10 free, exam-style Cyber Secure Coder (CSC) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CSC practice test to study every exam domain.
A login routine builds its query with: "SELECT * FROM users WHERE name = '" + userInput + "'". A reviewer flags it as vulnerable to SQL injection. Which measure is the PRIMARY defense against this flaw?
Correct answer: B - Use parameterized queries (prepared statements)
A password-reset page replies "No account exists for that email" for unregistered addresses and "A reset link has been sent" for registered ones. A security tester marks this as a flaw. What is the weakness, and the BEST fix?
Correct answer: C - Account enumeration; return one identical response either way
When storing user passwords, a unique salt is added to each password before hashing. What is the PRIMARY purpose of the salt?
Correct answer: D - It defeats precomputed (rainbow-table) attacks
A developer wants to stop client-side scripts from reading the session cookie if the site is hit by cross-site scripting. Which cookie attribute MOST directly addresses this?
Correct answer: B - HttpOnly
An input field must accept only a five-digit ZIP code. A teammate proposes rejecting any value containing '<' or '>'. Why is an allow-list approach (e.g., the pattern ^\d{5}$) generally preferred over this deny-list?
Correct answer: A - An allow-list permits only known-good input by default
While threat modeling with STRIDE, the team identifies an attacker who forges another user's identity to gain access. Which STRIDE category is this, and which security property does it primarily threaten?
Correct answer: C - Spoofing; it threatens authentication
A U.S.-based application stores and processes patients' protected health information (PHI). Which regulation MOST directly governs how that data must be protected?
Correct answer: D - HIPAA
A risk analyst assigns each threat an estimated dollar loss and multiplies it by the probability of occurrence to prioritize remediation. Which type of risk assessment is being performed?
Correct answer: B - Quantitative risk assessment
A web application confirms a user's identity at login and then decides which records that user is allowed to view. Which pair correctly identifies these two steps?
Correct answer: A - Authentication, then authorization
A code reviewer runs a tool that inspects the application's source code for vulnerabilities WITHOUT executing the program. Which type of analysis is this?
Correct answer: C - Static analysis
Practice hundreds more CSC questions with instant scoring, weak-area drills, and full exam simulations.