ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During a peer review of a newly added open-source utility class, you notice a very long Base64 string assigned to a byte array. The variable is never referenced elsewhere and has no explanatory comment. From a secure code review perspective, what is the most significant risk that should be flagged?

It shows the developer forgot to implement allow-list input validation for external data sources.
It indicates a possible optimistic locking flaw that could cause data-consistency issues in multithreaded scenarios.
It may be an encrypted backdoor or other hidden malicious payload intentionally embedded in the code.
It suggests the build process is ignoring compiler warnings that could hide buffer overflows.

Report Issue

Answer Description

Large, unexplained blocks of high-entropy data-such as lengthy Base64 strings-are classic indicators of concealed or packed content. Attackers often embed encrypted payloads or backdoors this way, intending to decode and execute them at runtime or under specific conditions. Because the data is unused in the visible logic, it is unlikely to be an intentional feature and more likely to be malicious or unauthorized. Concurrency flaws, missing input validation, or ignored compiler warnings are valid concerns in other contexts, but they are not implied by an orphaned, high-entropy blob. Therefore, the primary issue to raise is the potential presence of hidden malicious code (for example, an encrypted backdoor), which demands immediate investigation or removal.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.