ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During a peer review of a new RESTful microservice, you notice that the catch blocks serialize the Java exception message and full stack trace into the JSON response sent to callers. From a secure error and exception handling standpoint, which change most effectively preserves diagnostic information for developers while minimizing information disclosure to attackers?

Include the SQL statement and parameter values that caused the failure inside the JSON error response for faster debugging.
Disable all error logging in production so that no sensitive data can be captured or leaked.
Log the full stack trace on the server and return a generic HTTP 500 response body such as "Internal server error" to the client.
Continue returning the exception message but encode the stack trace in Base64 so it is less readable.

Report Issue

Answer Description

Secure coding guidance recommends that applications send only generic error information to end users and store the detailed diagnostic data on a protected server-side log. Doing so gives developers the context they need for troubleshooting, yet prevents attackers from learning sensitive implementation details such as class names, file paths, or SQL statements. Obfuscating or base-64-encoding the response still releases data to the attacker, disabling logging removes critical forensic evidence, and embedding query details further widens the disclosure.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.

Why is it important to log the full stack trace on the server but return a generic error response to clients?

Open an interactive chat with Bash

What risks might arise from including exception messages or stack traces in error responses sent to clients?

Open an interactive chat with Bash

How does secure error and exception handling contribute to forensic evidence collection?

Open an interactive chat with Bash

Why is logging the full stack trace on the server and returning a generic error message recommended?

Open an interactive chat with Bash

What risks are associated with exposing stack traces and exception messages in responses?

Open an interactive chat with Bash

Why is disabling error logging in production not a secure practice?

Open an interactive chat with Bash

ISC2 Certified Secure Software Lifecycle Professional (CSSLP)

Secure Software Implementation

Your Score:

Settings & Objectives

Secure Software Concepts

Secure Software Lifecycle Management

Secure Software Requirements

Secure Software Architecture and Design

Secure Software Implementation

Secure Software Testing

Secure Software Deployment, Operations, Maintenance

Secure Software Supply Chain

Random Mixed

Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.

Rotate by Objective

Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Hide Score

Check or uncheck an objective to set which questions you will receive.

Bash, the Crucial Exams Chat Bot

AI Bot