MCQ Threat Modeling

The document provides a comprehensive overview of threat modeling, including definitions, methodologies, and key concepts such as STRIDE, PASTA, and DREAD. It outlines the goals and benefits of threat modeling, the importance of identifying and prioritizing security threats, and common challenges faced in the process. Additionally, it covers API security practices, including input validation, authentication mechanisms, and methods for securing APIs.

Uploaded by

laacaasa

1. What is threat modeling?

a) A process to identify and prioritize security threats


b) A technique to mitigate all types of risks
c) A method for testing software vulnerabilities
d) A tool for encrypting data

Answer: a) A process to identify and prioritize security threats

2. Which of the following is not a primary goal of threat modeling?


a) Identifying potential security vulnerabilities
b) Mitigating all possible threats
c) Prioritizing security efforts
d) Minimizing risk exposure

Answer: b) Mitigating all possible threats

3. What is the primary benefit of threat modeling?


a) Preventing all types of security breaches
b) Identifying security weaknesses early in the development lifecycle
c) Eliminating the need for security testing
d) Ensuring compliance with all security regulations

Answer: b) Identifying security weaknesses early in the development lifecycle

4. Which phase of the software development lifecycle is best suited for conducting threat modeling?
a) Design
b) Development
c) Testing
d) Deployment

Answer: a) Design

5. What is the main purpose of a threat model diagram?


a) To visualize potential security threats
b) To document all software features
c) To outline the entire development process
d) To illustrate system architecture and potential vulnerabilities

Answer: d) To illustrate system architecture and potential vulnerabilities

6. Which of the following is not typically included in a threat model?


a) Entry points for attackers
b) Potential attack vectors
c) Hardware specifications
d) Data flows within the system

Answer: c) Hardware specifications

7. What is a threat actor?


a) A security tool used for threat modeling
b) A person or entity capable of exploiting security vulnerabilities
c) A type of security vulnerability
d) A framework for assessing security risks

Answer: b) A person or entity capable of exploiting security vulnerabilities


8. Which threat modeling methodology focuses on assets, threats, vulnerabilities, and
countermeasures?
a) STRIDE
b) PASTA
c) DREAD
d) VAST

Answer: c) DREAD

9. What does STRIDE stand for in threat modeling?


a) Software, Technology, Risk, Integrity, Data, Environment
b) Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege
c) System, Threat, Risk, Intrusion, Data, Encryption
d) Security, Tampering, Risk, Intrusion, Detection, Encryption

Answer: b) Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege

10. Which threat modeling technique uses a hierarchical model to identify threats?
a) PASTA
b) VAST
c) STRIDE
d) DREAD

Answer: b) VAST

11. What does DREAD stand for in threat modeling?


a) Data, Repudiation, Elevation of Privilege, Authentication, Detection
b) Damage potential, Reproducibility, Exploitability, Affected users, Discoverability
c) Design, Risk, Environment, Attack, Detection
d) Denial of Service, Risk assessment, Encryption, Access control, Detection techniques

Answer: b) Damage potential, Reproducibility, Exploitability, Affected users, Discoverability

12. Which of the following is a common threat associated with the "Spoofing" category in STRIDE?
a) Unauthorized access to sensitive data
b) Corruption of system files
c) Injection of malicious code
d) Impersonation of legitimate users

Answer: d) Impersonation of legitimate users

13. Which threat modeling technique focuses on business goals and impacts?
a) STRIDE
b) PASTA
c) VAST
d) DREAD

Answer: b) PASTA

14. What is the primary purpose of a threat matrix?


a) To prioritize security vulnerabilities
b) To map potential threats to countermeasures
c) To document system architecture
d) To visualize data flows within the system

Answer: b) To map potential threats to countermeasures


15. Which of the following is not a common category in a threat modeling framework?
a) Spoofing
b) Intrusion
c) Tampering
d) Elevation of Control

Answer: b) Intrusion

16. Which threat modeling technique emphasizes identifying and protecting valuable assets?
a) PASTA
b) VAST
c) STRIDE
d) DREAD

Answer: a) PASTA

17. What is the primary goal of threat modeling during the design phase?
a) Identifying vulnerabilities in the existing codebase
b) Ensuring compliance with industry standards
c) Identifying and mitigating potential security risks
d) Enhancing user experience

