CSLLP Cheat Sheet 2026

The 30 highest-yield CSLLP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

125 questions
180 min time limit
70.00% to pass
  1. Which security property ensures that data has not been altered in an unauthorized manner? Integrity
  2. Which term describes the likelihood that a threat will exploit a vulnerability and the resulting impact? Risk
  3. Which US regulation protects the privacy of student education records and limits disclosure of personally identifiable information? FERPA
  4. Which design approach assigns permissions based on a user's organizational role rather than their individual identity? Role-based access control (RBAC)
  5. What does the OWASP Top 10 primarily represent? A list of the ten most critical web application security risks
  6. What is the primary purpose of a business continuity plan (BCP) related to software systems? To ensure critical business functions can continue during and after a disruptive event
  7. Which US law mandates security and privacy requirements for federal agency information systems? FISMA
  8. What is the main security concern with using third-party components or libraries in software development? They may introduce known or unknown vulnerabilities that affect the entire application
  9. What is the purpose of a disaster recovery plan (DRP) in secure software operations? To specify procedures for restoring critical systems and data after a disruptive event
  10. Which type of injection attack occurs when malicious commands are injected into an OS shell command executed by the application? Command injection
  11. Which attack category involves sending more data to a buffer than it can handle, potentially allowing code execution? Buffer overflow
  12. Which architectural pattern uses a single component to handle all requests and enforce consistent security checks before routing to handlers? Front controller pattern
  13. In supply chain risk management, 'nth-party risk' refers to: Security risk propagated through a vendor's own suppliers and subcontractors
  14. What does the CIA triad stand for in information security? Confidentiality, Integrity, Availability
  15. Which framework provides guidelines specifically for managing cybersecurity risks within the supply chain and is published by NIST? NIST SP 800-161
  16. A trusted computing base (TCB) refers to: The set of all hardware, firmware, and software critical to enforcing the security policy
  17. Which term describes the process of breaking down complex security requirements into smaller, actionable components? Requirements decomposition
  18. Which security requirement category ensures that data is protected from unauthorized access when stored on disk? Data at rest protection
  19. Which process involves systematically identifying and documenting all software assets and their versions in a production environment? Software inventory management / asset management
  20. What is the purpose of a privacy impact assessment (PIA)? To identify and evaluate risks to personal information in a system
  21. Which US law requires healthcare organizations to implement safeguards protecting the privacy and security of electronic protected health information (ePHI)? HIPAA
  22. Which principle states that a system should default to a secure state when it fails or encounters an error? Fail securely
  23. What does 'test coverage' measure in software security testing? The proportion of code paths, branches, or requirements exercised by the test suite
  24. Which threat modeling methodology focuses on assets, attack surfaces, and mitigations and was developed by Microsoft? STRIDE
  25. Which testing methodology tests software from the outside without knowledge of the internal code or architecture? Black-box testing
  26. A test that verifies the application correctly enforces access restrictions (e.g., a regular user cannot access admin functions) is called: Authorization testing
  27. A security control that detects and alerts on attacks but does not prevent them is called: Detective control
  28. Which security concept ensures that a party cannot deny having performed an action or transaction? Non-repudiation
  29. Which disposal technique renders data on storage media unrecoverable by overwriting it multiple times with random data? Secure wiping/overwriting
  30. Which U.S. executive order significantly elevated software supply chain security requirements for federal government software procurement? Executive Order 14028 on Improving the Nation's Cybersecurity
Turn these facts into recall: