolate applications while maintaining portability across environments. Learn more.
Q5. Which attack exploits race conditions? (Q-924471)
- A.TOCTOU✓ Correct
- B.SQL injection
- C.Phishing
- D.DDoS
Explanation: Time-of-Check to Time-of-Use (TOCTOU) attacks exploit timing vulnerabilities in system operations. Learn more.
Q6. What is the PRIMARY purpose of the OWASP ZAP tool? (Q-628030)
- A.Network scanning
- B.Web application security testing✓ Correct
- C.Password cracking
- D.Memory forensics
Explanation: OWASP ZAP (Zed Attack Proxy) tests web apps for vulnerabilities. Learn more.
Q7. What does CWE stand for in software security? (Q-628035)
- A.Common Weakness Enumeration✓ Correct
- B.Critical Web Exploit
- C.Cloud Workload Encryption
- D.Cybersecurity Warning Event
Explanation: CWE catalogs common software security weaknesses. Learn more.
Q8. What is the MAIN security benefit of deterministic builds? (Q-628043)
- A.Faster compilation
- B.Verifiable artifact integrity✓ Correct
- C.Lower hardware costs
- D.Simplified user training
Explanation: Deterministic builds produce identical outputs from given inputs, detecting supply chain tampering. Learn more.
Q9. What is the MAIN security benefit of runtime application self-protection (RASP)? (Q-628046)
- A.Blocks all zero-day exploits
- B.Detects attacks from within the application✓ Correct
- C.Reduces firewall costs
- D.Simplifies compliance audits
Explanation: RASP embeds protection inside apps to detect runtime attacks. Learn more.
Q10. Which of the following is a risk of unsecured API endpoints? (Q-924520)
- A.Increased hardware costs
- B.Data exposure and unauthorized access✓ Correct
- C.Slower internet speeds
- D.Complex user interfaces
Explanation: Unsecured APIs may leak data or allow privilege escalation. Learn more.
Q11. What is the MAIN security benefit of deterministic builds? (Q-628064)
- A.Faster compilation
- B.Verifiable artifact integrity✓ Correct
- C.Lower hardware costs
- D.Simplified user training
Explanation: Deterministic builds detect tampering by reproducing identical outputs. Learn more.
Q12. What is the MAIN security benefit of deterministic builds? (Q-628071)
- A.Faster compilation
- B.Verifiable artifact integrity✓ Correct
- C.Lower hardware costs
- D.Simplified user training
Explanation: Deterministic builds detect tampering by reproducing identical outputs. Learn more.
Q13. What is the MAIN security benefit of runtime application self-protection (RASP)? (Q-628074)
- A.Blocks all zero-day exploits
- B.Detects attacks from within the application✓ Correct
- C.Reduces firewall costs
- D.Simplifies compliance audits
Explanation: RASP embeds protection inside apps to detect runtime attacks. Learn more.
Q14. What is the MAIN security benefit of deterministic builds? (Q-628081)
- A.Faster compilation
- B.Verifiable artifact integrity✓ Correct
- C.Lower hardware costs
- D.Simplified user training
Explanation: Deterministic builds detect tampering by reproducing identical outputs. Learn more.
Q15. What is the MAIN security benefit of runtime application self-protection (RASP)? (Q-628084)
- A.Blocks all zero-day exploits
- B.Detects attacks from within the application✓ Correct
- C.Reduces firewall costs
- D.Simplifies compliance audits
Explanation: RASP embeds protection inside apps to detect runtime attacks. Learn more.
Q16. In a software development lifecycle (SDLC), what is the benefit of 'shifting left'?
- A.Delaying security testing until deployment
- B.Integrating security early in the development process✓ Correct
- C.Focusing only on perimeter security
- D.Reducing the number of developers
Explanation: Shifting left means performing security testing earlier in the SDLC to find and fix vulnerabilities sooner and cheaper. Learn more.
More CompTIA CySA+ practice topics
- Security Operations (64)
- Threat Management (53)
- Cloud Security (45)
- Incident Response (44)
- Security Operations and Monitoring (32)
- Access Control (21)
- Network Security (18)
- Risk Management (17)
- Data Security (14)
- Vulnerability Management (11)
- Cryptography (10)
- Compliance (9)
- Threat Intelligence (9)
- Threat Detection (7)
- Threat and Vulnerability Management (5)
- More Practice Questions (15)
- All CompTIA CySA+ topics →