Answer: c) Identifying and mitigating potential security risks

18. Which threat modeling methodology considers attacker motivations and goals?
a) STRIDE
b) PASTA
c) DREAD
d) VAST

Answer: b) PASTA

19. Which of the following is not a step in the threat modeling process?
a) Define security objectives
b) Identify threats and vulnerabilities
c) Create a threat model diagram
d) Test the application for all possible threats

Answer: d) Test the application for all possible threats

20. What is the primary goal of the "Tampering" category in STRIDE?


a) Gaining unauthorized access to resources
b) Modifying data or system components
c) Preventing legitimate users from accessing resources
d) Intercepting data in transit

Answer: b) Modifying data or system components

21. Which of the following is not a common countermeasure against threats?


a) Encryption
b) Authentication mechanisms
c) Firewall configurations
d) Ignoring the threat

Answer: d) Ignoring the threat


22. What is the main purpose of threat modeling tools?
a) To eliminate all potential security risks
b) To automate the threat modeling process
c) To replace manual security assessments
d) To generate random threats

Answer: b) To automate the threat modeling process

23. Which of the following is not a common type of threat modeling diagram?
a) Data flow diagrams
b) Sequence diagrams
c) Use case diagrams
d) State transition diagrams

Answer: d) State transition diagrams

24. Which phase of the threat modeling process involves assessing the severity of identified threats?
a) Threat identification
b) Threat modeling
c) Threat analysis
d) Threat mitigation

Answer: c) Threat analysis

25. What is the main purpose of the "Elevation of Privilege" category in STRIDE?
a) Gaining unauthorized access to resources
b) Modifying data or system components
c) Preventing legitimate users from accessing resources
d) Acquiring higher privileges than authorized

Answer: d) Acquiring higher privileges than authorized

26. Which threat modeling methodology focuses on understanding attacker perspectives?


a) PASTA
b) VAST
c) STRIDE
d) DREAD

Answer: a) PASTA

27. Which of the following is not a common vulnerability that threat modeling helps to identify?
a) SQL injection
b) Cross-site scripting (XSS)
c) Buffer overflow
d) Operating system updates

Answer: d) Operating system updates

28. Which of the following is a key consideration when evaluating threats during the threat modeling
process?
a) The color of the threat
b) The likelihood and impact of each threat
c) The size of the threat
d) The number of threats identified

Answer: b) The likelihood and impact of each threat

29. What is the main purpose of the "Repudiation" category in STRIDE?


a) Gaining unauthorized access to resources
b) Modifying data or system components
c) Preventing legitimate users from accessing resources
d) Denying involvement in an action

Answer: d) Denying involvement in an action

30. Which of the following is a common approach to mitigating security threats identified during
threat modeling?
a) Ignoring the threats
b) Accepting all identified risks
c) Implementing countermeasures
d) Increasing system complexity

Answer: c) Implementing countermeasures

31. What does VAST stand for in threat modeling?


a) Vulnerability Assessment and Scoring Tool
b) Visual Attack Surface Threat modeling
c) Valuable Assets and Security Threats
d) Virtual Attack Simulation Toolkit

Answer: b) Visual Attack Surface Threat modeling

32. Which threat modeling methodology emphasizes the importance of understanding system
components and interactions?
a) STRIDE
b) PASTA
c) DREAD
d) VAST

Answer: d) VAST

33. Which of the following is not a common aspect of threat modeling?


a) Identifying system boundaries
b) Analyzing potential attack vectors
c) Predicting future security threats
d) Assessing potential impact

Answer: c) Predicting future security threats

34. What is the primary goal of the "Information Disclosure" category in STRIDE?
a) Gaining unauthorized access to resources
b) Modifying data or system components
c) Preventing legitimate users from accessing resources
d) Revealing sensitive information

Answer: d) Revealing sensitive information

35. Which of the following is not a common challenge associated with threat modeling?
a) Identifying all potential threats
b) Lack of skilled personnel
c) Overestimating the severity of threats
d) Underestimating the importance of threat modeling

