ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During a peer review of a newly written REST API endpoint, the reviewer notices that the code accepts a "role" value directly from the request body and, if it equals "admin", skips the usual authorization check. Static analysis produced no findings for this file. According to secure manual code review practices, which type of defect has the reviewer uncovered, one that automated tools frequently miss?
An SQL injection vector created by concatenating user parameters into a query
A low-severity code style inconsistency with project formatting rules
A potential buffer overflow caused by unchecked array indexing
A business-logic authorization flaw that could let a user escalate privileges
The defect is a business-logic authorization flaw: the code trusts a client-supplied role value to decide whether an access-control check runs, so any caller who writes "role": "admin" into the request body bypasses authorization and escalates privileges. The authoritative source of a caller's role is the server-side session or a validated token, never the request body. Such logic errors depend on understanding the application's context and intent, so purely pattern-based static analysis rarely detects them: no dangerous sink is reached and no known-bad signature appears. Buffer overflows from unchecked indexing and SQL-injection patterns built by string concatenation are more readily flagged by automated scanners or compiler warnings, whereas style inconsistencies are low-severity issues unrelated to security controls.
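The following is an added example, not code from the original question or its answer key. It models the flawed endpoint described above beside its corrected form without a web framework: the request body and the server-side session are plain dictionaries, and the user store, role names, and function names are all invented for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not permitted to perform the action."""


@dataclass
class Principal:
    user_id: str
    roles: set = field(default_factory=set)


# Constructed server-side user store (hypothetical). In a real service this
# comes from the identity provider or database, never from the request.
USERS = {
    "alice": Principal("alice", {"admin"}),
    "bob": Principal("bob", {"user"}),
}


def require_role(session: dict, role: str) -> Principal:
    """The 'usual authorization check': resolve the caller from the
    server-side session and verify the role there, not in the request."""
    principal = USERS.get(session.get("user_id"))
    if principal is None or role not in principal.roles:
        raise Forbidden(f"{session.get('user_id')!r} lacks role {role!r}")
    return principal


def delete_user_vulnerable(body: dict, session: dict) -> str:
    """Flawed handler mirroring the question: a 'role' field in the
    request body short-circuits the authorization check."""
    if body.get("role") != "admin":  # branch controlled by the client
        require_role(session, "admin")
    return f"deleted {body['target']}"


def delete_user_hardened(body: dict, session: dict) -> str:
    """Corrected handler: the role comes only from the authenticated
    session; any 'role' claim in the body is ignored entirely."""
    require_role(session, "admin")
    return f"deleted {body['target']}"


def demo() -> dict:
    """Run both handlers as 'bob', a non-admin who claims admin in the body."""
    bob_session = {"user_id": "bob"}
    spoofed_body = {"target": "alice", "role": "admin"}
    results = {"vulnerable": delete_user_vulnerable(spoofed_body, bob_session)}
    try:
        delete_user_hardened(spoofed_body, bob_session)
        results["hardened"] = "allowed"
    except Forbidden:
        results["hardened"] = "forbidden"
    return results


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the vulnerable handler deleting "alice" on behalf of a plain user, while the hardened handler raises Forbidden for the same request. Note that nothing in the vulnerable branch is a taint sink or a known-bad API call, which is why a signature-based scanner has nothing to flag; the reviewer has to recognise that an access-control decision depends on attacker-controlled data.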