ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Test

Need-to-know limits access to the exact information a person requires and no more. Issuing each analyst a unique account that is restricted to only the schemas they actively support enforces that principle; it prevents them from viewing data outside their job scope and permits easy revocation when their role or project ends. Simply moving data to a replica, adding encryption, or requiring justification without changing the overly broad shared credential all leave universal access in place, so they do not satisfy need-to-know.

Running identical, health-checked instances of the API in at least two availability zones and distributing traffic across them creates an active-active topology. Because requests can be served by either zone at any moment, the loss of one zone is masked by automatic failover at the load balancer, keeping service interruption to only the brief time needed to detect the outage. Horizontal auto-scaling in one zone mitigates load spikes but not zone failure. Nightly backups help with disaster recovery, yet restoring from them can take hours and does not keep the service running. A CDN may cache static content, but dynamic API calls still rely on the origin and will fail if the sole zone is down.

A cryptographic hash such as SHA-256 produces a fixed-length digest that changes unpredictably if even one bit of the file is altered. Storing a baseline digest and recomputing it during each build allows an automated comparison that will immediately reveal unauthorized modification. Encrypting the file only hides its contents and does not detect changes; successful decryption simply proves the key was correct. RAID 1 protects against disk failure, not deliberate or accidental file edits. Comparing compressed file sizes is unreliable because different content can produce the same size, and gzip does not provide integrity assurance.

Code signing applies a digital signature-created with the publisher's private key-to the hash of an executable. When clients download the file, their systems use the corresponding public certificate to validate the signature. If the file has been altered or the signer is untrusted, verification fails, preventing execution. Transport encryption (e.g., HTTPS) protects data only while in transit, hashes published on a web page do not prove who created the code, and obfuscation merely complicates reverse engineering without assuring integrity or authenticity.

Placing the API behind a load balancer and running identical instances in at least two availability zones introduces both horizontal scaling and geographic redundancy. If one instance fails or a zone becomes unavailable, traffic is automatically routed to healthy nodes, maintaining uptime and eliminating the single point of failure. Simply upgrading the VM adds capacity but still leaves one host and one zone vulnerable. Daily snapshots protect data but do not keep the service running when the VM is down. Host-based rate limiting may reduce abuse but does not address component failure or saturation, so overall availability remains largely unchanged.

Accountability relies on the ability to attribute each action to a specific identity and to prove that the recorded evidence has not been altered. Storing logs locally, where the same users who generated the events can modify or erase them, breaks that chain of evidence. A centrally managed, write-once (immutable) logging solution with tightly restricted administrative access protects the integrity and availability of audit records, allowing investigators to trace events back to responsible parties. Encrypting audit files adds confidentiality but does not stop authorized users from deleting or rewriting them. Weekly server backups and multi-factor authentication are valuable practices, yet neither specifically ensures that log evidence remains tamper-proof and attributable throughout the system's life cycle.

Breaking a monolith into independently deployed microservices allows each component to run with its own identity, network segment, and access policies. When one service is compromised, those boundaries limit an attacker's ability to pivot to other data or functions, thereby shrinking the blast radius and adding another layer to the overall security stack. The other choices describe useful operational characteristics-unencrypted internal traffic, blue/green deployments, and auto-scaling-but they do not directly provide an additional security layer that contains a successful attack.

Binding to a port below 1024 requires root (or the CAP_NET_BIND_SERVICE capability). Once the privileged action is complete, continuing execution as root increases the blast radius of any flaw in the file-parsing logic. Dropping privileges immediately after binding-by calling setuid() to switch to a dedicated, unprivileged service account-limits what the process can do if it is compromised. Firewalls, containers, or intermittent sudo do not remove the broader privileges held by the running process and therefore do not satisfy the requirement as effectively.

GDPR is Regulation (EU) 2016/679, an enforceable law passed by the European Union and applicable to any organization processing the personal data of EU residents. PCI DSS, by contrast, is an industry standard created and contractually enforced by the major payment card brands through the PCI Security Standards Council. Non-compliance with GDPR can lead to regulatory fines, whereas failure to meet PCI DSS can result in loss of card-processing privileges and other contractual penalties. The other statements either reverse these roles, mislabel both frameworks as voluntary, or misstate their scope.

Multi-party control requires more than one individual to authorize or perform a critical action. Requiring two engineers to supply separate authentications that each reveal part of the signing key enforces dual control (split knowledge), meaning no single person can sign and release code alone. A sole release manager with a hardware token, automated deployment without human approval, or restricting access to production logs do not involve multiple people jointly authorizing the critical signing action and therefore do not satisfy multi-party control for segregation of duties.