Answer: d) Underestimating the importance of threat modeling

36. Which threat modeling methodology uses a risk-centric approach?


a) STRIDE
b) PASTA
c) DREAD
d) VAST

Answer: c) DREAD

37. What is the main purpose of the "Denial of Service" category in STRIDE?
a) Gaining unauthorized access to resources
b) Modifying data or system components
c) Preventing legitimate users from accessing resources
d) Intercepting data in transit

Answer: c) Preventing legitimate users from accessing resources

38. Which of the following is not a common outcome of threat modeling?


a) Improved understanding of system architecture
b) Enhanced security posture
c) Elimination of all security risks
d) Identification of vulnerabilities

Answer: c) Elimination of all security risks

39. What is the main purpose of the "Spoofing" category in STRIDE?


a) Gaining unauthorized access to resources
b) Modifying data or system components
c) Impersonating legitimate users or entities
d) Intercepting data in transit

Answer: c) Impersonating legitimate users or entities

40. Which of the following is not a common benefit of threat modeling?


a) Reduction of security-related expenses
b) Early identification of potential security issues
c) Improved communication among stakeholders
d) Elimination of all security vulnerabilities

Answer: d) Elimination of all security vulnerabilities

41. What does PASTA stand for in threat modeling?


a) Process for Attack Simulation and Threat Analysis
b) Projected Analysis of Security Threats and Attacks
c) Predictive Assessment of System Threats and Attacks
d) Practical Application of Security Threat Analysis

Answer: a) Process for Attack Simulation and Threat Analysis

42. Which threat modeling methodology emphasizes the importance of understanding system
boundaries?
a) PASTA
b) VAST
c) STRIDE
d) DREAD

Answer: a) PASTA

43. What is the primary purpose of threat modeling documentation?


a) To secure all system components
b) To document identified threats and countermeasures
c) To replace security testing
d) To comply with regulatory requirements

Answer: b) To document identified threats and countermeasures

44. Which phase of the threat modeling process involves brainstorming potential threats?
a) Threat identification
b) Threat modeling
c) Threat analysis
d) Threat mitigation

Answer: a) Threat identification

45. What is the primary goal of the "Repudiation" category in STRIDE?


a) Gaining unauthorized access to resources
b) Modifying data or system components
c) Preventing legitimate users from accessing resources
d) Denying involvement in an action

Answer: d) Denying involvement in an action

46. Which of the following is not a common challenge associated with threat modeling?
a) Identifying all potential threats
b) Lack of skilled personnel
c) Overestimating the severity of threats
d) Underestimating the importance of threat modeling

Answer: d) Underestimating the importance of threat modeling

47. Which threat modeling methodology emphasizes the importance of understanding system
components and interactions?
a) STRIDE
b) PASTA
c) DREAD
d) VAST

Answer: d) VAST

48. What is the main purpose of the "Denial of Service" category in STRIDE?
a) Gaining unauthorized access to resources
b) Modifying data or system components
c) Preventing legitimate users from accessing resources
d) Intercepting data in transit

Answer: c) Preventing legitimate users from accessing resources

49. Which of the following is not a common outcome of threat modeling?


a) Improved understanding of system architecture
b) Enhanced security posture
c) Elimination of all security risks
d) Identification of vulnerabilities

Answer: c) Elimination of all security risks

API MCQ

1. Which of the following HTTP methods is considered safe and should not have side effects on the
server?
a) GET
b) POST
c) PUT
d) DELETE
**Answer: a) GET**

2. What does CORS stand for in the context of API security?


a) Cross-Origin Resource Sharing
b) Cross-Origin Request Sharing
c) Cross-Origin Request Security
d) Cross-Origin Resource Security
**Answer: a) Cross-Origin Resource Sharing**

3. Which security mechanism prevents CSRF (Cross-Site Request Forgery) attacks?


a) SameSite Cookies
b) CSRF Tokens
c) CAPTCHA
d) HTTPS
**Answer: b) CSRF Tokens**

4. What is the primary purpose of input validation in API security?


a) To prevent SQL Injection attacks
b) To prevent Cross-Site Scripting (XSS) attacks
c) To ensure the integrity and validity of user-supplied data
d) To encrypt sensitive data during transmission
**Answer: c) To ensure the integrity and validity of user-supplied data**

