100+ Free PCES Practice Questions

Pass your OpenEDG PCES — Certified Entry-Level Security Professional with Python exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

~70-80% Pass Rate

100+ Questions

100% Free

1 / 10

Question 1

Score: 0/0

What does the CIA triad in security stand for?

Confidentiality, Integrity, Availability

Confidentiality, Identity, Authentication

Cryptography, Identity, Audit

Control, Inspect, Audit

to track

2026 Statistics

Key Facts: PCES Exam

Exam Questions

OpenEDG

40 min

Exam Duration

OpenEDG

70%

Passing Score

OpenEDG

$59

Exam Fee

OpenEDG

Lifetime

Validity

No expiration

Online

Delivery

OpenEDG Testing Service

The PCES exam has 30 questions in 40 minutes with a 70% passing score. Domains cover security fundamentals (~15%), Python secure coding (~25%), cryptography and authentication (~20%), input/file/HTTP security (~15%), Python web framework security (~10%), and offensive Python and forensics tooling (~15%). Fee is $59 USD. Delivered online via OpenEDG Testing Service. Lifetime validity, no expiration. PCEP is recommended but not required.

Sample PCES Practice Questions

Try these sample questions to test your PCES exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1What does the CIA triad in security stand for?

A.Confidentiality, Integrity, Availability

B.Confidentiality, Identity, Authentication

C.Cryptography, Identity, Audit

D.Control, Inspect, Audit

Explanation: The CIA triad is the foundational model of information security: Confidentiality (only authorized parties can read data), Integrity (data has not been tampered with), Availability (authorized users can access data when needed).

2In the OWASP Top 10 (2021), which risk is at #1?

A.Injection

B.Broken Access Control

C.Cryptographic Failures

D.Insecure Design

Explanation: In the 2021 OWASP Top 10, Broken Access Control replaced Injection as #1. Injection moved to #3. Cryptographic Failures (formerly Sensitive Data Exposure) is #2. Insecure Design is a new #4 entry.

3Which Python function is the MOST dangerous to call on untrusted input because it executes arbitrary code?

A.str()

B.int()

C.eval()

D.len()

Explanation: `eval(expr)` evaluates `expr` as Python source — calling it on untrusted input gives the attacker arbitrary code execution. `exec()` is similarly dangerous. Use `ast.literal_eval` if you only need to parse a literal value.

4Why should you AVOID `pickle.loads()` on untrusted data?

A.It is slow

B.Deserialization can execute arbitrary code via __reduce__ methods

C.The output is too large

D.It only supports certain types

Explanation: pickle's `__reduce__` protocol lets a serialized object specify a callable to invoke during deserialization. An attacker who controls the bytes can run any code the process can reach. For untrusted data, use JSON or another safe format.

5Which is the correct way to prevent SQL injection in Python with sqlite3?

A.cursor.execute(f'SELECT * FROM users WHERE name="{name}"')

B.cursor.execute('SELECT * FROM users WHERE name=?', (name,))

C.cursor.execute('SELECT * FROM users WHERE name=' + name)

D.cursor.execute('SELECT * FROM users WHERE name=%s' % name)

Explanation: Parameterized queries pass the value as a parameter, so the database treats it as data, never as SQL. NEVER concatenate or format user input into a SQL string. The placeholder syntax depends on the driver: `?` (sqlite3, qmark), `%s` (psycopg2, pyformat) — both are safe when the value is passed as a parameter.

6Which Python module should you use to generate cryptographically secure random tokens?

A.random

B.secrets

C.os

D.uuid

Explanation: The `secrets` module (added in Python 3.6) is purpose-built for security tokens, password salts, and session IDs. `random` is a Mersenne Twister — fast but predictable and NOT cryptographically secure. `uuid.uuid4()` is acceptable for IDs but not for sensitive tokens.

7Which secrets-module function generates a URL-safe token of N bytes encoded as Base64?

A.secrets.urlsafe(n)

B.secrets.token_urlsafe(n)

C.secrets.url_token(n)

D.secrets.gen_url(n)

Explanation: `secrets.token_urlsafe(nbytes=32)` returns a base64url-encoded text token. `secrets.token_bytes(nbytes)` returns raw bytes. `secrets.token_hex(nbytes)` returns hex. All three are crypto-secure.

8Which hash algorithm should you AVOID for new applications because of known collision attacks?

A.SHA-256

B.SHA-3

C.BLAKE2

D.MD5

Explanation: MD5 and SHA-1 are broken for collision resistance and must not be used for new security-critical applications. Use SHA-256 (the most common modern default), SHA-3, or BLAKE2/BLAKE3.

9Which call computes the SHA-256 hex digest of a bytes value `data` using hashlib?

A.hashlib.sha256(data).hex()

B.hashlib.sha256(data).hexdigest()

C.hashlib.sha256(data).encode()

D.hashlib.hex(sha256, data)

Explanation: `hashlib.sha256(data).hexdigest()` returns the lowercase hex string. `.digest()` returns raw bytes. The input MUST be bytes (use `s.encode()` to convert from str).

10Why should you NEVER store user passwords with plain hashlib.sha256?

