HSC Software Engineering practice questions for 2026 with worked solutions
Practice questions for the 2026 HSC Software Engineering exam across all four Year 12 modules, with fully worked solutions. Multiple choice, short answer, code-reading and extended response, modelled on the NESA paper structure.
Reviewed by: AI editorial process; not yet individually human-reviewed
How to use these practice questions
HSC Software Engineering rewards two things at once: conceptual fluency and hands-on coding. These practice questions cover all four Year 12 modules (Secure Software Architecture, Programming for the Web, Software Automation, and the Software Engineering Project) in the formats NESA uses: multiple choice, short answer, code reading, and extended response.
Work them under timed conditions. The real paper gives you about one minute per mark, so a 20-mark multiple choice section is roughly 20 minutes and a 6-mark short answer is about 6 minutes. Plan extended responses before you write. After each block, check the worked solutions and rewrite anything that lost marks. Do not move on until you can articulate why the marking answer earns full marks.
These prompts are written by ExamExplained for practice. They are modelled on the structure and rubric language of past NESA Software Engineering papers but are not endorsed by NESA. Use them alongside the official NESA past papers and sample papers.
Section I: Multiple choice (Modules 1 to 4)
- Which OWASP Top 10 (2021) category best describes an attacker reading another user's invoice by changing the id in the URL /api/invoices/123 to /api/invoices/124?
  (A) Injection
  (B) Cryptographic failures
  (C) Broken access control
  (D) Security misconfiguration
- A web server responds with the status line HTTP/1.1 301 Moved Permanently. What does this tell the client?
  (A) The request succeeded and the body contains the resource
  (B) The resource has permanently moved and the client should use the new URL in the Location header
  (C) The client is not authenticated
  (D) The server encountered an error
- Which statement about symmetric and asymmetric encryption is correct?
  (A) Symmetric encryption uses a public and private key pair
  (B) Asymmetric encryption is generally faster than symmetric encryption
  (C) Symmetric encryption uses the same key to encrypt and decrypt
  (D) Hashing is a form of symmetric encryption
- A model is trained on a dataset of loan applications labelled "approved" or "rejected". This is an example of:
  (A) Unsupervised learning
  (B) Supervised learning
  (C) Reinforcement learning
  (D) Clustering
- In Git, which command stages a modified file so it will be included in the next commit?
  (A) git commit file.py
  (B) git push file.py
  (C) git add file.py
  (D) git clone file.py
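The first question above describes an insecure direct object reference: the server trusts the id in the URL without checking who owns the record. The Python below is added here as an illustration and is not part of the original question set. It contrasts a handler that returns whatever id is requested with one that enforces an object-level ownership check; the invoice store, user ids and handler names are constructed for the demonstration.

```python
# Constructed data: invoice id (as it appears in the URL) -> record.
# User 7 owns invoice 123; user 8 owns invoice 124.
INVOICES = {
    123: {"owner_id": 7, "total": 120.00},
    124: {"owner_id": 8, "total": 88.50},
}


def get_invoice_unchecked(current_user_id, invoice_id):
    """Broken access control: any authenticated user can read any id.
    current_user_id is accepted but never consulted."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, {"error": "not found"}
    return 200, inv


def get_invoice(current_user_id, invoice_id):
    """Object-level authorisation: the record must belong to the caller.

    'Missing' and 'not yours' return the same response so a user cannot
    learn which ids exist simply by probing them.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner_id"] != current_user_id:
        return 404, {"error": "not found"}
    return 200, inv


if __name__ == "__main__":
    # User 7 edits 123 to 124 in the URL.
    print(get_invoice_unchecked(7, 124))  # leaks user 8's invoice
    print(get_invoice(7, 124))            # (404, {'error': 'not found'})
    print(get_invoice(8, 124))            # the owner still gets their data
```

The fix is a per-request check against the authenticated identity, not a hidden or unguessable id: the URL is user-controlled input like any other.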
Section II: Short answer
- (Module 1, 4 marks) Explain the difference between authentication and authorisation. Give one concrete example of each in a web application that has ordinary users and administrators.
- (Module 1, 3 marks) A developer stores user passwords using only the MD5 hash function with no salt. Identify two weaknesses of this approach and state a better practice for each.
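The script below is an added illustration for the password-storage question, not part of the original page. It places the scheme the question describes (bare MD5, no salt) beside a salted, deliberately slow alternative built from the Python standard library (PBKDF2-HMAC-SHA256 via hashlib), so the two weaknesses can be observed directly: with no salt, two users who chose the same password get identical records, and MD5 is fast enough to test guesses at enormous rates. The usernames and password are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two different users happened to choose the same password.
USERS = {"alice": "Summer2024", "bob": "Summer2024"}


def md5_unsalted(password: str) -> str:
    """The scheme from the question: bare MD5, no salt, one fast round."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The salt and the
    iteration count are stored beside the digest so the verifier can recompute it."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_stored_value(hash_fn) -> bool:
    """Do alice and bob end up with identical database records?"""
    records = [hash_fn(pw) for pw in USERS.values()]
    return records[0] == records[1]


if __name__ == "__main__":
    # Unsalted: identical passwords give identical hashes, so one precomputed
    # lookup table (or one cracked hash) exposes every user with that password.
    print("MD5 records identical:   ", same_stored_value(md5_unsalted))   # True
    # Salted: same password, different records; each must be attacked separately.
    print("PBKDF2 records identical:", same_stored_value(pbkdf2_hash))    # False
    record = pbkdf2_hash("Summer2024")
    print(pbkdf2_verify("Summer2024", record), pbkdf2_verify("Summer2025", record))
```

The iteration count is what makes each guess expensive; it should be tuned upward as hardware improves, which is why it is stored in the record rather than hard-coded in the verifier.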
- (Module 2, 5 marks) Consider the following SQL schema and query.
CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, atar REAL);
CREATE TABLE enrolments (student_id INTEGER, course TEXT);

SELECT s.name, COUNT(e.course) AS course_count
FROM students s
LEFT JOIN enrolments e ON e.student_id = s.id
GROUP BY s.id
HAVING COUNT(e.course) >= 2;
(a) Explain what this query returns.
(b) Explain why a LEFT JOIN is used here rather than an INNER JOIN, and what effect the HAVING clause has.
(c) Rewrite the query so it instead returns students enrolled in exactly zero courses.
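To check answers to (a) to (c) against real output, the following Python/sqlite3 script (added for this page, not part of the question) loads the schema above with a constructed three-student dataset and runs the question's query, the same aggregation with LEFT JOIN and INNER JOIN and no HAVING clause so the difference between the joins is visible, and a query for students with no enrolments.

```python
import sqlite3

# Schema as given in the question.
SCHEMA = """
CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, atar REAL);
CREATE TABLE enrolments (student_id INTEGER, course TEXT);
"""

# Constructed sample data: Ana has two courses, Ben has one, Chloe has none.
STUDENTS = [(1, "Ana", 95.0), (2, "Ben", 88.5), (3, "Chloe", 91.2)]
ENROLMENTS = [(1, "Software Engineering"), (1, "Mathematics Advanced"), (2, "Physics")]

# The query from the question, as written.
QUERY_FROM_QUESTION = """
SELECT s.name, COUNT(e.course) AS course_count
FROM students s
LEFT JOIN enrolments e ON e.student_id = s.id
GROUP BY s.id
HAVING COUNT(e.course) >= 2;
"""

# Same aggregation with no HAVING filter, so every group is shown.
# LEFT JOIN keeps students with no matching enrolment row (count 0);
# INNER JOIN drops them before grouping, so their group never exists.
COUNTS_LEFT = """
SELECT s.name, COUNT(e.course) AS course_count
FROM students s
LEFT JOIN enrolments e ON e.student_id = s.id
GROUP BY s.id
ORDER BY s.id;
"""
COUNTS_INNER = COUNTS_LEFT.replace("LEFT JOIN", "INNER JOIN")

# Part (c): students enrolled in exactly zero courses. This only works with
# LEFT JOIN, for the reason just given.
QUERY_ZERO_COURSES = """
SELECT s.name, COUNT(e.course) AS course_count
FROM students s
LEFT JOIN enrolments e ON e.student_id = s.id
GROUP BY s.id
HAVING COUNT(e.course) = 0;
"""


def run(query):
    """Build a fresh in-memory database, load the sample rows, run one query."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENTS)
    con.executemany("INSERT INTO enrolments VALUES (?, ?)", ENROLMENTS)
    rows = con.execute(query).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    print("question query :", run(QUERY_FROM_QUESTION))   # [('Ana', 2)]
    print("LEFT JOIN, all :", run(COUNTS_LEFT))           # Ana 2, Ben 1, Chloe 0
    print("INNER JOIN, all:", run(COUNTS_INNER))          # Chloe is missing
    print("zero courses   :", run(QUERY_ZERO_COURSES))    # [('Chloe', 0)]
```

COUNT(e.course) counts non-NULL values, which is why an unmatched student from the LEFT JOIN contributes 0 rather than 1.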
- (Module 2, 4 marks) Read the following Python (Flask) route and identify the security vulnerability, then rewrite the database call to remove it.
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.get("/search")
def search():
    term = request.args.get("q")
    rows = db.execute("SELECT * FROM products WHERE name LIKE '%" + term + "%'")
    return jsonify(rows)
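The script below is added here and is not part of the original question. It reproduces the route's query against an in-memory sqlite3 catalogue (a constructed three-product table) beside a parameterised version, so the defect can be observed rather than only named: the concatenated query fails on an ordinary apostrophe in the search term and lets a crafted term rewrite the WHERE clause, while the parameterised query treats both terms as plain data.

```python
import sqlite3

# Constructed catalogue for the demonstration.
PRODUCTS = [(1, "Laptop", 1499.0), (2, "Headphones", 199.0), (3, "Monitor", 349.0)]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return con


def search_vulnerable(con, term):
    """Same construction as the route in the question: the term is spliced
    into the SQL text, so the database cannot tell data from code."""
    sql = "SELECT * FROM products WHERE name LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_safe(con, term):
    """Parameterised query: the SQL text is fixed and the term is sent
    separately as a bound value. The wildcards go into the value, not the SQL."""
    sql = "SELECT * FROM products WHERE name LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


def vulnerable_breaks_on(con, term):
    """True if the concatenated query fails to parse for this input."""
    try:
        search_vulnerable(con, term)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    con = make_db()
    # Ordinary search: both versions agree.
    print(search_vulnerable(con, "Lap"), search_safe(con, "Lap"))
    # A legitimate apostrophe: the concatenated query is a syntax error,
    # the parameterised one simply finds no match.
    print(vulnerable_breaks_on(con, "Men's"), search_safe(con, "Men's"))
    # Input that closes the quote and appends its own condition: the
    # concatenated query returns the whole table, the parameterised one
    # searches for that literal string and finds nothing.
    crafted = "x' OR 1=1 --"
    print(len(search_vulnerable(con, crafted)), search_safe(con, crafted))
```

The apostrophe case is worth remembering in an answer: the same defect that makes the route exploitable also makes it fail on legitimate input, so the parameterised rewrite is a correctness fix as well as a security fix.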
- (Module 3, 5 marks) Compare supervised and unsupervised learning. For each, state what the training data looks like and give one realistic application.
- (Module 3, 3 marks) Explain what overfitting is, how you would detect it, and one technique to reduce it.
- (Module 4, 4 marks) Describe the difference between the waterfall and agile (Scrum) software development methodologies. Identify one project situation that suits each.
- (Module 4, 3 marks) Predict the output of the following Python and identify the off-by-one style bug.
def running_total(values):
    totals = []
    total = 0
    for i in range(1, len(values)):
        total += values[i]
        totals.append(total)
    return totals

print(running_total([10, 20, 30]))
Section III: Extended response
- (Integrates Modules 1 and 2, 9 marks) A small business runs an online booking web application that stores customer names, contact details and payment card numbers. Recent audits found that the site sends data over plain HTTP, builds SQL queries by string concatenation, and stores passwords as plain text.
Evaluate the security of this application and recommend a set of improvements. In your response, refer to at least three distinct OWASP Top 10 risks and pair each with a specific developer-side mitigation that fits into a secure development lifecycle.
- (Integrates Modules 3 and 4, 7 marks) A company plans to deploy a machine learning model that screens job applications and ranks candidates. Discuss the ethical risks of this system and describe the software engineering practices (across development, testing and deployment) that the team should adopt to manage those risks responsibly.
Check your knowledge
Attempt every question above under exam conditions before reading on. Then mark yourself against the worked solutions block, paying attention to the marking notes that say what an examiner rewards.
Where to go next
For deeper coverage of the modules these questions draw on, read our Secure Software Architecture deep dive and Programming for the Web deep dive. For dot-point-level answers, browse the full syllabus index.
For the official HSC Software Engineering papers and sample papers, refer to NESA at educationstandards.nsw.edu.au.