Goals
3 min
- Know the security-exam format and topic spread.
- Take a timed 10-question mock.
- Score yourself; find weak areas.
- Follow a one-week plan to the real exam.
Exam Orientation
5 min
PCES (Python Certified — Entry-level Security mindset)
Format: multiple-choice (check the latest spec for count/time)
Pass mark: ~70%
Topics:
- CIA triad + ethics/authorization (the legal line)
- networking: TCP/IP, ports, OSI, DNS, sockets, TLS
- cryptography: hashing vs encryption, bcrypt, symmetric/asymmetric, signatures
- the OWASP Top 10 (esp. A01 access control, A02 crypto, A03 injection, A05 misconfig, A07 auth, A08 integrity)
- injection family: SQLi, XSS, command injection — root cause & fix
- authentication: sessions vs tokens, JWT, OAuth, RBAC
- secure coding: secrets management, safe subprocess, input validation
- detection & response: monitoring, log analysis, audit trails, reporting
The security exam tests judgement and principles, not memorising payloads. If you can say "hash passwords with bcrypt, never MD5", "parameterise queries / escape output to separate code from data", "authorize every request, deny by default", "secrets in env, never in code", "always verify the JWT signature", and "only test what you're authorised to" — you'll pass. Reason like a defender.
Mock Exam — 10 Questions
14 min
Set a timer for 15 minutes. No notes.
Q1.
The complete fix for SQL injection is:
(A) escaping quotes · (B) blacklisting words like UNION · (C) parameterised queries · (D) hiding errors
Q2.
How should passwords be stored?
(A) plain text · (B) MD5 · (C) SHA-256, unsalted · (D) bcrypt/argon2 (salted, slow)
Q3.
Changing ?id=123 to ?id=124 and seeing another user's data is:
(A) XSS · (B) IDOR / broken access control (A01) · (C) CSRF · (D) SSRF
Q4.
A JWT's payload is:
(A) encrypted, unreadable · (B) signed but readable (base64) · (C) hashed one-way · (D) always empty
Q5.
The primary defence against stored XSS is:
(A) a firewall · (B) parameterised queries · (C) context-aware output escaping · (D) rate limiting
Q6.
In Python, the safe way to run an external command with user input is:
(A) os.system("cmd " + x) · (B) subprocess.run(f"cmd {x}", shell=True) · (C) subprocess.run(["cmd", x]) · (D) eval("cmd " + x)
Q7.
Where should an API key live?
(A) hard-coded in source · (B) committed to git · (C) in client-side JS · (D) in an environment variable / secret manager
Q8.
Scanning a stranger's server "just to learn," without permission, is:
(A) fine if you don't break anything · (B) a crime (unauthorized access) · (C) legal recon · (D) encouraged
Q9.
Running a Flask app with debug=True in production is dangerous because:
(A) it's slow · (B) the debugger console can allow remote code execution + leaks secrets · (C) it disables logging · (D) it's just untidy
Q10.
The CIA triad stands for:
(A) Confidentiality, Integrity, Availability · (B) Control, Identity, Access · (C) Cipher, Integrity, Authentication · (D) Crypto, Internet, Authorization
Answer Key + Commentary
12 min
- Q1. (C) Parameterised queries separate code from data; escaping and blacklists are fragile.
- Q2. (D) bcrypt/argon2: salted and deliberately slow; MD5/SHA-256 are too fast and unsalted.
- Q3. (B) IDOR (A01): no ownership check → broken access control (the #1 risk).
- Q4. (B) Signed but readable base64, NOT encrypted → never put secrets in it.
- Q5. (C) Output escaping renders user data as text, not markup (plus CSP and HttpOnly cookies).
- Q6. (C) List form: there is no shell to inject into; never use shell=True with user input.
- Q7. (D) Env / secret manager: never in code, git or client-side code; rotate if leaked.
- Q8. (B) A crime (unauthorized access); intent or "no harm" is no defence.
- Q9. (B) RCE + secret leak: the Werkzeug debugger console means remote code execution in prod.
- Q10. (A) Confidentiality, Integrity, Availability: what security protects.
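The Q4 point in working code, as an added example that is not part of the lesson: a minimal HS256 JWT built with only the standard library, showing that anyone can read the payload without the key, while the verifier accepts a token only when the signature matches. The key, claims and helper names are constructed for this demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SEP = (",", ":")  # compact JSON, as JWT libraries emit it

def _b64url_encode(raw: bytes) -> str:
    # JWT segments are unpadded base64url.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=SEP).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=SEP).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def read_payload_unverified(token: str) -> dict:
    """No key needed: the payload is base64, not encrypted (Q4)."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the signature is valid; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        given_sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # reject "none" and any algorithm this service did not issue
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None  # edited payload, or a token signed with another key
    return json.loads(_b64url_decode(payload_b64))

def with_modified_payload(token: str, changes: dict) -> str:
    """Negative test input: edit the payload but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_b64url_encode(json.dumps(payload, separators=SEP).encode())}.{sig_b64}"
```

Real services should use a maintained library (e.g. PyJWT) and also check exp, iss and aud claims; this block isolates the one lesson of Q4, that reading a claim and trusting a claim are different operations.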
Scoring
- 9-10: exam-ready.
- 7-8: pass-likely; review your wrong topics.
- 5-6: another week; redo the relevant lessons.
- ≤4: re-walk Lessons 1, 11-13, 27-33 — ethics, crypto, and the OWASP core.
Weak-Area Drills
13 min
For each missed question, do the matching drill:
- SQLi / injection (Q1, Q6) → re-do Lessons 30-31, 43.
- Password storage / crypto (Q2) → re-do Lessons 11-13.
- Access control / IDOR (Q3) → re-do Lessons 28, 40.
- JWT (Q4) → re-read Lesson 38.
- XSS (Q5) → re-do Lessons 32-33.
- Secrets management (Q7) → re-read Lessons 8, 44.
- Ethics / the legal line (Q8) → re-read Lessons 1, 19.
- Misconfiguration (Q9) → re-read Lesson 34.
- CIA / fundamentals (Q10) → re-read Lesson 1.
Re-type the worked examples from memory — security concepts stick when your fingers do them.
One-Week Study Plan
8 min
- Day 1: ethics + CIA + networking (TCP/IP, OSI, DNS) (L8-1..5)
- Day 2: sockets + TLS + hashing + passwords (L8-7..13)
- Day 3: encryption: symmetric, AES modes, asymmetric, signatures (L8-14..18)
- Day 4: scanning ethics + monitoring + log analysis (L8-19..26)
- Day 5: OWASP Top 10: access control, crypto, SQLi, XSS, misconfig (L8-27..36)
- Day 6: auth (sessions/JWT/OAuth/RBAC) + secure coding (L8-37..45)
- Day 7: reporting + capstone review; full timed mock; review every wrong answer
Two focused hours a day. Then sit the real exam.
Recap — & What You Can Now Do
3 min
Level 8 complete — and with it, the certification track. You can:
- Reason about security with the CIA triad and apply ironclad ethics & authorization.
- Understand networking from packets to TLS, and write your own sockets/servers safely.
- Use cryptography correctly: hashing, bcrypt, symmetric/asymmetric encryption, and signatures.
- Find and fix the OWASP Top 10 — access control, crypto, SQLi, XSS, misconfiguration, integrity.
- Build authentication: secure sessions, JWTs, OAuth, and RBAC.
- Write secure code: secrets management, safe subprocess, input validation.
- Detect and respond: monitoring, log analysis, tamper-evident audit trails, and professional reports.
- Combine it all into an authorized vulnerability scanner — always within the law.
You started at variables and loops; you can now build, automate, and defend real software. That's the full arc of an engineer. The optional Visual Game Builder track (Pygame Zero) awaits if you'd like to keep building for fun — but the certification path is done. Congratulations.
Homework
4 min
Book your exam date and add it to your calendar. Optional: write a one-page reflection on the security habits you'll keep (parameterise everything, bcrypt passwords, secrets in env, authorize every request, only test what you're authorised to). Best of all — run your capstone scanner on something you own and fix what it finds. Then secure one real app end to end and add it to your portfolio.
In the exam, when two answers seem plausible, pick the one reflecting the secure, professional, defender's habit — "parameterise, don't escape", "bcrypt, not MD5", "authorize every request, deny by default", "secrets in env", "always verify the signature", "only test what you own or are authorised for". PCES rewards judgement and the security mindset you built all level, not memorised exploits. And beyond the exam: the best security engineers are the ones who can't stop asking "what could go wrong here?" — keep asking it.