Domain 4 – Section A Review: AppSec Fundamentals
This section integrates:
- Cloud Application Security Awareness
- Common Cloud Vulnerabilities (OWASP, SANS)
- Secure SDLC: Business Requirements and Design
- Secure SDLC: Coding and Testing
Question 1
A PaaS-hosted application has an XSS vulnerability. The development team claims the PaaS provider should fix it. Who is responsible?
A. The PaaS provider
B. The browser vendor
C. Both parties equally
D. The customer, since application code security is always the customer responsibility
Answer & reasoning
Correct: D
Application-level vulnerabilities are always the customer responsibility regardless of service model. The provider manages the platform, not the customer code.
Question 2
A cloud application uses client-side JavaScript validation only. An attacker bypasses it and submits SQL injection payloads. What control was missing?
A. Network-level filtering
B. A WAF
C. Stronger client-side validation
D. Server-side input validation with parameterized queries
Answer & reasoning
Correct: D
Client-side validation can always be bypassed. Server-side validation with parameterized queries is the authoritative defense against injection attacks.
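The point in this answer, shown as an added example that is not part of the original review material: a constructed in-memory SQLite table, a query built by string concatenation that trusts client-side checks, a bound-parameter version, and a hardened version that also validates on the server. The table, column names and username pattern are assumptions for the illustration.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the application's backend.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concatenated(conn, username):
    # Vulnerable: assumes the browser-side JavaScript already validated the input,
    # so the value is spliced straight into the SQL text.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Bound parameter: the driver passes the value separately from the SQL text,
    # so quote characters in the input can never change the query structure.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Assumed server-side allow-list for usernames (lowercase letters, digits, underscore).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def lookup_hardened(conn, username):
    # Server-side validation rejects malformed input before it reaches the database;
    # the parameterized query remains the authoritative injection defense.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)

if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"          # constructed injection input
    print(lookup_concatenated(conn, payload))   # returns every row
    print(lookup_parameterized(conn, payload))  # returns [] (treated as a literal name)
    try:
        lookup_hardened(conn, payload)
    except ValueError as exc:
        print("rejected:", exc)
```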
Question 3
A threat model is performed after application development is complete and the code is in production. What is wrong with this timing?
A. Nothing; threat modeling can occur at any time
B. Threat modeling should occur during the design phase before code is written
C. Production systems cannot be threat modeled
D. Threat modeling is only for infrastructure, not applications
Answer & reasoning
Correct: B
Threat modeling during design identifies risks before code is written, when changes are inexpensive. Post-production threat modeling discovers issues that are far more costly to remediate.
Question 4
SAST identifies a potential vulnerability but the development team confirms it is a false positive. What should happen next?
A. Ignore all future SAST findings
B. Document the false positive and tune the SAST rules to reduce noise
C. Replace SAST with manual code review only
D. Disable SAST to prevent future false positives
Answer & reasoning
Correct: B
False positives should be documented and used to tune SAST rules. This reduces noise over time while preserving the tool's value. Disabling the tool or ignoring its findings undermines security testing.
Question 5
A cloud application displays detailed database error messages to users. What vulnerability category does this represent?
A. Insufficient logging
B. Broken authentication
C. SQL injection
D. Security misconfiguration
Answer & reasoning
Correct: D
Verbose error messages exposing internal details are a security misconfiguration. Production applications should show generic errors while logging details internally.
Question 6
An attacker exploits SSRF to access the cloud metadata service at 169.254.169.254. What is the potential impact?
A. Exposure of temporary credentials and instance configuration
B. Physical access to the data center
C. Corruption of the hypervisor
D. Denial of service only
Answer & reasoning
Correct: A
The cloud metadata service can expose temporary IAM credentials, API keys, and configuration data. SSRF to this endpoint is a cloud-amplified attack vector.
Question 7
A security requirements document is written after coding is complete. The team discovers the application does not encrypt data at rest as required by regulation. What is the root cause?
A. Security requirements were not defined before development began
B. The developers used the wrong encryption library
C. The CSP does not support encryption
D. The regulation is unclear
Answer & reasoning
Correct: A
Missing security requirements during the requirements phase leads to gaps in the implementation. Defining security requirements before development is far less costly than retrofitting.
Question 8
A CI/CD pipeline deploys code without any security scanning. A vulnerable dependency reaches production. What should be added?
A. A firewall in front of the pipeline
B. Manual code review of every commit
C. SCA scanning in the build stage to check dependencies
D. Post-deployment DAST only
Answer & reasoning
Correct: C
Software Composition Analysis in the build stage catches vulnerable dependencies before they reach production. This is the most effective point to prevent known-vulnerable libraries from being deployed.
Question 9
An application design review reveals a shared database connection string used by all 15 microservices. What principles are violated?
A. Availability and performance
B. Data classification
C. Least privilege and separation of duties
D. Encryption standards
Answer & reasoning
Correct: C
A shared credential across all services violates least privilege (each service should have minimum access) and separation of duties (one compromise should not expose all data).
Question 10
A DAST scan against a staging environment discovers a runtime authentication bypass. SAST did not find this issue. Why?
A. The staging environment has different code than production
B. DAST is always better than SAST
C. SAST was not configured correctly
D. SAST analyzes code patterns but cannot detect runtime behavior like authentication flow issues
Answer & reasoning
Correct: D
SAST examines code structure but cannot simulate runtime behavior. Authentication bypasses often involve logic flaws in request handling that only manifest during execution, which DAST can detect.