CSLLP Cheat Sheet 2026
The 30 highest-yield CSLLP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
125 questions
180 min time limit
70.00% to pass
- Which security property ensures that data has not been altered in an unauthorized manner? → Integrity
- Which term describes the likelihood that a threat will exploit a vulnerability and the resulting impact? → Risk
- Which US regulation protects the privacy of student education records and limits disclosure of personally identifiable information? → FERPA
- Which design approach assigns permissions based on a user's organizational role rather than their individual identity? → Role-based access control (RBAC)
- What does the OWASP Top 10 primarily represent? → A list of the ten most critical web application security risks
- What is the primary purpose of a business continuity plan (BCP) related to software systems? → To ensure critical business functions can continue during and after a disruptive event
- Which US law mandates security and privacy requirements for federal agency information systems? → FISMA
- What is the main security concern with using third-party components or libraries in software development? → They may introduce known or unknown vulnerabilities that affect the entire application
- What is the purpose of a disaster recovery plan (DRP) in secure software operations? → To specify procedures for restoring critical systems and data after a disruptive event
- Which type of injection attack occurs when malicious commands are injected into an OS shell command executed by the application? → Command injection
- Which attack category involves sending more data to a buffer than it can handle, potentially allowing code execution? → Buffer overflow
- Which architectural pattern uses a single component to handle all requests and enforce consistent security checks before routing to handlers? → Front controller pattern
- In supply chain risk management, 'nth-party risk' refers to: → Security risk propagated through a vendor's own suppliers and subcontractors
- What does the CIA triad stand for in information security? → Confidentiality, Integrity, Availability
- Which framework provides guidelines specifically for managing cybersecurity risks within the supply chain and is published by NIST? → NIST SP 800-161
- A trusted computing base (TCB) refers to: → The set of all hardware, firmware, and software critical to enforcing the security policy
- Which term describes the process of breaking down complex security requirements into smaller, actionable components? → Requirements decomposition
- Which security requirement category ensures that data is protected from unauthorized access when stored on disk? → Data at rest protection
- Which process involves systematically identifying and documenting all software assets and their versions in a production environment? → Software inventory management / asset management
- What is the purpose of a privacy impact assessment (PIA)? → To identify and evaluate risks to personal information in a system
- Which US law requires healthcare organizations to implement safeguards protecting the privacy and security of electronic protected health information (ePHI)? → HIPAA
- Which principle states that a system should default to a secure state when it fails or encounters an error? → Fail securely
- What does 'test coverage' measure in software security testing? → The proportion of code paths, branches, or requirements exercised by the test suite
- Which threat modeling methodology focuses on assets, attack surfaces, and mitigations and was developed by Microsoft? → STRIDE
- Which testing methodology tests software from the outside without knowledge of the internal code or architecture? → Black-box testing
- A test that verifies the application correctly enforces access restrictions (e.g., a regular user cannot access admin functions) is called: → Authorization testing
- A security control that detects and alerts on attacks but does not prevent them is called: → Detective control
- Which security concept ensures that a party cannot deny having performed an action or transaction? → Non-repudiation
- Which disposal technique renders data on storage media unrecoverable by overwriting it multiple times with random data? → Secure wiping/overwriting
- Which U.S. executive order significantly elevated software supply chain security requirements for federal government software procurement? → Executive Order 14028 on Improving the Nation's Cybersecurity
Turn these facts into recall: