ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
A fintech team is refactoring a payments microservice. For any transfer above $10 000, the service must verify that the caller has the SeniorApprover role before releasing funds. The architect insists this check be performed inside the service's business logic rather than through external configuration or annotations. Which implementation best exemplifies an imperative (programmatic) security control that meets the requirement?
Inside the transferFunds function, retrieve the caller's roles from the JWT and immediately throw an exception if "SeniorApprover" is not present before continuing processing.
Create a YAML access-control policy that maps the /transfers endpoint to the SeniorApprover role and load it into the organization's API gateway.
Apply a Kubernetes PodSecurityPolicy that prevents the payments microservice's container from running as root to limit privilege escalation.
Add the annotation @PreAuthorize("hasRole('SENIOR_APPROVER')") to the transferFunds method so the framework blocks unauthorized calls automatically.
Imperative (programmatic) security means embedding the authorization logic directly in executable code so that it is evaluated at run time in the application's control flow. Retrieving the caller's roles within the transferFunds function and throwing an exception if "SeniorApprover" is absent is a classic example: the check is expressed through code statements and executes only when that business condition (a high-value transfer) occurs.
In contrast, defining a YAML access-control rule for an API gateway, applying a declarative @PreAuthorize annotation, or using a Kubernetes PodSecurityPolicy all rely on external or metadata-based configuration interpreted by other components or the runtime environment-these are declarative security mechanisms, not imperative ones.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is imperative security control?
Open an interactive chat with Bash
What is a declarative security control, and how does it differ from imperative security?
Open an interactive chat with Bash
What is the role of a JWT in security checks like this?
Open an interactive chat with Bash
What is JWT and how does it work?
Open an interactive chat with Bash
What is the difference between declarative and imperative security controls?
Open an interactive chat with Bash
Why is imperative security control preferred in the transferFunds implementation?
Open an interactive chat with Bash
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Implementation
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .