KT-APP SAST findings

SAST flags deserialization of untrusted data in a Java admin servlet. Why critical?

Multiple choice — select one answer

Answer choices

  1. a. Deserialization only affects JSON field names in mobile clients, not servers
  2. b. Remote attackers may execute arbitrary code via gadget chains during deserialization
  3. c. Finding is informational because the servlet requires HTTPS in production, without security or identity team coordination per policy.
  4. d. SAST cannot detect real issues; developers should ignore Java findings, without security or identity team coordination per policy.

Architectural breakdown & explanation

Unsafe deserialization is a frequent RCE path in enterprise Java apps.

Correct answer(s): b. Remote attackers may execute arbitrary code via gadget chains during deserialization

Exam domain: SAST findings (25% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Application Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.