A.SHA-256 is too slow

B.SHA-256 is fast and unsalted hashes are vulnerable to rainbow-table and brute-force attacks

C.SHA-256 outputs are too short

D.SHA-256 is deprecated

Explanation: General-purpose hashes (SHA-256, SHA-3) are designed to be FAST — exactly the wrong property for password hashing. Use a slow, salted KDF designed for passwords: bcrypt, argon2 (winner of the Password Hashing Competition), or scrypt.

About the PCES Exam

The OpenEDG PCES (Certified Entry-Level Security Professional with Python) certification validates entry-level secure-coding and security-automation skills using Python 3. It covers security fundamentals, Python secure coding (avoiding eval/exec/pickle on untrusted input, parameterized SQL, secrets/hashlib/hmac, the cryptography library, password hashing), input validation, safe file handling, HTTP/TLS security, Python web framework security (Django, Flask), Python pentest tooling, and Python forensics/automation. PCES sits alongside PCED and PCET in OpenEDG's Python specialization track.

Questions

30 scored questions

Time Limit

40 minutes

Passing Score

70%

Exam Fee

$59 USD (OpenEDG / OpenEDG Testing Service)

PCES Exam Content Outline

~15%

Security Fundamentals

CIA triad (confidentiality, integrity, availability), threat modeling intro (STRIDE), risk vs threat vs vulnerability, OWASP Top 10 conceptual coverage, defence in depth, principle of least privilege

~25%

Python Secure Coding

Avoiding eval/exec on untrusted input; avoiding pickle for untrusted data; using parameterized SQL queries (parameter tuples, not string formatting); validating user input; safe deserialization; logging without leaking secrets

~20%

Cryptography and Authentication

secrets module for crypto-secure randomness; hashlib (SHA-256, SHA-3, BLAKE2; why MD5 and SHA-1 are deprecated); hmac and secrets.compare_digest for constant-time comparison; cryptography library (Fernet symmetric; Hazmat layer for AES-GCM, RSA, ECDSA); password hashing with bcrypt / argon2 / scrypt — never plain hash

~15%

Input, File, and HTTP Security

re module input validation (and ReDoS awareness); pathlib and os.path.realpath to prevent path traversal; avoiding os.system / subprocess shell=True; requests with verify=True; custom CA bundles; TLS configuration; secrets in env vars not source code

~10%

Web Framework Security

Django CSRF middleware, SECURE_* settings, ALLOWED_HOSTS, ORM vs raw SQL; Flask security headers via Talisman; Flask-WTF CSRF protection; secure session cookies

~15%

Offensive Python and Forensics Tooling

Pentest libraries — scapy (packet crafting), paramiko / fabric (SSH automation), requests + BeautifulSoup (web recon), pwntools, impacket, responder; forensics — volatility plugins, dpkt for PCAP analysis, yara-python for malware detection; security event logging and SIEM integration

How to Pass the PCES Exam

What You Need to Know

Passing score: 70%
Exam length: 30 questions
Time limit: 40 minutes
Exam fee: $59 USD

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

PCES Study Tips from Top Performers

1Never use plain hashlib (SHA-256) to store passwords — always use a password hashing function like bcrypt, argon2, or scrypt with a per-user salt

2Use secrets.token_bytes / secrets.token_urlsafe for tokens, never random.random — random is not crypto-secure

3For comparing secrets (HMACs, tokens), always use hmac.compare_digest or secrets.compare_digest to prevent timing attacks

4Memorize: SQL injection is prevented with parameterized queries (cursor.execute(sql, (val,))) — NOT with string formatting or escaping

5Avoid pickle.loads on untrusted data — it can execute arbitrary code; use json for untrusted serialization

6subprocess: pass arguments as a list and avoid shell=True; if you must use shell=True, use shlex.quote on inputs

7TLS: requests defaults to verify=True — never set verify=False in production code, even temporarily

Frequently Asked Questions

What is the OpenEDG PCES exam?

The PCES (Certified Entry-Level Security Professional with Python) is an entry-level cybersecurity certification from the OpenEDG Python Institute. It validates secure-coding skills in Python plus the ability to use Python for security automation, basic offensive tooling, and forensics. PCES is part of OpenEDG's Python specialization track alongside PCED and PCET.

How many questions are on the PCES exam?

The PCES exam has 30 questions in 40 minutes. Item formats include single-select, multi-select, drag-and-drop, gap-fill, and code-snippet questions. The passing score is 70%.

What is the PCES exam fee?

The PCES exam fee is $59 USD via the OpenEDG Testing Service online proctoring platform. Vouchers are sometimes available through OpenEDG and partner academy promotions.

Are there prerequisites for PCES?

There are no formal prerequisites. PCEP (Certified Entry-Level Python Programmer) is strongly recommended — PCES assumes you can already write Python code with functions, classes, exceptions, and basic file I/O. The certification then layers security concepts and Python security libraries on top of that base.

How should I prepare for PCES?

Plan for 40-60 hours of study over 4-6 weeks. Work through the official OpenEDG Python security course on edube.org. Write small Python scripts that hash passwords with bcrypt, encrypt files with Fernet, parse logs, and craft packets with scapy. Read the OWASP Top 10 once carefully. Aim for 80%+ on practice questions before scheduling.

Does the PCES certification expire?

No. PCES has lifetime validity with no expiration and no continuing-education requirement, consistent with OpenEDG's other entry-level Python credentials (PCEP, PCED, PCET).