HTTPS already provides confidentiality and integrity while the files are in transit, and authenticated access to the portal establishes who initiated the download. Once the binaries leave the portal, however, customers have no cryptographic proof that they remain unaltered or truly originated from the publisher. That open issue concerns the principle of integrity (with authenticity and non-repudiation as collateral benefits). Applying a digital code-signing certificate to each release embeds a signature created with the publisher's private key. Customers can later validate the signature with the corresponding public key-even on an offline or air-gapped network-to confirm the software has not been modified. Strengthening portal authentication, storing the files encrypted, or adding redundancy helps other principles (confidentiality, availability) but does not allow customers to detect post-download tampering.

The disruption occurs because user and transaction state exists only in the memory of the failed node. Enabling stateful session replication (or a shared session store) copies each user's session data to the standby server in real time. When the primary node goes offline, the remaining cluster member already holds current session information, so users continue without interruption. Lengthening health-check intervals would delay detection, round-robin DNS lacks failure awareness, and relocating the passive node improves fault isolation but does not preserve in-memory session state. Only session replication directly eliminates the observed logouts and data loss, thereby enhancing high availability through seamless node takeover.

A cryptographic hash such as SHA-256 produces a unique, fixed-length digest of the binary. Any bit-level change-whether accidental corruption or malicious tampering-will create a different digest, so comparing the locally calculated value to the one supplied by the publisher detects alteration. This protects the integrity of the software. Hashes alone do not hide the contents (confidentiality), prove who published the file (non-repudiation or authenticity), or make the file more accessible (availability).

Fail secure (fail-safe) means the system should default to the most secure state when a required component fails. Rejecting every request that cannot be positively authenticated ensures no unauthorized transactions occur. Allowing cached tokens, disabling authentication, or processing queued requests without revalidation all leave paths for compromise and violate fail secure requirements.

Excessive or outdated permissions are an entitlement management issue. Periodic access-certification (attestation) campaigns force resource owners or managers to review every permission granted to each identity and revoke those no longer needed, keeping entitlements aligned with job duties. Multifactor logins, encryption, and repository replication all improve security or availability in other areas, but they do not reduce unnecessary privileges that have already been granted.

Attribute-Based Access Control evaluates attributes about the subject (e.g., role=physician, userID), the object (e.g., attendingPhysicianID on the record), and the requested action (read or write). A policy can therefore permit read access to all users whose role attribute equals physician while restricting write access to those whose userID matches the record's attendingPhysicianID. Traditional role-based access control cannot easily express this per-record condition without creating an explosion of roles, discretionary access control would rely on individual users to manage ACLs, and mandatory access control uses fixed classification labels that do not reflect dynamic doctor-patient assignments. Hence, ABAC is the most appropriate choice.

The maximum acceptable time to restore service is captured by the Recovery Time Objective (RTO), while the maximum allowable period of data loss is captured by the Recovery Point Objective (RPO). Both metrics belong in the non-functional continuity section of the software security requirements. MTBF and MTTR describe reliability and repair metrics, MTD with SLO mixes disaster tolerance with performance targets, and MTTF with MTTD address failure occurrence and detection time. None of those pairs simultaneously conveys the allowed downtime and data-loss window required by the business owner.

Automatically adding or removing additional server instances based on real-time load is a horizontal scaling technique. When traffic spikes, new instances are created so capacity grows with demand, keeping the service available; when demand drops, instances are terminated, controlling cost and operations effort. Backups enhance recoverability but do not address peak load. Rate limiting protects the servers but intentionally rejects excess requests, reducing availability. Moving to a larger single VM is vertical scaling and still leaves a single point of failure; capacity is fixed once it reaches that VM's limits.

Accurate, synchronized timestamps let investigators place events from different components on a single, trusted timeline. NIST SP 800-92 notes that without trustworthy time information, log analysis cannot determine the order or relationship of actions-undermining accountability. Compressing or deleting logs affects retention, not chronology. Masking user IDs removes attribution data and actually hinders investigations.

Economy of mechanism favors the simplest security design that still meets requirements. Reusing a single, battle-tested identity provider to supply SAML or OIDC tokens lets each microservice rely on the same straightforward mechanism, avoids duplicating complex authentication code, and gives users one credential set (SSO). Writing separate custom modules, storing credentials in local files, or forcing unique logins for every service all add unnecessary components or credentials, increasing attack surface and violating the simplicity goal.