5. Which authentication mechanism involves sending a token with each request?


a) OAuth
b) Basic Authentication
c) HMAC (Hash-based Message Authentication Code)
d) JWT (JSON Web Token)
**Answer: d) JWT (JSON Web Token)**

6. Which of the following is NOT a common method for securing APIs?


a) API Keys
b) OAuth
c) IP Whitelisting
d) Telnet
**Answer: d) Telnet**

7. Which HTTP status code indicates a successful response to a GET request?


a) 200 OK
b) 404 Not Found
c) 500 Internal Server Error
d) 401 Unauthorized
**Answer: a) 200 OK**

8. Which of the following is a best practice for securely storing API keys?
a) Storing them in plaintext in the source code
b) Encrypting them using a reversible encryption algorithm
c) Storing them in environment variables
d) Storing them in a publicly accessible database
**Answer: c) Storing them in environment variables**

9. Which type of attack involves sending a large number of requests to overwhelm a server?
a) SQL Injection
b) Denial of Service (DoS)
c) Cross-Site Scripting (XSS)
d) Man-in-the-Middle (MitM)
**Answer: b) Denial of Service (DoS)**

10. Which HTTP header can be used to enforce HTTPS connections?


a) Strict-Transport-Security
b) Access-Control-Allow-Origin
c) Content-Security-Policy
d) X-Frame-Options
**Answer: a) Strict-Transport-Security**

11. Which cryptographic algorithm is commonly used for generating secure hashes in API security?
a) MD5
b) SHA-1
c) SHA-256
d) AES
**Answer: c) SHA-256**

12. Which of the following is NOT a common OAuth grant type?


a) Client Credentials
b) Password Credentials
c) Token Credentials
d) Authorization Code
**Answer: c) Token Credentials**

13. Which of the following is a common vulnerability associated with XML-based APIs?
a) SQL Injection
b) Cross-Site Scripting (XSS)
c) XML External Entity (XXE) Injection
d) Cross-Site Request Forgery (CSRF)
**Answer: c) XML External Entity (XXE) Injection**

14. Which of the following HTTP headers can help prevent Clickjacking attacks?
a) Content-Security-Policy
b) X-XSS-Protection
c) X-Frame-Options
d) X-Content-Type-Options
**Answer: c) X-Frame-Options**

15. Which authentication mechanism involves exchanging a username and password for a token?
a) Basic Authentication
b) OAuth
c) API Key Authentication
d) HMAC Authentication
**Answer: b) OAuth**

16. Which of the following is NOT a characteristic of a secure API?


a) Confidentiality
b) Availability
c) Reliability
d) Monolithic architecture
**Answer: d) Monolithic architecture**

17. In the context of API security, what does Fuzzing refer to?
a) Sending random or malformed data to an API to find vulnerabilities
b) Encrypting API payloads
c) Implementing rate limiting for API requests
d) Testing API endpoints for SQL Injection vulnerabilities
**Answer: a) Sending random or malformed data to an API to find vulnerabilities**

18. Which HTTP status code indicates that the client must authenticate to gain network access?
a) 200 OK
b) 401 Unauthorized
c) 403 Forbidden
d) 404 Not Found
**Answer: b) 401 Unauthorized**

19. Which of the following is a common technique for preventing SQL Injection attacks?
a) Input validation
b) Output encoding
c) Prepared statements
d) Cross-Origin Resource Sharing (CORS)
**Answer: c) Prepared statements**

20. What is the purpose of API rate limiting?


a) To restrict the number of requests an API client can make within a certain time frame
b) To encrypt data transmitted between API client and server
c) To validate the integrity of API responses
d) To prevent Cross-Site Scripting (XSS) attacks
**Answer: a) To restrict the number of requests an API client can make within a certain time frame**

21. Which of the following is NOT typically included in an API security audit?
a) Authentication mechanisms
b) Input validation techniques
c) Performance optimization strategies
d) Authorization policies
**Answer: c) Performance optimization strategies**

22. Which HTTP method is typically used to update existing resources on the server?
a) POST
b) GET
c) PUT
d) DELETE
**Answer: c) PUT**

23. Which of the following is NOT a common vulnerability associated with JSON Web Tokens (JWT)?
a) Token Expiration
b) Replay Attacks
c) Session Fixation
d) Insecure Key Storage
**Answer: c) Session Fixation**

