DESIGN. EXAM 2025 QUESTIONS AND
ANSWERS
During which phase of the software development lifecycle (SDLC) is threat modeling initiated?
A. Requirements analysis
B. Design
C. Implementation
D. Deployment - ANS B. Design
Certificate Authority, Registration Authority, and Certificate Revocation Lists are all part of
which of the following?
A. Advanced Encryption Standard (AES)
B. Steganography
C. Public Key Infrastructure (PKI)
D. Lightweight Directory Access Protocol (LDAP) - ANS C. Public Key Infrastructure (PKI)
The use of digital signatures has the benefit of providing which of the following that is not
provided by symmetric key cryptographic design?
A. Speed of cryptographic operations
B. Confidentiality assurance
C. Key exchange
D. Non-repudiation - ANS D. Non-repudiation
1 @COPYRIGHT THESTAR 2025/2026
When passwords are stored in the database, the best defense against disclosure attacks can be
accomplished using
A. encryption
B. masking
C. hashing
D. obfuscation - ANS C. hashing
Nicole is a member of both the 'author' role and the 'approver' role, allowing her to
approve her own articles before they are posted on the company blog site. This violates the principle
of
A. least privilege
B. least common mechanisms
C. economy of mechanisms
D. separation of duties - ANS D. separation of duties
The primary reason for designing Single Sign On (SSO) capabilities is to
A. increase the security of authentication mechanisms
B. simplify user authentication
C. have the ability to check each access request
D. allow for interoperability between wireless and wired networks - ANS B. simplify user
authentication
Database triggers are PRIMARILY useful for providing which of the following detective software
assurance capabilities?
A. Availability
B. Authorization
C. Auditing
D. Archiving - ANS C. Auditing