24. What does the "SameSite" attribute in cookies help prevent?


a) Cross-Site Scripting (XSS) attacks
b) Cross-Site Request Forgery (CSRF) attacks
c) Session fixation attacks
d) Man-in-the-Middle (MitM) attacks
**Answer: b) Cross-Site Request Forgery (CSRF) attacks**

25. Which of the following is NOT a recommended practice for securing APIs against injection
attacks?
a) Parameterized queries
b) Input validation
c) Output encoding
d) Disabling HTTPS
**Answer: d) Disabling HTTPS**

26. Which cryptographic algorithm is commonly used for encrypting data transmitted over HTTPS?
a) RSA
b) AES
c) DES
d) HMAC
**Answer: b) AES**

27. Which of the following is a common method for preventing brute force attacks on API
authentication endpoints?
a) Captcha verification
b) Account lockout policies
c) Cross-Site Request Forgery (CSRF) tokens
d) Biometric authentication
**Answer: b) Account lockout policies**

28. Which of the following is NOT a typical component of an API security architecture?
a) Firewall
b) Load Balancer
c) API Gateway
d) Web Browser
**Answer: d) Web Browser**

29. Which HTTP header can be used to mitigate the risk of Clickjacking attacks?
a) Content-Security-Policy
b) X-XSS-Protection
c) X-Frame-Options
d) X-Content-Type-Options
**Answer: c) X-Frame-Options**

30. What does the "Authorization" header typically contain in API requests?
a) User's password
b) User's username
c) API key or access token
d) Session ID
**Answer: c) API key or access token**

31. Which of the following is NOT a recommended practice for securely handling API keys?
a) Storing them in plaintext in the client-side code
b) Rotating keys periodically
c) Restricting key usage permissions
d) Encrypting keys at rest
**Answer: a) Storing them in plaintext in the client-side code**

32. Which of the following is NOT a common vulnerability in API authentication mechanisms?
a) Brute Force Attacks
b) Cross-Site Scripting (XSS)
c) Token Leakage
d) Man-in-the-Middle (MitM) Attacks
**Answer: b) Cross-Site Scripting (XSS)**

33. Which HTTP status code indicates that the requested resource has been permanently moved to
a new URL?
a) 200 OK
b) 301 Moved Permanently
c) 404 Not Found
d) 500 Internal Server Error
**Answer: b) 301 Moved Permanently**

34. Which of the following is NOT a common security risk associated with APIs?
a) XML Injection
b) SQL Injection
c) Man-in-the-Browser (MitB) Attacks
d) DNS Spoofing
**Answer: d) DNS Spoofing**

35. Which authentication mechanism involves sending a username and password with each
request?
a) HMAC Authentication
b) OAuth
c) Basic Authentication
d) JWT Authentication
**Answer: c) Basic Authentication**

36. Which of the following HTTP headers can help mitigate the risk of XSS attacks?
a) Content-Security-Policy
b) X-XSS-Protection
c) X-Frame-Options
d) X-Content-Type-Options
**Answer: b) X-XSS-Protection**

37. Which of the following is NOT a common method for securely transmitting sensitive data over
APIs?
a) HTTPS
b) Base64 encoding
c) Encryption
d) Tokenization
**Answer: b) Base64 encoding**

38. What does a CSRF token typically contain?


a) User's username
b) User's password
c) Random value unique to the user's session
d) Encrypted API key
**Answer: c) Random value unique to the user's session**

39. Which of the following is a common method for ensuring data integrity in API requests?
a) Digital Signatures
b) Base64 Encoding
c) OAuth Tokens
d) Encryption
**Answer: a) Digital Signatures**

40. Which HTTP status code indicates that the requested resource could not be found on the
server?
a) 200 OK
b) 404 Not Found
c) 500 Internal Server Error
d) 401 Unauthorized
**Answer: b) 404 Not Found**

41. Which of the following is a common technique for securing API endpoints against unauthorized
access?
a) OAuth Tokens
b) Session IDs
c) JWT Authentication
d) HTTP Basic Authentication
**Answer: c) JWT Authentication**

42. Which of the following is NOT a typical component of an API security architecture?
a) Intrusion Detection System (IDS)
b) Web Application Firewall (WAF)
c) API Gateway
d) Load Balancer
**Answer: a) Intrusion Detection System (IDS)**

43. Which HTTP method is typically used for retrieving data from a server without modifying it?
a) POST
b) GET
c) PUT
d) DELETE
**Answer: b) GET**

44. Which cryptographic algorithm is commonly used for hashing passwords before storing them in
a database?
a) MD5
b) SHA-1
c) SHA-256
d) AES
**Answer: c) SHA-256**

45. Which of the following is NOT a common vulnerability associated with API keys?
a) Key Leakage
b) Brute Force Attacks
c) Insufficient Key Length
d) Cross-Site Request Forgery (CSRF)
**Answer: d) Cross-Site Request Forgery (CSRF)**

46. Which of the following is a common method for securing APIs against SQL Injection attacks?
a) Input validation
b) Output encoding
c) Prepared statements
d) Cross-Origin Resource Sharing (CORS)
**Answer: c) Prepared statements**

47. Which HTTP status code indicates that the client does not have permission to access the
requested resource?
a) 200 OK
b) 401 Unauthorized
c) 403 Forbidden
d) 404 Not Found
**Answer: c) 403 Forbidden**

48. Which of the following is a common technique for mitigating the risk of API endpoint
enumeration?
a) Rate Limiting
b) API Key Rotation
c) Implementing Custom Error Messages
d) Hiding Error Details
**Answer: d) Hiding Error Details**

49. Which HTTP header can be used to specify the MIME type of the data being sent or received?
a) Content-Type
b) Content-Length
c) Content-Encoding
d) Content-Disposition
**Answer: a) Content-Type**

50. Which of the following is a common method for securing APIs against XML Injection attacks?
a) Input validation
b) Output encoding
c) XML Encryption
d) Session Management
**Answer: c) XML Encryption**

51. What does the term "JWT" stand for in the context of API security?
a) Java Web Tokens
b) JSON Web Tokens
c) JavaScript Web Tokens
d) JSON Web Transfers
**Answer: b) JSON Web Tokens**

52. Which HTTP status code indicates that the server encountered an unexpected condition that prevented it from fulfilling the request?
a) 200 OK
b) 404 Not Found
c) 500 Internal Server Error
d) 401 Unauthorized
**Answer: c) 500 Internal Server Error**

53. Which of the following is NOT typically a part of API documentation regarding security?
a) Authentication mechanisms
b) Sample API responses
c) Authorization policies
d) Server hardware specifications
**Answer: d) Server hardware specifications**

54. Which cryptographic algorithm is commonly used for encrypting data transmitted over SSL/TLS
connections?
a) RSA
b) AES
c) SHA-256
d) HMAC
**Answer: b) AES**

55. Which of the following is a common technique for securing APIs against brute force attacks?
a) CAPTCHA verification
b) API key rotation
c) Rate limiting
d) Digital signatures
**Answer: c) Rate limiting**

56. Which HTTP header can be used to prevent a web page from being displayed in an iframe?
a) Content-Security-Policy
b) X-Frame-Options
c) X-XSS-Protection
d) X-Content-Type-Options
**Answer: b) X-Frame-Options**

57. What is the purpose of OAuth in API security?


a) To encrypt data transmitted between client and server
b) To authenticate and authorize users accessing APIs
c) To prevent Cross-Site Scripting (XSS) attacks
d) To enforce strict content security policies
**Answer: b) To authenticate and authorize users accessing APIs**

58. Which of the following is NOT a common vulnerability associated with API versioning?
a) Insecure Direct Object References (IDOR)
b) Deprecated Functionality
c) Lack of Documentation
d) Backward Incompatible Changes
**Answer: a) Insecure Direct Object References (IDOR)**

59. Which authentication mechanism involves sending a shared secret along with each request?
a) HMAC Authentication
b) OAuth
c) JWT Authentication
d) Basic Authentication
**Answer: a) HMAC Authentication**

60. Which HTTP status code indicates that the client's request lacks proper authentication
credentials?
a) 200 OK
b) 401 Unauthorized
c) 403 Forbidden
d) 404 Not Found
**Answer: b) 401 Unauthorized**
